cybersecurity and internet governance
Post on 05-Apr-2017
Cybersecurity and Internet Governance
Kenny Huang, Ph.D. (黃勝雄)
Executive Council, APNIC (Board Director, Asia Pacific Network Information Centre)
Author, RFC 3743, IETF
Keynote, SITCON, 18 Mar 2017
huangksh@gmail.com
Internet Governance Definition
IG Definition @ WSIS Tunis 2005: The development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.
Internet Governance Layers
Telecom infrastructure (cable, wireless, ...)
Protocols, standards and services (DNS, TCP/IP, SSL...)
Content and applications (HTML, FTP, XML)
Source: Diplo
IG Concepts in ARPANET – Technology Track
1969, 1983
✓ System requirements
✓ Standardization
✓ Entity for managing technical standards
RFC 01, RFC 03
IETF Working Group
Steve Crocker
RFC 883
RFC 882
✓ Domain name concept
✓ Tree hierarchy
✓ DNS operation
1984
RFC 1035
RFC 1034
✓ DNS delegation
✓ ccTLD, gTLD
✓ Single Root
1987, 1994
ISC: Paul Vixie
BIND
UC Berkeley
Jon Postel acted as RFC Editor 1969-1998
IG Concepts in ARPANET – Registry Track
1969
HOSTS.TXT (one "hostname, IP address" entry per line)
SRI (Stanford Research Institute) maintained HOSTS.TXT
Jon Postel managed the Assigned Number List
Copy to other sites
1981
✓ Names
✓ Numbers
✓ Critical Internet Resources
✓ Registry operation
✓ Uniqueness of name – Single Internet
IG Concepts for Architecture and Authority
1969, 1987, 1988, 1998
RFC 1035
RFC 1034
18 Sep 1998 established
16 Oct 1998 passed away
Root Zone Operator
✓ Execute IANA functions
✓ Root zone governance
✓ TLD legal issue
The IANA functions manage protocol parameters, Internet number resources and domain names. ICANN performs these functions on behalf of the global Internet community.
Root DNS, Anycast Root (Sources: ICANN, RIPE)
IETF48 Root Server Operators' statement (1998 Dec)
✓ Operate reliably, for the common good of the Internet
✓ Recognize IANA as the source of the root data
✓ Invest sufficiently to ensure responsible operation
✓ Facilitate the transition, when needed and with proper notice
✓ Recognize the other root server operators
✓ Multistakeholder
✓ Recognize IANA
✓ Single Internet
✓ Internet as public good
IG Concepts for Number Community
1992, 2001, 1993, 1997, 2005
✓ Multistakeholder Model
✓ Self regulation
✓ Member voting right
✓ IP address allocation
✓ Policy development process
1999
✓ ASO ICANN Board selection
✓ Global address policy
✓ Accountability
✓ Transparency
✓ Governance
✓ Finance
✓ Policy
Critical Information Infrastructure (CII)
Internet Numbering Architecture
Internet Naming Architecture
✓ Critical Information Infrastructure Protection
Source: http://www.savetheinternet.eu
Net Neutrality
The principle that Internet service providers should enable access to all content and applications regardless of the source, and without favoring or blocking particular products or websites.
ISP blocking and tiering cases
2004: ISP Madison River blocking Vonage's VoIP services
2006: ISP AOL blocked access to www.dearaol.com
2007: ISP Comcast blocked BitTorrent
2008: ISP Tele2 blocked access to thepirateboy.com
2009: IPRED law to monitor all Swedish web traffic
2010: Italian ISPs block access to PirateBoy
Source: Telesperience
ISP Traffic Engineering Technique: Traffic discrimination is necessary as a routine part of network management
Degree of Enforcement
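Full Neutrality: The network must be completely neutral, with no discrimination of any kind; packets are forwarded on a first-come, first-served (FCFS) basis. Main proponents include the scholar Susan P. Crawford (Cardozo Law School; former FCC chair).
Allow discrimination based on type of data: This position holds that network data has differing service requirements, for example with respect to packet latency or jitter. ISPs may differentiate treatment according to the characteristics of the application service. Main proponents include the scholar Tim Wu (Columbia University Law School).
Individual prioritization without throttling or blocking: ISPs hold that, as long as traffic is not blocked and no congestion is caused, they may prioritize traffic according to different service or customer needs. Main proponents include Comcast and AT&T.
No direct enforcement: Many countries have no net neutrality law but can regulate by reference to other laws, such as competition law. Before the US had net neutrality rules, the FCC likewise issued regulatory orders by reference to reasonable market practice.
ISP market competition: In the US Comcast/Netflix case, the main reason the court ruled that Comcast had violated net neutrality was that most Internet users have only a single provider to choose from for broadband (25 Mbps) service. In that situation, discriminatory treatment by an ISP is enough to affect market competition, so broadband ISPs bear a greater responsibility to keep their service neutral and to avoid harming the interests of Internet users.
✓ Improve connectivity
✓ Neutral Internet exchange and peering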
CERT (Computer Emergency Response Team)
✓ CERT was first used in 1988 by the CERT Coordination Center at CMU. CERT and CSIRT (computer security incident response team) are used interchangeably.
✓ FIRST (Forum of Incident Response and Security Teams) is the global association of CSIRTs
✓ APCERT established 2003. Annual events include (1) AGM (2) APCERT Drill
✓ Allocation and assignment of three sets of unique identifiers of the Internet: domain names, IP addresses, and protocol parameters
✓ Operation and evolution of the DNS root name server system
✓ Policy development reasonably and appropriately related to these technical functions
✓ Multistakeholder
✓ Accountability
✓ Transparency
✓ Governance
✓ Finance
✓ Policy
UN IG Initiatives – Political Track
2003, 2006, 2005, 2010
✓ Multistakeholder
✓ Multilateral
✓ Inclusion
✓ Sustainability
2015
Technical Topics
✓ Critical Internet resources
✓ Capacity building
✓ Security
✓ Access
✓ Internationalization
IANA Stewardship Transition
Before 1 Oct 2016: US Gov. NTIA (contracted) → ICANN (perform IANA functions) → APNIC; Audit & Review
After 1 Oct 2016: 5 RIRs (APNIC) (contracted) → ICANN (perform IANA functions) → APNIC; Audit & Review
Goals of Information Security
Confidentiality: prevents unauthorized use or disclosure of information
Integrity: safeguards the accuracy and completeness of information
Availability: authorized users have reliable and timely access to information
ISO 27001
ISO 27001 – a globally recognized standard that provides a best practice framework for addressing the entire range of cyber risks
✓ People, processes, technology
✓ Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security to achieve business objectives
Key elements of implementing ISO 27001
✓ Determine the scope of the ISMS
✓ Consider the context of the organization and interested parties
✓ Appoint a senior individual responsible for information security
✓ Conduct a risk assessment – identify risks, threats, and vulnerabilities
✓ Appoint risk owners for each of the identified risks
✓ Implement appropriate policies and procedures
✓ Conduct staff training
✓ Conduct an internal audit
✓ Implement continual improvement of the ISMS
Layered Defence
1. information security policy
2. awareness and training
3. backups and continuity
4. physical security
5. authentication
6. access controls
7. monitoring
8. firewalls and filtering
9. encryption
10. anti-malware
11. threat intelligence
12. audit and review
13. cyber insurance
DDoS 2005: N x Gbps. Source: thousands of devices
DDoS 2017: N x Tbps. Source: millions of devices
[Chart: DDoS attack size, axis from 0 to 1400 Gbps]
DDoS As A Service
Source: tripwire, May 26 2016
400,000 Bots for Rent
Source : bleepingcomputer, Nov 24 2016
Operation of a DDoS attack
[Diagram: attacker computers and real users reach the target servers over the Internet; the target servers run out of resources: SERVICE OFFLINE]
Protection: Technology vs. Insurance
FIRST PARTY COVERAGE
✓ damage to digital assets
✓ business interruption
✓ cyber extortion
✓ privacy breach expenses
THIRD PARTY COVERAGE
✓ privacy liability
✓ network security liability
✓ internet media liability
✓ regulatory liability
✓ contractual liability
Cyber Liability Insurance is inexpensive, effective coverage. Coverage limits starting at $100,000 with annual premiums starting as low as $250
1. Key companies include: AIG, Marsh, Allianz
2. False sense of security
3. Growth of market and risk will increase insurance premium
1. Greater protection from threats
2. Insurance driving implementation of technology solutions to comply with policy requirement
Cyber War Case - Afghanistan
• Two-way cyber war measures
• Cyber offensive capability
• Cyber dependence: degree to which a nation relies upon cyber-controlled systems
• Cyber defensive capability
• "We have the most bandwidth running through our society and are more dependent on that bandwidth. We are the most vulnerable." – former Admiral McConnell.
• Afghanistan 2001
• The US had prepared a cyber war plan, but there were no targets for its cyber warriors, which gave Afghanistan an advantage.
• If Afghanistan had had any offensive cyber capability, the cyber war would have shifted in a different way
Cyber War Case - China
• Offense vs. defense
• The US has the most sophisticated offensive capability, but that cannot make up for its weaknesses in its defensive position. Cyber defense training is offense-focused.
• China's cyber warriors are tasked with both offense and defense in cyberspace.
• China's advantages in cyber war
• Ownership: the Internet in China is like the intranet of a company. The government is the only service provider
• Censorship
• The Great Firewall of China provides security advantages
• The technology that the Chinese use to screen emails/messages provides the infrastructure to stop malware
• Installing software on all computers to keep children from gaining access to pornography gives China control over every desktop in the country.
• Critical infrastructure: for the electric power system, the US relies on automated control systems, but China requires a large degree of manual control.
Cyber War Strength
US: Cyber Offense 8, Cyber Dependence 2, Cyber Defense 1, Total 11
Russia: Cyber Offense 7, Cyber Dependence 5, Cyber Defense 4, Total 16
China: Cyber Offense 5, Cyber Dependence 4, Cyber Defense 6, Total 15
Iran: Cyber Offense 4, Cyber Dependence 5, Cyber Defense 3, Total 12
North Korea: Cyber Offense 2, Cyber Dependence 9, Cyber Defense 7, Total 18
Source: Richard Clarke, 2010
DDoS vs. Cyberwar
[Diagram: cyberwar-initiating country, Internet, DMZ, counterpart country]
1. DDoS can only attack the DMZ zone. The DMZ was built for that purpose.
2. DDoS attacks are compelling. The targets can be easily identified. This gives the enemy the advantage of increasing its defensive capability or relaxing its cyber dependence.
Cryptography
Symmetric Cryptography: Hello → encrypt → ciphertext ($7@#) → decrypt → Hello
Asymmetric Cryptography: Hello → encrypt → ciphertext (a@xf) → decrypt → Hello, with a public key exchange between A and B
Browser SSL Connection
1. Server sends a copy of its asymmetric public key
2. Browser creates a symmetric session key and encrypts it with the server's public key
3. Server decrypts the encrypted session key with its private key to get the symmetric session key
4. Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows a secure channel because only the Browser and the Server know the symmetric session key.
Symmetric key 128/256 bit (fast); PKI key 1024/2048 bit (slow)
Most secure communication systems (SSL; SSH; VPN ...) use symmetric key encryption
Public Key Infrastructure Architecture
Hierarchical PKI Architecture: CA1, CA2, CA3, CA4, Alice, Bob. Legend: certificate pointing from issuer to; root CA directly trusted by relying parties; sub-CA
Mesh PKI Architecture: CA1, CA2, CA3 with cross certificates (CA1→CA2, CA2→CA1; CA1→CA3, CA3→CA1); Alice, Bob, Charlie. Legend: certificate pointing from issuer to; trusted CA point for Alice; CA; cross certificate
Bridge PKI Architecture: Bridge CA; Doug (Finance), Bob (HR Dept), Charlie (Account), Alice
Certificate Authority vs. IG Authority
It can be done by deploying DNSSEC and DANE and giving up CAs and X.509 certificate hierarchies. A CA can issue a cert for any domain name; instead use DNSSEC and DANE
CIIP (Critical Information Infrastructure Protection)
OECD
✓ Information components supporting the critical infrastructure
✓ Information infrastructure supporting essential components of government business
✓ Information infrastructure essential to the national economy
US
Systems and assets, whether physical or virtual, so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
EU
Directive (EU) 2016/1148 ANNEX II: IXP, Root DNS, TLD Registry
ETSI Lawful Intercept Model
NWO/AP/SvP Domain (network operator / access provider / service provider): administration function; IRI mediation function; content mediation function; Network Internal Functions
IIF: internal interception function
INI: internal network interface
LEMF: Law Enforcement Monitoring Facility
HI: handover interface
HI1: administrative information
HI2: intercept related information
HI3: content of communication
IRI: intercept related information
CC: content of communication
(ETSI)
Potential Registry-LEA Implementation
[Diagram labels: Backend Operator; TLD Registry; Data Escrow Agent (ICANN approved); Contractual Compliance; Finance System; EBERO; Law Enforcement Agency; Jurisdictional Considerations; invoice; Data Escrow Alerts]
gTLD Failover Design (Kenny Huang, 2015)
Internet Routing Security - Detour
A path that originates in one country, crosses international boundaries and returns to the origin country
BGP Routing
AS4134 China Telecom
AS7018 AT&T
AS3356 Level3
AS2828 XO Comm.
AS6167 Verizon
AS22394 Verizon
Legend: Customer-Provider link; Peer-Peer link
Announcements (AS path: prefix)
3356, 6167, 22394: 66.174.161.0/24
6167, 22394: 66.174.161.0/24
22394: 66.174.161.0/24
China Telecom hijacks Verizon Wireless
AS4134 China Telecom
AS7018 AT&T
AS3356 Level3
AS2828 XO Comm.
AS6167 Verizon
AS22394 Verizon
AS22724 China Telecom
Announcements (AS path: prefix)
4134, 22724, 22724: 66.174.161.0/24
3356, 6167, 22394: 66.174.161.0/24
Apr 2010
Prefix Hijacks
China Telecom announced 50,000 prefixes (15% routes)
Pakistan Telecom hijacks YouTube
AS18174 Allied Bank
AS58467 Lahore Stock
AS18173 Aga Khan
AS3491 PCCW
AS3327 Linux Telecom
AS25462 RETN Ltd
AS36561 YouTube
AS17557 Pakistan Telecom
Announcements (AS path: prefix)
17557: 208.65.153.0/24
3491, 17557: 208.65.153.0/24
36451: 208.65.153.0/22
Feb 2008
Subprefix Hijacks
Moratel Leaks a Route to PCCW
AS23947 Moratel
AS3491 PCCW
AS4436 nLayer
AS15169 Google
Announcements (AS path: prefix)
3491, 23947, 15169: 8.8.8.0/24
15169: 8.8.8.0/24
23947, 15169: 8.8.8.0/24
Why Bother Internet Governance
Jurisdiction Law
Organization Rules
International Law / Treaty
Internet Governance: Multistakeholder, Standard, Technology, Architecture, Policy, Procedure, Best Practices, Cooperation, Coordination
IG Regime
Cybersecurity Attributes Recap
Confidentiality
• Phishing
• Packet sniffing
• Password attack
Integrity
• MITM (Man-in-The-Middle)
• IP spoofing
Availability
• DDoS
• SYN flooding
Secure Name Space - DNSSEC
root: DNSKEY root, DS .taipei
TLD: .taipei: DNSKEY .taipei, DS 101.taipei
SLD: 101.taipei: DNSKEY 101.taipei
Resolvers: user stub resolver; ISP recursive resolver
1. User makes request for a .taipei domain
2. ISP resolver verifies the root's DS key
3. Root points the ISP to the .taipei TLD and gives the ISP the .taipei DS key
4. ISP verifies .taipei's DS key
5. .taipei points the ISP to the 101.taipei SLD and gives the ISP the 101.taipei DS key
6. ISP verifies 101.taipei's SLD DS key
7. Requested SLD information is retrieved and sent back to ISP
8. ISP sends SLD information back to user
9. User accesses trusted 101.taipei domain
ICANN DNSSEC vs. Cybersecurity
Confidentiality: X
Integrity: X
Availability:
Stakeholders
1. ICANN, gTLD & ccTLD operators
2. Root operators
3. IETF
Phishing; Man-in-The-Middle
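The DS-to-DNSKEY check that a validating resolver repeats at each delegation in the steps above, as an added example that is not part of the original slides. It covers only the digest link from RFC 4034 (a full validator also verifies RRSIG signatures); the key bytes, function names and chains are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, algorithm=13):
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS record a parent zone publishes for a child key (SHA-256 digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def ds_matches(owner, rdata, ds):
    """Resolver-side check: does the child's DNSKEY hash to the parent's DS?"""
    return make_ds(owner, rdata) == ds

def first_broken_link(delegations):
    """Walk (zone, DS from parent, DNSKEY served by zone) from the top down.
    Returns the first zone whose key does not match its DS, or None."""
    for zone, ds, served_key in delegations:
        if not ds_matches(zone, served_key, ds):
            return zone
    return None

# Constructed key material: placeholder bytes, not real keys.
TAIPEI_KEY = dnskey_rdata(bytes(range(64)))
SLD_KEY = dnskey_rdata(bytes(range(64, 128)))
FORGED_KEY = dnskey_rdata(bytes(range(128, 192)))  # key served by a spoofed zone

DS_TAIPEI = make_ds("taipei.", TAIPEI_KEY)    # published in the root zone
DS_SLD = make_ds("101.taipei.", SLD_KEY)      # published in the .taipei zone

GOOD_CHAIN = [("taipei.", DS_TAIPEI, TAIPEI_KEY), ("101.taipei.", DS_SLD, SLD_KEY)]
SPOOFED_CHAIN = [("taipei.", DS_TAIPEI, TAIPEI_KEY), ("101.taipei.", DS_SLD, FORGED_KEY)]

if __name__ == "__main__":
    print("good chain breaks at:", first_broken_link(GOOD_CHAIN))
    print("spoofed chain breaks at:", first_broken_link(SPOOFED_CHAIN))
```

A substituted key for 101.taipei fails at that delegation because the DS held by .taipei no longer matches, which is the integrity property the slide marks for DNSSEC.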
Secure Internet Routing - RPKI
APNIC
Resource certificates (cert):
8.0.0/8 Level3
8.8.8.8/24 Google
66.174.0.0/16 Verizon Wireless
ROA:
66.174.0.0/24 AS22394
66.174.0.0/16 AS6167
8.0.0.0/9 AS3356
8.8.8.0/24 AS15169
RPKI: Resource Public Key Infrastructure
RIR’s RPKI vs. Cybersecurity
Confidentiality:
Integrity: X
Availability:
Stakeholders
1. RIRs (e.g. APNIC)
2. ISPs
3. IETF
4. LEA (Law Enforcement Agent)
IP spoofing; Route hijacking
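How a router would classify the announcements from the routing slides with RPKI route origin validation (RFC 6811), as an added example that is not part of the original slides. The ROA table and its maxLength values are constructed for illustration (only 8.8.8.0/24 with AS15169 appears on the ROA slide), and the YouTube /22 is written with its network address 208.65.152.0/22.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
# Assumptions for this example, not published ROAs.
ROAS = [
    ("66.174.0.0/16", 24, 22394),
    ("208.65.152.0/22", 22, 36561),
    ("8.8.8.0/24", 24, 15169),
]

def validate_origin(prefix, as_path, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the right-most AS in the path
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa_as == origin and net.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

# (prefix, AS path) pairs as shown on the slides, plus one constructed control.
ANNOUNCEMENTS = {
    "verizon_legit": ("66.174.161.0/24", [3356, 6167, 22394]),
    "china_telecom_2010": ("66.174.161.0/24", [4134, 22724, 22724]),
    "pakistan_telecom_2008": ("208.65.153.0/24", [3491, 17557]),
    "moratel_leak": ("8.8.8.0/24", [3491, 23947, 15169]),
    "no_roa": ("192.0.2.0/24", [64500]),  # constructed, documentation ranges
}

def classify_all():
    """Validation state for every sample announcement."""
    return {name: validate_origin(prefix, path)
            for name, (prefix, path) in ANNOUNCEMENTS.items()}

if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:24s} {state}")
```

The Moratel leak comes out valid because the origin AS is unchanged: origin validation flags prefix and sub-prefix hijacks but does not detect a leaked path.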
Secure Communication : Technology
RFC 7457 Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)
RFC 2409 The Internet Key Exchange (IKE)
RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
RFC 7258 Pervasive Monitoring Is an Attack
RFC 7525 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
RFC 4307 Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
Remove support for DH1024
Proposed DH1024
Proposed DH 2048
IETF Technologies vs. Cybersecurity
Confidentiality: X
Integrity: X
Availability:
Stakeholders
1. IETF
2. Developers
3. LEA (Law Enforcement Agent)
Strong cryptography; Enforced Internet encryption
Secure Internet Root
Root letters (unique IP anycast address): a b c ... k l m
Sites (unique location and BGP route): Site 1 ... Site n
Servers (internal load balancing): Host 1 ... Host n
User → Recursive resolver
Horizontal distribution: multiple letters, multiple operators
Vertical distribution: multiple sites, multiple servers
Impact of The Attack
1. The Root DNS handles the situation well
2. Resilience of the Root DNS is not an accident, but the consequence of fault tolerant design and good engineering
3. True diversity is the key to avoid collateral damage
Root vs. Cybersecurity
Confidentiality:
Integrity:
Availability: X
Stakeholders
1. Root operators
2. IETF
Divergent model; Robust and resilient infrastructure
Cybersecurity Future Evolution
NOW: Prevention 80%, Monitoring 15%, Response 5%
FUTURE: Prevention 33%, Monitoring 33%, Response 33%
Source: RSA Conference 2016 Singapore
Source: Into the Gray Zone: Active Defense by the Private Sector against Cyber Threats
Cybersecurity Phased Strategy
Defense, Diverge, Attack
Potential Cooperation for Cybersecurity and Internet Governance
Case : Crypto–Ransomware
Source : EUROPOL
French Cyber Investigator
1. Check Whois database: found in Romania
2. Traceroute: ends up in Netherlands
It's not useful
3. MLAT* from French to Romania
4. 1 month later, Romania LE goes to the indicated company
5. Scenario 1: Romania company cooperates. Found server is in Germany
5. Scenario 2: Romania company uncooperative, victim of ID theft
6. Second MLAT from French to Germany
7. 1 month later, Germany LE goes to seize the server
8. Too late!! Decryption keys have been moved to another server ..
*MLAT: Mutual Legal Assistance Treaty
LEA and RIRs Cooperation
Question?
✓ How can we ensure that IP addresses are announced in the country where they are actually registered?
✓ Can the RIR database reflect the location of an ISP handling an IP address?
Internet Policy Proposal
✓ Require registration of all IP sub-allocations to downstream ISPs so that the entire chain of sub-allocations is accurately reflected in WHOIS
✓ NOT disclose end-user information but instead focus on the downstream ISP providing connectivity to the end-user
Source : EUROPOL