Bringing Elliptic Curve Cryptography into the Mainstream

•

6 gefällt mir•1,602 views

In this talk I will describe how CloudFlare helped take elliptic curve cryptography from a promising technology with low adoption to core part of the HTTPS revolution. Two years ago, almost every public key used on the web for HTTPS was an RSA key. In 2013, the zmap team from University of Michigan scanned the entire web and found fewer than twenty non-RSA certificates. Over the next two years, CloudFlare took that number into the millions with the Universal SSL project. We’ll describe how using ECDSA (Elliptic Curve Digital Signature Algorithm) keys instead of RSA keys played a crucial role in enabling this project. With Universal SSL, any website can become HTTPS-enabled for free. Elliptic curve cryptography is not just useful for HTTPS, there are other protocols for which it provides an advantage over RSA. One of these is DNSSEC, the algorithm that lets administrators digitally sign DNS records for authenticity. DNSSEC been described as difficult deploy and dangerous because of the potential to abuse it in amplification/reflection attacks. In October 2015, CloudFlare launched its automated DNSSEC beta program. We’ll describe some of the tweaks we made to easily scale DNSSEC to millions of zones and how ECDSA keys helped solve some of the protocol’s major issues.

Technologie

Elliptic Curve Cryptography
Bringing it to the mainstream
Stanford Security Lunch
November 4, 2015
Nick Sullivan
@grittygrease
nick@cloudﬂare.com

HTTPS Adoption (2013)
• 2,545,693 valid RSA 2048-bit certiﬁcates 
Analysis of the HTTPS Certiﬁcate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013)
• Zero valid ECDSA certiﬁcates
9

11
CACloudFlare
CloudFlare Edge
DNS
CSR
TXT?
Proof
TXT?
Proof
Certiﬁcate
Proof

Goal
Enable HTTPS by default
for ~2 million free
customers
12

Issue: Scale
~30 Trillion Requests/
Day
13

What is expensive in TLS?
• Private key Operations
• Bulk encryption
14

Bulk Encryption
• Basically free with modern Intel processors
• AES-GCM on Haswell is ~1 cycle per byte
15

Private Key Operations
• Orders of magnitude slower than symmetric crypto
• RSA ~2,000,000 cycles per signature on Haswell
• ~500 Quadrillion Cycles/Day
16

We can do better
• Session resumption (~33%)
17

ECDSA
Elliptic Curve Digital Signature Algorithm

ECDSA
• Digital signature algorithm based on elliptic curve crypto
• Widely studied, no sub-exponential discrete logarithm
• Standardized NIST Curves (P256, P384, P521)
• NSA Suite B (Secret and Top Secret)
19

ECDSA Advantages
• Smaller keys (256bit EC ~ 3072bit RSA)
• Faster signatures (~800K vs 2M)
• Vlad Krasnov improved to ~375K by using x86_64 asm
• Merged into OpenSSL, Golang
• Saves 300 Quadrillion Cycles/Day (given 100% HTTPS)
21

ECDSA Downsides
• Slower signature veriﬁcation
• Less ubiquitous
• Roots were added in
• Some systems don’t support ECDSA (Android 2, Windows XP)
• Patent encumbrances
• Not quantum-safe: subject to Shor’s algorithm
22

Universal SSL
• Free ECDSA certiﬁcates for all customers
• HTTPS enabled by default
• Total number of HTTPS sites is  
up by over 2 million
• SNI-only so scans undercount
23

Cache Poisoning (Kaminsky’s attack)
26
Resolver Authoritative
Server
Q: what is the IP address of cloudﬂare.com
A: 198.41.213.157
A:6.6.6.6
A:6.6.6.6
A:6.6.6.6
A:6.6.6.6
A:6.6.6.6
A: 6.6.6.6
A: 6.6.6.6

Man-in-the-middle
27
Resolver
Authoritative
Server
Q: what is the IP address of cloudﬂare.com
A: 198.41.213.157A: 6.6.6.6

DNSSEC signature veriﬁcation
28
A
example.com. A RRSIG
example.com.
DNSKEY KSK
example.com.
DNSKEY KSK
.
Verisign
Authoritative
(i.e. CloudFlare)
ICANN
DS
example.com.
DS
com.
Root Key
DNSKEY ZSK
example.com.
DNSKEY RRSIG
example.com.
DS RRSIG
com.
DNSKEY KSK
com.
DNSKEY ZSK
com.
DNSKEY RRSIG
com.
A RRSIG
.
DNSKEY ZSK
.
DNSKEY RRSIG
.

Solution: DNSSEC (done right)
Digital signatures in the DNS
Live-signed answers
Elliptic curve keys
30

Solution: DNSSEC (done right)
cloudflare.net. 300 IN A 104.20.36.89
cloudflare.net. 300 IN A 104.20.37.89
cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273
cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha /
Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ==
ietf.org. 1800 IN A 4.31.198.44
ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org.
DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/
UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX
m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP
+z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl
y6BdTA==
31

Issues addressed
Fix zone enumeration with live signing
Fix live signing with ECDSA — in the Go language
Vlad performance improvements
Ampliﬁcation-neutral
32

ECDSA - Miscellaneous
• Randomness breaks ECDSA
• Fixed by RFC 6979
• Patent issues
• ECDSA is not supported by Red Hat
• A Riddle Wrapped in an Enigma
• Koblitz & Menezes paper on Suite B
• Are the NIST curves safe?
33

Elliptic Curve Cryptography
Bringing it to the mainstream
Nick Sullivan
@grittygrease
nick@cloudﬂare.com

Weitere ähnliche Inhalte

Was ist angesagt?

Sullivan heartbleed-defcon22 2014

Cloudflare

The latest version of the TLS protocol, TLS 1.3, was just released in August 2018. TLS 1.3 is faster and more secure than TLS 1.2. In this webinar we cover what’s new in TLS 1.3 and how to use it with NGINX, plus other new features in NGINX Open Source and NGINX Plus. Join this webinar to learn: - What’s new in TLS 1.3 and why it's faster and more secure than TLS 1.2 - How to use TLS 1.3 with NGINX Plus and NGINX Open Source - About two-stage rate limiting, simplified OpenID Connect, and 2x faster NGINX and ModSecurity WAF performance - More with a live demo of TLS 1.3 in action https://www.nginx.com/resources/webinars/tls-1-3-new-features-nginx-plus-r17-nginx-open-source-emea/

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA

NGINX, Inc.

Two of the major concerns for serving information over the internet are latency and security. Reducing latency improves response times, making content delivery seem more instantaneous and improving user experience. The most common approach to improving security is TLS, where data is sent over an authenticated encryption tunnel between a server and a client. The Internet’s architecture and the physical realities of how networks are spread geographically can cause these two goals to be competitive. This talk introduces a model to deal with private key security in this situation.

Sullivan handshake proxying-ieee-sp_2014

Cloudflare

NGINX is one of the most popular images on Docker Hub and has been at the forefront of the web since the early 2000's. In this talk we will discuss how and why NGINX's lightweight and powerful architecture makes it a very popular choice for securing containerized applications as a sidecar reverse proxy within containers. We will highlight important aspects of application security that NGINX can help with, such as TLS, HTTP, AuthN, AuthZ and traffic control.Additional Sponsor InformationDuring our session we will be Raffling off a swag pack to live attendees. We'll also be offering 30% off our swag store that can be shared via social. Details below:URL: swag-nginx.com Code: DOCKERCON30 Value: 30% off

DockerCon Live 2020 - Securing Your Containerized Application with NGINX

Kevin Jones

On-demand recording: https://nginx.webex.com/nginx/lsr.php?RCID=82f9c75402528464d3625813e313f8a4 The new NGINX Microservices Reference Architecture (MRA) goes into depth on the entire architecture. Join this webinar to explore all three models in the MRA: the Proxy Model, the Router Mesh Model, and the Fabric Model. The Proxy Model gives you a leg up into microservices, including support for API gateways. The Router Mesh Model adds power, with a second server exclusively for microservices support. And the Fabric Model pairs an NGINX Plus instance with every microservice instance for secure SSL/TLS communications between service instances. Check out this webinar to learn about building a secure and scalable microservices app: * When to take the leap into deploying microservices * Why you should consider adopting the MRA for your app * How to choose a model that works for your app * How to start the process of converting a monolith to microservices

The 3 Models in the NGINX Microservices Reference Architecture

NGINX, Inc.

Sullivan white boxcrypto-baythreat-2013

Cloudflare

In today’s world, you may not know if the hardware you are running software on is secure or not. How can you ensure that, regardless of the hardware security, the software stays protected? CloudFlare’s systems engineer, Nick Sullivan shares advanced techniques on how to protect your server software. These techniques include anti-reverse engineering methods, secure key management and designing a system for renewal.

Running Secure Server Software on Insecure Hardware Without Parachute

Cloudflare

Botconf ppt

Cloudflare

Bridges and Tunnels: A Drive Through OpenStack Networking

markmcclain

Serverless for the Cloud Native Era with Fission

NATS

GopherCon 2017 - Writing Networking Clients in Go: The Design & Implementati...

wallyqs

Flawless Application Delivery using Nginx Plus By leveraging these latest features: • Support for HTTP/2 standard • Thread pools and socket sharding and how it can help improve performance • NTLM support and new TCP security enhancements • Advanced NGINX Plus monitoring, management and visibility of health & load checks Catch this exclusive Google Hangout live! November 4th, 2015 | 2.00-2.30PM IST | 4.30-5.00PM SGT About the speaker: Sandeep Khuperkar, Director and CTO at Ashnik will be heading this session. He is an author, enthusiast and community moderator at opensource.com. He is also member of Open Source Initiative, Linux Foundation and Open Source Consortium Of India.

NGINX Plus PLATFORM For Flawless Application Delivery

Ashnikbiz

DEFCON 28: 21 Jump Server: Going Bastionless in the Cloud

Colin Estep

Data and information security is crucial and essential for most of the IT environments. As data is more often stored in the cloud securing it becomes a non trivial challenge. IBM Advanced Crypto Service Provider (ACSP) is a solution that enables remote access to the IBM’s cryptographic coprocessors. Such approach allows for utilization of strong hardware based cryptography as a service (“cryptography as a service”) in distributed environments where data security cannot be guaranteed. ACSP is a “network hardware security module (NetHSM)” that provides access to cryptographic resources via IBM Common Cryptographic Architecture (CCA) interface and the PKCS#11 standard. More at https://ibm.box.com/v/acsp-vault-ibm-forum-2015 Video recording from that presentation can be found at https://vimeo.com/smartcoders/acsp-vault-ibm-forum-2015

Advanced Crypto Service Provider – cryptography as a service

Smart Coders

On-demand webinar: nginx.com/resources/webinars/monitoring-highly-dynamic-distributed-services-nginx-amplify In this webinar, we describe the challenges of monitoring highly dynamic and distributed systems, and show how NGINX Amplify can help. Cloud services, containers, and microservices provide flexibility of deployment, but conventional monitoring tools can't always keep up with rapidly changing systems. NGINX Amplify helps you overcome challenges in collecting logs and metrics and acting on the results. Join us in this webinar to discover: - The specific characteristics of distributed systems, immutable infrastructure, and systems that use a microservices architecture. - Why NGINX and NGINX Plus are the go-to application delivery solutions with popular with users of container technologies such as Docker and cloud technologies such as AWS. - What special challenges you may find in monitoring and managing containerized, distributed, and microservices-based systems. - How NGINX Amplify overcomes monitoring and management challenges.

Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify

NGINX, Inc.

Certificate based access type in openstack Manila @ openstack paris nov. 2014

Deepak Shetty

On demand version can be accessed at https://www.nginx.com/resources/webinars/mra-ama-part-7-circuit-breaker-pattern/ The circuit breaker pattern is an emerging standard for use in app development and deployment, particularly with microservices apps. Popular architectures such as Istio and linkerd use the circuit breaker pattern for resiliency. This pattern is an important component in what can become fully resilient, “self-healing” application architectures. In this webinar, we describe the use of the circuit breaker pattern with NGINX Plus, which has specific features that support the use of this pattern, and in the NGINX Microservices Reference Architecture. Attendees of the live webinar will have the opportunity to ask questions.

MRA AMA Part 7: The Circuit Breaker Pattern

NGINX, Inc.

The Web is broken. HTTP is inefficient and expensive, especially for large files. Webpages are being deleted constantly, with the average lifespan of a web being 100 days. The Web's centralization limits opportunity and innovation. And it causes problems in the developing world, with natural disasters or faulty connections. We can do better. In this talk, I'll explain IPFS, a project intended to replace HTTP and build a better web. IPFS is a peer-to-peer hypermedia protocol to make the web faster, safer, and more open. In addition, IPFS will use Filecoin as a reward mechanism. Filecoin aims to provide a decentralized network for digital storage through which users can effectively rent out their spare capacity, receiving filecoins as payment. Filecoin raised 200M$ last month, breaking all records in blockchain ICOs to date.

Redecentralizing the Web: IPFS and Filecoin

Facultad de Informática UCM

Using NGINX as an Effective and Highly Available Content Cache

Kevin Jones

NATS vs HTTP

Apcera

Was ist angesagt? (20)

Sullivan heartbleed-defcon22 2014

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA

Sullivan handshake proxying-ieee-sp_2014

DockerCon Live 2020 - Securing Your Containerized Application with NGINX

The 3 Models in the NGINX Microservices Reference Architecture

Sullivan white boxcrypto-baythreat-2013

Running Secure Server Software on Insecure Hardware Without Parachute

Botconf ppt

Bridges and Tunnels: A Drive Through OpenStack Networking

Serverless for the Cloud Native Era with Fission

GopherCon 2017 - Writing Networking Clients in Go: The Design & Implementati...

NGINX Plus PLATFORM For Flawless Application Delivery

DEFCON 28: 21 Jump Server: Going Bastionless in the Cloud

Advanced Crypto Service Provider – cryptography as a service

Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify

Certificate based access type in openstack Manila @ openstack paris nov. 2014

MRA AMA Part 7: The Circuit Breaker Pattern

Redecentralizing the Web: IPFS and Filecoin

Using NGINX as an Effective and Highly Available Content Cache

NATS vs HTTP

Ähnlich wie Bringing Elliptic Curve Cryptography into the Mainstream

ION Bucharest, 12 October 2016 - DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.

ION Bucharest - Deploying DNSSEC

Deploy360 Programme (Internet Society)

Signing DNSSEC answers on the fly at the edge: challenges and solutions

APNIC

IoT Secure Bootsrapping : ideas

Jean-Baptiste Trystram

DANE and Application Uses of DNSSEC

Shumon Huque

Dns protocol design attacks and security

Michael Earls

TLS/SSL - Study of Secured Communications

Nitin Ramesh

The latest version of the TLS protocol, TLS 1.3, was just released in August 2018. TLS 1.3 is faster and more secure than TLS 1.2. In this webinar, we cover what’s new in TLS 1.3 and how to use it with NGINX, plus other new features in NGINX Open Source and NGINX Plus. Join this webinar to learn: - What’s new in TLS 1.3 and why it's faster and more secure than TLS 1.2 - How to use TLS 1.3 with NGINX Plus and NGINX Open Source - About two-stage rate limiting, simplified OpenID Connect, and 2x faster NGINX and ModSecurity WAF performance - More with a live demo of TLS 1.3 in action Watch On-demand: https://www.nginx.com/resources/webinars/tls-1-3-new-features-nginx-plus-r17-nginx-open-source/

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source

NGINX, Inc.

State of the Web

CASCouncil

An Introduction to DANE - Securing TLS using DNSSEC

Carlos Martinez Cagnazzo

The Trusted Cloud Transfer Protocol (TCTP)

Mathias Slawik

SSL overview

Todd Benson (I.T. SPECIALIST and I.T. SECURITY)

DNS - MCSE 2019

Milad Es'Haghi

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...

Felipe Prado

ieeehs042204d

John Hines

As presented by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon/ContainerCon 2016: Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications. Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment. Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.

Using hypervisor and container technology to increase datacenter security pos...

Black Duck by Synopsys

As presented at LinuxCon/ContainerCon 2016: Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications. Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment. Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.

Using hypervisor and container technology to increase datacenter security pos...

Tim Mackey

Servers.com Company Presentation 2020

Servers.com

Consul and Complex Networks

slackpad

Alternatives and Enhancements to CAs for a Secure Web

CASCouncil

Nginx Deep Dive Kubernetes Ingress

Knoldus Inc.

Ähnlich wie Bringing Elliptic Curve Cryptography into the Mainstream (20)

ION Bucharest - Deploying DNSSEC

Signing DNSSEC answers on the fly at the edge: challenges and solutions

IoT Secure Bootsrapping : ideas

DANE and Application Uses of DNSSEC

Dns protocol design attacks and security

TLS/SSL - Study of Secured Communications

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source

State of the Web

An Introduction to DANE - Securing TLS using DNSSEC

The Trusted Cloud Transfer Protocol (TCTP)

SSL overview

DNS - MCSE 2019

DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...

ieeehs042204d

Using hypervisor and container technology to increase datacenter security pos...

Servers.com Company Presentation 2020

Consul and Complex Networks

Alternatives and Enhancements to CAs for a Secure Web

Nginx Deep Dive Kubernetes Ingress

Kürzlich hochgeladen

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

CNv6 Instructor Chapter 6 Quality of Service

giselly40

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Real Time Object Detection Using Open CV

Khem

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Friends Colony Women Seeking Men

Delhi Call girls

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

A Call to Action for Generative AI in 2024

Results

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Delhi Call girls

Microsoft's Threat Matrix for Kubernetes helps organizations understand the attack surface a Kubernetes deployment introduces to their environments. This ensures that adequate detections and mitigations are in place. By covering over 40 different attacker techniques, defenders can learn about Kubernetes-specific mitigations and controls to deploy to their environments. In this session, we will explore the MS-TA9013 Host Path Mount technique, which is commonly used by attackers to perform privilege escalation in a Kubernetes cluster. Attendees will learn how attackers and defenders can: * Escape the container's host volume mount to gain persistence on an underlying node * Move laterally from the underlying node into the customer's cloud environment * Analyze Kubernetes audit logs to detect pods deployed with a hostPath mount * Deploy an admission controller that prevents new pods from using a hostPath mount

Breaking the Kubernetes Kill Chain: Host Path Mount

Puma Security, LLC

In an era where artificial intelligence (AI) stands at the forefront of business innovation, Information Architecture (IA) is at the core of functionality. See “There’s No AI Without IA” – (from 2016 but even more relevant today) Understanding and leveraging how Information Architecture (IA) supports AI synergies between knowledge engineering and prompt engineering is critical for senior leaders looking to successfully deploy AI for internal and externally facing knowledge processes. This webinar be a high-level overview of the methodologies that can elevate AI-driven knowledge processes supporting both employees and customers. Core Insights Include: Strategic Knowledge Engineering: Delve into how structuring AI's knowledge base is required to prevent hallucinations, enable contextual retrieval of accurate information. This will include discussion of gold standard libraries of use cases support testing various LLMs and structures and configurations of knowledge base. Precision in Prompt Engineering: Learn the art of crafting prompts that direct AI to deliver targeted, relevant responses, thereby optimizing customer experiences and business outcomes. Unified Approach for Enhanced AI Performance: Explore the intersection of knowledge and prompt engineering to develop AI systems that are not only more responsive but also aligned with overarching business strategies. Guiding Principles for Implementation: Equip yourself with best practices, ethical guidelines, and strategic considerations for embedding these technologies into your business ecosystem effectively. This webinar is designed to empower business and technology leaders with the knowledge to harness the full potential of AI, ensuring their organizations not only keep pace with digital transformation but lead the charge. Join us to map a roadmap to fully leverage Information Architecture (IA) and AI chart a course towards a future where AI is a key pillar of strategic innovation and business success.

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

Earley Information Science

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

Explore 'The Codex of Business: Writing Software for Real-World Solutions,' a compelling SlideShare presentation that delves into digital transformation in healthcare. Discover through a detailed case study how Agile methodologies empower healthcare providers to develop, iterate, and refine digital solutions that address real-world challenges. Learn how strategic planning, user feedback, and continuous improvement drive success in deploying technologies that enhance patient care and operational efficiency. Ideal for healthcare professionals, IT specialists, and digital transformation advocates seeking actionable insights and practical examples of technology making a real difference.

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Malak Abu Hammad

Kürzlich hochgeladen (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf

Artificial Intelligence: Facts and Myths

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

What Are The Drone Anti-jamming Systems Technology?

Presentation on how to chat with PDF using ChatGPT code interpreter

CNv6 Instructor Chapter 6 Quality of Service

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Real Time Object Detection Using Open CV

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

08448380779 Call Girls In Friends Colony Women Seeking Men

08448380779 Call Girls In Civil Lines Women Seeking Men

A Call to Action for Generative AI in 2024

Axa Assurance Maroc - Insurer Innovation Award 2024

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Breaking the Kubernetes Kill Chain: Host Path Mount

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

The Codex of Business Writing Software for Real-World Solutions 2.pptx

Bringing Elliptic Curve Cryptography into the Mainstream

1. Elliptic Curve Cryptography Bringing it to the mainstream Stanford Security Lunch November 4, 2015 Nick Sullivan @grittygrease nick@cloudﬂare.com

4. DNS

5. HTTP

6. HTTPS The “S” stands for TLS

9. HTTPS Adoption (2013) • 2,545,693 valid RSA 2048-bit certificates  Analysis of the HTTPS Certificate Ecosystem, Durumeric, Kasten, Bailey, Halderman (2013) • Zero valid ECDSA certificates 9

10. CloudFlare Reverse Proxy 10

11. 11 CACloudFlare CloudFlare Edge DNS CSR TXT? Proof TXT? Proof Certiﬁcate Proof

12. Goal Enable HTTPS by default for ~2 million free customers 12

13. Issue: Scale ~30 Trillion Requests/ Day 13

14. What is expensive in TLS? • Private key Operations • Bulk encryption 14

15. Bulk Encryption • Basically free with modern Intel processors • AES-GCM on Haswell is ~1 cycle per byte 15

16. Private Key Operations • Orders of magnitude slower than symmetric crypto • RSA ~2,000,000 cycles per signature on Haswell • ~500 Quadrillion Cycles/Day 16

17. We can do better • Session resumption (~33%) 17

18. ECDSA Elliptic Curve Digital Signature Algorithm

19. ECDSA • Digital signature algorithm based on elliptic curve crypto • Widely studied, no sub-exponential discrete logarithm • Standardized NIST Curves (P256, P384, P521) • NSA Suite B (Secret and Top Secret) 19

20. EQUATIONS!!! 20

21. ECDSA Advantages • Smaller keys (256bit EC ~ 3072bit RSA) • Faster signatures (~800K vs 2M) • Vlad Krasnov improved to ~375K by using x86_64 asm • Merged into OpenSSL, Golang • Saves 300 Quadrillion Cycles/Day (given 100% HTTPS) 21

22. ECDSA Downsides • Slower signature veriﬁcation • Less ubiquitous • Roots were added in • Some systems don’t support ECDSA (Android 2, Windows XP) • Patent encumbrances • Not quantum-safe: subject to Shor’s algorithm 22

23. Universal SSL • Free ECDSA certiﬁcates for all customers • HTTPS enabled by default • Total number of HTTPS sites is   up by over 2 million • SNI-only so scans undercount 23

24. What about DNS? 24

25. Authoritative Servers 25

26. Cache Poisoning (Kaminsky’s attack) 26 Resolver Authoritative Server Q: what is the IP address of cloudﬂare.com A: 198.41.213.157 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A:6.6.6.6 A: 6.6.6.6 A: 6.6.6.6

27. Man-in-the-middle 27 Resolver Authoritative Server Q: what is the IP address of cloudﬂare.com A: 198.41.213.157A: 6.6.6.6

28. DNSSEC signature veriﬁcation 28 A example.com. A RRSIG example.com. DNSKEY KSK example.com. DNSKEY KSK . Verisign Authoritative (i.e. CloudFlare) ICANN DS example.com. DS com. Root Key DNSKEY ZSK example.com. DNSKEY RRSIG example.com. DS RRSIG com. DNSKEY KSK com. DNSKEY ZSK com. DNSKEY RRSIG com. A RRSIG . DNSKEY ZSK . DNSKEY RRSIG .

29. 29

30. Solution: DNSSEC (done right) Digital signatures in the DNS Live-signed answers Elliptic curve keys 30

31. Solution: DNSSEC (done right) cloudflare.net. 300 IN A 104.20.36.89 cloudflare.net. 300 IN A 104.20.37.89 cloudflare.net. 300 IN RRSIG A 13 2 300 20151105181354 20151103161354 35273 cloudflare.net. 1lj7NV/tLbTWAk/HeiU4UvxwTDPG8nXGEn408Rm7HELyL0HE3QRQTMha / Y0yTIAJWvQFKwGm2lg61Gpf9uy7uQ== ietf.org. 1800 IN A 4.31.198.44 ietf.org. 1800 IN RRSIG A 5 2 1800 20161012164049 20151013154322 40452 ietf.org. DlaOfMqEIkbTBY8Rv8WJf2MqXBzT64sUr+Ms5zEfV4IIdKhiQoQqU8vH Ga+PcZak5DzfXwXuklriXPI7jN5Zqk/ UnTsX62on0SQft/YkgAogMdZI U5znPsgkq+gX/BA2AkRpBOEBDiPS8sRgJb4r38kZ05BNLTvlweg3hIcX m1JHfbXuyAE4C6bRmD/h5erxvO6Q2UA2EFWHjcrIAAhmLRqHxeq8uhCJ AZMSJyTuJxB+6z+59v4/QxP +z3NnBdzxcTea1aUVYG/zbqiHkNpgRzrN 708UrrqkUwWDodrOYoHndfYoWqI61ifvBkUref0cn0IKWOolfHMsCjdl y6BdTA== 31

32. Issues addressed Fix zone enumeration with live signing Fix live signing with ECDSA — in the Go language Vlad performance improvements Ampliﬁcation-neutral 32

33. ECDSA - Miscellaneous • Randomness breaks ECDSA • Fixed by RFC 6979 • Patent issues • ECDSA is not supported by Red Hat • A Riddle Wrapped in an Enigma • Koblitz & Menezes paper on Suite B • Are the NIST curves safe? 33

34. Elliptic Curve Cryptography Bringing it to the mainstream Nick Sullivan @grittygrease nick@cloudﬂare.com

Bringing Elliptic Curve Cryptography into the Mainstream

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Bringing Elliptic Curve Cryptography into the Mainstream

Ähnlich wie Bringing Elliptic Curve Cryptography into the Mainstream (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Bringing Elliptic Curve Cryptography into the Mainstream