MCH2022 Curated content

Bring Your Own IDentity

Thanks to DNSSEC and DANE, it is possible to automatically verify user@domain.name identities by checking with domain.name servers. The real problem however, is integration with existing protocols, instead of inventing something completely new and perhaps web-only. The purpose of our work on Realm Crossover mechanisms has been to design generic solutions that extend many different application protocols, without changing their protocol specs.
For clients, being able to control an online identity is not just a cool matter of adding their domain name at the end. It also means that they control how long the identity exists, if it is an alias, if it can be a group account with members that they control. (We made identity and access control libraries to support all that, along with identities that are only usable until a timeout, from a certain remote domain, under a particular communication topic, and so on.) For servers, being able to authenticate users from any domain is an answer to many questions that otherwise stagnate: * Why does every HTTP server want us to create an account under its domain, instead of letting us use our own? * Why do we constantly need to confirm our email address by clicking links? * Why not authenticate SMTP senders and subject others to the most stringent spam filtering? * Why not publish a mailing list archive in IMAP, available only to subscribers and searchable with their own tooling? * Why not use AMQP as an automation-friendly document push protocol with authenticated senders for form submission, bill processing, blog publications, document archiving, ... * Why not share your MQTT dataflow with external parties, so they don't need to keep a web page open to be notified about, say, a newly posted document? * Why not share your PGP keys and contact information in your own LDAP directory but with access control to decide who may see what? All these questions stagnate on problems like *You would need to have accounts for all users in the World*. So that is what we solved in this project. This project expands the usefulness of many protocols by changing the way their implementations handle authentication; instead of local accounts, they follow a backlink to the client's domain. We designed and built the extensions needed for the backend, and made a few first implementations. We are hoping to show the usefulness of adopting these ideas in your own tooling. We present a number of generic mechanisms for Realm Crossover: 1. SASL tokens can be relayed to a Diameter server under the domain.name; 2. Kerberos supports Realm Crossover, and a keying handshake can do this on-demand; 3. X.509 certificates and PGP keys can be assured with DANE-akin structures for clients or by a lookup in an LDAP server for domain.name. For each, some form of domain-owned identity provider is run to assert identity when an external service needs it. The level of security is a matter of the user and their domain.name; an external service should not have to force down the security level of the client's domain. These three Realm Crossover mechanisms cover the majority of application protocols, the notable exceptions being the oldest ones, like Telnet, FTP and HTTP. Specifically for HTTP, we have defined an authentication mechanism that adds SASL; this means that new security mechanisms can be defined in SASL, where it benefits many protocols; it also means that authentication shifts from the HTTP application to the server, where the coding environment is better suited for such responsibilities. We end with a demo, showcasing a useful authentication flow: * Client desktop, with FireFox and a HTTP-SASL plugin * Server domain, running Apache with HTTP-SASL module under an independent domain * Server identity client, using Diameter to relay SASL to the Client Domain * Client Domain, running an identity provider with SASL over Diameter

Additional information

Type Talk
Language English

More sessions

7/22/22
MCH2022 Curated content
Elger "Stitch" Jonker
Abacus 🧮
⚠️ Warning! This talk may contain hackers. There may be hackers in the room. There may be hackers surrounding the room. There may be hackers recording this. There may be hackers listening in. There may be hackers that exfiltrate data. There may be hackers wearing shirts. There may be hackers carrying spying devices. OH NO! There are hackers EVERYWHERE! What can we do now, except having a party?
7/22/22
MCH2022 Curated content
SETUP, de Transmissie & Rodrigo Ferreira
Abacus 🧮
What do big tech, synthesizers, the crucifixion and Matthäus Passion have in common? Find the answer in the tech performance The Silicon Passion. We’ve all embraced big tech —but is it a warm hug or a strangulation? Bear witness to a debate of biblical proportions between tech nerds, technology and its users. In The Silicon Passion SETUP, in collaboration with de Transmissie (David Schwarz en Derk Stenvers) and Rodrigo Ferreira, is looking for a way out of the pit that technology has ...
7/22/22
MCH2022 Curated content
Clairvoyance 🔮
Lightning talks are a 5 to 10 minute quick talk on an interesting subject. They can be with or without slides, and with or without proper preparation. if you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.mch2022.org/Static:Lightning_Talks
7/22/22
MCH2022 Curated content
Kliment
Hardware Hacking Area 🤖
In this workshop, we will learn how to assemble tiny parts on circuit boards by building an electronic touch-activated purring kitten. Anyone can do it. Yes, even you who never touched anything electronic before. Takes 120mins, 20€/kit, avoid caffeine immediately before. Max 10 participants per session, sign up on PAPER at the Hardware Hacking Area.
7/22/22
MCH2022 Curated content
Mikko Hypponen
Abacus 🧮
This is a submission for a keynote talk at MCH2022. The Internet is both a familiar, comfortable place as well as a bottomless rabbit hole you can lose yourself in. The Internet has always been like this from its inception, the difference now is the scale and consequences are almost immeasurable - and it tests the limits of human imagination. When you look into the mirror of the Internet what you see reflected back depends on what you are looking for. It has become largely a reflection of ...
7/22/22
MCH2022 Curated content
Bjarni Rúnar Einarsson
Battery 🔋
Have you ever forgotten a passphrase or lost a hardware token? Lost access to enough Bitcoin to buy a pizza or two? Encryption is fundamental to securing our liberties, but key and password management remain difficult even for professionals, let alone the general public. This talk presents Passcrow, an Open Source project attempting to address one of crypto's largest usability issues: password and key recovery in a decentralized environment.
7/22/22
MCH2022 Curated content
Klaus Agnoletti
Clairvoyance 🔮
Utilizing collaborative security to collect data on attacks we were able to detect Log4J in a quite unusual but effective manner. We'll show you how CrowdSec enables the entire infosec community to stand together by detecting attempts to exploit a critical 0day, reporting them centrally thereby enabling anyone to protect themselves shortly after the vulnerability was made public. The unusual part is that this is done using FOSS software and by analyzing logs of real production systems but in a ...