Redesigning PKI to Solve Revocation, Expiration, and Rotation Problems

Presented at Black Hat USA 2017, July 27, 2017, 9:45 a.m. (50 minutes).

As the previous Director of Security at companies like Linksys, Belkin, and Wink, I learned hard lessons about the pitfalls of PKI. This was especially true on IoT devices, where the responsibility was on consumers or site managers to update and fix devices when security issues arose. I've experienced expired keys that killed device connections, private keys being accidentally dropped on consumer devices, and breaches that required replacing all keys on devices, servers, and user applications. This led me to create oneID, now called Neustar TDI, an open source framework that replaces PKI with one that has real-time revocation, key rotation, key reset/replacement, and individual identities for every device, server, service, and user. It starts with the premise that every server, service, network, device, and user will be compromised at some point, so we should start our security model with that assumption and build protection to limit the damage as much as possible. It specifically does not trust anything by default, and trust continually has to be proven, rather than trusting and then checking for revocation. It puts the SOC or NOC in control rather than the users or site managers.
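
The contrast the abstract draws (no standing trust, with every request re-proven against the current state of each identity, versus trusting a long-lived credential and checking a revocation list afterwards) can be made concrete with a small model. The Go below is an added illustration, not code from the talk or from Neustar TDI; the `Registry` and `CRLVerifier` types, the identity name `sensor-1` and the sample device message are assumptions made for the example. `Registry.Verify` looks up the identity's current Ed25519 key on every call, so a revocation or a key rotation is effective on the next message; `CRLVerifier` keeps cert-style trust plus a cached revocation list, and keeps accepting a revoked key until the cache is refreshed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is an illustrative in-memory identity registry (an assumption for
// this example, not the TDI implementation). It holds one current public key
// per identity and is consulted on every verification, so revocation and key
// rotation take effect on the very next request.
type Registry struct {
	keys map[string]ed25519.PublicKey // identity -> current key; absent = untrusted
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}}
}

// Enroll registers a new identity or replaces its key (rotation or reset).
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) { r.keys[id] = pub }

// Revoke drops the identity; nothing it signs is accepted afterwards.
func (r *Registry) Revoke(id string) { delete(r.keys, id) }

// Verify re-proves trust on every call: fetch the current key, then check the
// signature. There is no cached "already trusted" state that can go stale.
func (r *Registry) Verify(id string, msg, sig []byte) error {
	pub, ok := r.keys[id]
	if !ok {
		return errors.New("untrusted identity: " + id)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature for " + id)
	}
	return nil
}

// CRLVerifier models the conventional pattern the talk contrasts with: trust is
// granted once (like a certificate) and revocation is only noticed when the
// relying party refreshes its cached copy of the revocation list.
type CRLVerifier struct {
	trusted   map[string]ed25519.PublicKey // long-lived, cert-like trust
	authority map[string]bool              // revocations recorded at the issuer
	cached    map[string]bool              // the relying party's possibly stale copy
}

func NewCRLVerifier() *CRLVerifier {
	return &CRLVerifier{
		trusted:   map[string]ed25519.PublicKey{},
		authority: map[string]bool{},
		cached:    map[string]bool{},
	}
}

func (c *CRLVerifier) Trust(id string, pub ed25519.PublicKey) { c.trusted[id] = pub }

// RevokeAtAuthority records the revocation at the issuer; relying parties do
// not see it until they call Refresh (the periodic CRL download).
func (c *CRLVerifier) RevokeAtAuthority(id string) { c.authority[id] = true }

func (c *CRLVerifier) Refresh() {
	for id := range c.authority {
		c.cached[id] = true
	}
}

func (c *CRLVerifier) Verify(id string, msg, sig []byte) error {
	pub, ok := c.trusted[id]
	if !ok {
		return errors.New("unknown identity: " + id)
	}
	if c.cached[id] {
		return errors.New("revoked identity: " + id)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature for " + id)
	}
	return nil
}

// Demo walks both verifiers through revocation and rotation and returns, in
// order, whether each step accepted the signature.
func Demo() ([]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	msg := []byte("temp=21.5C") // constructed sample device message
	sig := ed25519.Sign(priv, msg)

	reg := NewRegistry()
	reg.Enroll("sensor-1", pub)
	var out []bool
	out = append(out, reg.Verify("sensor-1", msg, sig) == nil) // enrolled: accepted
	reg.Revoke("sensor-1")
	out = append(out, reg.Verify("sensor-1", msg, sig) == nil) // revoked: rejected at once
	pub2, priv2, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg.Enroll("sensor-1", pub2)                                                      // key reset after compromise
	out = append(out, reg.Verify("sensor-1", msg, sig) == nil)                        // old key: rejected
	out = append(out, reg.Verify("sensor-1", msg, ed25519.Sign(priv2, msg)) == nil) // new key: accepted

	crl := NewCRLVerifier()
	crl.Trust("sensor-1", pub)
	out = append(out, crl.Verify("sensor-1", msg, sig) == nil) // trusted: accepted
	crl.RevokeAtAuthority("sensor-1")
	out = append(out, crl.Verify("sensor-1", msg, sig) == nil) // stale cache: still accepted
	crl.Refresh()
	out = append(out, crl.Verify("sensor-1", msg, sig) == nil) // after refresh: rejected
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(out) // [true false false true true true false]
}
```

The sixth value is the window the abstract is about: between the issuer recording the revocation and the relying party refreshing, the CRL-style verifier still accepts the compromised key, whereas the registry-backed verifier has no such window because it never holds trust it has not just re-derived.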

Presenters:

  • Brian Knopf - Sr Director of Security Research & IoT Architect, Neustar
    Brian Knopf is a security researcher who created an identity management product at oneID, specifically designed for IoT, that was acquired by Neustar. He is now the Sr Director of Security Research, working on IoT, replacements for PKI, and other products to secure IoT devices. Brian is also part of the @BuildItSecurely and @IAmTheCavalry research groups. He is the creator of the 5-Star IoT Security, Safety, and Privacy Rating. His work on securing IoT devices has been reported in Ars Technica, Network World, Forbes, and The Guardian, among others. Brian has also briefed DHS on securing IoT and has presented on security at the IoT Village at DEF CON, BSides, IEEE, and ISSA. Brian was formerly the Director of Product & Application Security at Linksys and Belkin, and the Principal Security Advisor for Wink. He has helped build over 40 different IoT devices from concept to production release.
