Brief History of PGP

Here is a brief history of PGP Encryption “Pretty Good Privacy”.

 PRZ closeup cropped.jpgPhil Zimmerman, courtesy Wikipedia Phil Zimmerman first created PGP in 1991. The name is inspired by the grocery store, “Ralph’s Pretty Good Grocery” from Garrison Keillor’s fictional town of Lake Woebegone.Mr. Zimmerman initally sent PGP to a friend, who posted it to Peacenet, an ISP that was involved in the peace movement. From there, PGP spread across the planet via the nascent internet, to be used by civil libertarians and disidents in totalitarian countries.
Mr. Zimmerann got in trouble with the U.S. governement for “munitions export without a license” when copies of PGP left the borders of the United States. The investigation was begun because PGP never used keys smaller than 128 bits. At that time, in 1993, Cryptosystems that used keys larger than 40 bits were considered munitions, and export of such a Cryptosystem was considered a violation of U.S. export regulations.He challenged these regulations by publishing the entire source code of PGP in the book, PGP: Source Code and Internals. Anyone with $60 could buy the book, scan or type the source code into the GNU Compiler Collection, and compile it. Publication of the book was theorettically protected by the First Amendment. It was never challendged in court, but the case against him was dropped. The book is currently listing for $1,080.00 on Amazon.com.

U.S. Regulations regarding cryptography were updated in the late 1990′s and early 2000s.

In 1996, Zimmerman and his team started PGP Corporation.  In 1997, they proposed the OpenPGP standard to the IETF.  At the end of 1997, Network Associates aquired PGP Corporation. Zimmerman left Network Associates in 2001. He went on to serve as Chief Cryptographer for Hush Communications, who provide OpenPGP email service, Hushmail.

Symantec aquired PGP for $300 million in 2010.

 

Secure Sockets Layer Implementation

Wikipedia has a nice, high level overview of what Perfect Forward Secrecy is.
Without Perfect Forward Secrecy, if a government or hostile entity is collecting encrypted data, they can still ultimately decrypt millions of messages if they figure out which SSL key was used, either through a court order, hacking the servers that store the keys, or through crypto-analysis.
With Perfect Forward Secrecy, such a mass decryption of encrypted data becomes much harder because the key is ephemeral and session specific. It is still possible to decrypt the data, with time and resources, but it has to be done one message at a time.

The article mentions that implementation of Perfect Forward Secrecy does add a slight delay at the beginning of the session – about 150 milliseconds in the U.S., and up to a second in countries further away from Twitter’s servers, such as Brazil.

 Even though it introduces a brief delay at the beginning of a session, the fact that it creates a session specific key is a boon for personal privacy.

Overview of Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) is typically used with wireless networks and Point-To-Point connections. EAP is not a wireless protocol. Accprdomg to Wikipedia, it’s used to define message formats. Protocols define how EAP messages are encapusulated from within the protocol’s message.

 IEEE 802.1x - When and 802.1x device such as a wireless access point invokes EAP, EAP methods can provide a secure method of authentication and negotiate a secure private key.
EAP handshake
The following protocols can also use EAP:
  • PEAP - Protected Extensible Authentication Protocol
  • RADIUS and Diameter
  • PANA -  Protocol for Carrying Authentication for Network Access
  • PPP - Point-to-Point Protocol

Pentagon toughens cybersecurity requirements for contractors

http://www.securityweek.com/pentagon-toughens-cybersecurity-requirements-defense-contractors

I thought that what was interesting about this article is that the author stated that for small contractors, the cost of implementing security for Information Technology is roughly 0.5% of a company’s revenues, which refers to all the money a company takes in from doing what it does. So this can be a substantial cost to a company. However, due to the economies of scale, larger companies tend to pay a fraction of that amount.

I wonder if we’re going to get to the point where small companies just can’t afford to implement decent security, and put themselves at greater risk.

How Snowden Bypassed NSA Security

Edward Snowden has not revealed how he infiltrated numerous secure systems while he was at the National Security Agency (NSA). An article in Eweek.com lists several potential methods.
There are reports that Edward Snowden talked almost two dozen NSA employees into giving him their passwords.
Additionally, security experts at Venafi, a certificate-management firm, posted the results of an analysis that demonstrates that Edward Snowden used Secure Shell (SSH) authentication keys to give his account privileged access to other servers on the NSA network. The most provocative indication that this is how Snowden gained access is based on testimony from General Keith Alexander, Director of the NSA, stating that Snowden “fabricted digital keys” to gain access to classified systems.
The fact that Snowden may have gained access to a number of systems by using other users passwords and securing SSH keys demonstrates that monitoring what goes on inside your network is as important as monitoring what is happening on the perimeter.

Is the Seattle PD tracking your phone and laptop?

According to an article on http://thestranger.com, the Seattle Police Department is in the process of installing an Aruba wireless mesh network throughout the city that may have the ability to physically track and monitor wireless devicessuch as cell phones,  laptops etc, using their MAC addresses. This project is part of a $2.7 Million dollar project funded by the Department of Homeland Security.
Aruba also sells and markets systems that can track devices moving through their system’s coverage area and detect rogue access points on the network.
In the article, Detective Monty Moss said that the mesh network would not be used for “surveillance purposes… without City Council’s approval and the appropriate court authorization.”
The article points out that the detective didn’t say that the mesh network would be used for surveillance, only that it wouldn’t be used for surveillance without court authorization.

80211i – Four-Way Handshake Summary

Wikipedia has a nice, high level summary of what a Four-Way Handshake is in relation to the 802.11i protocol.

 The Four-Way Handshake is a protocol that creates a secure authentication strategy for delivering data over networks. The purpose behind the Four-Way Handshake is to allow an Access Point to authenticate itself to a client while providing secure encryption. Keys are derived to encrypt traffic between the Access Point and the client.
Before the Handshake: The shared secret Pairwise Master Key (PMK) is provided during the earlier EAP or WPA2-PSK exchange. Since the PMK is designed to last the entire session, it should be exposed as little as possible.
Step One: The Access Point sends an AP Nonce-value (ANonce) to the client station (STA). The client (STA) can now create the Pairwise Transient Key (PTK) through a combination of the PMK, ANonce, AP MAC Address and Client (STA) MAC Address.
From here, the four-way handshake creates another key called the Pairwise Transient Key (PTK). The PTK is created by through a combination of the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The result of this combination is run through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
The National Institute of Standards and Technology has a more detailed explanation of 802.11i and Four-Way Handshakes.

4-way-handshake WPA2.png

Image provided by Wikipedia Commons

Stuxnet virus did not infect ISS

There’s an update to this story. It turns out that most of the press have gotten this story wrong.
STS-133 International Space Station after undocking 5.jpg

Image taken from Wikipedia Commons
In an update from the Atlantic.com:
Eugene Kaspersky (of the antivirus company Kaspersky Lab) made two statements while speaking to Australia’s National Press Club in Canberra, Australia:
    1. The International Space Station had been infected by a Russian cosmonaut’s malware ridden USB memory stick brought up from Earth.
    2. The Stuxnet virus had infected and damaged a Russian nuclear power plant.
The popular press merged Kaspersky’s statement about malware on the ISS with the Stuxnet virus infecting a Russian nuclear power plant, making it sound like the Stuxnet virus had infected the ISS. Stuxnet was originally designed to degrade or destroy specific Sieman’s control equipment operating in Iran’s nuclear program.
The Atlantic.com ran the following correction:
(Correction: this article originally said the ISS was infected with Stuxnet. Upon further review of Kaspersky’s statements, that’s not the case. We’re sorry for the confusion.)
 This doesn’t mean that it couldn’t happen. Stuxnet has been found in the wild outside Iran.