-
Notifications
You must be signed in to change notification settings - Fork 0
/
index_client.html
566 lines (488 loc) · 16.7 KB
/
index_client.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8"/>
<title></title>
<style type="text/css">
.underline { text-decoration: underline; }
</style>
<link rel="stylesheet" href="./reveal.js/css/reveal.css"/>
<link rel="stylesheet" href="./reveal.js/css/theme/solarized.css" id="theme"/>
<link rel="stylesheet" href="./reveal.js/lib/css/zenburn.css"/>
<!-- If the query includes 'print-pdf', include the PDF print sheet -->
<script>
if( window.location.search.match( /print-pdf/gi ) ) {
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = './reveal.js/css/print/pdf.css';
document.getElementsByTagName( 'head' )[0].appendChild( link );
}
</script>
<script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
</head>
<body>
<div class="reveal">
<div class="slides">
<section>
<section id="slide-orgheadline1">
<h2 id="orgheadline1">PGP integration with CISC</h2>
<aside class="notes">
<p>
Dedis project called CISC Identity Skipchain ⇒ goal manage identity on a cothority, simple to use, distributed, secure.
</p>
<p>
Goal of this project = add support for PGP keys, before only SSH.
</p>
</aside>
</section>
</section>
<section>
<section id="slide-orgheadline2">
<h2 id="orgheadline2">A little bit of background</h2>
</section>
</section>
<section>
<section id="slide-orgheadline3">
<h2 id="orgheadline3">PGP</h2>
<ul>
<li class="fragment appear">Pretty Good Privacy.</li>
<li class="fragment appear">Provides cryptographic privacy and authentication for data communication.</li>
<li class="fragment appear">Web of trust: users act as CA.</li>
</ul>
<aside class="notes">
<p>
Web of trust:
</p>
<ul>
<li>Users sign each others key.</li>
<li>User usually need to prove its identity ⇒ ID card, driver license, etc.</li>
<li>Will trust that signature is from someone if trust someone who trusts it ⇒ trust delegation.</li>
</ul>
</aside>
</section>
</section>
<section>
<section id="slide-orgheadline7">
<h2 id="orgheadline7">JVSS</h2>
<ul>
<li class="fragment appear">Joint Verifiable Secret Sharing.</li>
<li class="fragment appear">Can generate threshold digital signature in a distributed way.</li>
</ul>
</section>
<section id="slide-orgheadline4">
<h3 id="orgheadline4">Random shared secret generation</h3>
<p>
Assuming \(n\) signers and a threshold of \(t\).
</p>
<ul>
<li class="fragment appear">Each signer serves the role of the 'dealer'</li>
<li class="fragment appear">Produces \(n-\) shares secret, send share to others.</li>
<li class="fragment appear">Every other signers verifies that the dealing has been made correctly.</li>
</ul>
<p class="fragment (appear)">
⇒ allows to detect cheaters
</p>
<ul>
<li class="fragment appear">When everyone has played the 'dealer' role, each signer combines the \(n\) shares into a global secret.</li>
</ul>
</section>
<section id="slide-orgheadline5">
<h3 id="orgheadline5">Setup phase</h3>
<ul>
<li class="fragment appear">Creation of a long term shared secret.</li>
<li class="fragment appear">Will be used for every signing round.</li>
<li class="fragment appear">Signature created can be checked against it.</li>
</ul>
</section>
<section id="slide-orgheadline6">
<h3 id="orgheadline6">Signing phase</h3>
<ul>
<li class="fragment appear">Creation of a short term shared secret.</li>
<li class="fragment appear">Combined with long term secret.</li>
<li class="fragment appear">Generate a valid signature if at least \(t\) signers.</li>
</ul>
</section>
</section>
<section>
<section id="slide-orgheadline10">
<h2 id="orgheadline10">CISC</h2>
<ul>
<li class="fragment appear">CISC identity SkipChain.</li>
<li class="fragment appear">Goal: provide a simple and secure identity management service.</li>
</ul>
<aside class="notes">
<p>
What we are working on.
</p>
<p>
Help the user to manage her identities.
</p>
</aside>
</section>
<section id="slide-orgheadline8">
<h3 id="orgheadline8">Architecture</h3>
<div class="figure">
<p><img src="./cisc.png" alt="cisc.png" width="75%" height="75%" />
</p>
</div>
<aside class="notes">
<p>
Architecture of CISC
</p>
<ol>
<li>User has manager devices
<ul>
<li>Registered on the Cothority, identified by a key pair</li>
<li>Have voting power to modify/make request to the cothority</li>
</ul></li>
<li>Cothority-servers, set of server running the service
<ul>
<li>Has a private special blockchain on them ⇒ contains identities of the User</li>
<li>Client can make change request, will only be accepted if threshold of devices accept ⇒ prevent one compromised device making unwanted changes</li>
</ul></li>
<li>Clients, person wanting to identify/communicate with the user
<ul>
<li>can be services (Github), IoT devices or real people (contacts)</li>
<li>Can download blockchain and check user's identity</li>
</ul></li>
</ol>
</aside>
</section>
<section id="slide-orgheadline9">
<h3 id="orgheadline9">Skipchain</h3>
<div class="figure">
<p><img src="./skipchain.png" alt="skipchain.png" width="75%" height="75%" />
</p>
</div>
<aside class="notes">
<p>
Blockchain = double linked and called skipchain:
</p>
<ul>
<li>Backward link = same (hash)</li>
<li>Forward link, cannot be hash, since next block not known</li>
<li>Forward link = signature of threshold of manager devices + CoSi signature.</li>
<li>Allows for trust delegation from old keys to new keys
<ul>
<li>Someone trusting old key of client will be able to verify each step until the new head (new keys)</li>
<li>Does not need to trust any intermediary.</li>
</ul></li>
</ul>
<p>
Current implementation SSH, goal, add PGP.
</p>
</aside>
</section>
</section>
<section>
<section id="slide-orgheadline15">
<h2 id="orgheadline15">Problem:<br>Using PGP with more than one device…</h2>
<div class="outline-text-2" id="text-orgheadline15">
</div></section>
<section id="slide-orgheadline11">
<h3 id="orgheadline11">What we want:</h3>
<ul>
<li class="fragment appear">Being able to sign and decrypt message from any device.</li>
<li class="fragment appear">Not losing everything when a device is compromised.</li>
</ul>
</section>
<section id="slide-orgheadline12">
<h3 id="orgheadline12">Same key on every device?</h3>
<ul>
<li class="fragment appear">We can sign and decrypt from any device!</li>
<li class="fragment appear">But…</li>
<li class="fragment appear">If one device is lost, the key is lost…</li>
<li class="fragment appear">All the trust gained is lost!</li>
</ul>
</section>
<section id="slide-orgheadline13">
<h3 id="orgheadline13">Sub-keys</h3>
<ul>
<li class="fragment appear">Linked to a master key, same trust level.</li>
<li class="fragment appear">Signing resolved!</li>
<li class="fragment appear">In case of device loss, revocation of the sub-key.</li>
<li class="fragment appear">Decryption becomes problematic…</li>
<li class="fragment appear">What if there is a man-in-the-middle (freeze attack)?</li>
</ul>
<aside class="notes">
<p>
Create a master key, store it somewhere safe (USB key). We create a sub-key for each device. A sub-key is linked to our master key, thus if our master key is trusted so is our sub-key
</p>
<p>
If we want to sign from any device, the signature will be trusted by someone trusting our master key
</p>
<p>
If we lose a device, we can revoke the sub-key without losing the master key.
</p>
<p>
Decryption becomes a problem: other person needs to know of every sub-key, or risks to use different sub-key from device we use…
</p>
<p>
client not user !
If man-in-the-middle dropping every revocation request ⇒ Neither revocation server nor people wanting to communicate have way of knowing…
</p>
</aside>
</section>
<section id="slide-orgheadline14">
<h3 id="orgheadline14">Using skipchains</h3>
<ul>
<li class="fragment appear">Latest valid key is placed in the skipchain</li>
<li class="fragment appear">Trust displaced in the skipchain.</li>
<li class="fragment appear">Can define a maximum epoch for the block.</li>
<li class="fragment appear">Solves the freeze attack!</li>
<li class="fragment appear">But…</li>
<li class="fragment appear">Interlocutor needs to know how the skipchain works.</li>
</ul>
<aside class="notes">
<p>
When we want to revoke a key, we just create a new block with the key removed (and maybe a new key), trust in the skipchain not to be compromised and have latest valid key.
</p>
<p>
Then we can define a maximum epoch for the block, when there is no new block after a certain time, we can consider that there is a freeze attack occurring.
</p>
<p>
Person wanting to communicate needs to have knowledge of the skipchain in order to know if key is still valid…
</p>
</aside>
</section>
</section>
<section>
<section id="slide-orgheadline19">
<h2 id="orgheadline19">Our solution: CISC and JVSS</h2>
<ul>
<li class="fragment appear">Split our PGP key on a cothority using secret sharing and JVSS:
<ul>
<li class="fragment appear">Have one global public key, sent to PGP servers.</li>
<li class="fragment appear">Each conode only has a share of the key.</li>
</ul></li>
<li class="fragment appear">Use CISC to manage the list of authoritative devices.</li>
</ul>
<aside class="notes">
<p>
Since each conode only has a share of the key, need threshold of compromised node in order to compromise key ⇒ should be a rare event since the cothority is mostly trustworthy.
</p>
</aside>
</section>
<section id="slide-orgheadline16">
<h3 id="orgheadline16">Signing and Decryption</h3>
<ul>
<li class="fragment appear">Everything done using publicly available key.</li>
<li class="fragment appear">Signature will appear to be signed by it.</li>
<li class="fragment appear">Encryption can be made with it.</li>
<li class="fragment appear">We can make a signing/decryption request from any device.</li>
</ul>
<aside class="notes">
<p>
Same trust level as split key.
</p>
</aside>
</section>
<section id="slide-orgheadline17">
<h3 id="orgheadline17">Device loss and freeze attack</h3>
<ul>
<li class="fragment appear">In case of device loss, revoke its access to CISC.</li>
<li class="fragment appear">Attacker can temporarily sign/decrypt.</li>
<li class="fragment appear">Key is not affected at all.</li>
<li class="fragment appear">Also use maximum epoch for solving freeze attack.</li>
</ul>
</section>
<section id="slide-orgheadline18">
<h3 id="orgheadline18">Interoperability</h3>
<ul>
<li class="fragment appear">Public key made available as usual.</li>
<li class="fragment appear">Following skipchain only needed for added security (freeze attack).</li>
</ul>
<aside class="notes">
<p>
No need to follow the skipchain to contact the user with the correct key, since key doesn't change in case of compromised device.
</p>
</aside>
</section>
</section>
<section>
<section id="slide-orgheadline24">
<h2 id="orgheadline24">Implementation in Cothority</h2>
<div class="outline-text-2" id="text-orgheadline24">
</div></section>
<section id="slide-orgheadline20">
<h3 id="orgheadline20">Reality check</h3>
<ul>
<li class="fragment appear">Impossible with current implementation of JVSS to bring own key.</li>
<li class="fragment appear">Threshold decryption not present in <i>dedis/crypto</i>.</li>
</ul>
<aside class="notes">
<p>
Solution: letting JVSS create the key for us, can still make it a sub-key of the key we used before.
</p>
<p>
Not enough time to implement decryption…
</p>
</aside>
</section>
<section id="slide-orgheadline21">
<h3 id="orgheadline21">Interfacing OpenPGP and <i>dedis/crypto</i></h3>
<div class="org-src-container">
<pre><code class="go" >package openpgp
</code></pre>
</div>
<ul>
<li class="fragment appear">Straightforward using OpenPGP implementation of <i>golang/x/crypto</i>.</li>
<li class="fragment appear">Able to create valid OpenPGP signature, public and private keys packet.</li>
</ul>
<aside class="notes">
<p>
Dedis' implementation respects standards!
</p>
</aside>
</section>
<section id="slide-orgheadline22">
<h3 id="orgheadline22">JVSS protocol and JVSS service</h3>
<div class="org-src-container">
<pre><code class="go" >package jvss
</code></pre>
</div>
<ul>
<li class="fragment appear">Separation of the JVSS protocol in two parts.</li>
<li class="fragment appear">Setup protocol:
<ul>
<li class="fragment appear">Creates a shared secret and a public key.</li>
<li class="fragment appear">Sends to the service its secret share.</li>
</ul></li>
<li class="fragment appear">Signing protocol:
<ul>
<li class="fragment appear">Initialized with previously created shares.</li>
<li class="fragment appear">Makes round of signing using the shares.</li>
</ul></li>
<li class="fragment appear">Service allows to save/load shares.</li>
</ul>
</section>
<section id="slide-orgheadline23">
<h3 id="orgheadline23">Adding everything to the CISC application</h3>
<div class="org-src-container">
<pre><code class="go" >package cisc
</code></pre>
</div>
<div class="org-src-container">
<pre class="fragment (appear)"><code class="go" >pgp setup
</code></pre>
</div>
<div class="org-src-container">
<pre class="fragment (appear)"><code class="go" >pgp sign
</code></pre>
</div>
</section>
</section>
<section>
<section id="slide-orgheadline27">
<h2 id="orgheadline27">Benchmark</h2>
<aside class="notes">
<p>
Made on a single machine ⇒ may not be the same in real life.
</p>
</aside>
</section>
<section id="slide-orgheadline25">
<h3 id="orgheadline25">Signing time with number of hosts</h3>
<div class="figure">
<p><img src="./latency.png" alt="latency.png" width="75%" height="75%" />
</p>
</div>
<aside class="notes">
<p>
Scaling of signing time with the number of hosts, quadratic due to JVSS O(n<sup>2</sup>).
</p>
<p>
16 or 32 hosts not that bad.
</p>
</aside>
</section>
<section id="slide-orgheadline26">
<h3 id="orgheadline26">Scaling with number of clients (16 hosts)</h3>
<div class="figure">
<p><img src="./scaling.png" alt="scaling.png" width="75%" height="75%" />
</p>
</div>
<aside class="notes">
<p>
Scaling with the number of clients and interval between each request per clients
</p>
<p>
Done with 16 hosts, looked most promising.
</p>
<p>
With 32 clients and an interval of 15 seconds, takes less than 15 seconds ⇒ could mean that we could do around 130 signatures per minute.
Equivalent to 200'000 signatures per day, estimating that average person at EPFL sends 10-20 e-mails. Implementation could provide decentralized secure e-mail for more or less the EPFL.
</p>
</aside>
</section>
<section >
<p>
From last slide:
</p>
<ul>
<li class="fragment appear">With 32 clients and an interval of 15 seconds, round takes less than 15 seconds.</li>
<li class="fragment appear">We can make around 4 signatures/minute × 32 clients ≅ 130 signatures/minute.</li>
<li class="fragment appear">130 signatures/minute × 60 minutes/hour × 24 hours/day ≅ 200'000 signatures/day.</li>
<li class="fragment appear">Average EPFL user sends 10-20 mails per day.</li>
<li class="fragment appear">We can provide all EPFL (15'000 people) decentralized and secure e-mail.</li>
</ul>
</section>
</section>
<section>
<section id="slide-orgheadline28">
<h2 id="orgheadline28">What's left to be done</h2>
<ul>
<li class="fragment appear">Splitting user's key with JVSS.</li>
<li class="fragment appear">Threshold decryption.</li>
</ul>
<aside class="notes">
<p>
More convenient to use user's defined key.
</p>
<p>
Decryption would be great to have.
</p>
</aside>
</section>
</section>
<section>
<section id="slide-orgheadline29">
<h2 id="orgheadline29">Questions?</h2>
</section>
</section>
</div>
</div>
<script src="./reveal.js/lib/js/head.min.js"></script>
<script src="./reveal.js/js/reveal.js"></script>
<script>
// Full list of configuration options available here:
// https://github.com/hakimel/reveal.js#configuration
Reveal.initialize({
controls: true,
progress: true,
history: false,
center: true,
slideNumber: 'c',
rollingLinks: false,
keyboard: true,
overview: true,
theme: Reveal.getQueryHash().theme, // available themes are in /css/theme
transition: Reveal.getQueryHash().transition || 'linear', // default/cube/page/concave/zoom/linear/fade/none
transitionSpeed: 'default',
multiplex: {
secret: null, // null if client
id: '912f5f4cb475d9ef', // id, obtained from socket.io server
url: 'https://reveal-js-multiplex-ccjbegmaii.now.sh' // Location of socket.io server
},
// Optional libraries used to extend on reveal.js
dependencies: [
{src: "./mouseclick.js"},
{ src: './reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },
{ src: './reveal.js/plugin/notes/notes.js', async: true, condition: function() { return !!document.body.classList; } },
{ src: 'https://cdnjs.cloudflare.com/ajax/libs/socket.io/1.3.7/socket.io.min.js', async: true },
{ src: './reveal.js/plugin/multiplex/client.js', async: true }]
});
</script>
</body>
</html>