BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Pentabarf//Schedule 0.3//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALDESC;VALUE=TEXT:Security devroom
X-WR-CALNAME;VALUE=TEXT:Security devroom
X-WR-TIMEZONE;VALUE=TEXT:Europe/Brussels
BEGIN:VEVENT
METHOD:PUBLISH
UID:13798@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T103000
DTEND:20230204T105500
SUMMARY:Enabling FIDO2/WebAuthn support for remotely managed users
DESCRIPTION:
Passwordless and multi-factor authentication (MFA) are becoming a trend and their usage will increase in the near future. However, most solutions target the web/online pattern or local users, leaving centralized identity management for console and POSIX system applications without those capabilities.
For the last year FreeIPA and SSSD have been working on enabling FIDO2/WebAuthn support for remotely managed users. One part of it is enabling a user stored in an LDAP server to authenticate locally to a system using a FIDO2 key. Another part is using FIDO2 authentication to obtain a Kerberos ticket. This opens a new world for organizations to tighten their security while maintaining strict control over who accesses their systems.
This talk will focus on the progress in FIDO2/WebAuthn authentication in SSSD by providing the implementation state, the solution details and a demo. Additional information on the possible expansion of the solution will also be provided.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_remote_fido/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Alexander Bokovoy":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Iker Pedrosa":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14072@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T110000
DTEND:20230204T112500
SUMMARY:FIDO beyond the browser
DESCRIPTION:FIDO security keys can be used effectively to secure access to websites and applications, rendering phishing attacks harmless with hardware-protected cryptographic keys while keeping a low-friction user experience. Security keys can, however, also be used for different use cases that don't necessarily involve a browser.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_fido_beyond/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Joost van Dijk":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14100@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T113000
DTEND:20230204T115500
SUMMARY:AMENDMENT Hardening Linux System with File Access Policy Daemon
DESCRIPTION:Are you a sysadmin and feeling paranoid? Let's promote security hardening to another level. Perhaps, with the concept of Application Whitelisting, you will be able to sleep again.
In this session we are going to harden a Linux system with a file access policy daemon: fapolicyd. This daemon enables administrators to block or allow specific applications and executables using a fine-grained policy. We will explore the daemon's capabilities and walk through its configuration. We will analyze multiple variations of setups and evaluate their security aspects. Using an altered binary, we will demonstrate how enabling integrity checking prevents a malicious attack. After the session, attendees will understand how to trace a problem and design their own policy with security in mind.
This presentation is based on a Red Hat/Fedora Linux environment.
Please note that this talk replaces one entitled "Sudo logs for Blue Teamers" that was due to have been given by Peter Czanik, who has sent his apologies but is now unable to attend as he has fallen ill. We wish him a speedy recovery.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_fapolicyd/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Radovan Sroka":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14124@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T120000
DTEND:20230204T122500
SUMMARY:Elliptic curves in FOSS
DESCRIPTION:Since the first implementation of elliptic curves over finite fields for GnuPG and the implementation in OpenSSL of curves over finite and binary fields, back in the 2000s, much has happened around this mathematical construction. To name only a few examples, we have witnessed the birth and death of certain isogeny-based schemes and the search for algorithms that resist quantum computing.
We moved from the NIST curves in P1363 to the Edwards variety, and there is a recent proposal for Double-odd curves. So the assortment is growing, but we need to squeeze more out of them: for each new curve, all users always share the same group. This talk will review the path walked so far and evaluate the progress in implementing the Double-odd Jacobi Quartic in Libgcrypt and GnuPG.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_elliptic_curves_in_foss/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Sergi Blanch-Torné":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:13606@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T123000
DTEND:20230204T125500
SUMMARY:OpenSSL in RHEL: FIPS-140-3 certification
DESCRIPTION:A key feature of OpenSSL 3.0 was FIPS-140-2 certification. As FIPS-140-2 is sunsetting, we had to patch OpenSSL significantly to make it FIPS-140-3 capable.
The presentation briefly describes the major changes in the OpenSSL 3.0 architecture, what happened to the good old API and why one has to deal with the new one, the provider concept, and the changes necessary to match the new standard.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_fips_in_openssl/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Dmitry Belyavskiy":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14044@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T130000
DTEND:20230204T132500
SUMMARY:Kerberos PKINIT: what, why, and how (to break it)
DESCRIPTION:The Kerberos PKINIT extension replaces password authentication with X.509 PKI. This brings some advantages but also new risks. This presentation explains and demonstrates how PKINIT works, and presents a novel attack against FreeIPA's PKINIT implementation.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_kerberos_pkinit/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Fraser Tweedale":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:13986@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T133000
DTEND:20230204T135500
SUMMARY:Remote Attestation with Keylime
DESCRIPTION:In various scenarios, it is necessary to attest the integrity of a remote machine, making sure that the system was booted securely, essential files were not modified and only allowed software is executed. For this purpose, we present Keylime as a remote attestation solution. It leverages the trust from the Trusted Platform Module (TPM) in combination with UEFI Measured Boot and the Linux Kernel Integrity Measurement Architecture (IMA), which are probably available on your system today. We will present how Keylime works and real-world applications for remote attestation.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_keylime/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Anderson Sasaki":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Thore Sommer":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14084@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T140000
DTEND:20230204T142500
SUMMARY:AMENDMENT Hybrid Public Key Encryption in PQ world?
DESCRIPTION:Hybrid Public Key Encryption is a new standard which was finalized in February 2022. It uses asymmetric encryption to transfer a symmetric key between two participants, which is then used to encrypt the communication. The standard itself is not post-quantum resistant. The presentation explains how to make it post-quantum resistant.
Please note that this is a late addition to the schedule and the programme, because Naveen Srinivasan, the presenter of the previously selected talk "How do you trust your open source software?", was unable to attend at the last minute.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_hpke_pq/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Norbert Pócs":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14255@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T143000
DTEND:20230204T145500
SUMMARY:Where does that code come from?
DESCRIPTION:You clone a Git repository, then pull from it. How can you tell its contents are “authentic”—i.e., coming from the “genuine” project you think you’re pulling from? With commit signatures and “verified” badges ✅ flourishing, you’d think this has long been solved—but nope! This is in essence the problem GNU Guix, as a software deployment tool and GNU/Linux distribution, had to solve, as we will see in this talk.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_where_does_that_code_come_from/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Ludovic Courtès":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:13929@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T150000
DTEND:20230204T152500
SUMMARY:Whom Do You Trust?
DESCRIPTION:The level of privacy awareness once reserved for messaging applications is reaching other forms of online collaboration such as office suites. Many companies, including "big tech", claim that their platforms enable users to privately collaborate. However, the definition of what privacy actually means varies widely. While there is no way to verify claims made about proprietary software, the impact on users is very tangible.
CryptPad is an end-to-end encrypted open source collaboration suite. It seeks to reconcile collaboration and privacy. Users make changes to documents and these are encrypted by their client (web browser) before being sent to the server for real-time synchronization. In this talk I will detail CryptPad's privacy definition and introduce the assumed threat model of an honest-but-curious server. While users have to trust the server to not actively attack their privacy, they can nevertheless protect themselves against a passively sniffing server. I will show why end-to-end encryption is not enough, but must be combined with open source to achieve reasonable privacy in this model.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_whom_do_you_trust/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Theo von Arx":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14190@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T153000
DTEND:20230204T155500
SUMMARY:IntelOwl Project
DESCRIPTION:Intel Owl is an Open Source Intelligence (OSINT) solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and a lot of cutting-edge malware analysis tools. It is for everyone who needs a single point to query for info about a specific file or observable. This Lightning Talk will guide the audience through how this software works and how it can be leveraged by security analysts to save time and optimize their work during their day-to-day activities.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_intelowl/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Matteo Lodi":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:14136@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T160000
DTEND:20230204T162500
SUMMARY:What Does Rugby Have To Do With Sigstore?
DESCRIPTION:Cosign, Fulcio and Rekor are all components in keyless signing with Sigstore. Each piece has its responsibility to provide a smooth developer experience for container signing. How does it all work together to complete that complicated dance to tie identity to cryptographic signatures? And what's more cryptic than rugby? In this talk, James and Lewis will educate attendees about Sigstore and container signing using examples from the best sport in the world, rugby. If you're interested in learning more about Sigstore and what a hooker does, this talk is for you.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_rugby_sigstore/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="James Strong":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Lewis Denham-Parry":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:13933@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T163000
DTEND:20230204T165500
SUMMARY:How to protect your Kubernetes cluster using Crowdsec
DESCRIPTION:The CrowdSec project aims at providing a crowdsourced approach to common infrastructure defense problems by distributing free and open-source software that allows you to protect yourself and share information about malevolent actors.
In this presentation, we will:
Current developments in the field of quantum computer science pose a growing threat to the cryptographic algorithms used today, for example in secure Voice over IP and instant messaging applications. Although such a quantum computer has not yet been officially announced, some governments recommend protecting data against this type of attack by 2030. Encrypted data shared today could be stored and decrypted soon thanks to this breakthrough innovation.
In 2017, the National Institute of Standards and Technology (NIST) launched an international competition to standardise "post-quantum algorithms". Such algorithms are expected to be resilient to an attack mounted with a general-purpose quantum computer. They are meant to replace, in the long term, the algorithms used today in many secure protocols relying on cryptographic key exchange mechanisms. As of today, the Linphone application is most likely the first open source communication software in the world to have implemented CRYSTALS-Kyber, the NIST finalist algorithm in the encryption key category. One of the key steps: the development of a modified version of the standardized ZRTP encryption protocol.
A few challenges we have taken on:
Reach the same level of effectiveness even if cryptographic keys are much larger
Remain resilient to classic attacks
Be interoperable with encryption features offered by previous versions
The different steps that have been carried out:
Integration of KEM in the ZRTP protocol: creation of a modified version of ZRTP that accepts a Key Encapsulation Mechanism as its key exchange algorithm
Hybridisation: design of an encryption engine combining a classic (EC)DH and a post-quantum key exchange. Modification of the ZRTP protocol so that it can negotiate two different key exchange algorithms at the same time and securely combine their results.
Fragmentation: addition of a mechanism to fragment ZRTP packets
Integration in Linphone of this new ZRTP library with post quantum capacities and of configuration settings to activate/deactivate the post quantum mode
Building of performance tests
Computer attacks occur in a constantly changing environment. To meet these challenges, it is necessary to implement a global approach to risk management within the organization.
Mapping the information system gives a global view of all the elements that compose it, which brings better readability and thus better control.
Building such a map contributes to the protection, defense and resilience of the information system. It is an essential tool for controlling the information system, it is an obligation for Operators of Vital Importance (OVI), and it is part of a global risk management approach.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_mercator/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Didier Barzin":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:13941@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T180000
DTEND:20230204T182500
SUMMARY:Hardware-backed attestation in TLS
DESCRIPTION:Authentication among distributed workloads is a critical yet complex task. PKI-based authentication relies heavily on software to anchor the trustworthiness of workloads, therefore failing to reliably convey the security state of the workload in the face of impersonation and persistent attackers. This is most apparent in cases where the underlying platform is particularly exposed and out of the control of the owner, such as in cloud computing and IoT. Hardware features have thus been introduced to enable remotely verifiable “trust metrics” using attestation. Such hardware-backed features provide a cryptographic proof of the software stack, and strong guarantees that the cryptographic keys used by the workload are properly protected from exfiltration. However, remote attestation comes with its own need to share and verify metadata, which must be engineered into existing software. While the protocol used to exchange this metadata is largely irrelevant to the actual attestation procedure, its positioning in the networking stack can enable specific use-cases and enhance the performance of the entire system. An appealing approach is to allow the creation of secure channels (such as TLS connections) using attestation metadata as the authentication mechanism. Current designs either rely on running an attestation protocol on top of an existing secure channel, or modify the semantics of certificates to convey attestation information when establishing the secure channel.
Our work focuses on standardising attestation metadata as first-class credentials in TLS. This new approach allows native, opaque metadata to be conveyed for authentication during the TLS handshake instead of (or together with) x509 certificates. Supporting flexibility in deployments without compromising on security has been a prime goal. Thus, we aim to cater to interaction models in which either the client, the server, or both can attest themselves, leveraging any hardware backend, and using different verification topologies. To showcase the standardisation effort, we are also developing an open-source, end-to-end proof-of-concept implementation of one of the interaction models supported. The PoC builds on top of two Linux Foundation projects – Parsec to abstract the root of trust attestation primitives, and Veraison to consume and verify the new evidence formats – and modifies mbedTLS to support a subset of the newly defined TLS extensions. As a hardware root of trust, the proof of concept is currently using a TPM2.0, with support for others being considered.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_hw_backed_attestation/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Ionuț Mihalcea":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:13753@FOSDEM23@fosdem.org
TZID:Europe-Brussels
DTSTART:20230204T183000
DTEND:20230204T185500
SUMMARY:Demystifying StackRox
DESCRIPTION:StackRox integrates with every stage of the container lifecycle: build, deploy, and runtime. It can monitor, scan, and prevent the execution of vulnerable code and container images across multiple clusters of almost any Kubernetes flavor, all from a single control plane. It plays a large role in the supply chain security pattern by providing continuous scanning via CI/CD pipelines and integration with image registries, so that vulnerable and misconfigured container images can be remediated within the same developer environment, with real-time feedback and alerts.
At the end of this session, users will have a fair knowledge of:
- How StackRox, in a cloud-native way, can help to observe, analyze and react on 1:N Kubernetes clusters with minimal human effort (1: Control Plane, N: Secured Kubernetes Clusters)
- How teams can reduce operational overhead and streamline security practices in large-scale environments.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Security
URL:https://fosdem.org/2023/schedule/2023/schedule/event/security_stackrox/
LOCATION:UA2.118 (Henriot)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Rutvik":invalid:nomail
END:VEVENT
END:VCALENDAR