Author: linus
Date: 2012-05-24 20:34:41 +0000 (Thu, 24 May 2012)
New Revision: 25660
Added:
projects/presentations/2012-05-24-Swedish-police-IT-forensics.pdf
projects/presentations/2012-05-24-Swedish-police-IT-forensics.tex
projects/presentations/images/NORDUnet-New-Logo-Final-Small.jpg
projects/presentations/images/StenographyOriginal.png
projects/presentations/images/StenographyRecovered.png
projects/presentations/images/cryptography-trafficanalysis.png
projects/presentations/images/direct-users-off-2010-06-01-on-300-2011-05-01-eg.png
projects/presentations/images/networksize-2009-01-01-300-2012-05-23.png
Log:
Add 2012-05-24-Swedish-police-IT-forensics.
Added: projects/presentations/2012-05-24-Swedish-police-IT-forensics.pdf
===================================================================
(Binary files differ)
Property changes on: projects/presentations/2012-05-24-Swedish-police-IT-forensics.pdf
___________________________________________________________________
Added: svn:mime-type
+ application/pdf
Added: projects/presentations/2012-05-24-Swedish-police-IT-forensics.tex
===================================================================
--- projects/presentations/2012-05-24-Swedish-police-IT-forensics.tex (rev 0)
+++ projects/presentations/2012-05-24-Swedish-police-IT-forensics.tex 2012-05-24 20:34:41 UTC (rev 25660)
@@ -0,0 +1,415 @@
+% Copyright 2012 by NORDUnet A/S <info(a)nordu.net>
+% Author: Linus Nordberg <linus(a)nordu.net>
+%
+% This presentation is based on the conference-ornate-20min template
+% by Till Tantau <tantau(a)users.sourceforge.net>. You may redistribute
+% and/or modify it under the terms of the GNU Public License, version
+% 2.
+%
+% To produce a PDF from this document, do something like
+%
+% pdflatex FILE.tex
+%
+% You might want to have packages like tetex, latex-beamer and
+% ghostscript installed.
+
+\documentclass{beamer}
+\mode<presentation>
+{
+ \usetheme{Warsaw}
+ \setbeamercovered{transparent}
+}
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{times}
+\usepackage[T1]{fontenc}
+\usepackage{url}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\title{Tor f�r IT-forensiker}
+\subtitle{}
+\author{Linus Nordberg, NORDUnet}
+\date[2012-05-24]{IT-forensiska seminariet 2012}
+\pgfdeclareimage[height=0.3cm]{ndn-logo}{../images/NORDUnet-New-Logo-Final-Small}
+\logo{\pgfuseimage{ndn-logo}}
+%
+\AtBeginSection[]
+{
+ \begin{frame}<beamer>{Inneh�ll}
+ \tableofcontents[currentsection,currentsubsection]
+ \end{frame}
+}
+
+% Enable this to make items appear one at a time.
+%\beamerdefaultoverlayspecification{<+->}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{document}
+\begin{frame}
+ \titlepage
+\end{frame}
+%\begin{frame}{outline}
+% \tableofcontents
+%\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\section{Presentation}
+\begin{frame}{Presentation}
+\begin{itemize}
+\item Yrke programmerare
+\pause \item Anst�lld av NORDUnet
+\pause \item Tor-relaterat arbete inkluderar f�rel�sningar, drift av
+ m�ttj�nster och rel�n, utveckling (Tor p� IPv6)
+\pause \item Kontakt linus(a)nordu.net 0x23291265 \\
+ \tiny 8C4C D511 095E 982E B0EF BFA2 1E8B F349 2329 1265
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\section{Vad �r Tor}
+
+\begin{frame}{Ett protokoll och ett program}
+\begin{itemize}
+\item Ett n�tverksprotokoll
+\pause \item Ett program -- fri programvara, BSD-licensierad
+\pause \item �ppna epostlistor, k�llkods-arkiv med specifikationer,
+ f�r�ndringsf�rslag och kod, ``bug tracker'', chatrum
+\pause \item Teknik och urpsrunglig kod fr�n NRL (U.S. Naval Research
+ Laboratory)
+\pause ==> ``onion routing'' 1996
+\pause ==> Tor 2002
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Tre funktioner}
+\begin{itemize}
+\item Anonym och skyddad �tkomst till internet
+\pause \item Kringg� blockering
+\pause \item Anonym och skyddad publicering
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Ett ekosystem av applikationer}
+\begin{itemize}
+\item Browsern Aurora -- Firefox + Torbutton
+\pause \item Vidalia -- en kontrollpanel
+\pause \item Metrics -- analysverktyg och information om n�tet
+\pause \item TBB (Tor Browser Bundle) -- Vidalia + FF + Torbutton
+\pause \item Tails -- en live-CD/USB med TBB
+\pause \item Orbot -- Tor f�r Android
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Vidalia -- en kontrollpanel}
+\parbox{3.5cm}{\sloppy \includegraphics[width=3cm]{../images/vidalia-control-panel}}
+\parbox{7cm}{\sloppy \includegraphics[width=7cm]{../images/vidalia-network-map}}
+\end{frame}
+
+\begin{frame}{En ``non-profit org''}
+\parbox{4.5cm}{\sloppy
+\setbeamercolor{background}[\includegraphics[width=3.8cm]{../images/2009-tor-logo}}
+\parbox{6cm}{\sloppy
+\begin{itemize}
+\item 501(c)(3) -- non-profit (ideell org) f�r forskning och
+ utveckling av teknologi f�r anonymitet och skyddande av personlig
+ integritet p� n�tet (2006)
+\item Historia -- NRL, Electronic Frontier Foundation (EFF)
+\end{itemize}
+}
+\end{frame}
+
+\begin{frame}{En ``non-profit org''}
+\parbox{4.5cm}{\sloppy
+\setbeamercolor{background}[\includegraphics[width=3.8cm]{../images/2009-tor-logo}}
+\parbox{6cm}{\sloppy
+\begin{itemize}
+\item Finansiering -- BBG, Sida, Internews, NSF, NLnet, NRL,
+ individuals, Google, HRW (EFF, DARPa, Bell)
+\item Tor Project Inc (2011) -- Kommersialisering f�r att hitta
+ privata sponsorer
+\end{itemize}
+}
+\end{frame}
+
+\begin{frame}{Community}
+\begin{itemize}
+\item{Forskare} \\ Drexel, Univ of Waterloo, Georgia Tech, Princeton,
+ Boston University, University College London, Univ of Minnesota,
+ MIT, National Science Foundation, Naval Research Labs, Cambridge
+ (UK), Bamberg (Tyskland) \pause
+\item{Programutvecklare} \\ Ca 5 heltid + ca 20 deltid (betalda och
+ obetalda) + 6 GSOC-studenter + m�nga tillf�lliga bugrapport�rer,
+ mindre patchar mm.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Community}
+\begin{itemize}
+\item{Rel�-operat�rer} \\ 2000-3000, framf�r allt i USA och Europa \pause
+\item{Anv�ndare} \\ Ca 400,000 dagliga anv�ndare \\
+ \tiny \url{https://metrics.torproject.org/users.html}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Infrastruktur}
+Ett frivillign�tverk best�ende av ca 3000 rel�n
+\begin{overlayarea}{8cm}{5cm}
+\begin{center}
+\includegraphics[scale=0.35]{../images/networksize-2009-01-01-300-2012-05-23}
+\end{center}
+\end{overlayarea}
+\end{frame}
+
+%%%%
+\section{Vad �r anonymitet}
+
+\begin{frame}{Enbart kryptering ger inte anonymitet}
+\parbox{6cm}{\sloppy
+\setbeamercolor{background}[\includegraphics[width=5.9cm]{../images/cryptography-trafficanalysis}}
+\parbox{4cm}{\sloppy
+\begin{itemize}
+\item Krypto skyddar data vid �verf�ring \pause
+\item Man kan fortfarande se vem som pratar med vem, hur ofta och hur
+ mycket
+\end{itemize}
+}
+\end{frame}
+
+\begin{frame}{Steganografi ger inte anonymitet}
+\parbox{4cm}{\sloppy
+\includegraphics[scale=0.40]{../images/StenographyOriginal} \\
+\includegraphics[scale=0.40]{../images/StenographyRecovered}
+}
+\parbox{5.5cm}{\sloppy
+\begin{itemize}
+\item Stego d�ljer datat \pause
+\item Man kan fortfarande se att Alice pratar med n�gon, hur ofta och
+ hur mycket
+\end{itemize}
+}
+\end{frame}
+
+\begin{frame}{�nsket�nkande ger inte anonymitet}
+\begin{itemize}
+\item ``Du kan inte bevisa att det var jag''
+\item ``Lova att inte titta''
+\item ``Lova att inte lagra''
+\item ``Lova att inte ber�tta f�r n�gon''
+\end{itemize}
+\end{frame}
+
+\begin{frame}{�nsket�nkande ger inte anonymitet}
+\begin{itemize}
+\item Bevis -- Beh�vs inte, statistisk analys r�cker l�ngt \pause
+\item L�ften -- Kommer de h�llas? Finns incitament och kompetens?
+ Databaser l�cker. \pause
+\item ==> ``Privacy by design, not privacy by policy''
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Blanda sig med m�ngden}
+\begin{itemize}
+\item Anv�ndaren m�ste g�mmas i en massa \pause
+\item Ett system f�r detta m�ste f� anv�ndaren att se ut som alla
+ andra \pause
+\item D�lja vem som pratar med vem \pause
+\item �ven f�r operat�rer av systemet
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Vem anv�nder Tor}
+\begin{itemize}
+\item{Vanliga m�nniskor} \\ Reklamn�tverk, s�kmotorer, kringg� censur. \pause
+\item{Polisen} \\ Unders�kning utan uniformen p�, skydd av privatliv. \pause
+\item{N�taktivister} \\ Blogga, personlig s�kerhet, �tkomst till
+ blockerade sidor. \pause
+\item{Milit�ren} \\ I f�lt, separera privatliv och tj�nstg�ring. \pause
+\item{Personer med skyddad identitet} \\ Offer f�r kvinnofridsbrott
+ beh�ver ocks� internet, t.ex. f�r kontakt med andra.
+\end{itemize}
+\end{frame}
+
+%\begin{frame}{Egypten}
+%\includegraphics[height=6cm]{../images/direct-users-off-2010-06-01-on-300-2011-05-01-eg}
+%\end{frame}
+
+%%%%
+\section{Hur fungerar Tor}
+
+\begin{frame}{Enhopps-proxy}
+\begin{overlayarea}{9cm}{6cm}
+\only<1>{\includegraphics[height=6cm]{../images/single_hop_relay}}
+\only<2>{\includegraphics[height=6cm]{../images/evil_single_hop_relay}}
+\only<3>{\includegraphics[height=6cm]{../images/data_snooping_single_hop_relay}}
+\end{overlayarea}
+\end{frame}
+
+\begin{frame}{Tor g�r tre hopp}
+\begin{center}
+\begin{overlayarea}{8cm}{5.5cm}
+\only<1>{\includegraphics[height=5.3cm]{../images/tor-network}}
+\only<2>{\includegraphics[height=5.3cm]{../images/tor-safe-selection}}
+\only<3>{\includegraphics[height=5.3cm]{../images/tor-safe-path}}
+\end{overlayarea}
+\flushright
+\tiny Diagram: Robert Watson
+\end{center}
+\end{frame}
+
+\begin{frame}{Tor g�r tre hopp}
+\begin{itemize}
+\item Ett komprometterat f�rsta hopp kan se att Alice pratar men inte
+ med vem \pause
+\item Ett komprometterat sista hopp kan se att n�gon pratar med Bob
+ men inte vem
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Tre lager av kryptering}
+\begin{itemize}
+\item Alice v�ljer tre rel�n ur n�tverkslistan (konsensus) \pause
+\item Exit-policyn hos sista rel�t till�ter uppkoppling till Bobs
+ adress och port \pause
+\item Alice f�rhandlar fram nycklar med det f�rsta rel�t (128-bits
+ AES-CTR mha D-H) och s�tter upp en ``circuit'' dit (CREATE/CREATED)
+ \pause
+\item Hoppar vidare till andra rel�t (EXTEND/EXTENDED -->
+ CREATE/CREATED) \pause
+\item Hoppar vidare till tredje och sista rel�t \pause
+\item Sista rel�t s�tter upp TCP-koppel till Bobs tj�nst
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Tre lager av kryptering}
+\begin{center}
+\begin{overlayarea}{8cm}{5.5cm}
+\includegraphics[width=7cm]{../images/tor-keys1}
+\end{overlayarea}
+\end{center}
+\end{frame}
+
+\begin{frame}{Kryptering av transportlager}
+\begin{itemize}
+\item TLS/SSLv3 f�r kryptering och autenticering \pause
+\item Tre versioner av handskakning f�rhandlar fram version \pause
+\item v2 och v3: NETINFO, VERSIONS \pause
+\item v3: CERTS AUTH\_CHALLLENGE, AUTHENTICATE
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Nycklar och certifikat}
+\begin{itemize}
+\item Varje rel� har en ``long term identity key'' som signerar
+ TLS-cert och ``network documents (``server descriptors'' och
+ konsensus) \pause
+\item En ``medium term onion key'' f�r dekryptering av EXTEND-celler \pause
+\item En ``short term connection key'' f�r TLS-koppel
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Server descriptors}
+\begin{itemize}
+\item Ett rel�s beskrivning av sig sj�lvt \pause
+\item Inneh�ller nickname, annonserad kapacitet, timestamp, publik del
+ av identity key, IP-adress och port(ar), onion key (publika delen),
+ exit policy, family, m.m. \pause
+\item Signeras med identity key \pause
+\item Laddas upp till ``directory authorities'' \pause
+\item Bakas ihop till ``konsensus'' -- listan �ver de rel�er som utg�r
+ Tor-n�tverket f�r en timme fram�ver
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Directory authorities}
+\begin{itemize}
+\item �tta stycken i fem l�nder (plus en f�r bryggor) \pause
+\item R�star fram en s.k. konsensus varje timme \pause
+\item Konsensus utg�r n�tverkskartan \pause
+\item Signeras med ``long term key'' \pause
+\item Klienter laddar ner konsensus och v�ljer rel�n ur denna f�r att
+ bygga circuits \pause
+\item Listan p� directory authorities och deras long term keys finns
+ inkompilerad i klienten (och rel�n)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Bryggor}
+\begin{itemize}
+\item Bryggor �r ``semipublika'' rel�n \pause
+\item Fungerar som bryggor mellan internet och Tor-n�tet f�r anv�ndare
+ som inte kan n� publika rel�n p.g.a. blockering \pause
+\item Tor-n�tet har en ``bridge authority'' dit en brygga kan ladda
+ upp sin deskriptor \pause
+\item Bryggor sprids sedan av Tor-projektet via e-post, web, IM,
+ kontakter\pause
+\item Privata bryggor laddar inte upp deskriptorer utan operat�ren
+ sprider sj�lv bryggans address och port
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Hidden services}
+\begin{itemize}
+\item 2004, f�r anti-DoS och fysisk s�kerhet \pause
+\item Lasse �verlier, FFI (Forsvarets forskningsinstitutt)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Svagheter}
+\begin{itemize}
+\item End-to-end timing correlation \pause
+\item Applikationslagret -- browsers l�cker som s�ll \pause
+\item Bittorent l�cker -- se bl.a. papper fr�n NRIA 2010 \\
+ \tiny \url{https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea}
+\end{itemize}
+\end{frame}
+
+%%%%
+\section{Verktyg}
+
+\begin{frame}{Metrics -- m�tdata, statistik, grafer}
+\begin{itemize}
+\item N�tstatus -- konsensus, s�ka p� rel�er \pause
+\item Grafer -- statistik f�r n�t, anv�ndare, nedladdningar, prestanda \pause
+\item M�tdata som ligger till grund f�r graferna \pause
+\item Forskningspapper och tekniska rapporter \pause
+\item Verktyg -- TorDNSEL och ExoneraTor
+\end{itemize}
+\end{frame}
+
+\begin{frame}{TorDNSEL}
+\begin{itemize}
+\item DNS-baserad lista av exitrel�n \pause
+\item Svarar snabbt p� fr�gan ``�r den h�r IP-addressen ett exitrel�
+ just nu?'' \pause
+\item Anv�nds i applikationer f�r att t.ex. kr�va autenticering eller
+ en CAPTCHA \pause
+\item Anv�nd Tor-projektets tj�nst eller k�r den sj�lv
+\end{itemize}
+\end{frame}
+
+\begin{frame}{ExoneraTor}
+\begin{itemize}
+\item Svarar p� fr�gan ``Agerade den h�r IP-adressen och porten
+ Tor-exitrel� vid den h�r tidpunkten?'' \pause
+\item Ladda ner verktyg och databas och st�ll lokala fr�gor \pause
+\item Tj�nst tillhandah�llen av Tor-projektet:
+ \small \url{https://metrics.torproject.org/exonerator.html}
+\end{itemize}
+\end{frame}
+
+%%%%
+\section{Avslutning}
+\begin{frame}{K�llor, tillerk�nnanden}
+\begin{itemize}
+\item Krypto skyddar data vid �verf�ring (Alice, Bob och ondskan): Ilja Hallberg
+\item Tr�det med katten i: GFDL
+ \tiny \url{https://commons.wikimedia.org/wiki/GNU_Free_Documentation_License}
+\item Katten (utan tr�d): GFDL
+ \tiny \url{https://commons.wikimedia.org/wiki/GNU_Free_Documentation_License}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Fr�gor}
+\begin{center}
+Fr�gor?
+\end{center}
+\end{frame}
+
+%%%%
+\end{document}
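Review bot: The "Tor gör tre hopp" slide (the `\item Ett komprometterat sista hopp kan se att någon pratar med Bob men inte vem` bullet) and the later "Svagheter" slide omit the caveat a forensics audience most needs: the exit relay is where the Tor encryption layers end, so unless Alice uses TLS end to end, a monitoring or hostile exit sees and can alter the plaintext of her traffic to Bob — the `data_snooping_single_hop_relay` figure makes this point for a one-hop proxy, but the text never says it also holds for Tor's last hop. I would qualify that bullet and add an item to the "Svagheter" list, e.g. `\item Exitrelät ser (och kan ändra) klartext om trafiken inte är krypterad ände till ände (https)`. On the ExoneraTor slide it is worth stating that the answer is derived from the hourly consensus and descriptor archive described on the "Server descriptors" and "Directory authorities" slides, so it has hour granularity and a negative answer is only as complete as that archive. Two smaller items: `NRIA 2010` on the Bittorrent bullet looks like a typo for INRIA, and the file is committed with `svn:executable` set, which a LaTeX source does not need.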
Property changes on: projects/presentations/2012-05-24-Swedish-police-IT-forensics.tex
___________________________________________________________________
Added: svn:executable
+ *
Added: projects/presentations/images/NORDUnet-New-Logo-Final-Small.jpg
===================================================================
(Binary files differ)
Property changes on: projects/presentations/images/NORDUnet-New-Logo-Final-Small.jpg
___________________________________________________________________
Added: svn:mime-type
+ image/jpeg
Added: projects/presentations/images/StenographyOriginal.png
===================================================================
(Binary files differ)
Property changes on: projects/presentations/images/StenographyOriginal.png
___________________________________________________________________
Added: svn:mime-type
+ image/png
Added: projects/presentations/images/StenographyRecovered.png
===================================================================
(Binary files differ)
Property changes on: projects/presentations/images/StenographyRecovered.png
___________________________________________________________________
Added: svn:mime-type
+ image/png
Added: projects/presentations/images/cryptography-trafficanalysis.png
===================================================================
(Binary files differ)
Property changes on: projects/presentations/images/cryptography-trafficanalysis.png
___________________________________________________________________
Added: svn:mime-type
+ image/png
Added: projects/presentations/images/direct-users-off-2010-06-01-on-300-2011-05-01-eg.png
===================================================================
(Binary files differ)
Property changes on: projects/presentations/images/direct-users-off-2010-06-01-on-300-2011-05-01-eg.png
___________________________________________________________________
Added: svn:mime-type
+ image/png
Added: projects/presentations/images/networksize-2009-01-01-300-2012-05-23.png
===================================================================
(Binary files differ)
Property changes on: projects/presentations/images/networksize-2009-01-01-300-2012-05-23.png
___________________________________________________________________
Added: svn:mime-type
+ image/png