path: root/overview/en.html
blob: cda9e279c7ab9a98985f14516fa8a73b3dfbbb27 (plain)
<!doctype html>
<html lang="en">
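  <head>
    <meta charset="utf-8">
    <title>Leap Encryption Access Project</title>
    <!-- The description text is German while the document declares lang="en"; it is tagged as German here rather than reworded. -->
    <meta name="description" lang="de" content="Tools für sichere Kommunikation im Netz">
    <meta name="author" content="Varac">

    <meta name="apple-mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">

    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

    <link rel="stylesheet" href="../tools/reveal.js/css/reveal.min.css">
    <link rel="stylesheet" href="../tools/reveal.js/css/theme/default.css" id="theme">

    <!-- For syntax highlighting -->
    <link rel="stylesheet" href="../tools/reveal.js/lib/css/zenburn.css">

    <!-- If the query includes 'print-pdf', use the PDF print sheet -->
    <script>
      // The print stylesheet is attached through the DOM API instead of
      // document.write(), so no markup is ever assembled from strings.
      // The query string only decides between two fixed file names; its
      // text is never copied into the URL.
      (function () {
        var sheet = /print-pdf/i.test( window.location.search ) ? 'pdf' : 'paper';
        var link = document.createElement( 'link' );
        link.rel = 'stylesheet';
        link.media = 'print';
        link.href = '../tools/reveal.js/css/print/' + sheet + '.css';
        document.getElementsByTagName( 'head' )[0].appendChild( link );
      })();
    </script>


  </head>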

  <body>
    <div class="reveal">
      <div class="slides">
        <!-- Slide: title -->
        <section>
          <h2>LEAP Encryption Access Project</h2>
        </section>

        <!-- Slide: project motto and its two goals -->
        <section>
          <h2 style="margin-bottom:1em;">Encryption should be<br>simple to provide and easy to use</h2>
          <ul>
            <li>Tools for secure network communications</li>
            <li>Decentralization of service providers</li>
          </ul>
        </section>

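        <section>
          <!-- Nested sections: reveal.js presents these as a vertical stack. One slide per "Big 7" problem follows the overview. -->
          <section>
            <h2>Crypto is Hard</h2>
            <h4 class="fragment">But wait, you said...</h4>
            <h2 class="fragment" style="line-height:1.2em">Encryption should be<br><em style="padding-right:0.2em;">simple</em> to provide and <em style="padding-right:0.2em;">easy</em> to use</h2>
            <h4 class="fragment">So...</h4>
          </section>
          <section>
            <h2>Solve the Hard Problems</h2>
            <div class="fragment">
              <h3>The “Big 7”</h3>
              <ol>
                <li>Authenticity problem</li>
                <li>Meta-data problem</li>
                <li>Asynchronous problem</li>
                <li>Group problem</li>
                <li>Resource problem</li>
                <li>Availability problem</li>
                <li>Update problem</li>
              </ol>
            </div>
          </section>
          <section>
            <h2>Authenticity problem</h2>
            <blockquote style="margin-bottom:2em;">Public key validation is very difficult for users to manage, but without it you cannot have confidentiality</blockquote>
            <!-- List items need a list parent; the bare <li> is wrapped in <ul>. -->
            <ul>
              <li class="fragment"><strong>Nicknym</strong> - auto discovery and validation of public keys, transparently!</li>
            </ul>
          </section>
          <section>
            <h2>Meta-data problem</h2>
            <blockquote style="margin-bottom:2em;">Existing protocols are vulnerable to meta-data analysis, even though meta-data is often much more sensitive than content</blockquote>
            <div class="fragment">
              <ul>
                <li>Downgrade-proof <strong>DNSSEC/DANE</strong></li>
              </ul>
              <p style="margin-top:1.1em;">With one or more opportunistic schemes:</p>
              <ul>
                <li>Auto <strong>alias pairs</strong></li>
                <li><strong>Onion routing</strong> headers</li>
                <li>Third party <strong>dropbox</strong></li>
                <li><strong>Mixmaster</strong> with signatures</li>
              </ul>
            </div>
          </section>
          <section>
            <h2>Asynchronous problem</h2>
            <blockquote style="margin-bottom:2em;">For encrypted communication, you must currently choose between forward secrecy or the ability to communicate asynchronously</blockquote>
            <div class="fragment">
              <ul>
                <li>OpenPGP vs. OTR</li>
                <li>Stop-gap: Layer forward secret transport atop OpenPGP</li>
                <li>Long term: Collaborate with others to create new encryption protocol standards</li>
              </ul>
            </div>
          </section>
          <section>
            <h2>Group problem</h2>
            <blockquote style="margin-bottom:2em;">In practice, people work in groups, but public key cryptography doesn’t</blockquote>
            <!-- Items sharing a data-fragment-index are revealed in the same step. -->
            <ul>
              <li class="fragment" data-fragment-index="1">First we...ummm</li>
              <li class="fragment" data-fragment-index="2">Interesting work in secure file backup/sync/sharing (e.g. Wuala and SpiderOak)</li>
              <li class="fragment" data-fragment-index="3">Proxy re-encryption</li>
              <li class="fragment" data-fragment-index="3">Ring signatures</li>
            </ul>
          </section>
          <section>
            <h2>Resource problem</h2>
            <blockquote style="margin-bottom:2em;">There are no open protocols to allow users to securely share a resource</blockquote>
            <ul>
              <li class="fragment" data-fragment-index="1">Yup, still got nothin' :/</li>
              <li class="fragment" data-fragment-index="2">"Read-write-web", meet ["Group problem" solution here]</li>
              <li class="fragment" data-fragment-index="2">Again, possibilities from file sync (Lazy Revocation and Key Regression)</li>
            </ul>
          </section>
          <section>
            <h2>Availability problem</h2>
            <blockquote style="margin-bottom:2em;">People want to smoothly switch devices, and restore their data if they lose a device, but this is very difficult to do securely</blockquote>
            <ul>
              <li class="fragment">Soledad - Synchronization of Locally Encrypted Documents Among Devices<br><em class="fragment">phew! we weren't out of ideas!</em></li>
            </ul>
          </section>
          <section>
            <h2>Update problem</h2>
            <blockquote style="margin-bottom:2em;">Almost universally, software updates are done in ways that invite attacks and device compromises</blockquote>
            <ul>
              <li class="fragment">Thandy (thanks, Tor!)</li>
            </ul>
          </section>
        </section>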

	<section>
          <!-- Transition slide from the problem list to what exists today -->
          <h2>So, what have you got?</h2>
        </section>

        <!-- Slide: services currently offered -->
        <section>
          <h2>Services</h2>
          <p>Encrypted Internet Proxy aka VPN</p>
          <p>Email</p>
          <p>Chat (in progress)</p>
        </section>

        <!-- Slide: services still being planned -->
        <section>
          <h2>Services in Planning</h2>
          <p>Client-Encrypted Filehosting</p>
          <p>Voip</p>
          <p>Collaborative Text Editor</p>
        </section>

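        <section>
          <!-- Vertical stack: client platforms, then a screenshot of the client -->
          <section>
            <h2>For Users</h2>
            <!-- List items need a list parent; the bare <li> is wrapped in <ul>. -->
            <ul>
              <li>Bitmask-Client for Mac OS, Linux, Android (Windows coming)</li>
            </ul>
          </section>
          <section>
            <img src="../img/de/bitmask-client-0.3.4.png" alt="Bitmask-Client" width="600" height="640">
          </section>
        </section>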

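        <section>
          <!-- Vertical stack for provider operators: goals, platform recipes, provider config, CLI, screencasts -->
          <section>
            <h2>For Providers</h2>
            <ul>
              <li>Automate Installation and Configuration of the services</li>
              <li>Secure Crypto presets (TLS parameters, etc)</li>
            </ul>
          </section>
          <section>
            <h2>leap-platform</h2>
            <p>Puppet recipes for configuring the server</p>
            <!--
              NOTE(review): points to check before reusing the snippet below as a preset.
              smtp_tls_security_level 'may' is opportunistic TLS: the Postfix SMTP client
              sends in cleartext when the peer does not offer STARTTLS, so an active
              attacker who strips the offer downgrades the session unless a stricter
              per-destination policy or DANE applies.
              smtp_tls_fingerprint_digest is set to sha1 (chosen over md5 according to
              the inline comment); confirm whether a stronger digest is available.
              smtp_tls_protocols only excludes SSLv2 and SSLv3; later protocol versions
              are left to the library defaults.
            -->
            <pre><code data-trim contenteditable>
# smtp TLS
postfix::config {
  'smtp_use_tls':        value  => 'yes';
  'smtp_tls_CApath':     value  => '/etc/ssl/certs/';
  'smtp_tls_CAfile':     value  => $ca_path;
  'smtp_tls_cert_file':  value  => $cert_path;
  'smtp_tls_key_file':   value  => $key_path;
  'smtp_tls_ask_ccert':  value  => 'yes';
  'smtp_tls_loglevel':   value  => '1';
  'smtp_tls_exclude_ciphers':
    value => 'aNULL, MD5, DES';
  # upstream default is md5 (since 2.5 and older used it), we force sha1
  'smtp_tls_fingerprint_digest':
    value => 'sha1';
  'smtp_tls_session_cache_database':
    value => 'btree:${queue_directory}/smtp_cache';
  'smtp_tls_security_level':
    value  => 'may';
  # see issue #4011
  'smtp_tls_protocols':
    value => '!SSLv2, !SSLv3';
}
            </code></pre>

          </section>
          <section>
            <h2>Provider Config</h2>
            <p>Server Layout, IPs, contact details, etc</p>
            <!--
              NOTE(review): the sample uses the reserved example.org domain but a node
              address that is not from a documentation range (RFC 5737, for instance
              192.0.2.0/24); confirm the address is a placeholder and not a live host.
              "enrollment_policy": "open" presumably lets anyone register an account;
              verify against the platform documentation before copying.
            -->
            <pre><code data-trim contenteditable>
$ cat provider.json
//
// General service provider configuration.
//
{
  "domain": "example.org",
  "name": {
    "en": "example"
  },
  "description": {
    "en": "You really should change this text"
  },
  "contacts": {
    "default": "admin@example.org"
  },
  "languages": ["en"],
  "default_language": "en",
  "enrollment_policy": "open"
}

$ cat nodes/web1.json
{
  "ip_address": "99.231.92.23",
  "services": "webapp",
  "tags": "production"
}
            </code></pre>
          </section>
          <section>
            <h2>Leap-cli</h2>
            <p>Command Line Tools for Admins</p>
            <pre><code data-trim contenteditable>
$ leap --yes deploy
 Deploying to these nodes: web1, vpn1, couch1
 = updated hiera/couch1.yaml
 = updated hiera/web1.yaml
 = checking node
   - [web1] ok
   - [couch1] ok
   - [vpn1] ok
 = synching configuration files
   - hiera/web1.yaml -> web1:/etc/leap/hiera.yaml
   - hiera/vpn1.yaml -> vpn1:/etc/leap/hiera.yaml
   - hiera/couch1.yaml -> couch1:/etc/leap/hiera.yaml
   - files/branding/tail.scss, files/branding/head.scss -> web1:/etc/leap
 = synching puppet manifests
   - /home/demo/leap/demo/leap_platform/[bin,puppet] -> web1:/srv/leap
   - /home/demo/leap/demo/leap_platform/[bin,puppet] -> vpn1:/srv/leap
   - /home/demo/leap/demo/leap_platform/[bin,puppet] -> couch1:/srv/leap
...
            </code></pre>
          </section>
          <section>
            <!--<h2>Leap-cli Screencasts</h2>-->
            <!--<li><a href="http://shelr.tv/users/524415e69660807910000021">Shelr Screencasts</a> - Setup and Installation of a Provider</li>-->
            <h2>Setting up a new Provider</h2>
            <!--
              Third-party embed. The sandbox keeps the player from navigating the top
              window, opening popups or submitting forms; allow-same-origin only gives
              the frame its own origin back, since it is cross-origin to this deck. If
              the player stops working, add further tokens one at a time.
              NOTE(review): the embed is fetched over plain http, so it can be altered
              in transit and browsers block it as mixed content when the deck itself is
              served over https. Switch to https once the host is confirmed to offer it.
            -->
            <iframe id="shelr_record_52444667966080752b000024" src="http://shelr.tv/records/52444667966080752b000024/embed" title="Screencast: setting up a new provider" width="885" height="684" scrolling="no" sandbox="allow-scripts allow-same-origin" referrerpolicy="no-referrer" style="border: 0"></iframe>
          </section>
          <section>
            <!--<h2>Leap-cli Screencasts</h2>-->
            <!--<li><a href="http://shelr.tv/users/524415e69660807910000021">Shelr Screencasts</a> - Setup and Installation of a Provider</li>-->
            <h2>Initializing and deploying nodes</h2>
            <!--
              Same sandboxing as the embed on the previous slide; the duplicated id was
              dropped because element ids must be unique within a document.
              NOTE(review): this frame points at the same record as the previous slide
              although the heading differs; confirm which recording was intended. It is
              also fetched over plain http.
            -->
            <iframe src="http://shelr.tv/records/52444667966080752b000024/embed" title="Screencast: initializing and deploying nodes" width="885" height="684" scrolling="no" sandbox="allow-scripts allow-same-origin" referrerpolicy="no-referrer" style="border: 0"></iframe>
          </section>

        </section>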

        <section>
          <!-- Vertical stack: the reference provider, then providers that have shown interest -->
          <section>
            <h2>Provider Online</h2>
            <p><a href="https://bitmask.net">Bitmask.net</a> - Reference Provider of LEAP </p>
            <p>soon to be open for beta testers</p>
          </section>

          <section>
            <h2>Interested Providers</h2>
            <ul>
              <li><a href="https://calyxinstitute.org">The Calyx Institute</a></li>
              <!--<li><a href="https://genopoly.org">Genopoly.org</a></li>-->
              <li><a href="https://riseup.net">The Riseup Collective</a></li>
              <li>...</li>
            </ul>
          </section>
        </section>

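         <section>
           <!-- Closing slide: project links. Each paragraph is now closed with its own end tag (two were closed with a stray list-item end tag). -->
           <h2>Etc</h2>
           <p>Website: <a href="https://leap.se">https://leap.se</a></p>
           <p>Github Mirror: <a href="https://github.com/leapcode">https://github.com/leapcode</a></p>
           <p>Made with <a href="https://github.com/hakimel/reveal.js">reveal.js</a></p>
         </section>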

      </div>

    </div>

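    <!-- head.min.js and reveal.min.js must load before the inline initializer below. -->
    <script src="../tools/reveal.js/lib/js/head.min.js"></script>
    <script src="../tools/reveal.js/js/reveal.min.js"></script>

    <script>
      // Full list of configuration options available here:
      // https://github.com/hakimel/reveal.js#configuration
      (function () {
        // theme and transition are read from the URL, so anyone who can hand a
        // viewer a link controls them. Both are validated before being passed on.
        var query = Reveal.getQueryHash();

        // Plain names only: no dots, slashes or other path characters.
        // NOTE(review): reveal.js presumably uses the theme name to select a
        // stylesheet under css/theme; confirm against the bundled version.
        var SAFE_THEME = /^[A-Za-z0-9_-]+$/;
        var theme = ( typeof query.theme === 'string' && SAFE_THEME.test( query.theme ) )
          ? query.theme
          : undefined;

        // Allow-list taken from the transitions named in this file.
        var TRANSITIONS = [ 'default', 'cube', 'page', 'concave', 'zoom', 'linear', 'fade', 'none' ];
        var transition = TRANSITIONS.indexOf( query.transition ) !== -1
          ? query.transition
          : 'default';

        Reveal.initialize({
          controls: true,
          progress: true,
          history: true,
          center: true,

          theme: theme, // available themes are in /css/theme
          transition: transition, // default/cube/page/concave/zoom/linear/fade/none

          // Optional libraries used to extend on reveal.js
          dependencies: [
            { src: '../tools/reveal.js/lib/js/classList.js', condition: function() { return !document.body.classList; } },
            { src: '../tools/reveal.js/plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
            { src: '../tools/reveal.js/plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
            { src: '../tools/reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },
            { src: '../tools/reveal.js/plugin/zoom-js/zoom.js', async: true, condition: function() { return !!document.body.classList; } },
            { src: '../tools/reveal.js/plugin/notes/notes.js', async: true, condition: function() { return !!document.body.classList; } }
          ]
        });
      })();
    </script>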

  </body>
</html>