Category Archives: Cryptography

Book Review: Security Without Obscurity

Posted on by

benrothke (2577567) writes Having worked at the same consulting firm and also on a project with author J.J. Stapleton (full disclosure); I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world. When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standard bodies across the globe. Keep reading for the rest of Ben's review.The premise of the author and the need for the book is that the traditional information security CIA triad (confidentiality, integrity, availability) has led to the situation where authentication has to a large part gotten short shrift. This is a significant issue since much of information security is built around the need for strong and effective authentication. Without effective authentication, networks and data are at direct risk for compromise.

The topic itself is not exactly compelling (that is, unless you like to read standards such as ANSI X9.42-2003: Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, ISO/IEC 9798-1:2010: Information technology Security techniques Entity authentication,etc.), so the book is more of a detailed technical reference. Those looking for a highly technical overview, interoperability guidance, and overall reference will find the book most rewarding.

For those who don't have a general background on the topic; it may be a book too deep and technical for those looking for something more in line of a CISSP preparation guide.

For those that want to know the deep underpinnings of how encryption algorithms work; they can simply read the RFC's and standards themselves. What the book brings to the table are details about how to effectively implement the standards and algorithms in the enterprise; be it in applications, policies; or the specific procedures to meet compliance and standards requirements. And that is where Stapleton's many decades of experience provide significant and inestimable value.

There are many reasons why authentication systems fail and many times it is due to interoperability issues. Stapleton details how to ensure to minimize those faults in order to achieve seamless authentication across multiple technologies and operating systems.

The 7 chapters cover a dense amount of information around the 3 core topics. The book is for the reader with a solid technical background. While it may be listed as an exploratory text, it is not like a For Dummies title.

As per its title, it covers confidentiality, authentication and integrity; in addition to other fundamental topics of non-repudiation, privacy and key management.

One of the ways Stapleton brings his broad experience to the book is in the many areas where he compares different types of cryptosystems, technologies and algorithms. This enables the reader to understand what the appropriate type of authentication is most beneficial for the specific requirement.

For example, in chapter 7, the book provides a really good comparison and summary of different cryptographic modules, including how they are linked to various standards from NIST, NSA, ANSI and ISO. It does the same for a comparison of cryptographic key strengths against various algorithms.

An interesting observation the book makes when discussing the DES encryption algorithm, is that all of the talk of the NSA placing backdoors in it are essentially false. To date, no known flaws have been found against DES, and that after being around for over 30 years, the only attack against DES is an exhaustive key attack. This type of attack is where an adversary has to try each of the possible 72 quadrillion key (256permutations as the key is 56 bits long) until the right key is discovered.

See the rest here:
Book Review: Security Without Obscurity

Google unveils independent “fork” of OpenSSL called “BoringSSL”

Posted on by

Google is releasing its own independently developed "fork" of OpenSSL, the widely used cryptography library that came to international attention following the Heartbleed vulnerability that threatened hundreds of thousands of websites with catastrophic attacks.

OpenBSD developers "removed half of the OpenSSL source tree in a week."

"But well also be more able to import changes from LibreSSL and they are welcome to take changes from us," Adam Langley, a widely respected cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. "We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed."

While it wasn't immediately clear how the forks will functionor when it makes sense to use one over anotherthe following exchange from this Hackernews forum may provide some clues.

matteotom So from what I understand, Google has a bunch of OpenSSL patches they use. They used to re-apply those patches to each new OpenSSL release, but now they're going to keep their own branch (BoringSSL) and pull and merge changes from OpenSSL?

What are the costs/benifits of one method over the other?

agl I think the costs and benefits are pretty much what you would expect. If your diff from upstream is small, then the tradeoff strongly favours rebasing against upstream and tracking it.

However, as the diff becomes larger, the tradeoff shifts. I think we passed that point a while back but, since we were going to switch models anyway, I took some time to clean up some bits of the code too.

tedunangst Fewer surprises. You don't wake up one day and discover that TLS heartbeats have appeared in your library as a result of previous upgrades. Every upstream change has to be reviewed because that's the only way it gets in. Also, local changes are much less likely to be lost as a result of merge conflicts.

The downside is that you may miss some upstream changes that you do care about.

Go here to see the original:
Google unveils independent “fork” of OpenSSL called “BoringSSL”

How to stay anonymous online

Posted on by

One year after the first revelations of Edward Snowden, cryptography has shifted from an obscure branch of computer science to an almost mainstream notion: It's possible, user privacy groups and a growing industry of crypto-focused companies tell us, to encrypt everything from emails to IMs to a gif of a motorcycle jumping over a plane.

But it's also possible to go a step closer toward true privacy online. Mere encryption hides the content of messages, but not who's communicating. Use cryptographic anonymity tools to hide your identity, on the other hand, and network eavesdroppers may not even know where to find your communications, let alone snoop on them. "Hide in the network," security guru Bruce Schneier made his first tip for evading the NSA. "The less obvious you are, the safer you are."

Though it's hardly the sole means of achieving online anonymity, the software known as Tor has become the most vouchsafed and developer-friendly method for using the Internet incognito. The free and open source program triple-encrypts your traffic and bounces it through computers around the globe, making tracing it vastly more difficult. Most Tor users know the program as a way to anonymously browse the Web. But it's much more. In fact, Tor's software runs in the background of your operating system and creates a proxy connection that links with the Tor network. A growing number of apps and even operating systems provide the option to route data over that connection, allowing you to obscure your identity for practically any kind of online service.

Some users are even experimenting with using Tor in almost all their communications. "It's like being a vegetarian or a vegan," says Runa Sandvik, a privacy activist and former developer for Tor. "You don't eat certain types of food, and for me I choose to use Tor only. I like the idea that when I log onto a website, it doesn't know where I'm located, and it can't track me."

Here's how you can use the growing array of anonymity tools to protect more of your life online.

Web browsing The core application distributed for free by the non-profit Tor Project is the Tor Browser, a hardened, security-focused version of Firefox that pushes all of your Web traffic through Tor's anonymising network. Given the three encrypted jumps that traffic takes between computers around the world, it may be the closest thing to true anonymity on the Web. It's also rather slow. But the Tor browser is getting faster, says Micah Lee, a privacy-focused technologist who has worked with the Electronic Frontier Foundation-one of the organisations that funds the Tor Project-and First Look Media. For the past month or so, he's tried to use it as his main browser and only switch back to traditional browsers occasionally, mostly for flash sites and others that require plugins.

After about a week, he says, the switch was hardly noticeable. "It may not be entirely necessary, but I haven't found it that inconvenient either," Lee says. "And it does have real privacy benefits. Everyone gets tracked everywhere they go on the Web. You can opt of out of that."

Email The simplest way to anonymously send email is to use a webmail service in the Tor Browser. Of course, that requires signing up for a new webmail account without revealing any personal information, a difficult task given that Gmail, Outlook, and Yahoo! Mail all require a phone number.

Runa Sandvik suggests Guerrilla Mail, a temporary, disposable email service. Guerrilla Mail lets you set up a new, random email address with only a click. Using it in the Tor Browser ensures that no one, not even Guerrilla Mail, can connect your IP address with that ephemeral email address.

Encrypting messages with webmail can be tough, however. It often requires the user to copy and paste messages into text windows and then use PGP to scramble and unscramble them. To avoid that problem, Lee instead suggests a different email setup, using a privacy-focused email host like Riseup.net, the Mozilla email app Thunderbird, the encryption plugin Enigmail,and another plugin called TorBirdy that routes its messages through Tor.

Excerpt from:
How to stay anonymous online