DOCSLIB.ORG

An Illustrative Inventory of Widely- Available Encryption Applications Kevin Bankston, Ross Schulman, and Jake Laperruque

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Illustrative Inventory of Widely- Available Encryption Applications Kevin Bankston, Ross Schulman, and Jake Laperruque NEW AMERICA An Illustrative Inventory of Widely- Available Encryption Applications Kevin Bankston, Ross Schulman, and Jake Laperruque out ofout the safeofout the encryption safeofout the encryption apps safeofout wouldthe encryption apps safe beofout wouldthe encryption apps safe beofout wouldthe encryption appssafe beofout wouldthe encryption apps safe beof wouldthe encryption apps safe be would encryption apps be would apps be would be onlyonly1 ofonly91a e edofonly91 bya e edof USonly9 government1 bya e edof USonly9 government1 byregulationa e edof USonly9 government1 byregulationa e ed of USonly9 government1 bya e edregulationout of US9 government1 byregulationa e ed ofof US the9 government encrypted byregulationa e ed US government apps regulationby US reportedly government regulation identified regulation as ‘safe’ or Only 1 of 9 ‘safest’ by ISIS would be affected by regulation in the U.S. When it comes to encryption, the genie is out of the When it comes to encryption, the horse is out of bottle. But encryption isn’t magic. It’s math, and the barn, the ship has sailed, and the toothpaste very well-known math at that. The basic principles isn’t going back in the tube. The math, and the behind modern end-to-end encryption of digital technology, is already out there. Therefore, any messages, where only the recipient of the message attempt by the U.S. government to pressure U.S. can decode it, are nearly four decades old.1 companies to redesign their end-to-end encrypted services so that they have the keys necessary to U.S. companies like Apple and Facebook, providers decrypt the communications—which is really just of the encrypted messaging services iMessage and another way of saying “stop deploying end-to-end WhatsApp, don’t have a monopoly on strong end- encryption”—would be futile. There are plenty of to-end encryption tools. Strong encryption tools other reasons why anti-encryption regulation would are everywhere, and over a billion ordinary people be bad for America, which we’ve laid out many around the world rely on them every day. times over the past year in Congressional testimony, research papers, blog posts, op-eds and more.5 There are countless applications that are freely available online, across the globe, with unbreakable But the biggest reason is just this: anti-encryption end-to-end encryption. The vast majority of those regulation will not make us safer. It’s all cost, no applications are either “open source” software that benefit. anyone is free to use, review, copy or build on,2 and/or are offered by companies, organizations or developers outside of the United States. In fact, it’s Surveillance backdoors are a lose- so easy to create new end-to-end encryption apps, lose proposition: they won’t make jihadists have been coding their very own secure messaging tools since at least 2007, tools with the terrorists less secure, only names like Mujahadeen Secrets and Security of the ourselves—and former heads of the Mujahid.3 Another app that terrorists are claimed to DHS, NSA and CIA agree. have used, Telegram, is based in Berlin.4 The Crypto Cat is Out of the Bag 1 A surveillance backdoor into U.S. products will We agree with former Director McConnell that not stop terrorists from using other end-to-end the encryption genie is out of the bottle, as encryption tools that are widely available online demonstrated by the following charts. That’s why around the world. It will only discourage a lot of the White House and Congress should sensibly normal, law-abiding Americans from using it, while reject any calls to regulate the availability of strong also discouraging international users from relying encryption tools, just as they did 20 years ago.8 on U.S. products that have been rendered less secure. Surveillance backdoors are a lose-lose The figure below is adapted from a chart that proposition: they won’t make the terrorists less reportedly came from an ISIS information security secure, only ourselves—and former heads of the training manual, which identified encrypted DHS, NSA and CIA agree.6 messaging applications that were thought to be “safe” and “safest” (as opposed to “moderately As former NSA Director and Director of National safe” or “unsafe”).9 As you’ll see, all of the Intelligence Mike McConnell puts it, rather encryption apps considered “safest” by ISIS are than trying to fight the inevitable, government open source, foreign-based, or both, as are three investigators need to adapt to a world with out of the four apps considered “safe”. Therefore, of widespread encryption: the nine apps recommended as “safe” or “safest”, eight of them are outside of U.S. regulation’s reach. “Don’t get in the way of pro gress. Don’t get in the way of in nov a tion and cre ativ ity, be cause The second figure is an illustrative inventory of the this is go ing to hap pen. Some body’s go ing many popular, easy to get, easy to use end-to-end to provide this en cryp tion.” Therefore, law encryption tools available right now that are either enforcement must “adapt,” says McConnell. “If open source, developed outside of the US, or both, law en force ment starts to change the way they and would therefore be minimally affected if at think about this, I think there are many, many all by U.S. legislation or action by U.S. companies. ways to carry out the mis sion, giv en that you In sum, it describes sixteen popular apps for fully are faced with a situ ation where tech no logy is encrypted email, chat, messaging or voice calls not go ing to be re versed.”7 that are outside of U.S. regulation’s reach. ISIS’ Favorite Encryption Apps are Open Source, Foreign-Based, or Both10 Apps Labeled Safest by ISIS Key OSTel Signal Open Source ChatSecure Silent Circle11 Open Source and Foreign Redphone12 Under U.S. Regulation Apps Labeled Safe by ISIS Surespot Telegram Wickr Threema 2 OPEN TECHNOLOGY INSTITUTE An Illustrative Inventory of End-to-End Encrypted Applications that are Open Source, Foreign-Based, or Both Is App Company or What does it What operating systems Is Company or Org App Open Organization encrypt? is it available on? U.S. Based? Source? N/A; Adium is an open Instant No; Adium is an open Mac Yes Adium development project messaging development project The Guardian Project (nonprofit research Chat iPhone and Android Yes Yes ChatSecure and development organization) iPhone, Mac, and via N/A; Cryptocat is an No; Cryptocat is an a web application for open development Chat Yes open development Cryptocat Chrome, Firefox, and project project Safari browsers N/A; GnuPG is an open No; GnuPG is an open Email Linux Yes GnuPG development project development project No; Intevation GmbH Intevation GmbH and and G10 Code GmbH Email Windows PC Yes Gpg4win G10 Code GmbH are German-based companies N/A; GPGTools is an No; GPGTools is an GPGTools open development Email Mac Yes open development project project Android devices, N/A; Jitsi is an open Voice calls and No; Jitsi is an open Windows PC, Mac, and Yes Jitsi development project text messaging development project Linux No; Mailvelope GmbH Mailvelope Mailvelope GmbH Email Web application Yes is a German-based company The Guardian Project iPhone, Android devices, (nonprofit research Voice calls Blackberry, Windows PC, Yes Yes Ostel and development Mac, and Linux organization) N/A; Pidgin is an open Instant No; Pidgen is an open Windows pC and Linux Yes Pidgin development project messaging development project N/A; RetroShare is an No; RetroShare is an Text messaging Mac, Windows PC, and open development Yes open development RetroShare and email Linux project project Voice calls and Open Whisper Systems iPhone and Android Yes Yes Signal text messaging No; Silent Circle Voice calls and Silent Silent Circle iPhone and Android Yes is a Swiss-based text messaging Phone company iPhone and Android Surespot, LLC Text messaging Yes Yes Surespot devices iPhone, iPad, Android No; Telegram devices, Windows Phone, Messenger is a Telegram Messenger Text messaging Partially Telegram Windows PC, Mac, Linux, German-based and via web application company No; Threema GmbH Threema Threema GmbH Text messaging iPhone and Android Yes is a Swiss-based company The Crypto Cat is Out of the Bag 3 Notes 1. The foundational work in this area began with com/read/former-nsa-chief-strongly-disagrees-with- Whitfield Diffie and Martin Hellman’s New Directions in current-nsa-chief-on-encryption. Cryptography, IEEE Transactions in Information Theory 7. Kaveh Wadell, The National Journal, Former (Nov. 6, 1976), available at http://www-ee.stanford. Intelligence Director: Law Enforcement Must edu/~hellman/publications/24.pdf. “Adapt” to Encryption (October 1, 2015), available at 2. Open-source software (OSS) is computer software http://www.nationaljournal.com/s/74230/former- with its source code made available with a license intelligence-director-law-enforcement-must-adapt- in which the copyright holder provides the rights encryption. to study, change, and distribute the software to 8. Danielle Kehl, Andi Wilson, and Kevin Bankston, anyone and for any purpose. Open-source software Doomed to Repeat History? Lessons From The may be developed in a collaborative public manner,” Crypto Wars of the 1990s, New America’s Open which we refer to below as “open development”. Technology Institute, June 2015, available at See Wikipedia, Open-source softare (last modified https://static.newamerica.org/attachments/3407- December 7, 2015), available at https://en.wikipedia. doomed-to-repeat-history-lessons-from-the- org/wiki/Open-source_software. Even the encryption crypto-wars-of-the-1990s/OTI_Crypto_Wars_History.
Load more

Recommended publications
  • Uila Supported Apps
    Uila Supported Applications and Protocols updated Oct 2020 Application/Protocol Name Full Description 01net.com 01net website, a French high-tech news site. 050 plus is a Japanese embedded smartphone application dedicated to 050 plus audio-conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also 10086.cn classifies the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese web portal operated by YLMF Computer Technology Co. Chinese cloud storing system of the 115 website. It is operated by YLMF 115.com Computer Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr Korean shopping website 11st. It is operated by SK Planet Co. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt Lithuanian news portal Chinese web portal 163. It is operated by NetEase, a company which 163.com pioneered the development of Internet in China. 17173.com Website distributing Chinese games. 17u.com Chinese online travel booking website. 20 minutes is a free, daily newspaper available in France, Spain and 20minutes Switzerland. This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Shared 2shared is an online space for sharing and storage.
    [Show full text]
  • Privacy Resources 2018
    Privacy Resources 2018 By Marcus P. Zillman, M.S., A.M.H.A. Executive Director – Virtual Private Library [email protected] Privacy Resources 2018 is a comprehensive listing of privacy resources currently available on the Internet. These include associations, indexes, search engines as well as individual websites and sources that supply the latest technology and information about privacy and how it relates to you and the Internet. The below list of sources is taken from my Subject Tracer™ Information Blog titled Privacy Resources and is constantly updated with Subject Tracer™ bots from the following URL: http://www.PrivacyResources.info/ These resources and sources will help you to discover the many pathways available to you through the Internet to find the latest privacy sources and sites. Figure 1: Privacy Resources 2018 Subject Tracer™ Information Blog 1 [Updated: April 1, 2018] Privacy Resources 2018 White Paper Link Compilation http://www.PrivacyResources.info/ [email protected] Voice: 800-858-1462 © 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 Marcus P. Zillman, M.S., A.M.H.A. Privacy Resources 2018: 10 Best Security and Privacy Apps for Smartphones and Tablets http://drippler.com/drip/10-best-security-privacy-apps-smartphones-tablets 10 Minute Mail http://10minutemail.com/10MinuteMail/index.html 10 Privacy Gadgets To Help You Keep a Secret http://www.popsci.com/keep-your-secrets-a-secret 10 Reasons to Use a VPN for Private Web Browsing http://netforbeginners.about.com/od/readerpicks/tp/Reasons-to-Use-a-VPN-Service.htm
    [Show full text]
  • N2N: a Layer Two Peer-To-Peer VPN
    N2N: A Layer Two Peer-to-Peer VPN Luca Deri1, Richard Andrews2 ntop.org, Pisa, Italy1 Symstream Technologies, Melbourne, Australia2 {deri, andrews}@ntop.org Abstract. The Internet was originally designed as a flat data network delivering a multitude of protocols and services between equal peers. Currently, after an explosive growth fostered by enormous and heterogeneous economic interests, it has become a constrained network severely enforcing client-server communication where addressing plans, packet routing, security policies and users’ reachability are almost entirely managed and limited by access providers. From the user’s perspective, the Internet is not an open transport system, but rather a telephony-like communication medium for content consumption. This paper describes the design and implementation of a new type of peer-to- peer virtual private network that can allow users to overcome some of these limitations. N2N users can create and manage their own secure and geographically distributed overlay network without the need for central administration, typical of most virtual private network systems. Keywords: Virtual private network, peer-to-peer, network overlay. 1. Motivation and Scope of Work Irony pervades many pages of history, and computing history is no exception. Once personal computing had won the market battle against mainframe-based computing, the commercial evolution of the Internet in the nineties stepped the computing world back to a substantially rigid client-server scheme. While it is true that the today’s Internet serves as a good transport system for supplying a plethora of data interchange services, virtually all of them are delivered by a client-server model, whether they are centralised or distributed, pay-per-use or virtually free [1].
    [Show full text]
  • Biting Into Forbidden Fruit
    Biting into the forbidden fruit Lessons from trusting Javascript crypto Krzysztof Kotowicz, OWASP Appsec EU, June 2014 About me • Web security researcher • HTML5 • UI redressing • browser extensions • crypto • I was a Penetration Tester @ Cure53 • Information Security Engineer @ Google Disclaimer: “My opinions are mine. Not Google’s”. Disclaimer: All the vulns are fixed or have been publicly disclosed in the past. Introduction JS crypto history • Javascript Cryptography Considered Harmful http://matasano.com/articles/javascript- cryptography/ • Final post on Javascript crypto http://rdist.root.org/2010/11/29/final-post-on- javascript-crypto/ JS crypto history • Implicit trust in the server to deliver the code • SSL/TLS is needed anyway • Any XSS can circumvent the code • Poor library quality • Poor crypto support • No secure keystore • JS crypto is doomed to fail Doomed to fail? Multiple crypto primitives libraries, symmetric & asymmetric encryption, TLS implementation, a few OpenPGP implementations, and a lot of user applications built upon them. Plus custom crypto protocols. https://crypto.cat/ https://www.mailvelope.com/ http://openpgpjs.org/ JS crypto is a fact • Understand it • Look at the code • Find the vulnerabilities • Analyze them • Understand the limitations and workarounds • Answer the question: can it be safe? JS crypto vulns in the wild • Language issues • Caused by a flaw of the language • Web platform issues • Cased by the web • Other standard bugs • out of scope for this presentation Language issues Language issues matter
    [Show full text]
  • Cisco SCA BB Protocol Reference Guide
    Cisco Service Control Application for Broadband Protocol Reference Guide Protocol Pack #60 August 02, 2018 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Universidad Pol Facultad D Trabajo
    UNIVERSIDAD POLITÉCNICA DE MADRID FACULTAD DE INFORMÁTICA TRABAJO FINAL DE CARRERA ESTUDIO DEL PROTOCOLO XMPP DE MESAJERÍA ISTATÁEA, DE SUS ATECEDETES, Y DE SUS APLICACIOES CIVILES Y MILITARES Autor: José Carlos Díaz García Tutor: Rafael Martínez Olalla Madrid, Septiembre de 2008 2 A mis padres, Francisco y Pilar, que me empujaron siempre a terminar esta licenciatura y que tanto me han enseñado sobre la vida A mis abuelos (q.e.p.d.) A mi hijo icolás, que me ha dejado terminar este trabajo a pesar de robarle su tiempo de juego conmigo Y muy en especial, a Susana, mi fiel y leal compañera, y la luz que ilumina mi camino Agradecimientos En primer lugar, me gustaría agradecer a toda mi familia la comprensión y confianza que me han dado, una vez más, para poder concluir definitivamente esta etapa de mi vida. Sin su apoyo, no lo hubiera hecho. En segundo lugar, quiero agradecer a mis amigos Rafa y Carmen, su interés e insistencia para que llegara este momento. Por sus consejos y por su amistad, les debo mi gratitud. Por otra parte, quiero agradecer a mis compañeros asesores militares de Nextel Engineering sus explicaciones y sabios consejos, que sin duda han sido muy oportunos para escribir el capítulo cuarto de este trabajo. Del mismo modo, agradecer a Pepe Hevia, arquitecto de software de Alhambra Eidos, los buenos ratos compartidos alrrededor de nuestros viejos proyectos sobre XMPP y que encendieron prodigiosamente la mecha de este proyecto. A Jaime y a Bernardo, del Ministerio de Defensa, por haberme hecho descubrir las bondades de XMPP.
    [Show full text]
  • A History of End-To-End Encryption and the Death of PGP
    25/05/2020 A history of end-to-end encryption and the death of PGP Hey! I'm David, a security engineer at the Blockchain team of Facebook (https://facebook.com/), previously a security consultant for the Cryptography Services of NCC Group (https://www.nccgroup.com). I'm also the author of the Real World Cryptography book (https://www.manning.com/books/real-world- cryptography?a_aid=Realworldcrypto&a_bid=ad500e09). This is my blog about cryptography and security and other related topics that I Ûnd interesting. A history of end-to-end encryption and If you don't know where to start, you might want to check these popular the death of PGP articles: posted January 2020 - How did length extension attacks made it 1981 - RFC 788 - Simple Mail Transfer Protocol into SHA-2? (/article/417/how-did-length- extension-attacks-made-it-into-sha-2/) (https://tools.ietf.org/html/rfc788) (SMTP) is published, - Speed and Cryptography the standard for email is born. (/article/468/speed-and-cryptography/) - What is the BLS signature scheme? (/article/472/what-is-the-bls-signature- This is were everything starts, we now have an open peer-to-peer scheme/) protocol that everyone on the internet can use to communicate. - Zero'ing memory, compiler optimizations and memset_s (/article/419/zeroing-memory- compiler-optimizations-and-memset_s/) 1991 - The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations The US government introduces the 1991 Senate Bill 266, (/article/461/the-9-lives-of-bleichenbachers- which attempts to allow "the Government to obtain the cat-new-cache-attacks-on-tls- plain text contents of voice, data, and other implementations/) - How to Backdoor Di¸e-Hellman: quick communications when appropriately authorized by law" explanation (/article/360/how-to-backdoor- from "providers of electronic communications services di¸e-hellman-quick-explanation/) and manufacturers of electronic communications - Tamarin Prover Introduction (/article/404/tamarin-prover-introduction/) service equipment".
    [Show full text]
  • Download Windows Live Messenger for Linux Ubuntu
    Download windows live messenger for linux ubuntu But installing applications in Ubuntu that were originally made for I found emescene to be the best Msn Messenger for Ubuntu Linux so far. It really gives you the feel as if you are using Windows Live Messenger. Its builds are available for Archlinux, Debian, Ubuntu, Fedora, Mandriva and Windows. At first I found it quite difficult to use Pidgin Internet Messenger on Ubuntu Linux. Even though it allows signing into MSN, Yahoo! Messenger and Google Talk. While finding MSN Messenger for Linux / Ubuntu, I found different emesene is also available and could be downloaded and installed for. At first I found it quite difficult to use Pidgin Internet Messenger on Ubuntu Linux. Even though it allows signing into MSN, Yahoo! Messenger. A simple & beautiful app for Facebook Messenger. OS X, Windows & Linux By downloading Messenger for Desktop, you acknowledge that it is not an. An alternative MSN Messenger chat client for Linux. It allows Linux users to chat with friends who use MSN Messenger in Windows or Mac OS. The strength of. Windows Live Messenger is an instant messenger application that For more information on installing applications, see InstallingSoftware. sudo apt-get install chromium-browser. 2. After the installation is Windows Live Messenger running in LinuxMint / Ubuntu. You can close the. Linux / X LAN Messenger for Debian/Ubuntu LAN Messenger for Fedora/openSUSE Download LAN Messenger for Windows. Windows installer A MSN Messenger / Live Messenger client for Linux, aiming at integration with the KDE desktop Ubuntu: Ubuntu has KMess in its default repositories.
    [Show full text]
  • An Empirical Survey on How Much Security and Privacy Customers Want in Instant Messengers
    SECURWARE 2016 : The Tenth International Conference on Emerging Security Information, Systems and Technologies An Empirical Survey on how Much Security and Privacy Customers Want in Instant Messengers Thomas Paul Hans-Joachim Hof MuSe – Munich IT Security Research Group Munich University of Applied Sciences Munich University of Applied Sciences Lothstrasse 64, Munich, Germany Lothstraße 64, Munich, Germany e-mail: [email protected] e-mail: [email protected] Abstract— Instant messengers are popular communication developers of future instant messengers to decide on tools used by many people for everyday communication, as security features to implement. well as for work related communication. Following the This paper is structured as follows: Section II discusses disclosure of a massive surveillance system by Edward related work. Section III presents the design of the user Snowden, many users became aware of the risks of unsecure survey. Section IV discusses in detail the findings of the communication. Users increasingly ask for secure communication. However, unsecure instant messengers are still user survey. Section V presents the features of an ideal popular nowadays. This could be due to the fact, that, besides instant messenger fulfilling all the user preferences the large number of available instant messengers, no instant identified by the survey. A market simulation is used to messenger fully satisfies the users preferences. To research the show the potential of this ideal instant messenger. Section acceptance of security mechanisms in instant messengers, this VI summarizes the findings of the paper. paper presents an evaluation of user preferences for secure instant messengers. A user survey was conducted to rate the II.
    [Show full text]
  • Wiretapping End-To-End Encrypted Voip Calls Real-World Attacks on ZRTP
    Institute of Operating Systems and Computer Networks Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schürmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf, 2017-07-18 wiretapping difficulty End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) End-to-End Encryption & Authentication SIP + SRTP + ZRTP Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 wiretapping difficulty End-to-End Encryption & Authentication SIP + SRTP + ZRTP Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 wiretapping difficulty Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time
    [Show full text]
  • Openfire Service Level Agreement
    Service Level Agreement Technical Services — Communications Service University Technology Services 1. Overview This Service Level Agreement (SLA) is between University Technology Services (UTS) and either departments or groups choosing to utilize the internal Oakland University instant messaging (OUIM) service. The OUIM service is currently referenced by talk.oakland.edu and runs XMPP/Jabber software called Openfire. Under this SLA, UTS agrees to provide specific information technology (IT) services. This SLA also covers performance and reliability targets and objectives. Section 7 requires the signature and contact information of the group coordinator as an agreement to the SLA. OUIM is an online service that is available on campus and off campus. The requirements to utilize the service are a NetID, an XMPP client, and an Internet connection. XMPP clients are available online. The UTS Helpdesk supports the XMPP clients Spark, Pidgin, and Adium. Instructions are available on the UTS Web site at http://www.oakland.edu/?id=13849&sid=70. 2. Purpose The purpose of this SLA is to establish a cooperative partnership between UTS staff members with the community of customers who may opt into its use by clarifying roles, setting expectations, and providing service objectives and limitations. 3. Terms of Agreement This service is provided on an ongoing basis. From time to time, it may be reviewed and modified by UTS. Modifications to this agreement will be done at the sole discretion of UTS and the Technical Support and Services team (TSS). 4. Service Hours Regularly scheduled maintenance will be scheduled during low-use hours as much as possible; such work will be done either before 8:00 A.M.
    [Show full text]
  • Investigating Mobile Messaging Security
    Technische Universitat¨ Munchen¨ Department of Informatics Interdisciplinary Project in Electrical Engineering Investigating Mobile Messaging Security Elias Hazboun Technische Universitat¨ Munchen¨ Department of Informatics Interdisciplinary Project in Electrical Engineering Investigating Mobile Messaging Security Untersuchung von Mobile Messaging Sicherheit Author Elias Hazboun Supervisor Prof. Dr.-Ing. Georg Carle Advisor Dr. Matthias Wachs, Quirin Scheitle Date April 27, 2016 Informatik VIII Chair for Network Architectures and Services Abstract In this report we document our work in analyzing the security of a selection of mobile messaging apps. Focusing on network based security, we studied traffic generated by the apps to gain an understanding of the current state of applying encryption and authentication protocols. Our findings show a positive trend in security with developers steadily improving security with newer app updates partly due to the increased scrutiny from the community and academia. Although not all apps analyzed had perfect state of the art security properties, none have shown any major vulnerabilities exploited by normal adversaries. It was also evident that only one app - namely TextSecure - is using the industry standard TLS for server-client authentication and security while others have opted for custom made protocols and algorithms. I Contents 1 Introduction 1 1.1 Research Question . .2 1.2 Outline . .2 2 Background and Related Work 3 2.1 Methodology . .3 2.1.1 App Selection . .3 2.1.2 Approach . .3 2.2 Definition of Security Concepts . .4 2.2.1 Layers of Encryption . .4 2.2.2 Transport Layer Security Protocol (TLS) . .5 2.2.3 Perfect Forward Secrecy (PFS) . .5 2.2.4 Asynchronous Messaging Security .
    [Show full text]