DOCSLIB.ORG

Security & Forensic Analysis of an Internet of Things Smart Home

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security & Forensic Analysis of an Internet of Things Smart Home DEGREE PROJECT IN COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS STOCKHOLM, SWEDEN 2020 Security & Forensic Analysis of an Internet of Things Smart Home Ecosystem JOHANNES OLEGÅRD KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE Security & Forensic Analysis of an Internet of Things Smart Home Ecosystem JOHANNES OLEGÅRD Master’s Programme, Computer Science, 120 credits Date: December 14, 2020 Supervisor: Asif Iqbal Examiner: Mathias Ekstedt School of Electrical Engineering and Computer Science Swedish title: Säkerhets- & Digital-forensisk Analys av ett Sakernas Internet smarthemsekosystem 4 Abstract Abstract The Internet of Things (IoT) is an ongoing trend where a multitude of internet- connected devices become more common. Many of these devices have easily exploitable security vulnerabilities. This has led to large-scale cyberattacks such as the Mirai botnet Distributed Denial of Service (DDOS) attacks. More cybercrime can be expected in the future, especially as the number and types of IoT devices grow. In this work, the security of an IoT ecosystem was investigated from two perspectives: security testing and Digital Forensics (DF). Security testing was used to search the Application Programming Interfaces (APIs) of the IoT ecosystem for security vulnerabilities. Three Static Application Security Testing (SAST) Tools were used to search the source code of the cloud part of the system. A manual review was done to search the system as whole, with the guide of common vulnerability lists from the Open Web Application Security Project (OWASP). As a result, severe security vulnerabilities were found. A DF experiment was conducted where actions were taken in five Android smartphone apps to control six IoT devices (two are from aforementioned IoT ecosystem). The contents of the smartphone was then examined for forensic evidence of those actions. Additionally the contents one of the IoT devices was also examined for evidence. It was concluded that only limited evidence of the actions could be found. Additionally, various challenges were identified. i Sammanfattning Sammanfattning Det så kallade Sakernas Internet (eng. Internet of Things, IoT) området är en pågående och ökande trend. Trenden handler om att olika enklare enheter ansluts mot internet i stort antal. IoT-enheter har utsatts för, och utnyttjats i, cyber attacker som i exempelvis det så kallade “Mirai botnet”. Allt fler IoT-relaterade brott kan förväntas i framtiden, speciellt eftersom antalet IoT- enheter blir allt fler och mer diversifierade. I den här uppsatsen undersöks säkerheten i ett IoT ekosystem utifrån två aspekter: “security testing” (säkerhetstesting) och “digital forensics”. På svenska kalls digital forensics för “IT-forensik” (kriminalteknik inom informationsteknik) eller digital-forensik. Säkerhetstestning användes för att hitta sårbarheter i det undersökta IoT ekosystemets olika applikationsprogrammeringsgränssnitt. Tre olika verktyg av typen Static Application Security Testing (SAST) användes i undersökningen för att granska den kod som motsvarar moln-delen av systemet. Utöver de tre verktygen, undersöktes systemet också manuellt. Den manuella undersökning utgick från de listor av vanliga typer av sårbarheter som finns publicerade av organisationen Open Web Application Security Project (OWASP).Resultatmässigt hittades flera allvarliga sårbarheter i systemet. Digital forensics-delen av projektet bestod av ett experiment där en Android telefon, sex IoT-enheter (två från det ovannämnda IoT ekosystemet) och fem motsvarande Android-appar undersöktes. Experimentet bestod av att utföra olika handlingar i apparna (till exempel att skicka ett kommando till en IoT- enhet), och sedan av att leta bevis för de handlingarna. För att hitta bevis undersöktes innehållet på telefonen och innehållet på en av IoT-enheterna. Slutsatsen av experimentet är att bara få och begränsade bevis kunde hittas. Utmaningarna som påträffades i experimentet jämfördes med utmaningarna beskrivna i forskningslitteraturen inom digital forensics. ii Acknowledgments Acknowledgments I would like to thank my supervisor Asif Iqbal for his guidance, patience, dedication and generosity. He got me interested in the topics of the thesis, and helped in every single part of the work. He also managed to borrow some of the IoT devices for the experiment on my behalf. Thanks are also due to the anonymous people at the company for giving me this opportunity. They gave me access to their system, guided me through it and lent me the related IoT devices. I would like to thank my coauthors of [1, 2] for involving me in two of my first published papers. Last but not the least, many thanks to my family for their support in these strange times. Stockholm, December 2020 Johannes Olegård iii Acknowledgments iv Contents 1 Introduction 1 1.1 Problem statement ....................... 2 1.2 Research question ........................ 2 1.3 Hypothesis ........................... 2 1.4 Evaluation ............................ 3 1.5 Scope and limitations ...................... 3 1.6 Thesis structure ......................... 4 2 System architecture 5 2.1 Overview ............................ 5 2.2 IoT devices ........................... 5 2.3 The server ............................ 7 2.4 The app ............................. 9 2.5 Protocols ............................ 9 2.5.1 The HTTPS API .................... 10 2.5.2 The AMQP APIs .................... 11 2.5.3 The UDP-based protocol . 12 3 Security testing 15 3.1 What is software testing? .................... 15 3.2 What is security testing? .................... 16 3.3 Security standards ........................ 18 3.4 OWASP lists ........................... 18 3.4.1 OWASP top ten ..................... 19 3.4.2 OWASP API top ten . 19 3.4.3 OWASP IoT top ten ................... 20 3.5 API security testing ....................... 20 3.6 Automating security ....................... 28 3.7 What security measures are currently taken at the company? . 28 v CONTENTS 3.8 Method ............................. 29 3.9 Results .............................. 32 3.10 Example exploits ........................ 37 3.10.1 Firmware update MITM . 37 3.10.2 Update device directly . 37 3.10.3 Upload firmware to server . 39 3.10.4 Steal shared key ..................... 42 3.10.5 Capture ApiService ................... 45 3.10.6 Example exploit 6 Crack unsalted passwords . 46 3.10.7 Steal app signing keys . 47 3.11 Discussion ............................ 48 3.11.1 Vulnerabilities ..................... 48 3.11.2 Security testing tools . 48 3.11.3 Solutions ........................ 48 3.11.4 Future work ....................... 49 3.11.5 Ethics .......................... 50 3.11.6 Sustainability ...................... 50 3.12 Conclusion ........................... 51 4 Digital forensics 53 4.1 Introduction ........................... 53 4.2 What is digital forensics? .................... 54 4.3 The digital forensic process ................... 55 4.4 Challenges to digital forensics . 56 4.5 Related work .......................... 59 4.5.1 Android app digital forensics . 59 4.5.2 IoT digital forensics ................... 61 4.6 Method ............................. 64 4.6.1 Overview ........................ 64 4.6.2 Scope and limitations . 64 4.6.3 Hardware ........................ 65 4.6.4 Software ........................ 66 4.6.5 Activities ........................ 67 4.6.6 Acquisition ....................... 73 4.6.7 Analysis ......................... 74 4.7 Results .............................. 77 4.7.1 Port scanning results . 77 4.7.2 X app .......................... 78 4.7.3 Mydlink (D-link) .................... 80 vi Contents 4.7.4 Kasa (TP-Link) ..................... 81 4.7.5 Telldus live ....................... 82 4.7.6 Alexa (Amazon) .................... 84 4.7.7 “Sense” device ..................... 85 4.8 Discussion ............................ 88 4.8.1 Evidence ........................ 88 4.8.2 Challenges ....................... 89 4.8.3 Future work ....................... 90 4.8.4 Ethics .......................... 91 4.8.5 Sustainability ...................... 91 4.8.6 Conclusion ....................... 92 References 93 A App file structures 113 vii Contents viii List of Figures 2.1 System architecture ....................... 6 2.2 Simplified overview of AMQP data flow between services. 13 3.1 Illustrations of OWASP WEB01 through WEB04. 21 3.2 Illustrations of OWASP WEB05 through WEB08. 22 3.3 Illustrations of OWASP WEB09, WEB10, API01 and API03. 23 3.4 Illustrations of OWASP API04, API05, API06 and API09 . 24 3.5 Illustrations of OWASP IOT01 through IOT04 . 25 3.6 Illustrations of OWASP IOT05 through IOT08 . 26 3.7 Illustration of OWASP IOT09 and IOT10. 27 3.8 Illustration of an MITM attack exploiting V01 and V05. 37 3.9 Illustration of firmware installation by exploiting V04. 38 3.10 Illustration of exploiting V36 and V01 to install malicious firmware on multiple devices. 42 4.1 Overview of the digital forensic process [2]. 55 4.2 Summary of Digital Forensic challenges [2]. 57 4.3 X app, X plug and X “sense” activities. 68 4.4 Mydlink app and D-link plug activities. 68 4.5 Kasa app and TP-Link plug activities. 69 4.6 Telldus live app, Telldus gateway and Telldus plug activities. 69 4.7 Alexa app and Amazon plug activities. 69 4.8 Access Point MITM network setup in the configuration mode [2]. ............................... 70 4.9 Ettercap MITM network setup in the configuration mode [2]. 70 4.10 Access Point MITM network setup [2]. 71 4.11 Telldus MITM
Load more

Recommended publications
  • Course 5 Lesson 2
    This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the National Science Foundation C5L3S1 With the advent of the Internet, social networking, and open communication, a vast amount of information is readily available on the Internet for anyone to access. Despite this trend, computer users need to ensure private or personal communications remain confidential and are viewed only by the intended party. Private information such as a social security numbers, school transcripts, medical histories, tax records, banking, and legal documents should be secure when transmitted online or stored locally. One way to keep data confidential is to encrypt it. Militaries,U the governments, industries, and any organization having a desire to maintain privacy have used encryption techniques to secure information. Encryption helps to boost confidence in the security of online commerce and is necessary for secure transactions. In this lesson, you will review encryption and examine several tools used to encrypt data. You will also learn to encrypt and decrypt data. Anyone who desires to administer computer networks and work with private data must have some familiarity with basic encryption protocols and techniques. C5L3S2 You should know what will be expected of you when you complete this lesson. These expectations are presented as objectives. Objectives are short statements of expectations that tell you what you must be able to do, perform, learn, or adjust after reviewing the lesson.
    [Show full text]
  • Chapter 12 Pretty Good Privacy (PGP)
    Chapter 12 Pretty Good Privacy (PGP) With the explosively growing reliance on electronic mail for every conceivable pur- pose, there grows a demand for authentication and confidentiality services. Two schemes stand out as approaches that enjoy widespread use: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME). The latter is a security en- hancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organisational use, while PGP will remain the choice for personal e-mail security for many users. In this course we will only be looking at PGP. S/MIME is discussed in detail in the recommended text. 12.1 Background PGP is a remarkable phenomenon. Largely the effort of a single person, Phil Zimmer- mann, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. In essence what Zimmermann has done is the following: 1. Selected the best cryptographic mechanisms (algorithms) as building blocks. 2. Integrated these algorithms into a general purpose application that is independent of operating system and processor and that is based on a small set of easy to use commands. 3. Made the package and its source code freely available via the Internet, bulletin boards, and commercial networks such as America On Line (AOL). 4. Entered into an agreement with a company (Viacrypt, now Network Associates) to provide a fully compatible low cost commercial version of PGP.
    [Show full text]
  • Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard V1.2.3
    Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3 Phong Q. Nguyen CNRS/Ecole´ normale sup´erieure D´epartement d’informatique 45 rue d’Ulm, 75230 Paris Cedex 05, France. [email protected] http://www.di.ens.fr/˜pnguyen Abstract. More and more software use cryptography. But how can one know if what is implemented is good cryptography? For proprietary soft- ware, one cannot say much unless one proceeds to reverse-engineering, and history tends to show that bad cryptography is much more frequent than good cryptography there. Open source software thus sounds like a good solution, but the fact that a source code can be read does not imply that it is actually read, especially by cryptography experts. In this paper, we illustrate this point by examining the case of a basic In- ternet application of cryptography: secure email. We analyze parts of thesourcecodeofthelatestversionofGNUPrivacyGuard(GnuPGor GPG), a free open source alternative to the famous PGP software, com- pliant with the OpenPGP standard, and included in most GNU/Linux distributions such as Debian, MandrakeSoft, Red Hat and SuSE. We ob- serve several cryptographic flaws in GPG v1.2.3. The most serious flaw has been present in GPG for almost four years: we show that as soon as one (GPG-generated) ElGamal signature of an arbitrary message is released, one can recover the signer’s private key in less than a second on a PC. As a consequence, ElGamal signatures and the so-called ElGamal sign+encrypt keys have recently been removed from GPG.
    [Show full text]
  • A History of End-To-End Encryption and the Death of PGP
    25/05/2020 A history of end-to-end encryption and the death of PGP Hey! I'm David, a security engineer at the Blockchain team of Facebook (https://facebook.com/), previously a security consultant for the Cryptography Services of NCC Group (https://www.nccgroup.com). I'm also the author of the Real World Cryptography book (https://www.manning.com/books/real-world- cryptography?a_aid=Realworldcrypto&a_bid=ad500e09). This is my blog about cryptography and security and other related topics that I Ûnd interesting. A history of end-to-end encryption and If you don't know where to start, you might want to check these popular the death of PGP articles: posted January 2020 - How did length extension attacks made it 1981 - RFC 788 - Simple Mail Transfer Protocol into SHA-2? (/article/417/how-did-length- extension-attacks-made-it-into-sha-2/) (https://tools.ietf.org/html/rfc788) (SMTP) is published, - Speed and Cryptography the standard for email is born. (/article/468/speed-and-cryptography/) - What is the BLS signature scheme? (/article/472/what-is-the-bls-signature- This is were everything starts, we now have an open peer-to-peer scheme/) protocol that everyone on the internet can use to communicate. - Zero'ing memory, compiler optimizations and memset_s (/article/419/zeroing-memory- compiler-optimizations-and-memset_s/) 1991 - The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations The US government introduces the 1991 Senate Bill 266, (/article/461/the-9-lives-of-bleichenbachers- which attempts to allow "the Government to obtain the cat-new-cache-attacks-on-tls- plain text contents of voice, data, and other implementations/) - How to Backdoor Di¸e-Hellman: quick communications when appropriately authorized by law" explanation (/article/360/how-to-backdoor- from "providers of electronic communications services di¸e-hellman-quick-explanation/) and manufacturers of electronic communications - Tamarin Prover Introduction (/article/404/tamarin-prover-introduction/) service equipment".
    [Show full text]
  • Pgpfone Pretty Good Privacy Phone Owner’S Manual Version 1.0 Beta 7 -- 8 July 1996
    Phil’s Pretty Good Software Presents... PGPfone Pretty Good Privacy Phone Owner’s Manual Version 1.0 beta 7 -- 8 July 1996 Philip R. Zimmermann PGPfone Owner’s Manual PGPfone Owner’s Manual is written by Philip R. Zimmermann, and is (c) Copyright 1995-1996 Pretty Good Privacy Inc. All rights reserved. Pretty Good Privacy™, PGP®, Pretty Good Privacy Phone™, and PGPfone™ are all trademarks of Pretty Good Privacy Inc. Export of this software may be restricted by the U.S. government. PGPfone software is (c) Copyright 1995-1996 Pretty Good Privacy Inc. All rights reserved. Phil’s Pretty Good engineering team: PGPfone for the Apple Macintosh and Windows written mainly by Will Price. Phil Zimmermann: Overall application design, cryptographic and key management protocols, call setup negotiation, and, of course, the manual. Will Price: Overall application design. He persuaded the rest of the team to abandon the original DOS command-line approach and designed a multithreaded event-driven GUI architecture. Also greatly improved call setup protocols. Chris Hall: Did early work on call setup protocols and cryptographic and key management protocols, and did the first port to Windows. Colin Plumb: Cryptographic and key management protocols, call setup negotiation, and the fast multiprecision integer math package. Jeff Sorensen: Speech compression. Will Kinney: Optimization of GSM speech compression code. Kelly MacInnis: Early debugging of the Win95 version. Patrick Juola: Computational linguistic research for biometric word list. -2- PGPfone Owner’s
    [Show full text]
  • Security Analysis of the Signal Protocol Student: Bc
    ASSIGNMENT OF MASTER’S THESIS Title: Security Analysis of the Signal Protocol Student: Bc. Jan Rubín Supervisor: Ing. Josef Kokeš Study Programme: Informatics Study Branch: Computer Security Department: Department of Computer Systems Validity: Until the end of summer semester 2018/19 Instructions 1) Research the current instant messaging protocols, describe their properties, with a particular focus on security. 2) Describe the Signal protocol in detail, its usage, structure, and functionality. 3) Select parts of the protocol with a potential for security vulnerabilities. 4) Analyze these parts, particularly the adherence of their code to their documentation. 5) Discuss your findings. Formulate recommendations for the users. References Will be provided by the supervisor. prof. Ing. Róbert Lórencz, CSc. doc. RNDr. Ing. Marcel Jiřina, Ph.D. Head of Department Dean Prague January 27, 2018 Czech Technical University in Prague Faculty of Information Technology Department of Computer Systems Master’s thesis Security Analysis of the Signal Protocol Bc. Jan Rub´ın Supervisor: Ing. Josef Kokeˇs 1st May 2018 Acknowledgements First and foremost, I would like to express my sincere gratitude to my thesis supervisor, Ing. Josef Kokeˇs,for his guidance, engagement, extensive know- ledge, and willingness to meet at our countless consultations. I would also like to thank my brother, Tom´aˇsRub´ın,for proofreading my thesis. I cannot express enough gratitude towards my parents, Lenka and Jaroslav Rub´ınovi, who supported me both morally and financially through my whole studies. Last but not least, this thesis would not be possible without Anna who re- lentlessly supported me when I needed it most. Declaration I hereby declare that the presented thesis is my own work and that I have cited all sources of information in accordance with the Guideline for adhering to ethical principles when elaborating an academic final thesis.
    [Show full text]
  • Analysis and Implementation of the Messaging Layer Security Protocol
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by AMS Tesi di Laurea Alma Mater Studiorum · Universita` di Bologna CAMPUS DI CESENA Dipartimento di Informatica - Scienza e Ingegneria Corso di Laurea Magistrale in Ingegneria e Scienze Informatiche Analysis and Implementation of the Messaging Layer Security Protocol Tesi in Sicurezza delle Reti Relatore: Presentata da: Gabriele D'Angelo Nicola Giancecchi Anno Accademico 2018/2019 Parole chiave Network Security Messaging MLS Protocol Ratchet Trees \Oh me, oh vita! Domande come queste mi perseguitano. Infiniti cortei d'infedeli, citt`agremite di stolti, che v'`edi nuovo in tutto questo, oh me, oh vita! Risposta: Che tu sei qui, che la vita esiste e l’identit`a. Che il potente spettacolo continua, e che tu puoi contribuire con un verso." - Walt Whitman Alla mia famiglia. Introduzione L'utilizzo di servizi di messaggistica su smartphone `eincrementato in maniera considerevole negli ultimi anni, complice la sempre maggiore disponi- bilit`adi dispositivi mobile e l'evoluzione delle tecnologie di comunicazione via Internet, fattori che hanno di fatto soppiantato l'uso dei classici SMS. Tale incremento ha riguardato anche l'utilizzo in ambito business, un contesto dove `epi`ufrequente lo scambio di informazioni confidenziali e quindi la necessit`adi proteggere la comunicazione tra due o pi`upersone. Ci`onon solo per un punto di vista di sicurezza, ma anche di privacy personale. I maggiori player mondiali hanno risposto implementando misure di sicurezza all'interno dei propri servizi, quali ad esempio la crittografia end-to-end e regole sempre pi`ustringenti sul trattamento dei dati personali.
    [Show full text]
  • Case Study on the Official Scripts Electronic Applications in Bantul)
    I.J. Information Engineering and Electronic Business, 2017, 4, 1-6 Published Online July 2017 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijieeb.2017.04.01 The Implementation of Pretty Good Privacy in eGovernment Applications (Case Study on the Official Scripts Electronic Applications in Bantul) Didit Suprihanto Department of Electrical Engineering Universitas Mulawarman, Kalimantan Timur, Indonesia, 75123 Email: [email protected] Tri Kuntoro Priyambodo Department of Computer Sciences & Electronics, Universitas Gadjah Mada, Yogyakarta, Indonesia, 55281 Corresponding Author Email: [email protected] Abstract—eGovernment application has evolved from the world [1]. The United Nations‘ global survey reports simply appearing as a website providing news and some ICT indicators that point to the measure of how far information, to the application that provides various a nation has gone in the implementation of e-governance services through online transactions. Provision of online such as: 1.E-readiness, 2.Web measure index, 3. transactions require the effectively and safely service, so Telecommunications infrastructure index, 4. Human the users can make sure that the entry data is secure and capital index, 5. E-participation index[2] will not be used by other parties which are not authorized. Information security is a major factor in the service of Security is also necessary for the service provider side of eGovernment. The using of the host to host in previous online transactions, it is necessary to keep the system, and services of eGovernment is considered as lacking in the data transactions sent through the communications security. Therefore, it needs more security to serve clients media and the data stored in the database are secured.
    [Show full text]
  • Hands-On Assignment
    MIT OpenCourseWare http://ocw.mit.edu 6.033 Computer System Engineering Spring 2009 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms. This course makes use ofAthena, MIT's UNIX-based computing environment. OCW does not provide access tothis environment. M.I.T. DEPARTMENT OF EECS 6.033 - Computer System Engineering Crypto Hands-On Assignment Hands-on 6: Cryptography and Certificates This hands-on assignment is due at the beginning of Recitation 23. The goal of this hands-on is to give you an introduction to mathematics and the algorithmic building blocks of moderns cryptographic protocols. Before attempting this hands-on, you should read Chapter 11 of the class notes. Part 1: Big Numbers and Brute-Force Attacks One way to unseal a sealed message is to try every possible key. This kind of attack is known as a brute-force attack or a key search attack. The longer the key, the harder the attack. Keys are almost always represented as blocks of binary data. Some cryptographic transformations use a fixed number of bits, while others allow a variable number. The table below lists some common cryptographic transformations and the key sizes that they use: Cipher Key Size The Data Encryption Standard (DES) 56 bits RC-2 40-1024 bits RC-4 40-1024 bits Advanced Encryption Standard (AES) 128, 192 or 256 bits Although there are many factors that come into play when evaluating the strength of a cryptographic transformation, the length of the key is clearly important. This is because an attacker who is in possession of a sealed message can always mount a brute-force attack.
    [Show full text]
  • LAB :: PGP (Pretty Good Privacy)
    LAB :: PGP (Pretty Good Privacy) GnuPG : GnuPG forms the heart of Gpg4win – the actual encryption software. Kleopatra : The central certificate administration of Gpg4win, which ensures uniform user navigation for all cryptographic operations. Download Gpg4win (GNU Privacy Guard for Windows) from https://www.gpg4win.org/index.html Install GnuPG & Related application 1. The installation assistant will start and you will see this welcome dialog: 2. Close all programs that are running on your computer and click on [ Next ] 3. The next page displays the licensing agreement – it is only important if you wish to modify or forward Gpg4win. If you only want to use the software, you can do this right away – without reading the license. Click on [ Next ] 4. On the page that contains the selection of components you can decide which programs you want to install. A default selection has already been made for you. You can also install individual components at a later time. Moving your mouse cursor over a component will display a brief description. Another useful feature is the display of required hard drive space for all selected components. Bellow are the application and there fucntion: a. GnuPG: Gnu Privacy Guard b. Kleopatra: Keymanager for OpenPGP c. GPA: GNU Privacy Assistant d. GpgOL: GnuPG for Outlook e. GpgEX: GnuPG Shell Extension f. Claws-Mail: Claws Mail user client g. Gpg4win Compedium: The Gpg4Win documentation Click on [ Next ] 5. The system will suggest a folder for the installation, e.g.: C:\Programme Files (x86)\GNU\GnuPG You can accept the suggestion or select a different folder for installing Gpg4win.
    [Show full text]
  • Pretty Good Privacy
    1 Pretty Good Privacy Pretty Good Privacy 2 Pretty Good Privacy 1. Introduction 1.1. What is cryptography? Cryptography originates from the Greek word “kryptos” meaning hidden [1]. It is one of the main branches of cryptology which studies methods of securing and authenticating information. Cryptography is concerned with the design of these methods whereas cryptanalysis, the other main branch of cryptology, looks at overcoming them. Cryptography is also described as the science of using mathematics to encrypt and decrypt data for secure transmissions [2 p. 11]. 1.2. Why is cryptography important? The Computer Emergency Response Team (CERT) recorded the total number of computer vulnerabilities from 1995 to 2008 (Q1-Q3) based on reports submitted to them and from other public sources [3]. Security vulnerabilities were included from operating systems on individual machines, routers in networks and other network devices [4 p. 10]. Their statistics show a general trend of the total number of vulnerabilities rising from 171 in 1995 to a peak of 8064 in 2006. Clearly this shows Internet security is a problem albeit a problem which is possibly starting to be tackled more effectively as tenaciously indicated by the decrease in the total number of vulnerabilities from 8064 in 2006 to 6058 in 2008 (Q1-Q3) [3]. Moreover the Internet Architecture Board (IAB) submitted a report in 1994 called “Security in the Internet Architecture” (RFC 1636). The overall conclusion of the report was that “security must be added to the Internet” [5 p. 44] outlining the necessity to secure network infrastructure and traffic by authentication and encryption.
    [Show full text]
  • Centralized Email Encryption with Anubis
    SYSADMIN Anubis Centralized email encryption with Anubis xperts acknowledge the danger of transmitting plans, personal Edata, and confidential agree- ments in clear text across the Internet, but end users rarely heed their warnings. EGYPTIAN Users typically don’t turn to tools such as PGP, GnuPG [2], and S/ Mime by choice. CTOs can either bemoan their fate or take proactive steps: so-called PGP servers provide centralized user key ENCRYPTION management and handle the encryption and decryption processes. These services remove the need for time-consuming The Anubis mail manipulation daemon lets you centralize encryption installation and configuration of a PGP client on every user workstation. for outgoing mail. BY DANIEL S. HAISCHT Linux admins have a choice of free en- cryption programs such as GPG-Relay [3] or Kuvert [4], and there are a number of commercial applications (such as [5] and [6]), some of which are also avail- able for Windows. But if you prefer to avoid specialized applications, your best option may be the universal mail manip- ulation program, GNU Anubis [1]. Anubis, which is named after an ancient Egyptian god, is an SMTP pre-processing daemon. The Anubis daemon receives messages from a Mail User Agent (such as the Mutt client shown in Figure 2), then modifies the messages before pass- ing them to the Mail Transfer Agent (such as the Postfix server shown in Fig- ure 2). Anubis can process messages in a number of different ways, but in this case, one of Anubis’ more useful tricks is the ability to encrypt mail using GnuPG.
    [Show full text]