crypto

Cerf and the "secure from the start" Internet

Vint Cerf, co-inventor of TCP/IP, talked recently about the technology available to "secure the Internet" when it first arrived. News sites claimed "The Internet could have been secure from the start, but the tech was classified."

 That's really not what he said. And it's not true.

 

If the Internet had been made "secure from the start," then none of us would be using it. 


On-line cipher tools

This is a follow-on of my "Grade School Crypto" introduction to the fundamentals of cryptography. While constructing examples from my class, I came across a nice little web site called "Count On," that includes a page of basic crypto tools.


Stout nails in RC4's coffin

Two important announcements this week about RC4:

First, Cisco has downgraded the RC4 encryption cipher and marked it as a cipher to "avoid." In other words, web sites should NOT use it to protect things like passwords. This is a revision of their published recommendations for cryptographic algorithms.


Strong vs Weak Cloud Security

It's always good to hear from an expert, especially an accurate one.

This article in The Register talks about "really secure" email service versus "almost secure" email service, using Lavabit as an example. Lavabit provided somewhat secure email service in that all emails were encrypted with a hefty secret key. But each key was itself stored on the email server, and encrypted with the owner's password.


RC4, SSL, and deck chairs on the Titanic

Chrome has sensibly increased the key sizes it expects in public-key transactions (see here and here). However, Chrome still silently accepts RC4 encryption, even though RC4 has been vulnerable to attack for over a decade.

This is like putting a heavy padlock on a cardboard box.

Even so, 7 out of the top 10 US web sites still use RC4. This includes sites with a lot to lose like Amazon and eBay as well as Google itself. The other weaklings in the Top 10 are LinkedIn, Wikipedia, Twitter, and Google's Youtube (as weak as their owner).


Internet crypto cracking is no real surprise

The Guardian has recently published a report on how the NSA and the UK's GCHQ have been routinely cracking cryptography used on the Internet. Seriously, this is no surprise. Lots and lots of sites routinely use "RC4" encryption, whose vulnerability has been well known for over a decade.

I also hadn't realized the extent to which American citizens in general are considered "the enemy" by the NSA. Their duplicitous role in Internet standards is breathtaking. It may be the grandest example of social engineering. Ever.


A gentle crypto introduction


Last week I produced an introductory crypto video. It uses animation to illustrate simple substitution ciphers. The 10-minute video introduces the concepts of algorithm, key, key sharing, modular arithmetic, cipher disks, and code cracking via frequency analysis.

I used a 3D modeling package to produce cartoon characters for Bob, Alice, and Eve. In the back story they are school children, and only Eve has a cell phone. Bob and Alice use simple ciphers to share texts via Eve's cell phone, and the ciphers keep Eve from reading the texts first.


Practical Cryptography: Science or Engineering?

There are comments flying around as to whether cryptography should be approached as a science or as engineering. It apparently started on Twitter. Bruce Schneier has weighed in and linked to an interesting essay by Colin Percival.

The actual border lands might not be surveyed yet, but I believe there's a distinct field of cryptographic engineering, just as computer architecture can be independent of circuit design. In both cases we try to establish design rules so that engineers can build things with predictable properties. In both cases we can push the envelope of those rules and yield disaster. 

We establish an engineering discipline by trying to codify the design rules, teach them, build with them, and assess the results. That's what we see in security/cryptographic engineering these days. It's healthy even though we end up with occasional vulnerabilities.


Quantum Computations, Crypto, and Chicken Little

Yet again, the sky is falling.

Researchers at UCSB have demonstrated a "quantum processor" that correctly operates "Shor's algorithm for factoring primes" all of 48% of the time (Photo left, courtesy of UCSB). This has produced all sorts of dire predictions about existing cryptographic mechanisms.

This is nonsense. We don't know enough about quantum computing to believe that a practical quantum computer architecture can follow Moore's law. And so-called "quantum cryptography" is not the answer.


OS X Lion: No encrypted RAID after all

I installed Lion last night and spent today figuring out what does - and does not - work. As a huge fan of full-disk encryption (FDE), I'm disappointed in their drive encryption.

RAID may have been improved, but Lion's encryption features, including Time Machine encryption, are not compatible with Apple's RAID.

The diagram at right (from Elementary Information Security) shows how full-disk encryption (FDE) typically integrates into the system software. The diagram doesn't show where the RAID software might reside. I'd expect it to be very closely tied to the device driver. However, it appears instead that Apple placed the FDE below the RAID software. Perhaps this improves performance, or perhaps the choice was driven by design decisions invisible outside Cupertino.

The Time Machine improvement: they have explicitly documented how to switch in a new mirrored drive for an old one. I haven't tried their suggested process since the upgrade. I'd tried the suggested process a couple of years ago, only to have it fail. So we'll see how it goes.

