Fribid and browser security software
Formal Metadata
Number of Parts | 64
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/45891 (DOI)
FOSDEM 2011, 58 / 64
Transcript: English (auto-generated)
00:03
And even in Sweden there are three different systems that we use. So there are incompatibilities around each other. And Europe is even worse here, even more. So even more incompatibility. And unfortunately in Sweden all of them are provider.
00:22
And absolutely nothing to work on. For a total of 64-bit platforms. Okay, so we have three different EID systems in Sweden. Fribid, which is a free software project in Poland.
00:45
It's a non-stop EID system. And it solves this problem as well. Okay, so this is not exhaustive. There are much more systems in Europe. And many of them are proprietary.
01:02
We have a lot of work to do, we could say. Okay, third bank ID. This is the EID. It has a certificate. It can be a source token and it can also be a smart card. This is unlike most other systems. Most people don't use soft tokens for electronic ID.
01:23
It does some work to use cell phones for authentication. It's the same card, it can work as an ID store.
01:40
Okay, so Fribid as the official software is proprietary. Fribid is re-versioning here. It's been one year since the public release. So it's quite unstable and alpha most features are there. But for example enrollment is not implemented yet.
02:05
We have some soft tokens and smart cards. And smart cards is what is done through OpenST. You can actually use anything here. Take the information.
02:24
Fribid. You can even see it. That's something really special about that. We use the security library, crypto library. We use OpenSSL. In the beginning we used NSS actually.
02:40
But we found that it was too centric. It had a database oriented model where it's hard to use tokens that are separate from the database. For example they are on a file or on a USB stick or something. So we decided to go for OpenSSL instead. And of course we've been messy for smart card support.
03:04
It works pretty well. We also use Fribid. It's a browser plug-in. We use the Netscape plug-in API. It's a really old API from Netscape.
03:24
It works in pretty much all browsers except in the floor. So without the signature, the way you get a signature from the Minecraft software, it's really simple.
03:41
You send a mouse value and from here you want to design the plug-in. And then you call a function on it and that's where you get a confirmation window. Where you see the game casino message you want to find.
04:02
And you can also get a password and translate your token to you as well. So when this is done, you get an XML signature.
04:25
Let me ask you about the domain name and IP address. Which is probably there. IP address and domain name are probably there.
04:44
I'm in the other land, looking at phishing and so on. Otherwise it's a difficult XML signature. So this is the chain and the signature.
05:08
It's a bit more complicated. It's not that hard. It's also based on standards. It's in its name. It uses 10 than 7.
05:26
The protocol itself is all standardized. It uses some extensions to these protocols. They are not the true standards.
05:40
That has made it harder to implement in OpenSSL as well. You need to create an ASM. It is quite technical. You need to create an ASM on objects. It's a lot more special.
06:08
Did you build this? Of course it's a secret protocol. It still uses a lot of standards.
06:30
One problem here is that the server-side software is not completely available.
06:41
So testing your software. There are also, to make it even harder, there are also different implementations. You'd better generate completely the same outputs. Make everything 100% compatible.
07:01
As we deal with legally finding signatures, the only way to test things is to actually assign things. That makes debugging a bit fantastic and a bit harder. Sometimes there was a bug on a page when you registered a new business.
07:21
That's obviously something that's hard to test yourself. You need to register a new business. How many businesses do you have now? Well, as I told you, we use NSS initially.
07:44
Sorry, I should be interrupting you. We say secret protocol. Who controls that protocol? It's like a corporation of the Swedish banks. They form an organization that has created their own.
08:02
I won't tell you. No. Even if you sign an NDA? I don't know. I don't think so. They have their own client, so they want to control everything. Oh, dear.
08:23
Another very minor annoyance. This protocol is blocking JavaScript calls. That's a design in the protocol. And that means that when this sign dialogue appears, when you enter your pin, your crosswind is chosen.
08:42
We have a real argument for that. This is something we really can't do anything about. In the future, we're going to develop push. Don't use blocking calls.
09:02
To speak about the process security software in YAML. How we should make it, what we should think about. Also, we might not just want to use it for electronic identity because there are many other places.
09:23
I mean, the technology you use in the bottom is public key. You can read signatures and so on. And that can afford to use for other things. For example, an alternative to passwords, authority for session IDs, which prevent things like
09:43
to be dealing with a password database, a copy of a password, some dictionary attacks, anything like that. Of course, if this is just what you want, you can use TLS. If you just want authentication, you can use TLS,
10:03
SSL, the same thing. But then you don't get the signatures. And why do you want to see that? You probably don't know that. For example, you may want to store a signature.
10:22
You want to prove to someone a third party that it's an agreement that's in vain and so on. There's also a question of, should you see what you're signing? So this is something that actually
10:40
all EI protocols don't do. And I think all of them actually rely on the software and the computer for the software to place a message in it. And that means that if the computer gets compromised, then it will change the message. That is the place the user is treated
11:02
as he's signing something else. And that is something that's really hard to do nothing about. But if you display the message that you're signing, you can go to a place to prevent some kinds of attacks. When in the middle of the day and so on,
11:20
probably you use SSL in this case. It's still additional security because you don't have the security holes in SSL implementation protocol. One more thing that you need is time stamping. This is because the signatures need to be lost for a very long time.
11:41
Typically, it can be ten years or so. It's typically mandated by some law somewhere. The time stamping means that you're typically hashed everything you're signed on. And if you're time stamping,
12:01
and this means that if the crypto-algorithm behind the signature, if that is broken some time later, then hash will prove that the signature was made while the crypto-system was still not broken. This means that you can use
12:22
you can rely on your signature for a long time. There are two different approaches. One is more centralized. One where you use the trusted third party. You can also use certain publishing or hashes, essentially,
12:43
because it's in some place where you can verify it. Another problem is not specific to signature generation. It's not a problem of the cell.
13:01
There's no standard for doing enrollment. The generating key pairs are not standardized at all. There are some vendor-specific approaches like key and tagging and FIFOS. I think that form has some JavaScript object or something that you can use the YAML key pair in the browser.
13:20
It's mostly or it's un-stalled and it's just different approaches for each browser. This is something that would something that each of the or I think most of the EI systems back to them as well have their own solution.
13:41
We also have the question of how do you protect privacy? In some cases, you might not want to reveal your identity but you still want to be able to again turn outside. For example, you book something and you want to be able to later on book it. In this case, you of course don't want to use
14:02
normal EI loops. I don't think there's a good solution to this. There's no standing good solution. A simple solution is just a different key pair each time.
14:24
You have to use it for tokens because the hard part is you cannot allow for many different tokens. Of course, you will also want to build on if you create some new standard you will want to only implement a layer between
14:43
the web site and the CNC11 interface. You don't want to be able to you don't have to use CNC11. And that doesn't mean you can use software as well. Signature formats are not going to be
15:01
they are actually standardized. I think pretty much all of the I'm not sure all of them most of the UCM EI use XR because PICIDE is an exception you can use X1DC but for the other hand, X1DC is a
15:21
please test them too. X1C. Great. So here are some different existing for further existing software and also standards that are for specification that are in progress
15:41
and they don't have implementations yet. For example we have EIDs, PBIDs, SVID software, we also have the Wasp project which is a please not implement it yet.
16:01
The implementation Pete, is it Do you have any comments? Do you have any comments on the Wasp? On the Wasp? It's something I started a few years ago It's a suggestion for a signature
16:21
in browser. Ok. A lot of signature in browser specification. There are some that were referenced So it has a product called DPD-Auth authentication
16:41
DPD Please tend to use for signing as well and probably this is not exhaustive. So I think we were actually finished before time.
17:01
Very well. So I made a tiny URL link. This is the link to the tree that we did. So we've linked to different standards and different projects and different related things.
17:21
Ok? Questions?