Entries Tagged "encryption"

Page 35 of 56

Roger Williams' Cipher Cracked

Another historical cipher, this one from the 1600s, has been cracked:

Senior math major Lucas Mason-Brown, who has done the majority of the decoding, said his first instinct was to develop a statistical tool. The 21-year-old from Belmont, Mass., used frequency analysis, which looks at the frequency of letters or groups of letters in a text, but initially didn’t get far.

He picked up critical clues after learning Williams had been trained in shorthand as a court stenographer in London, and built his own proprietary shorthand off an existing system. Mason-Brown refined his analysis and came up with a rough key.

Williams’ system consisted of 28 symbols that stand for a combination of English letters or sounds. How they’re arranged is key to their meaning; arrange them one way and you get one word, arrange them another, you get something different. One major complication, according to Mason-Brown: Williams often improvised.

Posted on December 5, 2012 at 6:01 AMView Comments

Stealing VM Keys from the Hardware Cache

Research into one VM stealing crypto keys from another VM running on the same hardware.

ABSTRACT: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen). Such systems are very common today, ranging from desktops that use virtualization to sandbox application or OS compromises, to clouds that co-locate the workloads of mutually distrustful customers. Constructing such a side-channel requires overcoming challenges including core migration, numerous sources of channel noise, and the difficulty of preempting the victim with sufficient frequency to extract fine-grained information from it. This paper addresses these challenges and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.

Two articles.

Posted on November 16, 2012 at 6:13 AMView Comments

Encryption in Cloud Computing

This article makes the important argument that encryption—where the user and not the cloud provider holds the keys—is critical to protect cloud data. The problem is, it upsets cloud providers’ business models:

In part it is because encryption with customer controlled keys is inconsistent with portions of their business model. This architecture limits a cloud provider’s ability to data mine or otherwise exploit the users’ data. If a provider does not have access to the keys, they lose access to the data for their own use. While a cloud provider may agree to keep the data confidential (i.e., they won’t show it to anyone else) that promise does not prevent their own use of the data to improve search results or deliver ads. Of course, this kind of access to the data has huge value to some cloud providers and they believe that data access in exchange for providing below-cost cloud services is a fair trade.

Also, providing onsite encryption at rest options might require some providers to significantly modify their existing software systems, which could require a substantial capital investment.

That second reason is actually very important, too. A lot of cloud providers don’t just store client data, they do things with that data. If the user encrypts the data, it’s an opaque blob to the cloud provider—and a lot of cloud services would be impossible.

Lots of companies are trying really hard to solve parts of this problem, but a truly optimal solution still eludes us.

Posted on November 12, 2012 at 5:47 AMView Comments

Cryptocat

I’m late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian.

At this point, I would have considered writing a long essay explaining what’s wrong with the whole concept behind Cryptocat, and echoing my complaints about the dangers of uncritically accepting the security claims of people and companies that write security software, but Patrick Ball did a great job:

CryptoCat is one of a whole class of applications that rely on what’s called “host-based security”. The most famous tool in this group is Hushmail, an encrypted e-mail service that takes the same approach. Unfortunately, these tools are subject to a well-known attack. I’ll detail it below, but the short version is if you use one of these applications, your security depends entirely the security of the host. This means that in practice, CryptoCat is no more secure than Yahoo chat, and Hushmail is no more secure than Gmail. More generally, your security in a host-based encryption system is no better than having no crypto at all.

Sometimes it’s nice to come in late.

EDITED TO ADD (8/14): As a result of this, CryptoCat is moving to a browser plug-in model.

Posted on August 14, 2012 at 6:00 AMView Comments

Breaking Microsoft's PPTP Protocol

Some things never change. Thirteen years ago, Mudge and I published a paper breaking Microsoft’s PPTP protocol and the MS-CHAP authentication system. I haven’t been paying attention, but I presume it’s been fixed and improved over the years. Well, it’s been broken again.

ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise handshake) and reduce the handshake’s security to a single DES (Data Encryption Standard) key.

This DES key can then be submitted to CloudCracker.com—a commercial online password cracking service that runs on a special FPGA cracking box developed by David Hulton of Pico Computing—where it will be decrypted in under a day.

The CloudCracker output can then be used with ChapCrack to decrypt an entire session captured with WireShark or other similar network sniffing tools.

Posted on August 6, 2012 at 11:22 AMView Comments

Changing Surveillance Techniques for Changed Communications Technologies

New paper by Peter P. Swire—”From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud”:

Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:

(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.

(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.

(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.

(4) The “haves” and “have-nots.” The first three changes create a new division between the “haves” and “have-nots” when it comes to government access to communications. The “have-nots” become increasingly dependent, for access to communications, on cooperation from the “have” jurisdictions.

Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.

Posted on June 11, 2012 at 6:36 AMView Comments

U.S. Federal Court Rules that it Is Unconstitutional for the Police to Force Someone to Decrypt their Laptop

A U.S. Federal Court ruled that it is unconstitutional for the police to force someone to decrypt their laptop computer:

Thursday’s decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of forcing testimony.

Here’s the actual decision. And another blog post.

Note that this a different case, and an opposite ruling, than this. Although the legal experts say that the rulings are not actually in conflict:

Also note that the court’s analysis isn’t inconsistent with Boucher and Fricosu, the two district court cases on 5th Amendment limits on decryption. In both of those prior cases, the district courts merely held on the facts of the case that the testimony was a foregone conclusion.

Posted on February 27, 2012 at 5:49 AMView Comments

1 33 34 35 36 37 56

Sidebar photo of Bruce Schneier by Joe MacInnis.