36C3 preroll music
Herald: Now for the next talk, he has
worked for six years in the field of
cryptography for the uni Karlsruhe - Oots.
Applause
Oots: OK, so thanks for the introduction
and welcome to my talk. As our Herald just
said, I've been working in the area of
cryptography for the better part of the
last six years. And I noticed that many
people today have kind of a mental image
of what cryptography is and what
encryption is. But sometimes this mental
image does not really coincide with what
is actually going on. So I wanted to give
an introductory talk to cryptography that
is available to a broad audience. So to an
audience that does not have any prior
exposure to cryptography and maybe even to
an audience that does not have a
background in maths or computer science.
So as I said before, this talk is
specifically aimed at a non-technical
audience, even though it's 36C3. We
probably have a fairly technical audience.
And this is a foundation's talk. So I
will not be speaking about fancy research
or cutting edge results. I will be talking
about the plain basics. Okay. So apart
from working in cryptography, I enjoy
doing applied cryptography, number theory
and pwning, so exploiting all kinds of
memory, corruption, bugs and programs.
Okay. This is a picture of my parents'
cat. Just because every talk should have
pictures of cats in them. And this is –
applause Thanks. So this is my checklist
for this talk. The first item I think we
already did that. And so for the remainder
of the talk,
I want to explain what encryption
is, what it does and what it does not do.
I want to explain authentication, which is
some ... which fixes a problem that
encryption does not solve. I want to
explain certificates because they help a
lot with both encryption and
authentication. And in the end, I want to
explain a little how the things that I'm
going to introduce work together and can
be combined to build more useful things.
Okay. So let's start with the first point
here. I would like to explain encryption.
So encryption is basically a solution to a
problem. So let's talk about the problem
we have before we get to the solution. The
problem here is or one of the classical
problems is that two parties want to
communicate. So we cryptographers commonly
call them Alice and Bob and Alice wants to
send a message to Bob. So in this case,
it's just a very stupid message. Just a
simple hello. But cryptography has been
used in diplomacy and military for
hundreds of years. So imagine that this
message is something more critical. And
the problem we want to solve is that there
might be an eavesdropper who is wanting to
listen in on the connection and read the
message, read the content that is being
sent from Alice to Bob. And what some
people think how cryptography works is
something like the following, which is
kind of close to the real thing, but not
really, is that Alice applies some kind of
encryption procedure to her plain text
message to produce some random
unintelligible gibberish, which we call
the cipher text. And then Alice sends the
cipher text to Bob. And Bob has the
decryption procedure, knows how to
decrypt. So to invert the encryption
procedure and recover the plain text
message. And now the point that some
people get wrong is some people think that
the knowledge how to decrypt is actually
secret. But that is not true today. So in
1883, a person named Auguste Kerckhoffs
formulated a couple of principles that
ciphers used for military applications
should adhere to, and one of these. And
one of these requirements became well-
known as Kerckhoffs principle and it
reads "A cipher should not require secrecy
and it should not be a problem if the
cipher falls into enemy hands". So
rephrasing this a little, the cipher that
you are using should be secure
enough that you can even tell your enemy
or the attacker how the encryption process
is working and how the decryption process
is working without harming the security of
the encryption. Or to rephrase this yet
another time, if the cipher you are using
is so insecure that you cannot tell anyone
how it works, then maybe you shouldn't be
using it in the first place. So let's get
back to this image. So now, if the
attacker knows how to decrypt the message,
then obviously this very simple scheme
does not yield anything useful. And so
what people did is people introduced key
to this image. So now the
encryption procedure and the decryption
procedure use a key which goes into the
computation that is going on. So Alice
does some kind of computation based on the
message and the key to produce the cipher
text. And Bob, who has the same key, can
invert this encryption operation and
recover the plain text. However, as long
as the key is only known to Alice and Bob,
but not to the attacker, the attacker
cannot use the decryption procedure. So
one general word here. I will not go into
the details of how these boxes operate.
So within these boxes, which represent
computations, there is some math or
computer science going on. And I would
like to not explain how these things
operate internally in order to keep this
talk available to a broad audience. OK, so
a problem that we have here is that Alice
and Bob have to agree on the key in
advance. So Alice cannot simply send over
the key to Bob, because if she did, then
the attacker who is eavesdropping on the
connection learns the key as well as the
message, and then the attacker could just
decrypt the same as Bob. OK, so this does
not work. This is a terrible attempt. So
for quite some years, actually, until the
70s and 80s of the last century, people
were only using this scheme. And this is
what we call symmetric encryption because
we could just flip the image around and
Bob could be sending a message to Alice
instead because encryption and decryption
uses the same key. And if there is
symmetric encryption, you can guess there
is something else which is called
asymmetric encryption and there is ... for
asymmetric encryption, there is a pair
of keys. One of them is used for
encryption and one of them is used for
decryption. And now if we have an
asymmetric encryption scheme, we can do
something like the following. So Bob
generates a pair of these keys, one for
encryption and one for decryption. And he
keeps the decryption key to himself. This
is why the decryption key is called the
secret key. However, Bob can publish the
encryption key for everyone to see. So,
for example, it could be put in a kind of
public registry like a phonebook or
whatever. And now Bob can send his public
key to Alice and an eavesdropper who is
listening in on the connection will learn
the public key, but that's not a problem
because the key is public anyway. And now
after we have done this, Alice can use
Bob's encryption key to encrypt her
message and send that over to Bob. And now
Bob can decrypt the message with his
secret decryption key. However, the
eavesdropper here cannot simply decrypt
the message because even though the
eavesdropper has the encryption key, it
does not have the decryption key and thus
the eavesdropper cannot decrypt. Okay,
however, this solution is still kind of
risky. There is still a problem with this
and it is we still have to make sure the
keys are distributed in advance. Okay, so
if we used this simple scheme where Bob is
sending his public key to Alice, then
there is a problem. If the attacker is not
simply passively eavesdropping on the
connection, but is willing to actively
interfere with the connection. So, for
example, the eavesdropper might intercept
the public key that Bob is sending to
Alice and replace it with his or her own
public key. And then Alice would think
that the key she received belongs to Bob
and use this key to encrypt her message to
Bob, and then suddenly the attacker can
read the message again. So at this point,
let's summarize about encryption, so
encryption conceals the content of data.
And this is pretty much what it does and
pretty much the only thing that it does.
In particular, it does not conceal the
fact that there is communication going on.
So an eavesdropper who is listening in on
the connection obviously can see Alice
sending a message to Bob. And thus the
eavesdropper knows there is communication
going on between Alice and Bob and this
alone could be quite dangerous for Alice
and Bob. So imagine if Alice was working
for an intelligence agency and Bob was a
journalist and the attacker sees Alice
sending lots of documents to Bob, then
this might be a strong indication that
Alice is a whistleblower and Alice could
be put into jail. So something more
that is not concealed by encryption
is the amount of data that is being
exchanged. So if Alice is sending just a
very short message to Bob then the
eavesdropper can guess that the message
that is being transferred is not a 20 GB
file or something. So all this kind of
metadata is something that encryption does
not conceal. And there is a couple of more
problems with encryption. One of them is
that the attacker might change the
message. Protecting from changes to the
message is not the job of encryption.
Another problem is that keys must be
exchanged in advance, which I already
talked about. And there's more problems.
So, for example, an attacker might simply
record a message when it is sent. And
later, just replay this message to Bob. Or
an attacker might go ahead and block a
message altogether. So intercept the
message and throw it into the trash to
make sure it never arrives at Bob's site.
Okay, and the first problem here, an
attacker might change the message which
actually leads me to the second part of my
talk, which is authentication. So on my
talk checklist, let's mark encryption as
done. Okay, so now what is authentication?
Authentication enables the detection of
changes to data. It does not prevent
changes from happening. It only enables
the recipient to detect the changes after
they have happened. OK. So, for example,
or one example where something like
authentication was needed is when Alice,
um, when Bob was sending his public key to
Alice, but this is by far not the only
scenario where authentication is needed.
So imagine if Alice is running a
charitable organization. So, for example,
she's saving refugees from drowning in the
Mediterranean Sea. And Bob wants to donate
to Alice to help her do that. Then Alice
has to send her bank account number to Bob
so that Bob can make the donation. And
notice that in this scenario, the message
that Alice is sending to Bob, her bank
account number, is nothing that is secret.
It does not have to be encrypted because
this information is public knowledge.
However, we do want to make sure that the
message that arrives at Bob is indeed the
correct bank account number. So to prevent
something like this from happening where a
criminal might intercept the message and
replace the bank account number so Bob
would send his money to the criminal's
bank account instead of Alice's. And one
way to realize authentication is, again,
by having a pair of keys, one of them is
used for authentication and one of them is
used for verification. So checking if a
message has been changed or not. And the
authentication key must be kept secret.
Thus it is called the secret key, whereas
the verification key can be made public
and it is called the public key. And now
if you have a setup like this, then Alice
can go ahead and take the message that she
wants to send to Bob and apply some
computation to it together with the secret
key, the authentication key to produce
something that we call a signature or a
digital signature. And then Alice sends
this signature over to Bob along with her
bank account number. And Bob will take the
signature that he receives and the bank
account number he receives and apply some
kind of computation to them to... and this
computation will determine if the bank
account number has been changed or is in
fact original. So if the attacker changes
the bank account number, then Bob will be
able to detect this change by checking the
signature. And this holds even if the
attacker does not only change the bank
account number, but also the signature.
Okay? So these things are designed in a
way which hopefully makes it impossible
for any attacker to come up with a valid
signature for anything else than the
original message. OK. So the only thing
that Bob will ...the only way that Bob
will accept the signature is if the
attacker does not, in fact, change the
bank account number. And in this case, it
is safe for Bob to transfer the money. OK,
but here. OK. So here is a different
solution to this problem. And it's
actually pretty much the same, except that
now we have just a single key which is
used for both authentication and
verification. And in this case, things
simply have a different name. They work in
exactly the same way, except that the
signature is called a message
authentication code or a MAC for short.
OK. But in both of these scenarios,
whether we have two distinct keys or just
one key, we still have the problem of key
distribution. OK. So imagine if in the
segment a scenario with two keys, Alice
was sending her public key to Bob, then we
would have the same attack as before,
namely the attacker could just go ahead
and change the key that Alice is sending
to Bob and exchange it for his own key.
And so if the attacker is sending his own
public key, his only… his own verification
key to Bob, then obviously the attacker
can create a valid signature for his
forged bank account number.
And Bob would accept this. OK, so again,
we have this problem of key distribution,
which is that the verification key must be
known to Bob in advance. OK. And this
leads me to my next... the next section of
my talk. So let's mark authentication as
done and go on with certificates. So a
certificate is a document that confirms
that a specific public key belongs to a
specific entity, for example a person or
an organization. And if we want to use
certificates, let's just go back to the
sender scenario we had before. So Alice
wants to send her bank account number,
her public key and a signature for her
bank account number to Bob and an attacker
might change the public key and the bank
account number and the signature. And now
if we add certificates into this, we need
to add something that we call a
certificate authority. And this is a
trusted third party, which will create
certificates which confirm the association
between a person and a public key. So
before Alice is sending a message to Bob,
she will walk up to the certificate
authority and say "Hey certificate
authority. This is my public key. I'm
Alice. Please give me a certificate."
And then the certification authority will
check that Alice is indeed Alice and that
Alice indeed owns this public key. And if
Alice passes these checks, then the
certification authority will create a
certificate and hand that to Alice, and
the certificate is just a document which
says that the certification authority has
verified that the silvery key here on the
slides belongs to Alice. And now once
Alice has the certificate, she can just
send her public key to Bob together with a
certificate. And then Bob, if he knows the
certificate authority's public key can
check that the certificate is indeed
correct. So it was indeed created by the
certificate authority. And if he trusts
the certificate authority, he will know
that the silvery key is, in fact, Alice's.
And then afterwards, Bob will be convinced
that the silvery key is Alice's and he can
check the message that Alice is sending to
Bob and make sure it has not been changed.
OK. So we're not completely free from the
key distribution problem yet, however,
because still Bob has to know the public
key of the certification authority in
advance. Okay. So Bob does not need to
know Alice's public key in advance, but he
needs to know the public key of the
certification authority in advance. And in
practice, there's not just a single
certification authority, but there's a
whole bunch of them and certification
authorities can even create certificates
for other certification authorities and so
on. So now Bob does not have to know all
the public keys of everyone he's
communicating with, but he only has to
know the public keys of a couple of
certification authorities. Okay, so let's
summarize about certificates. So as I said
before, certificates confirm that a
specific public key belongs to a specific
entity like a person or an organization.
But we're still not completely free from
the key distribution problem because
people have to know the certificate
authority's public keys. And another
problem here is that this scheme gives an
enormous amount of power to a
certification authority. So if an attacker
can compromise a certification authority,
then he could force the certification
authority to create fake certificates,
connecting fake keys to real identities.
OK so he could create a fake certificate,
which says that the certification
authority has checked that the attackers
public key belongs to Alice. And fixing
this problem about the certification
authorities' power is something that
cryptographers are still working on. So
that's still a problem today. And in fact,
this problem is not just theoretical.
There is a number of incidents that have
happened with certification authorities.
So one famous example is the "Diginotar"
case where in fact a certification
authority named Diginotar was hacked and
the attackers created a fake certificate
for a google.com domain or one of the
other Google domains. I don't exactly
remember. And then these certificates
showed up being used in Iran. OK, so this
is not just a theoretical problem. This
has, in fact, happened before. OK, so this
concludes what I wanted to say about
certificates. So let's move on and see how
these things can be put together to build
more complex but also more useful tools.
So one of the tools I want to introduce is
called authenticated encryption and it's
basically a combination of encryption and
authentication. So for some reason, people
use this phrase mostly in the symmetric
case where there is one key for encryption
and decryption and one key for
authentication and for verification.
But you could pretty much recreate the
same scheme in an asymmetric fashion.
And that is also being done in practice.
In this case, people just don't call it
authenticated encryption. So one way to
build authenticated encryption is so if
Alice wants to send a message to Bob, then
she will encrypt the message using the
encryption key and send the cipher text
over to Bob. And then she will use a copy
of the cipher text and compute a message
authentication code from it using the
second key that she has. And then, Bob, as
Alice is going to send over that message
authentication code to Bob, too. And now
Bob can decrypt the message using the key
he has. And additionally Bob can check if
this message has been changed or whether
it is original by using the verification
procedure. OK, so again, this kind of
authentication does not prevent changes
from happening. But Bob can check whether
a change has happened. And in fact, this
kind of authenticated encryption can
actually boost the security of the
encryption scheme. OK, so another thing I
wanted to talk about is called hybrid
encryption. And this is the combination of
symmetric encryption and asymmetric
encryption. And the reason why this is
interesting is that asymmetric encryption
is usually quite slow compared to
symmetric encryption. So if you wanted to
send a very long message to Bob and you
only had a public key encryption scheme,
so an asymmetric encryption scheme,
then it would take a very long time to
encrypt the message and to decrypt the
message. So however, you can combine
asymmetric encryption and symmetric
encryption in a way that makes the
encryption process faster, and the way you
do this is so if Alice wants to send a
message to Bob, Alice first generates a
new key for the symmetric encryption
scheme. And Alice will encrypt her message
with this key and send the cipher text
over to Bob. And afterwards, Alice will
take the symmetric key that she has just
generated and encrypt this key with Bob's
public key, and then that is sent over to
Bob as well. And now Bob can decrypt the
symmetric key using his secret decryption
key - the kind of golden one here on the
slides - to recover the symmetric key. And
afterwards, Bob can use the freshly
recovered symmetric key to decrypt the
actual message. However, an eavesdropper
listening in on the connection cannot
decrypt the message because it does not
have the symmetric key and it cannot
decrypt the symmetric key because it does
not have Bob's secret decryption key. OK.
So you can continue to build on these kind
of things and what you end up with is
something called transport layer security
or TLS for short. And transport layer
security is a network protocol that
combines much of the things that I've
introduced so far. So it combines
encryption either symmetric or hybrid and
it combines it with authentication. So
MACs and signatures and certificates and
all the other things. And it adds in a
couple of more things to detect replays of
messages. So if an attacker was to simply
replay a message recorded earlier, this is
something that TLS can detect. And TLS
can also detect if a message has been
suppressed by the attacker. So within a
connection. So what TLS does is it kind of
establishes a secure connection between
two entities. So say Alice and Bob over an
insecure network which is controlled by
the attacker. And one application where
TLS is commonly used is for sending
e-mails. So, for example, when you're
sending an email from, say, Alice wants to
send an email to Bob, then the e-mail is
usually not sent directly. But Alice sends
the message to her own email server and
then Alice's e-mail server will forward
this email to Bob's e-mail server. And
when Bob goes online and checks his
e-mails, the e-mail will be downloaded to
his device like his phone or desktop
computer or whatever device Bob is using.
And while Alice can make sure that when
she's uploading her message, her e-mail to
her own server, that this connection is
secure just by encrypting the message. So
essentially using TLS and all the things
that involves like encrypting the message
and authenticating the message and so on.
However, Alice cannot check if her own
e-mail server also uses a secure
connection to forward this e-mail to Bob's
server. OK. So let us take a more detailed
look here. So each of these green locks
signifies a secure connection. This means
that when a message is sent then or each
time a message is sent over a secure
connection, there is some encryption and
authentication going on on the sender side
and some decryption and verification going
on on the receiving side. OK, so if Alice
wants to send an e-mail to Bob, then Alice
will build up a secure connection and send
the email over it. And this will involve
encrypting the e-mail and authenticating
the e-mail. And Alice's server will
decrypt the e-mail and verify that this
has not been changed. And then Alice's
server will forward the e-mail to Bob's
server, which involves, again, encrypting
it and authenticating it. And Bob's server
will decrypt and verify it. And then
again, the same process repeats when the
e-mail is sent or is downloaded by Bob
from his server. However, in this case so
even though the message is encrypted every
time it is sent over a network, it is
known in plain text by Alice's server and
Bob's server. Right. Because Alice is
sending the message. So she is encrypting
it and Alice's server is decrypting it. So
Alice's server can read the message in
plain text. And the same goes for Bob's
server. And this is what we call transport
encryption because the e-mail is encrypted
every time it is being sent over network.
And a concept opposed to this is what we
call end to end encryption, where Alice,
before sending the message, Alice encrypts
it, but not with a key that is known to
her server, but directly with Bob's public
key. And she might even sign it with her
own secret authentication key. And then
Alice sends this already encrypted
message over a secure channel to her own
server, which involves encrypting the
message again and authenticating it again,
and then Alice's server will decrypt the
message and verify that it has not been
changed, however, the server cannot remove
the second layer of encryption, right? So
the e-mail is encrypted two times. One
time was with Bob's key and a second time
so that the server can decrypt it. And now
the server can remove the second
encryption. But the first one is still
there. So, Alice's server cannot read
the e-mail. And then the process repeats,
the already encrypted message is encrypted
a second time and decrypted again at Bob's
server and then it is when it is
downloaded by Bob it is encrypted again
and decrypted again. And then finally,
Bob, who has the secret key, the secret
decryption key can remove the inner layer
of encryption. And so Bob can read the
message. However, the servers in between
cannot read the message just because it is
still encrypted with Bob's public key. OK,
so with that, I would like to wrap up.
Sorry. So I would like to wrap up. So
here's a couple of take home messages. So
the first one is encryption conceals the
content of data. And that's pretty much
all it does. It does not conceal the
metadata and it does not prevent the
message that is being sent from being
changed. That is the job of
authentication. Authentication enables the
detection of changes to data and both for
encryption and for authentication. You
need to have pre-shared keys or are maybe
not really pre-shared keys, but key
distribution has to happen beforehand. And
one way to make this problem of key
distribution simpler is with certificates.
So certificates confirm that a specific
public key is owned by a specific entity.
And if you have all these things,
encryption and authentication and
certificates, you can build a network
protocol which takes care of securely
transmitting a message from one place to
another. And you can apply that to get
transport encryption. But transport
encryption is inferior to end to end
encryption in the sense that with
transport encryption, all the
intermediaries can still read the e-mail
or the message being sent. However, with
end to end encryption, they cannot. And
with that, I'd like to close and that I
will be happy to answer your questions if
there are any questions which you cannot
ask today you can send me an email at this
email address on the slides. I will try to
keep that email address open for one or
two years.
applause
Herald: Thank you for your talk. And now
we would come to the question part, if you
have any question, you can come up to
microphones in the middle of the rows. Are
there any questions from the Internet? We
have plenty of time. If anyone comes up.
With a question, you're invited. We have a
question on microphone two, please.
Mic 2: Thanks for your good talk, and I
would like to know how can you change a
message that was properly decrypted
without the other receiving part noticing
that the decryption doesn't work anymore?
Oots: That depends on the encryption
scheme that you're using. But for quite a
number of encryption schemes, changing the
message is actually quite simple. So there
is a really large number of encryption
schemes which just work by changing a
couple of bits. Okay. So the message is
made up of bits and your encryption scheme
gives you a way to determine which of the
bits to change and which not to change. So
when you were encrypting, you use the
encryption scheme to figure out which bits
must be flipped. So change from zero to
one or from one to zero and you just apply
this bit change to the message that is
being sent and then the receiver can just
undo this change to recover that original
message, whereas an attacker who does not
know which bits have been flipped cannot.
However. So still the attacker can just
flip a couple of the bits, and in this
case, so say the bit has been flipped by
Alice and it is being flipped another time
by the attacker. So the bit is at its
original value again. And then Bob, who
knows how to decrypt, will flip in another
time. So it's changed again. And thus the
message has been changed. And there's a
couple of things you can do with this kind
of with this kind of changes to the
messages so that the decryption simply
does not fail. It just maybe outputs the
wrong message.
Herald: OK. Next question from microphone
six, please.
Mic 6: You stated that encryption does not
cover metadata. Are there any thoughts
about that?
Oots: Any thoughts?
Mic 6: Yeah. Any solution for maybe
encrypting metadata? I don't know.
Oots: So much of this is pretty hard to
come by. So, I mean, for emails, there is
the idea of also encrypting the subject,
which is usually not encrypted, however.
So if you want to hide the length of the
message, what you can do is simply pad the
message. So just end random garbage at the
end of it to kind of hide how long it is.
Exactly. So the attacker will still have
an upper bound on your message length, but
it does not, so it knows that the message
you're sending is that most as long as the
cipher texts you're sending. But it
doesn't know maybe it's shorter. So if you
want to hide your identity while
communicating, you should be going for
something like Tor where you're not
connecting directly to the person you want
to communicate with, but via a couple of
intermediaries in a way that none of the
intermediaries know both you and the final
recipient.
Mic 6: Thank you
Herald: Okay, then I believe we had a
question from the Internet.
Internet: Yes, uh, the Internet is asking,
can you say anything about the additional
power consumption of the encryption layers
on a global scale?
Oots: Sadly, I think I can not. So I do
not exactly know how much power
consumption is caused by the encryption,
however. So in terms of computation, at
least, symmetric encryption is quite cheap
in the sense that it takes a couple of
processor cycles to decrypt. I don't
know. Sixteen blocks or something. So you
can usually decrypt hundreds of megabytes
per second with a processor. At least with
a modern one. So I don't know any numbers,
but I mean you can guess that if everyone
in the first world countries is using
encryption, then in the sum there is a
pretty large amount of energy going into
it.
Herald: Next question. Microphone two,
please.
Mic 2: You mentioned a couple of times
that an attacker might be able to replay a
message. I haven't really understood. If
I'm an attacker, how does this benefit me
that I am able to do that?
Oots: So imagine if Alice is sending an
order to her bank to transfer some money.
And every time the bank is receiving such
an order, it will initiate the bank
transfer. Then as an attacker, that would
be pretty cool to exploit because you once
eavesdrop on Alice sending such an order
to the bank and then later on you can just
repeat the same order to the bank and more
money will be sent. So if you were the
recipient, that would be pretty cool and
you could just deplete Alice's bank
account.
Herald: Then a question from microphone
three.
Mic 3: I was in a talk about elliptic
curve cryptography, and I'm wondering
where it is would we apply now in your
example or in your process you showed us.
Oots: Um, let me maybe just go to another
slide. Um. So typically encryption is
applied or elliptic curves are applied
within these encryption and decryption
boxes. Okay. So there is a lot of
mathematics going on in these
computations, which I did not explain
because I wanted to keep this talk
accessible to a broad audience. But one
way to realize such an encryption
procedure is by using elliptic curves
within these boxes.
Herold: OK. Microphone one, please.
Mic 1: Another limitation I could think of
or how to overcome this is devices like
IOT devices that have low power and
limited processing capability. So how do
you adapt this complex encryption? The
encryption competition for those devices?
Oots: There is some research going on on
encryption schemes that are particularly
lightweight, so particularly suited for
resource constrained devices. But as far
as I know, pretty much all of them have
some weaknesses that came out of them. So
they security wise, they do not offer the
same guarantees as the ones that you use
if you have the resources for it.
Herald: On microphone two, please.
Mic 2: Yeah. Hi. You mentioned the
enormous power that certificate
authorities have in the picture of
certification and authentication. I was
wondering if there I mean, what are the
possible solution or the proposed solution
at the moment? What is the state of the
art on solving that problem?
Oots: So one solution that is currently
being pushed is called certificate
transparency. And that works by basically
creating a public or lots of public log
files where each certificate that is ever
created must be added to the log file. And
so if you're Google dot com or if you are
Google and you see someone entering
Google's certificate into the log file and
you know that you didn't ask for the
certificate, then you know that there is a
fake certificate out there. And so
whenever you get a certificate, you are
expected to check if the certificate is
actually contained in one of the public
log files. Does that answer the question?
Mic 2: Yes. But how does appending a
certificate would work? So, for example,
making sure the certificate is recognized
Alice as legitimate.
Oots: OK. So the idea is whenever you get
a certificate, it will be put in a log
file and everyone who gets the certificate
is expected to check that the log file is
actually there.
Mic 2: So it is the certificate authority
that also pushes the certificate to the
log?
Oots: That's how it's expected to work.
Yes.
Mic 2: OK. Thank you.
Oots: You're welcome.
Herold: Then we have one more question
from the Internet.
Internet: The Internet wants to know can
we or where can we get an authentication
for a PGP key and how to apply it on a key
afterwards. Is there a possibility
somehow?
Oots: I guess that depends. So with PGP,
the common model is that there is not a or
there is not a central certification
authority or a bunch of them, but so you
have kind of a social graph of people who
know each other and exchange e-mails. And
each of these e-mails, each of these users
should authenticate the public keys of
their peers. OK? So when you want to
communicate with someone who you do not
already know, but who's maybe a friend of
a friend of yours, then hopefully your
friend will have authenticated the public
key of his friend. And if you trust your
friend, you can then check that your
friend, in fact, has created a kind of a
certificate for his friend.
Herald: Are there more questions from the
Internet? One more? Yes, please.
Internet: I don't know if it's a question
regarding your talk, really, but someone
wants to know. Would you recommend
startTLS and SSL/TLS in e-mail?
Oots: So as far as I'm concerned, I would
always opt for using encryption on the
outermost layer. So first, building a
secure connection to your email server and
then doing SMTP or whatever over that
connection. So I think directly
establishing the connection in a secure
manner is as is a better way to do it than
with startTLS.
Herold: I believe that what is it, was it
for questions? Please have a last round of
applause for Oots!
applause
36c3 postroll music
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!