

1. Expressing Human Trust in Distributed Systems: the Mismatch Between Tools and Reality
Sean W. Smith, Department of Computer Science, Dartmouth College, Hanover, NH USA
http://www.cs.dartmouth.edu/~sws/
April 15, 2005
Joint work with various students
Vox Clamantis in Deserto

2. Overview
● Background on PKI
● Problems with mental models
● Problems with expressiveness
● (research)

3. Public Key Cryptography

4. Public Key Cryptography Infrastructure

5-6. Public Key Cryptography Infrastructure
Basic uses:
● Signed communication
● Encrypted communication
● Authentication
Basic problem:
● Alice needs to learn Bob's public key
Basic approach:
● A CA signs an X.509 identity cert binding Bob's name to his public key
Basic worries:
● How does Alice obtain Bob's cert?
● How does she decide to believe his CA?
● How does she check if this CA has changed its mind?
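The chain on slide 6, as an added example that is not part of the slides: a throwaway CA built with the openssl command-line tool issues an X.509 cert binding the name bob.example to Bob's key, and the checks then exercise the second and third "basic worries" (which CA Alice has chosen to believe, and whether that CA has since changed its mind, expressed as a CRL). The CA names, bob.example and the openssl ca config are constructed for this example; it needs only the openssl CLI and makes no network access.

```shell
#!/bin/sh
# Added example (not from the slides): a minimal X.509 deployment with the
# openssl CLI. "Example CA", "Rogue CA" and bob.example are made up here.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Alice's trust anchor: the one CA she has decided to believe.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example CA" -days 30 >/dev/null 2>&1
# Another CA that also exists in the world; Alice has not chosen to trust it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt \
    -subj "/CN=Rogue CA" -days 30 >/dev/null 2>&1

# Bob makes a keypair and a CSR carrying the name he wants bound to his key.
openssl req -newkey rsa:2048 -nodes -keyout bob.key -out bob.csr \
    -subj "/CN=bob.example" >/dev/null 2>&1
# The trusted CA signs the identity cert: the (name, public key) binding.
openssl x509 -req -in bob.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out bob.crt -days 30 >/dev/null 2>&1

# Minimal "openssl ca" state so the CA can later change its mind (issue a CRL).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = example_ca
[ example_ca ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName       = supplied
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# The name the CA actually bound to Bob's key, as a verifier reads it.
bob_subject() {
    openssl x509 -in bob.crt -noout -subject | sed 's/.*CN *= *//'
}

# Worry 2: the same cert is valid or not depending on which anchor Alice
# verifies against. Prints ok/fail; openssl's own output is suppressed.
verify_against() {      # $1 = anchor file, $2 = cert to check
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Worry 3: has the CA changed its mind? Check the cert against a CRL the CA
# signed. openssl reads CRLs from the -CAfile bundle when -crl_check is set.
verify_with_crl() {     # $1 = CA cert, $2 = CRL file, $3 = cert to check
    cat "$1" "$2" > anchor_and_crl.pem
    if openssl verify -crl_check -CAfile anchor_and_crl.pem "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# A CRL with nothing on it, then the CA revokes Bob and publishes a new one.
openssl ca -config ca.cnf -gencrl -out empty.crl >/dev/null 2>&1
openssl ca -config ca.cnf -revoke bob.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out revoked.crl >/dev/null 2>&1

echo "name bound by the CA:          $(bob_subject)"
echo "verify under Alice's CA:       $(verify_against ca.crt bob.crt)"
echo "verify under the rogue CA:     $(verify_against rogue.crt bob.crt)"
echo "verify with empty CRL:         $(verify_with_crl ca.crt empty.crl bob.crt)"
echo "verify after revocation (CRL): $(verify_with_crl ca.crt revoked.crl bob.crt)"
```

The first worry, how Alice gets Bob's cert in the first place, is a distribution problem the tool cannot answer; the script simply has bob.crt on disk. Note also that revocation only helps if Alice's tool fetches the current CRL: the same cert still verifies "ok" against the stale empty.crl.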

7. Problem: Mental Models
Does what people think the machines do match what the machines really do?
● digital signatures on office documents
● server-side SSL
● client-side SSL
● passwords

8. Digital Signatures
If Alice's tools tell her that X has a valid signature from Bob, should she conclude that Bob signed that virtual piece of paper?
With a quick exploration, we could subvert:
● Word (without macros)
● Excel (without macros*)
● PDF
● HTML email
using:
● PGP and S/MIME signatures
● DST's CertainSEnd
● Assured Office/ProSigner/E-Lock
● Acrobat Visible Signatures
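Slide 8's point, as an added example not drawn from the slides or from any of the tools named on them: a signature covers stored bytes, but what Alice reads is whatever her viewer renders from those bytes. Here a tiny text format with one dynamic field, {{IF_AFTER:date:then:else}}, invented for this example as a stand-in for a Word field, PDF script or externally loaded HTML content, is signed with openssl; the signature verifies unchanged while the rendered price depends on the date the viewer believes it is. Bob, the contract text and the field syntax are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): a valid signature over bytes whose
# rendering is decided by the viewer, not the signer. Bob's key, the document
# and the {{IF_AFTER:...}} field are made up for this demonstration.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Bob's signing keypair.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out bob.key >/dev/null 2>&1
openssl pkey -in bob.key -pubout -out bob.pub >/dev/null 2>&1

# The bytes Bob signs. The field reads: if today >= 2005-04-16 show 9000, else 100.
cat > contract.txt <<'EOF'
Agreement between Bob and Alice.
Price: {{IF_AFTER:2005-04-16:9000:100}} USD
Signed, Bob.
EOF
openssl dgst -sha256 -sign bob.key -out contract.sig contract.txt

# A byte-level edit that the signature does catch.
sed 's/:100}}/:200}}/' contract.txt > tampered.txt

# What Alice's tool checks: Bob's signature over the stored bytes of $1.
signature_valid() {     # $1 = document file; prints ok/fail
    if openssl dgst -sha256 -verify bob.pub -signature contract.sig "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# What Alice's viewer shows: contract.txt with the field expanded for a date.
render() {              # $1 = date the viewer believes it is, YYYY-MM-DD
    today=$(printf '%s' "$1" | tr -d '-')
    while IFS= read -r line; do
        case "$line" in
            *"{{IF_AFTER:"*"}}"*)
                spec=${line#*"{{IF_AFTER:"}
                spec=${spec%%"}}"*}                 # date:then:else
                cutoff=$(printf '%s' "${spec%%:*}" | tr -d '-')
                rest=${spec#*:}
                if [ "$today" -ge "$cutoff" ]; then
                    value=${rest%%:*}
                else
                    value=${rest#*:}
                fi
                line=${line%%"{{IF_AFTER:"*}$value${line#*"}}"}
                ;;
        esac
        printf '%s\n' "$line"
    done < contract.txt
}

# The price a viewer displays on a given date.
price_seen() {          # $1 = date, YYYY-MM-DD
    render "$1" | sed -n 's/^Price: \([0-9]*\) USD$/\1/p'
}

echo "signature on contract.txt: $(signature_valid contract.txt)"
echo "signature on tampered.txt: $(signature_valid tampered.txt)"
echo "price shown on 2005-04-15: $(price_seen 2005-04-15)"
echo "price shown on 2005-04-20: $(price_seen 2005-04-20)"
```

The signature does its job against tampered.txt, where the bytes changed. It says nothing about contract.txt rendering as "100 USD" for Bob and "9000 USD" for Alice a week later, because both views come from the same signed bytes. A signing tool that wants "valid signature" to mean "Bob saw this page" has to sign a static rendering, or refuse documents with dynamic content.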

9. Server-Side SSL
[diagram: SERVER CERT, SERVER PRIVATE KEY]
If Alice's browser tells her that she has an https connection to bob.com, should she believe it?

10. Standard Browser Signals

11. Standard Browser Signals: SSL warning window

12. Standard Browser Signals: "https", security icons

13. Standard Browser Signals: security page

14. Standard Browser Signals: server certificate

15. Web Spoofing Revisited
Attacks: for IE/Windows and Netscape/Linux (circa 2001-2002), we built a malicious server that spoofed:
● Location bar
● SSL icon
● SSL warning windows
● SSL certificate info
● (and password prompts)
Defenses: prototyped and validated "secure GUI" countermeasures in Mozilla (Usenix 02)
● Didn't get adopted
● Users have strange beliefs about online trust
● The problem has only grown worse

16. Client-Side SSL
[diagram: CLIENT CERT and CLIENT PRIVATE KEY; SERVER CERT and SERVER PRIVATE KEY]
Does "client-side authenticated request" ⇒ "user authorized the request"?

17. The "Browser" Keystore
Microsoft CSP, "high" or "medium" security keypair

18. Keyjacking #1
Suppose the adversary adds one user-level executable...
[diagram: INTERNET EXPLORER, ATTACK.DLL, CRYPT32.DLL, CLIENT PRIVATE KEY]
Result: adversary gets key, even with medium/high security
Countermeasure: make key non-exportable

19. Keyjacking #2
Suppose the adversary writes devious server content...
[diagram: Claire, Martha.com, Victor.com; 1. Request, 2. Martha's Malicious Frameset, 3. Stealth request]
Result: often, adversary fools victim server
Countermeasure: careful server content, browser configs

20. Mystery
If Claire approves using her key for victor.com once, IE appears happy to keep using it for SSL handshakes to that server.
Let's follow all the rules:
● WinXP Pro, current SP, current updates
● "High security" key
● Followed DoD DMS key hygiene guidelines
Result: IE will still use Claire's key without telling her

21-23. Keyjacking #3
Add one user-level executable, with two parts...
Countermeasures?
● Magic button? ("kill SSL state" or kill browser)
● Make key non-exportable?
● Aladdin eToken USB?
● Spyrus Rosetta USB?
● Careful server content?
All your keypairs are belong to us
SHEMP: proxy certs, TPMs, XACML

24-31. Passwords
Assumption: knowledge of password ⇒ identity of user
Reality: CS38 homework
● Plastic Dinosaurs and Squirt Guns: 80% success rate. "Alice" got 100%.
● Email link to spoofed site, using IE URL flaw: 83% success rate. 36% had vulnerability. 3% of the rest noticed.
● Self-signed SSL site: 93% success, including two faculty (from social science)

32. Problem: Expressiveness
Does standard PKI express what's important in human scenarios?
● name ≠ person
● name ≠ property
● property ≠ property
● formal delegation
● ad hoc delegation

33. Name ≠ Person
Did that mail really come from the "John Wilson" I'm thinking of?
One name, many persons
One person, many names
One person, many accounts
● John.Wilson@dartmouth.edu
● jwilson@ists.dartmouth.edu
One account, many capitalizations
● John.Wilson@foo.com
● john.wilson@foo.com
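Slide 33's "one person, many accounts" and "one account, many capitalizations", as an added example not from the slides: the two accounts on the slide go into an X.509 SubjectAltName (one of the tools slide 37 lists), and openssl's -verify_email shows which spellings the tool will accept as that name. openssl compares the local part case-sensitively and the domain case-insensitively, following the SMTP (RFC 5321) rule, so a capitalization change in the local part is a different name to the tool even when it reaches the same mailbox. The cert is self-signed and constructed here; the addresses are the slide's.

```shell
#!/bin/sh
# Added example (not from the slides): which spellings of an address an
# X.509 tool treats as the same name. The self-signed cert is constructed
# here; the two SAN addresses are the ones listed on slide 33.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# One person, many accounts: both addresses go into SubjectAltName.
openssl req -x509 -newkey rsa:2048 -nodes -keyout jw.key -out jw.crt \
    -subj "/CN=John Wilson" -days 30 \
    -addext "subjectAltName=email:John.Wilson@dartmouth.edu,email:jwilson@ists.dartmouth.edu" \
    >/dev/null 2>&1

# The names the cert actually carries, one per line.
san_emails() {
    openssl x509 -in jw.crt -noout -ext subjectAltName \
        | grep -o '[A-Za-z0-9._]*@[A-Za-z0-9.]*'
}

# Does this cert speak for address $1? The cert is its own trust anchor
# here, so the only thing that can fail is the name match. Prints yes/no.
matches_email() {       # $1 = address to test
    if openssl verify -CAfile jw.crt -verify_email "$1" jw.crt >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

echo "names in the cert:"
san_emails | sed 's/^/  /'
for addr in John.Wilson@dartmouth.edu \
            jwilson@ists.dartmouth.edu \
            John.Wilson@DARTMOUTH.EDU \
            john.wilson@dartmouth.edu \
            jwilson@dartmouth.edu; do
    echo "$addr -> $(matches_email "$addr")"
done
```

John.Wilson@DARTMOUTH.EDU matches because only the domain changed case; john.wilson@dartmouth.edu does not, because the local part is compared byte for byte. jwilson@dartmouth.edu is rejected even though a human might guess it is the same person: the tool only knows the names the CA put in the cert, which is the slide's point.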

34. Name ≠ Property
Did that mail really come from the person with property P?
What about the name-P binding?
● TCPA/TCG attestation about a remote machine
● Is "Martin Wyburne" the Dean?
● Who should sign the mail firing the CEO?
Multiple people speak for P
● "Effie Cummings" sent the mail from "Dean Wyburne"

35. Property ≠ Property
What does property P over there really mean?
Name of predicate
● Who is the "Office of the Registrar" at UVM?
Natural implications of predicate
● Dave Nicol and the soccer coach at UIUC
Similarly named predicates may mean opposite things
● "Dean's List" at MSU
● "Dean's List" at Princeton

36. Delegation
How do we express formal and ad hoc delegation relationships?
Subcontracting
● "Modus Media" vs. https://www.palmstore.com
● john@linklings.com is the "Dartmouth Ph.D. Admissions committee"
Less formal authorization
● Sharing passwords at NYU
● Dean of First-Years... and her admin assistant
● Stopping forgery of mail from the college president
Ad hoc relationships
● Giving a visitor "inside" access in EAP-TLS WLAN

37. Research Angles
Expressiveness:
● name equivalence
● non-identity attributes
● delegation
● ontology mapping
PKI tools:
● X.509 SubjectAltName
● X.509 attribute certs/PERMIS
● X.509 proxy certs
● SDSI/SPKI, XACML, hybrids
● HEBCA
● Trust Management
Other areas:
● HCISEC
