DOCSLIB.ORG

How to Design a Trustworthy Ipsec VPN Device Employing Nested Tunnels?

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
How to Design a Trustworthy Ipsec VPN Device Employing Nested Tunnels? How to design a trustworthy IPsec VPN device employing nested tunnels? Alexander Spottka Information Security, master's level (60 credits) 2018 Luleå University of Technology Department of Computer Science, Electrical and Space Engineering ABSTRACT nterprises use site-to-site Virtual Private Network (VPN) technology to securely transmit data over insecure networks, such as the Internet. By utilizing commercial VPN products, Eorganizations partially rely on the vendors to keep their communication out of reach from malicious groups or individuals. These VPN servers consist of thousands of subcomponents, which can be grouped into hardware, operating system, general software, protocols, and algorithms. The main idea of this study is to design an IPsec VPN architecture based on IPsec nesting. This is achieved by designing two servers that consist of different subcomponents on each layer. Thus, a vulnerability in one component will not necessarily put the entire IPsec communication at risk. The subcomponents picked for deployment are investigated and reviewed based on their trustworthiness, which will be based on later defined criteria. This trust analysis will act as a potential starting point for providing a framework for future trust assessments. i ACKNOWLEDGEMENTS efore presenting details of this study, I want to thank Combitech, and especially Per Westerberg and Daniel Arvidsson for their support of this thesis. Despite their busy Bschedule, we managed to initiate the thesis. Furthermore, I wish to thank Tero Päivärinta and Parvaneh Westerlund. Even though I decided to pursue this study on late notice, they supported me with detailed feedback and simplicity in the process. Personally, I want to thank my girlfriend Melina who, despite her own work, took care of everything else in order to help me stay focused on the study. Lastly, I need to express my appreciation to have such a caring family at home. My mother Dagmar and brother Matthias especially kept me motivated and helped me unwind after long days of writing. iii TABLE OF CONTENTS Page List of Tables vi List of Figures vii 1 Introduction 1 1.1 Literature Review....................................... 2 1.1.1 Trust.......................................... 3 1.1.2 Hardware ....................................... 4 1.1.3 Operating System .................................. 5 1.1.4 IPsec Applications.................................. 6 1.1.5 Protocols and Cryptography ............................ 6 1.2 Research Question....................................... 7 1.3 Motivation ........................................... 7 1.4 Limitation ........................................... 7 1.5 Target Group.......................................... 8 1.6 Outline ............................................. 8 2 Theoretical Context9 2.1 Assurance and Security ................................... 9 2.2 IPsec............................................... 10 2.2.1 Symmetric vs. Asymmetric cryptography .................... 10 2.2.2 Key Exchange..................................... 11 2.2.3 Functionality of IPsec................................ 11 3 Methodology 13 3.1 Research Method ....................................... 14 3.2 Reliability and Validity.................................... 16 3.3 Ethical Considerations.................................... 17 4 Design 19 4.1 Hardware............................................ 20 iv 4.1.1 UDOOx86....................................... 20 4.1.2 ODROID-XU4..................................... 22 4.2 Operating System....................................... 23 4.2.1 RedHat Enterprise Linux.............................. 23 4.2.2 Debian Jessie..................................... 24 4.3 IPsec Applications....................................... 25 4.3.1 strongSwan ...................................... 26 4.3.2 Libreswan....................................... 27 4.4 Cryptography.......................................... 28 4.4.1 ESP-Encryption Algorithms ............................ 29 4.4.2 Integrity........................................ 31 4.4.3 Diffie-Hellman Group................................ 32 4.4.4 Digital signatures .................................. 33 4.5 Finalized design........................................ 34 5 Implementation 37 5.1 Configuration of the strongSwan servers ......................... 37 5.2 Configuration of the Libreswan servers.......................... 39 6 Demonstration 41 7 Evaluation 43 7.1 Summarized trust score for all ............................... 43 7.2 IPsec Testing and Certification Program Criteria Version 3.0............. 45 7.2.1 IPsec .......................................... 46 7.2.2 Logging......................................... 46 7.2.3 Administration.................................... 47 7.2.4 Authentication using Certificates......................... 47 7.3 Performance .......................................... 48 8 Discussion 51 9 Conclusion 53 9.1 Future research ........................................ 54 A Appendix A 1 Bibliography 5 v LIST OF TABLES LIST OF TABLES TABLE Page 4.1 Pros and cons of SECO and their product: UDOOx86.................... 21 4.2 Trust Score for SECO/UDOOx86................................ 21 4.3 Pros and cons of Hardkernel and their product ODROID-XU4 .............. 22 4.4 Trust Score for Hardkernel / ODROID-XU4.......................... 23 4.5 Pros and cons of RHEL v.7.................................... 24 4.6 Trust Score for RHEL v.7..................................... 24 4.7 Pros and cons of Debian ..................................... 25 4.8 Trust Score for Debian ...................................... 25 4.9 Pros and cons of strongSwan................................... 26 4.11 Pros and cons of Libreswan ................................... 27 4.10 Trust Score for strongSwan ................................... 27 4.12 Trust Score for Libreswan .................................... 28 4.13 Algorithm Choices......................................... 29 4.14 Trust Score for AES, CHACHA20, Camellia ......................... 31 4.15 Trust Score for SHA........................................ 32 4.16 Trust Score for MODP and X25519............................... 33 4.17 Trust Score for RSA, ECDSA, and EdDSA .......................... 34 4.18 Algorithm Choices......................................... 34 4.19 Final design............................................. 35 7.1 Trust Score for Device 1 ..................................... 43 7.2 Trust Score for Device 2 ..................................... 44 7.3 Throughput result......................................... 49 7.4 Average Throughput in relation to baseline.......................... 49 7.5 Latency result ........................................... 50 vi LIST OF FIGURES FIGURE Page 2.1 IP vs. IPsec datagram....................................... 12 3.1 IPsec topology ........................................... 14 4.1 IPsec topology ........................................... 19 4.2 Architecture of the artefact ................................... 36 6.1 Raw ICMP traffic ......................................... 41 6.2 Traffic after establishing one IPsec tunnel .......................... 42 6.3 Traffic after establishing nested IPsec tunnels........................ 42 A.1 UDP throughput no tunnel.................................... 1 A.2 TCP throughput no tunnel.................................... 1 A.3 UDP throughput with tunnel between RHEL machines .................. 2 A.4 TCP throughput with tunnel between RHEL machines................... 2 A.5 UDP throughput with tunnel between Debian machines.................. 2 A.6 TCP throughput with tunnel between Debian machines.................. 2 A.7 UDP throughput with tunnel between both machines ................... 2 A.8 TCP throughput with tunnel between both machines.................... 3 vii HAPTER C 1 INTRODUCTION n times of information becoming one of the world’s most valuable assets, it has become imper- ative to protect it. IT systems have become increasingly abstract and incomprehensible for I the average user. The creation of a global spanning system requires secure communication, free from eavesdropping or manipulation. Virtual Private Networks (VPN) offer the capability to establish secure channels over an untrusted media, such as the Internet. The previous statement can only be deemed true if VPN devices can assure the correctness of their functionality so the user has a high degree of assurance of their safety. This study attempts to clarify the terminology of trust, since Gollman indicates its multiple definitions, leading to miscommunication, and therefore vulnerable structures [1]. Trust cannot be taken as granted, especially since Edward Snowden revealed large scale digital surveillance of intelligence agencies in the United States of America [2], abusing critical vulnerabilities in a wide span of firewall products. Still, the thorough investigation of the correctness of VPN servers is currently unfeasible, since they consist of a high number of subcomponents. As described in the journal paper of Nemec et al. [3], history has shown that particular flaw in a widely used cryptographic library, distributed on Trusted Platform Modules (TPM) and other carriers, such as ID cards and passports, which resulted in roughly a quarter of vulnerable keys within the test machine available in the study. Using a VPN server that contains a flawed TPM endangers confidentiality, integrity, and availability of the established communication channel. This is an example to show
Load more

Recommended publications
  • Kommentarer Till Utgåvan Debian 10 (Buster), 64-Bit PC
    Kommentarer till utgåvan Debian 11 (bullseye), 64-bit PC The Debian Documentation Project (https://www.debian.org/doc/) 5 oktober 2021 Kommentarer till utgåvan Debian 11 (bullseye), 64-bit PC Detta dokument är fri mjukvara; du kan vidaredistribuera det och/eller modifiera det i enlighet med villkoren i Free Software Foundations GNU General Public License version 2. Detta program är distribuerat med förhoppning att det ska vara användbart men HELT UTAN GARAN- TIER; inte ens underförstådd garanti om SÄLJBARHET eller att PASSA ETT SÄRSKILT SYFTE. Läs mer i GNU General Public License för djupare detaljer. Du borde ha fått en kopia av GNU General Public License tillsammans med det här programmet; om inte, skriv till Free Software Foundation, Inc., 51 Franklin Street. Fifth Floor, Boston, MA, 02110-1301 USA. Licenstexten kan också hämtas på https://www.gnu.org/licenses/gpl-2.0.html och /usr/ share/common-licenses/GPL-2 på Debian-system. ii Innehåll 1 Introduktion 1 1.1 Rapportera fel i det här dokumentet . 1 1.2 Bidra med uppgraderingsrapporter . 1 1.3 Källor för det här dokumentet . 2 2 Vad är nytt i Debian 11 3 2.1 Arkitekturer med stöd . 3 2.2 Vad är nytt i distributionen? . 3 2.2.1 Skrivbordsmiljöer och kända paket . 3 2.2.2 Utskrifter och scanning utan drivrutiner . 4 2.2.2.1 CUPS och utskrifter utan drivrutiner . 4 2.2.2.2 SANE och scannrar utan drivrutiner . 4 2.2.3 Nytt generellt kommando ”open” . 5 2.2.4 Control groups v2 . 5 2.2.5 Beständig systemd-journal .
    [Show full text]
  • Horizontal PDF Slides
    1 2 The first 10 years of Curve25519 Abstract: “This paper explains the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische Universiteit Eindhoven achieving record-setting speeds: e.g., 832457 Pentium III cycles 2005.05.19: Seminar talk; (with several side benefits: design+software close to done. free key compression, free key validation, and state-of-the-art 2005.09.15: Software online. timing-attack protection), 2005.09.20: Invited talk at ECC. more than twice as fast as other authors’ results at the same 2005.11.15: Paper online; conjectured security level (with submitted to PKC 2006. or without the side benefits).” 1 2 3 The first 10 years of Curve25519 Abstract: “This paper explains Elliptic-curve computations the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische Universiteit Eindhoven achieving record-setting speeds: e.g., 832457 Pentium III cycles 2005.05.19: Seminar talk; (with several side benefits: design+software close to done. free key compression, free key validation, and state-of-the-art 2005.09.15: Software online. timing-attack protection), 2005.09.20: Invited talk at ECC. more than twice as fast as other authors’ results at the same 2005.11.15: Paper online; conjectured security level (with submitted to PKC 2006. or without the side benefits).” 1 2 3 The first 10 years of Curve25519 Abstract: “This paper explains Elliptic-curve computations the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische Universiteit Eindhoven achieving record-setting speeds: e.g., 832457 Pentium III cycles 2005.05.19: Seminar talk; (with several side benefits: design+software close to done.
    [Show full text]
  • Fast Elliptic Curve Cryptography in Openssl
    Fast Elliptic Curve Cryptography in OpenSSL Emilia K¨asper1;2 1 Google 2 Katholieke Universiteit Leuven, ESAT/COSIC [email protected] Abstract. We present a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224. Our implementation is fully integrated into OpenSSL 1.0.1: full TLS handshakes using a 1024-bit RSA certificate and ephemeral Elliptic Curve Diffie-Hellman key ex- change over P-224 now run at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster. In ad- dition, our implementation is immune to timing attacks|most notably, we show how to do small table look-ups in a cache-timing resistant way, allowing us to use precomputation. To put our results in context, we also discuss the various security-performance trade-offs available to TLS applications. Keywords: elliptic curve cryptography, OpenSSL, side-channel attacks, fast implementations 1 Introduction 1.1 Introduction to TLS Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a protocol for securing network communications. In its most common use, it is the \S" (standing for \Secure") in HTTPS. Two of the most popular open- source cryptographic libraries implementing SSL and TLS are OpenSSL [19] and Mozilla Network Security Services (NSS) [17]: OpenSSL is found in, e.g., the Apache-SSL secure web server, while NSS is used by Mozilla Firefox and Chrome web browsers, amongst others. TLS provides authentication between connecting parties, as well as encryp- tion of all transmitted content. Thus, before any application data is transmit- ted, peers perform authentication and key exchange in a TLS handshake.
    [Show full text]
  • Post-Quantum Cryptography
    Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago; Ruhr University Bochum & Technische Universiteit Eindhoven 12 September 2020 I Motivation #1: Communication channels are spying on our data. I Motivation #2: Communication channels are modifying our data. I Literal meaning of cryptography: \secret writing". I Achieves various security goals by secretly transforming messages. I Confidentiality: Eve cannot infer information about the content I Integrity: Eve cannot modify the message without this being noticed I Authenticity: Bob is convinced that the message originated from Alice Cryptography with symmetric keys AES-128. AES-192. AES-256. AES-GCM. ChaCha20. HMAC-SHA-256. Poly1305. SHA-2. SHA-3. Salsa20. Cryptography with public keys BN-254. Curve25519. DH. DSA. ECDH. ECDSA. EdDSA. NIST P-256. NIST P-384. NIST P-521. RSA encrypt. RSA sign. secp256k1. Cryptography / Sender Receiver \Alice" \Bob" Tsai Ing-Wen picture credit: By =q府, Attribution, Wikimedia. Donald Trump picture credit: By Shealah Craighead - White House, Public Domain, Wikimedia. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography2 Cryptography with symmetric keys AES-128. AES-192. AES-256. AES-GCM. ChaCha20. HMAC-SHA-256. Poly1305. SHA-2. SHA-3. Salsa20. I Literal meaning of cryptography: \secret writing". Cryptography with public keys Achieves various security goals by secretly transforming messages. BN-254I . Curve25519. DH. DSA. ECDH. ECDSA. EdDSA. NIST P-256. NIST P-384. Confidentiality: Eve cannot infer information about the content NISTI P-521. RSA encrypt. RSA sign. secp256k1. I Integrity: Eve cannot modify the message without this being noticed I Authenticity: Bob is convinced that the message originated from Alice Cryptography / Sender Untrustworthy network Receiver \Alice" \Eve" \Bob" I Motivation #1: Communication channels are spying on our data.
    [Show full text]
  • Crypto Projects That Might Not Suck
    Crypto Projects that Might not Suck Steve Weis PrivateCore ! http://bit.ly/CryptoMightNotSuck #CryptoMightNotSuck Today’s Talk ! • Goal was to learn about new projects and who is working on them. ! • Projects marked with ☢ are experimental or are relatively new. ! • Tried to cite project owners or main contributors; sorry for omissions. ! Methodology • Unscientific survey of projects from Twitter and mailing lists ! • Excluded closed source projects & crypto currencies ! • Stats: • 1300 pageviews on submission form • 110 total nominations • 89 unique nominations • 32 mentioned today The People’s Choice • Open Whisper Systems: https://whispersystems.org/ • Moxie Marlinspike (@moxie) & open source community • Acquired by Twitter 2011 ! • TextSecure: Encrypt your texts and chat messages for Android • OTP-like forward security & Axolotl key racheting by @trevp__ • https://github.com/whispersystems/textsecure/ • RedPhone: Secure calling app for Android • ZRTP for key agreement, SRTP for call encryption • https://github.com/whispersystems/redphone/ Honorable Mention • ☢ Networking and Crypto Library (NaCl): http://nacl.cr.yp.to/ • Easy to use, high speed XSalsa20, Poly1305, Curve25519, etc • No dynamic memory allocation or data-dependent branches • DJ Bernstein (@hashbreaker), Tanja Lange (@hyperelliptic), Peter Schwabe (@cryptojedi) ! • ☢ libsodium: https://github.com/jedisct1/libsodium • Portable, cross-compatible NaCL • OpenDNS & Frank Denis (@jedisct1) The Old Standbys • Gnu Privacy Guard (GPG): https://www.gnupg.org/ • OpenSSH: http://www.openssh.com/
    [Show full text]
  • NUMS Elliptic Curves and Their Efficient Implementation
    Fourℚ-based cryptography for high-performance and low-power applications Real World Cryptography Conference 2017 January 4-6, New York, USA Patrick Longa Microsoft Research Next-generation elliptic curves New IETF Standards • The Crypto Forum Research Group (CFRG) selected two elliptic curves: Bernstein’s Curve25519 and Hamburg’s Ed448-Goldilocks • RFC 7748: “Elliptic Curves for Security” (published on January 2016) • Curve details; generation • DH key exchange for both curves • Ongoing work: signature scheme • draft-irtf-cfrg-eddsa-08, “Edwards-curve Digital Signature Algorithm (EdDSA)” 1/23 Next-generation elliptic curves Farrel-Moriarity-Melkinov-Paterson [NIST ECC Workshop 2015]: “… the real motivation for work in CFRG is the better performance and side- channel resistance of new curves developed by academic cryptographers over the last decade.” Plus some additional requirements such as: • Rigidity in curve generation process. • Support for existing cryptographic algorithms. 2/23 Next-generation elliptic curves Farrel-Moriarity-Melkinov-Paterson [NIST ECC Workshop 2015]: “… the real motivation for work in CFRG is the better performance and side- channel resistance of new curves developed by academic cryptographers over the last decade.” Plus some additional requirements such as: • Rigidity in curve generation process. • Support for existing cryptographic algorithms. 2/23 State-of-the-art ECC: Fourℚ [Costello-L, ASIACRYPT 2015] • CM endomorphism [GLV01] and Frobenius (ℚ-curve) endomorphism [GLS09, Smi16, GI13] • Edwards form [Edw07] using efficient Edwards ℚ coordinates [BBJ+08, HCW+08] Four • Arithmetic over the Mersenne prime 푝 = 2127 −1 Features: • Support for secure implementations and top performance. • Uniqueness: only curve at the 128-bit security level with properties above.
    [Show full text]
  • Simple High-Level Code for Cryptographic Arithmetic - with Proofs, Without Compromises
    Simple High-Level Code for Cryptographic Arithmetic - With Proofs, Without Compromises The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation Erbsen, Andres et al. “Simple High-Level Code for Cryptographic Arithmetic - With Proofs, Without Compromises.” Proceedings - IEEE Symposium on Security and Privacy, May-2019 (May 2019) © 2019 The Author(s) As Published 10.1109/SP.2019.00005 Publisher Institute of Electrical and Electronics Engineers (IEEE) Version Author's final manuscript Citable link https://hdl.handle.net/1721.1/130000 Terms of Use Creative Commons Attribution-Noncommercial-Share Alike Detailed Terms http://creativecommons.org/licenses/by-nc-sa/4.0/ Simple High-Level Code For Cryptographic Arithmetic – With Proofs, Without Compromises Andres Erbsen Jade Philipoom Jason Gross Robert Sloan Adam Chlipala MIT CSAIL, Cambridge, MA, USA fandreser, jadep, [email protected], [email protected], [email protected] Abstract—We introduce a new approach for implementing where X25519 was the only arithmetic-based crypto primitive cryptographic arithmetic in short high-level code with machine- we need, now would be the time to declare victory and go checked proofs of functional correctness. We further demonstrate home. Yet most of the Internet still uses P-256, and the that simple partial evaluation is sufficient to transform such initial code into the fastest-known C code, breaking the decades- current proposals for post-quantum cryptosystems are far from old pattern that the only fast implementations are those whose Curve25519’s combination of performance and simplicity. instruction-level steps were written out by hand.
    [Show full text]
  • Secure Authentication Protocol for Internet of Things Achraf Fayad
    Secure authentication protocol for Internet of Things Achraf Fayad To cite this version: Achraf Fayad. Secure authentication protocol for Internet of Things. Networking and Internet Archi- tecture [cs.NI]. Institut Polytechnique de Paris, 2020. English. NNT : 2020IPPAT051. tel-03135607 HAL Id: tel-03135607 https://tel.archives-ouvertes.fr/tel-03135607 Submitted on 9 Feb 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Protocole d’authentification securis´ e´ pour les objets connectes´ These` de doctorat de l’Institut Polytechnique de Paris prepar´ ee´ a` Tel´ ecom´ Paris Ecole´ doctorale n◦626 Ecole´ doctorale de l’Institut Polytechnique de Paris (EDIPP) Specialit´ e´ de doctorat : Reseaux,´ informations et communications NNT : 2020IPPAT051 These` present´ ee´ et soutenue a` Palaiseau, le 14 decembre´ 2020, par ACHRAF FAYAD Composition du Jury : Ken CHEN Professeur, Universite´ Paris 13 Nord President´ Pascal LORENZ Professeur, Universite´ de Haute-Alsace (UHA) Rapporteur Ahmed MEHAOUA Professeur, Universite´ Paris Descartes Rapporteur Lyes KHOUKHI Professeur, Ecole´ Nationale Superieure´ d’Ingenieurs´ de Examinateur Caen-ENSICAEN Ahmad FADLALLAH Associate Professor, University of Sciences and Arts in Lebanon Examinateur (USAL) Rida KHATOUN Maˆıtre de conferences,´ Tel´ ecom´ Paris Directeur de these` Ahmed SERHROUCHNI Professeur, Tel´ ecom´ Paris Co-directeur de these` Badis HAMMI Associate Professor, Ecole´ pour l’informatique et les techniques Invite´ avancees´ (EPITA) 626 Acknowledgments First, I would like to thank my thesis supervisor Dr.
    [Show full text]
  • Alternative Elliptic Curve Representations
    Alternative Elliptic Curve Representations draft-struik-lwig-curve-representations-00 René Struik Struik Security Consultancy E-mail: [email protected] IETF 101draft-struik – London,-lwig-curve- representationsUK, March-002018 1 Outline 1. The ECC Algorithm Zoo – NIST curve P-256, ECDSA – Curve25519 – Ed25519 2. Implementation Detail 3. How to Reuse Code 4. How to Reuse Existing Standards 5. Conclusions draft-struik-lwig-curve-representations-00 2 ECC Algorithm Zoo (1) NIST curves: Curve model: Weierstrass curve Curve equation: y2 = x3 + ax + b (mod p) Base point: G=(Gx, Gy) Scalar multiplication: addition formulae using, e.g., mixed Jacobian coordinates Point representation: both coordinates of point P=(X, Y) (affine coordinates) 0x04 || X || Y in most-significant-bit/octet first order Examples: NIST P-256 (ANSI X9.62, NIST SP 800-56a, SECG, etc.); Brainpool256r1 (RFC 5639) ECDSA: Signature: R || s in most-significant-bit/octet first order Signing equation: e = s k + d r (mod n), where e=Hash(m) Example: ECDSA, w/ P-256 and SHA-256 (FIPS 186-4, ANSI X9.62, etc.) Note: message m pre-hashed draft-struik-lwig-curve-representations-00 3 ECC Algorithm Zoo (2) CFRG curves: Curve model: Montgomery curve Curve equation: By2 = x3 + Ax2 + x (mod p) Base point: G=(Gx, Gy) Scalar multiplication: Montgomery ladder, using projective coordinates [X: :Z] Point representation: x-coordinate of point P=(X, Y) (x-coordinate-only) X in least-significant-octet, most-significant-bit first order Examples: Curve25519, Curve448 (RFC 7748) DH Key agreement:
    [Show full text]
  • The Double Ratchet Algorithm
    The Double Ratchet Algorithm Trevor Perrin (editor) Moxie Marlinspike Revision 1, 2016-11-20 Contents 1. Introduction 3 2. Overview 3 2.1. KDF chains . 3 2.2. Symmetric-key ratchet . 5 2.3. Diffie-Hellman ratchet . 6 2.4. Double Ratchet . 13 2.6. Out-of-order messages . 17 3. Double Ratchet 18 3.1. External functions . 18 3.2. State variables . 19 3.3. Initialization . 19 3.4. Encrypting messages . 20 3.5. Decrypting messages . 20 4. Double Ratchet with header encryption 22 4.1. Overview . 22 4.2. External functions . 26 4.3. State variables . 26 4.4. Initialization . 26 4.5. Encrypting messages . 27 4.6. Decrypting messages . 28 5. Implementation considerations 29 5.1. Integration with X3DH . 29 5.2. Recommended cryptographic algorithms . 30 6. Security considerations 31 6.1. Secure deletion . 31 6.2. Recovery from compromise . 31 6.3. Cryptanalysis and ratchet public keys . 31 1 6.4. Deletion of skipped message keys . 32 6.5. Deferring new ratchet key generation . 32 6.6. Truncating authentication tags . 32 6.7. Implementation fingerprinting . 32 7. IPR 33 8. Acknowledgements 33 9. References 33 2 1. Introduction The Double Ratchet algorithm is used by two parties to exchange encrypted messages based on a shared secret key. Typically the parties will use some key agreement protocol (such as X3DH [1]) to agree on the shared secret key. Following this, the parties will use the Double Ratchet to send and receive encrypted messages. The parties derive new keys for every Double Ratchet message so that earlier keys cannot be calculated from later ones.
    [Show full text]
  • Security Analysis of the Signal Protocol Student: Bc
    ASSIGNMENT OF MASTER’S THESIS Title: Security Analysis of the Signal Protocol Student: Bc. Jan Rubín Supervisor: Ing. Josef Kokeš Study Programme: Informatics Study Branch: Computer Security Department: Department of Computer Systems Validity: Until the end of summer semester 2018/19 Instructions 1) Research the current instant messaging protocols, describe their properties, with a particular focus on security. 2) Describe the Signal protocol in detail, its usage, structure, and functionality. 3) Select parts of the protocol with a potential for security vulnerabilities. 4) Analyze these parts, particularly the adherence of their code to their documentation. 5) Discuss your findings. Formulate recommendations for the users. References Will be provided by the supervisor. prof. Ing. Róbert Lórencz, CSc. doc. RNDr. Ing. Marcel Jiřina, Ph.D. Head of Department Dean Prague January 27, 2018 Czech Technical University in Prague Faculty of Information Technology Department of Computer Systems Master’s thesis Security Analysis of the Signal Protocol Bc. Jan Rub´ın Supervisor: Ing. Josef Kokeˇs 1st May 2018 Acknowledgements First and foremost, I would like to express my sincere gratitude to my thesis supervisor, Ing. Josef Kokeˇs,for his guidance, engagement, extensive know- ledge, and willingness to meet at our countless consultations. I would also like to thank my brother, Tom´aˇsRub´ın,for proofreading my thesis. I cannot express enough gratitude towards my parents, Lenka and Jaroslav Rub´ınovi, who supported me both morally and financially through my whole studies. Last but not least, this thesis would not be possible without Anna who re- lentlessly supported me when I needed it most. Declaration I hereby declare that the presented thesis is my own work and that I have cited all sources of information in accordance with the Guideline for adhering to ethical principles when elaborating an academic final thesis.
    [Show full text]
  • Digital Safety & Security Lt Cdr Mike Rose RN ©
    RNIOA Article 15 [17/05/2020] characteristics linked to their IP address to enable ‘tracking.’ Where internet-based criminality is Digital Safety & Security involved, the acquisition of banking and credit card Lt Cdr Mike Rose RN © data is often the main objective. Introduction The aim of this article is to help people understand Prior to the introduction of the internet, personal the risks they face and how to attempt to mitigate computers for home use were self-contained in that them. So, whether you’re accessing the internet the operating system was bought and installed by with your mobile phone, PC, tablet or laptop, you’re the supplier/user, and external communications potentially exposed to every hacker, digital thief and using the PC were not yet technically developed. spammer across the globe. Not to mention that The most likely risk therefore was the possibility of viruses, trojan horses, spyware and adware are someone switching on unattended, non-password- always just one click away. You wouldn’t drive protected computers and copying sensitive without insurance, a seat belt and a GPS device, information onto an external memory device. so, similarly, when you “surf the net”, you need to Essentially, users were in control of their computing make sure that you are well “buckled up” and well- equipment and paid real money for the services informed. This article is written as a guide to “safe and software they used to a known vendor. surfing” and is just as important for personal users as it is for large tech companies. Malicious websites Spyware, which is software that steals your sensitive data without consent, lurks in many corners of the internet; often in places where you'd least expect it.
    [Show full text]