Difference between revisions of "Cryptography Tools"

From DevSummit
Jump to navigation Jump to search
(Created page with "Overview of Crypto – People of unfamiliar – why you might want to use encryption. Common places interact – network services – encryption can work well. Are some people...")
 
Line 30: Line 30:
 
If Garrets private key (secrete)  is compromised – can go read all of garrets e-mail.  If loose GPG key. In huge trouble. <br>
 
If Garrets private key (secrete)  is compromised – can go read all of garrets e-mail.  If loose GPG key. In huge trouble. <br>
  
Smart card. Can only get in Germany. <br>
+
* Smart card. Can only get in Germany. <br>
  
Yubi keys.<br>
+
* Yubi keys.<br>
  
 
What do you recommend in opposition to PGP??  
 
What do you recommend in opposition to PGP??  
Line 40: Line 40:
 
Traffic analysis is fairly easy. Tor makes it more difficult to track who is doing what or an anonymizing network.  Sites cannot see who is actually visiting what websites.  If you can see entire network. Global passive network – can make assumptions on who is doing what. Not entirely sure if gov agencies or NSA can deanonymize tor. In 2011 according to Snowden documents we knew the NSA couldn’t. '''Anyone can see the traffic on a exit node.'''
 
Traffic analysis is fairly easy. Tor makes it more difficult to track who is doing what or an anonymizing network.  Sites cannot see who is actually visiting what websites.  If you can see entire network. Global passive network – can make assumptions on who is doing what. Not entirely sure if gov agencies or NSA can deanonymize tor. In 2011 according to Snowden documents we knew the NSA couldn’t. '''Anyone can see the traffic on a exit node.'''
  
=Mobile=
+
==Difference between Virtual Private Network (VPN) and Tor==
HTTPS – When using whatsapp – message contains metadata to tell who and where to send message. Whatsapp takes body and headers and uses whatsapp in encrypted tunnel. HTTPS – can do nothing to do with that. Still have to do a DNS lookup. DNS first connection cannot be hidden. TOR or VPN used over encryption.
 
  
Difference between VPN (Virtual Private Network) versus Tor.
+
Used VPNS to connect to external work network. Used to proxy over the internet. Route traffic through your server.  Observers of your connection cannot see what you are doing. Can only see that you are connecting to a VPN. VPN can see everything you do? <br>
  
Used VPNS to connect to external work networkUsed to proxy over the
+
In China cannot google Tiananmen squareConnect to a VPN outside of ChinaVPN always knows what you are doing. TOR can be a better solution than using a VPN. Run by volunteers. One server knows who you are.<br>
internet. Route traffic through your serverObservers of your
 
connection cannot see what you are doing. Can only see that you are
 
connecting to a VPN.   VPN can see everything you do?
 
  
In China cannot google Tiananmen square. Connect to a VPN outside of
+
Tor servers that are run by volunteers. 7000 exit nodes. List of all servers is publicThere are some sites that will intentionally block all serversVery annoying. People use tor for abuse and SPAM all the time. <br>
ChinaVPN always knows what you are doingTOR can be a better
 
solution than using a VPN. Run by volunteers. One server knows who you
 
are.
 
  
Tor servers that are run by volunteers. 7000 exit nodes. List of all
+
''TOR is slow ''– three times longer to do everythingTor makes multiple hops around the worldPretty good. Can stream audio and video not great.
servers is publicThere are some sites that will intentionally block
 
all serversVery annoying. People use tor for abuse and SPAM all
 
the time.
 
  
TOR is slow – three times longer to do everything. Tor makes multiple
+
'''Do not use bittorrent over tor.''' Makes entire slow. Not really anonymous.  Try to pirate content over tor. Bit torrent protocol not safe over tor. Bad etiquette – slow the entire network downUse an encrypted channel in tor. <br>
hops around the worldPretty good. Can stream audio and video not
 
great.
 
  
Do not use bittorrent over tor. Makes entire slow. Not really
+
Downloading from a site that is using httpTraffic can be intercepted. Source forge no encryption. Easy for whoever is control of the exit node or relay and intercept trafficIf connection using https inside of tor cannot mess with it. <br>
anonymousTry to pirate content over tor. Bit torrent protocol not
 
safe over tor. Bad etiquette – slow the entire network downUse an
 
encrypted channel in tor.
 
  
Downloading from a site that is using httpTraffic can be
+
VPN question – Safer if you run open VPN server? It is a a bit more secure? It depends on threat modelSpy agencies – not a good threat model. Cause virtualize server cloud provider – controlling server for you. Run infrastructure. Do not as a good of a job for people who it for there jobPeople do it better.  Attacker will look for the weakest link in.
intercepted. Source forge no encryption. Easy for whoever is control
 
of the exit node or relay and intercept trafficIf connection using
 
https inside of tor cannot mess with it.
 
  
 +
=SSL Certificates=
  
SSL Certs – Domain validate – extended validations certs.  Cash cow
+
SSL Certs – Domain validate – extended validations certs.  Cash cow for people who make the certs.  Certs not really secure it all. Domain validation. Extended validation – not just you control a domain. You are who you say you are. Bank of America. Provide tax records. You are who you say you are.  Has gotten cheaper.  Keep out for let’s encrypt. Free SSL certs for everyone.  Automate process – nonprofit created by EFF. Issue certs for websites for free.  Have become certificate authority.  Cross signature from another CA.  Wants that because it looks better.  Same crypto for a “nicer” a bank.
for people who make the certs.  Certs not really secure it all. Domain
 
validation. Extended validation – not just you control a domain. You
 
are who you say you are. Bank of America. Provide tax records. You are
 
who you say you are.  Has gotten cheaper.  Keep out for let’s encrypt.
 
Free SSL certs for everyone.  Automate process – nonprofit created by
 
EFF. Issue certs for websites for free.  Have become certificate
 
authority.  Cross signature from another CA.  Wants that because it
 
looks better.  Same crypto for a “nicer” a bank.
 
 
 
VPN question – Safer if you run open VPN server? It is a a bit more
 
secure? It depends on threat model.  Spy agencies – not a good threat
 
model.  Cause virtualize server cloud provider – controlling server
 
for you.  Run infrastructure. Do not as a good of a job for people who
 
it for there job.  People do it better.  Attacker will look for the
 
weakest link in.
 
  
 
Freedom of Press – automating – ansible –
 
Freedom of Press – automating – ansible –
  
POND – encryption tool – hide meta data – obfuscate traffic analysis
+
POND – encryption tool – hide meta data – obfuscate traffic analysis ricochet – much easier to use. Not quite as secure.
ricochet – much easier to use. Not quite as secure.
 
  
Phones – baseband. Proprietary.
+
=Mobile=
Compartmentalize – keep things separate. Best way to avoid making
+
HTTPS – When using whatsapp – message contains metadata to tell who and where to send message. Whatsapp takes body and headers and uses whatsapp in encrypted tunnel. HTTPS – can do nothing to do with that. Still have to do a DNS lookup. DNS first connection cannot be hidden. TOR or VPN used over encryption.
mistakes.
+
* Phones – baseband. Proprietary.
 +
* Compartmentalize – keep things separate. Best way to avoid making mistakes.

Revision as of 18:58, 24 November 2015

Overview of Crypto – People of unfamiliar – why you might want to use encryption. Common places interact – network services – encryption can work well. Are some people – who need encryption to stay safe. In an act of solidarity – by using encryption we can raise the bar. Start a community against surveillance.

HTTPS

HTTPS – (HTTP) Add secure s is added at the end.

  • Browser add-on = https everywhere.
    • https everywhere force sites that use it for the client to user it.
  • Other sites support it and make it optional.
  • HTTPs relies on servers to support it.
  • Some support https by default some do not
    • Ok cupid – didn’t support secure connections at all.
    • Very concerned – Garret was heartbroken that OK cupid wouldn’t use https. Wrote to them and did not listen. Eventually they did overtime.
  • Used to work for Mozilla. In the browser community – trying to use https all the time and everywhere.
  • A ton of info about what you do online. More data that can be collected – more the NSA can build a profile about you.
  • In the context of the web – combating mass surveillance.
  • HTTPS does not obscure your location.

E-mail

E-mail – PGP or GPG used to encrypt your e-mails. A way to bolt security on the e-mail protocol. As the internet grew - malicious activity started to happen more frequently. Tried to use e-mail in a secure way – closest thing we have to making e-mail more secure.

E-mail has fields (headers) – meta data – How to send e-mail from one place to another. Nothing to be done to encrypt that information. All routing information is public. All GPG encrypts body of the e-mail. Which is good and an improvement. It’s not anonymous – Larger state adversaries can still do traffic analysis. Able to extract lots of information about who is talking to who. Trivial for them to collect it and build lots of information or a profile on someone. GPG or PGP should not be used. Garret personally does not recommend it.

A number of problems with PGP. Does not hide meta-data. Depending on threat model you may want to do that. You should always hide meta-data. NSA only collects meta-data – can paint a huge picture about who you are talking to and when.

PGP is not that great. Another problem. It uses old crypto. Might be easier for older people to break it. Uses RSA. It’s difficult to use. A really big problem. Technical problem. PGP and GPG lack forward secrecy.

When set up encrypted channel use secrete keys. If keys are secret then it’s secure. If not then they can be decrypted. Can re-use keys over and over again OR can use one time use keys. When connected to gmail.com over https. Send keys back and forth. Used same keys for everyone. If someone where to break into gmail servers. Post Snowden. Really bad. Not cool. Big push to support forward secrecy. Everyone talks to gmail negotiate a new key just for that session. Afermeral or session key. Makes it hard for other malicious actors (NSA) to go back and decrypt. Forward secrecy – key compromise a lot harder.

If Garrets private key (secrete) is compromised – can go read all of garrets e-mail. If loose GPG key. In huge trouble.

  • Smart card. Can only get in Germany.
  • Yubi keys.

What do you recommend in opposition to PGP??

  • OTR – forward secure chatting. Signal encrypts calls and messaging.

Tor

Traffic analysis is fairly easy. Tor makes it more difficult to track who is doing what or an anonymizing network. Sites cannot see who is actually visiting what websites. If you can see entire network. Global passive network – can make assumptions on who is doing what. Not entirely sure if gov agencies or NSA can deanonymize tor. In 2011 according to Snowden documents we knew the NSA couldn’t. Anyone can see the traffic on a exit node.

Difference between Virtual Private Network (VPN) and Tor

Used VPNS to connect to external work network. Used to proxy over the internet. Route traffic through your server. Observers of your connection cannot see what you are doing. Can only see that you are connecting to a VPN. VPN can see everything you do?

In China cannot google Tiananmen square. Connect to a VPN outside of China. VPN always knows what you are doing. TOR can be a better solution than using a VPN. Run by volunteers. One server knows who you are.

Tor servers that are run by volunteers. 7000 exit nodes. List of all servers is public. There are some sites that will intentionally block all servers. Very annoying. People use tor for abuse and SPAM all the time.

TOR is slow – three times longer to do everything. Tor makes multiple hops around the world. Pretty good. Can stream audio and video not great.

Do not use bittorrent over tor. Makes entire slow. Not really anonymous. Try to pirate content over tor. Bit torrent protocol not safe over tor. Bad etiquette – slow the entire network down. Use an encrypted channel in tor.

Downloading from a site that is using http. Traffic can be intercepted. Source forge no encryption. Easy for whoever is control of the exit node or relay and intercept traffic. If connection using https inside of tor cannot mess with it.

VPN question – Safer if you run open VPN server? It is a a bit more secure? It depends on threat model. Spy agencies – not a good threat model. Cause virtualize server cloud provider – controlling server for you. Run infrastructure. Do not as a good of a job for people who it for there job. People do it better. Attacker will look for the weakest link in.

SSL Certificates

SSL Certs – Domain validate – extended validations certs. Cash cow for people who make the certs. Certs not really secure it all. Domain validation. Extended validation – not just you control a domain. You are who you say you are. Bank of America. Provide tax records. You are who you say you are. Has gotten cheaper. Keep out for let’s encrypt. Free SSL certs for everyone. Automate process – nonprofit created by EFF. Issue certs for websites for free. Have become certificate authority. Cross signature from another CA. Wants that because it looks better. Same crypto for a “nicer” a bank.

Freedom of Press – automating – ansible –

POND – encryption tool – hide meta data – obfuscate traffic analysis ricochet – much easier to use. Not quite as secure.

Mobile

HTTPS – When using whatsapp – message contains metadata to tell who and where to send message. Whatsapp takes body and headers and uses whatsapp in encrypted tunnel. HTTPS – can do nothing to do with that. Still have to do a DNS lookup. DNS first connection cannot be hidden. TOR or VPN used over encryption.

  • Phones – baseband. Proprietary.
  • Compartmentalize – keep things separate. Best way to avoid making mistakes.