Thoth • October 25, 2014 7:45 PM

Talk about CALEA abuse:

http://arstechnica.com/tech-policy/2014/10/chp-officers-reportedly-stole-cell-phone-photos-from-women-in-custody/

Another reason to simply just not provide CALEA at all with robust easy to use high assurance mechanism. You give someone a golden key (trusted) or a backdoor (covert), they will use it beyond the box the Law have drawn for them (quote Keith Alexander of NSA) to do anything they want.

TAO :: CrowdFund-Zebra

Yea… that’s a name I give this TAO which is to control/intercept/coerce crowd funding sites like KickStarter to kill off any opposition movements due to crowd funding being so popular these days.

You can control the site admins or people in the crowd funding management team or you can go straight to the members who start a particular crowd funding project. They are all pretty much sitting ducks as they expose their bank accounts and identity online.

Thoth • October 26, 2014 10:18 PM

@65535, AiD, et. al.
Let’s put it in a very crude way, Governments now are runned by “crooks”. They only vcare about their own profits and pockets and not their citizens.

The trust in Governments world-wide have seen a huge erosion, from Middle East, Asia to Europe and Americas.

They use cliche terms to coerce, blackmail and threaten and if they dont succeed, they use extra-judicial means to get what they want fulfilled.

That article I posted above shows as a small example of a larger issue of Government misbehaviours and why everyone should secure their boundaries against their misuse with high assurance security.

@Samsungg Knox et. al.
Is there a specific CC EAL and FIPS 140-2 certification for this one ?

@Fransico
They are trying to use phones as authentication and tracking. Only worsens security and privacy. If you can pull a phone database, you can make correlations and bruteforce their passwords. Don’t forget it uses another provider, Fabrics, to supply that technology. Who knows if the login details would reside at Twitter or Fabrics and the security assurance and incident response they provide (plus cooperation with TLAs). Social technology (Twiiter/FB/GPlus…etc…) are meant to disrupt privacy from it’s core due to their initial design.

@all
For those who just aren’t convince that phone and metadata correlation are very powerful tools for breaching privacy, I would advise the download and trying of the Neo4J graph database tool (http://neo4j.com/) and script some quick Java codes loaded with fake identifiers and metadata. Deanonymization and identity correlations could not get much more easier to automate with tools like Neo4J and other graph databases that supports relationship mappings !

Thoth • October 28, 2014 3:49 AM

@Markus Ottela and Nick P
Regarding TripleSec, I think the use of AES might trigger off alarms and bells to those who are sensitive against the NIST/NSA algorithm. I would and have suggested the use of Serpent cipher in the replacement of NIST/NSA/AES.

Thoth • October 29, 2014 11:15 AM

@Nick P
RE: Spritz: It’s hilarious that you said…
I wouldn’t be surprised NSA and GCHQ poisoned the security market and that’s where everyone thinks CC EAL 4+ and above is “High Assurance”. In fact, I was browsing through a brochure on a datalink encryptor with EAL less than 5 and it claims to be a Government grade encryptor.

If that’s not enough, here’s something you might not be surprised but it may raise your eyebrows. Certain HSMs have a Secure Execution Engine (SEE) where users may load SEE codes into the secure environment of a HSM to execute code securely in the HSM’s secure boundaries. It all sounds good until the application of the license to activate the SEE feature. There is the SEE (EU+10 – EU countries, US, UK, Japan and a few toehr special countries) which basically means you are allowed full access to the SEE engine in the HSM for secure code execution and there is the SEE (Restricted) for Banking which means a restricted subset of the SEE functionalities can be used. Note that I mentioned the word Banking because according to some sources, application of license for the SEE functions for Foreign Governments are not allowed (weapons control) as it is regarded as a controlled item/feature to enable SEE activation. The rationality is if a foreign Government entity were to buy the HSM and uses the SEE for secure execution of codes, it would be disastrous or more troublesome (as reported by certain sources). In fact, sales of HSMs to Foreign Government entities are highly monitored affairs especially those with SEE features and also highly restrictive to obtain permissions from the origin country which makes/delivers the HSM.

I have met companies who tried to pitch sales to me that their FIPS 140-2 Level 1 Software Security Module (and they do not have a concept of CC EAL) are secure….

And … some of them with CC EAL knowledge tells me that the EAL levels are very subjective and low EAL may not mean it is not secure ….

I have seen security products with bloated codebases that glitches every minute and every second (exaggeration – but you know what I mean) and it is marked as secure ….

Let’s put it this way, NSA/GCHQ have managed to poison the entire Security Market and I would propose a hard reset as the only option to recover from this fatal poison. One way is to open up as much open source hardware and software designs built from the base as a EAL 6+/7+ high assurance C1odebase design that does not glitch every minute or second.

Secure protocols created by non-crypto/non-sec people who don’t know anything about side channels, hardware and software that are bloated with too much nonsense and glitches frequently, lots of hidden features … and worse of all … nasty marketing tactics (war/scare mongering).

The first step of remember is to redo security as a whole. The basic security modules that most people rely on are message encryptors, secure credential storage and secure key management that are fully open sourced (hardware and software) for everyone to use without any legal issues as one of the first few steps to reset the security industry.

Thoth • October 30, 2014 8:47 AM

@Markus Ottela
Here is the abstract drawing:
http://imgur.com/gkYJEW0

Regarding the blogger, it’s not really within the scope of the project but it just shows how modern surveillance catches things in real time.

Theoretically AES is still fine but we never know. As Bruce always says, attacks gets better and we know very well that NSA and GCHQ have huge fundings that even the people in charge have no idea what’s going on behind closed doors. We also know that NSA attempted to slip backdoored stuff into the market and attempted to coerce companies to compromise security. You are right that in practice it is still hard to break AES but it is just a cautious and conservative move to have something just in case it breaks (that’s why Nick P suggested chained ciphers being used together).

A better idea is to have a selector to use a fast cipher suite (AES and all those fast ciphers) and a paranoid cipher suite (for those who don’t trust NIST/NSA/GCHQ). Anymore complex than this simple cipher suite selector might complicate matters though.

Thoth • October 31, 2014 12:13 AM

@Nick P & secure hardware et. al.
I would still think the only trusted input is human input.

The best way to do this is to create an oblivious and simplistic key handling mechanism without serial, network, LEDs or any compromise-able channels possible.

With the opens source hardware RNG with an internal CSPRNG (might consider Bruce’s Fortuna PRNG with modifications by Adi Shamir’s team).

To securely generate a key, run the keygen command inside the isolated key handling machine and accept a password to wrap the generated key via strong cryptographic algorithms (includes polyciphering / chained ciphering techniques).

A trusted display will show the wrapped secret key bytes (black keys) and you copy them on a paper or a few pieces of paper.

For a asymmetric key, it will wrap the private key and will let the public key be plain since public key is generally not secretive. Copy the wrapped private key on a sheet of paper or a bunch of papers.

For a secret shared key (Secret Sharing Scheme over a Quorum – K/N or M/N scheme) each of the quorum of secret key or private key would be wrapped by same password or different password which participants in a key handling ceremony can key in the password for themselves and copy the wrapped key bytes onto their bunch of papers.

All the keys would have a BLAKE2 crypto hash set to a 8 bytes or 10 bytes output for key integrity checking. The low number of byte output for the hashed checksum is to make it easy for participants in a key ceremony to copy them down onto their paper. For the paranoid, the checksum could be made longer.

In the instance of keyloading ceremony for an organisation or just a simple keyloading procedure for an individual, the user would input the wrapped key bytes from the papers that have and input their password for wrapping the key.

The above technique is a more manual variant of keyloading which the Thales HSM uses for it’s payment module for handling credit cards.

The Thales Keyloading Device (KD) uses specially formatted smartcards (can only be used in the payment module secure environment boundaries) because the formatted smartcards contain data blobs with ACLs that permits certain executing environments.

The smartcard would be brought before the HSM to have key transfer details prepared in it’s own format in the original HSM written to the smartcards. The smartcard would be inserted into the KD and you acknowledge the settings you load the smartcards that the KD have been used to acknowledge so that the actual keymats can be wrapped by an operator secret key and loaded into the smartcards. The smartcards’ wrapped key and CRC checksum are accessed again via the KD copied out and the copied bytes are transported by couriers. Import key bytes would be to load an empty formatted smartcard and the bytes keyed from the courier secured papers into the KD on the receiving end with smartcard inserted. The smartcard is slot into the receiving end’s HSM and the operator key in the receiving end’s HSM unwraps the key bytes loaded and formed from the smartcard.

My above concept is a simpler format with the use of password protected keys without all the additional complexity. In the event keys need to be securely loaded into a crypto device like the TFC module, it should have a keyfill slot that only accepts a serial port (SafeNet Luna HSM uses a serial port with a keyloading device) connected to my above simplified form of KD to unwrap keys into a secure environment for keyloading activities.

Thoth • October 31, 2014 2:11 AM

@Anura
And the way now it’s used is like a all-purpose-shoot-everyone-down tool.

Fascinating…

Good intentions mostly turned evil I guess…

Thoth • October 31, 2014 10:02 PM

@Nick P
In regads to:

“I’d say all secrets should be derived from a master secret & user password in a way that exporting one secret onto paper can recover anything else in event of device failure.”

I will say that is dangerous. If I understand your meaning correctly, you want subsequent keys (raw keys) to be non-randomly generated from a master secret key (called a module key) and if any of the raw keys are accidentally exposed somehow, the pattern for generating the other raw keys and the possibility of partially or fully discovering the module key maybe worrying although not proven yet.

I would say all the keys should be split into shares and protected. These can be loaded into MicroSD cards and later destroyed for ease (if too lazy to copy by hand). A quorum of MicroSD cards to reload the entire set of keys are required. If MicroSD is a concern, then a specially made IR or some form of light or optics based manner to transmit the data in a closed environment is required.

My model is based on the concept of a trusted and forgetful Key Handling Device (I don’t call it Keyloading Device) because it’s purpose is to load, generate and provision keys. It is more like a personal forgetful and portable HSM that makes the keys for you and help you load your keys into any other secure modules requiring you to provision keys. It can be a small form factor as small as a USB device for portability and additional features like light sensor communications.

The TFC has a transmission and a receiver module and that means keyloading must be done twice. Over a Key Handling Device of sorts (regardless if it’s your version or my version), the idea is to make it “load once, run all”. If the TFC module (RxM and TxM) were to be for the purpose of unwrapping keys and using them directly, it needs a simple and easy way though.

Thoth • November 1, 2014 3:35 AM

@Nick P
My concepts are more generalized which encapsulates TFC within it as well as possibilities of other needs.

Regarding the Key Handling Device, it is an extension of a personal key handling issue most cryptosystems face. It is made abstract in purpose so it can be used in multiple scenarios for handling keys.

The reason for me to mention secret sharing and splitting keys is to allow the use of the scheme for not just individual communications but for a group of people on each side of the channel. This is just yet another extension of TFC to allow two groups or more of people to communicate safely. Another reason is that if one of the shares are lost, it is not as harmful as losing all in one shot and as long as the attackers does not know of the other shares. Of course the person maybe tortured or killed but still if the shares are not known, the security is still not broken. One of the uses is to hide shares of unknown amount while crossing into dangerous terrains. Again, this is in anticipation of me putting into the context of keyloading and possession of keys via the mentioned personal Key Handling Device. Just yet another extension and idea on Key Management for TFC.

Most of TFC documentations do not talk much about the critical part of any cryptosystem which is Key Management and that is what I am trying to supplement. If the user simply does the default stuff (generate new key at program setup and exhange them) and does not move the keys outside the TxM and RxM, far enough to say that would suffice in most scenarios.

The TFC design is a good direction but it leaves much to be desired. It’s tamper “proofing” which in a more accurate sense in the industry is called tamper evident is insufficient and can be worked upon in future iterations if Markus et. al. is willing to continue the development and consideration of advises given by us and others. A tamper proof device is something that is 100% not able to be tampered and it does not exist (same as what is an ideal cipher that does not exist).

Put it in short, my point is to introduce to TFC a generalized method of Key Management and portability concept via a tamper resistant Key Handling Device that has the ability to extend across multiple applications and allows the use of paper-based techniques to record and transfer black keys (encrypted keys) across hostile channels (includes the use of secret sharing schemes as shown above in previous post).

To extend further your work on password-based crypto if the Key Handling Device is not in use, the S/KEY algorithm (http://en.wikipedia.org/wiki/S/KEY) would be a good place to start off for a password-based key permutation function to generate message cryptographic keys. To extend the S/KEY algorithm, I would say the use of DH KEX to generate a random S/KEY session nonce per session or the initial session secret.

If the user is talking to multiple people, the single master secret with user password that you suggests can be more complicated as you need to have a deterministic way of deriving the secrets of other users.

To add on top of the fact that Markus’s work may actually be a modification of what the Cypherpunks created of the original OTR implementation that Pidgin uses, switching to a password-and-master-secret scheme for multiple users would require a rework of the code libraries (not a negative thing) if it can be done so that the security that the OTR protocol is not in some ways compromised.

Put it simply, Nick P’s simple key management without additional device except to know a master secret and a password or my version which is via a Key Handling Device. Both are interesting approach to Key Management and others may chip in other ideas too.

Thoth • November 1, 2014 5:37 AM

@Markus Ottela
In regards to OTP with XOR, I would like to caution that if the attacker knows the plaintext (like the header or some static or predictable data), he can XOR the ciphertext with plaintext to derive parts of the key or even the entire key. Use OTP key over a proper stream cipher for added security.

A good lecture on stream ciphers and OTP mechanics: https://www.youtube.com/watch?v=sRUsl0aqDDY

You might want to study the protocol of TextSecure which uses per-message DHE keys and also a cryptanalysis and improvement suggestion for TextSecure (http://eprint.iacr.org/2014/904.pdf).

There are many ways to derive OTP keys.

1.) One way is to derive a huge chunk of them and try to sneak them across to each other through hostile environments in encrypted form as you mentioned.

2.) Another way is to simply exchange and verify signing public keys face-to-face and then use a randomized DHE based per-message protocol like TextSecure to derive OTP keys on the fly.

3.) Another way is to communicate with DHE-OTP generated on the fly and then over that channel dump a load of like 1000 OTP keys and then default back to that dump of 1000 OTP keys and once both sides are close to 100 keys remaining, start generating and dumping more keys over the network.

This way the chance of being intercepted during the face-to-face meeting and being coerced into decrypting is reduced. If you are simply just comparing DSA signing keys then there is nothing much to lose since it’s public keys that can be shown in the open.