Connect with us   ​  

Fraser Tweedale

Fraser is a software engineer at Red Hat where he works on FreeIPA (identity management), Dogtag (X.509 PKI) and related security projects.  By night he programs in Haskell and is exploring theorem proving, dependent types, category theory and other exciting intersections of mathematics and computer science.

Twitter: @hackuador

Presentation Title
Network-bound encryption with Tang and Clevis

Full disk encryption and, more generally, encryption of secrets at 
rest are part of the information security doctrine. Unfortunately 
these practices have costs in the form of latency (downtime), 
repetition (productivity loss), proneness to error (typos; "was that 
'1' or 'l'?") or other challenges in supplying a decryption 
passphrase when needed (e.g. headless systems). These hurdles, 
aside from the inherent costs, have resulted in an alarming 
incidence of advice on the web to, e.g. leave TLS private keys 
sitting around in the clear. 

We can do better. 

*Tang* [1] is a protocol and (along with the client-side *Clevis*) 
software implementation of *network bound encryption*; that is, 
automatic decryption of secrets when a client has access to a 
particular server on a secure network. It uses *McCallum-Relyea 
exchange*, a novel two-party protocol based on ElGamal encryption 
that allows Alice to cooperate with Bob to encrypt and decrypt a 
secret without Bob (let alone Eve) being able to learn the secret. 

In this talk I will outline the use cases, explain McCallum-Relyea 
exchange and provide an overview of the network protocol, design and 
implementation of Tang and Clevis. There will be a live demo 
showing the setup and operation of Tang and Clevis to automatically 
decrypt LUKS volume keys and TLS private keys in Apache. The talk 
will conclude with a discussion of assumptions, limitations and 
threats in the Tang protocol, and how the protocol can play a part 
in more complex access policies (wherein *Shamir's Secret Sharing* 
makes an appearance). 

*Note: Tang and Clevis were formerly a single project called Deo[2].* 



Conference Highlights

New Venue
Don't miss the best cyber security conference in Australia at the Surfers Paradise Marriott, only 150 m from Surfers Paradise beach

Conference MC
Comedian and Mathematician Adam Spencer will host the conference, Gala Dinner and Speed Debate

Career Café
Retreat to the back of the exhibition away from the noise for a real coffee at the AusCERT2016 Career Café and chat with specialist Infosec recruiters