CryptoBlog - Data Security and Information Theory

Seeing what stuxnet…

Mario — Sat, 19 Nov 2011 17:57:03 +0000

… was capable of, it was just a matter of time until someone take a jab to the instalations of an utility company.

Hacking mechanical vibrations

Mario — Thu, 27 Oct 2011 16:20:53 +0000

These WIRED article described an interesting application of the side channel idea to key-log your typing by sensing mechanical vibrations.

We need a “DO NOT TRACK” option for smart-phones!

Mario — Fri, 22 Apr 2011 15:40:14 +0000

smartphones tracking users

Hey Apple, Google, when are you going to have a DO NOT TRACK option on your smartphones’ operating systems?
This is another idea, maybe RIM engineers can come up with a feature like that to give the BlackBerrys a fighting chance.

The fact that most of us carry (voluntarily) a tracking device should not be news for anybody. I guess the news-worthy part is that somebody expossed what Apple and Google where doing. I am not sure it is illegal, have you checked the small font bits of the contract you signed? Me neither.
Believe me, that Apple and Google know where you are and where you have been is not the biggest of our problems with privacy as discussed in here.

(h/t) Raymond who sent this link

More on Cyberwar

Mario — Thu, 07 Apr 2011 06:31:39 +0000

Short Video from PJTV featuring an interview with Paul Rosenzweig.

Attacks on Cryptographic Systems (Part I)

Mario — Tue, 22 Mar 2011 05:27:55 +0000

Soft Attacks
No matter how sophisticated the attack techniques become, one must not forget that when the ultimate goal is to obtain the secret message, coercion or social engineering are often the most effective attack techniques. These attacks are based on using physical or psychological threats, robbery, bribery, embezzlement, etc. The attacks are mostly directed to human links of the data security chain.
Social Networks have become a launching pad for these kind of attacks. In a typical soft attack such as the so-called spear-phishing, e-mail addresses and information about the victims social circle is harvested from social networks and then used to send targeted e-mail with malware that cause to reveal secret information for access to secured systems.
Brute Force Attacks
Assuming, as Kerchoff’s principle recommends, that the algorithm used for encryption and the general context of the message are known to the cryptanalyst, the brute-force attack involves the determination of the specific key being used to encrypt a particular text. When successful, the attacker will also be able to decipher all future messages until the keys are changed. One way to determine the key entails exhaustive search of the key-space (defined as the set of all possible valid keys for the particular crypto-system).
Brute force is a passive, off-line attack in which the attacker Eve passively eavesdrops the communication channel and records cipher text exchanges for further analysis, without interacting with either Alice or Bob.
To estimate the time that a successful brute-force attack will take we need to know the size of the key-space and the speed at which each key can be tested. If is the number of valid keys and we can test keys per second, it will take, on average seconds to find the proper key by brute-force.
The threat that a brute-force attack poses cannot be underestimated in the real world. Most financial institutions use cipher-systems based on DES. Keys of length 56-bits, such as the one used by the
standard implementation of DES, can be obtained by brute-force using computer hardware and software available since the late 1990′s. Indeed, to counter this possibility, most contemporary implementations of DES use a derivative known as Triple-DES (or 3-DES) which uses three different 56-bit keys instead of one. The effective key length for the combined 3-DES key is a more secure 168 bits.
Brute force analysis have been used in combination with other attacks as was the case for the deciphering of the Enigma. The famous bombes were an example of the brute-force approach working in combination with a mathematical method that provided an important reduction of the key-space.

To be continued…..

Securing the Human

Mario — Thu, 17 Mar 2011 04:39:08 +0000

SANS Institute set up an excellent resource for those interested in computer security issues (who is not these days?).
OUCH! and other newsletters carry current information on the security issues and they are published now in several languages. I’ve put a permanent link with the badge in the right column.

Good News for InterNet Freedom

Mario — Sat, 12 Mar 2011 07:18:48 +0000

As reported by the National Post

Canada’s telecom regulator said Friday it will not expand its probe into Internet pricing to look at the billing practices of retail Internet services because market forces are working just fine for consumers.

A related editorial, explains why this is the right approach.

A “Free” internet does not mean that users should not be paying market prices for connectivity or services.

See my previous post.

Fingerprinting Computers – Part II – Hardware

Mario — Mon, 07 Mar 2011 03:49:47 +0000

The fingerprinting of a computer using data accessible or generated by software is subjected to a Replay attack or could be easily disrupted by malware. This method should not be used to authenticate the machine.
In order to defeat Replay attacks, the fingerprinting algorithm needs to generate a one time string, based on some unique property of the hardware and that can be used by the verifier to check the identity of the computer.
One example of such technology is the Intel IPT (Identity Protection Technology) that works by generating a unique 6 digit number every 30 seconds. This number is generated by a section of the chip that is inaccessible to the Operating system and holds some secret key shared with the validator/server. Once a particular processor is linked to a server, the server will be able to identify the CPU and validate the computer. Of course this does not imply user authentication and the intended use of this technology is as an additional factor on a multi-factor authentication scheme.
A Public Key infrastructure (Certificate Authority) is still needed to defeat the Man in the Middle attack.
Technologies that can identify hardware to the chip level are being developed to prevent counterfeiting. These are based on the PUF (Physically Unclonable Functions) that use physical variations of the circuit to extract certain parameters that are unique to each chip and cannot be reproduced nor manipulated without physically tampering with the circuit.
Related:
Power-up of a SRAM as a source of Entropy and Identification
Secure Processors, the ultimate battlefield
A PUF Design for Secure FPGA-Based Embedded Systems

Net Neutrality, another bad idea [Updated]

Mario — Thu, 03 Mar 2011 18:39:58 +0000

What can go wrong with the government dictating how much companies can charge for bandwidth on the internet?
They certainly have a very good track record regulating it.

Regulators are congenitally incapable of grasping that they create more problems than they solve

This is why I am always wary of attempts at regulation.

Fingerprinting Computers – Part I – Your browser.

Mario — Sun, 27 Feb 2011 17:32:27 +0000

Authentication is about the only big open problem in the practice of internet security. The existing encryption and hashing algorithms as well as the key generation/management protocols offer a high degree of security, barring programming/implementation errors.
Authentication technologies face serious challenges mainly because identity is difficult to establish with a 100% certainty even using physical characteristics, i.e., signatures and credentials can be forged, the physical appearance of people can be manipulated, etc.

In some applications, the availability of a technology able to establish the identity of the computer with a 100% certainty, is enough to establish identity (or at least a very important factor). Such technologies could be particularly useful for Digital Right Management applications and for communications between servers.
One way to establish the ID of a computer in the network is through the cataloging of the public information that is available to your browser. For example, if you need to establish the identity of your computer on the Internet for the purposes of an e-commerce transaction, the Verificator may use a script running in your browser that requests and catalog the information about installed drivers, fonts, software and plug-ins, such that the particular setup of your computer can be used as its ID. The Electronic Frontier Foundation has made an enormous contribution to the practical aspects of this issue through the project Panopticlik. Focusing on what this information leak does to privacy, they setup a website that runs a script looking at the information that is “leaked” by the browser in your computer. From that they calculated that on average browsers leak about 18 bits of information, that means your particular computer can be picked up from a set of computers that visit the site. Moreover, the evolution of this fingerprint can be tracked over time with a good degree of accuracy.
For identification purposes, this will need to be complemented with additional information readily available to a piece of software that has access to the OS. Therefore, it is in principle possible to have a ‘software’ based ID method. The problem with this approach is that as the computer administrator has full control over the OS, these parameters can be faked and therefore such system will be subjected to a Man in the Middle attack.

[To be contibued...]

To uniquely identify a person out of the total population of the globe will take less than 33 bits
A very good introduction to the probabilistic concepts behind this can be found here.