The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

Diffie-Hellman Key Exchange – YouTube

Posted by jpluimers on 2016/07/20

Great explanation of Diffie-Hellman Key Exchange – YouTube.

It is based on mixing colors and some colors of the mix being private.

Brilliant!

–jeroen

Posted in Algorithms, Development, Encryption, Hashing, https, OpenSSL, Power User, Public Key Cryptography, Security, Software Development

DEFCON 17: More Tricks For Defeating SSL – YouTube

Posted by jpluimers on 2016/07/11

Still relevant after a few years: DEFCON 17: More Tricks For Defeating SSL – YouTube.

I landed there after trying to find out how to verify the Internic root server file is actually published by Internic via authentication – Ways to sign gpg public key so it is trusted? – Information Security Stack Exchange.

I remember reading his “if you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom” post (Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle), but never noticed his videos.

It is still relevant as there are lots of implementations still vulnerable to these kinds of attacks.

Many more of his blog entries are interesting as well:


Posted in Encryption, Hashing, https, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Signing

Some Yubikey notes

Posted by jpluimers on 2016/06/10

For my own reference:

Always get at least two keys, configure them, and use only one. Store the rest in a safe place for when the first dies.

Get the NEO (if you need NFC) or NEO-n (if you don’t need NFC but love small form-factor).

–jeroen


Posted in Encryption, Hashing, Power User, Security, U2F FIDO Security Keys

400+ Free Resources for DevOps & Sysadmins

Posted by jpluimers on 2016/04/27

400+ Free Resources for DevOps & Sysadmins ranging from bitbucket/github via letsencrypt through loggly to cloudflare and all sorts of *aaS online IDEs, payment services and more.

via: Mary Tee referred to by Joe Hecht.

–jeroen

Posted in Development, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security, Software Development

Tools that Isotopp installed on his Mac…

Posted by jpluimers on 2016/04/01

On IRC: »i> Isotopp: I now have a Mac as my work computer… What tools does a UNIX hacker want to install first?«

Source: On IRC: »i> Isotopp: I now have a Mac as my work computer… What does… by Kristian Köhntopp.

Since G+ is very bad at searching, I created this summary of the tools; read the full G+ post (Google Translate is quite OK), including comments on why.

Edit: 20160402 – I’m posting regular updates based on the comments for that G+ post. I’ve changed or added German iTunes store links to US-English ones.


Posted in Apple, Audacity, Audio, Fusion, Hardware, Keybase, Keyboards and Keyboard Shortcuts, KVM keyboard/video/mouse, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Pro, Media, OS X 10.10 Yosemite, OS X 10.11 El Capitan, Power User, Security, VirtualBox, Virtualization, VMware

DEF CON 22 – Dan Kaminsky – Secure Random by Default – YouTube

Posted by jpluimers on 2016/02/25

Just while I was watching a nice DEFCON video about security

I came across these two links:

It really looks like too many companies are not genuinely interested in your security.

(Prices of Crazyradio PA devices on Amazon USA didn’t just go through the roof: they ran out of them)

–jeroen

Posted in Geeky, Security

Index of /materials/haxpo2015ams

Posted by jpluimers on 2015/11/27

It feels like yesterday, but haxpo2015ams was already six months ago!

Session materials index:

Index of /materials/haxpo2015ams

Name  Last modified  Size

D1 – Frank Breedijk – Help my Security Officer is Allergic to DevOps.pdf  2015-05-28 07:19  6.7M
D1 – Lisha Sterling – Hacking Humanitarian Project for Fun and Profit.pdf  2015-05-27 18:27  6.1M
D1 – Marc Newlin – ReDECTed.pdf  2015-05-27 16:56  1.7M
D1 – P. Mason, K. Flemming A. Gill – All Your Hostnames Are Belong to Us.pdf  2015-05-27 16:03  2.8M
D1 – Wouter van Rooij – Future Privacy.pdf  2015-05-27 16:16  715K
D2 – Bob Baxley – Privacy and Security in the Internet of Things.pdf  2015-05-28 17:00  7.1M
D2 – Edwin Sturrus – Data Security and Privacy in the Age of Cloud.pdf  2015-05-28 15:24  1.2M
D2 – Jessica Maes – Privacy in Digital Society.pdf  2015-05-28 12:18  4.1M
D2 – Jimmy Shah – BYOD is Now BYOT – Current Trends in Mobile APT.pdf  2015-05-28 15:55  3.6M
D3 – Jaya Baloo – Crypto is Dead Long Live Crypto.pdf  2015-05-29 17:17  4.4M
D3 – Jeroen van der Ham – Responsible Disclosure in The Netherlands.pdf  2015-05-29 16:37  1.7M
D3 – Oliver Matula and Christopher Scheuring – Evaluating the APT App Armor.pdf  2015-05-29 11:55  3.9M
D3 – R. Schaefer and J. Salazar – Pentesting in the Age of IPv6.pdf  2015-05-29 16:22  1.8M
D3 – Ruben van Vreeland – New Attack Vectors for Exploiting Web Platforms.pdf  2015-05-29 11:55  816K
HAXPO HIGHLIGHT – Andrew Tanenbaum – MINIX3.pdf  2015-05-28 15:19  9.2M
HAXPO HIGHLIGHT – Eleanor Saitta – Designing Security Outcomes.pdf  2015-05-29 15:15  1.4M
HAXPO HIGHLIGHT – Reuben Paul – The A-to-Z of CyberSecurity.pdf  2015-05-28 15:19  17M
HAXPO WELCOME – Richard Thieme – Too Much to Know.pdf  2015-05-27 13:37  6.3M


–jeroen

Posted in *nix, *nix-tools, Encryption, Hashing, https, LifeHacker, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Signing

StartSSL indeed offers free Class1 certificates for any subdomain

Posted by jpluimers on 2015/11/20

Thanks Craine for answering:

StartSSL does in fact offer free SSL certs for subdomains, though they are Class 1 certificates.

It works: just start the process for the domain, then when you get to the step for entering a subdomain, enter any one (of course www works, but you can do the process multiple times to register certificates for multiple subdomains).

–jeroen

via: tls – Free second-level domain SSL certificate – Information Security Stack Exchange

Posted in *nix, *nix-tools, Apache2, https, Power User, Security

How is NSA breaking so much crypto? “weak” standard primes for Diffie-Hellman are being widely used and take NSA only ~$100 million to crack

Posted by jpluimers on 2015/11/19

Interesting: a few quotes below; read How is NSA breaking so much crypto? and the full paper Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice for details.

The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.

.. there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.

How enormous a computation, you ask? …  For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.

Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.

NSA could afford such an investment. The 2013 “black budget” request …  shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.

… However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto.

Since weak use of Diffie-Hellman is widespread in standards and implementations, it will be many years before the problems go away, even given existing security recommendations and our new findings. In the meantime, other large governments potentially can implement similar attacks, if they haven’t already.

Our findings illuminate the tension between NSA’s two missions, gathering intelligence and defending U.S. computer security. If our hypothesis is correct, the agency has been vigorously exploiting weak Diffie-Hellman, while taking only small steps to help fix the problem. On the defensive side, NSA has recommended that implementors should transition to elliptic curve cryptography, which isn’t known to suffer from this loophole, but such recommendations tend to go unheeded absent explicit justifications or demonstrations. This problem is compounded because the security community is hesitant to take NSA recommendations at face value, following apparent efforts to backdoor cryptographic standards.

–jeroen


Posted in Algorithms, Development, Encryption, Power User, Security, Software Development

Hash Toolkit – Reverse MD5 / SHA1 Hashes

Posted by jpluimers on 2015/11/11

Interesting: Hash Toolkit – Reverse MD5 / SHA1 Hashes

They generate and allow you to generate various hashes, and store both the hash and original so you can reverse it.

Not meant for production data, but an approach for verifying if you do hashing correctly.

–jeroen

via: Hash Toolkit – Reverse MD5 / SHA1 Hashes.

Posted in Development, Hashing, md5, Power User, Security, Software Development