SlideShare ist ein Scribd-Unternehmen logo

RFC 7435 - Opportunistic security - Some protection most of the time

Olle E Johansson
Olle E Johansson

An introduction to the very important RFC 7435 by Viktor Dukhovni. After you've seen these slides, go read this document.

1 von 13
Downloaden Sie, um offline zu lesen
Opportunistic Security according to the IETF Quotes from RFC 7435 by Viktor Dukhovni RFC Copyright: Copyright (c) 2014 IETF Trust and
 the persons identified as the document authors. All rights reserved.document authors. All rights reserved. 2015-03-01 v1.3/oej
Editor note These are just my selected quotes from the RFC, to inspire you to read the full text. @oej | oej@edvina.net
Definition “Protocol designs based on Opportunistic Security 
 use encryption even
 when authentication is not available, 
 and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet.” ENCRYPTION AUTHENTICATION Encryption provides
 confidentiality. Authentication provides
 identity.
ALL or NOTHING “Historically, Internet security protocols have emphasized comprehensive "all or nothing" cryptographic protection against both passive and active attacks.” “As a result, operators often disable these security protocols when users have difficulty connecting, thereby degrading all communications to cleartext transmission.” “With each peer, such a protocol achieves either full protection or else total failure to communicate (hard fail).” FULL PROTECTION TOTAL FAILURE CLEARTEXT!!
ALL or 
 NOTHING Can we have more options than full protection or NOTHING?
The problem with the PKI “The Public Key Infrastructure (PKI) model employed by browsers to authenticate web servers (often called the "Web PKI") imposes cost and management burdens that have limited its use.” “With so many Certification Authorities (CAs), not all of which everyone is willing to trust, the communicating parties
 don't always agree on a mutually trusted CA.” “Without a mutually trusted CA, authentication fails, leading to communications failure
 in protocols that mandate authentication.”
Teaching users to ignore security warnings “In Web PKI interactive applications, security warnings are all too frequent, and end users learn to actively ignore security problems, or site administrators decide that the maintenance cost is not worth the benefit so they provide a cleartext- only service to their users.” “For encryption to be used more broadly, authentication needs to be optional. The use of encryption defends against pervasive monitoring and other passive attacks.” “Even unauthenticated, encrypted communication (defined below) is preferable to cleartext.”
A new perspective FULL SECURITY CLEARTEXT “For encryption to be used more broadly, authentication needs to be optional. The use of encryption defends against pervasive monitoring and other passive attacks.” “Even unauthenticated, encrypted communication (defined below) is preferable to cleartext.”
Definition OPPORTUNISTIC
 SECURITY "Opportunistic Security" (OS) is defined as the use of cleartext as the baseline communication security policy, with encryption and authentication negotiated and applied to the communication when available.
Incrementally more secure 
 To achieve widespread adoption, OS must support incremental deployment. Incremental deployment implies that security capabilities will vary from peer to peer, perhaps for a very long time. OS protocols will attempt to establish encrypted communication whenever both parties are capable of such, and authenticated communication if that is also possible. AUTHENTICATION AND ENCRYPTION CLEARTEXT ENCRYPTION
 NO AUTHENTICATION
Incrementally more secure Thus, use of an opportunistic security protocol" may yield communication that is
 
 Authenticated and encrypted,
 ! unauthenticated but encrypted, 
 
 or cleartext. AUTHENTICATION AND ENCRYPTION CLEARTEXT ENCRYPTION
 NO AUTHENTICATION
Voices against OS Will this make less sessions fully secure - authenticated properly? Setting up encryption without knowing who your talking with (authentication) does not lead to any confidentiality!
Got it? Go read
 RFC 7435!

Empfohlen

PROTOCOL MECHNISM FOR SECURITY ppt
PROTOCOL MECHNISM FOR SECURITY pptPROTOCOL MECHNISM FOR SECURITY ppt
PROTOCOL MECHNISM FOR SECURITY pptD Y PATIL COLLEGE OF ENGINEERING PUNE
 
A framework for securing wireless home networks 1
A framework for securing wireless home networks 1A framework for securing wireless home networks 1
A framework for securing wireless home networks 1Ryan Mc Donagh
 
Network and internet security
Network and internet securityNetwork and internet security
Network and internet securityKaviya452563
 
Data encryption-ciphers
Data encryption-ciphersData encryption-ciphers
Data encryption-ciphersSufficientgrace
 
How Encryption for Strong Security Works
How Encryption for Strong Security WorksHow Encryption for Strong Security Works
How Encryption for Strong Security Workss1170087
 
Firewall
FirewallFirewall
FirewallGarmian
 
Towards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationTowards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationAchim Friedland
 
Gets cisco security training
Gets cisco security trainingGets cisco security training
Gets cisco security trainingqosnetworking
 

Empfohlen

PROTOCOL MECHNISM FOR SECURITY ppt
PROTOCOL MECHNISM FOR SECURITY pptPROTOCOL MECHNISM FOR SECURITY ppt
PROTOCOL MECHNISM FOR SECURITY pptD Y PATIL COLLEGE OF ENGINEERING PUNE
 
A framework for securing wireless home networks 1
A framework for securing wireless home networks 1A framework for securing wireless home networks 1
A framework for securing wireless home networks 1Ryan Mc Donagh
 
Network and internet security
Network and internet securityNetwork and internet security
Network and internet securityKaviya452563
 
Data encryption-ciphers
Data encryption-ciphersData encryption-ciphers
Data encryption-ciphersSufficientgrace
 
How Encryption for Strong Security Works
How Encryption for Strong Security WorksHow Encryption for Strong Security Works
How Encryption for Strong Security Workss1170087
 
Firewall
FirewallFirewall
FirewallGarmian
 
Towards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationTowards a Security-aware Network Virtualization
Towards a Security-aware Network VirtualizationAchim Friedland
 
Gets cisco security training
Gets cisco security trainingGets cisco security training
Gets cisco security trainingqosnetworking
 
The vpn
The vpnThe vpn
The vpnAbhinav Dwivedi
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and CryptographyGayathridevi120
 
Presentation network security
Presentation network securityPresentation network security
Presentation network securitycegonsoft1999
 
Network Security
Network SecurityNetwork Security
Network SecuritySanthoshKumar2759
 
Network security
Network securityNetwork security
Network securitySimranpreet Singh
 
How encryption works
How encryption worksHow encryption works
How encryption workss1180012
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private NetworkBijaya Khadka
 
Network Security
Network SecurityNetwork Security
Network SecurityJaya sudha
 
Enhanced olsr for defense against dos attack in ad hoc networks
Enhanced olsr for defense against dos attack in ad hoc networksEnhanced olsr for defense against dos attack in ad hoc networks
Enhanced olsr for defense against dos attack in ad hoc networksJPINFOTECH JAYAPRAKASH
 
Palestra Filipi Pires - Ransomware – Existe proteção para isso?
Palestra Filipi Pires - Ransomware – Existe proteção para isso?Palestra Filipi Pires - Ransomware – Existe proteção para isso?
Palestra Filipi Pires - Ransomware – Existe proteção para isso?BHack Conference
 
Iuwne10 S04 L07
Iuwne10 S04 L07Iuwne10 S04 L07
Iuwne10 S04 L07Ravi Ranjan
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteAntonio Fontes
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security ApplicationsHatem Mahmoud
 
Cloud security
Cloud securityCloud security
Cloud securityJhanvi Dattani
 
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersUSENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersAditya K Sood
 
voice
voicevoice
voicechaitu64
 
Week13presentation
Week13presentationWeek13presentation
Week13presentationyuki0722_0007
 
Wireless Security, Firewall,Encryption
Wireless Security, Firewall,EncryptionWireless Security, Firewall,Encryption
Wireless Security, Firewall,EncryptionAshwin Harikumar
 
Network Security Certification
Network Security CertificationNetwork Security Certification
Network Security CertificationVskills
 
Data Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallData Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallManish Kumar
 
The Social Web & Your Library
The Social Web & Your LibraryThe Social Web & Your Library
The Social Web & Your LibraryBobbi Newman
 
2013 Enterprise Strategy Outlook
2013 Enterprise Strategy Outlook2013 Enterprise Strategy Outlook
2013 Enterprise Strategy OutlookMiha Kralj
 

Weitere ähnliche Inhalte

Was ist angesagt?

Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and CryptographyGayathridevi120
 
Presentation network security
Presentation network securityPresentation network security
Presentation network securitycegonsoft1999
 
How encryption works
How encryption worksHow encryption works
How encryption workss1180012
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private NetworkBijaya Khadka
 
Network Security
Network SecurityNetwork Security
Network SecurityJaya sudha
 
Enhanced olsr for defense against dos attack in ad hoc networks
Enhanced olsr for defense against dos attack in ad hoc networksEnhanced olsr for defense against dos attack in ad hoc networks
Enhanced olsr for defense against dos attack in ad hoc networksJPINFOTECH JAYAPRAKASH
 
Palestra Filipi Pires - Ransomware – Existe proteção para isso?
Palestra Filipi Pires - Ransomware – Existe proteção para isso?Palestra Filipi Pires - Ransomware – Existe proteção para isso?
Palestra Filipi Pires - Ransomware – Existe proteção para isso?BHack Conference
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteAntonio Fontes
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security ApplicationsHatem Mahmoud
 
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersUSENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersAditya K Sood
 
Wireless Security, Firewall,Encryption
Wireless Security, Firewall,EncryptionWireless Security, Firewall,Encryption
Wireless Security, Firewall,EncryptionAshwin Harikumar
 
Network Security Certification
Network Security CertificationNetwork Security Certification
Network Security CertificationVskills
 
Data Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallData Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallManish Kumar
 

Was ist angesagt? (20)

The vpn
The vpnThe vpn
The vpn
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
 
Presentation network security
Presentation network securityPresentation network security
Presentation network security
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network security
Network securityNetwork security
Network security
 
How encryption works
How encryption worksHow encryption works
How encryption works
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
Network Security
Network SecurityNetwork Security
Network Security
 
Enhanced olsr for defense against dos attack in ad hoc networks
Enhanced olsr for defense against dos attack in ad hoc networksEnhanced olsr for defense against dos attack in ad hoc networks
Enhanced olsr for defense against dos attack in ad hoc networks
 
Palestra Filipi Pires - Ransomware – Existe proteção para isso?
Palestra Filipi Pires - Ransomware – Existe proteção para isso?Palestra Filipi Pires - Ransomware – Existe proteção para isso?
Palestra Filipi Pires - Ransomware – Existe proteção para isso?
 
Iuwne10 S04 L07
Iuwne10 S04 L07Iuwne10 S04 L07
Iuwne10 S04 L07
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security Applications
 
Cloud security
Cloud securityCloud security
Cloud security
 
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response HeadersUSENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
USENIX CollSec 2010 - Conundrum of Declarative Security in HTTP Response Headers
 
voice
voicevoice
voice
 
Week13presentation
Week13presentationWeek13presentation
Week13presentation
 
Wireless Security, Firewall,Encryption
Wireless Security, Firewall,EncryptionWireless Security, Firewall,Encryption
Wireless Security, Firewall,Encryption
 
Network Security Certification
Network Security CertificationNetwork Security Certification
Network Security Certification
 
Data Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallData Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed Firewall
 

Andere mochten auch

The Social Web & Your Library
The Social Web & Your LibraryThe Social Web & Your Library
The Social Web & Your LibraryBobbi Newman
 
2013 Enterprise Strategy Outlook
2013 Enterprise Strategy Outlook2013 Enterprise Strategy Outlook
2013 Enterprise Strategy OutlookMiha Kralj
 
Kory's Project: Marshes
Kory's Project: Marshes Kory's Project: Marshes
Kory's Project: Marshesbarryrbarber
 
Day 1 2nd_weekcris
Day 1 2nd_weekcrisDay 1 2nd_weekcris
Day 1 2nd_weekcriscristiarnau
 
Is South Africa behind the enterprise cloud curve?
Is South Africa behind the enterprise cloud curve?Is South Africa behind the enterprise cloud curve?
Is South Africa behind the enterprise cloud curve?Brian Pinnock
 
Saved (Part 1)
Saved (Part 1)Saved (Part 1)
Saved (Part 1)jzatko
 
10 11 induction slides
10 11 induction slides10 11 induction slides
10 11 induction slidesBoyd Kassandra
 
Social Media In the Workplace
Social Media In the WorkplaceSocial Media In the Workplace
Social Media In the WorkplaceSimon Young
 
Time management, Portent-style
Time management, Portent-styleTime management, Portent-style
Time management, Portent-styleIan Lurie
 
Risk Management on Banking
Risk Management on BankingRisk Management on Banking
Risk Management on Bankinghamsta
 
How to Sell Social Media to the C Suite _ Shashi Bellamkonda
How to Sell Social Media to the C Suite _ Shashi BellamkondaHow to Sell Social Media to the C Suite _ Shashi Bellamkonda
How to Sell Social Media to the C Suite _ Shashi BellamkondaShashi Bellamkonda
 
The new framework
The new frameworkThe new framework
The new frameworkiansillett
 
Using GO's to Improve Student Learning
Using GO's to Improve Student LearningUsing GO's to Improve Student Learning
Using GO's to Improve Student LearningJim Ellis
 
Apresiasi NSPM Penataan Ruang (srn-ed07)
Apresiasi NSPM Penataan Ruang (srn-ed07)Apresiasi NSPM Penataan Ruang (srn-ed07)
Apresiasi NSPM Penataan Ruang (srn-ed07)Surana Ir, MSc, PU-SDA
 
Linda Rising Born To Cycle
Linda Rising Born To CycleLinda Rising Born To Cycle
Linda Rising Born To Cycledeimos
 

Andere mochten auch (20)

The Social Web & Your Library
The Social Web & Your LibraryThe Social Web & Your Library
The Social Web & Your Library
 
2013 Enterprise Strategy Outlook
2013 Enterprise Strategy Outlook2013 Enterprise Strategy Outlook
2013 Enterprise Strategy Outlook
 
Kory's Project: Marshes
Kory's Project: Marshes Kory's Project: Marshes
Kory's Project: Marshes
 
Day 1 2nd_weekcris
Day 1 2nd_weekcrisDay 1 2nd_weekcris
Day 1 2nd_weekcris
 
4th day
4th day4th day
4th day
 
Classificados da oba_2010
Classificados da oba_2010Classificados da oba_2010
Classificados da oba_2010
 
Etrange
EtrangeEtrange
Etrange
 
Is South Africa behind the enterprise cloud curve?
Is South Africa behind the enterprise cloud curve?Is South Africa behind the enterprise cloud curve?
Is South Africa behind the enterprise cloud curve?
 
Saved (Part 1)
Saved (Part 1)Saved (Part 1)
Saved (Part 1)
 
10 11 induction slides
10 11 induction slides10 11 induction slides
10 11 induction slides
 
Social Media In the Workplace
Social Media In the WorkplaceSocial Media In the Workplace
Social Media In the Workplace
 
Piano
PianoPiano
Piano
 
Time management, Portent-style
Time management, Portent-styleTime management, Portent-style
Time management, Portent-style
 
Comercio electrónico en imágenes
Comercio electrónico en imágenesComercio electrónico en imágenes
Comercio electrónico en imágenes
 
Risk Management on Banking
Risk Management on BankingRisk Management on Banking
Risk Management on Banking
 
How to Sell Social Media to the C Suite _ Shashi Bellamkonda
How to Sell Social Media to the C Suite _ Shashi BellamkondaHow to Sell Social Media to the C Suite _ Shashi Bellamkonda
How to Sell Social Media to the C Suite _ Shashi Bellamkonda
 
The new framework
The new frameworkThe new framework
The new framework
 
Using GO's to Improve Student Learning
Using GO's to Improve Student LearningUsing GO's to Improve Student Learning
Using GO's to Improve Student Learning
 
Apresiasi NSPM Penataan Ruang (srn-ed07)
Apresiasi NSPM Penataan Ruang (srn-ed07)Apresiasi NSPM Penataan Ruang (srn-ed07)
Apresiasi NSPM Penataan Ruang (srn-ed07)
 
Linda Rising Born To Cycle
Linda Rising Born To CycleLinda Rising Born To Cycle
Linda Rising Born To Cycle
 

Ähnlich wie RFC 7435 - Opportunistic security - Some protection most of the time

Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocolKirti Ahirrao
 
Fortinet vs Instasafe Zero Trust - A Comparative Guide
Fortinet vs Instasafe Zero Trust - A Comparative GuideFortinet vs Instasafe Zero Trust - A Comparative Guide
Fortinet vs Instasafe Zero Trust - A Comparative GuideInstaSafe Technologies
 
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2Olle E Johansson
 
Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhyasandeepsandy75
 
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docxvickeryr87
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...IJNSA Journal
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...IJNSA Journal
 
2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)geeksec80
 
Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...Alexander Decker
 
Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...Alexander Decker
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
A depth detail about vpn security
A depth detail about vpn securityA depth detail about vpn security
A depth detail about vpn securityEric Fedewa
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLVULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLcscpconf
 

Ähnlich wie RFC 7435 - Opportunistic security - Some protection most of the time (20)

Application layer security protocol
Application layer security protocolApplication layer security protocol
Application layer security protocol
 
Fortinet vs Instasafe Zero Trust - A Comparative Guide
Fortinet vs Instasafe Zero Trust - A Comparative GuideFortinet vs Instasafe Zero Trust - A Comparative Guide
Fortinet vs Instasafe Zero Trust - A Comparative Guide
 
PACE-IT: Networking Services and Applications (part 1) - N10 006
PACE-IT: Networking Services and Applications (part 1) - N10 006PACE-IT: Networking Services and Applications (part 1) - N10 006
PACE-IT: Networking Services and Applications (part 1) - N10 006
 
Firewalls
FirewallsFirewalls
Firewalls
 
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
 
Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhya
 
Lecture 07 networking
Lecture 07 networkingLecture 07 networking
Lecture 07 networking
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
 
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
2.· Unshielded Twisted Pair (UTP) Cables· Shielded Twisted Pai.docx
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
 
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
RESOLVING NETWORK DEFENSE CONFLICTS WITH ZERO TRUST ARCHITECTURES AND OTHER E...
 
2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)2012 04-16-ultrasurf-analysis (2)
2012 04-16-ultrasurf-analysis (2)
 
Firewalls
FirewallsFirewalls
Firewalls
 
Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...
 
Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...Performance evaluation of network security protocols on open source and micro...
Performance evaluation of network security protocols on open source and micro...
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
A depth detail about vpn security
A depth detail about vpn securityA depth detail about vpn security
A depth detail about vpn security
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLVULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOL
 

Mehr von Olle E Johansson

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Olle E Johansson
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handlingOlle E Johansson
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Olle E Johansson
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTNOlle E Johansson
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019Olle E Johansson
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffOlle E Johansson
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack networkOlle E Johansson
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2Olle E Johansson
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Olle E Johansson
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolOlle E Johansson
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)Olle E Johansson
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Olle E Johansson
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldOlle E Johansson
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Olle E Johansson
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIPOlle E Johansson
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6Olle E Johansson
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Olle E Johansson
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreOlle E Johansson
 

Mehr von Olle E Johansson (20)

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTN
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuff
 
Kamailio on air
Kamailio on airKamailio on air
Kamailio on air
 
Webrtc overview
Webrtc overviewWebrtc overview
Webrtc overview
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack network
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
 

RFC 7435 - Opportunistic security - Some protection most of the time

  • 1. Opportunistic Security according to the IETF Quotes from RFC 7435 by Viktor Dukhovni RFC Copyright: Copyright (c) 2014 IETF Trust and
 the persons identified as the document authors. All rights reserved.document authors. All rights reserved. 2015-03-01 v1.3/oej
  • 2. Editor note These are just my selected quotes from the RFC, to inspire you to read the full text. @oej | oej@edvina.net
  • 3. Definition “Protocol designs based on Opportunistic Security 
 use encryption even
 when authentication is not available, 
 and use authentication when possible, thereby removing barriers to the widespread use of encryption on the Internet.” ENCRYPTION AUTHENTICATION Encryption provides
 confidentiality. Authentication provides
 identity.
  • 4. ALL or NOTHING “Historically, Internet security protocols have emphasized comprehensive "all or nothing" cryptographic protection against both passive and active attacks.” “As a result, operators often disable these security protocols when users have difficulty connecting, thereby degrading all communications to cleartext transmission.” “With each peer, such a protocol achieves either full protection or else total failure to communicate (hard fail).” FULL PROTECTION TOTAL FAILURE CLEARTEXT!!
  • 5. ALL or 
 NOTHING Can we have more options than full protection or NOTHING?
  • 6. The problem with the PKI “The Public Key Infrastructure (PKI) model employed by browsers to authenticate web servers (often called the "Web PKI") imposes cost and management burdens that have limited its use.” “With so many Certification Authorities (CAs), not all of which everyone is willing to trust, the communicating parties
 don't always agree on a mutually trusted CA.” “Without a mutually trusted CA, authentication fails, leading to communications failure
 in protocols that mandate authentication.”
  • 7. Teaching users to ignore security warnings “In Web PKI interactive applications, security warnings are all too frequent, and end users learn to actively ignore security problems, or site administrators decide that the maintenance cost is not worth the benefit so they provide a cleartext- only service to their users.” “For encryption to be used more broadly, authentication needs to be optional. The use of encryption defends against pervasive monitoring and other passive attacks.” “Even unauthenticated, encrypted communication (defined below) is preferable to cleartext.”
  • 8. A new perspective FULL SECURITY CLEARTEXT “For encryption to be used more broadly, authentication needs to be optional. The use of encryption defends against pervasive monitoring and other passive attacks.” “Even unauthenticated, encrypted communication (defined below) is preferable to cleartext.”
  • 9. Definition OPPORTUNISTIC
 SECURITY "Opportunistic Security" (OS) is defined as the use of cleartext as the baseline communication security policy, with encryption and authentication negotiated and applied to the communication when available.
  • 10. Incrementally more secure 
 To achieve widespread adoption, OS must support incremental deployment. Incremental deployment implies that security capabilities will vary from peer to peer, perhaps for a very long time. OS protocols will attempt to establish encrypted communication whenever both parties are capable of such, and authenticated communication if that is also possible. AUTHENTICATION AND ENCRYPTION CLEARTEXT ENCRYPTION
 NO AUTHENTICATION
  • 11. Incrementally more secure Thus, use of an opportunistic security protocol" may yield communication that is
 
 Authenticated and encrypted,
 ! unauthenticated but encrypted, 
 
 or cleartext. AUTHENTICATION AND ENCRYPTION CLEARTEXT ENCRYPTION
 NO AUTHENTICATION
  • 12. Voices against OS Will this make less sessions fully secure - authenticated properly? Setting up encryption without knowing who your talking with (authentication) does not lead to any confidentiality!