% % Title page % - Hi everyone % - Welcome to my talk % - I'm Rasmus % -- I work in the TCR group together with Fredrik and others % -- I've been here since September, and it started out as an internship. Then % we decided to prolong that into something more permanent. % -- I am also aff. with Kau, where I do my PhD studies. % -- Surprise surprise, my thesis is about transparent logs. % \begin{frame} \vfill \begin{columns} \begin{column}{0.5\textwidth} \mktitle{Outline} \begin{enumerate} \item Transparent Logging \begin{itemize} \item Why? % Let's talk DigiNotar \item How? % Let's talk CT \item What? % What should you make transparent \end{itemize} \item ``System Transparency Logging'' \end{enumerate} \end{column} \begin{column}{0.5\textwidth} \centering \includegraphics[width=\columnwidth]{img/rgdd} \burl{https://creativecommons.org/licenses/by-sa/4.0/} \end{column} \end{columns} \end{frame} \begin{frame} \vfill \begin{columns} \begin{column}{0.45\textwidth} \mktitle{Let's travel in space and time} \begin{itemize} \item June, 2011 \item Netherlands, Beverwijk \item DigiNotar \end{itemize} \end{column} \begin{column}{0.55\textwidth} \centering \includegraphics[width=\columnwidth]{img/beverwijk} \burl{https://creativecommons.org/licenses/by-sa/3.0/} % https://commons.wikimedia.org/wiki/File:Nzkanaal2.jpg \end{column} \end{columns} \end{frame} \begin{frame} % % To give you the backdrop. % % DigiNotar was a so-called certificate authority that issues web certs % - If this means nothing to you, it is sort of like passports but for % websites. In real life we have a trusted government body that is % responsible of issuing our passports. We trust that a passport will not % be issued for us unless we can prove that we are who we say we are. % - In the digital world certificate authorities play this role but for % websites. This way, you can be sure that you are really visiting % mullvad.net, and not someone that is impersonating our domain. % % So, the expectation here is that you would only issue a certificate to the % rightful domain owner. At minimum, this requires some identity checking. % % Let's get back to what happened then. % % It turns out that DigiNotar was hacked. They issued fraudulent % certificates for Google, Facebook, Twitter, Mozilla, Tor, and many others. % % This was detected by DigiNotar a week after the incident. % - They decided to be silent. % % The only reason why we detected this is because of a large scale attack % in Iran, which targeted 300k gmail users. If the attacker had been more % stealthy, we probably would not have detected the attack. % % Fortunately we did detect the attack. Soon thereafter, none of the major % browser trusted DigiNotar anymore. In September, a bankruptcy was filed. % \vfill \begin{columns} \begin{column}{0.45\textwidth} \mktitle{What happened?} \begin{itemize} \item DigiNotar issued web certificates \item Did not live up to expectations \item Then lied about it for weeks \end{itemize} \end{column} \begin{column}{0.55\textwidth} \centering \includegraphics[width=\columnwidth]{img/diginotar} \burl{https://www.bbc.com/news/technology-14989334} \end{column} \end{columns} \end{frame} \begin{frame} % % What to make of this then? % % First of all, DigiNotar was neither the first nor the last. Many % certificate authorities messed up before them. Many certificate % authorities messed up after them. % % It would be incredibly helpful if we could detect if a certificate % authority makes mistakes. In the case of certificate management, % detection really comes down to the ability of discovering which % certificates have been issued for whom. % % From this intuition the idea of Certificate Transparency is simple. % - Talk about figure. % - Emphasize that the log is not a trusted party due to crypto magic. % \vfill \begin{columns} \begin{column}{0.5\textwidth} \mktitle{What to make of this} \begin{itemize} \item DigiNotar was neither first nor last\footnotemark \item Detection of certificate mis-issuance? \item Discoverability with transparent logs\footnotemark \end{itemize} \end{column} \begin{column}{0.5\textwidth} \input{img/ct} \end{column} \end{columns} \vfill \pause \centering\alert{Chrome and Safari enforce Certificate Transparency} \footnotetext[1]{\burl{https://sslmate.com/certspotter/failures}} \footnotetext[2]{\burl{https://certificate.transparency.dev/}} \end{frame} \begin{frame} % % Okay, great that we have transparency for certificates. Does that mean % are done? % % The short answer is no. We are definitely not done. There is still a lot % of remaining work with Certificate Transparency. There is even more work % left to do when we think about other use-cases of transparency logging. % % (Use do you get the same binaries as everyone else for example, leave the % rest for them to think about if they want to) % \mktitle{Transparency logging is good for more than just certificates} Source code \\ Binaries \\ Config files \\ TPM quotes \\ Media content \\ Tax declarations \\ Documents of ownership \\ BGP announcements \\ Tor's consensus \\ ... \\ \vfill \pause \alert{The log we are working on is helpful for all these use-cases!} \end{frame} % % https://curl.se/download.html % \begin{frame} % % 1. Introduce the setup. Daniel represents many software projects. % 2. How would you know if your private key got compromised? % \mktitle{Example use-case\#1} \begin{columns} \begin{column}{0.5\textwidth} \mktitle{Meet Daniel} \begin{itemize} \item The author of \texttt{curl} \item Digitally signs new releases \item Long-term signing key-pair \end{itemize} \end{column} \begin{column}{0.5\textwidth} \centering \includegraphics[height=.6\textheight]{img/curl} \burl{https://creativecommons.org/licenses/by-sa/4.0/} \end{column} \end{columns} \end{frame} % % https://arxiv.org/pdf/2104.06020.pdf, page 6 for the challenge. % \begin{frame} % % 1. What is R-B. % 2. Challenge % 3. How I think that challenge could be approached % \mktitle{Example use-case\#2} \begin{columns} \begin{column}{0.6\textwidth} \mktitle{Meet the R-B project} \begin{itemize} \item Same input gives the same output \item Consensus of ``valid'' checksum? \end{itemize} \end{column} \begin{column}{0.4\textwidth} \centering \includegraphics[width=\columnwidth]{img/rb} \burl{https://creativecommons.org/licenses/by-sa/4.0/} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{Problem summary} \vfill \begin{columns} \begin{column}{0.125\textwidth} \end{column} \begin{column}{0.75\textwidth} \begin{enumerate} \item Which signatures were produced by what private keys? \item Consensus of checksums that should be considered valid? \end{enumerate} \end{column} \begin{column}{0.125\textwidth} \end{column} \end{columns} \vfill \end{frame} \begin{frame} % % 1. Introduce the system. Think first two paragraphs in design.md % \mktitle{Our starting point} \begin{columns} \begin{column}{0.5\textwidth} \begin{itemize} \item Data publisher \item End-user \item Assumptions \begin{itemize} \item Public key can be located \item Signed data can be located \item End-user can install extra tooling \end{itemize} \end{itemize} \end{column} \begin{column}{0.5\textwidth} \centering \input{img/before} \end{column} \end{columns} \vfill \pause \alert{The attacker can compromise the data publisher}\\ \pause \alert{The goal is to detect unwanted key-usage} \end{frame} \begin{frame} % % 1. Our design is about transparency logs. So, I need to explain briefly % what a transparency log is. % 2. Append-only Merkle tree. You can think of the data as being stored in % the leaves. Each leaf is hashed. Parents concatenate their children % hashes to produces their own hash values. Repeat until single root hash. % 3. The root hash is usually called a tree head. % 4. Tree head interesting because it fixes the structure and the content of % the tree. Add/remove/modify -> new tree head. % 5. If the log signs the tree head, you can hold it accountable for its % structure and content. % 6. This is important because the attacker can control the log. % 7. So we cannot trust that the log is append-only. We will need to verify % that. To this end we have consistency proofs. The intuition is that you % can force the log to reveal a number of cryptographic hashes. These % hashes will prove that the tree head you see today is consistent with the % tree head you saw yesterday. % 8. You can also prove that something is in the log efficiently. This is % called an inclusion proof. The intuition is that you reveal a number of % hashes. If you can use them to reconstruct the root of a globally % consistent tree head you can be sure that some data is in the log. % 8. Global consistency (as opposed to just consistency) is what prevents % the log from creating forks. I will return to this later on because it is % an important part of our design. % (9. Not having global consistency would be like having a blockchain % without a consensus mechanism.) % \mktitle{An intuition of transparency log properties} \input{img/mt} \vfill \begin{columns} \begin{column}{0.33\textwidth} \begin{itemize} \item Tree head \end{itemize} \end{column} \begin{column}{0.33\textwidth} \begin{itemize} \item Consistency proof \end{itemize} \end{column} \begin{column}{0.33\textwidth} \begin{itemize} \item Inclusion proof \end{itemize} \end{column} \end{columns} \vfill \pause \alert{The attacker can control the log} \end{frame} \begin{frame} \mktitle{Preparing a logging request} \begin{columns} \begin{column}{0.5\textwidth} \begin{itemize} \item Select a shard hint and checksum \item Sign using your private key \end{itemize} \end{column} \begin{column}{0.5\textwidth} \lstinputlisting[style=CStyle]{img/tree-leaf.trunnel} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{Submitting a logging request} \begin{columns} \begin{column}{0.2\textwidth} \underline{Key-value pairs:} \begin{itemize} \item Shard hint \item Checksum \item Signature \item Public key \item Domain hint \end{itemize} \end{column} \begin{column}{0.8\textwidth} \centering \input{img/log-request} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{Distributing proofs of public logging} \begin{columns} \begin{column}{0.5\textwidth} \begin{itemize} \item End-user will not talk to the log \item Proofs of logging \begin{itemize} \item Inclusion proof \item Tree head \end{itemize} \item Witness cosigning \end{itemize} \end{column} \begin{column}{0.5\textwidth} \centering \input{img/after} \end{column} \end{columns} \pause \alert{The attacker can control a threshold of witnesses} \end{frame} \begin{frame} \mktitle{Example use-case\#1} \begin{columns} \begin{column}{0.5\textwidth} \mktitle{Remember Daniel?} \begin{itemize} \item Sign a checksum of each \texttt{curl} release \item Start logging every signed checksum \item Monitor the log for your own leaves \end{itemize} \end{column} \begin{column}{0.5\textwidth} \centering \includegraphics[height=.6\textheight]{img/curl} \burl{https://creativecommons.org/licenses/by-sa/4.0/} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{Example use-case\#2} \begin{columns} \begin{column}{0.6\textwidth} \mktitle{Remember the R-B project?} \begin{itemize} \item Sign the expected checksum of each build \item A valid checksum is a logged checksum \item Rebuilders validate logged checksums \end{itemize} \end{column} \begin{column}{0.4\textwidth} \centering \includegraphics[width=\columnwidth]{img/rb} \burl{https://creativecommons.org/licenses/by-sa/4.0/} \end{column} \end{columns} \end{frame} \begin{frame} \mktitle{Summary and feature overview} \begin{columns} \begin{column}{0.5\textwidth} \begin{itemize} \item Signed checksums \item Sharding \item Preserved data flows \item Anti-spam \item Global consistency \item Few simple parsers \item No cryptographic agility \end{itemize} \end{column} \begin{column}{0.5\textwidth} \includegraphics[width=\columnwidth]{img/clean} \end{column} \end{columns} \end{frame} \begin{frame} \vfill \begin{columns} \begin{column}{0.7\textwidth} \mktitle{Current status} \begin{itemize} \item Version v0 README and documentation\footnotemark \item A public instance of the log is up and running \item At least one party is witnessing the log \item Come say hello and contribute if you want! \begin{itemize} \item \texttt{irc/oftc \#siglog} \item Matrix bridge\footnotemark \item Open meetings every Tuesday, 1300 \end{itemize} \end{itemize} \end{column} \begin{column}{0.3\textwidth} \centering \includegraphics[width=\columnwidth]{img/thanks} \end{column} \end{columns} \footnotetext[1]{\burl{https://github.com/system-transparency/stfe/}} \footnotetext[2]{\burl{https://app.element.io/\#/room/\#siglog:matrix.org}} \end{frame}