serious CVEs are rarely about the crypto
• But the (most widely deployed) crypto trust chain is fragile
• Key pieces of the core Internet network stack are virtually unexamined, and little understood
say:
  o XML parsers (libxml2, Expat, SimpleXML…)
  o Image generators (libpng…)
  o Internationalization libraries (libIDN)
  o Compression (liblzma)
  o ASN.1 & X.509 (everywhere)
  o Middleware core: BouncyCastle, Spring, Struts…
  o Deeper: libcurl, libBFD, IPSec netkey, pluto, l2tp
Introducing TLS Maturity Model
  community.qualys.com/blogs/securitylabs/2015/06/08/introducing-tls-maturity-model
Bulletproof SSL and TLS
  www.feistyduck.com/books/bulletproof-ssl-and-tls
Thomas Ptacek: Cryptographic Right Answers
  gist.github.com/tqbf/be58d2d39690c3b366ad
Mozilla: Security/Server Side TLS
  wiki.mozilla.org/Security/Server_Side_TLS
Initiative (CII)
• Ambitious Scope
  o Independent review
  o Coordinating closely with OpenSSL core team
  o Delayed for v. 1.1 maturity (significant refactor)
  o Diverse, complex codebase
  o Linux, BSDs, Windows, OSX, SRV5 (AIX, HP-UX, Solaris)
  o Intel x86 (incl. AES-NI), ARMv7, MIPS, PowerPC, Alpha…
  o FIPS module
the core code in the next major release of OpenSSL
• Demonstrate viability of a reusable open source test harness framework
• Foster web-scale peer-reviewed public tools & data sets for protocol & negotiation analysis
Sodium crypto library
  https://www.gitbook.com/book/jedisct1/libsodium/details
Moxie Marlinspike and Trevor Perrin: Advanced cryptographic ratcheting
  https://whispersystems.org/blog/advanced-ratcheting
Andrew Gerrand: The State of Go
  http://talks.golang.org/2015/state-of-go-may.slide
Daniel Stenberg: TLS in HTTP/2
  http://daniel.haxx.se/blog/2015/03/06/tls-in-http2
GoLang team: Go crypto library
  https://godoc.org/golang.org/x/crypto
rkt
  coreos.com/blog/rocket
Let's Encrypt: A public open certificate authority
  letsencrypt.org
US CIO: HTTPS-Everywhere for Government
  cio.gov/https-everywhere-for-government
Open Threat Exchange: OTX v. 2.0
  www.alienvault.com/blogs/security-essentials/otx-20-beta-finally-a-way-beyond-the-rhetoric-of-threat-intelligence
Verizon DBIR 2015
  www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf
your threat model
  o VZ DBIR: 99.9% of successful exploits last year relied on a CVE more than a year old
  o Intelligence & defense collaboration & sharing is critical
  o Stronger security chain will require better cooperation, more open exchanges, and trust