dc_lko
Post on 13-Dec-2015
212 Views
Preview:
DESCRIPTION
TRANSCRIPT
Who am I?
● Contributor to n|u● Head of R&D, Skarpsinne Labs, London, UK● I am a hobbyist programmer with some interest
in information security domain. My primary areas of interest are cryptography and malware.
● Blog: http://adhokshajmishraonline.in● Email: me@adhokshajmishraonline.in
Agenda
● Crooked activities by government● Why counter-surveillance?● Common surveillance methods● Counter -surveillance and cryptography● Keeping your data safe● Secure authentication● Private messages (chats, calls etc...)● Countermeasures for counter-surveillance
Crooked Activities
● PRISM Program from NSA● Attempt to backdoor LINUX kernel● Backdoor in hard disk firmware● SuperFish in recent Lenovo laptops● Cryptographic keys for SIM stolen by NSA for
mass spying without warrant or permission● Cryptographic backdoor in MS Windows
Why counter-surveillance?
● Because crooked practices by governments and companies is unacceptable.
● To recover from the damage done by gov agencies under name of surveillance.
● To make a balance between surveillance efforts and privacy protection efforts
Common surveillance methods
● By tapping the wire● By exploiting 0-day vulnerabilities (Tailored
Access Operation)● By paying the big boys to put backdoor in
software (MS Windows)● By weakening the cryptography (Dual EC_DRBG)● And many more......
Counter-surveillance & Cryptography
● Mathematics is our friend. Let us trust it.● NSA cannot break good cryptography.● Cryptography allows all sorts of cool stuff, like
communicating in such a way that nothing can be proved :D
● All you need some cryptography skills and some programming skills to get the things done.
Keeping The Data Safe
● Encrypting the files is not enough● Encrypted volume is not enough● Even “hidden volume” of TrueCrypt is not enough
Keeping The Data Safe (2)
● Fill entire volume with output of a good cryptographically secure pseudo-random bit stream generator.
● Create multiple encrypted file systems at different offsets in same volume.
● Every I/O action should modify slack space at random locations in all the file systems, as well as host volume.
Keeping The Data Safe (3)
● Put some genuine looking data in one of the file systems, and secret data in other. Keep good balance between them.
● Output of a good cryptosystem cannot be distinguished from output of a good pseudo-random bit stream generator.
● Claim the data to be just random stream. Proving otherwise will be very difficult.
Secure Authentication
● CA will protect you only from those it is not willing to take money from.
● “Secure channel” can be intercepted by mechanism used by Superfish.
● You can authenticate yourself without revealing your password.
● Time to move to crypto magic ….
Secure Authentication (2)
● Alice has a secret s which he wants to prove to Bob.
● Three values y, g, and p are shared. P is large prime. Also g^s mod p = y
● Alice will generate a random number r, and calculate C = g^r mod p. C is sent to Bob.
● Bob will request either r or (s + r) mod (p - 1)
Secure Authentication (3)
● Verifying the knowledgein case of r:C = g^r mod pin case of (s + r) mod (p -1)g ^ ((s+r) mod (p-1)) mod p = C.y mod p
● Repeat the request – verification cycle multiple times. Select the request randomly each time.
● In all cases, only a random number is sent, therefore no knowledge of secret is leaked.
Private Messaging
Desired properties:● Encryption● Authentication● Deniability● Perfect Forward Secrecy
Authentication in Private Messaging
● Shared values: g and p. P is prime.● Bob
picks random value r(128 bits)picks random value x (320 bits minimum)
● Calculatesv1 = g ^ x mod p; A = AES(key = r, v1); H = Hash (v)
● Sends A and H to Alice
Authentication in Private Messaging
● Alice picks random value y (320 bits minimum)
Calculates v2 = g ^ y mod p
Sends v2 to Bob● Bob calculates s = v2 ^ x mod p● Hashes s in different ways to generate c, c', m1,
m1', m2, m2'. C, c' are AES keys, others are MAC keys
Authentication in Private Messaging
● Shared values: g and p. P is prime.● Bob
picks random value r(128 bits)picks random value x (320 bits minimum)
● Calculatesv1 = g ^ x mod p; A = AES(key = r, v1); H = Hash (v)
● Sends A and H to Alice
Authentication in Private Messaging
● Bob picks keyid_B, a serial number for his DH keyg ^ x mod p
● Calculates
Mb = MAC(m1)(g^x, g^y, pub_B, keyid_B)
Xb = pub_B, keyid_B, sig(B, Mb)● Sends to Alice
r, AES(key=c, Xb), MAC(m2)(AES(key=c, Xb))
Authentication in Private Messaging
● Alice uses r to decrypt A (received from Bob)● Verifies H by recalculating it● Calculates s = v1 ^ y mod p (s → same as Bob)● Calculates AES and MAC keys from s (same as
Bob)● Uses m2 to verify MAC(m2)(AES(key=c, Xb))● Uses c to decrypt AES(key=c, Xb)
Authentication in Private Messaging
● Calculates Mb, and verifies sig(B, Mb) using pub_B● Picks keyid_A, a serial number for his DH Key● Calculates
Ma = MAC(m1')(g^y, g^x, pub_A, keyid_A)
Xa = pub_A, keyid_A, sig(A, Ma)● Sends to Bob: AES(key=c', Xa), MAC(m2')
(AES(key=c', Xa))
Authentication in Private Messaging
● Bob
uses m2' to verify MAC(m2')(AES(key=c', Xa))
uses c' to decrypt AES(key=c', Xa)
calculates Ma = MAC(m1')(g^y, g^x, pub_A, keyid_A)
uses pub_A to verify sig(A, Ma)● Now Alice and Bob have s, pub_A and pub_B
Encryption in Private Messaging
● Alice is assured that s is known by someone with access to the private key corresponding to pub_B, and similarly for Bob.
● All messages are encrypted using symmetric cipher with shared DH key as encryption key.
● DH protocol is re-initiated to generate new key for next message.
Authentication in Private Messaging
● Alice and Bob know each others public key● Alice and Bob have one more shared secret s1.● To detect impersonation or MITM attack, public
key fingerprints as well as shared secret s1 can be verified using “secure authentication” as discussed previously.
top related