Contents 1 a Note of Caution 1.1 Cryptography Is Powerful, but Not


Contents

1 A Note of Caution
  1.1 Cryptography is Powerful, but not your only line of defense
    1.1.1 Learn and Use
2 Basics first
  2.1 Risk Analysis
  2.2 Kerckhoffs's principle
  2.3 Public Key Cryptography
    2.3.1 Learn and Use
  2.4 SSL
    2.4.1 Learn and Use
  2.5 AES
3 PGP / GPG
  3.1 Install GPG
    3.1.1 PGP Public Key servers
  3.2 Import our keys
  3.3 Encrypt your message
    3.3.1 Automatic Encryption Using Enigmail / Thunderbird
      3.3.1.1 Learn and Use
    3.3.2 Manual Encryption Using Command Lines / Terminals and GPG
  3.4 Keys
  3.5 Links
  3.6 Learn and Use
4 Verifying Software Downloads & Files: Hashing
  4.1 Microsoft File Checksum Integrity Verifier
  4.2 Hashtab & HashMyFiles
  4.3 Checking Hashes on Linux / Mac
  4.4 Checking GPG Digitally Signed Software Package Signatures
5 Disk Encryption
  5.1 TrueCrypt
    5.1.1 Learn and Use
  5.2 FileVault
  5.3 LUKS
  5.4 Tomb
  5.5 Learn and Use
6 Secure Data Deletion
7 Encrypted Mobile Communications
  7.1 Gibberbot
  7.2 TextSecure
  7.3 RedPhone
  7.4 Chatsecure
8 Privacy Protected Browsing
  8.1 Tor
    8.1.1 Learn and Use
  8.2 Tor Browser Bundle
  8.3 Onionbrowser on iOS
  8.4 Orbot: Tor On Android
  8.5 Orweb: Proxy + Privacy Browser
  8.6 Ghostery
  8.7 Learn and Use
9 Darknets
  9.1 Tor
  9.2 Tribler
  9.3 i2p
  9.4 Freenet
10 Secure Chat
  10.1 Encryption
  10.2 Authentication
  10.3 Deniability
  10.4 Perfect forward secrecy
  10.5 Client support
    10.5.1 Native
    10.5.2 Via plugin
    10.5.3 Proxy
    10.5.4 Chat Log Files
  10.6 Learn and Use
11 Misc
  11.1 Tahoe-LAFS
    11.1.1 Learn and Use
  11.2 Intrusion detection systems
  11.3 IronKey
  11.4 DistrRTgen
12 Software Libraries
13 Operating System and Host Environment
  13.1 Home directory encryption
  13.2 Full Disk Encryption
    13.2.1 See also
  13.3 Operating Systems
    13.3.1 Tails Linux: The Amnesic Incognito Live System
    13.3.2 Liberté Linux
    13.3.3 Whonix
14 Email
  14.1 Website Emailers
    14.1.1 SSL enabled services
    14.1.2 Non SSL services
  14.2 Encrypted Dropboxes
    14.2.1 Privacybox.de
15 Data Liberation
  15.1 Learn and Use
16 Virtual Private Networks (VPNs)
  16.1 Microsoft PPTP
    16.1.1 Microsoft PPTP Problems
  16.2 OpenVPN
  16.3 VPN in meatspace
  16.4 SSH
  16.5 External VPN guides / links:
  16.6 Learn and Use
17 Bitcoin
  17.1 Learn and Use
18 RFID
19 Remote Desktop software
  19.1 Microsoft RDP
  19.2 Apple Remote Desktop ARD
20 Voice over IP
  20.1 Learn and Use
21 Mobile Phones / Smartphones
22 Counter Surveillance
  22.1 Learn and Use
23 Legal Issues
  23.1 Australia
  23.2 European Union
    23.2.1 Ireland
      23.2.1.1 Decryption Laws
    23.2.2 United Kingdom
  23.3 United States
24 Organizations and Legal Support
  24.1 Electronic Frontier Foundation
25 Courses and Education
26 Where to go for more information
27 Some Relevant Quotes from Twitter and Elsewhere
  27.1 Security Humour

A Note of Caution

Please only add resources and tools to this page. Inasmuch as anyone can edit this wiki, some skepticism is warranted - crowdsourcing has the defects of its virtues! For good, concrete, peer-reviewed advice, we recommend the Electronic Frontier Foundation's tutorials at https://ssd.eff.org/ That said, your privacy is already more configurable than you might think...

Cryptography is Powerful, but not your only line of defense

The theory behind cryptography is solid and proven, but solid crypto will fail if:

Implemented incorrectly - if the tool claims to have certain crypto implemented, they may be truthful but the implementation may be unsound. Try to use the tools that have a large user base and large communities - they are generally safer (but not always).

Misused - encrypted a file but didn't secure-delete the plaintext? Initiated an SSL tunnel but didn't verify the remote certificate? Use top-notch crypto software but didn't protect the OS or the physical computer? It is so easy to make mistakes, doing it right requires consistency, vigilance, and a modicum of paranoia. Assume that you do not know, learn all you can, then use. Carefully. Mistakes may render your state-of-the-art crypto useless against a knowledgeable adversary.

Why is cryptography dangerous? Because it can give you a false sense of security.

Come to a cryptoparty and talk to experts, learn from each other, and continue to learn over time. Take responsibility for your communication, privacy, and security. Don't let anyone scare you out of experimenting and implementing crypto, but please be aware it takes time and effort to learn that crypto is necessary, but not sufficient; it is not a panacea.
Learn and Use

Video: Encrypt to Live from Cryptoparty Boston (Andrew) via @torproject

Basics first

Risk Analysis

Committee to Protect Journalists - Journalists Security Guide - Information Security by Danny O'Brien - hopefully a CryptoParty will clearly explain most of the software and techniques mentioned in this guide.

Your emphasis should be on simplicity. There's no point in surrounding yourself with computer security that you don't use, or that fails to address a weaker link elsewhere. Take advantage of what you know well: the people who are most likely to take offense or otherwise target your work, and what they may be seeking to obtain or disrupt. Use that knowledge to determine what you need to protect and how.

Ask yourself: What information should I protect? What data is valuable to me or a potential adversary? It might not be what you think of at first. Many journalists feel that what they are doing is largely transparent, and that they have nothing to hide. But think about the dangers to sources if the information they have provided to you was more widely known. What may seem innocuous personal information to you might be incriminatory to others.

Kerckhoffs's principle

Kerckhoffs's principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

This principle should apply to all of the tools and resources mentioned on this page.

Public Key Cryptography

Public Key Cryptography has only become practical with the use of computers. It offers a mathematically secure way of sending encrypted messages or files between computers and their users, without necessarily having to set up a separate Secure Channel e.g. a face to face meeting, to agree upon or exchange the secret key to the cryptographic algorithm they are using to protect the privacy of the message or data from snoopers.

Public Key Cryptography also offers a method of detecting attempts at forgery through the use of Digital Signatures.

Learn and Use

BBC science presenter Dr Yan Wong explains (without mathematics) the principle of how Alice and Bob can use "digital padlocks" to protect their messages from being read by Ed the eavesdropper - Public Key Encryption video clip (3 minutes)

There is an excellent visual explanation of Diffie-Hellman key exchange on YouTube.
SSL

Secure Socket Layer is a multi-cypher protocol used to create an encrypted connection across the internet from your device to a destination server; it is widely used in commercial applications. The precursor to Transport Layer Security (TLS), many systems which actually use TLS anachronistically claim that they are using SSL inasmuch as it is far more widely known.

Website links which begin with https:// signify the use of SSL or TLS encrypted sessions

Check how well a public internet webserver is configured for SSL / TLS via the Qualys SSL Labs Server Test

By default most webserver configurations allow old protocols and weak cryptographic ciphers. See the Server side security tweaks page for how this was improved for this website https://CryptoParty.org running on an Apache webserver.

The Qualys SSL Labs Server Test score for CryptoParty.org of "A" 85 is now as good as most internet banking websites etc.

For Microsoft IIS 7.x on Windows 2008 or IIS 6.x on Windows 2003, the free Nartac Software IIS Crypto tool will allow you to conveniently disable the weak SSL ver 2 protocol and to pick and order the Cipher Suites, to ignore weak 40 bit and 56 bit key lengths and to include the RC4 algorithm to resist the BEAST man-in-the-middle attack, without having to wade through the complexities of various Registry Keys etc.
Adding the HTTP Strict Transport Security header which allows the latest versions of browsers like Google Chrome to always choose the SSL encrypted version of a website, again to resist man-in-the-middle attacks:

Windows 2008 IIS 7.x
Windows 2003 IIS 6.x
Apache Server side security tweaks

The Digital Certificate Fingerprints for https://CryptoParty.org are:

Serial No: 000835C2
SHA1: 13:10:16:5D:8E:19:3F:E9:58:A0:A5:D0:38:B1:BB:59:C8:75:B2:2C
MD5: EF:07:FB:C6:AF:D9:CC:25:72:43:0A:05:B4:AB:14:65

You can choose to trust the colour changes in your web browser navigation bar or other symbols and the lack of pop-up warning messages, that signify a "good" SSL / TLS encrypted session connection to the website. Alternatively, you can check these Cryptographic Hash Fingerprints manually each time you visit this website, e.g. in Firefox on a Windows computer, right mouse click on the web page / View Page Info / Security / View Certificate

If they do not match what you are expecting, do not enter any sensitive data into any web form e.g. a login username or password or your credit card details, without checking further.

You can also make use of say, a Firefox web browser add-on like Certificate Patrol, which will notify you if the current Digital Certificate has changed since the previous time you visited the website - this may be indicative of a man-in-the-middle hijack attempt or it may be a normal rotation due to certificate expiry or load balancing between different computers on high volume websites.

Using SSL by no means guarantees that your connection is "secure". It only indicates that the connection is encrypted between you and the server, and if the certificate system behind it is not manipulated (which has happened in the past) that the remote server is what it claims it is. The use of SSL does not imply that the remote website is secure (or that your computer is secure). "Using SSL to deliver data between a desktop PC and a typical website is like using an armored car to deliver money from your sock drawer to a paper bag taped under a park bench." - Alan Batie (whoever that is).
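The manual fingerprint comparison and the Certificate Patrol style change notification described above, as an added Python example that is not part of the original page or of any tool it names. The two sample "certificates" are constructed placeholder bytes rather than real DER certificates, the names matches_pin, CertificateWatch and fetch_der are hypothetical, and remembering SHA-256 fingerprints between visits is this example's choice.

```python
import hashlib
import hmac
import ssl

# SHA1 fingerprint the page publishes for https://CryptoParty.org.
PAGE_SHA1 = "13:10:16:5D:8E:19:3F:E9:58:A0:A5:D0:38:B1:BB:59:C8:75:B2:2C"

# Constructed stand-ins for two DER-encoded certificates (not real certificates).
SAMPLE_CERT_A = b"constructed-certificate-bytes-A"
SAMPLE_CERT_B = b"constructed-certificate-bytes-B"

_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hash the whole DER certificate and format it browser-style (AA:BB:..)."""
    if algo not in _HEX_LEN:
        raise ValueError(f"unsupported algorithm: {algo}")
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(text: str, algo: str) -> str:
    """Accept 'AA:BB', 'aa bb' or 'aabb'; reject truncated or non-hex input."""
    cleaned = "".join(ch for ch in text if ch not in ": \t").lower()
    if len(cleaned) != _HEX_LEN[algo]:
        raise ValueError(f"expected {_HEX_LEN[algo]} hex digits for {algo}")
    if any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def matches_pin(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """True only if the certificate hashes to the fingerprint you expect."""
    actual = normalize(fingerprint(der, algo), algo)
    return hmac.compare_digest(actual, normalize(expected, algo))


class CertificateWatch:
    """Remember each host's fingerprint and report a change on later visits."""

    def __init__(self):
        self._seen = {}

    def visit(self, host: str, der: bytes) -> str:
        key = host.lower()
        current = fingerprint(der, "sha256")
        if key not in self._seen:
            self._seen[key] = current
            return "first-visit"
        # A change is reported but not stored: it may be an attack or a
        # normal rotation, so the user decides before accept() replaces it.
        return "unchanged" if self._seen[key] == current else "changed"

    def accept(self, host: str, der: bytes) -> None:
        self._seen[host.lower()] = fingerprint(der, "sha256")


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a live server certificate as DER (needs network; unused in demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def demo() -> list:
    watch = CertificateWatch()
    return [
        matches_pin(SAMPLE_CERT_A, fingerprint(SAMPLE_CERT_A)),  # own pin
        matches_pin(SAMPLE_CERT_A, PAGE_SHA1),  # placeholder bytes vs page pin
        watch.visit("CryptoParty.org", SAMPLE_CERT_A),
        watch.visit("cryptoparty.org", SAMPLE_CERT_A),
        watch.visit("cryptoparty.org", SAMPLE_CERT_B),
    ]


if __name__ == "__main__":
    print(demo())
```

For a live check, pass the result of fetch_der(host) to matches_pin together with a fingerprint obtained over a separate trusted channel.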
Learn and Use

Video: "SSL and Authentication" from Boston Cryptoparty (John) via @torproject

AES

The Advanced Encryption Standard is a popular symmetric cypher. This means that the key used to encrypt the information is the same as the key to decrypt it. AES is a standard form of encryption for governments and large organisations, and has formed the basis for many other derivative cryptosystems (such as PGP, as discussed below).

Symmetric ciphers such as AES are useful because they are fast, reliable and non-specific. A file encrypted via AES can be shared widely and decrypted by everyone with the same key. This is in stark contrast to public key encryption methods, where encryption is targeted to the owner of a private key only. A real-world example of this approach is the distribution by Wikileaks of an "insurance" file, which appears to be AES-encrypted. The distribution of this file means that Wikileaks have leverage over more powerful enemies, as they can release a small key to unlock a large, and presumably high impact, file.

It is normal for public key (asymmetric) and symmetric cipher methods to be comb