Without Perfect Forward Secrecy, if a government or hostile entity is collecting encrypted data, they can still ultimately decrypt millions of messages if they figure out which SSL key was used, whether through a court order, by hacking the servers that store the keys, or through cryptanalysis.
With Perfect Forward Secrecy, such a mass decryption of encrypted data becomes much harder because the key is ephemeral and session specific. It is still possible to decrypt the data, with time and resources, but it has to be done one message at a time.
The article mentions that implementation of Perfect Forward Secrecy does add a slight delay at the beginning of the session – about 150 milliseconds in the U.S., and up to a second in countries further away from Twitter’s servers, such as Brazil.
Even though it introduces a brief delay at the beginning of a session, the fact that it creates a session specific key is a boon for personal privacy.
Extensible Authentication Protocol (EAP) is typically used with wireless networks and Point-to-Point connections. EAP is not a wireless protocol. According to Wikipedia, it's used to define message formats. Each protocol that uses EAP defines how EAP messages are encapsulated within that protocol's own messages.
IEEE 802.1x - When an 802.1x device such as a wireless access point invokes EAP, EAP methods can provide a secure method of authentication and negotiate a secure private key.
The following protocols can also use EAP:
- PEAP - Protected Extensible Authentication Protocol
- RADIUS and Diameter
- PANA - Protocol for Carrying Authentication for Network Access
- PPP - Point-to-Point Protocol
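An added example (not from the article or from Wikipedia) of the EAP message format defined in RFC 3748, together with the EAPOL header that IEEE 802.1X wraps around it. The identity string and the function names are constructed for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code(1) | Identifier(1) | Length(2) | data."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # Length covers the whole EAP packet; never trust it beyond the buffer.
    if length < 4 or length > len(packet):
        raise ValueError("Length field does not match the bytes received")
    body = packet[4:length]  # bytes past Length are link-layer padding
    msg = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a Type byte
        if not body:
            raise ValueError("Request/Response needs a Type byte")
        msg["type"] = EAP_TYPES.get(body[0], f"unknown({body[0]})")
        msg["type_data"] = body[1:]
    elif length != 4:  # Success and Failure are header-only
        raise ValueError("Success/Failure carry no data")
    return msg

def encapsulate_eapol(eap: bytes) -> bytes:
    """IEEE 802.1X framing: Version(1) | Type 0 = EAP-Packet | Length(2) | EAP."""
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

# Constructed sample: an EAP-Response/Identity for a made-up user.
IDENTITY = b"alice@example.org"
SAMPLE = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY

if __name__ == "__main__":
    print(parse_eap(SAMPLE))
    print(encapsulate_eapol(SAMPLE).hex())
```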
I thought that what was interesting about this article is that the author stated that for small contractors, the cost of implementing security for Information Technology is roughly 0.5% of a company’s revenues, which refers to all the money a company takes in from doing what it does. So this can be a substantial cost to a company. However, due to the economies of scale, larger companies tend to pay a fraction of that amount.
I wonder if we’re going to get to the point where small companies just can’t afford to implement decent security, and put themselves at greater risk.
Edward Snowden has not revealed how he infiltrated numerous secure systems while he was at the National Security Agency (NSA). An article in Eweek.com lists several potential methods.
There are reports that Edward Snowden talked almost two dozen NSA employees into giving him their passwords.
Additionally, security experts at Venafi, a certificate-management firm, posted the results of an analysis that demonstrates that Edward Snowden used Secure Shell (SSH) authentication keys to give his account privileged access to other servers on the NSA network. The most provocative indication that this is how Snowden gained access is based on testimony from General Keith Alexander, Director of the NSA, stating that Snowden “fabricated digital keys” to gain access to classified systems.
The fact that Snowden may have gained access to a number of systems by using other users' passwords and securing SSH keys demonstrates that monitoring what goes on inside your network is as important as monitoring what is happening on the perimeter.
According to an article on http://thestranger.com, the Seattle Police Department is in the process of installing an Aruba wireless mesh network throughout the city that may have the ability to physically track and monitor wireless devices such as cell phones, laptops, etc., using their MAC addresses. This is part of a $2.7 million project funded by the Department of Homeland Security.
also sells and markets systems that can track devices moving through their system’s coverage area and detect rogue access points on the network.
In the article, Detective Monty Moss said that the mesh network would not be used for “surveillance purposes… without City Council’s approval and the appropriate court authorization.”
The article points out that the detective didn’t say that the mesh network would be used for surveillance, only that it wouldn’t be used for surveillance without court authorization.
Wikipedia has a nice, high level summary of what a Four-Way Handshake is in relation to the 802.11i protocol.
The Four-Way Handshake is a protocol that creates a secure authentication strategy for delivering data over networks. The purpose behind the Four-Way Handshake is to allow an Access Point to authenticate itself to a client while providing secure encryption. Keys are derived to encrypt traffic between the Access Point and the client.
Before the Handshake: The shared secret Pairwise Master Key (PMK) is provided during the earlier EAP or WPA2-PSK exchange. Since the PMK is designed to last the entire session, it should be exposed as little as possible.
Step One: The Access Point sends an AP Nonce-value (ANonce) to the client station (STA). The client (STA) can now create the Pairwise Transient Key (PTK) through a combination of the PMK, ANonce, AP MAC Address and Client (STA) MAC Address.
From here, the four-way handshake creates another key called the Pairwise Transient Key (PTK). The PTK is created through a combination of the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The result of this combination is run through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
Image provided by Wikipedia Commons
There’s an update to this story. It turns out that most of the press have gotten this story wrong.
Eugene Kaspersky (of the antivirus company Kaspersky Lab) made two statements while speaking to Australia’s National Press Club in Canberra, Australia:
- The International Space Station had been infected by a Russian cosmonaut’s malware-ridden USB memory stick brought up from Earth.
- The Stuxnet virus had infected and damaged a Russian nuclear power plant.
The popular press merged Kaspersky’s statement about malware on the ISS with the Stuxnet virus infecting a Russian nuclear power plant, making it sound like the Stuxnet virus had infected the ISS. Stuxnet was originally designed to degrade or destroy specific Siemens control equipment operating in Iran’s nuclear program.
The Atlantic.com ran the following correction:
(Correction: this article originally said the ISS was infected with Stuxnet. Upon further review of Kaspersky’s statements, that’s not the case. We’re sorry for the confusion.)
This doesn’t mean that it couldn’t happen. Stuxnet has been found in the wild outside Iran.