1
00:00:17,630 --> 00:00:23,729
okay do you hear<font color="#E5E5E5"> me</font><font color="#CCCCCC"> the drugging</font><font color="#E5E5E5"> okay</font>

2
00:00:20,970 --> 00:00:25,890
<font color="#E5E5E5">great</font><font color="#CCCCCC"> so welcome to my</font><font color="#E5E5E5"> talk I'm Dominic</font>

3
00:00:23,730 --> 00:00:27,779
<font color="#E5E5E5">and this is joint work with</font><font color="#CCCCCC"> two of my</font>

4
00:00:25,890 --> 00:00:30,210
brightest master students Fabien and

5
00:00:27,779 --> 00:00:32,668
Gregoire<font color="#CCCCCC"> and</font><font color="#E5E5E5"> yes we are looking</font><font color="#CCCCCC"> into</font>

6
00:00:30,210 --> 00:00:35,399
<font color="#CCCCCC">that</font><font color="#E5E5E5"> ATP it's a quite an old standard</font>

7
00:00:32,668 --> 00:00:37,849
box<font color="#CCCCCC"> tool</font><font color="#E5E5E5"> it's used so we got a nice</font>

8
00:00:35,399 --> 00:00:40,559
<font color="#E5E5E5">response from one of the authors of the</font>

9
00:00:37,850 --> 00:00:42,899
standard on<font color="#CCCCCC"> Twitter and yeah he's</font>

10
00:00:40,559 --> 00:00:46,620
wondering if we can can learn<font color="#E5E5E5"> something</font>

11
00:00:42,899 --> 00:00:50,219
<font color="#E5E5E5">so</font><font color="#CCCCCC"> let's</font><font color="#E5E5E5"> learn something</font><font color="#CCCCCC"> here um let's</font>

12
00:00:46,620 --> 00:00:54,328
look at the current<font color="#E5E5E5"> status of end-to-end</font>

13
00:00:50,219 --> 00:00:57,570
<font color="#E5E5E5">security and voice calls so keep in mind</font>

14
00:00:54,329 --> 00:01:00,239
<font color="#CCCCCC">end-to-end security</font><font color="#E5E5E5"> not just client</font><font color="#CCCCCC"> -</font><font color="#E5E5E5"> -</font>

15
00:00:57,570 --> 00:01:02,340
cloud provider<font color="#E5E5E5"> so public switch</font>

16
00:01:00,239 --> 00:01:05,128
telephone network<font color="#CCCCCC"> what we have is not</font>

17
00:01:02,340 --> 00:01:07,049
<font color="#E5E5E5">enter and secured</font><font color="#CCCCCC"> pretty obvious</font><font color="#E5E5E5"> then we</font>

18
00:01:05,129 --> 00:01:10,560
have the<font color="#E5E5E5"> session initiation protocol and</font>

19
00:01:07,049 --> 00:01:13,619
like RTP and<font color="#CCCCCC"> SFTP</font><font color="#E5E5E5"> it's also not</font>

20
00:01:10,560 --> 00:01:16,170
end-to-end secure by design<font color="#CCCCCC"> okay let's</font>

21
00:01:13,619 --> 00:01:19,530
go<font color="#E5E5E5"> on then we have something</font><font color="#CCCCCC"> that's</font>

22
00:01:16,170 --> 00:01:23,610
<font color="#E5E5E5">called DTLS at the</font><font color="#CCCCCC"> Datagram transport</font>

23
00:01:19,530 --> 00:01:26,189
layer security<font color="#E5E5E5"> used to exchange a secret</font>

24
00:01:23,610 --> 00:01:29,520
for<font color="#CCCCCC"> smtp that's end-to-end encryption</font>

25
00:01:26,189 --> 00:01:32,820
<font color="#E5E5E5">and then we have end-to-end encryption</font>

26
00:01:29,520 --> 00:01:37,110
and authentication that zip plus<font color="#E5E5E5"> SATP</font>

27
00:01:32,820 --> 00:01:39,539
plus let<font color="#CCCCCC"> ftp</font><font color="#E5E5E5"> and obviously for an evil</font>

28
00:01:37,110 --> 00:01:45,049
operator<font color="#E5E5E5"> it gets more</font><font color="#CCCCCC"> difficult down the</font>

29
00:01:39,540 --> 00:01:45,049
line<font color="#E5E5E5"> so we are</font><font color="#CCCCCC"> looking into this space</font>

30
00:01:46,009 --> 00:01:55,320
so<font color="#CCCCCC"> um</font><font color="#E5E5E5"> first I wanted</font><font color="#CCCCCC"> to introduce</font><font color="#E5E5E5"> like</font>

31
00:01:52,159 --> 00:01:57,600
what we did in the beginning<font color="#E5E5E5"> so if we</font>

32
00:01:55,320 --> 00:01:59,908
just<font color="#E5E5E5"> have slipped with encryption</font><font color="#CCCCCC"> olney</font>

33
00:01:57,600 --> 00:02:02,369
<font color="#CCCCCC">or on or no encryption there is a</font>

34
00:01:59,909 --> 00:02:04,469
similar<font color="#E5E5E5"> setup like this this is a pretty</font>

35
00:02:02,369 --> 00:02:06,869
simplified view with just one tip server

36
00:02:04,469 --> 00:02:09,090
<font color="#E5E5E5">but to get the point across</font>

37
00:02:06,869 --> 00:02:12,510
<font color="#CCCCCC">yes Alice and</font><font color="#E5E5E5"> Bob they're doing a call</font>

38
00:02:09,090 --> 00:02:13,710
they're using a sip server<font color="#E5E5E5"> and if you</font>

39
00:02:12,510 --> 00:02:15,390
are an evil operator

40
00:02:13,710 --> 00:02:17,460
<font color="#E5E5E5">you can do some men in the middle here</font>

41
00:02:15,390 --> 00:02:19,470
<font color="#CCCCCC">from</font><font color="#E5E5E5"> East dropping</font><font color="#CCCCCC"> it's very very simple</font>

42
00:02:17,460 --> 00:02:23,700
we did an implementation for<font color="#CCCCCC"> the server</font>

43
00:02:19,470 --> 00:02:25,710
<font color="#E5E5E5">Camarillo and so we just rewriting some</font>

44
00:02:23,700 --> 00:02:28,560
headers in<font color="#E5E5E5"> the session initiation and</font>

45
00:02:25,710 --> 00:02:30,090
redirecting the<font color="#E5E5E5"> caller from</font><font color="#CCCCCC"> Ella's</font><font color="#E5E5E5"> to</font>

46
00:02:28,560 --> 00:02:32,190
the special client that is<font color="#CCCCCC"> running</font><font color="#E5E5E5"> on</font>

47
00:02:30,090 --> 00:02:35,490
<font color="#E5E5E5">the server for</font><font color="#CCCCCC"> example the special</font>

48
00:02:32,190 --> 00:02:38,130
client takes the call<font color="#CCCCCC"> thus its own call</font>

49
00:02:35,490 --> 00:02:40,590
to Bob and then connect those<font color="#E5E5E5"> multimedia</font>

50
00:02:38,130 --> 00:02:42,960
streams and you get your eavesdropping

51
00:02:40,590 --> 00:02:47,250
<font color="#E5E5E5">or via typing so very very simple it</font>

52
00:02:42,960 --> 00:02:49,140
works<font color="#E5E5E5"> are on Bob side is it says ellos</font>

53
00:02:47,250 --> 00:02:53,760
and ellas at example.com

54
00:02:49,140 --> 00:02:57,989
so how<font color="#E5E5E5"> to protect against this this is</font>

55
00:02:53,760 --> 00:02:59,549
<font color="#E5E5E5">that</font><font color="#CCCCCC"> Ltd the same setup</font><font color="#E5E5E5"> are what the</font>

56
00:02:57,990 --> 00:03:01,410
users are<font color="#CCCCCC"> seeing is a little bit</font>

57
00:02:59,550 --> 00:03:03,030
different<font color="#E5E5E5"> there is something that</font><font color="#CCCCCC"> is</font>

58
00:03:01,410 --> 00:03:06,060
<font color="#E5E5E5">called and short of indication string</font>

59
00:03:03,030 --> 00:03:08,580
here it's pretty<font color="#E5E5E5"> small here</font><font color="#CCCCCC"> story</font><font color="#E5E5E5"> so</font>

60
00:03:06,060 --> 00:03:10,620
it's<font color="#E5E5E5"> just four characters</font><font color="#CCCCCC"> that is shown</font>

61
00:03:08,580 --> 00:03:12,270
on<font color="#E5E5E5"> the screen and</font><font color="#CCCCCC"> on the</font><font color="#E5E5E5"> other side also</font>

62
00:03:10,620 --> 00:03:14,160
four characters shown on the screen<font color="#CCCCCC"> and</font>

63
00:03:12,270 --> 00:03:16,350
<font color="#E5E5E5">Alice</font><font color="#CCCCCC"> involved need to compare these</font>

64
00:03:14,160 --> 00:03:18,450
strings<font color="#E5E5E5"> and when they're different there</font>

65
00:03:16,350 --> 00:03:20,730
<font color="#CCCCCC">is an attack so they are different there</font>

66
00:03:18,450 --> 00:03:23,450
is<font color="#E5E5E5"> an attack here this is how the</font><font color="#CCCCCC"> ITP</font>

67
00:03:20,730 --> 00:03:29,010
<font color="#CCCCCC">works from</font><font color="#E5E5E5"> your user</font><font color="#CCCCCC"> user's perspective</font>

68
00:03:23,450 --> 00:03:30,959
<font color="#E5E5E5">okay what are we doing now so that</font><font color="#CCCCCC"> a DB</font>

69
00:03:29,010 --> 00:03:33,720
<font color="#E5E5E5">is a pretty complex protocol in my</font>

70
00:03:30,960 --> 00:03:35,760
opinion and it basically<font color="#E5E5E5"> boils down to</font>

71
00:03:33,720 --> 00:03:38,190
in a DC Hellman key exchange<font color="#E5E5E5"> there's</font>

72
00:03:35,760 --> 00:03:42,239
authenticated<font color="#E5E5E5"> using these short of a</font>

73
00:03:38,190 --> 00:03:45,960
<font color="#CCCCCC">negating strings to keep this string</font>

74
00:03:42,240 --> 00:03:47,910
short<font color="#E5E5E5"> as the name suggests they are</font>

75
00:03:45,960 --> 00:03:51,780
<font color="#E5E5E5">doing a hash commitment to constrain the</font>

76
00:03:47,910 --> 00:03:53,460
<font color="#E5E5E5">tecar to just one try for call in this</font>

77
00:03:51,780 --> 00:03:56,250
paper<font color="#E5E5E5"> we</font><font color="#CCCCCC"> are doing a real world</font>

78
00:03:53,460 --> 00:03:58,890
<font color="#CCCCCC">a relation of</font><font color="#E5E5E5"> real world implementations</font>

79
00:03:56,250 --> 00:04:01,020
<font color="#E5E5E5">and we are explicitly not looking</font><font color="#CCCCCC"> into</font>

80
00:03:58,890 --> 00:04:04,500
<font color="#E5E5E5">closed networks</font><font color="#CCCCCC"> we are excluding attacks</font>

81
00:04:01,020 --> 00:04:06,690
where the<font color="#CCCCCC"> you assume that</font><font color="#E5E5E5"> the attacker</font>

82
00:04:04,500 --> 00:04:10,260
do stuff some<font color="#CCCCCC"> speechless entities we are</font>

83
00:04:06,690 --> 00:04:11,430
<font color="#E5E5E5">not doing this we assume</font><font color="#CCCCCC"> that the short</font>

84
00:04:10,260 --> 00:04:16,858
authentication strings have<font color="#CCCCCC"> been</font>

85
00:04:11,430 --> 00:04:18,840
compared correctly<font color="#E5E5E5"> okay so in the paper</font>

86
00:04:16,858 --> 00:04:20,548
we looked<font color="#E5E5E5"> into the following</font>

87
00:04:18,839 --> 00:04:22,679
implementations<font color="#E5E5E5"> there is a cure with</font>

88
00:04:20,548 --> 00:04:24,719
soft form for<font color="#CCCCCC"> IRSC sip simple for</font>

89
00:04:22,680 --> 00:04:27,930
<font color="#E5E5E5">Android there's jitsi it's a</font>

90
00:04:24,720 --> 00:04:31,710
<font color="#E5E5E5">cross-platform client we have lint sound</font>

91
00:04:27,930 --> 00:04:34,260
and we have signal so in<font color="#E5E5E5"> in the paper we</font>

92
00:04:31,710 --> 00:04:36,810
are<font color="#E5E5E5"> certain protocol tests and for non</font>

93
00:04:34,260 --> 00:04:38,670
protocol<font color="#CCCCCC"> test and in the</font><font color="#E5E5E5"> presentation I</font>

94
00:04:36,810 --> 00:04:40,910
will<font color="#E5E5E5"> just show the interesting results</font>

95
00:04:38,670 --> 00:04:44,940
<font color="#CCCCCC">and skip the rest</font>

96
00:04:40,910 --> 00:04:49,140
<font color="#E5E5E5">okay so let's dive deep down into that</font>

97
00:04:44,940 --> 00:04:52,560
<font color="#CCCCCC">FTP</font><font color="#E5E5E5"> this is an extremely simplified view</font>

98
00:04:49,140 --> 00:04:55,370
of<font color="#E5E5E5"> that ATT so there</font><font color="#CCCCCC"> see</font><font color="#E5E5E5"> is much longer</font>

99
00:04:52,560 --> 00:04:57,690
<font color="#E5E5E5">so if you</font><font color="#CCCCCC"> if you look into it there is</font><font color="#E5E5E5"> a</font>

100
00:04:55,370 --> 00:04:59,700
on the left side<font color="#E5E5E5"> we</font><font color="#CCCCCC"> have</font><font color="#E5E5E5"> the responder</font>

101
00:04:57,690 --> 00:05:01,230
on<font color="#CCCCCC"> the right side the initiator they're</font>

102
00:04:59,700 --> 00:05:02,880
exchanging<font color="#E5E5E5"> some hello messages and</font>

103
00:05:01,230 --> 00:05:04,800
random values that's not that important

104
00:05:02,880 --> 00:05:08,670
what is important you can<font color="#E5E5E5"> you can find</font>

105
00:05:04,800 --> 00:05:10,380
<font color="#CCCCCC">the diffie-hellman here so P</font><font color="#E5E5E5"> VI is the</font>

106
00:05:08,670 --> 00:05:13,200
public value<font color="#E5E5E5"> for diffie-hellman on the</font>

107
00:05:10,380 --> 00:05:16,200
<font color="#E5E5E5">initiator slide that's up there then we</font>

108
00:05:13,200 --> 00:05:18,890
<font color="#E5E5E5">have</font><font color="#CCCCCC"> PV err it's the responder is public</font>

109
00:05:16,200 --> 00:05:21,180
value and obviously they are doing a

110
00:05:18,890 --> 00:05:24,690
<font color="#CCCCCC">difficult</font><font color="#E5E5E5"> key exchange so this is like</font>

111
00:05:21,180 --> 00:05:26,610
the shared secret<font color="#E5E5E5"> we get all of this</font><font color="#CCCCCC"> on</font>

112
00:05:24,690 --> 00:05:29,370
the<font color="#CCCCCC"> initiators side and this</font><font color="#E5E5E5"> is</font><font color="#CCCCCC"> the one</font>

113
00:05:26,610 --> 00:05:33,260
on<font color="#E5E5E5"> the responder side so what's the</font>

114
00:05:29,370 --> 00:05:36,000
trick<font color="#CCCCCC"> here arm</font><font color="#E5E5E5"> it's not</font><font color="#CCCCCC"> sink it's not</font>

115
00:05:33,260 --> 00:05:38,610
yeah it's not doing this at the<font color="#E5E5E5"> same</font>

116
00:05:36,000 --> 00:05:41,250
time<font color="#CCCCCC"> they are doing a hash commitment</font><font color="#E5E5E5"> so</font>

117
00:05:38,610 --> 00:05:43,410
instead of directly<font color="#E5E5E5"> are transmitting the</font>

118
00:05:41,250 --> 00:05:46,230
public value<font color="#CCCCCC"> or the initiator is</font>

119
00:05:43,410 --> 00:05:47,850
transmitting a hash of the<font color="#CCCCCC"> publicly</font><font color="#E5E5E5"> so</font>

120
00:05:46,230 --> 00:05:50,010
you're<font color="#E5E5E5"> kind of committing to</font><font color="#CCCCCC"> the public</font>

121
00:05:47,850 --> 00:05:53,700
value<font color="#E5E5E5"> without revealing it over the</font>

122
00:05:50,010 --> 00:05:55,260
<font color="#CCCCCC">network</font><font color="#E5E5E5"> and this kind of constraints the</font>

123
00:05:53,700 --> 00:05:58,020
attacker<font color="#E5E5E5"> to just won't try in the</font>

124
00:05:55,260 --> 00:05:59,670
beginning so we don't<font color="#CCCCCC"> have</font><font color="#E5E5E5"> like an</font>

125
00:05:58,020 --> 00:06:02,219
offline<font color="#E5E5E5"> brute-force attack of edom</font>

126
00:05:59,670 --> 00:06:05,040
instead we have an online<font color="#E5E5E5"> attack of is</font>

127
00:06:02,220 --> 00:06:06,540
just one<font color="#E5E5E5"> file and in the end the</font>

128
00:06:05,040 --> 00:06:09,510
<font color="#CCCCCC">shortest indication string is kind of a</font>

129
00:06:06,540 --> 00:06:11,670
key duration of the shared secret the

130
00:06:09,510 --> 00:06:14,340
IDS<font color="#CCCCCC"> of responder and initiator and</font><font color="#E5E5E5"> the</font>

131
00:06:11,670 --> 00:06:17,430
hash of all<font color="#CCCCCC"> messages okay so</font><font color="#E5E5E5"> first thing</font>

132
00:06:14,340 --> 00:06:21,479
you<font color="#CCCCCC"> need to notice you need this check</font>

133
00:06:17,430 --> 00:06:23,970
so it's the hash<font color="#E5E5E5"> that has been committed</font>

134
00:06:21,480 --> 00:06:27,180
previously really the hash of the public

135
00:06:23,970 --> 00:06:30,470
value<font color="#E5E5E5"> that you received so this is one</font>

136
00:06:27,180 --> 00:06:33,540
of<font color="#E5E5E5"> our</font><font color="#CCCCCC"> test</font><font color="#E5E5E5"> it's very obvious test and</font>

137
00:06:30,470 --> 00:06:38,010
there's one implementation<font color="#CCCCCC"> failing it so</font>

138
00:06:33,540 --> 00:06:40,950
<font color="#E5E5E5">Lin phone didn't check this so we don't</font>

139
00:06:38,010 --> 00:06:41,480
<font color="#E5E5E5">have to be constrained to one try taker</font>

140
00:06:40,950 --> 00:06:45,170
in

141
00:06:41,480 --> 00:06:47,270
we have well I can not unlimited but we

142
00:06:45,170 --> 00:06:50,080
<font color="#CCCCCC">haven't attacker is much more</font><font color="#E5E5E5"> ruthless</font>

143
00:06:47,270 --> 00:06:53,229
capabilities and we implemented<font color="#CCCCCC"> that and</font>

144
00:06:50,080 --> 00:06:54,710
yeah it works<font color="#CCCCCC"> so there</font><font color="#E5E5E5"> are two kind of</font>

145
00:06:53,230 --> 00:06:56,900
representations of the short

146
00:06:54,710 --> 00:06:59,450
authentication string one<font color="#E5E5E5"> for 16-bit and</font>

147
00:06:56,900 --> 00:07:00,109
one for 20<font color="#E5E5E5"> bits that's shown here and</font>

148
00:06:59,450 --> 00:07:02,900
<font color="#E5E5E5">yeah</font>

149
00:07:00,110 --> 00:07:05,930
not many tries or needed to<font color="#CCCCCC"> crack this</font>

150
00:07:02,900 --> 00:07:13,489
<font color="#E5E5E5">obviously this has been</font><font color="#CCCCCC"> fixed and in</font>

151
00:07:05,930 --> 00:07:15,320
phone okay so next<font color="#E5E5E5"> attack</font><font color="#CCCCCC"> so if you do</font>

152
00:07:13,490 --> 00:07:18,290
this if you Hellman key exchange will

153
00:07:15,320 --> 00:07:20,300
set FTP and<font color="#E5E5E5"> you press the confirm button</font>

154
00:07:18,290 --> 00:07:21,080
<font color="#E5E5E5">that you're short authentication string</font>

155
00:07:20,300 --> 00:07:26,270
is the right one

156
00:07:21,080 --> 00:07:27,680
let it be stores this inside<font color="#E5E5E5"> a cache so</font>

157
00:07:26,270 --> 00:07:30,169
the next time you do a call to the same

158
00:07:27,680 --> 00:07:31,880
<font color="#E5E5E5">person</font><font color="#CCCCCC"> you no longer</font><font color="#E5E5E5"> need to compare</font>

159
00:07:30,170 --> 00:07:35,570
short authentication strings<font color="#CCCCCC"> because you</font>

160
00:07:31,880 --> 00:07:37,730
did<font color="#E5E5E5"> in the</font><font color="#CCCCCC"> first call this is stored</font>

161
00:07:35,570 --> 00:07:41,450
<font color="#E5E5E5">inside the cache and next time they just</font>

162
00:07:37,730 --> 00:07:44,890
<font color="#E5E5E5">use what is inside the cache duty</font>

163
00:07:41,450 --> 00:07:48,620
duration on it so it's like similar -

164
00:07:44,890 --> 00:07:52,669
yeah like self-healing properties<font color="#CCCCCC"> okay</font>

165
00:07:48,620 --> 00:07:54,880
<font color="#CCCCCC">so um there is a special scenario here</font>

166
00:07:52,670 --> 00:07:58,220
what is<font color="#E5E5E5"> also written in the error see I</font>

167
00:07:54,880 --> 00:08:00,740
just<font color="#CCCCCC"> read result if either party</font><font color="#E5E5E5"> can't</font>

168
00:07:58,220 --> 00:08:03,620
discovers the cache mismatch<font color="#E5E5E5"> the user</font>

169
00:08:00,740 --> 00:08:05,180
agent who must who makes this discovery

170
00:08:03,620 --> 00:08:07,310
must treat this as a possible security

171
00:08:05,180 --> 00:08:09,680
then and<font color="#E5E5E5"> must alert their own you know</font>

172
00:08:07,310 --> 00:08:12,170
<font color="#CCCCCC">that there</font><font color="#E5E5E5"> is a heightened risk of an</font>

173
00:08:09,680 --> 00:08:17,540
<font color="#E5E5E5">end</font><font color="#CCCCCC"> until attack</font><font color="#E5E5E5"> so this means if I do</font>

174
00:08:12,170 --> 00:08:23,150
LS<font color="#CCCCCC"> does call</font><font color="#E5E5E5"> - both are the dish</font><font color="#CCCCCC"> secret</font>

175
00:08:17,540 --> 00:08:27,560
<font color="#CCCCCC">is safe</font><font color="#E5E5E5"> second call to</font><font color="#CCCCCC"> Bob</font><font color="#E5E5E5"> on and</font><font color="#CCCCCC"> Alice</font>

176
00:08:23,150 --> 00:08:30,890
looks into the cache and there is there

177
00:08:27,560 --> 00:08:34,820
<font color="#CCCCCC">is a cache miss mesh so this doesn't</font><font color="#E5E5E5"> fit</font>

178
00:08:30,890 --> 00:08:38,210
<font color="#E5E5E5">to the one that is used by Bob then</font>

179
00:08:34,820 --> 00:08:41,599
there is maybe a security incident here

180
00:08:38,210 --> 00:08:43,430
and there is security<font color="#E5E5E5"> warning in</font><font color="#CCCCCC"> jitsi</font>

181
00:08:41,599 --> 00:08:45,680
this is displayed here<font color="#E5E5E5"> and expected</font>

182
00:08:43,429 --> 00:08:47,689
<font color="#CCCCCC">retain shared</font><font color="#E5E5E5"> secret is missing I don't</font>

183
00:08:45,680 --> 00:08:50,420
<font color="#E5E5E5">think anybody and user would understand</font>

184
00:08:47,690 --> 00:08:54,480
<font color="#E5E5E5">what</font><font color="#CCCCCC"> is saying here but they implemented</font>

185
00:08:50,420 --> 00:08:57,689
it at<font color="#E5E5E5"> least</font><font color="#CCCCCC"> it's a must in</font><font color="#E5E5E5"> diversity</font>

186
00:08:54,480 --> 00:09:01,030
so I think<font color="#E5E5E5"> it's a questionable</font>

187
00:08:57,690 --> 00:09:03,550
requirement because n Jesus maybe just

188
00:09:01,030 --> 00:09:06,220
dismiss it<font color="#CCCCCC"> t sub simple and then</font><font color="#E5E5E5"> phone</font>

189
00:09:03,550 --> 00:09:10,560
do<font color="#CCCCCC"> not implement this and while checking</font>

190
00:09:06,220 --> 00:09:15,190
<font color="#E5E5E5">this out we found a bug in GT so</font>

191
00:09:10,560 --> 00:09:19,479
actually they not<font color="#CCCCCC"> just show this on a</font>

192
00:09:15,190 --> 00:09:21,280
case in<font color="#CCCCCC"> mismatch they also show this</font><font color="#E5E5E5"> if</font>

193
00:09:19,480 --> 00:09:24,760
there is<font color="#E5E5E5"> just one entry inside the cache</font>

194
00:09:21,280 --> 00:09:28,360
and they're<font color="#E5E5E5"> creating a second entry they</font>

195
00:09:24,760 --> 00:09:31,390
also show the flag<font color="#E5E5E5"> because yeah there</font>

196
00:09:28,360 --> 00:09:35,170
was one<font color="#CCCCCC"> missing initiation</font><font color="#E5E5E5"> of an object</font>

197
00:09:31,390 --> 00:09:37,660
here so we fixed it<font color="#CCCCCC"> so the</font><font color="#E5E5E5"> security</font>

198
00:09:35,170 --> 00:09:40,870
warning was raised for other

199
00:09:37,660 --> 00:09:42,300
<font color="#CCCCCC">participants new clients of</font><font color="#E5E5E5"> Bob so and</font>

200
00:09:40,870 --> 00:09:47,980
<font color="#E5E5E5">nobody complained</font><font color="#CCCCCC"> sue</font>

201
00:09:42,300 --> 00:09:50,620
okay<font color="#E5E5E5"> let's just so lots of tech I won't</font>

202
00:09:47,980 --> 00:09:51,940
<font color="#CCCCCC">present in the presentation that's</font><font color="#E5E5E5"> what</font>

203
00:09:50,620 --> 00:09:56,580
we call the<font color="#E5E5E5"> shared men in the middle</font>

204
00:09:51,940 --> 00:10:00,670
<font color="#E5E5E5">attack so let's consider the following</font>

205
00:09:56,580 --> 00:10:03,780
like LS bought and<font color="#CCCCCC"> Eve are friends they</font>

206
00:10:00,670 --> 00:10:08,140
know<font color="#E5E5E5"> each other they talk a lot on phone</font>

207
00:10:03,780 --> 00:10:10,480
<font color="#E5E5E5">so an elephant is to a normal phone call</font>

208
00:10:08,140 --> 00:10:11,800
they both confirm the shot of<font color="#CCCCCC"> engagement</font>

209
00:10:10,480 --> 00:10:14,290
<font color="#CCCCCC">ring</font>

210
00:10:11,800 --> 00:10:18,069
the shared secret is stored inside<font color="#E5E5E5"> the</font>

211
00:10:14,290 --> 00:10:19,480
cache<font color="#CCCCCC"> on both sides so very nice second</font>

212
00:10:18,070 --> 00:10:21,820
time they don't<font color="#E5E5E5"> need to confirm the</font>

213
00:10:19,480 --> 00:10:24,100
short vacation string then there<font color="#E5E5E5"> is a</font>

214
00:10:21,820 --> 00:10:24,610
call between<font color="#E5E5E5"> Ethan</font><font color="#CCCCCC"> Bob same thing</font>

215
00:10:24,100 --> 00:10:27,160
happens

216
00:10:24,610 --> 00:10:29,560
they both confirm the SAS everything is

217
00:10:27,160 --> 00:10:33,540
<font color="#E5E5E5">correct nice second call no need to</font>

218
00:10:29,560 --> 00:10:36,520
check SAS and<font color="#E5E5E5"> the third step</font><font color="#CCCCCC"> arm</font>

219
00:10:33,540 --> 00:10:37,630
each is no evil

220
00:10:36,520 --> 00:10:40,240
he was conducting<font color="#E5E5E5"> a man-in-the-middle</font>

221
00:10:37,630 --> 00:10:44,260
attack<font color="#E5E5E5"> like we showed</font><font color="#CCCCCC"> in the beginning</font>

222
00:10:40,240 --> 00:10:46,150
like<font color="#CCCCCC"> an evil operator</font><font color="#E5E5E5"> and it's just</font>

223
00:10:44,260 --> 00:10:49,090
placing herself in the<font color="#E5E5E5"> middle between</font>

224
00:10:46,150 --> 00:10:51,790
elephant<font color="#CCCCCC"> Bob and yeah actually it works</font>

225
00:10:49,090 --> 00:10:53,860
because there are shared secrets between

226
00:10:51,790 --> 00:10:57,270
elephant decent with leaves and Bob

227
00:10:53,860 --> 00:11:00,280
so no SAS confirmation required

228
00:10:57,270 --> 00:11:02,740
everything works and<font color="#CCCCCC"> also the zip</font>

229
00:11:00,280 --> 00:11:06,209
address is shown<font color="#E5E5E5"> on the on Ellis own</font>

230
00:11:02,740 --> 00:11:09,449
shows<font color="#E5E5E5"> Bob at example.com</font><font color="#CCCCCC"> anon</font><font color="#E5E5E5"> box shown</font>

231
00:11:06,209 --> 00:11:14,039
so what is missing<font color="#CCCCCC"> here I mean very</font>

232
00:11:09,449 --> 00:11:17,358
obvious attack<font color="#E5E5E5"> why does this work</font><font color="#CCCCCC"> so in</font>

233
00:11:14,039 --> 00:11:19,829
that<font color="#E5E5E5"> edit</font><font color="#CCCCCC"> II there is</font><font color="#E5E5E5"> no binding</font><font color="#CCCCCC"> of the</font>

234
00:11:17,359 --> 00:11:22,709
identity is used in 1080p to the<font color="#CCCCCC"> order</font>

235
00:11:19,829 --> 00:11:25,769
protocol<font color="#E5E5E5"> so they explicitly designed</font><font color="#CCCCCC"> the</font>

236
00:11:22,709 --> 00:11:29,878
<font color="#CCCCCC">TTP to work independently of</font><font color="#E5E5E5"> the session</font>

237
00:11:25,769 --> 00:11:31,769
protocol<font color="#E5E5E5"> so the the cache look up just</font>

238
00:11:29,879 --> 00:11:35,999
uses the Zetas TP ID which is<font color="#E5E5E5"> just a</font>

239
00:11:31,769 --> 00:11:42,269
random<font color="#CCCCCC"> ID it's not a good address</font><font color="#E5E5E5"> so</font>

240
00:11:35,999 --> 00:11:42,869
this just works<font color="#E5E5E5"> um so in signal there is</font>

241
00:11:42,269 --> 00:11:47,239
no cash

242
00:11:42,869 --> 00:11:49,829
you cannot confirm it<font color="#E5E5E5"> so the secure</font>

243
00:11:47,239 --> 00:11:51,839
accurate<font color="#CCCCCC"> softphone they actually</font>

244
00:11:49,829 --> 00:11:53,608
implement the<font color="#CCCCCC"> RFC</font><font color="#E5E5E5"> compliant protection</font>

245
00:11:51,839 --> 00:11:57,119
again there are<font color="#E5E5E5"> C knows about this</font>

246
00:11:53,609 --> 00:12:01,169
somehow<font color="#E5E5E5"> and</font><font color="#CCCCCC"> you can actually enter a</font>

247
00:11:57,119 --> 00:12:03,839
string for the<font color="#E5E5E5"> participants and</font><font color="#CCCCCC"> that is</font>

248
00:12:01,169 --> 00:12:07,470
stored<font color="#E5E5E5"> beside the Zetas TP ID inside the</font>

249
00:12:03,839 --> 00:12:10,259
cache and if you do a second<font color="#CCCCCC"> call</font><font color="#E5E5E5"> this</font>

250
00:12:07,470 --> 00:12:11,129
<font color="#E5E5E5">is like</font><font color="#CCCCCC"> this</font><font color="#E5E5E5"> it address its LS and this</font>

251
00:12:10,259 --> 00:12:14,879
is the z TP

252
00:12:11,129 --> 00:12:17,209
ID<font color="#E5E5E5"> so there is a mismatch</font><font color="#CCCCCC"> here but I</font>

253
00:12:14,879 --> 00:12:22,439
mean the user needs to<font color="#E5E5E5"> see this right</font>

254
00:12:17,209 --> 00:12:26,069
it's even<font color="#E5E5E5"> I mean</font><font color="#CCCCCC"> I don't think you I say</font>

255
00:12:22,439 --> 00:12:28,169
<font color="#E5E5E5">if it would do usability study I'm not</font>

256
00:12:26,069 --> 00:12:32,128
sure<font color="#CCCCCC"> people will even</font><font color="#E5E5E5"> get why they need</font>

257
00:12:28,169 --> 00:12:33,929
<font color="#CCCCCC">to enter a name here so and the other</font>

258
00:12:32,129 --> 00:12:38,659
implementations are insecure there is no

259
00:12:33,929 --> 00:12:42,419
way to to see which set a TP ID is used

260
00:12:38,659 --> 00:12:45,419
<font color="#E5E5E5">okay</font><font color="#CCCCCC"> I have some time left right that's</font>

261
00:12:42,419 --> 00:12:48,449
good so I will<font color="#CCCCCC"> do a short quiz ok</font>

262
00:12:45,419 --> 00:12:50,339
security<font color="#CCCCCC"> indicators</font><font color="#E5E5E5"> let also nice topic</font>

263
00:12:48,449 --> 00:12:52,949
we just look briefly at security

264
00:12:50,339 --> 00:12:55,949
indicators and applications we did<font color="#CCCCCC"> no</font>

265
00:12:52,949 --> 00:13:00,179
user study but just we will do now a

266
00:12:55,949 --> 00:13:03,329
short you<font color="#E5E5E5"> the study with you</font><font color="#CCCCCC"> ok so what</font>

267
00:13:00,179 --> 00:13:06,899
is n 2<font color="#CCCCCC"> n TQ left or right who's for</font><font color="#E5E5E5"> left</font>

268
00:13:03,329 --> 00:13:10,069
who's for right<font color="#CCCCCC"> ok maybe through</font><font color="#E5E5E5"> let's</font>

269
00:13:06,899 --> 00:13:13,549
first left<font color="#CCCCCC"> left-hander</font><font color="#E5E5E5"> and up for left</font>

270
00:13:10,069 --> 00:13:13,549
<font color="#CCCCCC">ok right ok</font>

271
00:13:13,620 --> 00:13:17,490
<font color="#E5E5E5">okay this was easy the students enter</font>

272
00:13:15,630 --> 00:13:20,160
into cute<font color="#E5E5E5"> if the green lock I can write</font>

273
00:13:17,490 --> 00:13:22,940
this is this is an open locks about<font color="#E5E5E5"> it's</font>

274
00:13:20,160 --> 00:13:28,110
red<font color="#E5E5E5"> so okay that that is easy</font>

275
00:13:22,940 --> 00:13:30,810
here's GT by the way okay<font color="#E5E5E5"> this is more</font>

276
00:13:28,110 --> 00:13:40,940
<font color="#CCCCCC">difficult</font><font color="#E5E5E5"> okay which one is entering</font>

277
00:13:30,810 --> 00:13:40,939
<font color="#E5E5E5">secure who is for left with four eyes</font>

278
00:13:41,630 --> 00:13:48,030
<font color="#E5E5E5">okay a yeah you can see there is a cross</font>

279
00:13:44,430 --> 00:13:50,459
inside the lock right on the top so this

280
00:13:48,030 --> 00:13:52,470
<font color="#E5E5E5">is insecure this is I mean even there is</font>

281
00:13:50,460 --> 00:13:54,990
a green icon<font color="#E5E5E5"> but that doesn't have to do</font>

282
00:13:52,470 --> 00:13:57,900
anything with security<font color="#CCCCCC"> so just the lock</font>

283
00:13:54,990 --> 00:14:02,430
<font color="#CCCCCC">I mean it's a closed lock with the cross</font>

284
00:13:57,900 --> 00:14:03,390
<font color="#E5E5E5">I don't know okay last one what is the</font>

285
00:14:02,430 --> 00:14:08,790
<font color="#E5E5E5">key what</font><font color="#CCCCCC"> is insecure</font>

286
00:14:03,390 --> 00:14:18,540
who's<font color="#CCCCCC"> for left who's for right okay what</font>

287
00:14:08,790 --> 00:14:19,620
about this yes<font color="#E5E5E5"> we will also quite</font>

288
00:14:18,540 --> 00:14:22,589
confused and we couldn't<font color="#CCCCCC"> really</font>

289
00:14:19,620 --> 00:14:24,180
reproduce<font color="#E5E5E5"> this but but we we</font><font color="#CCCCCC"> asked the</font>

290
00:14:22,590 --> 00:14:27,320
<font color="#E5E5E5">support about this and actually</font><font color="#CCCCCC"> this</font>

291
00:14:24,180 --> 00:14:29,910
says<font color="#E5E5E5"> dead now it comes the following</font><font color="#CCCCCC"> so</font>

292
00:14:27,320 --> 00:14:32,460
we have that<font color="#CCCCCC"> ATP for the voice</font>

293
00:14:29,910 --> 00:14:36,030
communication<font color="#CCCCCC"> and for the video it's</font>

294
00:14:32,460 --> 00:14:38,910
clear<font color="#E5E5E5"> it's not encrypted but there is no</font>

295
00:14:36,030 --> 00:14:42,620
voice<font color="#E5E5E5"> there is</font><font color="#CCCCCC"> no</font><font color="#E5E5E5"> like long click or</font>

296
00:14:38,910 --> 00:14:47,719
information what is for what and yes

297
00:14:42,620 --> 00:14:52,800
<font color="#E5E5E5">it's really confusing</font><font color="#CCCCCC"> okay so that's it</font>

298
00:14:47,720 --> 00:14:56,490
come<font color="#CCCCCC"> to my conclusion current status Lin</font>

299
00:14:52,800 --> 00:14:58,709
phone has been<font color="#E5E5E5"> fixed the back in</font><font color="#CCCCCC"> GT we</font>

300
00:14:56,490 --> 00:15:01,530
<font color="#E5E5E5">fix directly upstream that's what was</font>

301
00:14:58,710 --> 00:15:04,710
very very<font color="#E5E5E5"> easy</font><font color="#CCCCCC"> signal long longer</font><font color="#E5E5E5"> uses</font>

302
00:15:01,530 --> 00:15:06,900
<font color="#CCCCCC">at</font><font color="#E5E5E5"> ATP this is an independent</font><font color="#CCCCCC"> decision</font>

303
00:15:04,710 --> 00:15:09,120
of<font color="#CCCCCC"> Moxie</font><font color="#E5E5E5"> knob there's not not</font><font color="#CCCCCC"> the</font>

304
00:15:06,900 --> 00:15:13,810
influence for<font color="#CCCCCC"> our research</font><font color="#E5E5E5"> it's been</font>

305
00:15:09,120 --> 00:15:16,300
done in<font color="#E5E5E5"> parallel and</font><font color="#CCCCCC"> yen</font><font color="#E5E5E5"> for the future</font>

306
00:15:13,810 --> 00:15:18,638
yeah most apps<font color="#E5E5E5"> fall back to insecure</font>

307
00:15:16,300 --> 00:15:20,439
mode if the data<font color="#E5E5E5"> P say it and if you</font>

308
00:15:18,639 --> 00:15:24,910
<font color="#E5E5E5">think</font><font color="#CCCCCC"> about the</font><font color="#E5E5E5"> security indicators</font><font color="#CCCCCC"> I</font>

309
00:15:20,439 --> 00:15:26,230
don't<font color="#E5E5E5"> think you will notice Chapman in</font>

310
00:15:24,910 --> 00:15:29,350
the middle<font color="#CCCCCC"> tags needs to</font><font color="#E5E5E5"> be discussed</font>

311
00:15:26,230 --> 00:15:32,989
and that's it thanks

312
00:15:29,350 --> 00:15:32,989
[Applause]