Archive by Author | jschonagen

Get Your Geek On: Introduction to Encryption

First of all: I have been working on this post for over a week and it turned out to be rather extensive. For that I’m sorry. The reason I’m writing this post is that I was amazed by the misinformed assumptions of fellow classmates and by their curiosity about this topic.

History
Since the earliest times, people have tried to conceal information they wanted to keep to themselves by substituting parts of it with symbols, numbers and pictures. Steganographic techniques have been used for centuries. The first known application dates back to ancient Greece, when messengers had messages tattooed on their shaved heads and then let their hair grow so the message remained unseen. A different method from that time used wax tablets as a cover source. Text was written on the underlying wood and the message was covered with a new wax layer. The tablets appeared to be blank, so they passed inspection without question. In the 20th century, invisible inks were a widely used technique. In the Second World War, people used milk, vinegar, fruit juices and urine to write secret messages. When heated, these fluids become darker and the message can be read. This technique is still used by gang members in U.S. prisons.

Later, the Germans developed a technique called the microdot. Microdots are photographs the size of a printed period that still have the clarity of a standard typewritten page. The microdots were then printed in a letter or on an envelope and, being so small, could be sent unnoticed.

Recently, the United States government claimed that Osama Bin Laden and the al-Qaeda organization use steganography to send messages through websites and newsgroups. However, until now, no substantial evidence supporting this claim has been found, so either al-Qaeda has used or created really good steganographic algorithms, or the claim is probably false. [Tel, 2004]

So why might someone want to use encryption?

Actually, there are numerous reasons why people might want to use encryption. Of course there are military reasons, the need to protect business or financial information, protecting communication from unauthorized access, the protection of stored data, authenticating payments and the prevention of espionage. However, due to a lack of knowledge, unnecessary security issues still arise.

Terminology

In order to understand the following sections, allow me to introduce some terminology. A code is a technique to replace words or semantic structures by a corresponding code word. The simplest example of this principle is a shift in the alphabet by a fixed amount (e.g. 2 positions make a=c, b=d, etc.). A cipher is a replacement based on symbols, where each symbol is mapped to another letter. Cryptography is the science of encrypting or hiding secrets. Cryptanalysis is the science of decrypting messages (ciphertext) or breaking codes and ciphers in order to obtain the unencrypted message (plaintext). Cryptology is the combination of both cryptography and cryptanalysis.

Encryption Algorithms

Due to space constraints I am not digging into the algorithms. Moreover, I am afraid that I have already lost a lot of readers by now, and throwing in numbers might turn off the last readers. If you are really enthusiastic and think I’m leaving out the good parts, just leave me a message or come see me after class. (If it’s before noon, coffee would be appreciated.)

My experience tells me that, basically, a good encryption algorithm is as strong as its randomness. In short, there are two algorithm categories: symmetric-key encryption and asymmetric-key encryption. Symmetric-key encryption uses one key for both encrypting and decrypting messages. Asymmetric-key encryption uses complementary keys in order to encrypt and decrypt. Symmetric-key encryption is often used for repeated communication, whereas asymmetric-key encryption is used for one-shot communication like signatures (e.g. DigiD). Do keep in mind that the latter is more computationally expensive.
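The symmetric/asymmetric distinction, as an added example that is not from the original post: a toy symmetric stream cipher (HMAC-SHA256 run in counter mode), a textbook RSA key pair generated with a Miller-Rabin primality test, and the hybrid pattern that combines them, where the expensive asymmetric operation is used once to wrap a short session key and the cheap symmetric one protects the actual traffic. Everything uses only the Python standard library (3.8 or newer, for `pow(e, -1, phi)`). The function names, the 512-bit key size and the sample messages are my own choices. The RSA here is unpadded textbook RSA, which is enough to show the key relationship; real systems wrap keys with a padded scheme such as RSA-OAEP or a KEM.

```python
import hashlib
import hmac
import secrets

# ---------- Symmetric: one shared key both encrypts and decrypts ----------

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = b''
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, 'big'), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream). A fresh nonce is used per message."""
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """Same key, same keystream: XOR again to recover the plaintext."""
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# ---------- Asymmetric: textbook RSA with complementary keys ----------

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definitely composite
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((e, n), (d, n)); e is public, d is the matching private exponent."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)                           # modular inverse, Python 3.8+
    return (e, p * q), (d, p * q)


def rsa_encrypt(pub, message: bytes) -> int:
    e, n = pub
    m = int.from_bytes(message, 'big')
    if m >= n:
        raise ValueError("message too large for this key (textbook RSA, no padding)")
    return pow(m, e, n)


def rsa_decrypt(priv, ciphertext: int, length: int) -> bytes:
    d, n = priv
    return pow(ciphertext, d, n).to_bytes(length, 'big')


# ---------- Hybrid: asymmetric once for the key, symmetric for the traffic ----------

def hybrid_send(recipient_pub, message: bytes):
    """Wrap a fresh 32-byte session key with RSA, encrypt the message symmetrically."""
    session_key = secrets.token_bytes(32)
    return rsa_encrypt(recipient_pub, session_key), sym_encrypt(session_key, message)


def hybrid_receive(priv, wrapped_key: int, blob: bytes) -> bytes:
    session_key = rsa_decrypt(priv, wrapped_key, 32)
    return sym_decrypt(session_key, blob)


if __name__ == "__main__":
    pub, priv = rsa_keygen(512)
    wrapped, blob = hybrid_send(pub, b"constructed sample message")
    print(hybrid_receive(priv, wrapped, blob))
```

Once the session key has been exchanged, every further message only needs the symmetric path, which is a few HMAC calls per message, while the RSA step runs a modular exponentiation with a 512-bit exponent; that asymmetry in cost is why symmetric encryption carries the repeated traffic.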

Encryption and its use have been a controversial topic for years. Until the late ‘90s, encryption algorithms were treated as munitions in some countries, including the U.S. and Germany. All kinds of issues arose from this form of governmental control. Companies were forced to release separate versions of their software (one for export, one for domestic use). Even T-shirts were printed stating (in cipher) “This T-Shirt is a munition.”

Open Source  

To prevent governments from creating backdoors, some developers started collaborating online. In 1991 PGP was the result of their effort. Since it was given away on the internet, the U.S. government considered this an export. Zimmermann and other developers saw it as a form of free speech. In 1996 a court ruled computer code to be speech, which led to the U.S. government dropping most export restrictions in 2000. Nowadays, many advanced encryption algorithms are open source, including AES, which may even be used by U.S. Top Secret agents. And did you know AES originated with Joan Daemen and Vincent Rijmen in 1971? That sounds pretty Dutch, right?

Next-Gen Encryption Algorithms

As I stated before, cryptographers are continuously seeking the algorithm that generates the most random cipher. Quantum cryptology looks promising, although it contains flaws and researchers are worried about its practicality. MIFARE (PDF alert), an encryption algorithm used for securing data packets between satellite and RFID chip, is pretty advanced. (Yes, it’s used for the OV-chipcard. No, it’s not cracked.) It’s a well-kept secret that it uses swipe time and distance to the satellite, amongst other variables, to generate random cipher. Hi Brenno!

Password Strength

I am amazed that you are still reading. In a discussion with fellow classmates I stated that longer passwords are not always more secure. In short, very long passwords, once encrypted, simply generate less random cipher. Below you find an illustration of common misunderstandings about password strength.


The Dark Side of IT: Researcher Reverse-Engineers Pacemaker Transmitter To Deliver Deadly Shocks

Yesterday, at the BreakPoint security conference in Melbourne, researcher Barnaby Jack said in a talk that he has found a way to hack into pacemakers, and the consequences of that are deadly. Anonymous assassinations within 30 feet of the pacemaker seem to be possible. From the report: “In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop. The pacemakers contained a ‘secret function’ which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30 foot-plus vicinity. … In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server. That data could be used to load rogue firmware which could spread between pacemakers with the ‘potential to commit mass murder.’”

“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range,” Jack said.

Let’s Talk Money: Where Should You Work as a Post-BIM Graduate?

As a starter you could probably just take the first job offer. But have you ever wondered which tech company pays best? A study from career site Glassdoor ranks tech companies by the salaries they pay to software engineers. It may not be a real surprise that Google tops the list of tech companies. Google paid its engineers an average base salary of $128,336, with Microsoft coming in second at $123,626. Apple, eBay, and Zynga rounded out the top 5.

Flip the App: Is The Secondary Mobile App Market Taking Off?

Flipping is an old practice, as seen on various reality TV formats today. To the Dutch masses the most familiar flipping example is “Het Blok”. In this show contestants try to buy a house for the lowest price possible, fix it up a bit and sell it for the highest price possible. But did you know that there is a secondary market for Android and iOS apps?

App creators without the time or drive to further develop or monetize their apps can sell them at a flat rate. Buyers can then tweak the app and resell it to a third party or monetize it.

Two problems arise from secondary mobile app markets. Firstly, there are a lot of app developers who write bad code. Secondly, the people buying the apps won’t be able to make substantial changes because they can’t code. So where does that leave them? They focus on marketing and design and see their profits vaporize while having a hard time flipping the app. This is the big difference between real estate and software development. You can buy real estate, hang onto it for years, then sell at a profit without doing anything. That is not true of the app market. Every day there’s more and more competition among apps. If you buy an app, hang onto it and don’t do anything to develop it further, it will lose more and more value and eventually be worthless.