EBSI digital identity DDoS hardening using IP reputation

[synctext]

Survey Q1 + Starting thesis 10 jan {job next to thesis}

Also interested in the problem of online trust. General intro and overview by Bruce {rockstar of security research} Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure. Technical discussion on HackerNews on passport failures and public key directories.

{duplicate from # 7423} Topic	Title of paper and URL
strong identity	A Truly Self-Sovereign Identity System
strong identity	TrustVault: A privacy-first data wallet for the European Blockchain Services Infrastructure
strong identity	Zero-Trust Architecture for Legal Entities
strong identity	Distributed Attestation Revocation in Self-Sovereign Identity

More on passport-level digital identity. Warning given :smile_cat: "this is complex stuff". identity is the foundation of trust in the old analog world. Please make a reading list about SSI, EBSI, EBP and eIDAS2

• https://en.wikipedia.org/wiki/Self-sovereign_identity
• The Future of Integrated Digital Governance in the EU: EBSI and GLASS
• https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/identity/eidas-regulations
• https://gouvernement.lu/en/dossiers.gouv_digitalisation%2Ben%2Bdossiers%2B2022%2Bebsilux.html
• https://dl.gi.de/bitstream/handle/20.500.12116/38705/proceedings-05.pdf?sequence=1&isAllowed=y
• worldcoin
• [Rowdy strong identity revocation thesis]()

please note the survey @ Tribler lab methodology: https://github.com/Tribler/tribler/wiki/MasterThesis#10-ects-literature-survey-at-tribler-lab (e.g. try out all known open source wallets for suvey and grade them with stong/weak analysis in a table with screenshots { https://walt.id/ebsi ; https://github.com/walt-id })

[AdiDumi]

why has public key infrastructure failed for 35 years

[synctext]

Ask Google Scholar about PKI failure. First result: https://www.nics.uma.es/pub/papers/JavierLopez2005.pdf With the upcoming European passport this given a nice modern twist to 35(?) years of failure: Failure of Public Key Infrastructure for 35 years: lessons for the European passport-grade digital identity (EBSI) {putting 2 storylines into 1 title}. Shorter attempt: 35 years of failure: European Digital Identity lessons

see 2016 ideas on Self-sovereign identity (SSI). TUDelft Master student full-time on EU digital ID from 2021. Discussed the Literature Survey wiki documentation

{brainstorm in bit harsh term} A fraud-resilient authentication method is notoriously hard to realise. Academic thinkers have offered little help, academic literature extensively documents numerous ideas and design sketches. Public key cryptography was invented in the year: ... In the 35 years since this invention we have failed to utilise this invention. The European Digital Identity project (EBSI) is only the latest in a long line of failed attempts. For instance, "Overview of the German identity card project and lessons learned (2020 update)" and "The giant is lagging behind - How the German electronic ID fails to reap its potential. This survey lists the numerous projects to provide digital identity and also highlights the decades scientific research. To date, no solution exists for the 400 million citizens within the EU. Finally, we list the vital lessons for the upcoming project to provide an EU-wide passport-grade digital identity. Contrary to numerous past projects, a refreshing amount of transparency is provided. For instance, see the detailed public EBSI node operator operational handbook.

Bit of general info news article "Digital Identity: Where We Began, Where We Are And Where We Are Going"

{early brainstorm for master thesis} The above builds expertise on wide scope of upcoming EU digital ID. Security will we essential, but EBSI server is based upon IBM Hyperledger technology. This is expected to only serve a good purpose during development. For full-scale production usage as the underpinning of the entire EU digital economy Hyperledger server probably needs replacing. Ideal outcome would be re-using the infrastructure at Delft to develop a 12-line Kotlin script to bring down such a EBSI Hyperledger server. See 2021 Delft master student who made the first open source Android EBSI v2 communications lib. Good news, save this project with application-level firewall rules????

[AdiDumi]

On the risk of misbehaving RPKI authorities

REGULATION (EU) on eid 'Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and public authorities hesitate to carry out transactions electronically and to adopt new services.'

[AdiDumi]

Survey Template

[synctext]

Lots of written documents in the past 35 years, yet no generic solution for digital identity:

• blog-level intro to identity and some history
• in-depth but shot timeline of ID development
• European Identity Toolbox
• architecture reference framework ebsi
• ENISA EU report
• The 'bible' report of digital identity from 2019, still quite relevant
• 'light' reading: Paving a Digital Road to Hell? A Primer on the Role of the World Bank and Global Networks in Promoting Digital ID
• Germany eID
  • {repeated} "Overview of the German identity card project and lessons learned (2020 update)"
  • "The giant is lagging behind - How the German electronic ID fails to reap its potential.
• Switzerland
  • [Digital identity scheme shot down by voters over data privacy concerns]()
• Argentina
  • Problems in Argentina’s justice system exacerbated by public facial recognition: report
• Netherlands
  • analysis paralysis, vision letter to Parliament
  • 2007 update to the National Identity Number with digital identity mentioning
• Taxonomy idea: use "amount of taxpayer money lost" for ranking country eID failures.
  • mistakes made and mistakes to avoid

[AdiDumi]

Additional read:

• Forbes read on the history of id from physical to digital
• Technical standards in eid and examples from countries like India, Pakistan, Estonia, Peru
• History of fingerprint identification
• Estonia's eID
• KSI blockchain used by Estonia eID
• Story of eID in Estonia
• Peru digital eID that also has fingerprint signature
• Examples and reasons of eID
• Global market share of PKI
• Blockchain survey

[synctext]

• Next sprint: update draft!! https://www.overleaf.com/9979318732vyszfmpsqwgm
  • projects in time: SDSI, IRMA, Soverin, Delft, SKI. Please find scientific sources, such as:
• Found lessons and cardinal cause of failure
  • Death by complexity
  • Failure to scale
  • Scalability for amount of use-cases
  • Scalability for amount of citizens
  • Pain&gain sharing. Politics, economics, high investment cost, long-term social benefit, uncertain payback time, socio-economic infrastructure, misalignment of incentives, and market failure for technology providers (eg. 10 year contract == natural monopoly).
  • Chile $276 million contract https://www.biometricupdate.com/202302/chile-extends-idemia-contract-to-supply-and-support-digital-id-documents-by-a-year
• 1996 SDSI-a simple distributed security infrastructure
• 1997 An implementation of SDSI: the simple distributed security infrastructure (brightest and famous authors)
• 2013: Towards practical attribute-based identity management: The IRMA trajectory (3 pages only!)
• 2017 IRMA: practical, decentralized and privacy-friendly identity management using smartphones (2 pages!)
• 2019 Backup and Recovery of IRMA Credentials
• 2019 Self-sovereign identity: A comparison of IRMA and Sovrin (21 pages)
• 2020 Electronic identity services as sociotechnical and political-economic constructs
• By our Lab: Self-Sovereign Identity Solutions: The Necessity of Blockchain Technology
• Dutch failures learn-by-doing
  • 2016 pilots (fail/success??) https://joinup.ec.europa.eu/collection/eidentity-and-esignature/news/netherlands-begins-eid-pilots
  • "Rijksdienst voor Identiteitsgegevens (2018), Plan van aanpak (v1.0). Project vID fase 2"
• Lots of citations: https://www.sciencedirect.com/science/article/abs/pii/S1084804520302058

[AdiDumi]

overleaf Secure Web Client Using SPKI/SDSI SDSI Java imple Simple Public Key Infrastructure Analysis Protocol Analysis and Design Attribute-Based Identity Management Bridging the Cryptographic Design of ABCs with the Real World IRMA Glass

To get more from: Blockchain-based identity management systems: A review

[synctext]

• Making solid progress! Ready in 3 weeks?
• First talk about social identity, then digital identity. Those are different concepts :passport_control:
• Pretty "Figure 1" with 35 years of failure points? timeline Page 1 (or 2), bottom, \pagewidth, broad overview?
• Problem Description is unclear. "Why digital identity has failed us. Broad analysis, history, attempts, taxonomy of failures, taxpayer money lost ". Move all bullets after history lessons and project overview.
• Focus, focus, focus? ID is {too} huge :boom: "Covid ID" :eyes: Restrict to "digital identity, government-driven"?
• Ask google: list of identity project failure.
  • 6 Reasons Why Identity Projects Fail
  • Identity Management in Developing Countries: A SWOT-Analysis
• More countries?
  • Canada:
  • https://medium.com/@supergovernance/the-long-road-of-digital-identity-16e8e497c895
  • 2018 Bankers ID report
  • Building Trust: Lessons from Canada’s Approach to Digital Identity
  • India: A cost-benefit analysis of Aadhaar National Institute of Public Finance and Policy
• Modern hipster blockchain projects
  • uPort Open-Source Identity Management System: An Assessment of Self-Sovereign Identity and User-Centric Data Platform Built on Blockchain
  • Stripe Identity. Identity Tools. focus on authenticity of ID documents
  • Nametag. Identity Tools. ...
  • Fractal ID. Identity Tools. ...
  • Polygon ID. Identity Tools. ...
  • Skiff. Infrastructure Tools. ...
  • kycDAO. Identity Tools. ...
  • Disco. Identity Tools. ...
  • Spruce. Identity Tools.
  • 56 decentral identity app&projects

[AdiDumi]

Almost final draft Missing abstract, conclusion and some table information Literature_Survey_IN4306.pdf

[synctext]

• J.H. Ellis, Communications - Electronics Security Group, Government Communications Headquarters, Research Report No. 3006, The Possibility of Secure Non-Secret Digital Encryption, January 1970. Secret.. the possibility of non-secret crypto is from Jan 1970, 53 years ago

• Just stated that it might be possible, no algorithm for one-way function, no implementation. That was RSA.

• Missing milestone: Trust-on-first-use (TOFU, 2008) Perspectives: Improving SSH-style host authentication with multi-path probing. low-cost and simple key management model

• small errors: "W. Diffie; M. Hellman" wrote the [27] citation. That's just key agreement, not the invention or realisation of public key crypto.

• typos: \event{1996}{SDSI intorduction}

• Dan Boneh, FEBRUARY 1999: twenty years of attacks on the rsa cryptosystem Essence: securely implementing RSA is a nontrivial task. We conclude: deploying public key cryptography such as RSA is also a non-trivial task!

• "III. A HISTORY OF ALTERNATIVES", more like "evolution of PKI"?

• "TABLE I: Overview of the ranking countries eID." the core taxonomy table! Facinating stuff, please at least double the number of countries+failures

  • Just ask Google and include in report https://www.google.com/search?q=failed+identity+projects :eyes:

• EU on ID. "Every time an App or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality. That is why the Commission will propose a secure European e-identity. One that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data is used and how." Ursula von der Leyen, President of the European Commission, in her State of the Union address, 16 September 2020

• {early brainstorm for master thesis - PART II} EBSI wallet, wallet-to-wallet communication (known IPv4), overlay (key lookup),data sharing (EBSI-to-EBSI), server hardening! (repeating)The above builds expertise on wide scope of upcoming EU digital ID. Security will we essential, but EBSI server is based upon IBM Hyperledger technology. This is expected to only serve a good purpose during development. For full-scale production usage as the underpinning of the entire EU digital economy Hyperledger server probably needs replacing. Ideal outcome would be re-using the infrastructure at Delft to develop a 12-line Kotlin script to bring down such a EBSI Hyperledger server. See 2021 Delft master student who made the first open source https://github.com/Tribler/tribler/issues/6023#issuecomment-908087676. Good news, save this project with application-level firewall rules????

  • time for coding again!
  • Data-vault code + wallet v2 interfacing with EBSI.
  • big milestone: talk to live EBSI server
  • Check out the code: https://ec.europa.eu/digital-building-blocks/code/projects/EBSI

[AdiDumi]

Ursula von der Leyen statement

[AdiDumi]

Finished final version of the Survey. Worked on the abstract, conclusions, history of PKI evolution, added countries to the survey and completed the taxonomy table. Rephrasing some paragraphs and added more literature about PKI failures and EU eIDs. Literature_Survey_IN4306_final.pdf

[synctext]

• Solid work :1st_place_medal:
• Not explicit what PKI offers
• Difficult to read academic writing style with section opening sentences covering 6 lines sometimes: The core element of the Public Key Infrastructures, key exchange with the RSA cryptosystem, has been the subject of different attacks from its introduction and securely implementing RSA is a nontrivial task, concluding that deploying public key cryptography such as RSA is also a non-trivial task
• Would love to hear even a small success story, I get depressed from these 53 years of failings; However, only a few have succeeded, and there are several reasons behind the failure of PKIs, which can be categorized into technical, economical, legal, and social factors [37].. See wise people of Reddit: is Keybase dead?. That was the best startup we had in PKI space.
• cultural reason is missing, digital authentication infrastructure has overlap with the "identity wars". Storage of government attributes like gender :dancing_men: with cryptographic authentication are notorious, see the "gender X" UK petition for border-crossing identity documents.
• Leading company today seems: https://idk.digidentity.eu/Overview/
• Would be great work for an arXiv upload !!!
• First steps of master thesis: study code our our existing EBSI wallet, study the server code.

[AdiDumi]

The survey is uploaded to arXiv with the lastest version. Literature_Survey_IN4306 (2).pdf

[synctext]

Completed! Today the master thesis work starts :tada:

[AdiDumi]

Studied the code for existing EBSI wallet in the SuperApp Studied the server code and also on the gitlab with the APIs and wallets available now and wallets

[synctext]

Concrete tasks to further explore your thesis focus.

• Try to find an EBSI (pilot) server to talk to .
  • try for at least days to find one, backup plan: study, compile the EBSI data vault superapp
  • Kotlin tooling
• goal: build command-line tooling for performance analysis
• outcome: this server crashes with a workload of 3k `did_write` requests per second. Stable with 2.5k tps.
  • [ ] measure response time, jitter
  • [ ] bandwidth usage
• passkeys, FIDO2, webAuth are heavily pushed by Big Tech.
  • only low-level TOFU for email and e-commerce
  • no bank KYC, passport-grade legal signature, or air-plane boarding
  • However, this is usable and will be HUGE. Deployed to all Apple fans
  • authenticator apps with: time-based one-time password (TOTP; specified in RFC 6238) and HMAC-based one-time password (HOTP; specified in RFC 4226)
  • EBSI will almost be forced to interact with this or be compatible somewhat ??? (or given the EU temperature: "EU passkeys Regulation Act", forcing them to change)
• mental note: this master student working on PKI, athentication and digital identity does not know backup codes
  • see brute force protection against 8-digit passwords
  • Captcha verification kicks in, then lockout :boom:
• Next sprint: 1-page "Problem Description" as MARE.tudelft.nl first stage evaluation doc + also first sample master thesis chapter.
• Either Rowdy or Egbert can help with EBSI daily details.

[synctext]

Please read all these details: https://medium.com/@schwalm.steffen/qualified-ledgers-bridging-the-gap-between-blockchain-technology-and-legal-compliance-c08d24a68db9

[synctext]

Next week we should get an EBSI server image to install, so there is movement...

• possible thesis topic to explore is "Layer 7 attacks" also: ref"
• Datasets of attacks exist
  • https://www.unb.ca/cic/datasets/ddos-2019.html
  • https://www.kaggle.com/datasets/sajid576/sql-injection-dataset
  • https://www.kaggle.com/code/hamzasamiullah/ml-analysis-application-layer-dos-attack-dataset
• Funny related work. "interesting" :clown_face: Using a secondary ledger for protection, "SQL Injection Prevention using Hyperledger Fabric"
• explore mod_security and/or nginx waf

[AdiDumi]

Update sprint:

• key takes from Qualified Ledgers: Bridging the Gap between Blockchain Technology and Legal Compliance:

  • eIDAS 2.0 shaping the regulatory framework for digital identity and trust services within the European Union with an accent on Decentralized digital identities and ecosystems and Self Sovereign identities
  • qualified electronic ledgers aligns with the principles of eIDAS 2.0
  • (EBSI) and its transition into the European Digital Infrastructure Consortium (EDIC) for decentralized infrastructure for public services across Europe
  • EBSI could evolve into a qualified electronic ledger, enhancing security and reliability for various trust services and with DLT intersect with the requirements of eIDAS 2.0, such as digital credentials, cross-border cooperation, and regulatory compliance.
  • German government's decision not to support DLT for their national EUDI wallet because provable security standards, addressed through certification requirements maybe?

• Challenges in Stopping Application Layer DDoS Attacks:

  • distinguishing between attack traffic and normal traffic is challenging, especially in the case of botnets performing HTTP Flood attacks.
  • each bot in a botnet makes seemingly legitimate network requests, making the traffic appear "normal" in origin.

• Solution?

  • tools like a properly configured Web Application Firewall (WAF), are necessary for mitigation(ModSecurity).
  • filter traffic through an IP reputation database. LIKE THIS

• Could not talk to a EBSI pilot server - need a "Verifiable Authorisation To Onboard"

• Found and compiled the DataVault app from old master thesis. Spend days fixing compatibility and version errors. Updated libraries to match the newer kotlin version => working on my phone(except the performance test).

  

[synctext]

• :tada: :tada: :tada:
  • Awesome core thesis idea
  • filter traffic through an IP reputation database.
  • draft thesis title: "IP reputation protection for passport-grade EU SSI ID server" (todo: less abbreviation)
• Related work
  • we have 24 years of experience with reputation systems. Small detail is that we almost have it working with MeritRank.
  • How to Use Project Honeypot with NGINX and ModSecurity 3.0 (threat score between 0 and 255)
  • Requirements: forgiveness? Transparency?
  • Server blocks in remote regions versus consumer ISP ranges
  • Windows exploit sender versus spammer
• fundamental issue is that reputation is tied to your passport-grade ID versus IPv4 address
  • not really totally ambitious, just fundamentally fix The Internet :roll_eyes:
  • ideas:
  • for every successful login, leave IPv4 in table (Goodness table)
  • for all irrefutable attack patterns, leave IPv4 in table (Bad table)
  • Are you a bot? Solve this Captcha or call your local EU municipality
  • You are a bot, you now go straight to bot jail
  • For each /24, /16, and /8 keep a block reputation
    • Multiple public keys of logins (or hashed IDs)
    • Multiple irrefutable attack patterns
    • Mixed :astonished: :open_mouth: :fearful:
    • Keep this smaller then complete BGP routing table (AS count 74,200)
• We completely safe, except for "server-side request forgery" attacks.
• Upcoming sprint. Read related work:
  • Experimental Study of ModSecurity Web Application Firewalls
  • deploy modesecurity and try SlowHTTPTest application-level DoS attack simulator?
• Future: top-down analysis, fixes problem?

[AdiDumi]

Sprint update:

• not as much progress as hoped due to house hunting and stomach flu
• studied more the ModSecurity with Core Rule Set:
  • combination of anomaly scoring = each rule that matches a part of the request contributes to a cumulative score. The more rules a request triggers, the higher its overall score becomes until a threshold set by user
  • and paranoia level the sensitivity or aggressiveness of the rule set, depending on the type of data accessed, problems with false-positives
• working on docker files to have containers running the ModSecurity + SlowHttpTest with docker compose:
  • SlowHttpTest
  • ModSecurity
• Changed dockerfiles from repos, work in progress to make them build, had to add versions, delete packages..
• Paper shows that ModSecurity is vulnerable especially to DoS attacks(multiple types: slow header, slow body, range attacks)
• ModSecurity has been passed even from 2014, presented in Analysis of Slow Read DoS Attack and Countermeasures

Full draft docker magic

``` ARG HTTPD_VERSION="1" FROM httpd:${HTTPD_VERSION} as build ARG MODSEC2_VERSION="1" ARG LUA_VERSION="1" RUN set -eux; \ echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \ apt-get update -qq; \ apt-get install -y -qq --no-install-recommends --no-install-suggests \ automake \ ca-certificates \ g++ \ git \ libapr1-dev \ libaprutil1-dev \ libcurl4-gnutls-dev \ libfuzzy-dev \ libpcre3-dev \ libtool \ libxml2-dev \ libyajl-dev \ lua${LUA_VERSION}-dev \ make \ pkgconf \ wget RUN set -eux; \ wget --quiet https://github.com/owasp-modsecurity/ModSecurity/archive/refs/tags/v${MODSEC2_VERSION}.tar.gz; \ tar -zxvf v${MODSEC2_VERSION}.tar.gz; \ cd ModSecurity-${MODSEC2_VERSION}; \ ./autogen.sh; \ ./configure --with-yajl --with-ssdeep; \ make; \ make install; \ make clean FROM httpd:${HTTPD_VERSION} as crs_release ARG CRS_RELEASE # hadolint ignore=DL3008,SC2016 RUN set -eux; \ apt-get update; \ apt-get -y install --no-install-recommends \ ca-certificates \ curl \ gnupg; \ mkdir /opt/owasp-crs; \ curl -SL https://github.com/coreruleset/coreruleset/archive/v${CRS_RELEASE}.tar.gz -o v${CRS_RELEASE}.tar.gz; \ curl -SL https://github.com/coreruleset/coreruleset/releases/download/v${CRS_RELEASE}/coreruleset-${CRS_RELEASE}.tar.gz.asc -o coreruleset-${CRS_RELEASE}.tar.gz.asc; \ gpg --fetch-key https://coreruleset.org/security.asc; \ gpg --verify coreruleset-${CRS_RELEASE}.tar.gz.asc v${CRS_RELEASE}.tar.gz; \ tar -zxf v${CRS_RELEASE}.tar.gz --strip-components=1 -C /opt/owasp-crs; \ rm -f v${CRS_RELEASE}.tar.gz coreruleset-${CRS_RELEASE}.tar.gz.asc; \ mv -v /opt/owasp-crs/crs-setup.conf.example /opt/owasp-crs/crs-setup.conf FROM httpd:${HTTPD_VERSION} ARG MODSEC2_VERSION ARG LUA_VERSION ARG LUA_MODULES ENV APACHE_ALWAYS_TLS_REDIRECT=off \ APACHE_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ APACHE_ERRORLOG_FORMAT='"[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"' \ APACHE_METRICS_LOGFORMAT='"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""' \ ACCESSLOG=/var/log/apache2/access.log \ BACKEND=http://localhost:80 \ BACKEND_WS=ws://localhost:8080 \ ERRORLOG='/proc/self/fd/2' \ H2_PROTOCOLS='h2 http/1.1' \ LOGLEVEL=warn \ METRICS_ALLOW_FROM='127.0.0.0/255.0.0.0 ::1/128' \ METRICS_DENY_FROM='All' \ MUTEX='default' \ METRICSLOG='/dev/null' \ MODSEC_AUDIT_ENGINE="RelevantOnly" \ MODSEC_AUDIT_LOG_FORMAT=JSON \ MODSEC_AUDIT_LOG_TYPE=Serial \ MODSEC_AUDIT_LOG=/dev/stdout \ MODSEC_AUDIT_LOG_PARTS='ABIJDEFHZ' \ MODSEC_AUDIT_STORAGE=/var/log/modsecurity/audit/ \ MODSEC_DATA_DIR=/tmp/modsecurity/data \ MODSEC_DEBUG_LOG=/dev/null \ MODSEC_DEBUG_LOGLEVEL=0 \ MODSEC_DEFAULT_PHASE1_ACTION="phase:1,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DEFAULT_PHASE2_ACTION="phase:2,pass,log,tag:'\${MODSEC_TAG}'" \ MODSEC_DISABLE_BACKEND_COMPRESSION="On" \ MODSEC_PCRE_MATCH_LIMIT_RECURSION=100000 \ MODSEC_PCRE_MATCH_LIMIT=100000 \ MODSEC_REQ_BODY_ACCESS=on \ MODSEC_REQ_BODY_LIMIT=13107200 \ MODSEC_REQ_BODY_LIMIT_ACTION="Reject" \ MODSEC_REQ_BODY_JSON_DEPTH_LIMIT=512 \ MODSEC_REQ_BODY_NOFILES_LIMIT=131072 \ MODSEC_RESP_BODY_ACCESS=on \ MODSEC_RESP_BODY_LIMIT=1048576 \ MODSEC_RESP_BODY_LIMIT_ACTION="ProcessPartial" \ MODSEC_RESP_BODY_MIMETYPE="text/plain text/html text/xml" \ MODSEC_RULE_ENGINE=on \ MODSEC_SERVER_SIGNATURE="Apache" \ MODSEC_STATUS_ENGINE="Off" \ MODSEC_TAG=modsecurity \ MODSEC_TMP_DIR=/tmp/modsecurity/tmp \ MODSEC_TMP_SAVE_UPLOADED_FILES="on" \ MODSEC_UPLOAD_DIR=/tmp/modsecurity/upload \ PORT=80 \ PROXY_ERROR_OVERRIDE=on \ PROXY_PRESERVE_HOST=on \ PROXY_SSL=off \ PROXY_SSL_CA_CERT=/etc/ssl/certs/ca-certificates.crt \ PROXY_SSL_CERT=/usr/local/apache2/conf/proxy.crt \ PROXY_SSL_CERT_KEY=/usr/local/apache2/conf/proxy.key \ PROXY_SSL_CHECK_PEER_NAME=off \ PROXY_SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ PROXY_SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \ PROXY_SSL_VERIFY=none \ PROXY_TIMEOUT=60 \ REMOTEIP_INT_PROXY='10.1.0.0/16' \ REQ_HEADER_FORWARDED_PROTO='https' \ SERVER_ADMIN=root@localhost \ SERVER_NAME=localhost \ SERVER_SIGNATURE=Off \ SERVER_TOKENS=Full \ SSL_CERT=/usr/local/apache2/conf/server.crt \ SSL_CERT_KEY=/usr/local/apache2/conf/server.key \ SSL_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ SSL_ENGINE=on \ SSL_HONOR_CIPHER_ORDER=off \ SSL_PORT=443 \ SSL_PROTOCOLS="all -SSLv3 -TLSv1 -TLSv1.1" \ SSL_SESSION_TICKETS=off \ SSL_OCSP_STAPLING=On \ TIMEOUT=60 \ WORKER_CONNECTIONS=400 \ # CRS specific variables PARANOIA=1 \ ANOMALY_INBOUND=5 \ ANOMALY_OUTBOUND=4 \ BLOCKING_PARANOIA=1 COPY --from=build /usr/local/apache2/modules/mod_security2.so /usr/local/apache2/modules/mod_security2.so COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/modsecurity.conf-recommended /etc/modsecurity.d/modsecurity.conf COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapping /etc/modsecurity.d/unicode.mapping COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/ COPY src/bin/* /usr/local/bin/ COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/ COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/ COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/ COPY apache/docker-entrypoint.sh / RUN set -eux; \ echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections; \ apt-get update -qq; \ apt-get install -qq -y --no-install-recommends --no-install-suggests \ ca-certificates \ curl \ gnupg \ iproute2 \ libcurl3-gnutls \ libfuzzy2 \ liblua${LUA_VERSION} \ ${LUA_MODULES} \ libxml2 \ libyajl2; \ update-ca-certificates -f; \ apt-get clean; \ rm -rf /var/lib/apt/lists/* RUN set -eux; \ mkdir -p /etc/modsecurity.d/; \ mkdir -p /tmp/modsecurity/data; \ mkdir -p /tmp/modsecurity/upload; \ mkdir -p /tmp/modsecurity/tmp; \ chown -R $(awk '/^User/ { print $2;}' /usr/local/apache2/conf/httpd.conf) /tmp/modsecurity; \ mkdir -p /var/log/apache2/; \ ln -s /opt/owasp-crs /etc/modsecurity.d/; \ sed -i -E 's|(Listen) [0-9]+|\1 ${PORT}|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|(ServerTokens) Full|\1 ${SERVER_TOKENS}|' /usr/local/apache2/conf/extra/httpd-default.conf; \ sed -i -E 's|(ServerSignature) Off|\1 ${SERVER_SIGNATURE}|' /usr/local/apache2/conf/extra/httpd-default.conf; \ sed -i -E 's|#(ServerName) www.example.com:80|\1 ${SERVER_NAME}|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|(ServerAdmin) you@example.com|\1 ${SERVER_ADMIN}|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|^(\s*CustomLog)(\s+\S+)+|\1 ${ACCESSLOG} modsec "env=!nologging"|g' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|^(\s*ErrorLog)\s+\S+|\1 ${ERRORLOG}|g' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|^(\s*TransferLog)\s+\S+|\1 ${ACCESSLOG}|g' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule unique_id_module)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule rewrite_module modules/mod_rewrite.so)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule proxy_module modules/mod_proxy.so)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule proxy_http_module modules/mod_proxy_http.so)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule remoteip_module modules/mod_remoteip.so)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule socache_shmcb_module modules/mod_socache_shmcb.so)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule ssl_module modules/mod_ssl.so)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(LoadModule http2_module modules/mod_http2.so)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(Include conf/extra/httpd-default.conf)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(Include conf/extra/httpd-proxy.conf)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(Include conf/extra/httpd-ssl.conf)|\1|' /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|#(Include conf/extra/httpd-vhosts.conf)|\1|' /usr/local/apache2/conf/httpd.conf; \ echo 'Include conf/extra/httpd-locations.conf' >> /usr/local/apache2/conf/httpd.conf; \ echo 'Include conf/extra/httpd-modsecurity.conf' >> /usr/local/apache2/conf/httpd.conf; \ sed -i -E 's|(MaxRequestWorkers[ ]*)[0-9]*|\1${WORKER_CONNECTIONS}|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \ chgrp -R 0 /var/log/ /usr/local/apache2/; \ chmod -R g=u /var/log/ /usr/local/apache2/ ENTRYPOINT ["/docker-entrypoint.sh"] FROM alpine:3.17 as builder RUN apk add --no-cache build-base git openssl-dev autoconf automake WORKDIR /build COPY . /build RUN ./configure && make FROM alpine:3.17 RUN apk add --no-cache libstdc++ COPY --from=builder /build/src/slowhttptest /usr/local/bin/ ENTRYPOINT ["slowhttptest"] services: slowhttp: build: context: ./slowhttp modsecurity: build: context: ./modsecurity ```

[synctext]

• Steady progress!
• First code of Delft Master thesis experimental environment :rocket:
• Excellent 2014 related work find of a DoS Analysis of Slow Read DoS Attack and Countermeasures on Web servers with 5 Bytes/second attackers.
  • Some stats from famous DDoS attacks: 3.45 Tbps
  • Maximum buzzword paper with very practical content: Experimental studies of the features of using waf to protect internal services in the zero trust structure
• Grand ambition is to make an upstream contribution :thinking: :medal_sports:
  • 3 million docker pulls repo
  • very actively maintained Docker repo
  • OWASP is the defining standard in security
• EBSI no longer in critical thesis path
• How do we deploy this? Can it only see encrypted traffic between EU citizen and the EBSI server or is it part of the server? Is it blind to successful login per /16 IPv4 netrange or not?

[AdiDumi]

Update sprint:

• ModSecurity can be deployed as a reverse proxy for the server so the traffic is not encrypted

• by default, ModSecurity operates at the application layer and is not designed to directly manage login sessions or track successful login attempts. But, it can be configured to work in conjunction with other security mechanisms, such as rate limiting or custom rules, to detect and mitigate potential threats, including brute-force login attacks:
  • Rate Limiting: implement rate limiting rules that throttle the number of login attempts from specific IP netranges. This can help mitigate brute-force attacks by limiting the number of requests allowed within a certain time frame.
  • Custom Rules: custom ModSecurity rules to detect and block login attempts from specific IP netranges. These rules could analyze patterns in the request headers or parameters to identify login attempts and then take appropriate action based on the originating IP address.
• slowhttptest container build and run :heavy_check_mark:
• modsecurity container build and run :heavy_check_mark:
• still problems in connecting the containers but docker-compose and Dockerfile clean up, short and simple commands
• update - connection established between containers :heavy_check_mark:
• working in repo

[synctext]

• solid prototyping, great work as usual
• You now have proven ability to "reverse proxy secure a server" with custom BAN rules
• This sprint would suggest to focus on connecting to the state-of-the-art
• Found in 1 minute
  • https://scholar.google.com/scholar?q=ddos+ip+reputation
  • quite some papers indeed! {sometimes bit old}
  • TrustGuard: A flow-level reputation-based DDoS defense system
  • Collaborative Blockchain Based Distributed Denial of Service Attack Mitigation Approach with IP Reputation System
  • Distributed Defence of Service (DiDoS): A Network-layer Reputation-based DDoS Mitigation Architecture.
• like spam, an unsolved problem since 1978, the DDoS problem is inherent to the fundamental architecture of The Internet
  • old and unsolved problem
  • needs Internet re-architecting :astonished: :scream: :scream: :astonished:
  • So nothing ambitious, just fix The Internet for your master thesis.
• Similar to QUIC we need a computational light mechanism of resuming communication after once in a lifetime registration process :thinking:
  • this is my personal digital signature
  • here you government is the unique key we agreed upon once I was digitally born for all official government communication.

[AdiDumi]

Short sprint update:

• concentrated on related works and state-of-the-art
• started "Problem description" document for MaRe First Stage
• Added Scientific challenges to the problem maybe?
• very similar idea published in 2022: Collaborative Blockchain Based Distributed Denial of Service Attack Mitigation Approach with IP Reputation System - short paper, no system actually deployed so just a concept for now, might be a good start!
• problem that started to affect the Internet and countries from the 90s

Problem_Description_thesis (1).pdf

[synctext]

• as usual, solid progress :rocket:
  • start to look like a thesis
  • Only 5-6 experimental result figures, more text, DONE!
• Good related work section
  • [6] points to DDoS Open Threat Signaling (DOTS) protocol is developed by Internet Engineering Task Force (IETF) for DDoS attacks information sharing and mitigation. Yet is not mentioned in thesis :bomb:
  • The current Internet-standard IETF state-of-the-art solution to servers under attack is telling another server about the attack. Creating a DOTS-the-DOTS server to communicate that the DOTS Server is also under attack is left as an exercise for the reader/s.
  • The related work such as TrustGuard and DiDoS are all unproven ideas :thinking:
  • Use a blockchain (your [7]) for recording a collaboration agreement, because then anonymous strangers on The Internet can no longer mess with you :rofl:
  • Easy solutions don't exist!
  • Using Session Identifiers as Authentication Tokens
  • Great real world experience of a 2AM DDoS https://rule11.tech/dots/
• Fundamental security problem with Internet architecture (e.g. Problem Description)
  • Trusted End-points, that assumption is now false
  • This goes back to 1962 report P-2626 by Polish Internet Architecture inventor Paul Baran
  • Internet legacy architecture from ancient thermonuclear era.
  • Communications between two companies and network domains need to occur to effectively both detect and mitigate an attack. http://puluka.com/home/networking/dots/ The attack traffic is carried by many AS along the way and nobody is interesting in assisting illegitimate traffic.
• Sprint proposal:
  • given IP reputation focus, IETF Dots, Trustguard, and Modsecurity
  • come up with 3 thesis direction for implementation and performance analysis :smile: Easy sprint
  • plus needs to evolve in a generic Fix-The-Internet :+1:
  • {idea III: login-once, light-weight token check for every API call, large-scale zero-trust tracking {epic table of reputations with O(1) in 1 TByte}} { :zap: fails to use coordination by network intermediaries}
  • Zero trust is based on the principle of “never trust, always verify.”

[AdiDumi]

Brainstorming sprint:

• ideas for directions:
  1. Design smart contracts to manage reputation scores and updates on the blockchain. Each reputation update (e.g., positive or negative feedback) is recorded as a transaction on the blockchain, ensuring transparency and immutability. Extend ModSecurity to interact with the blockchain for reputation validation. When processing incoming requests, ModSecurity queries the blockchain to verify the reputation score of the requesting IP address and incorporate a "TrustGuard's like" reputation management techniques to dynamically adjust reputation scores based on network interactions.
  2. Deploy the IETF DOTS protocol with blockchain-based IP reputation management for DDoS mitigation in distributed server environments, real-time threat signaling and coordination during attacks. Manage IP reputation data securely across distributed DOTS agents and servers. Configure DOTS agents to interact with the blockchain for reputation validation and retrieval during DDoS attack mitigation
  3. Zero-Trust Reputation Management for API security, login-once mechanism for API -> authentication tokens -> lightweight token checks into API endpoints to validate the authenticity and permissions of incoming requests -> IP reputation check
  4. Simple reputation scores and updates on the blockchain for every IP or range/16. Define a harsh reputation computation if heavy traffic comes from IP, users usually have something that DDos attackers do not have -> time to get back the reputation -> time for the server to respond to an attack. The important part: to define a good calculation of reputation based on factors like nr request/second + history over time + successful accesses + bad requests etc.
• performance analysis:
  • blockchain transaction throughput
  • overall attack detection rate
  • mitigation success rate
  • system overhead during attack
  • attack detection accuracy
  • response time for blocking malicious traffic

[synctext]

:astonished: :astonished: :astonished: You have a viable roadmap to fix The Internet.

P2P Modsecurity is a brilliant idea. With a bit of tweaking it is also incrementally expandable. However, no smart contracts, gas payments, and Turing incompleteness please.

Re-architecting The Internet using zero-trust principle, Modsecurity, and PUFs

We create a layer of trust The Internet always needed, but never had. In 1962 the architecture of The Internet for the thermonuclear era was written down in report P2626. The highly survivable system structure is fundamentally unsuitable for today's world. For instance, Internet address 180.101.88.232 owned by ISP ChinaNet Jiangsu Province has been launching SSH login attacks for multiple years. First we create a universal trust token. It consists of a non-revocable self-sovereign identity with list of trust attestations. Second, we instrument Modsecurity with trust scoring, real-time threat signalling, coordination with others, and automatic formation of a global web-of-trust. Third, we present a trust model which is grounded in the laws of physics and mathematical axioms. By combing zero-trust principle and physical unclonable functions we create strong identity and web-of-trust framework which can serve as a mid-life upgrade of The Internet.

Roadmap till 31 Oct graduation

• priority is realisation of zero-trust architecture. All performance or specific features are secondary. Proof-of-principle running code.
• Modsecurity IPv4 scoring for just two trivial attack types (SSH login FAIL, SlowHHTPtest).
  • exchange of universal mistrust tokens about attacks
  • both IPv4 mistrust or self-sovereign identity abuse.
  • web-of-trust creation
  • re-usage of either our mature codebase of Python-based IPv8, trustchain, and EVA. Or compiled Kotlin, trustchain, and uTP.
• Modsecurity understanding of the universal trust token
  • add trust attestations to universal trust token
  • trust anchors can sign the self-sovereign ID.
• PUF part: only in text and pictures of prior work, no coding
  • assume trusted hardware for root key generation
  • see our own prior work on a patent-free PUF with open source code for end-to-end verifiable security. (trust, but verify!)
• classical thesis layout: problem, design, implementation and performance analysis
  • first experiment: server hammering. modsecurity login fails. show creation of mistrust records. Repeated offenders get blocked faster using web-of-trust.
  • second experiment: SlowHHTPtest
  • third experiment: SSI wallet collecting trust signatures
  • final experiment: Attack of the stolen wallets. numerous wallet abusive repeated logins, real-time threat signalling, web-of-trust prevents repeated attacks on other Modsecurity instances

update: strong related work of a -simulation- of attack info sharing https://github.com/LukasForst/fides + proper code: https://github.com/stratosphereips/StratosphereLinuxIPS

[AdiDumi]

Back to coding 🎊 The first experiment work in progress. https://github.com/AdiDumi/IpRepMaster Created a simple login python app to protect and containerized it with Apache2 ModSecurity which acts as a proxy for requests and responses. Every login fail is detected by the modsecurity in the response. Clean up on the last docker container used. Made it more simple and efficient (building was taking too long). -> very basic configuration with logging enabled for detection rule.

# Basic configuration
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecStatusEngine Off

# Enable audit logging
SecAuditEngine On
SecAuditLogType Serial
SecAuditLogFormat JSON
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/apache2/modsec_audit.log

Created custom rules for modsecurity to apply on failed login and detect. Lots of options from documentation with different level of details to add to the logging and rules for specific requests https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29

# Log failed login attempts
SecRule REQUEST_URI "/login" "phase:1,log,auditlog,id:1001,msg:'Login attempt detected'"
SecRule RESPONSE_STATUS "@streq 403" "phase:3,log,auditlog,msg:'Failed login attempt detected',id:101"

Logging in an audit.log file that creates JSON for a transaction

```json { "transaction": { "time": "20/May/2024:09:29:53.332742 +0000", "transaction_id": "Zk27Eeazul3OewgjLhj2PAAAAAA", "remote_address": "172.17.0.1", "remote_port": 37570, "local_address": "172.17.0.2", "local_port": 80 }, "request": { "request_line": "POST /login HTTP/1.1", "headers": { "Host": "localhost", "User-Agent": "python-requests/2.32.0", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "keep-alive", "Content-Length": "35", "Content-Type": "application/x-www-form-urlencoded" }, "body": [ "username=admin&password=faspassword" ] }, "response": { "protocol": "HTTP/1.1", "status": 403, "headers": { "Content-Type": "application/json", "Content-Length": "27", "Keep-Alive": "timeout=5, max=100", "Connection": "Keep-Alive" }, "body": "" }, "audit_data": { "messages": [ "Warning. String match \"403\" at RESPONSE_STATUS. [file \"/etc/modsecurity/custom_rules.conf\"] [line \"3\"] [id \"1001\"] [msg \"Failed login attempt detected\"]" ], "error_messages": [ "[file \"apache2_util.c\"] [line 275] [level 3] [client 172.17.0.1] ModSecurity: Warning. String match \"403\" at RESPONSE_STATUS. [file \"/etc/modsecurity/custom_rules.conf\"] [line \"3\"] [id \"1001\"] [msg \"Failed login attempt detected\"] [hostname \"localhost\"] [uri \"/login\"] [unique_id \"Zk27Eeazul3OewgjLhj2PAAAAAA\"]" ], "handler": "proxy-server", "stopwatch": { "p1": 589, "p2": 882, "p3": 75, "p4": 115, "p5": 1215, "sr": 111, "sw": 1115, "l": 0, "gc": 0 }, "response_body_dechunked": true, "producer": [ "ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/)", "OWASP_CRS/3.3.4" ], "server": "Apache/2.4.59 (Debian)", "engine_mode": "ENABLED" } } ```

Working on processing the JSON transaction through a script that runs every time the log file is updates with a new entry(crons). Extract the relevant information about the login fail. Example:

{
  "ip_address": "172.18.0.1",
  "request_method": "POST",
  "request_uri": "/login HTTP/1.1",
  "status_code": 403,
  "message": "Warning. String match \"403\" at RESPONSE_STATUS. [file \"/etc/modsecurity/custom_rules.conf\"] [line \"3\"] [id \"1001\"] [msg \"Failed login attempt detected\"]"
}

Next steps:

• creating rules to block the traffic after some failed attempts
• understand and add the necessary layers and rules from OWASP Core Rule Set (CRS) (really big, not all needed probably)
• connect the ModSecurity servers to a web-of-trust -> IPv8 python?

[synctext]

• Solid progress! Exploring which idea is realistic for a thesis
• Is connecting ModSecurity servers a good idea?
  • enable spreading an attack alert
  • negative feedback to N servers is an attack vector!
• Novel zero-trust architecture
  • blacklisting based on failed logins and spam traffic
  • whitelisting based on trust token
  • {wild idea of the month, speculative research}
  • portable passport-grade trust for 5G
  • trust token in P2P mode for wallet-to-wallet communication
  • using IPv8 and phone-to-phone communication (e.g. NAT puncturing)
  • build a web-of-trust using signatures and blocks.
• high-risk sprint focus: trust token
  • assume public-key crypto
  • login to server, server signs certificate
  • bundle of certificates parsed by ModSecurity
  • becomes a trust token :boom:

[AdiDumi]

Work in progress:

• added openssl private/public key creation for each server
• now I can create multiple docker containers/servers each one with its own key pair -> simulation of distributed servers
• each server has also a unique ID to use in the token
• working on each server adding in the response a signed token with its ID private_key.sign( certificate.encode(), padding.PSS( mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH ), hashes.SHA256() )
• each server checks the token received with a request and checks the integrity of the certificates(by other servers) public_key.verify( signature, certificate.encode(), padding.PSS( mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH ), hashes.SHA256() )
• ModSecurity can call this scripts and decide what to do with the request(drop, forward, more restrictive rules etc)
• using cryptography python package Code for this stage of development (with Dockerfile containing creation of key-pair) repo

[synctext]

:tada: :tada: :tada:

• now time to add more hype (/s) either Edge-AI or zk-snarks. Again, you only need to invent a public trust function to save The Internet...
• Self-sovereign, zero-trust architecture. So users store all the trust tokens. No 'helpfull' Big Tech cloud storage.
• Can ModSecurity do high-performance trust parsing? Function calling, interrupts, stack duplication, cache flush for each UDP packet?
• Fundamental design choice: transparent trust communication or explicit trust protocol
  • eat away the magic trust token. do not interfere with any server protocol, just add another header session management logic, encapsulation. Basically re-building QUIC Permanent Connection ID for trust. Or SIP for trust.
  • passively observe if trust exists and signature is valid; then forward to server.
  • Both? Explicit forwarding server (trust protocol) or transparent DDoS filter (drop or forward)
• Running the ZK-SNARK proving algorithm for 448 million people of the EU
  • that is a bit of a long list of valid input to prove
  • real-time updates for lost IDs, stolen IDs, and revoked IDs.
  • fancy crypto tricks (still poorly understood) for the root-of-all-trust
  • Hyperplonk: Plonk with linear-time prover and high-degree custom gates
  • Sublonk: Sublinear prover plonk
  • zk-creds: Flexible anonymous credentials from zksnarks and existing identity infrastructure
  • much slower then validating a simple signature :exclamation:
• SDSI Reborn???
  • Establishing Identity Without Certification Authorities
  • Our only purpose is to bind several signature to a public key, in order to prove prior existence. No identity needs to be established. Such proof-of-prior-interactions is not a novel concept. It just failed to materialise for 28 years :upside_down_face:
  • re-pimp The Ancient Texts: RFC2692,RFC2693
  • Every server becomes a self-certifying peer. Talk to many peers, collects signatures, build trust, Re-decentralise The Internet. Essential: score the signatures into a trust estimation. Sybil attack, free identity creation
  • great idea, because others also are working on it: called Rate Limiting Nullifier. (idea: make it simple. Follow this approach exclusively with tech that is at least 30-years old; serialised signatures). Swapping signatures with others to enhance privacy is allowed!
• Final thesis experiment? Do this with upcoming EBSI EU digital identity: score of 100% passport-grade trust.
• Be goal-oriented towards EBSI Grand Experiment. So no 10-week expiration token refresh code please

Next sprints: idea gets bigger, experiments become more focused. 15Sep talk to EBSI server or cancel that part.

[AdiDumi]

Experiment update:

• creating the full extension rule set for checking the signatures of a public key and getting a score
• for now in each request there is a public key header and a signature header with the list of servers that signed before [ { "id": 1, "signature": "abc123" }, { "id": 2, "signature": "def456" }, { "id": 3, "signature": "ghi789" } ]
• scripts that check the signatures and computes a score -> 1 signature is wrong? deny, no signature? more strict rules to apply(TODO)
• on a successful response append the server signature to the list and give it back to the user(full circle). The list of signatures is a set(no double check for the same server)
• simple crypto for signing and checking
• still some problems in parsing the signatures in ModSecurity with scripts call in python
• still open issues from ModSecurity that I have to work around it(https://github.com/owasp-modsecurity/ModSecurity/issu es/2167)
• until now, no related work of ModSecurity and cryptography, novel?
• problems with parameters parsing in exec function -> need a workaround for a single parameter or intermediate log

Full Rules set

SecRule REQUEST_URI "/login" "phase:1,log,auditlog,id:1001,msg:'Login attempt detected'"
SecRule RESPONSE_STATUS "@streq 403" "phase:3,log,auditlog,msg:'Failed login attempt detected',id:101"
SecRule RESPONSE_STATUS "^200$" \
    "id:10003, \
    phase:4, \
    t:none, \
    pass"

SecRule RESPONSE_HEADERS:X-User-Public-Key "!@streq 0" \
    "id:10008, \
    phase:4, \
    t:none, \
    pass, \
    setvar:tx.header_value=%{RESPONSE_HEADERS.X-User-Public-Key}, \
    log, \
    msg:'received message', \
    exec:'/app/add_token.py %{tx.header_value}'"

SecRule REQUEST_HEADERS:X-User-Public-Key "!@streq 0" \
     "id:4001, \
     phase:1, \
     t:none, \
     setenv:key=%{REQUEST_HEADERS:X-User-Public-Key}, \
     deny, \
     log, \
     msg:'Missing X-User-Public-Key header'"

SecRule REQUEST_HEADERS:User-Signatures "!@streq 0" \
    "id:4002, \
     phase:1, \
     t:none, \
     setenv:sign=%{REQUEST_HEADERS:User-Signatures}, \
     pass, \
     nolog"

SecRule REQUEST_HEADERS:User-Signatures "!@streq 0" \
    "id:4009,phase:1,t:none,exec:'/app/check_signatures.py %{env.sign} %{env.key}',setenv:EXEC_RESULT=%{TX.exec.ret}"

SecRule ENV:EXEC_RESULT "@eq 0" \
    "id:7002, \
     phase:1, \
     t:none, \
     deny, \
     log, \
     msg:'Python script denied the request'"

SecRule ENV:EXEC_RESULT "!@eq 0" \
    "id:7003, \
     phase:1, \
     t:none, \
     pass, \
     log, \
     msg:'Python script allowed the request'"

[synctext]

• Good point! Your design requires a "connection state table" with each known public key (origin ip:port uniqueness!)
• Server needs to tell modsecurity or other shell utility about successful enrolments and logins
• Protocol agnostic: fail to login, maximum re-tries reached, excessive requests--go away,and welcome message is indistinguishable for modsecurity
• Then we need the concept of sessions and timeouts for stale entries in "connection state table" :fearful:
• DDoS modsecurity with state explosion attack :skull: :skull_and_crossbones: :skull:
• Background note: passport-grade identity infrastructure is -very- costly
  • 1000 Modsecurity servers against cyberattacks is OK :heavy_check_mark:
  • 515 million Euro, just for Greece
  • Denmark contract went to IDEMIA
  • IDEMIA did €2.9 billion in 2023 revenue
• we're adding a new Internet layer: trust
  • current execution environment: modsecurity
  • DDoS as a first focus, 1st line of defence (can be leaky, stochastic)

ToDo: write small text with state-of-the-art in DDoS + IPv4 reputation. Expand experiment.