Certificates and Keys

I want to talk about certificates. But first let's define a few terms. A key is a number in binary form, which is stored in a text file. That being said, a digital certificate is a pair of public and private keys. It is created by a certificate authority like Verisign. The digital certificate is used for encryption and decryption. The certificate is assigned to either an individual or an organization.

Now that we know what digital certificates are, we can define a key server as a machine which holds the public keys of the digital certificates. There are some potential problems with certificate use. Some applications do not take them. And some unscrupulous individuals forge digital certificates. Finally it can take a lot of work to get the certificates in the first place.

Let us put aside the certificate problems and talk some more about them. A digital certificate can hold a lot of information such as the version, serial number, issuer name, period of validity, and public key. For companies, you are going to want to set up a certificate policy. The policy covers issues like where logs are stored, whether keys get backed up, and validity periods. Armed with all this information, I am ready to discuss what PKCS is next time. See you then.

Texas Instruments Ownage

The online edition of IEEE Spectrum magazine alerted me to some major calculator hackage. A dude cracked the TI-83 Plus calculator from Texas Instruments. He got the signing key figured out. Now the key can be used to transfer your own O/S onto the calculator.

There was just one problem. The dude posted the key on his blog. The result was a cease and desist order from Texas Instruments. Damn. Apparently he was charged with violating the DMCA. The guy submitted and took down his post. Ouch. That's weak.

Another dude wrote about the incident. He linked to a page that had the signing key. I bet you can guess what happened. Texas Instruments slapped him with a cease and desist order. WTF?

Open Source Encryption

I read an article about the legality of open source encryption software. If the software has strong encryption, and is available to all, then it may be violating some laws. Specifically the Bureau of Industry and Security (part of the Department of Commerce) will have some things to say about it.

Now I don't want to waste any time right now discussing whether it is wrong or right to block export of encryption technology. What I did find interesting was the top encryption algorithms used by open source developers. These include familiar names like DES, AES, and Diffie-Hellman. However another top algorithm was ElGamal. I have never heard of ElGamal before.

A little research shows that ElGamal is an asymmetric algorithm. It dates all the way back to 1985. It is mostly found in open source cryptographic applications. Perhaps that is why it is foreign to me. I normally do not keep on top of the open source scene.

Mail and Tunneling

You would think that hackers would try to intercept network communications. However this is a difficult task if safeguards are used. Instead most hackers like to attack data at rest. In other words, they will try to get at data sitting on a machine, not stuff passing through the network.

If you want to encrypt email you send, there are two main options: (1) S/MIME and (2) PGP. MIME is an old standard that lets you attach binary files (like images) to email. S/MIME is a secure version of that protocol.

PGP stands for Pretty Good Privacy. It is a program written by Phil Zimmermann. There is a free version called GnuPG. This program covers encryption and the storing of keys on your machine.

Let me close by talking about secure network connections. A VPN is a virtual private network. It lets you connect to a machine over the Internet. The encryption can be applied to just the data. You can also do tunneling, where even the packet headers of the transmitted data are encrypted as well. Popular tunneling protocols include IPSec and PPTP.

Next time look for a discussion on passwords, keys, and certificates.

Booth Babe Syndrome

A video from the Hack Day 2009 conference was released that caused a bit of a stir. They had some booth babes doing lap dances as entertainment. The video seems to have disappeared. However some pictures are still floating around.

The event was held in Taiwan. Many said it was the wrong place for such lewd behavior. Others thought it was fine to skip being politically correct. They have this thing going on at DefCon right?

Hey. The hacker conferences are full of dudes. And most of those dudes will probably enjoy a bunch of booth babes making things interesting. So if they give out free lap dances, I say more power to them. Next time I will return to our regularly scheduled cryptography discussion.

Algorithms

Last time we discussed asymmetric key algorithms. Now allow me to talk about a familiar name in cryptography. This is the Diffie Hellman algorithm, also known as DH. It is named after the two researchers who first documented it. These guys are Whit Diffie and Martin Hellman.

The Diffie Hellman algorithm is one that allows two parties to perform a key exchange over an insecure connection. They use a technique where it would be hard for a person watching the communications to reverse engineer the key they share. The end communication is a symmetric one, where the two parties share the same key.
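The exchange described above, as an added example that is not part of the original post. The group parameters `P` and `G` are toy values chosen for this sketch (far too small for real use), and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (assumption for this example): the Mersenne prime 2**127 - 1.
# Real deployments use much larger, standardized groups.
P = 2**127 - 1
G = 3


def make_keypair():
    """Return (private, public) where public = G**private mod P."""
    private = secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]
    return private, pow(G, private, P)


def check_peer_public(value):
    """Reject degenerate values (0, 1, P-1, out of range) that would
    force the shared secret into a tiny, predictable set."""
    if not 1 < value < P - 1:
        raise ValueError("peer public value out of range")
    return value


def derive_key(my_private, peer_public):
    """Combine our private value with the peer's public value, then hash
    the shared number into a 32-byte symmetric key."""
    shared = pow(check_peer_public(peer_public), my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange():
    """Run both sides of the exchange and return the two derived keys."""
    a_priv, a_pub = make_keypair()
    b_priv, b_pub = make_keypair()
    # Only P, G, a_pub and b_pub ever cross the insecure connection.
    key_a = derive_key(a_priv, b_pub)
    key_b = derive_key(b_priv, a_pub)
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = exchange()
    print("keys match:", key_a == key_b)
```

Plain Diffie Hellman does not authenticate either party, so in practice the public values are signed or otherwise bound to an identity.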

Next let me briefly cover PGP. It stands for pretty good privacy. This is an encryption program that allows users to communicate via secure email. This is a system that uses asymmetric keys.

Finally there is also a newer topic in cryptography called elliptical curve cryptography (ECC). It also uses asymmetric keys. This technique is good for encrypting large amounts of data. I will not go into the mathematics behind this technique right now. Perhaps that is a research topic for another day. Next time I will go over some other mail encryption methods, and also discuss tunnelling.

Asymmetric Keys

Last time I discussed symmetric keys. Now I will talk about asymmetric keys, where different keys are used to encrypt and decrypt the data. You use the public key to encrypt. Only the private key can then decrypt the data. An example of an asymmetric encryption algorithm is RSA.

RSA was invented by Ron Rivest, Adi Shamir, and Leonard Adleman. Thus you get R-S-A for their last names. You can use RSA to encrypt keys which themselves can later be used to do symmetric encryption/decryption.

Next time I will talk about Diffie Hellman and PGP.

Symmetric Algorithms

Let's go over some of the popular symmetric encryption algorithms. These include DES, 3DES, IDEA, and AES. Like most things in cryptography, you are going to see a lot of acronyms.

DES stands for Digital Encryption Standard. It is a block cipher with a 56 bit key. The algorithm goes through 16 rounds to get the final data.

3DES stands for Triple DES. You can probably guess that it is three times as strong as plain DES. It uses three different 56-bit keys for encryption.

IDEA is the International Data Encryption Algorithm. IDEA is part of PGP. It uses a 128 bit encryption key.

Finally AES is the Advanced Encryption Standard. AES uses the Rijndael algorithm. It is named after the two creators of the algorithm. You pronounce it rhine-doll.

Next time I am going to start up with asymmetric keys.

All About Ciphers

Today I want to go into ciphers. Remember cipher is another name for the algorithm used to encrypt data. There are two main types of ciphers. They are the block and stream cipher.

A block cipher works on a chunk of characters at a time. Examples of block ciphers are the popular DES, 3DES, and AES ciphers. You should also know about Cipher Block Chaining (CBC). This is where you exclusive OR (XOR) data with itself and the key table to encrypt the data.

Stream ciphers on the other hand work on one character at a time. An example of a stream cipher is RC4. Another example is the Secure Telephone Unit #3 (STU-III).

Next time I will enumerate the popular block ciphers, including DES and AES.

Randomness

Last time I said I would start discussing key tables. So let's do this. A key table is used to encrypt data. It is based on an original key. Other names for a key table are key setup or initialization. This is where some algorithms go wrong, and allow crackage.

The generation of random numbers is an integral part of encryption. So how exactly do you generate random numbers? When a computer does it, we call it the RNG (Random Number Generator). However there is a technique to generate quasi-random numbers called PRNG, or Pseudo RNG. It allows you to "seed" the generator with a value. That value determines what numbers get generated. Every time you use the same seed, you get the same results.
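The seeding behavior described above, shown next to the operating system's cryptographic generator. This is an added example, not part of the original post; the function names and the seed values are constructed for illustration.

```python
import random
import secrets


def key_from_seeded_prng(seed, nbytes=16):
    """Key bytes from Python's general-purpose PRNG (Mersenne Twister).
    The output is fully determined by the seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def key_from_os_csprng(nbytes=16):
    """Key bytes from the operating system's cryptographic generator.
    There is no caller-supplied seed to repeat or guess."""
    return secrets.token_bytes(nbytes)


def distinct_keys_for_seed_space(seeds):
    """Count how many different keys a given set of seeds can produce.
    A 128-bit key seeded from a small seed space is only as strong
    as that seed space."""
    return len({key_from_seeded_prng(s) for s in seeds})


if __name__ == "__main__":
    # Same seed, same "random" key, every time.
    print(key_from_seeded_prng(1234) == key_from_seeded_prng(1234))
    # At most 1000 possible keys if the seed is one of 1000 values.
    print(distinct_keys_for_seed_space(range(1000)))
    # Two calls to the CSPRNG give unrelated keys.
    print(key_from_os_csprng() == key_from_os_csprng())
```

Seeded generators are the right tool for repeatable simulations and tests; key material should come from the `secrets` module or `os.urandom`.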

Finally I want to go a little further with symmetric encryption algorithms. In particular, I want to mention a few implementations of symmetric encryption. The popular ones are DES, 3DES, and AES. However there is also IDEA and TwoFish. I will not go into the particulars of these right now. Perhaps we will review them next time.

Secure Sockets Layer

The Secure Sockets Layer is known as SSL. It is an encryption method to handle data sent from the web browser to the server. All the data sent is encrypted. It is a standard for such web transmissions. The encryption comes in 40 and 128 bit varieties.

Mathematicians create cryptographic systems. One example is RC4, which was created by RSA Data Security. RC4 is used by SSL. Keys for encryption are made from long prime numbers. I have mentioned before that the keys themselves are frequently encrypted.

Know this. Every algorithm is breakable. You just want to ensure you are using an algorithm that is difficult enough to break based on the data carried in the payload. Hackers don't know or care about crypto algorithms. They are too light weight for such work. Instead they work on tricking people out of their passwords.

Encryption stronger than 40 bits is prohibited from being exported out of the USA. This seems like a strange rule. But it is enforced. Be careful with strong encryption methods. Next time I will cover topics like the key table, as well as different techniques for random number generation.

Crypto Keys

One of the biggest weaknesses with crypto keys is sharing their use. Don't do it. Even if the key is secure, you have other problems. Cryptanalysis is the art of breaking ciphers. That sounds like cloak and dagger stuff.

There are two varieties of keys: symmetric and asymmetric. The main difference is that the same key encrypts and decrypts the data in symmetric processing, while asymmetric processing uses a different key for encrypting and decrypting.

I just had a college class exam. One of the choices in a multiple choice question was S-HTTP. Now I will share what I know with you. S-HTTP stands for Secure HTTP. It allows encryption to be added to web browsing. In my next post I will go into some SSL details.

Crypto Ciphers

Recall that a cipher is an algorithm which hides data from prying eyes. A very simple example of a cipher is the substitution cipher. This is a one for one replacement of characters. The Germans used such a cipher called Enigma in World War II.

Another cipher example is the transposition cipher. This is where you change the order of characters. It can become complicated depending on the strategy used to do the reordering.

Next let's talk about the hash. A hash is a one way function. That means you can transform your original data using the hash. However you cannot easily transform the hashed data back into your original text.

Hashes are used to validate the integrity of some data. You send your original data unencrypted. Then you also send the hash of the data using encrypted methods. The recipient can also compute the hash of your original data, verifying that it was unaltered in transit.
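The integrity check described above, as an added example that is not part of the original post. It assumes SHA-256 as the hash and that the digest reaches the recipient over a protected channel; the sample messages and function names are constructed for illustration.

```python
import hashlib
import hmac
import io


def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large payloads need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(stream, expected_hex):
    """Recompute the digest on the receiving side and compare it with the
    digest that arrived over the protected channel."""
    actual = sha256_stream(stream)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_bytes(data, expected_hex):
    """Convenience wrapper for data already held in memory."""
    return verify(io.BytesIO(data), expected_hex)


# Constructed sample messages: the second differs by one character.
ORIGINAL = b"Transfer 100 credits to account 42\n"
TAMPERED = b"Transfer 900 credits to account 42\n"

# The sender computes this and sends it separately from the data.
TRUSTED_DIGEST = sha256_stream(io.BytesIO(ORIGINAL))

if __name__ == "__main__":
    print("original ok:", verify_bytes(ORIGINAL, TRUSTED_DIGEST))
    print("tampered ok:", verify_bytes(TAMPERED, TRUSTED_DIGEST))
```

The check only holds if the digest itself cannot be altered in transit; if both the data and the digest travel unprotected, anyone who changes the data can simply recompute the digest.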

Next time I will go over keys and their use in encryption.

Cryptography for Dummies

I studied up a book I got from the library called Cryptography for Dummies. Yeah it is a Dummies book. But I learned much from it. I took six pages of notes during my read. This book is from 2004. But much of the information still holds true today.

The subject of cryptography is complex. They have a lot of classes in my college on cryptography and security in general. That does not mean cryptography is all hi tech. You can use it in low tech systems.

An algorithm is a technology to hide data. It is also called a cipher. The specification on the DES algorithm is 7 pages long. Time for another read I guess.

I plan to be writing about the lessons I learned from this book for a long time. My next post will start with different types of ciphers.