NSA spying, TPPA and you

Imagine you are playing an online game with a total stranger who happens to be a terror suspect, and your name then appears as a friend of the suspect in the records of the NSA or another western agency.

New revelations from Edward Snowden, published jointly by the Guardian, the New York Times and ProPublica, show that the British intelligence and security organisation GCHQ has used mobile apps like Angry Birds or Google Maps to spy on users and pry into their personal data.

With the Trans-Pacific Partnership Agreement (TPPA) being sold as a plus for Malaysians and other Southeast Asian nations, here comes the National Security Agency (NSA) of the United States and a shoddy agreement with tech giants.

How do the TPPA and the NSA's collection of private and personal data affect your online life?

Amid the ongoing monitoring of mobile applications, Zdnet.fr has revealed that the NSA has struck a deal with the tech giants Facebook, Apple, Google and Yahoo (and, who knows, maybe LinkedIn and Twitter are in cahoots too) to enable them to communicate more transparently about government requests.

In accordance with the directives of President Barack Obama, in his speech of Jan 17, and in accordance with the wishes expressed last December, they (tech giants) will publish the number of requests for access to personal information of their users, the number of orders of the competent court, etc., Zdnet.fr wrote.

While I believe that many people have nothing to hide, particularly those struggling against giant trade deals like the secretive, shadowy TPPA, and against control of the Internet amongst others, the tech companies' willingness to disclose personal information is a dangerous violation of people's rights.

It is to be remembered that joining these tech companies online, and using their apparatus such as the mobile phones and so on, came with the express indication that these companies will not reveal your email or personal details to anyone.

In this swift violation, and disrespect of their guarantees to the end users, the tech giants have taken a step further in allowing the NSA to have all the details they want at any time even if the person they are scrutinizing is not on any danger list.


Tumblr adds SSL encryption option, but not as the default

Tumblr now allows users to encrypt their connections with the microblogging service, but the feature is only offered as an option for now, not the default.

"You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard," Conrad Rushing, Tumblr's director of security engineering, said Monday in a blog post. "Just head over to your Account Settings and flip the switch."

The adoption rate of HTTPS (HTTP with SSL encryption) by online services has increased rapidly over the past several years, driven in part by significant growth in the mobile market.

Many users today access online services primarily from their smartphones and tablets and these devices are frequently connected to public, insecure and generally untrusted wireless networks. This exposes them to man-in-the-middle attacks where attackers intercept Internet traffic and extract sensitive details from it like session cookies, which then allow them to hijack online accounts.

In addition, documents leaked last year by former U.S. National Security Agency contractor Edward Snowden revealed that intelligence agencies are collecting data about Internet communications from unencrypted traffic as it passes through the global Internet infrastructure. Those revelations have increased awareness about online privacy among users.

The revelations about the NSA's mass data collection programs prompted a commitment from Yahoo to provide users with the option to encrypt their traffic with the company's services by the end of the first quarter of 2014. The company made HTTPS a default setting for its email service at the beginning of January.

Yahoo acquired Tumblr in June 2013, but the company continues to be operated independently.

In a time when many popular online services are rushing to make HTTPS the default setting, or have done so already, Tumblr's decision to offer the feature on an opt-in basis strikes some as a bit unusual.

"The addition of SSL is surely better than plain old HTTP and makes sense especially when the user accesses the service via a mobile application," said Bogdan Botezatu, a senior e-threat analyst at security vendor Bitdefender, Tuesday via email. "However, SSL only makes sense if it is enabled by default, because the regular user won't likely alter the default account settings."

"We will eventually turn on this feature by default for all of our users, but to best handle the immense traffic produced by such an effort, we are beginning first by giving our users the ability to opt-in," said Katherine Barna, Tumblr's head of communications, via email.


Cryptography Breakthrough Could Make Software Unhackable

As a graduate student at the Massachusetts Institute of Technology in 1996, Amit Sahai was fascinated by the strange notion of a zero-knowledge proof, a type of mathematical protocol for convincing someone that something is true without revealing any details of why it is true. As Sahai mulled over this counterintuitive concept, it led him to consider an even more daring notion: What if it were possible to mask the inner workings not just of a proof, but of a computer program, so that people could use the program without being able to figure out how it worked?

The idea of obfuscating a program had been around for decades, but no one had ever developed a rigorous mathematical framework for the concept, let alone created an unassailable obfuscation scheme. Over the years, commercial software companies have engineered various techniques for garbling a computer program so that it will be harder to understand while still performing the same function. But hackers have defeated every attempt. "At best, these commercial obfuscators offer a speed bump," said Sahai, now a computer science professor at the University of California, Los Angeles. "An attacker might need a few days to unlock the secrets hidden in your software, instead of a few minutes."

Secure program obfuscation would be useful for many applications, such as protecting software patches, obscuring the workings of the chips that read encrypted DVDs, or encrypting the software controlling military drones. More futuristically, it would allow people to create autonomous virtual agents that they could send out into the computing cloud to act on their behalf. If, for example, you were heading to a remote cabin in the woods for a vacation, you could create and then obfuscate a computer program that would inform your boss about emails you received from an important client, or alert your sister if your bank balance dropped too low. Your passwords and other secrets inside the program would be safe.

"You could send that agent into the computing wild, including onto untrusted computers," Sahai said. "It could be captured by the enemy, interrogated, and disassembled, but it couldn't be forced to reveal your secrets."

As Sahai pondered program obfuscation, however, he and several colleagues quickly realized that its potential far surpassed any specific applications. If a program obfuscator could be created, it could solve many of the problems that have driven cryptography for the past 40 years: problems about how to conduct secure interactions with people at, say, the other end of an Internet connection, whom you may not know or trust.

"A program obfuscator would be a powerful tool for finding plausible constructions for just about any cryptographic task you could conceive of," said Yuval Ishai, of the Technion in Haifa, Israel.

Precisely because of obfuscation's power, many computer scientists, including Sahai and his colleagues, thought it was impossible. "We were convinced it was too powerful to exist," he said. Their earliest research findings seemed to confirm this, showing that the most natural form of obfuscation is indeed impossible to achieve for all programs.

Then, on July 20, 2013, Sahai and five co-authors posted a paper on the Cryptology ePrint Archive demonstrating a candidate protocol for a kind of obfuscation known as indistinguishability obfuscation. Two days later, Sahai and one of his co-authors, Brent Waters, of the University of Texas, Austin, posted a second paper that suggested, together with the first paper, that this somewhat arcane form of obfuscation may possess much of the power cryptographers have dreamed of.

"This is the first serious positive result when it comes to trying to find a universal obfuscator," said Boaz Barak, of Microsoft Research in Cambridge, Mass. "The cryptography community is very excited." In the six months since the original paper was posted, more papers have appeared on the ePrint archive with "obfuscation" in the title than in the previous 17 years.

However, the new obfuscation scheme is far from ready for commercial applications. The technique turns short, simple programs into giant, unwieldy albatrosses. And the scheme's security rests on a new mathematical approach that has not yet been thoroughly vetted by the cryptography community. It has, however, already withstood the first attempts to break it.


Cryptography Apps: How To Keep Your Personal Info Private

NSA Utah Data Center Administration Building. Image courtesy of nsa.gov

If anyone had insisted a year ago that there was a giant government warehouse in Utah that was poring through every electronic communication sent from around the world, from text messages to emails to web traffic, they would have been accused of having paranoid delusions. Now in 2014, though, it's yesterday's news.

After former NSA contractor Edward Snowden leaked information on the United States security programs that are looking through each piece of data we transmit, thus pulling back the curtain on how much our privacy has truly been invaded, the world has changed as our eyes were opened. Encryption is becoming a very important topic in online news, and so is the underlying field, called cryptography.

As consumers living in a post-Edward Snowden world, we should remain aware of what cryptography applications are out there, and how we can utilize them to keep our information (and thus, ourselves) safer. This article is intended to discuss some of the more practical usages of cryptography in modern computing, including PGP/GPG encryption, encrypted chat programs such as Cryptocat, the anonymous Tor browser, and will touch on a major buzz item of 2013, Bitcoin.

All technologies written about in this article are currently (at the time of publishing) legal to use in the United States.

Some Common Cryptography Terms:

Cryptography: The study and practice of techniques for secure communication in the presence of adversaries.

Adversary: A third party who may attempt to decipher an encrypted message. Hackers, rival companies, and identity thieves are all common adversaries in the cryptographic sense.

Encryption: The process of encoding messages or information in such a way that only authorized parties can read it.


Conceal: Facebook’s new Java APIs for cryptography on Android

Summary: Facebook is open sourcing a new security tool intended to help developers write apps that are more secure and efficient on Android.

The term "conceal" might not be the most ideal moniker for a new tech and data-related product these days in the wake of the revelations about the National Security Agency.

That might even go double when the product is about cryptography.

Nevertheless, Conceal fits the bill as the title of Facebook's new set of Java APIs for enabling cryptography on Android.

Even though the world's largest social network is celebrating its 10th birthday this week (today, in fact), Facebook itself is handing out plenty of gifts. They range from a fancy new news reader app dubbed Paper to a tear-inducing personalized video reel chronicling Facebook users' shared moments over the last decade.

As a treat for mobile developers, Facebook is open sourcing a new security tool intended to help them write apps that are more secure and efficient on Android.

Subodh Iyengar, a software engineer at Facebook, explained in a blog post on Monday that these tools specifically target woes surrounding caching and storage.

He stressed that Conceal was designed as a smaller alternative to existing Java cryptography libraries in order to use memory more efficiently.

"Conceal doesn't implement any crypto. Instead, it uses specific cryptographic algorithms from OpenSSL. OpenSSL's crypto library is about 1MB when built for armv7. By using only the parts of OpenSSL we needed, we were able to reduce the size of OpenSSL to 85KB. We believe providing a smaller library will reduce the friction of adopting state of the art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well."

Facebook itself is using Conceal to store image files on SD cards, which the Menlo Park, Calif.-headquartered company asserted will help protect private user data through the encryption of data stored on these cards while moving other data around for faster processing.


US and UK spy agencies accused of swoop on Belgian cryptography expert

SPYING AGENCIES the US NSA and UK GCHQ have been accused of a hacking attack on a Belgian cryptography expert in one of the latest internet spying revelations.

Belgian newspaper De Standaard reported that professor Jean-Jacques Quisquater is the latest victim to be named in the scandal and that his personal computer fell victim to the spooks.

"A new Belgian episode in the NSA scandal: Belgian professor Jean-Jacques Quisquater, internationally renowned expert in data security was the victim of hacking," it reported.

"And, as was the case in the Belgacom hacking affair, there are indications the American secret service NSA and its British counterpart, the GCHQ might be involved."

The attack on the 67-year-old Quisquater, who is a professor at the Université Catholique de Louvain, was uncovered during the Belgacom hacking investigations. According to De Standaard, the professor has lodged a formal complaint.

The newspaper reported that both attacks used similar methods, and explained that the professor was lured into a trap through a socially engineered fake LinkedIn message.

The message purported to come from the European patent office. Quisquater holds 17 patents dating back to 2007.

In an email to the Gigaom news website Quisquater confirmed that the police alerted him to the intrusion and that he was acting on its information.

"The Belgian federal police (FCCU) sent me a warning about this attack and did the analysis," he said, adding that the motive remains unknown.

"We don't know [why]. There are many hypotheses (about 12 or 15) but it is certainly an industrial espionage plus a surveillance of people working about civilian cryptography."


Prosecutor pressed to speed up Assange case

Published: 03 Feb 2014 17:15 GMT+01:00 Updated: 03 Feb 2014 17:15 GMT+01:00

The Swedish prosecutor handling the Julian Assange case lashed out on Monday at calls urging him to push on with efforts to interrogate the whistleblower over sex crimes allegations stemming from a 2010 visit to Sweden.

Assange, who is suspected of rape and sexual assault involving two Swedish women in connection with a visit to Stockholm in 2010, remains holed up in the Ecuadorian embassy in London where he has been for the last 18 months.

But Swedish MP Johan Pehrson, legal policy spokesperson for the Liberal Party (Folkpartiet), said on Sunday there was no point letting such a case fester.

"This is an exceptional case," he said on the Agenda programme on Sveriges Television (SVT). "Which gets you thinking whether the prosecutor shouldn't take one more look at it and take care of it once and for all."

He added that the case had large political implications internationally, and that no one would benefit from it lying dormant. Other legal experts also joined calls urging Sweden's Prosecutor-General to take action in the case, with Anne Ramberg, the secretary general of the Swedish Bar Association (Advokatsamfundet), calling the past 18 months a "circus".
