Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
CSE 127: Introduction to
Security
Lecture 15: TLS
Nadia Heninger and Deian StefanUCSD
Fall 2019
Some material from Dan Boneh, Stefan Savage
Reminder: Network Attacker Threat Model
Network Attacker:
• Controls infrastructure: Routers, DNS• Eavesdrops, injects, drops, or modifies packets
Examples:
• Wifi at internet cafe• Internet access at hotels
Goal: Establish a secure channel to a host that ensures
• Confidentiality and Integrity of messages• Authentication of the remote host
Constructing a secure encrypted channel
• To ensure confidentiality and integrity: Encrypt and MAC data
• To negotiate shared symmetric keys: Diffie-Hellman keyexchange. Key Derivation Function (KDF) maps shared secret
to symmetric key.
• To ensure authenticity of endpoints: Digital Signatures
c = AESke(m), t = MACkm(c)
ga
gb
ke, km = KDF(gab) ke, km = KDF(gab)
RSApubB, SignB(ga, gb)
How does Alice know to trust Bob’s public signing key?
Constructing a secure encrypted channel
• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange. Key Derivation Function (KDF) maps shared secret
to symmetric key.
• To ensure authenticity of endpoints: Digital Signatures
c = AESke(m), t = MACkm(c)
ga
gb
ke, km = KDF(gab) ke, km = KDF(gab)
RSApubB, SignB(ga, gb)
How does Alice know to trust Bob’s public signing key?
Constructing a secure encrypted channel
• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange. Key Derivation Function (KDF) maps shared secret
to symmetric key.
• To ensure authenticity of endpoints: Digital Signatures
c = AESke(m), t = MACkm(c)
ga
gb
ke, km = KDF(gab) ke, km = KDF(gab)
RSApubB, SignB(ga, gb)
How does Alice know to trust Bob’s public signing key?
Constructing a secure encrypted channel
• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange. Key Derivation Function (KDF) maps shared secret
to symmetric key.
• To ensure authenticity of endpoints: Digital Signatures
c = AESke(m), t = MACkm(c)
ga
gb
ke, km = KDF(gab) ke, km = KDF(gab)
RSApubB, SignB(ga, gb)
How does Alice know to trust Bob’s public signing key?
Public Key Infrastructure: Establishing Trust in Keys
Ways to establish trust in keys:
• Meet in person to exchange keys.• Not practical at scale over the internet
Public Key Infrastructure: Establishing Trust in Keys
Ways to establish trust in keys:
• Fingerprint verification• Verify a cryptographic hash of a public key through aseparate channel, or “trust on first use” (TOFU).
• This is used by SSH for host keys.nadiah$ ssh portal.cs.princeton.edu@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@The RSA host key for portal.cs.princeton.edu has changed,and the key for the corresponding IP address 128.112.155.171is unknown. This could either mean thatDNS SPOOFING is happening or the IP address for the hostand its host key have changed at the same time.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)!It is also possible that a host key has just been changed.The fingerprint for the RSA key sent by the remote host isSHA256:9yBBea9Z0ER6asvvtNf6fRXVra6LOQ3OVZLtYKVpNc8.Please contact your system administrator.
Public Key Infrastructure: Establishing Trust in Keys
Ways to establish trust in keys:
• Fingerprint verification• Verify a cryptographic hash of a public key through aseparate channel, or “trust on first use” (TOFU).
• This is used by SSH for host keys.• This is also used by encrypted messaging apps like Signal
Public Key Infrastructure: Establishing Trust in Keys
Ways to establish trust in keys:
• Hard code public keys in software• “Certificate pinning” used by browsers
Public Key Infrastructure: Establishing Trust in Keys
Ways to establish trust in keys:
• Certificate Authorities• A certificate authority is a kind of commercial trustedintermediary.
• Certificate Authorities verify public keys and sign them inexchange for money.
• If you trust the certificate authority, you transitively trust
the keys it signs.
• This is used for TLS, software signing keys.
Public Key Infrastructure: Establishing Trust in Keys
Ways to establish trust in keys:
• Web of Trust• In a web of trust, you establish trust in intermediaries of
your choice.
• You then transitively trust the keys they sign.• This is used by PGP.
nadiah$ gpg --edit-key [email protected]> trustpub 1024D/567B4BAD created: 2010-12-19 expires: never usage: SC
trust: unknown validity: unknownsub 1024g/EFE31B86 created: 2010-12-19 expires: never usage: E[ unknown] (1). Ronald L Rivest <[email protected]>
Please decide how far you trust this user to correctly verify other users’ keys(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don’t know or won’t say2 = I do NOT trust3 = I trust marginally4 = I trust fully5 = I trust ultimatelym = back to the main menu
Your decision?
Constructing a secure encrypted channel
• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange
• To ensure authenticity of endpoints: Digital Signatures
• To ensure an adversary can’t reuse a signature later, addsome random unique values (“nonces”)
c = AESke(m), t = MACkm(c)
ga
gb
ke, km = KDF(gab) ke, km = KDF(gab)
RSApubB, SignB(ga, gb)
Constructing a secure encrypted channel
• To ensure confidentiality and integrity: Encrypt and MAC data• To negotiate shared symmetric keys: Diffie-Hellman keyexchange
• To ensure authenticity of endpoints: Digital Signatures• To ensure an adversary can’t reuse a signature later, addsome random unique values (“nonces”)
c = AESke(m), t = MACkm(c)
random ra, ga
random rb, gb
ke, km = KDF(gab) ke, km = KDF(gab)
RSApubB, SignB(ga, gb, ra, rb)
TLS: Transport Layer Security
• TLS provides an encrypted channel for application data.
• Used for HTTPS: HTTP inside of a TLS session
• Used to be called SSL (Secure Sockets Layer) in the 90s.
SSL 1.0 Terribly insecure; never released.
SSL 2.0 Released 1995; terribly insecure.
SSL 3.0 Released 1996; insecure since 2014.
TLS 1.0 Released 1999; deprecated and will be
removed from major browsers in 2020.
TLS 1.1 Released 2006; deprecated and will be
removed from major browsers in 2020.
TLS 1.2 Released 2008. Ok.
TLS 1.3 Standardized in August 2018 and is being
rolled out now; major change from TLS 1.2.
TLS 1.2 with Diffie-Hellman Key Exchange
Step 1: The client (browser) tells the server what kind of
cryptography it supports.
client hello: client random
[list of cipher suites]
Cipher suites: list of options like:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
This says to use
• elliptic curve Diffie-Hellman for key exchange• RSA digital signatures• 128-bit AES for symmetric encryption• GCM (Galois Counter Mode) AES mode of operation• SHA-256 for hash function
TLS 1.2 with Diffie-Hellman Key Exchange
Step 1: The client (browser) tells the server what kind of
cryptography it supports.
client hello: client random
[list of cipher suites]
Cipher suites: list of options like:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Server cipher suite configuration can be confusing and difficult for
sysadmins. Many insecure options like
TLS_DHE_RSA_WITH_DES_CBC_SHA
or
TLS_NULL_WITH_NULL_NULL
Subtle protocol errors around cipher suite negotiation.
TLS 1.2 with Diffie-Hellman Key Exchange
Step 2: The server tells the client which kind of cryptography
it wishes to use.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
TLS 1.2 with Diffie-Hellman Key Exchange
Step 3: The server sends over its certificate which contains
the server’s public key and signatures from a certificate
authority.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
Certificates and Certificate Authorities in TLS
Website public keys are encoded into certificates.
Certificates signed by CAs.
Browsers come with set of trusted CAs.
To verify a certificate, browsers verify chain of digital
certificates back to trusted root CA.
Certificates typically valid for 3 months to multiple years.
Sample certificate
Who are we trusting?
Who is this cert for?
Who are we trusting?
Who is this cert for?
CSE’s pub key info
Where we should check for revocation
information
Revocation
• Problem: keys get compromised• Attacker with a key can impersonate you and readmessages encrypted to you
• Key expiration helps, but not enough
• CA and PGP PKIs support revocation• “I, Alice, revoke my public key . . . do not use it.”• Signs revocation with her private key• Others can verify Alice’s signature, stop using key
Root CAs on OS X
Which CA can issue a certificate for fbi.gov?
Which CA can issue a certificate for google.com?
CA Hacks and Vulnerabilities
There is a long history of CAs getting hacked or doing the
wrong thing.
• 2011: Comodo and DigiNotar CAs hacked, used to issuefraudulent certificates for Hotmail, Gmail, Skype, Yahoo
Mail, Firefox...
• Fraudulent certificates later used in man-in-the-middleattack against Iran.
• 2013: TurkTrust issued fraudulent certificate for Gmail.• 2014: Indian NIC issue certs for Google and Yahoo!• 2016: WoSign issues cert for GitHub.
Mitigations:
• Certificate pinning.• Hard code certificates for some sites in browser.
• Certificate Transparency.• Public append-only log of certificate issuances to trackfraudulent certs.
TLS 1.2 with Diffie-Hellman Key Exchange
Step 3: The server sends over its certificate which contains
the server’s public key and signatures from a certificate
authority.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
server kex: p, g, ga, SignRSAkey(p, g, ga)
To protect against man-in-the-middle attacks, the server
uses its public key to sign the Diffie-Hellman key exchange.
TLS also allows client authentication, but this is rare.
TLS 1.2 with Diffie-Hellman Key Exchange
Step 4: The server initiates a Diffie-Hellman key exchange.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
server kex: p, g, ga, SignRSAkey(p, g, ga)
To protect against man-in-the-middle attacks, the server
uses its public key to sign the Diffie-Hellman key exchange.
TLS also allows client authentication, but this is rare.
TLS 1.2 with Diffie-Hellman Key Exchange
Step 5: The client responds with its half of the Diffie-Hellman
key exchange.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
server kex: p, g,ga, SignRSAkey(p, g, ga)
client kex: gb
KDF(gab,random) →kmc , kms , ke
KDF(gab,random) →kmc , kms , ke
client finished: MACkmc (dialog)
server finished: MACkms (dialog)
Encke(request)
TLS 1.2 with Diffie-Hellman Key Exchange
Step 6: The client and server derive symmetric encryption
keys from the shared secret using a key derivation function.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
server kex: p, g,ga, SignRSAkey(p, g, ga)
client kex: gb
KDF(gab,random) →kmc , kms , ke
KDF(gab,random) →kmc , kms , ke
client finished: MACkmc (dialog)
server finished: MACkms (dialog)
Encke(request)
TLS 1.2 with Diffie-Hellman Key Exchange
Step 7: The client and server verify the integrity of the
handshake using the MAC keys they have derived.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
server kex: p, g,ga, SignRSAkey(p, g, ga)
client kex: gb
KDF(gab,random) →kmc , kms , ke
KDF(gab,random) →kmc , kms , ke
client finished: MACkmc (dialog)
server finished: MACkms (dialog)
Encke(request)
TLS 1.2 with Diffie-Hellman Key Exchange
Step 8: The client and server can now send encrypted
application data (e.g. HTTP) using their secure channel.
client hello: client random
[list of cipher suites]
server hello: server random, [cipher suite]
certificate = public RSA key + CA signatures
server kex: p, g,ga, SignRSAkey(p, g, ga)
client kex: gb
KDF(gab,random) →kmc , kms , ke
KDF(gab,random) →kmc , kms , ke
client finished: MACkmc (dialog)
server finished: MACkms (dialog)
Encke(request)
TLS 1.2 with RSA Key Exchange
TLS versions prior to 1.3 also supported using RSA public key
encryption to share the premaster secret (shared secret
master key).
client hello: client random
[supported cipher suites]
server hello: server random, [RSA cipher suite]
certificate = RSA pubkey k2048 + CA signaturesclient key exchange: RSAenck2048(pms)
KDF(pms,random) →kmc , kms , ke
KDF(pms,random) →kmc , kms , ke
client finished: Authkmc (dialog)
server finished: Authkms (dialog)
Encke(request)
TLS 1.2 with RSA Key Exchange
TLS versions prior to 1.3 also supported using RSA public key
encryption to share the premaster secret (shared secret
master key).
client hello: client random
[supported cipher suites]
server hello: server random, [RSA cipher suite]
certificate = RSA pubkey k2048 + CA signatures
client key exchange: RSAenck2048(pms)
KDF(pms,random) →kmc , kms , ke
KDF(pms,random) →kmc , kms , ke
client finished: Authkmc (dialog)
server finished: Authkms (dialog)
Encke(request)
TLS 1.2 with RSA Key Exchange
TLS versions prior to 1.3 also supported using RSA public key
encryption to share the premaster secret (shared secret
master key).
client hello: client random
[supported cipher suites]
server hello: server random, [RSA cipher suite]
certificate = RSA pubkey k2048 + CA signaturesclient key exchange: RSAenck2048(pms)
KDF(pms,random) →kmc , kms , ke
KDF(pms,random) →kmc , kms , ke
client finished: Authkmc (dialog)
server finished: Authkms (dialog)
Encke(request)
TLS 1.2 with RSA Key Exchange
TLS versions prior to 1.3 also supported using RSA public key
encryption to share the premaster secret (shared secret
master key).
client hello: client random
[supported cipher suites]
server hello: server random, [RSA cipher suite]
certificate = RSA pubkey k2048 + CA signaturesclient key exchange: RSAenck2048(pms)
KDF(pms,random) →kmc , kms , ke
KDF(pms,random) →kmc , kms , ke
client finished: Authkmc (dialog)
server finished: Authkms (dialog)
Encke(request)
TLS 1.2 with RSA Key Exchange
TLS versions prior to 1.3 also supported using RSA public key
encryption to share the premaster secret (shared secret
master key).
client hello: client random
[supported cipher suites]
server hello: server random, [RSA cipher suite]
certificate = RSA pubkey k2048 + CA signaturesclient key exchange: RSAenck2048(pms)
KDF(pms,random) →kmc , kms , ke
KDF(pms,random) →kmc , kms , ke
client finished: Authkmc (dialog)
server finished: Authkms (dialog)
Encke(request)
What if a private key gets stolen or compromised?
If an adversary obtains a server certificate private key:
• With Diffie-Hellman key exchange, the adversary can:• impersonate the server to anyone.
• With RSA key exchange, the adversary can:• impersonate the server to anyone.• decrypt any traffic from now and any point in the past.
""0 t 10 (!WI. 01!()9) S:.tbpocna 10 Tcst!1'y aelb:e, G~ Jury
TO:
DaHas, TX 75204
United States District Court "" ., Eastern District of Virginia
SUBPOENA TO TESTIFY BEFORE THE GR,.-\ND JURY
YOU ARECQMMA.,'lDED 10 appear and testify before !be Uoited States district court at the time, date.;me place shown below to lesify before the court's grand jury. When you arrive, you must remain at the C::Ill" until the judge or II court offioer allows yO\! to leave.
Pltte: UNITED ST A YES DlSTRlCT COURT ~Dl COllrthouseSqulrf Alex8ndriJ. Vir,inI8l2314
II: tnd Time: July lG, lUll
________________ J-____ __
You mUll also brin& with)'O\l the folJowill& docume:1ts. clcctroni~!y l10red lnformu ion. or objecu (bll!!'.K ifr.Ol "?plica.bl,,):
9:30 AM
In .. ddifion to your !,l:"l'SunHI"flpear"nce,you arc direeled to b ring 10 the grano jury the public lind private encryptiun I;c)'5 used by l:.Ivabil.CQn. in any SSl.. (See orl! S<:>ekel L:.I,,<!r) or TLS (Tr:u"pon Secllrlty I...'lyer) session$, inciudln: HTrrS ::I<~iOM with dients usin: the !lIvabil.com web site lind enl"rYflled SMTP ~"Ommun ieation~ (or Imcrnct '.:ommUn iC2{iQn~ u~ing other- protocols) ~lh mail lCrvCr.;;
Any utt:c r in form:Hl on necessary to ~ccompl!$fl tht insu ll2t1on :lncl use of tile ptnltrap device ordered by Jud?;e BIlc;h"nnn 011 June 28, 2013, unubtrusively :o nd wiln minimum ;ntenerenl:"t to the serviee" th2t arc >lctorded persons with respect 10 whom Ihe inst:lllati(ln and use illo take place;
If such information i3 electronically slof'1:d or unable to ~ physically transported to the ;:rand jury, you mtty provide ~ co fly of t be information to the Feder ... l BurtllU of [nv~tig<ltion. Provi$ion of tlds illformalion to tile FBr doc~ nOt excuse your personal appellnlnce.
Julv (I 2013 CL£RJ(
·f'!.c n&me, lId=, email.Md!el-:phonenu.mbecofthcUr.ill:d StIIleS ~lomey,-orllSSistc! United Stu~~y'who requests this s~bpoal;l, tL"t':
". 1'I0~n.)'
JU.Ul1 W. Wi1li" m$l;"ittd Sr",r~ Attonu,.'s SII,hljn: ] [00 J\lm l '~un ,\Venlle ,\ll· .• ~"drh. , Vlq~;r.i~ 1131~ p03} 299·nOO -_ ... - ...... .
.' .. ,., .. i '.'. , ,.4.>:" "',1\ " t :'.",,,~ fll'::~"" 1 , I.t ... , .... r',' ,.f. .•
" " '-". ,.' .':;'" i • . ; ', ':i,'~" '., ; ..... ,(, ... ; '-r:''- ~ .'." ." ;,:' j • .- .~I ~ "., . , .... :" ,,1 1 ,~1 ~ ,""""1;:,,:-, \,\~""H, .. , ,,,,,,.;, "'; <.i:"'~ • .', .. "
.A:·'~ :i.'.'.lJ." \·J:I.;:~(t,' ,1:,1'1-..".,,,,,,'.,,:_,,. i;, -.:" ',~. },; ,,",I;' 'j'::"'. ,'" '.,,:. ', )1' , .. ; ." ,;,,,,,,.; 1\. · · f·c.;~ ... f-'~.··"~ ' · !.~~''- ... "' ..... ~,
' .. , . .... ':,' ".1 .:.\.1. ,, :,'''(;, ~. 1 '.-,' - ' •• : ... '.1 .• ; .... '!:.. ' '. •. -:- ' .' , .", : ~ , . '. ~'., . ' ",.!> , .. ,.,: .".I.,.;r,:. 'J. ;';.1 . ,,': .• f; i~, '\O.);"v~ , :; :_-'-' ,) .... , .
. '.,'. ; ; .,'.('.: •. ,.,;. ~/.J~ i . \"l :, ,;' "'.~"1~·; · .~ ." : . :. ' .. ' " ;, . ~'-" j
;.-" ,: ro',' . : ... " ' ~"~f,~' '~I~·f." : ,~.-;-, .. ; ! , I;.; 1">" l<;; '~",f:'" .. ~: "-'~ . I, \'-1".;' .• ,,:, .. \. "":""~1 .' ;'~~'''' """'"-''' ' ' ~ ,! ". ,. ,' .,j ''' ' '; ''''''' ' 1,,1."" :;, ... ~t .. ,i..-, .',~~. ';;. '1'- ' , . /.", .- ',,:
.: ' .. "". ,, ~~.: ... ,:1',.,"' ... !~; \f_.',,-, ~tl "; ::' 'IW"~' " .. ,;,.~"
. ,; ;: __ L~i '\:.;/;~~'.:~;~~;~~i;~~~:··~~·;ii;<·~:~ ;~).~ '; :);r,; ~'· : ~;:;:,: ~~ '.~,.~J.;:;.~ i ~.;:"'~:~ ;t\;:.!.;.;:-'"g';.~~·;·~/:;'~~ ";l\~~~ !" :;·.~r
.' ' ..: • '" ; ,~. , .,," . , , . ',- ' ," ", " . .-.~ ;' "'''.''''. ;J' .. --":-; ,, '.'<;': :' .. '" - ·t:.· ;,', '. ,;, ".:,,~, ; ... ,,:,-,.._;,;~, .. ",, "': ,: . •... , • • " :-t~" •. , .• ; .. .,. ,. "" ,,""t' ", 1.:' ! '.;. ~:. ;:.' . " \ "i-",' ,_, ." "" ,':, , .::" .", ' r.· '. \:-: . '< , '." ~".':,~;·r!::.". .. ;. (~;' ' : . .....
f :: . '.' '; ,",:" '!,. '.', .,: , .. ~.' . '" r" . :, "; ~.,,~~ ... :. '." . ,J ,., '.-,.' • •
, ; ,,~' ... ",..-' " •... k· . . ' t- .;1\,.1.".",: .(·t · '.-,:'
, .. ~f'" ,' .. . : >;.: ... ~ ',; , . ' ." : ' ...... ,. ::. " ., :.,,-,' : .... :{.~ •. ; -" .. ;,; • • -..-:: ' : ,1 ',,, :. ;::;:: X .. ' _ ." ~'l.. _.
, ... c' ... ; ':';i". }'." ' .' 'l'<', , _,;;'. ~!- " !"o ':r"'.'~\o" ;·.,'·v' .''-10 .. ·0 - ~ . J." " b.~ ' r b·':· :'·",y,",," ;:I~ , ')l.4;'"' . _:~.;; l, . . ' ' , __ ,-":.-•.. ; .,,"::;'''.' ~~";,- :" "' : ,,~,; :';., ;,'.>(,' :,~. 1;,·' ,I,: :"
." c . .... , .. ;'",",) .. ,·"t "': . :'! .'~J ,'" ,:,>:("";u ""n,. ".<, .... lI.;.~:!'~ " , . :' "~,,~,;, ~"- \;) '- ".k', ,, .. i:io-<: .. ,,,,l"'.:' 1 .I'l',~:!.~"" .r; . ' .. ~( ;.; •. '
'}; ', .. ''- .,.",,~"""" ~\.,,_ '."~~:A.\':~;" ~'~ 'f!(.'.<'.'" "., .";~ , .• _~\. ,: -'; '. -, l :'" "~'. I---",'~ ! .).1 .• •. ~ . f' ,J.-I:fo':-<~~ • ' . , ; . , ';' .i!;:J,';, "1 ~ ~."
,' • • • ,..t _,.,1: I .• : • ; ! ·.jOt:", ... ~ ~',"'~" ~ .(.;.~ .. ':I" ! ~"; ""J~ ',", '(:~, ". .. . '~ " .t.~'i-"', : .~', .::: -":~, ' . -... ,.,., .V ,~ •• i'"' i .' <"", .4'1 .•• ,"~ .. ; '..,.:,r.:~ .," .. ' ""}"'~""" ... 7· .;>{,, : (.".,(."". ,.,~."
· ." .. ' v·:-:. '.,-'. ,~, :' ' ,,. ., ,.',\'·'I>"'.t ..... ll ,r .~" ..... , ... 1.<' .~ , .. 1 >'.~, .'-'" \', ·'11 " .... ,-,. ;~,., "~,"' . : t,: i , I ,.;.;, '.~\, .... . . , •. ; .. t,
.~ '- '. ;::.-. ' :,'!.-" .. " ..... , i;,,> .. ',Ii" r'''''' '1'l .\ I ' ...... -. . ~ r. ., ..... ... ~ ;.:"., . . : ';.!'! :. : " , j . : . . ~.".,.:, ~: ;1t.<l:,J'. ~ '., .\' \'. ~ ' ... '; ~ ",',~ I' .. : '! ' t: · 'j', , _~ .. ,;. '''~,;·'sl~)~·,-!''" h:\ '''-: ,.~\/.! · ;,' ·. >,!I>
, ,',. I X .. ~",." .. ;.'~d 1,1-.[-" ,':' :.lr.:.)l, ~t> '" J .. ' ,J;;.:',~", ..... , 'N ........ ; '_"'_' . ~n,' ,~ " . ' •. !.I' .' -..: .~ , " .,.,,:,~ .. ~ ,:.Ii; ">'''-',,".I>"'':',~' . : «>"
"'" '1~' '''-···' , ~:, ' 1';'W/s"'J ~.:-t "'.;",;.; "' ~"-'::~''"'''-'I;.i''; C ," '<$. '" ',.', . " .' .• 0, t';:""XV'~.~ " :'~"",'I : ... ;~, :;.,,: 1<.';~I)t-(.':, h\<.': ••
..... :, ,;.',"1';<1" 1.;'.\, ri.>' ;""'1" .•. "'1 ,.; ...... '''~·'1.:'r! ,', ,.,., ., :".~ ,', •. ~.~,." ,'.~ :;;. ';; , ' .. "".';,,, ~.-'~",;,o,'~J;: , ,,-,",, · .... In·' ."'·, .'; .•. ,.
• ' "';:""" :1 ;.". •. >1\,",,'''''.> ~)~""h""·X •. -1,. , \, ~'.f .. \ ., : :., ,~: , :, 1, '> ;t .~, ';;;"; =,' , n·, ,. :'>0:;' :l~,h' ~'" rf'.';·'<'!II).'" t=':'(',1~' '.J~j ,,; .. ':" , '. ' . ' ,.t.~.! ..... ,, : ~ "I ~." i ... .,..~'.~·l1-"",," ·'~~'·," " I ,;;0: "" •. , t ·,,· , ;, .~< 0 •. "0 T; '~~'.: " "" .. , .<-1';';" . '~. '; ' ,";:":' .~ ""~ ' ~';'~" , ~ '.'
; ," .: '.\ , "I •. ;' .. I.'oj.:.,,;, .. ,,", l~ q' .,,; I; J-! \. ; , • (.~. ,"c,,',':'" .:' < :~« , ) ;~ .• ,'~ \',.,... \~, --,,·,,··t · .;~":"";,,
' . ':',"; 1.';-
, .·f,.':·.' .. , .• ~ ,"( '1' .~'.-~;: '.t: ·~.r ."\1.~ :1 ',', . '.' .... < ' .• " . , .. ,~,- '; ""'.-:,; '-" , ~ • .,,,. < .. ' ,. " '- \"0( ;.' ~ .. • ••• • -.-.
~. " ':':""''''''' .''Y~' ' ' .:",~ .. ,~,-< .... 1.;_ " .• ' , .. ,., •. " ... ..> .,.. .... :., . .... "h~ , ·;,f ·i.' .'"..~ .. ,., ... ~"' .... ~" .. ;''''..".,'¥ •. ,,' ._ .' . . '!.'~.- . : ·"','l·."'· .,.~n'~.~,"'·,'t:~,: " ~11 s:;~,1~:r: ' . ';"~'J \'-;!'! ,bV:,~· I>
,~., ' .• ~ ' .' "",~,\,, ':, '.\' ,," ,,::.,,.,.1," ','.' ', ~'~.'I<"r. ! :., ..... : ·~<.';..M · ". ',: "·"",,"t ':1". ·'·,., Vo.! ~\';;>'<:'·-;;·I.~(...: ·;.'"j..·· · n ,',,: .'~, " ,:,:. ,;,.~ .", ''''.v.,' ~·s;. i<~~ ;~_ :·!,.,)' .. _ , !'I,~,·~ ,;.,.\. ,,, ,~; ,', · .' .:'-':', : . ~.: 'I) ; ~.; .;: -. ' : ,'I, ,:;_ .,j'~,-, 1''::1.) oIl) :.;; ~.", ", ;:.,~ ., .. ' • , .. •• :.: ' ., ,,:'" :, ~:.'" '. , 'I.;". , ~ "~l"."\':"":, .' ,-;-. ". :,' . , :,,,',, ',-.. " ' : '., \, .. ':, .• .• ' )' '" ,:,:'".,;' , . " '~r:; " .... ·. ·.~ .. ""A',""; , .. \ .... " ' .~;.
, .;' ,., ;, I.; ,," "~:.'''~·1, ;;-" '.~) J' :': :01> H! .... .- ; "-~' .• :: ., .. "":, .• '->\ "' ; f'~I'·'·'."I!" ;"·~';:'~i.·!.·",, , .. ,,:{. ~';"
.. ' , .f·' _··\' .v " '~''''',f,·''',.~,:,. ,'·I.;''; <' ·''';':' , ·." , .-.!.-n ''' ., :", ... ",:", '-,~ ·,, -',l·.'-'<'{J·,
:.0::;;" '.;;
. ,'.-.! .'., 'I:'~ "' ''''r "";-""'''' ' .'';' . .,;~.~,, " .' N' , .. ,. ""' , ~ ~', :' i,';,~ I; " ,-: '''';' ~'."-" l~ I d.1 ),o'!~; ';.'" . . .... , .•• ".,_~ ..... , • :'," :'.-':." ,_.
~-"" .). .. ·"c':,; '.' " .... , r ~.:.;;~ •.. ~. -'If ",.'.,:", ;",'{,:-.'1 •• '.' ~, .. ; .• , '" . ~.
· '.-- _ ... ." ·;·'~'\;"; r"';,~,:'I-(),-w,"o1, ' $· .. ~:n.~ '::"·,"'" ;'.::,";". t .1 '. : ',"' ',.: '" I.':' ,t: ::':"i "~"':'''''' '' t .. (. V.,;: .... ,~ ,\,. l.-;\f'-'.-r; •. ,,;.,; Y, .... ~ : _.
" " .: ,:-;\: - . "~:_:'" -,' , ' . '~ " ',',t ..... ,' :.' ';0 r.'';' .1,,, .. .. , .' •. : ;,... .. ~'>Y'V''''' .! ~":,;;. : ... ;. I~,~·;~.,·::;~,.y,',,": .. ~ i ."" 1'.# ."":"": ·.i·· .. ' ~'-i ~~'-
'." : i:.; ,f'-{ "<i ~. ",'" n,:·~ .'~ ':·::t.1'~I· '. ,.:' .~., 0:" ::;.~ . .. " • ~~'" -, .. .. \" ••• ' :~ " '" -y. i '.:':> ""; ". ; ": '.,:; ,. 1 .... . ··,'1 ... ·',·
., ',' .. _' "',.,; ",' '~.' ~., '.~ .' ~I'''_'.:!'' v. ', .>.t •. ~."" :,. ,,(.~"., ::. '_ ,', '_.' '. ~. , I ~. " ",!,·, . ;' 'Nor,', .; (1.. ·" 'h.O",,~, li", ... , I .I.' ,;,0 :fJ
<~ ~ " .' . : ·~ ":ii't.~ .. · ... l,~' , ,~;"j)'( ''' . ~ k·,,,.,.:I, 11!! ~ .. ,! •• ,~ ; .~!; "1 " ~~,~ . :,. •. ..,: r. ,~: :'.: ; ; ,.·::..l' .... <·,~:;.~:;lI'"'~HX:J: ... f.f.' ....... '-l.U" '10" ,<' '. ~, r _!."1_ ":'\J',V; !,:i~'.~ :J.I.'I:.o'!.~( 'll • " y.,;(J'}.~ ;:~ .lf;<'-i"j"·L, /.; , .: :.:
.~ , :; :':-t , N~'.'" U;':,.:i';";'"ri!l:,t.:K. :....Jo. ,\'7<_~" ,~.H>';"in' ;,,,.,,;1(> ,;; , .. ; .. "\ .• ~,, "h ·_ ,·),'.'1I!.t !I" , ,,,,,,,' '' ''''~ ~/, ,.. .... !";¥-nt)) :_ ~>" "¥·'.~"'.;H,,"~ . ~ ·.;'"I.~i. V; i.'I;~·~! .... ,~.W'Q" \ ' 't",,~,I;,>"I." ~""""'~>J.. ~,;~<),,"W')"rr: ,,' , ' ~)~ ~' ...... ;''';1'. '.:;' .II ;:"': :M '.""'':<'jJ! >~Il~.~cr:, ~'.d";', ;>)0:.:;.,
...,~ , " .'.~~~:·'~·:'\:.Ic',. , oJ .' ,\. ) I ~X't_,1\"" t'"',"'.,' .• , .... -,~, •• :,':t. ~ Y,. :; .,";' ;.). ~ .' . .., "'·."I~,,~, '.';'I.", '1.;~-( : .' ,"'~l, .~~ 0:11,1 ,'~.~ .• , :.~;.
.: "":~I • "'.I ,': '_ ' .•.. : ... , .,~1tT-;;~t,: , :.:L' .~ i' ,-,( , '"' :! ·.~'I ~. : r:t.· ... ,':· 'C::. {,~,. . ••. ::" r~' ,.,::,~ I ,,\~"' .• , ;>1_ .... ,' .... ,\ . ,"",-: •. :>':' .... ,,", ~"' , • ',,' ;.,. ~ ". 'r",,, .. :'1 ;"tii ~>Jo,~,~:,~:~):·.; ~''''·I:.c:'l':~'' l'':t{t''''''''·:f'(~' ';"r '~i..- ,,:~"'.,~:::' <1_ l'<tI'h« ~ :>r."1 !"II ~~ :'C);"I!,_" : .,j "~''l:'''~,j'~ ;'f:~: ',J;; .~ ;.;~ ... '. "" !~.:~":: ''''(.~~J),'C, ."tl. ' '''.'¥J ~J ,~'::- '~";''->0:'.' ":.",(':'~T:~" ,«; ~,; .f . :.~:, ' . , ; '.'~·);. ·~~r, '" ,,..,,, :1ti '''~':f ! .' :>'I.,,:J ~.r.:.7. :, t :r''':, ,:;,t :if, I ' '<:;."'. ,. '_'." [ ;: "~ I" " f-<! ;~11 ;0, .. -;,,:1" 0:"""; "'<:"" .• ~' ;;. ,~! 1'" "
'. ~,:", '", ;0 , ... :<>1' " ,~ ... , 1,!,J.';-;'~' "" ~.; -,,~ , ";,,,~y~ :~'~1 " '::"~"_
' _'~ . ~~:;, .::';! '.:. :··.~·,~,!".:,l : ". k:.'t}"<'J"...:/o":<:.' .• VI-;'''')';-'' """ : /:;,: , .. ~"..:,.~.;>/-, .. :, •. ,W;,";,'_~,(f",-,{((,~ .• , ., :,' . . _' ., " " "'~~\ r :_.~., 1";" : .t,,';.t~'" \<~ >. . I-;_~I ',":., .';
, ' .- , :.~ , '''~ ;n' [;.~. ,,:/ Yo, '~"/ '~'J' ~:".l<,';!' .... " k' : ."'~ . ,<,-",,, ~" '\ '\ ,11'; :. "" , .c,:, ·l:.f;'·· ;. ~ .' .. ,,:.,s.; " .) ''';~'' ' ... '''1~II';'·:Il; ~':~·': , ' ~" '.~' ;.'- ~\ •• I.~·N' .,,':;;,.'.;.' ' :r.-:::~,f:,·Xii':'M!~·"'::'~""'~'h~ ~J"-;A\" I,.~, •• \ ' :" .:oi \o.' 1:\ :-'"(~''''~.:I,~ :'''' '-n·' .:.,.!,'"f." 111 •. .-~ .~!,i.l · :A'Y. ::--': :'
.) ."" """';"',i " "'c'" 'i .~.'; I, .. ~~· .... ' ,0:, ' . 'tN ;, ,!,< .'~i'''"".' ~~,: ,.:. ' ~".'" _,,;~ " ~. ~"""'f~":-" ~) ,~· .. ·""r , ',,, ,I",.,' ~ ... ",. \', "
" " • " I ' t · , .'''1>'.' , ·11,;.~ ., ..... ,,: .• 1 '.1-1' ~\-'~~~~',;::.' .''''' .' ...... ' .. , .~_':, 'f·_" i ....... ·;., : .. ..:.,:-._%,: , ' ,';'\1" t\o''I''I''~; ',1. ;.J,,":I •... , - ,.' .. ·~"~I,Y.,,,,,,-,,,,,"~:tJ"-, , .1~'v''11.-l '·'"~'''''''''''''''·
, .•.. H;l:;~r', ';< ' N".' W·"~ .. , 'J""""'~:"":;t'~"r>:._,,,>.r"; ;
'.' .. ", ," ..... ' .,."" ,~ ,¥o''''; ' <, .... / ,-~,r. · .• I':,o.,) .) IJ •• , .' 1<' ~:' •• ·'IM";·I '-" .. _ ~ ,.'1 " ~\··.I\'h.V:::·"'''''' '~ ,: .• • , l·~;:~",.,·,1}, flI:I.' ...... )"'.'1 'fflr ';" ~w.,,,=,, .. : .
::.
.... r . • -, ,k"':;'-,.I.;;.-n.:I.;1 I . \>t.."',,., ~ ,'.,11''''.''1 ,".>l:':\"'T,,, N V""; '. ,
.-::, .- .: ';' ··"l-:'''.'fI ,.~. ,1 :::';,(h;o,.' r.u .. ..-,I J.;;,o~"1 C(" '} . :(:;.;" •
. . ~" '-(!'·'-·h';::'C""'.'l;ll~': .. • •• n ).-O<~' ;:'··~.':'';'''''J '''U:'''' ,.1:C r'",: ., '",: .. \",.~, ",.'<':': ." ':' .i'I::~'-:!h:"': l ·i'¥t~ ~~".v,;£.i'l,,· .. ·.>"'I':I:' ,-' "'.,~ " ~",,-"'.,;~ :v,.~, 'I,LJI ': O!. ;""",., ." ~""I'>i:""~\."9J '1"";":~" '~I~rt,f.)~ , ,." ~ , {(. "ii ~>.u I,1,:I<::n ..... , »r·'I';-,\~v?o!r..~;~""" ~ '
, •.. : ,(,(,.,.1';:".\,,: "!x.,?,"';li'lvlf"':"';lJl!;"'_·'\l"~-'I': W.';'O,· ·.>' ,,~
;. ' ';,; .. ,:, :1', _,,,: ~' ; h':"."'~::;"'::""" ; '·."::;..' iltl1 : ,tc· \ : 'I'N'::,': '.-:,.'.'
I; '~.~';". , ..... !~J"I :-( N ~,! ... :~<,,-,,;.y~ -" t o"';," .JH1'iO'; ' >:,!i"",I<';, ,1 ,-.~ : · .... iv" · "' _/W"" / , '.>:;, ';-''' :.:''''_''~' ' ; 'j:J. , ."'" ......
u;; (". , I"" .,;, tI·, I ,;' ft ' .': ' ~." , ,}I\ '· '-"'1':" :" , ;-, ·.<Il~>.,r;.!· ~ :';:'",-, ,:,'':-';\ ">r . '.~-h·;·;, .:), ''',<'': , '. ; ,h.J.!f.' "(r.,;,:.".].' ;
I .'",n~, "';':."» mf,,'!'J I."I,,",''''-.:.,,';:~ iX .. ',.':" ,.:;.. ·'t.'.l.·:·i~ ','·"(' r..". , , ..... ~;. "~:"'!' M i , .:-.: ,I~,,"l,~ ,:1<.', :-:.:"'; : ... ",-, \": •. "'~;"'!. ; ; .
; ;'- ; ' , ~'.\.~ ," ' 1-.; ;' .. :(): .1:.-;\';"1; ,;· ...... r-r::,J;;t.+ . . ,i:.,.~(j'J':<;I, "
.; ,) ··,_'i~,'.f .. \",:,>.,(' ;;'c:i',·.""~!.,:·"'. ";_' <; : '>'''~ '-:, >, .• .. '1 .'\.' ~. :~I.;·" ·:'; "'·;r .. '.'~'v:;M';"'~?~·:, ." \ " ~'
• " " . , . _"1"'_ '( ....... ..,.-.. ! 1';-, .. ··, :;o,::;·';,~.\·N'-'.r:'" f"·,,.:, '.' '} . :";- .. ' ,. "'.!' ,1 ,,-.~~ I .,~:, ' I-v~",.~, r .. ( ... ~ r;:;:,~,"~ 1;.'.1 , ," ;
' .:J ' ... , .• ~.~,~.,. A.1"' . .-.. , .. ~ ... .,. ... ·,:": • .'i:·,, .. " ·,,>,·.
.... :. "
. _ ;: ... ,.:: .... ,' i·i·'·;':.).·~":\,"1:;:""" "'·;"'·"'·· ''''''''' ~ ''~ ,~ "~" .. 'c'''''':( ~ ... . ,.,,,~ ' WI.n<':''>:1'<)o ~;'l<>:1m',"-'¥l.~, ' .~. ,,' ',.~.' ;~' .~1" · "-; .... "'·,n''-·:'1 ?>~.'~:;'~·':'-':·:I:l~" !'-r.,,~,,\,
"'( ,~-:_, ... ,'d X'1.';'. - , :':; ;~~;~:' "'" ·l'a":r-if.' ;-'.'H. t~f"'~~~i ~ "';. 0 , .'.: '; "l~""'. ;,~ :" \,·,.r·' .1 '.' '~.;':'.,"";':. , r.:"~.'~"l-:'''' r,.F.:iV, ~n::~':''> ;' :,::;"," .-, ~ .. , ,"" ,(' "!f .,t .. r:,,·:::. i: !r! :!;~:';:;' :'" \l1i l(:3<h .<~u.;:'·W:lw " , :,.;- ._ ,~," ...... , , .. , ~"!~ •• '~';', , -<~T, ~ ~ .., .... ;:.;,:.., , _ r· , ':;~' .• I,"·""· ..~ ,. " • .'.' •• " ,Jo!,' ,-. ... ~."".~.<")<-"' .•. ~'''; ... (") I.~ ,,·,,;. .,.' ~?". , . . '; .~; ... " .. ~., "( '.1 ,' , .• : ." .,,,; • . :l ,~~v,,_!.;:,l1',~ .... Y.',,;~. , '.", • ~!';"'.i"i:4.'h' .. ~i, ,,;' ... r".:'. ;Jt ":;',,~,. " .," .. ~ ... . ;0:; ,·" •• '" .:'.-1,
... . ~" . ; .. ( ';'.,,<, .'~:""''-'~'~'.:' :,"'·¥ 'As",.C ;\:<" .;",,;·, . J "'(~i;1.'-;; i'('~ !,.. :."''" 1'-'':~ .... ·r', ,I • • ;'-''' ",;': 'll'"','.11".!;lt"":~ ~·".";;"-··i .< .. '"r; .. 10 . , .. / :' t.'iH:.l.:!. "1'; , ' .. ;
'''.~ . ,,~, .. ' .• ;',," ... , ,,~,:.~,,~;'.l ': ":('.' ~ , : , •. ~(~.:->~~.-,. 0-,.-," __
'!',-".' .~ , .'.\I>' .. , . ." '.-"l"/"',' ...... ', .. ,. i->«I,",j' ".r."" , .. ,,,' .. .• ~,;. : , ,-r.:.;; ~ '~I'-':·k',.,,>.(~,,,,,;_,, 'i', ~ .""(.-:: .. >1 ";-; '' ' '' .
. ;, .. i " • ,-,.,." '" " '::-. " .. "'so ) .,j, : ... :,,,,, , .• ~~ ,,; . ..,~ . i: " t'f,l~. ~.,.. •
"i' -.. , ," .;' .. : :N,\ ; '-': .~"-1' J'o1:~ ' J,''':''''''':,(/' •. ~ . ;);.~.,: " .'''' (J;"> -" '" I "
,;', .~; '.~--:~;:. :: .. .t;~ ~,~~~~';4:~ > ;~::t;:;~:::~~;~ ~~':i;,;~:~~~""" , .... ' " ' . . ;-:. ,_./: .; .• ·"9!.··~' I:i""""."t: l :" ., ~ ",-: .r·' ,,- ;',:
I. """. ,~:,,,~·.·:"-:''''· ';\':'; l ·'''! ?.n - .'._"".V!!,·· >.~;." "'c', ,, :, ". __ :·1. ':'.' ;::1. :r . '. " ~, ,_, , , ,; ',;! •. t.',,'.·,,' '.' ~ ~', ':.:
August 2013
https://xkcd.com/538/
“Actual actual reality: nobody cares about his secrets. Also, I would
be hard-pressed to find that wrench for $5.”
TLS v. 1.2 and below have had a lot of vulnerabilities
• Early versions of SSL developed before cryptographicprotocol design was fully understood.
• Later protocol versions retained insecure options forbackwards compatibility.
TLS 1.3 is being deployed now
Developed over several years as a collaboration between
cryptographers from industry and academia.
Standardized August 2018 by IETF.
Major differences from TLS 1.2 and below:
• RSA key exchange removed.• Protects against passive decryption attacks.
• Only secure Diffie-Hellman parameters allowed.• Protects against attacks exploiting bad choices ofparameters.
• Handshake encrypted immediately after key exchange.• Limits the amount of metadata visible to a passiveeavesdropper.
• Protocol downgrade protection.• Protects against protocol being downgraded to priorinsecure versions.
TLS 1.3 deployment difficulties
TLS 1.3 deployment is slower than it should be.
Major reasons:
• HTTPS proxies extremely common in industry.• Many of them rely on RSA key exchange to makepassive decryption and traffic analysis easier.
• Removing RSA key exchange breaks all these boxes.• Man-in-the-middle hardware is also quite common.• Bad implementations have hard-coded values like TLSversions and there is no way to update them.
The “crypto wars” and the historical development of TLS.
International Traffic in Arms Regulations
April 1, 1992 version
Category XIII--Auxiliary Military Equipment ...
(b) Information Security Systems and equipment, cryptographic devices,software, and components specifically designed or modified therefore,including:
(1) Cryptographic (including key management) systems, equipment,assemblies, modules, integrated circuits, components or software with thecapability of maintaining secrecy or confidentiality of information orinformation systems, except cryptographic equipment and software asfollows:
(i) Restricted to decryption functions specifically designed to allow theexecution of copy protected software, provided the decryption functionsare not user-accessible.
(ii) Specially designed, developed or modified for use in machines forbanking or money transactions, and restricted to use only in suchtransactions. Machines for banking or money transactions include automaticteller machines, self-service statement printers, point of sale terminalsor equipment for the encryption of interbanking transactions.
...
Timeline of US cryptography export control
• Pre-1994: Encryption software requires individualexport license as a munition.
• 1994: US State Department amends ITAR regulations toallow export of approved software to approved
countries without individual licenses. 40-bit symmetric
cryptography was understood to be approved under
this scheme.
• 1995: Netscape develops initial SSL protocol. Includesweakened “export” cipher suites.
• 1996: Bernstein v. United States; California judge rulesITAR regulations are unconstitutional because “code is
speech”
• 1996: Cryptography regulation moved to Department ofCommerce.
• 1999: TLS 1.0 standardized. Includes weakened “export”cipher suites.
• 2000: Department of Commerce loosens regulations onmass-market and open source software.
Commerce Control List: Category 5 - Info. Security
(May 23, 2019 version)
a.1.a. A symmetric algorithm employing a key lengthin excess of 56-bits; not including parity bits; or
a.1.b. An asymmetric algorithm where the security of thealgorithm is based on any of the following:
a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA);
a.1.b.2. Computation of discrete logarithms in a multiplicativegroup of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
a.1.b.3. Discrete logarithms in a group other than mentionedin 5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellmanover an elliptic curve);
...
a. Designed or modified to perform ?cryptanalytic functions.?
Commerce Control List: Category 5 - Info. Security
(May 23, 2019 version)
2.c. An ‘‘asymmetric algorithm’’ where thesecurity of the algorithm is based on any of thefollowing:
2.c.1. Shortest vector or closest vectorproblems associated with lattices (e.g.,NewHope, Frodo, NTRUEncrypt, Kyber,Titanium);
2.c.2. Finding isogenies betweenSupersingular elliptic curves (e.g.,Supersingular Isogeny Key Encapsulation); or
2.c.3. Decoding random codes (e.g.,McEliece, Niederreiter).
Technical Note: An algorithm described byTechnical Note 2.c. may be referred to as beingpost-quantum, quantum-safe or quantum-resistant.
US Politicians on Cryptography
“The government must be wary of suffocating [the
encryption software] industry with regulation in the new
digital age, but we must be able to strike a balance between
the legitimate concerns of the law enforcement community
and the needs of the marketplace."— U.S. Vice President Al
Gore, September 1997
“Because, if, in fact, you can’t crack that [encryption] at all,
government can’t get in, then everybody is walking around
with a Swiss bank account in their pocket – right? So there
has to be some concession to the need to be able to get into
that information somehow.” — President Obama, March
2016
“To think that Apple won’t allow us to get into her cellphone?
Who do they think they are?” — US Presidential Candidate
Trump, 2016
Deliberately weakened cryptography in TLS
• SSLv2, SSLv3, and TLS 1.0 included options forweakened cryptography to comply with US export
control in the 90s.
• Browsers outside the US were supposed to requestweakened cryptography, and those in the US were
allowed to request normal strength cryptography.
• Browsers were updated long ago to never request theseweakened options once US regulations changed.
• Even though the political situation changed, manyservers never removed these options.
• 2015–2016: A series of academic, mostly impracticalattacks (FREAK, Logjam, DROWN) show that even
current browsers at the time could be vulnerable.