A Study of Email Encryption on Android OS
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Puddletag 1.0.5
FOSSPICKS Sparkling gems and new releases from the world of FOSSpicks Free and Open Source Software Mike Saunders has spent a decade mining the internet for free software treasures. Here’s the result of his latest haul… Sound file tag editor Puddletag 1.0.5 e love discovering need Mutagen – this is the library programs that that handles the low-level Wostensibly perform operations of adding tags to music mundane tasks, but have so many files. On Ubuntu and Debian-based features and options that they distros, you can get all of the actually become rather cool. dependencies via the python-qt4, Puddletag is one such example: it’s python-pyparsing, python- a music file tag editor. Riveting, mutagen and python-configobj right? But when you start exploring packages. Then extract the the interface and discover some of puddletag-1.0.5.tar.gz file, go into the complexity behind it, you the resulting directory, and run actually start to admire it. And if you ./puddletag. manage a large music collection, you might find that you can’t live I, spreadsheet without it. Sure, most graphical The first thing you’ll notice is the music players on Linux include unusual interface: Puddletag looks Puddletag can work with ID3v1, ID3v2 (MP3), MP4, some kind of tag editing facility, but somewhat like a spreadsheet. This VorbisComments (Ogg and FLAC) and Musepack (mpc) tags. Puddletag is industrial strength. actually turns out to be a very good It’s written in Python (2) and uses design when you’re working on lots click on the F button in the toolbar, Qt 4 for the interface, so its main of files. -
An Architecture for Cryptography with Smart Cards and NFC Rings on Android
OpenKeychain: An Architecture for Cryptography with Smart Cards and NFC Rings on Android DOMINIK SCHÜRMANN, TU Braunschweig, Germany SERGEJ DECHAND, University of Bonn, Germany LARS WOLF, TU Braunschweig, Germany While many Android apps provide end-to-end encryption, the cryptographic keys are still stored on the device itself and can thus be stolen by exploiting vulnerabilities. External cryptographic hardware solves this issue, but is currently only used for two-factor authentication and not for communication encryption. In this paper, we design, implement, and evaluate an architecture for NFC-based cryptography on Android. Our high-level API provides cryptographic operations without requiring knowledge of public-key cryptography. By developing OpenKeychain, we were able to roll out this architecture for more than 100,000 users. It provides encryption for emails, messaging, and a password manager. We provide a threat model, NFC performance measurements, and discuss their impact on our architecture design. As an alternative form factor to smart cards, we created the prototype of an NFC signet ring. To evaluate the UI components and form factors, a lab study with 40 participants at a large company has been conducted. We measured the time required by the participants to set up the system and reply to encrypted emails. These measurements and a subsequent interview indicate that our NFC-based solutions are more user friendly in comparison to traditional password-protected keys. CCS Concepts: • Security and privacy → Usability in security and privacy; Key management; Hardware-based security protocols; • Human-centered computing → Mobile devices; Additional Key Words and Phrases: NFC, near-field communication, smart card, ring ACM Reference Format: Dominik Schürmann, Sergej Dechand, and Lars Wolf. -
Nutzung Von Openpgp Auf Android
Nutzung von OpenPGP auf Android Eine Anforderungsanalyse und Studie vorhandener OpenPGP- Implementierungen Autoren Vincent Breitmoser OpenKeychain Dominik Schürmann Institut für Betriebssysteme und Rechnerverbund, TU Braunschweig OpenKeychain Unter Mitwirkung von: Bernhard Reiter Emanuel Schütze Intevation GmbH Neuer Graben 17 49074 Osnabrück https://intevation.de Werner Koch g10 code GmbH Hüttenstr. 61 40699 Erkrath https://g10code.com Dieses Werk ist unter der Lizenz „Creative Commons Namensnennung-Weitergabe unter gleichen Bedingungen Deutschland“ in Version 3.0 (abgekürzt „CC-by-sa 3.0/de“) veröffentlicht. Den rechtsverbindlichen Lizenzvertrag finden Sie unter http://creativecommons.org/licenses/by-sa/3.0/de/legalcode. Bundesamt für Sicherheit in der Informationstechnik Postfach 20 03 63 53133 Bonn Tel.: +49 22899 9582-0 E-Mail: [email protected] Internet: https://www.bsi.bund.de © Bundesamt für Sicherheit in der Informationstechnik 2016 Änderungshistorie Version Datum Name Beschreibung 1.0 11.5.2016 siehe Autoren Initiale Version für die Veröffentlichung Inhaltsverzeichnis Inhaltsverzeichnis 1 Einleitung............................................................................................................................................................................................... 7 1.1 Ausgangssituation..........................................................................................................7 1.2 Ziel der Studie................................................................................................................7 -
The Chromium Mess Meets Android
The Chromium mess meets Android David Ludovino, The Chromium mess meets Android Jeremy Rand Proposals on how to get a fully free WebView build or replace it with something What is completely new WebView? Which apps use it? What's underneath it? ∗ What's the David Ludovino Jeremy Rand matter with Chromium? WebView and Replicant Replicant Chromium forks Desktop Chromium Android Chromium Stepwise cleansing GeckoView shim Mapping WebView to GeckoView GeckoView on apps ∗with support from Andr´esD and Kurtis Hanna Feedback? The Chromium mess meets Android What is WebView? David Ludovino, Jeremy Rand Renders web content (HTML, CSS, JavaScript) What is WebView? inside apps. Which apps use it? What's underneath it? API has been around since Android 1. What's the matter with Chromium? public class MainActivity extends Activity { WebView and @Override Replicant protected void onCreate(Bundle state) { Chromium super.onCreate(state); forks WebView v = new WebView(this); Desktop Chromium setContentView(v); Android Chromium Stepwise cleansing v. loadUrl ("https://replicant.us"); } GeckoView shim } Mapping WebView to GeckoView GeckoView on apps Feedback? The Chromium mess meets Android Which apps use WebView? David Apps that render HTML: email clients, RSS readers, etc. Ludovino, Jeremy Rand Became pervasive with the advent of cross-platform mobile frameworks. What is WebView? Which apps use it? What's underneath Half of the apps listed at PRISM Break depend on WebView it? What's the uses WebView does not use WebView matter with Chromium? WebView and -
Digital Privacy a Guide to Giving Nsa the Finger
A REPORT FROM SOVEREIGNMAN.COM DIGITAL PRIVACY A GUIDE TO GIVING NSA THE FINGER.. WITHOUT THEM EVER NOTICING A BLACK PAPER DIGITAL A BLACK PRIVACY PAPER I’m not here to tell you that we are being spied on. That Facebook is keeping track of you and your friends. That Google is storing your searches, your locations, your emails, your browsing history. Everything. That the NSA can listen in on every phone call and read every text message. Everybody knows that. They know it. We know it. We know that they track our every move. We know about their social network profiling and enormous data centers they are building all over the country. As I’ve said before, from Obama’s ‘kill switch’, to ACTA, SOPA and PIPA, to stasi tactics against people like Kim Dotcom, hardly a month goes by without some major action against Internet users. But it’s what’s going on in the background that you should be worried about. As William Binney, another NSA whistleblower and the agency’s former Technical Director, recently told me in the May 2013 edition of our premium service, Sovereign Man: Confidential— “It was around 2003 when they started putting optical fibers coming into the US through Y-connector Narus devices. Basically these would duplicate the data coming across the Internet—one set of packets would go the normal route, the other set would go to NSA facilities. There, they collect all the data coming in through fiber optics, reassemble all the data packets into useable information-- emails, file transfers, etc. -
CISSP Exam Cram
Exclusive Offer – 40% OFF Pearson IT Certification Video Training pearsonitcertification.com/video Use coupon code PITCVIDEO40 during checkout. Video Instruction from Technology Experts Advance Your Skills Train Anywhere Learn Get started with fundamentals, Train anywhere, at your Learn from trusted author become an expert, own pace, on any device. trainers published by or get certified. Pearson IT Certification. Try Our Popular Video Training for FREE! pearsonitcertification.com/video Explore hundreds of FREE video lessons from our growing library of Complete Video Courses, LiveLessons, networking talks, and workshops. pearsonitcertification.com/video CISSP® Exam Cram Fourth Edition Michael Gregg CISSP® Exam Cram, Fourth Edition Editor-in-Chief Copyright © 2017 by Pearson Education, Inc. Mark Taub All rights reserved. No part of this book shall be reproduced, stored in Product Line a retrieval system, or transmitted by any means, electronic, mechanical, Manager photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the Brett Bartow information contained herein. Although every precaution has been taken Acquisitions in the preparation of this book, the publisher and author assume no Editor responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. Michelle Newcomb ISBN-13: 978-0-7897-5553-7 Development Editor ISBN-10: 0-7897-5553-X Ellie C. Bru Library of Congress Control Number: 2016940474 Managing Editor Printed in the United States of America Sandra Schroeder First Printing: August 2016 Project Editor Trademarks Mandie Frank All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. -
A Bottom-Up Approach to the Secure and Standardized Internet of Things Timothy Claeys
Security for the internet of things : a bottom-up approach to the secure and standardized internet of things Timothy Claeys To cite this version: Timothy Claeys. Security for the internet of things : a bottom-up approach to the secure and stan- dardized internet of things. Computers and Society [cs.CY]. Université Grenoble Alpes, 2019. English. NNT : 2019GREAM062. tel-02948567 HAL Id: tel-02948567 https://tel.archives-ouvertes.fr/tel-02948567 Submitted on 24 Sep 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE Pour obtenir le grade de DOCTEUR DE LA COMMUNAUTÉ UNIVERSITÉ GRENOBLE ALPES Spécialité : Informatique Arrêté ministériel : 25 mai 2016 Présentée par Timothy Claeys Thèse dirigée par Bernard Tourancheau Professeur, Université Grenoble Alpes et coencadrée par Franck Rousseau Maitre de Conférence, Grenoble INP préparée au sein de Laboratoire d’Informatique de Grenoble (LIG) dans l’École Doctorale Mathématiques, Sciences et Technologies de l’Information, Informatique (EDMSTII). Sécurité pour l’Internet des Objets: Une approche de bas -
Cryptography Domain – Part 2
CISSP® Common Body of Knowledge Review: Cryptography Domain – Part 2 Version: 5.9.2 CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. Learning Objective Cryptography Domain The Cryptography domain addresses the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality, and authentication. The candidate is expected to know basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction and use of digital signatures to provide authenticity of electronic transactions, and non-repudiation of the parties involved; and the organization and management of the Public Key Infrastructure (PKIs) and digital certification and management. Reference: CISSP CIB, January 2012 (Rev. 5) - 2 - Review of Part 1 • Classic ciphers: – Substitution cipher – Transposition cipher – Polyalphabetic (or running key) cipher – Concealment • Modern ciphers: – Block cipher – Stream cipher – Steganography – Combination - 3 - Review of Part 1 • Hash Function Cryptography – Non-keyed Digest (for integrity) – Keyed Digest (for authentication) – Digital Signature (for non-repudiation) • Symmetric Cryptography – Block Ciphers • Confusion & Diffusion – Confusion: S-box – Diffusion: Feistel network & Columnar transposition – Stream Ciphers • XOR operation – Modes of operation • Block mode: ECB and CBC • Stream mode: CFB, OFB, CTR - 4 - Review of Part 1 • Asymmetric Cryptography – Diffie-Hellman Algorithm – Factorization Algorithm – Discrete Logarithm Algorithm • Hybrid Cryptography – Make use of asymmetric cryptography to keep the ephemeral secret key secret. -
Surreptitious Sharing on Android
M. Meier,D.Reinhardt, S. Wendzel (Hrsg.): Sicherheit 2016, Lecture Notes in Informatics (LNI), Gesellschaft für Informatik, Bonn 2016 67 Surreptitious Sharing on Android Dominik Schürmann1,Lars Wolf 1 Abstract: Manyemail and messaging applications on Android utilize the Intent API for sharing images, videos, and documents. Android standardizes Intents for sending and Intent Filters for receiving content. Instead of sending entire files, such as videos, via this API, only URIs are exchanged pointing to the actual storage position. In this paper we evaluate applications regarding asecurity vulnerabilityallowing privilege escalation and data leakage, which is related to the handling of URIs using the file scheme. We analyze avulnerability called Surreptitious Sharing and present twoscenarios showing howitcan be exploited in practice. Based on these scenarios, 4email and 8messaging applications have been analyzed in detail. We found that 8out of 12 applications are vulnerable. Guidelines howtoproperly handle file access on Android and afixfor the discussed vulnerability are attached. Keywords: Android, sharing, vulnerability,Intent, API. 1Motivation Android includes arich API for communication and interaction between applications. It introduced the concept of Intents with aset of standardized actions to facilitate sharing of data. This allows applications to concentrate on its core functionality and rely on others to deal with extended use cases. Forexample, there is no need to support recording of video when implementing an email client, instead avideo recorder can directly share afinished recording with the email application. In this example, it is crucial to only share the intended video—other recordings must be protected against unauthorizedaccess. Android provides avariety of security mechanisms to implement access control. -
A Worldwide Survey of Encryption Products
A Worldwide Survey of Encryption Products February 11, 2016 Version 1.0 Bruce Schneier Berkman Center for Internet & Society Harvard University [email protected] Kathleen Seidel Independent Researcher [email protected] Saranya Vijayakumar Harvard College [email protected] Introduction Data security is a worldwide problem, and there is a wide world of encryption solutions available to help solve this problem. Most of these products are developed and sold by for-profit entities, although some are created as free open-source projects. They are available, either for sale or free download, all over the world. In 1999, a group of researchers from George Washington University attempted to survey the worldwide market for encryption products [HB+99]. The impetus for their survey was the ongoing debate about US encryption export controls. By collecting information about 805 hardware and software encryption products from 35 countries outside the US, the researchers showed that restricting the export of encryption products did nothing to reduce their availability around the world, while at the same time putting US companies at a competitive disadvantage in the information security market. Seventeen years later, we have tried to replicate this survey. • • • • • • • • • A Worldwide Survey of Encryption Products • Feb 2016, v 1.0 1 Findings We collected information on as many encryption products as we could find anywhere in the world. This is a summary of our findings: • We have identified865 hardware or software products incorporating encryption from 55 different coun- tries. This includes 546 encryption products from outside the US, representing two-thirds of the total. Table 1 summarizes the number of products from each country. -
Cryptoparty Handbook Copyleft Dear Friends, Scientists & Scholars
Cryptoparty Handbook Copyleft Dear friends, scientists & scholars, Today we’ll reclaim our privacy and improve browsing experience step-by-step. There is a diference between protecting your grandma sharing cake recipes, and a human rights activist in a hostile country. Your granny might not be the right person to sell a prepaid SIM & burner-phone to. An activist might consider the below steps entry-level basics, even dangerous if not tailored to the individual. But we all need protection. Even more so if you assume that «you got nothing to hide». «Arguing that you don’t care about the right to privacy because you have nothing to hide is no diferent than saying you don’t care about free speech because you have nothing to say.» – Edward Snowden Those with nothing to hide still like curtains in their bedroom and prefer public restrooms equipped with locks minus the CCTV cameras. If you need further convincing, the movie “Nothing to Hide” is available free online. The following pages contain a list of useful software, search engines, and additional privacy aids to help you take control of your digital privacy. A dictionary of terms is located at the end. cryptoparty.rs copyleft Email Encryption Thunderbird is a desktop email client, which with its Enigmail extension is used for encrypting, decrypting, digitally signing and verifying digitally signed emails. Supported platforms: Windows, Mac, Linux. [1][WARNING: Look at the footnote below!] mozilla.org/thunderbird/ K-9 Mail is an Android email client, which when used with Android GPG agents like APG or OpenKeyChain can provide seamless exchange of encrypted and signed emails. -
An Authentication Framework for Web Access to Remote Hosts
NAT'L INST; OF llilllliHi I NIST PL ^(-/CATIONS A 11 ID 5 SS2745 NISTIR 6278 An Authentication Framework for Web Access to Remote Hosts Ryan P. McCormack John E. Koontz Judith Devaney U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology Information Technology Laboratory Gaithersburg, MD 20899 oc 100 U56 NIST HO. 6278 1999 NISTIR 6278 An Authentication Framework for Web Access to Remote Hosts Ryan P. McCormack John E. Koontz Judith Devaney U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology Information Technology Laboratory Gaithersburg, MD 20899 January 1999 &&WOF Cq WSM Sr <- > Mr ES o* U.S. DEPARTMENT OF COMMERCE William M. Daley, Secretary TECHNOLOGY ADMINISTRATION Gary R. Bachula, Acting Under Secretary for Technology NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Raymond G. Kammer, Director U.S. DEPARTMENT OF ENERGY Washington, D.C. 20858 An Authentication Framework for Web Access to Remote Hosts Ryan P. McCormack, John E. Koontz, Judith Devaney Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899 January 14, 1999 Abstract An authentication framework is described that provides a secure means for clients to access remote computing resources via the Web. Clients authenticate themselves to a proxy Web server using a secure protocol and a digital certificate. The server constructs a fingerprint (digest) of the certificate using a secure hash function. This hash value acts as a user’s identification, which is used to obtain remote login information for that user from an authentication database. Client commands can then be executed by the Web server on remote hosts using the Secure Shell protocol.