Raymond P. Burkholder - Things I Do - Cryptography

Security, Encryption, Cryptography

nospam@example.com (Raymond P. Burkholder) — Sat, 19 May 2018 01:09:27 +0000

I am looking to build a small console based password manager. I started looking at this when RoboForm stopped being able to work in a Firefox browser with a local password file. They now force passwords to their cloud platform. Uck.

Bottom line, I need to encrypt sites, names, and passwords into a small files which I can rsync amongst devices until I can build in a sync'ing process. I would like to be able to do this between Linux, Mac, Windows, and Android.

I started by doing a test program with crypto++, as it seemed to be a lightweight library which could easily be adapted for use on the Android.

Further research indicates that switching to libsodium might be worthwhile. Documentation seems to be better, and it explicitly supports Android, and it interestingly discusses the drawbacks of using GCM-AES, and instead suggests using ChaCha20-Poly1305 for Authenticated Encryption.

Something to go along with is being able to use the SSH agent for nonce signing. Information is available in SSH Agent Protocol or draft-miller-ssh-agent-02. With a bit of an example at How to use the ssh-agent programmatically for RSA signing .

More coding to do.

In related reading, I came across:

Tox, protected, encrypted, private, distributed instant messaging, voice, video, screen sharing, filesharing, and groups.
stellar: is a platform that connects banks, payments systems, and people. Integrate to move money quickly, reliably, and at almost no cost.
pbox which uses pbox files to hold encrypted items (almost what I'd like to do)
OpenBazaar: a free online marketplace, with no platform fees, no restrictions, and provides an ability to earn cryptocurrency. Some background.
Self-sovereign identity - an entirely new distributed ledger that’s engineered for the sole purpose of identity. supporting cast.

Beginnings of a console based password manager.

Embedded Design: Crypto

nospam@example.com (Raymond P. Burkholder) — Tue, 15 Sep 2015 21:04:42 +0000

Various crypto attacks have come to light. BetterCrypto talks of the LogJam Attack (a Diffie-Hellman weakness exploit) and how to mitigate its issues. The site also has a Applied Crypto Hardening document, which is over 100 pages long, for how to how to harden common crypto-utilizing systems.

The post lead to look at crypto devices for carrying around private keys and performing two factor authentication for Linux. One site I came across was performs his initial trials of Linux based smartcards.

Coming at the problem from a different direction, I came across someone using a Programming the FST-01 (gnuk) with a Bus Pirate + OpenOCD. This article is about getting gnuk devices to work with the Debian releases. The interesting twist here is that the author wanted to actually customize the devices. I didn't think this was possible. But the article talks about using a programmer which uses SWD support to get down and dirty with the hardware. OpenOCD, which is the short form for Open On Chip Debugging, forms a primary role in the article.

On Chip Debugging opens up a whole new avenue of exploration for Embedded Systems Desgn. The Bus Pirate, mentioned above, can be found at Dangerous Prototypes

As part of some embedded solutions I am looking at, I picked up a few NVIDIA Jetson TK1 devices. It is cool that Christian's Blog talks about Debugging the Linux kernel via JTAG on the NVIDIA Jetson TK1 / Jetson Pro DevKit where JTAG is a very common mechanism for On Chip Debugging and testing.

Going a little further afield, I came across sigrok which is a project aiming at "creating a portable, cross-platform, Free/Libre/Open-Source signal analysis software suite that supports various device types (e.g. logic analyzers, oscilloscopes, and many more)." Rigol seemed to be a manufacturer of respected, compatible devices.

Even further afield, not crypto related, but something interesting, I came across an interesting DSP based solution with the TMS320F28016 development board which is "known to be the world's lowest cost 32-bit Real Time Microcontroller (DSP) with a build in CAN".

While on the subject of crypto, here is something on how to Secure Secure Shell (SSH). SSH has the capability of using many different crypto combinations. The default may not necessarily be the best. This describes the more secure combinations and how to use them.

While on the subject of hardening, a site describing Hardening your HTTP response headers. Mostly, IIS, but some nginx and a tiny bit apache.

Linux Crypto

nospam@example.com (Raymond P. Burkholder) — Tue, 08 Jul 2014 16:17:55 +0000

A link to another site Linux Crypto: Introduction covering such things as:

Securing Passwords

nospam@example.com (Raymond P. Burkholder) — Sun, 22 Sep 2013 17:21:31 +0000

With the Snowden based revelations, people have become more aware of security and privacy. The revelations have had extreme affects on some individuals. I can name one for example: PJ who runs/ran Groklaw.

I have been following the site since near it's inception, back when SCO was suing everything and everyone related to Unix. Groklaw performed unparallelled research into the underpinnings of various maneuverings and cases around the subject. Issues relating to privacy, for her personally, became front and center. The fact that the internet and anything flowing through it was being analyzed in various ways caused PJ, for various personal reasons described in her farewall entry, to totally abandon Groklaw.

It is sad that things came to this, particularly for a site as popular as Groklaw.

For those of us still making use of the internet, we have to 'batten down the hatches'. With this heightened awareness of security, I have been spending more time with some cryptography lists and websites. One site of immediate interest is AgileBits, a group who produce multi-platform password management software. While I'm on the subject, RoboForm also produce password management software.

Anyway, back to AgileBits. The company has a blog website discussing password strength, especially for the master password, which protects your stored passwords. One article in particular is good: Toward Better Master Passwords. The weakness of traditional passwords is discussed. And they offer a solution for creating stronger passwords. One of the solutions they suggest is by making use of pass-phrases rather than passwords. To assist with making randomized pass-phrases, The Diceware Passphrase Home Page is suggested as a resource.

The basic technique makes use a random word list and five dice. The dice are rolled to to choose random words from a list. You then use the random words as your pass-phrase. There are additional techniques discussed to make the pass-phrase even stronger if so desired.

The weakness behind this strong password is that one's computer could be compromised with a keyboard sentinel. Working around that issue would be the subject of another article.