Blog‎ > ‎

Google Key Distribution End-to-End & CloudFlare Keyless SSL

posted Sep 21, 2014, 4:28 AM by Sami Lehtinen   [ updated Sep 21, 2014, 4:35 AM ]
Studied: Google Key Distribution End-to-End

My comment: This tells that if they take such bad security of their systems, you shouldn't trust them with nay secrets anyway! It's common misunderstanding, that using 'strong cryptography' would turn common people into high security experts. Even if you can very securely communicate with their devices, it really doesn't mean that rest of the system or their personal behavior would be up to the required security level. Ie, software can't make things secure after all. It requires much more than that.

Keywords only: KeyDistribution High level key distribution / key discovery plans. Featured Updated Aug 15, 2014 by evn@google.com Overview Convergence and Certificate Transparency. End-to-End
Key Directory, Public Key, Identity Providers, Monitors, Revocation, Certificate Transparency, Verifiable Map, Defective, Malicious, Compromised, Transparency, verify fingerprints manually, caveats. Redundancy. To prevent this, a user could choose to register to the key directory in a way that doesn't allow key rotations (every new key must be signed by it's previous key), but it has the inconvenience of not being able to recover after losing all copies and backups of a key. Bruteforce, OpenPGP Key Blocks,

Studied: CloudFlare Keyless SSL

My comment: Doing it is not special as they claim, see PCKS #11. Nice thing otherwise. I'm sure some of the largest CDN / network operators are doing something kind of similar, but they're not marketing it as well as CloudFlare. Many of things have been done internally in many companies, but maybe they might consider it a trade secret, and not be boasting about it.

Keywords only: Keyless SSL: The Nitty Gritty Technical Details 19 Sep 2014 by Nick Sullivan. CloudFlare's Keyless SSL Transport Layer Security (TLS). Hardcore tech enthusiasts. Confidentiality and authentication. Securely communicating, symmetric encryption: strong block cipher, Authentication, public keys. Certificates, public key cryptography, technical details, web certificates, CFSSL. Secure Sockets Layer (SSL) protocol, Internet Engineering Task Force (IETF). RSA and Diffie-Hellman (DH). Modern cryptography, TLS handshake. Forward secrecy (FS, PFS), ECDSA, Elliptic curves,
elliptic curve DSA, random bytes. Nonce. “pseudorandom function”, Cipher suite, unique identifier, key establishment, hash function, Advanced Encryption Standard (AES), Cipher Block Chaining (CBC)
Secure Hashing Algorithm (SHA), Cipher Suite: “ECDHE-ECDSA-AES256-GCM-SHA384”, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), Elliptic Curve Digital Signature Algorithms (ECDSA), Galois/Counter mode (GCM), cipher suites. Server Name Indication (SNI), Key Exchange, validating, validation, session key, private key, premaster secret, Ephemeral Diffie-Hellman, modular arithmetic. Discrete logarithm, pre-master secret, security and performance, hardware security module (HSM), scale, load balancing, cryptographic oracle, X.509 Extended Key Usage, strongest ciphers available, round-trips, connection latency, persistent connections. Abbreviated handshake, session resumption, session tickets, session IDs, ID, ticket, advanced session resumption capabilities, worldwide session resumption. Keys rotated, rotating, key generator, Kyoto Tycoon. Anycast network, data center, caching, cache an encrypted, NGINX, authenticated replication. Reference implementation, persistent connections.

Thoughts after this reading & blogging keywords marathon? Well, actually Kindle creates quite sparse highlights file. So I think I'll have to write Python script which automatically parses and compacts and dedupes these dumps.