Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

April 4, 2015

Handbook of Applied Cryptography

Filed under: Cryptography,Cybersecurity — Patrick Durusau @ 7:32 pm

Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone.

Use as historical reference only. Fifth reprinting (2005) of the 1996 edition. Some of the information is eighteen (18) years out of date.

Still, it should make for a useful read.

CRC Press has generously given us permission to make all chapters available for free download.

Please read this copyright notice before downloading any of the chapters.

  • Table of Contents (ps, pdf)
  • Chapter 1 – Overview of Cryptography (ps, pdf)
  • Chapter 2 – Mathematics Background (ps, pdf)
  • Chapter 3 – Number-Theoretic Reference Problems (ps, pdf)
  • Chapter 4 – Public-Key Parameters (ps, pdf)
  • Chapter 5 – Pseudorandom Bits and Sequences (ps, pdf)
  • Chapter 6 – Stream Ciphers (ps, pdf)
  • Chapter 7 – Block Ciphers (ps, pdf)
  • Chapter 8 – Public-Key Encryption (ps, pdf)
  • Chapter 9 – Hash Functions and Data Integrity (ps, pdf)
  • Chapter 10 – Identification and Entity Authentication (ps, pdf)
  • Chapter 11 – Digital Signatures (ps, pdf)
  • Chapter 12 – Key Establishment Protocols (ps, pdf)
  • Chapter 13 – Key Management Techniques (ps, pdf)
  • Chapter 14 – Efficient Implementation (ps, pdf)
  • Chapter 15 – Patents and Standards (ps, pdf)
  • Appendix – Bibliography of Papers from Selected Cryptographic Forums (ps, pdf)
  • References (ps, pdf)
  • Index (ps, pdf)

December 9, 2014

What does the NSA think of academic cryptographers? Recently-declassified document provides clues

Filed under: Cryptography,NSA — Patrick Durusau @ 7:55 pm

What does the NSA think of academic cryptographers? Recently-declassified document provides clues by Scott Aaronson.

From the post:

Brighten Godfrey was one of my officemates when we were grad students at Berkeley. He’s now a highly-successful computer networking professor at the University of Illinois Urbana-Champaign, where he studies the wonderful question of how we could get the latency of the Internet down to the physical limit imposed by the finiteness of the speed of light. (Right now, we’re away from that limit by a factor of about 50.)

Last week, Brighten brought to my attention a remarkable document: a 1994 issue of CryptoLog, an NSA internal newsletter, which was recently declassified with a few redactions. The most interesting thing in the newsletter is a trip report (pages 12-19 in the newsletter, 15-22 in the PDF file) by an unnamed NSA cryptographer, who attended the 1992 EuroCrypt conference, and who details his opinions on just about every talk. If you’re interested in crypto, you really need to read this thing all the way through, but here’s a small sampling of the zingers:

Are there any leaked copies of more recent issues of CryptoLog?

I ask because of the recent outcry about secure encryption of cell phones by default. The government should not be able to argue both ways, one that non-government cryptography work is valueless and at the same time, deprive the average citizen of some modicum of privacy. Which is it?

I know the FBI wants us to return to physical phone lines and junction boxes so they can use their existing supply of wire tapping gear but that’s just not going to happen. Promise.

December 1, 2014

New NSA Drone!

Filed under: Cryptography,NSA — Patrick Durusau @ 4:58 pm

I don’t pay much attention to the musical chairs game in Washington so I wasn’t aware that the NSA acquired a new drone last April. Code name: Adm. Michael Rogers.

Just in case you need a photograph for identification purposes:

Michael Rogers

Doesn’t look like he gets outside very often does it? Being a cryptographer, what else did you expect?

But that makes Rogers a dangerous leader of the NSA.

Consider the latest testimony by Rogers to Congress:

Certain nations are regularly performing electronic “reconnaissance,” Rogers warned, in an effort to be well placed within utility systems in the event that the networks relied on by chemical facilities, water treatment plants and other critical infrastructure components are ordered to be taken offline by a foreign government.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” the NSA chief said.

Leading figures within the American intelligence community and Congress have long warned of potentially catastrophic repercussions if such networks should happen to be penetrated and pulverized by foreign actors with malicious intent, but Rogers’ remarks this week are among the most dire ever from not just an individual well placed within the administration, but a person arguably most qualified to testify as much. (From China & others can cripple US power grid, NSA admits for the first time)

Well, except that water treatment plants and chemical facilities aren’t part of any seamless network. Minor detail, I know, but the fact that some contractor wants to protect us from a non-existent threat with cost-plus contracting isn’t a reason to credit their reports.

If the Admiral wants to obsess about something, how about the regional power stations that are too big to be housed and are subject to attack with one person anti-tank weapons that could take such stations out for months. (Each is a custom build so there aren’t spare parts if oil cooling goes out and critical parts melt into slag.) No Internet or hacking required. And major parts of the United States could go dark for the entire time needed for repairs. Does that sound like a potential threat?

Compare that to the Admiral’s fantasy about cyber defense:

The U.S. Cyber Command has three primary missions, Adm. Rogers said. Along with defending DOD networks, the Cyber Command is “generating the cyber mission force, the men and women who are going to be addressing the department’s cyber needs, from the defensive to the offensive.” Lastly, Rogers said he is preparing the emerging DOD cyber force to defend U.S. critical infrastructure.

DOD’s cyber force has been given the responsibility to defend, for example, critical power and other utility, telecommunications and transportation networks—which he said are vulnerable to attacks from China and “one or two other” countries. He said a major attack was likely in the next decade.

The cyber chief estimated that DOD is about halfway toward its goal of organizing a cyber capability to defend U.S. networks. (From: NSA chief details ‘real’ threats to US networks, infrastructure)

Quick points to remember:

  • The civilian population comes dead last, assuming a threat exists at all.
  • Attack is “likely” within the next decade. (Courteous of our adversaries to wait for us to tool up to repel the attack.)
  • The DOD is halfway towards a cyber capacity to defend non-existent U.S. water, chemical plants, etc., networks?

The advantage of being halfway to defend networks that don’t exist isn’t clear. But, the DOD is also said to be halfway to being subject to auditing. Maybe those programs are on the same track?

All news outlets should be calling BS on testimony such as that by Adm. Rogers. Creating disinformation about security issues distorts the policy process and makes for fat contractors and a poorly served civilian population.

Not to mention making security issue topic maps more laborious to construct by re-weeding out false threats such as those being pandered by Adm. Rogers.

March 11, 2014

Number Theory and Algebra

Filed under: Algebra,Cryptography,Mathematics — Patrick Durusau @ 6:28 pm

A Computational Introduction to Number Theory and Algebra by Victor Shoup.

The first and second editions, published by Cambridge University Press are available for download under a Creative Commons license.

From the preface of the second edition:

Number theory and algebra play an increasingly significant role in computing and communications, as evidenced by the striking applications of these subjects to such fields as cryptography and coding theory. My goal in writing this book was to provide an introduction to number theory and algebra, with an emphasis on algorithms and applications, that would be accessible to a broad audience. In particular, I wanted to write a book that would be appropriate for typical students in computer science or mathematics who have some amount of general mathematical experience, but without presuming too much specific mathematical knowledge.

Even though reliance on cryptography and vendors of cryptography is fading, you are likely to encounter people still using cryptography or legacy data “protected” by cryptography.

BTW, this is only one of several books that Cambridge University Press has published and allowed the final text to remain available.

Should you pen something appropriate and hopefully profitable for you and a publisher, Cambridge University Press should be on your short list.

Cambridge University Press is a great press and a good citizen of the academic world.

I first saw this in a tweet by Algebra Fact.

February 11, 2014

Is 11 Feb 2014 The Day We Fight Back?

Filed under: Cryptography,Cybersecurity,NSA,Privacy,Security — Patrick Durusau @ 11:31 am

Is 11 Feb 2014 The Day We Fight Back? by Mark Stockley.

From the post:

Appalled with government surveillance without oversight? Sick of having your privacy invaded? Numb from stories about the NSA? If you are, you’ll have had many more bad days than good since June 2013.

But today, just perhaps, could be one of the better ones.

Mark covers the general theme of protests quite well and then admits, ok, so people are protesting, now what?

Lacking a target like SOPA, there is no specific action to ask for or for anyone to take.

Or as Mark points out:

Who do we lobby to fix that situation [government surveillance] and how will we ever know if we have succeeded?

I put it to you that the government(s) being petitioned for privacy protection are the same ones that spied on you. Is there irony in that situation?

Is it a reflection on your gullibility that despite years of known lies, deceptions and rights violations, you are willing to trust the people responsible for the ongoing lies, deceptions and rights violations?

If you aren’t going to trust the government, if you aren’t going to protest, what does that leave?

Fighting back effectively.

Mark points out a number of efforts to secure the technical infrastructure of the Internet. Learn more about those, support them and even participate in them.

Among other efforts, consider the OASIS PKCS 11 TC:

The OASIS PKCS 11 Technical Committee develops enhancements to improve the PKCS #11 standard for ease of use in code libraries, open source applications, wrappers, and enterprise/COTS products: implementation guidelines, usage tutorials, test scenarios and test suites, interoperability testing, coordination of functional testing, development of conformance profiles, and providing reference implementations.

The updated standard provides additional support for mobile and cloud computing use cases: for distributed/federated applications involving key management functions (key generation, distribution, translation, escrow, re-keying); session-based models; virtual devices and virtual keystores; evolving wireless/sensor applications using near field communication (NFC), RFID, Bluetooth, and Wi-Fi.

TC members are also designing new mechanisms for API instrumentation, suitable for use in prototyping, profiling, and testing in resource-constrained application environments. These updates enable support for easy integration of PKCS #11 with other cryptographic key management system (CKMS) standards, including a broader range of cryptographic algorithms and CKMS cryptographic service models. (from the TC homepage)

Whatever security you have from government intrusion is going to come from you and others like you who create it.

Want to fight back today? Join one of the efforts that Mark lists or the OASIS PKCS 11 TC. Today!

February 9, 2014

CryptoAlgebra

Filed under: Cryptography — Patrick Durusau @ 5:20 pm

CryptoAlgebra by Matt Gautreau.

From the post:

Just so you know, the material being covered in this blog will be based on what I learn in class, partly from these books:

The first section of this blog, corresponding to the textbook, is going to be about what are referred to as “Classical Cryptosystems”. These types of encryption algorithms are what was used before the invention of computers. The computing power of your cell phone could easily brute force these algorithms, but hopefully we will get a chance to take a look at more elegant ways to attack these systems, which you could do with a pencil and paper if you so desired.

I hope you are as excited for this blog as I am for my classes this semester!

All I know is what you see quoted from the blog.

Assuming Matt does well and keeps up with the blog, this could be a lot of fun.

Suggest you not leave any of your cryptographic doodles laying around at your local airport. 😉

Enjoy!

September 17, 2013

NIST recommends against NSA-influenced standards

Filed under: Cryptography,Cybersecurity,NSA,Security — Patrick Durusau @ 9:38 am

NIST recommends against NSA-influenced standards by Frank Konkel.

From the post:

The National Institute of Standards and Technology, the agency that sets guidelines, policy and standards used by computer systems in the federal government and worldwide, now “strongly” recommends against using an encryption standard that leaked top-secret documents show was weakened by the National Security Agency.

NIST’s Information Technology Laboratory recently authored a technical bulletin that urges users not to make use of Special Publication (SP) 800-90A, which was reopened for public comment with draft Special Publications 800-90B and 800-90C on Sept. 10, providing the cryptographic community another chance to comment on encryption standards that were approved by NIST in 2006.

“NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used,” the bulletin states.

The NIST bulletin, SUPPLEMENTAL ITL BULLETIN FOR SEPTEMBER 2013, is important for several reasons.

First, it is fair warning to security designers to not use the encryption described in SP 800-90A. Use of SP 800-90A after this report is a slam dunk on security malpractice.

Second, it reminds us that, while rare, there are government agencies who take their missions to serve the public quite seriously, and who are prone to honest actions and statements.

Quite unlike the departments of State and Defense, where the real question isn’t whether they are lying, but of the motivation for lying.

September 5, 2013

NSA Crackers

Filed under: Cryptography,Cybersecurity,NSA,Security — Patrick Durusau @ 7:42 pm

Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security by Jeff Larson, ProPublica, Nicole Perlroth, The New York Times, and Scott Shane, The New York Times.

From the story:

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Read the full story for the details.

If that weren’t bad enough, consider this report from The NSA has cracked the secure internet: 3 things to know about the latest Snowden leaks by Jeff John Roberts:

Despite Thursday’s detailed revelations, the precise scope of the government’s power to break encryption is not clear. This is in part because the New York Times and Guardian did not publish all that they know. While the government asked the news agencies not to publish the stories, they only withheld certain details.

So, rather than a corrupt government withholding information from the public, the press decides it wants to withhold information as well?

That’s rather cold comfort from the defenders of the public’s right to know.

I understand why Glenn Greenwald has been releasing the Snowden documents in dribs and drabs.

You can see the evidence for yourself. Watch the news cycles. As one set of Snowden leaks starts to die off, suddenly there is another release from Greenwald.

Glenn is forty-six (46) now so he may be able to stay in the headlines for another nineteen years and retire to write books with more Snowden leaks. It’s a meal ticket.

The news media needs to choose sides.

It can side with inevitably corrupt governments and their venal servants or choose to side with the public.

Members of the public need to make their choices as well.

July 31, 2013

Applied Cryptography Engineering

Filed under: Cryptography,Security — Patrick Durusau @ 3:59 pm

Applied Cryptography Engineering

From the post:

If you’re reading this, you’re probably a red-blooded American programmer with a simmering interest in cryptography. And my guess is your interest came from Bruce Schneier’s Applied Cryptography.

Applied Cryptography is a deservedly famous book that lies somewhere between survey, pop-sci advocacy, and almanac. It taught two generations of software developers everything they know about crypto. It’s literate, readable, and ambitious. What’s not to love?

Just this: as an instruction manual, Applied Cryptography is dreadful. Even Schneier seems to concede the point. This article was written with several goals: to hurry along the process of getting Applied Cryptography off the go-to stack of developer references, to point out the right book to replace it with, and to spell out what else you need to know even after reading that replacement. Finally, I wrote this as a sort of open letter to Schneier and his co-authors.

Highly entertaining review of Applied Cryptography, its successor, Cryptography Engineering, and further reading on cryptography.

Personally I would pick up a copy of Applied Cryptography because of its place in the history of cryptography.

I first saw this in Nat Torkington’s Four short links: 29 July 2013.

July 30, 2013

Cryptology ePrint Archive

Filed under: Cryptography,Cybersecurity,Security — Patrick Durusau @ 10:30 am

Cryptology ePrint Archive

As a result of finding the paper in: Subject Identity Obfuscation?, I stumbled upon the Cryptology ePrint Archive.

A forbidding title list awaits, unless you are a cryptography expert.

Still, a resource to be aware of for the latest developments in cryptography.

Orwell’s Nineteen Eighty-Four fiction has become fact, more or less everywhere.

Savvy clients/customers will expect you to secure their data against surveillance by competitors and governments.

Reading in the Wall Street Journal stories like:

Microsoft provided a lengthy statement to the Guardian and other news outlets at the time the story was published. Microsoft on Tuesday released a blog post that largely repeated its earlier statements.

In the post Tuesday, for the first time, the company did address the encryption-cracking issue. Microsoft said in its statement that it “does not provide any government with the ability to break the encryption, nor does it provide the government with the encryption keys.”

Yet that’s not exactly what the Guardian claimed. The Guardian said Microsoft worked with the FBI to “come up with a solution that allowed the NSA to circumvent encryption” on online chats via Outlook.com, Microsoft’s Web-based email service.

is not going to increase the good will of your clients/customers.

Subject Identity Obfuscation?

Filed under: Cryptography,Encryption,Subject Identity,Topic Maps — Patrick Durusau @ 9:10 am

Computer Scientists Develop ‘Mathematical Jigsaw Puzzles’ to Encrypt Software

From the post:

UCLA computer science professor Amit Sahai and a team of researchers have designed a system to encrypt software so that it only allows someone to use a program as intended while preventing any deciphering of the code behind it. This is known in computer science as “software obfuscation,” and it is the first time it has been accomplished.

It was the line “…and this is the first time it has been accomplished.” that caught my attention.

I could name several popular scripting languages, at the expense of starting a flame war, that would qualify as “software obfuscation.” 😉

Further from the post:

According to Sahai, previously developed techniques for obfuscation presented only a “speed bump,” forcing an attacker to spend some effort, perhaps a few days, trying to reverse-engineer the software. The new system, he said, puts up an “iron wall,” making it impossible for an adversary to reverse-engineer the software without solving mathematical problems that take hundreds of years to work out on today’s computers — a game-change in the field of cryptography.

The researchers said their mathematical obfuscation mechanism can be used to protect intellectual property by preventing the theft of new algorithms and by hiding the vulnerability a software patch is designed to repair when the patch is distributed.

“You write your software in a nice, reasonable, human-understandable way and then feed that software to our system,” Sahai said. “It will output this mathematically transformed piece of software that would be equivalent in functionality, but when you look at it, you would have no idea what it’s doing.”

The key to this successful obfuscation mechanism is a new type of “multilinear jigsaw puzzle.” Through this mechanism, attempts to find out why and how the software works will be thwarted with only a nonsensical jumble of numbers.

The paper has this title: Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits by Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai and Brent Waters.

Abstract:

In this work, we study indistinguishability obfuscation and functional encryption for general circuits:

Indistinguishability obfuscation requires that given any two equivalent circuits C_0 and C_1 of similar size, the obfuscations of C_0 and C_1 should be computationally indistinguishable.

In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C. Using the key SK_C to decrypt a ciphertext CT_x = Enc(x), yields the value C(x) but does not reveal anything else about x. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually.

We give constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits. We accomplish this goal in three steps:

  • We describe a candidate construction for indistinguishability obfuscation for NC1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles.
  • We show how to use indistinguishability obfuscation for NC1 together with Fully Homomorphic Encryption (with decryption in NC1) to achieve indistinguishability obfuscation for all circuits.
  • Finally, we show how to use indistinguishability obfuscation for circuits, public-key encryption, and non-interactive zero knowledge to achieve functional encryption for all circuits. The functional encryption scheme we construct also enjoys succinct ciphertexts, which enables several other applications.

When a paper has a table of contents following the abstract, you know it isn’t a short paper. Forty-three (43) pages counting the supplemental materials. Most of it very heavy sledding.

I think this paper has important implications for sharing topic map based data.

In general as with other data but especially with regard to subject identity and merging rules.

It may well be the case that a subject of interest to you exists in a topic map but if you can’t access its subject identity sufficient to create merging, it will not exist for you.

One can even imagine that a subject may be accessible for screen display but not for copying to a “Snowden drive.” 😉

BTW, I have downloaded a copy of the paper. Suggest you do the same.

Just in case it goes missing several years from now when government security agencies realize its potential.

June 10, 2013

Why Theoretical Computer Scientists Aren’t Worried About Privacy

Filed under: Cryptography,NSA,Privacy,Security — Patrick Durusau @ 1:33 pm

Why Theoretical Computer Scientists Aren’t Worried About Privacy by Jeremy Kun.

From the post:

There has been a lot of news recently on government surveillance of its citizens. The biggest two that have pervaded my news feeds are the protests in Turkey, which in particular have resulted in particular oppression of social media users, and the recent light on the US National Security Agency’s widespread “backdoor” in industry databases at Google, Verizon, Facebook, and others. It appears that the facts are in flux, as some companies have denied their involvement in this program, but regardless of the truth the eye of the public has landed firmly on questions of privacy.

Barack Obama weighed in on the controversy as well, being quoted as saying,

You can’t have 100% security and 100% privacy, and also zero inconvenience.

I don’t know what balance the US government hopes to strike, but what I do know is that privacy and convenience are technologically possible, and we need not relinquish security to attain it.

Before I elaborate, let me get my personal beliefs out of the way. I consider the threat of terrorism low compared to the hundreds of other ways I can die. I should know, as I personally have been within an ε fraction of my life for all ε > 0 (when I was seven I was hit by a bus, proclaimed dead, and revived). So I take traffic security much more seriously than terrorism, and the usual statistics will back me up in claiming one would be irrational to do otherwise. On the other hand, I also believe that I only need so much privacy. So I don’t mind making much of my personal information public, and I opt in to every one of Google’s tracking services in the hopes that my user experience can be improved. Indeed it has, as services like Google Now will, e.g., track my favorite bands for me based on my Google Play listening and purchasing habits, and alert me when there are concerts in my area. If only it could go one step further and alert me of trending topics in theoretical computer science! I have much more utility for timely knowledge of these sorts of things than I do for the privacy of my Facebook posts. Of course, ideologically I’m against violating privacy as a matter of policy, but this is a different matter. One can personally loathe a specific genre of music and still recognize its value and one’s right to enjoy it.

But putting my personal beliefs aside, I want to make it clear that there is no technological barrier to maintaining privacy and utility. This may sound shocking, but it rings true to the theoretical computer scientist. Researchers in cryptography have experienced this feeling many times, that their wildest cryptographic dreams are not only possible but feasible! Public-key encryption and digital signatures, secret sharing on a public channel, zero-knowledge verification, and many other protocols have been realized quite soon after being imagined. There are still some engineering barriers to implementing these technologies efficiently in large-scale systems, but with demand and a few years of focused work there is nothing stopping them from being used by the public. I want to use this short post to describe two of the more recent ideas that have pervaded the crypto community and provide references for further reading.

Jeremy injects a note of technical competence into the debate over privacy and security in the wake of NSA disclosures.

Not that our clueless representatives in government, greedy bidders or turf building agencies will pick up on this line of discussion.

The purpose of the NSA program is what the Republicans call a “transfer of wealth.” In this case from the government to select private contractors.

How much is being transferred isn’t known. If we knew the amount of the transfer and that the program it funds is almost wholly ineffectual, we might object to our representatives.

Some constitutional law scholars (Obama) have forgotten that informed participation by voters in public debate is a keystone of the U.S. constitution.

May 28, 2013

Improving the security of your SSH private key files

Filed under: Cryptography,Cybersecurity,Security — Patrick Durusau @ 9:57 am

Improving the security of your SSH private key files by Martin Kleppmann.

From the post:

Ever wondered how those key files in ~/.ssh actually work? How secure are they actually?

As you probably do too, I use ssh many times every single day — every git fetch and git push, every deploy, every login to a server. And recently I realised that to me, ssh was just some crypto voodoo that I had become accustomed to using, but I didn’t really understand. That’s a shame — I like to know how stuff works. So I went on a little journey of discovery, and here are some of the things I found.

When you start reading about “crypto stuff”, you very quickly get buried in an avalanche of acronyms. I will briefly mention the acronyms as we go along; they don’t help you understand the concepts, but they are useful in case you want to Google for further details.

Quick recap: If you’ve ever used public key authentication, you probably have a file ~/.ssh/id_rsa or ~/.ssh/id_dsa in your home directory. This is your RSA/DSA private key, and ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub is its public key counterpart. Any machine you want to log in to needs to have your public key in ~/.ssh/authorized_keys on that machine. When you try to log in, your SSH client uses a digital signature to prove that you have the private key; the server checks that the signature is valid, and that the public key is authorized for your username; if all is well, you are granted access.

So what is actually inside this private key file?

If you like knowing the details of any sort, this is a post for you!

Or if you start doing topic maps work of interest to hostile others, security will be a concern.

Remember encryption is only one aspect of “security.” Realistic security has multiple layers.

I first saw this in Pete Warden’s Five short links.
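The login flow the recap describes, as an added example in Python using only the standard library (not code from Kleppmann's post or from OpenSSH): the ssh-rsa line found in ~/.ssh/id_rsa.pub and authorized_keys is parsed field by field, the server's "is this key authorized?" lookup compares key blobs rather than comments, and the client's proof of possession is a signature over a challenge that the server verifies with the parsed public key. The key pair is constructed from two small primes and the signing is textbook RSA, so the function names (build_ssh_rsa_line, parse_ssh_rsa_line, is_authorized, client_sign, server_accepts) and all values are illustrative only; real SSH uses 2048-bit-plus keys and PKCS#1 signatures bound to the session identifier.

```python
import base64
import hashlib
import struct

# Constructed toy key pair (NOT a real SSH key): small primes keep the numbers
# readable. Real SSH RSA keys are 2048 bits or more.
TOY_P, TOY_Q, TOY_E = 1000003, 999983, 65537
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))  # private exponent

def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint': two's complement big-endian; 0x00 is prepended when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # without this the value would read back as negative
    return _ssh_string(raw)

def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed field; returns (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past the end of the key blob")
    return blob[start:end], end

def build_ssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) as an id_rsa.pub / authorized_keys line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def parse_ssh_rsa_line(line: str) -> dict:
    """Decode an ssh-rsa public key line; entries with a leading options field are not handled."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the prefix")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    return {"e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"),
            "comment": parts[2].strip() if len(parts) == 3 else "",
            "blob": blob}

def fingerprint_sha256(line: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw blob, base64 without '='."""
    digest = hashlib.sha256(parse_ssh_rsa_line(line)["blob"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def is_authorized(offered_line: str, authorized_keys_text: str) -> bool:
    """Server-side lookup in authorized_keys; keys are compared by blob, not by comment."""
    offered_blob = parse_ssh_rsa_line(offered_line)["blob"]
    for raw in authorized_keys_text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            if parse_ssh_rsa_line(entry)["blob"] == offered_blob:
                return True
        except ValueError:
            continue  # other key types or malformed entries are skipped
    return False

def _challenge_to_int(challenge: bytes, n: int) -> int:
    # Textbook RSA stand-in: hash the challenge and reduce mod n. Real SSH signs
    # a PKCS#1 v1.5 encoding of a hash that is bound to the session identifier.
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def client_sign(challenge: bytes, d: int, n: int) -> int:
    """Client side: prove possession of the private key by signing the challenge."""
    return pow(_challenge_to_int(challenge, n), d, n)

def server_accepts(offered_line: str, challenge: bytes, signature: int,
                   authorized_keys_text: str) -> bool:
    """Server side: grant access only if the key is authorized AND the signature verifies."""
    if not is_authorized(offered_line, authorized_keys_text):
        return False
    key = parse_ssh_rsa_line(offered_line)
    return pow(signature, key["e"], key["n"]) == _challenge_to_int(challenge, key["n"])

if __name__ == "__main__":  # constructed demo of the login flow
    pub = build_ssh_rsa_line(TOY_E, TOY_N, "toy@example")
    sig = client_sign(b"constructed challenge", TOY_D, TOY_N)
    print(fingerprint_sha256(pub), server_accepts(pub, b"constructed challenge", sig, pub + "\n"))
```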

April 20, 2013

The Matasano Crypto Challenges

Filed under: Cryptography,Cybersecurity,Security — Patrick Durusau @ 4:31 am

The Matasano Crypto Challenges by Maciej Ceglowski.

From the post:

I recently took some time to work through the Matasano crypto challenges, a set of 48 practical programming exercises that Thomas Ptacek and his team at Matasano Security have developed as a kind of teaching tool (and baited hook).

Much of what I know (or think I know) about security has come from reading tptacek’s comments on Hacker News, so I was intrigued when I first saw him mention the security challenges a few months ago. At the same time, I worried that I’d be way out of my depth attempting them.

As a programmer, my core strengths have always been knowing how to apologize to users, and composing funny tweets. While I can hook up a web template to a database and make the squigglies come out right, I cannot efficiently sort something for you on a whiteboard, or tell you where to get a monad. From my vantage point, crypto looms as high as Mount Olympus.

To my delight, though, I was able to get through the entire sequence. It took diligence, coffee, and a lot of graph paper, but the problems were tractable. And having completed them, I’ve become convinced that anyone whose job it is to run a production website should try them, particularly if you have no experience with application security.

Since the challenges aren’t really documented anywhere, I wanted to describe what they’re like in the hopes of persuading busy people to take the plunge.

You get the challenges in batches of eight by emailing cryptopals at Matasano, and solve them at your own pace, in the programming language of your choice. Once you finish a set, you send in the solutions and Sean unlocks the next eight. (Curiously, after the third set, Gmail started rejecting my tarball as malware.)

Most of the challenges take the form of practical attacks against common vulnerabilities, many of which will be sadly familiar to you from your own web apps. To keep things fun and fair for everyone, they ask you not to post the questions or answers online. (I cleared this post with Thomas to make sure it was spoiler-free.)

The challenges start with some basic string manipulation tasks, but after that they are grouped by theme. In most cases, you first implement something, then break it in several enlightening ways. The constructions you use will be familiar to any web programmer, but this may be the first time you have ever taken off the lid and looked at the moving parts inside.

While you should not post the questions or answers online, mapping the vulnerabilities you uncover would make a good start on a security topic map.

I first saw this in Four short links: 19 April 2013 by Nat Torkington.

April 16, 2013

Hacking Secret Ciphers with Python

Filed under: Cryptography,Python — Patrick Durusau @ 6:40 pm

“Hacking Secret Ciphers with Python” Released by Al Sweigart.

From the post:

My third book, Hacking Secret Ciphers with Python, is finished. It is free to download under a Creative Commons license, and available for purchase as a physical book on Amazon for $25 (which qualifies it for free shipping). This book is aimed at people who have no experience programming or with cryptography. The book goes through writing Python programs that not only implement several ciphers but also can hack these ciphers.

100% of the proceeds from the book sales will be donated to the Electronic Frontier Foundation, Creative Commons, and The Tor Project.

This looks like fun!

Unlike the secrecy cultists in cybersecurity, I think new ideas and insights into cryptography can come from anyone who spends time working on it.

To paraphrase Buffalo Springfield, “…increase the government’s paranoia like looking in a mirror and seeing the public working on cryptography….”

I never claimed to be a song writer. 😉

PS: Download a copy and buy a hard copy to give to someone.

Or donate the hard copy to your local library!

March 13, 2013

Hiding in Plain Sight/Being Secure From The NSA

Filed under: Cryptography,Cybersecurity,Intelligence,Security — Patrick Durusau @ 3:15 pm

I presume that if a message can be “overheard,” electronically or otherwise, it is likely that the NSA and other “fictional” groups are capturing it.

The use of encryption marks you as a possible source of interest.

You can use image-based steganography to conceal messages but that requires large file sizes and is subject to other attacks.

Professor Abdelrahman Desoky of the University of Maryland in Baltimore County, USA, suggests that messages can be hidden in plain sight by changing the wording of jokes to carry a secret message.

Desoky suggests that instead of using a humdrum text document and modifying it in a codified way to embed a secret message, correspondents could use a joke to hide their true meaning. As such, he has developed an Automatic Joke Generation Based Steganography Methodology (Jokestega) that takes advantage of recent software that can automatically write pun-type jokes using large dictionary databases. Among the automatic joke generators available are: The MIT Project, Chuck Norris Joke Generator, Jokes2000, The Joke Generator dot Com and the Online Joke Generator System (pickuplinegen).

A simple example might be to hide the code word “shaking” in the following auto-joke. The original question and answer joke is “Where do milk shakes come from?” and the correct answer would be “From nervous cows.” So far, so funny. But, the system can substitute the word “shaking” for “nervous” and still retain the humor so that the answer becomes “From shaking cows.” It loses some of its wit, but still makes sense and we are not all Bob Hopes, after all. [Hiding Secret Messages in Email Jokes]

Or if you prefer the original article abstract:

This paper presents a novel steganography methodology, namely Automatic Joke Generation Based Steganography Methodology (Jokestega), that pursues textual jokes in order to hide messages. Basically, Jokestega methodology takes advantage of recent advances in Automatic Jokes Generation (AJG) techniques to automate the generation of textual steganographic cover. In a corpus of jokes, one may judge a number of documents to be the same joke although letters, locations, and other details are different. Generally, jokes and puns could be retold with totally different vocabulary, while still retaining their identities. Therefore, Jokestega pursues the common variations among jokes to conceal data. Furthermore, when someone is joking, anything may be said which legitimises the use of joke-based steganography. This makes employing textual jokes very attractive as steganographic carrier for camouflaging data. It is worth noting that Jokestega follows Nostega paradigm, which implies that joke-cover is noiseless. The validation results demonstrate the effectiveness of Jokestega. [Jokestega: automatic joke generation-based steganography methodology by Abdelrahman Desoky. International Journal of Security and Networks (IJSN), Vol. 7, No. 3, 2012]
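As an added illustration of the mechanism behind the milk-shake example (this is not Desoky's Jokestega code nor any of the joke generators named above), the Go program below treats a joke as a template with slots, where each slot lists words that all keep the joke readable. The article shows one slot with one substitution; the program generalises that: a slot with 2^k interchangeable words carries k bits, namely the index of the word chosen. The templates and word lists are constructed for this example, and the second joke is made up.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
	"regexp"
	"strconv"
	"strings"
)

// template is the secret shared by sender and receiver: a joke with numbered
// slots "{n}" and, per slot, words that all keep the joke intelligible. A slot
// with 2^k alternatives carries k bits: the chosen word's index is the payload.
// (Constructed templates, not data from Desoky's work.)
type template struct {
	text  string
	slots [][]string // len(slots[n]) must be a power of two
}

var slotRe = regexp.MustCompile(`\{(\d+)\}`)

// bitsPerSlot is log2 of the alternative count.
func bitsPerSlot(alts []string) int { return bits.Len(uint(len(alts))) - 1 }

// embed fills each slot with the alternative whose index is spelled by the next
// bitsPerSlot bits of msg and returns the cover plus the unconsumed bits.
func (t template) embed(msg []int) (string, []int, error) {
	var out strings.Builder
	last := 0
	for _, m := range slotRe.FindAllStringSubmatchIndex(t.text, -1) {
		n, _ := strconv.Atoi(t.text[m[2]:m[3]]) // digits guaranteed by the regexp
		alts, idx := t.slots[n], 0
		k := bitsPerSlot(alts)
		if len(msg) < k {
			return "", nil, errors.New("message too short to fill every slot; pad with zeros")
		}
		for _, b := range msg[:k] {
			idx = idx<<1 | b
		}
		msg = msg[k:]
		out.WriteString(t.text[last:m[0]] + alts[idx])
		last = m[1]
	}
	return out.String() + t.text[last:], msg, nil
}

// extract walks the cover against the template: fixed text must match exactly,
// and at each slot the longest matching alternative's index becomes bits.
// Without the template, a reader sees nothing but a (slightly flat) joke.
func (t template) extract(cover string) ([]int, error) {
	var got []int
	last, pos := 0, 0
	for _, m := range slotRe.FindAllStringSubmatchIndex(t.text, -1) {
		fixed := t.text[last:m[0]]
		if !strings.HasPrefix(cover[pos:], fixed) {
			return nil, fmt.Errorf("cover diverges from template before %q", fixed)
		}
		pos += len(fixed)
		n, _ := strconv.Atoi(t.text[m[2]:m[3]])
		alts, choice := t.slots[n], -1
		for i, a := range alts {
			if strings.HasPrefix(cover[pos:], a) && (choice < 0 || len(a) > len(alts[choice])) {
				choice = i
			}
		}
		if choice < 0 {
			return nil, errors.New("no listed alternative appears at a slot")
		}
		pos += len(alts[choice])
		for i := bitsPerSlot(alts) - 1; i >= 0; i-- {
			got = append(got, (choice>>i)&1)
		}
		last = m[1]
	}
	if cover[pos:] != t.text[last:] {
		return nil, errors.New("trailing text does not match template")
	}
	return got, nil
}

// jokes: the milk-shake joke from the text (one 1-bit slot) plus a constructed
// second template with a 2-bit and a 1-bit slot; together they carry 4 bits.
var jokes = []template{
	{text: "Where do milk shakes come from? From {0} cows.",
		slots: [][]string{{"nervous", "shaking"}}},
	{text: "Why did the {0} cross the road? To get to the {1} side.",
		slots: [][]string{{"chicken", "hen", "rooster", "duck"}, {"other", "far"}}},
}

func main() {
	cover, rest, _ := jokes[1].embed([]int{0, 1, 1, 1}) // "hen" (01), "far" (1); one bit left over
	got, err := jokes[1].extract(cover)
	fmt.Println(cover, rest, got, err)
}
```

Sender and receiver must hold the same templates, which play the role of the key; `embed` hands back the bits it did not consume so a longer message can be spread over a sequence of jokes, and `extract` refuses a cover whose fixed text or slot words have been altered. Capacity is tiny, four bits across the two templates here, and anyone holding the templates can read the payload, so the secrecy rests entirely on the templates staying private and on the variants reading like ordinary retellings.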

If you are interested, other publications by Professor Desoky are listed here.

Occurs to me that topic maps offer the means to create steganography chains over public channels. The sender may know its meaning but there can be several links in the chain of transmission that change the message but have no knowledge of its meaning. And/or that don’t represent traceable links in the chain.

With every “hop” and/or mapping of the terms to another vocabulary, the task of statistical analysis grows more difficult.

Not the equivalent of highly secure communication networks, the contents of which can be copied onto a Lady Gaga DVD, but then not everyone needs that level of security.

Some people need cheaper but more secure systems for communication.

Will devote some more thought to the outline of a topic map system for hiding content in plain sight.

April 9, 2012

Play Color Cipher and Visual Cryptography

Filed under: Cryptography — Patrick Durusau @ 4:32 pm

Play Color Cipher and Visual Cryptography by Ajay Ohri.

From the post:

I was just reading up on my weekly to-read list and came across this interesting method. It is called Play Color Cipher-

Each Character ( Capital, Small letters, Numbers (0-9), Symbols on the keyboard ) in the plain text is substituted with a color block from the available 18 Decillions of colors in the world [11][12][13] and at the receiving end the cipher text block (in color) is decrypted into a plain text block. It overcomes the problems like “Meet in the middle attack, Birthday attack and Brute force attacks [1]”.

It also reduces the size of the plain text when it is encrypted into cipher text by 4 times, without any loss of content. Cipher text occupies very little buffer space; hence transmitting through the channel is very fast. With this the transportation cost through the channel comes down.

If your topic map software needs a cryptography option, this could be an interesting one to explore.

Reference article: A Block Cipher Generation using Color Substitution.
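Since the quoted description is short on mechanics, here is an added example in Go (not the reference article's code) of the core idea: a keyed table that maps each printable ASCII character to a distinct color, with encryption as a table lookup and decryption as the reverse lookup. The colors are drawn at random when the table is built and are not the article's values. The example also includes the check a practitioner would want on any character-for-symbol substitution: it compares the sorted frequency profile of the color blocks with that of the plaintext.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// rgb is one color block standing in for one plaintext character.
type rgb [3]byte

// colorCipher is the substitution table. The key is the table itself: distinct
// colors assigned to the 95 printable ASCII characters. Both ends hold a copy.
type colorCipher struct {
	enc map[byte]rgb
	dec map[rgb]byte
}

// newColorCipher draws a fresh random, distinct color for every character 32..126.
func newColorCipher() (*colorCipher, error) {
	c := &colorCipher{enc: map[byte]rgb{}, dec: map[rgb]byte{}}
	for ch := byte(32); ch <= 126; ch++ {
		for {
			var col rgb
			if _, err := rand.Read(col[:]); err != nil {
				return nil, err
			}
			if _, taken := c.dec[col]; !taken { // keep the table one-to-one
				c.enc[ch], c.dec[col] = col, ch
				break
			}
		}
	}
	return c, nil
}

// encrypt replaces every character by its color block; anything outside the
// table (control characters, non-ASCII) is an error rather than a silent gap.
func (c *colorCipher) encrypt(plain string) ([]rgb, error) {
	out := make([]rgb, 0, len(plain))
	for i := 0; i < len(plain); i++ {
		col, ok := c.enc[plain[i]]
		if !ok {
			return nil, fmt.Errorf("character %q is not in the cipher alphabet", plain[i])
		}
		out = append(out, col)
	}
	return out, nil
}

// decrypt reverses the substitution.
func (c *colorCipher) decrypt(blocks []rgb) (string, error) {
	out := make([]byte, 0, len(blocks))
	for _, col := range blocks {
		ch, ok := c.dec[col]
		if !ok {
			return "", fmt.Errorf("color %v is not in the table", col)
		}
		out = append(out, ch)
	}
	return string(out), nil
}

// profile counts each symbol and returns the counts sorted high to low, with the
// symbols discarded. Under a one-to-one substitution the ciphertext profile equals
// the plaintext profile: colors hide which character is which, not how often it occurs.
func profile(symbols []string) []int {
	counts := map[string]int{}
	for _, s := range symbols {
		counts[s]++
	}
	var p []int
	for _, n := range counts {
		p = append(p, n)
	}
	sort.Sort(sort.Reverse(sort.IntSlice(p)))
	return p
}
func plainProfile(s string) []int { return profile(strings.Split(s, "")) }
func cipherProfile(blocks []rgb) []int {
	syms := make([]string, len(blocks))
	for i, b := range blocks {
		syms[i] = string(b[:])
	}
	return profile(syms)
}
func sameProfile(a, b []int) bool { return reflect.DeepEqual(a, b) }

func main() {
	c, err := newColorCipher()
	if err != nil {
		panic(err)
	}
	msg := "see the sea sparkle" // constructed sample plaintext
	blocks, _ := c.encrypt(msg)
	back, _ := c.decrypt(blocks)
	fmt.Println(back == msg, sameProfile(plainProfile(msg), cipherProfile(blocks)))
}
```

Both values printed are true: the round trip works, and because the same character always becomes the same color, the two frequency profiles match exactly. That unchanged profile is the property frequency analysis of classical substitution ciphers relies on, so a practitioner evaluating a scheme of this kind would want to see it combined with something that breaks the one-to-one pattern before relying on it for anything beyond a topic map experiment.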

March 6, 2012

Stanford – Delayed Classes – Enroll Now!

If you have been waiting for notices about the delayed Stanford courses for Spring 2012, your wait is over!

Even if you signed up for more information, you must register at the course webpage to take the course.

Details as I have them on 6 March 2012 (check course pages for official information):

Cryptography Starts March 12th.

Design and Analysis of Algorithms Part 1 Starts March 12th.

Game Theory Starts March 19th.

Natural Language Processing Starts March 12th.

Probabilistic Graphical Models Starts March 19th.

You may be asking yourself, “Are all these courses useful for topic maps?”

I would answer by pointing out that librarians and indexers rely on a broad knowledge of the world to make information more accessible to users.

By way of contrast, “big data” and Google have made it less accessible.

Something to think about while you are registering for one or more of these courses!

November 21, 2011

Cryptography (class)

Filed under: Cryptography,CS Lectures — Patrick Durusau @ 7:37 pm

Cryptography with Dan Boneh. (Stanford)

Looks like competition to have an online class is heating up at Stanford. 😉

From the description:

Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption, digital signatures, and authentication protocols. Towards the end of the course we will cover more advanced topics such as zero-knowledge, distributed protocols such as secure auctions, and a number of privacy mechanisms. Throughout the course students will be exposed to many exciting open problems in the field.

The course will include written homeworks and programming labs. The course is self-contained, however it will be helpful to have a basic understanding of discrete probability theory.

I mention this because topic mappers are going to face security issues and had better be ready to at least discuss them, even if the details are handed off to experts in security, including cryptography. Like law, security and cryptography are not good areas for self-help.

BTW, if this interests you, see Bruce Schneier’s homepage. Really nice collection of resources and other information on cryptography.

September 15, 2010

International Association for Cryptologic Research

Filed under: Cryptography,Security,Topic Map Software,Topic Maps — Patrick Durusau @ 6:01 am

International Association for Cryptologic Research

Hosts conference proceedings, ePrint Archive, CryptoDB, and other goodies. Membership details for IACR.

Topic map applications need to offer features such as:

  • secure communications to and from topic maps.
  • secure and verified data for merging into topic maps.
  • capability to merge parts of separately held topic maps without disclosing the basis for merging.*
  • etc.

*(Important for a range of defense and security applications.)
