./

~ Shifts | Thoughts | Evolution | Innovation

Tag Archives: DHA

Why bother with PGP …???

04 Sunday Apr 2010

Posted by Abhi Raj in Sectruni0

Tags

Cryptography, DHA, Hacking, NSA, PGP

The very nature of email communication makes it perfect for spying and tapping. Imagine all the emails that fly across the Atlantic Ocean. Every single one of them could be tapped without you even noticing it. Of course, thinking that someone will sit and read every single one of them is preposterous – but the “problem” is that nobody has to.

The biggest reason in my mind to use PGP some years back was to resist the government. That sounds pretty crazy. I don’t mean resist in an anarchistic or Disestablishmentarian way but in the same way that one doesn’t want themselves being frisked by police daily. (Which used to happen to my *underground internet friends a lot*. Maybe it’s the way they look…)

The FBI, NSA, DEA and other government agencies had the ability to wire-tap pretty much anything they wanted to. Most recently this has come in the form of the Omnivore and Carnivore boxes, which are installed most probably in every ISP and filter through all the incoming or outgoing packets to pick out those of suspected criminals. This means they read all the information passing through an ISP. That could be anything from my or your private emails, to our banking records, to this node I write, right now. Maybe that’s not a terrible thing, but I will feel a lot safer when my web browser uses cryptographically strong encryption.

PGP stands for ‘Pretty Good Privacy’. This is a self-deprecating joke, since PGP uses ‘military strength’ strong cryptography to provide privacy, confidentiality and validity to your data and that of other people.

The software was first released in 1991, and was distributed by (among others) Kelly Goen, who used several pay-phones, each miles apart, and an acoustic coupler to upload it to various BBSes, USENET groups, and FTP sites within the US, staying at one location for several minutes before moving on. From there it spread rapidly, and quickly disseminated to Europe and Australasia, among other places.

Since its initial release, PGP has evolved considerably. Network Associates has taken the PGP brand and expanded it to take the form of a complete personal security/privacy package. The standard tools are now:

  • Email encryption – this is the main use case. It is now capable of using Diffie-Hellman algorithms as well as RSA. There are plug-ins for the most common email clients.
  • File encryption – Apart from the possibility of using public key encryption in email, it can also be used on traditional files. PGP uses strong encryption such as CAST, IDEA, Triple DES, and in the latest version Rijndael.
  • File wipe – in most operating systems, when you delete a file, it isn’t really gone. All that has been deleted is the pointer to the file’s location – the bytes which that file used to consist of still exist and can be recovered using commonly available tools, and may be recoverable by special forensic tools even after the actual bytes have been overwritten. PGP contains a utility which directly over-writes the bytes of the file with pseudo-random data up to thirty-two times. At the highest setting, it takes about four hours to wipe a gigabyte of data. Recent advances in data recovery using very expensive atomic-level imaging equipment may circumvent even this.
  • Disk cleaner – this simply writes over all the free space on your hard-drive using the same method as above. This is used for making sure that any programs you’ve used do not leave sensitive temporary files half-deleted. It’s best to leave this running overnight, unless you sleep in the same room as your computer, in which case it’s too noisy – it thrashes your hard-drive, after all 🙂
  • Secure networking protocol suite – if anyone’s actually used this, feel free to add a w/u below.

PGP has also established the OpenPGP message format, which is now used by several applications such as GPG. PGP has occasionally made the headlines for having various flaws discovered.
To guard against this, keep your private key on media that you trust not to be available to an attacker, i.e. your home PC under a further (different) layer of encryption, a disk in your wallet, or, if you don’t trust disks, burn a CD and keep it with you, if you feel that someone might want access to your encrypted conversations that badly.

Other vulnerabilities discovered meant that additional decrypting keys (ADKs) could be appended to the end of a public-key without any error checking. This ‘feature’ was originally included in version six and above for corporate use – as a message recovery feature. However, it was discovered that it was possible to add additional ADKs without PGP including them in the key-block hash function checking procedure. Anything encrypted with that public key-block would then be available to the owner of the appended key.
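The ADK problem described above can be modelled in a few lines. This is an added example, not PGP's code: the key block is a simplified dictionary, the field names `hashed` and `unhashed`, the key names and the toy RSA key built from two Mersenne primes are all assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key for the key owner (textbook RSA, illustration only).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def block_digest(block):
    """Hash only the fields the owner's self-signature is meant to cover."""
    covered = repr((block["key_id"], block["hashed"])).encode()
    return int.from_bytes(hashlib.sha256(covered).digest(), "big")

def make_key_block(key_id, adks=()):
    block = {"key_id": key_id, "hashed": [["adk", k] for k in adks], "unhashed": []}
    block["sig"] = pow(block_digest(block), D, N)  # owner's self-signature
    return block

def signature_ok(block):
    return pow(block["sig"], E, N) == block_digest(block)

def recipients_flawed(block):
    """Flawed behaviour: every ADK entry in the block is honoured."""
    entries = block["hashed"] + block["unhashed"]
    return [block["key_id"]] + [k for tag, k in entries if tag == "adk"]

def recipients_strict(block):
    """Honour only ADKs that are covered by a valid self-signature."""
    if not signature_ok(block):
        raise ValueError("self-signature does not verify")
    return [block["key_id"]] + [k for tag, k in block["hashed"] if tag == "adk"]

def demo():
    block = make_key_block("ALICE-KEY", adks=["CORP-RECOVERY-KEY"])
    # Entry appended after signing, outside the data the signature covers.
    block["unhashed"].append(["adk", "UNAUTHORISED-KEY"])
    return signature_ok(block), recipients_flawed(block), recipients_strict(block)

if __name__ == "__main__":
    print(demo())
```

The signature still verifies after the append because the extra entry was never part of the hashed data; only the strict variant ignores it.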

Despite these two flaws (and probably others which happened before my time), PGP remains one of the most user-friendly encryption tools around. However, if you run a *NIX variant, GPG is recommended, as the whole thing is GPLed, and they generally fix flaws such as the ones described above within weeks as opposed to months.

To encrypt and sign a message the following steps are observed:

  1. Signing: An encrypted (or unencrypted) message can be signed to provide absolute proof that the message did indeed come from its apparent sender. To achieve this, MD5 is applied to the message to get a unique checksum that can only apply to that message. This is then encrypted using RSA and the sender’s private key (which only he knows). It can then be decoded using the sender’s public key (as held by the recipient) to verify that the message is authentic. This works on the principle that only the sender’s public key will decrypt a message encrypted with his private key, which only the sender knows; therefore, if it can be decoded, it must be from him. The signature is sent along with the main body of the message.
  2. Encryption: Firstly, a unique and random 128-bit key is generated for that session (called the session key). The message (or the message and its encoded signature) is then encoded with IDEA using this key. The random key is then encoded using the RSA method with the recipient’s public key, and these two encoded parts are combined to form the encoded message (along with a signature if one is present).
  3. Decryption: To decode the message, the recipient applies his private key to the encoded session key to obtain the session key. This is then applied to the main IDEA encoded message to decode the message and, if applicable, the electronic signature.
  4. Authentication: To verify that a message is authentic, the recipient must decode the checksum using the sender’s public key and then apply MD5 to the message and compare the result with the checksum sent with the message (if they match, the message has not been tampered with).
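The four steps above, carried through end to end as an added example (not PGP's code). It assumes textbook RSA without padding on constructed toy keys built from Mersenne primes, and a SHA-256 counter keystream standing in for IDEA, which the Python standard library does not provide; it shows the data flow only.

```python
import hashlib, secrets

def toy_keypair(p, q, e=65537):
    """Textbook RSA key from two known primes (constructed demo keys)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

SENDER_PUB, SENDER_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
RECIP_PUB, RECIP_PRIV = toy_keypair(2**127 - 1, 2**107 - 1)
SIG_LEN = 141  # bytes needed to hold a value below the sender's modulus

def keystream_xor(key, data):
    """Stand-in for IDEA: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def md5_int(msg):
    return int.from_bytes(hashlib.md5(msg).digest(), "big")

def sign(msg, sender_priv):                      # step 1
    n, d = sender_priv
    return pow(md5_int(msg), d, n)

def encrypt(msg, sig, recipient_pub):            # step 2
    n, e = recipient_pub
    session_key = secrets.token_bytes(16)        # random 128-bit session key
    body = keystream_xor(session_key, sig.to_bytes(SIG_LEN, "big") + msg)
    return pow(int.from_bytes(session_key, "big"), e, n), body

def decrypt(wrapped_key, body, recipient_priv):  # step 3
    n, d = recipient_priv
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    plain = keystream_xor(session_key, body)
    return int.from_bytes(plain[:SIG_LEN], "big"), plain[SIG_LEN:]

def authenticate(msg, sig, sender_pub):          # step 4
    n, e = sender_pub
    return pow(sig, e, n) == md5_int(msg)

if __name__ == "__main__":
    text = b"constructed sample message"
    wrapped, body = encrypt(text, sign(text, SENDER_PRIV), RECIP_PUB)
    sig, recovered = decrypt(wrapped, body, RECIP_PRIV)
    print(recovered, authenticate(recovered, sig, SENDER_PUB))
```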

Personally, I am not a criminal, and I really don’t mind the monitoring of terrorism. But at the same time, I strongly resent the fact that I can’t seem to keep my privacy either, because of the mentioned laws and law practices. That’s why I urge you to have a look at PGP – Pretty Good Privacy. Free encryption that makes sure that only the recipient can read your emails!



#Everything2 :The main source, back to 10 yrs, (‘paran0id’: hackhound.com, contributor, cousin)
#This post can also be read here