Educational CyberPlayGround ®

Definition of crypto


Technology Quotes

Crypto Resources

A Few Thoughts on Cryptographic Engineering
A History of Backdoors also known as "Crypto Wars". Clipper is only one of several examples of 'government access' mechanisms that failed and blew back on us catastrophically. More recent examples have occurred as recently as this year with the FREAK and LogJam attacks on TLS, resulting in vulnerabilities that affected nearly 1/3 of secure websites -- including (embarrassingly) the FBI and NSA themselves. And these did undermine security.

Crypto Hacks

Google, the Wassenaar Arrangement, a multilateral export control association and vulnerability research.

6/16/15 Chairman Chaffetz: WHY DON'T YOU ENCRYPT DATA??
Years of fundamental cybersecurity lapses left the government's personnel agency wide open to a pair of hacks that have exposed the private information about nearly every federal employee, along with detailed personal histories of millions with security clearances, officials acknowledged to Congress. For a long time, he said, the people running the agency's information technology had no expertise. China will seek to gain leverage over Americans with access to secrets by pressuring their overseas relatives and contacts, particularly if they happen to be living in China or another authoritarian country. "China now has a list of Chinese citizens worldwide who are in close contact with American officials and they can use that for espionage purposes," said Rep. Ron DeSantis, a Florida Republican.
Katherine Archuleta is a political hack with no technology skills who also worked as the National Political Director for President Obama’s reelection campaign



cybersecurity practices

DHS chief used personal email on work computer despite risks. Johnson and 28 senior staffers obtained an informal waiver last year allowing them to use their work computers to check personal email via the Internet, a practice cybersecurity experts discourage. Jeh Johnson stopped using his desktop computer at work to check personal email because it posed a security risk. Johnson's department is responsible for protecting federal government computers from attack: “DHS has the mission to provide a common baseline of security across the civilian government and help agencies manage their cyber risk.” In all cases, she said, using personal email for work purposes was and is “strictly prohibited.”

Federal Judge Contreras warned the State Department that it will "have to answer for" any destruction of Hillary Clinton email records.

Adi Shamir Reveals Sisyphus Algorithm
1st Law Fully secure systems don't exist now and won't exist in the future.
2nd Law Cryptography won't be broken, it will be bypassed. This reflects the futility of trying to eliminate every single vulnerability in a given piece of software: for the most part, attackers deal with encryption by finding ways around it, not by attacking the cryptosystems themselves.

 is a collection of activities and training resources for anyone interested in learning about information security topics in a fun and easy way. Instructor-led Activities.


In 2015, we are worried about the integrity of the internet, and in particular about a class of deliberately weak export cipher suites. As the name implies, this class of algorithms was introduced under the pressure of US government agencies to ensure that they would be able to decrypt all foreign encrypted communication.
The repercussions of a decision in 1992 to have a US edition of Netscape with 1024-bit RSA public keys in combination with 128-bit symmetric keys, and an international version with 512 bits and 40 bits are being felt today because the weakened encryption system limped on and made its way into modern technology through a sort of software osmosis. We learned this month that it lurks within official government websites and on software and systems from firms including Microsoft, BlackBerry, Apple and Google.

UK spies claim broad powers to hack worldwide
Admits to using vulnerabilities for intelligence gathering.

Targeted Cyberattacks Logbook

On the new Snowden documents


12/14 Matthew Green

NSA has difficulty decrypting certain types of traffic, including Truecrypt, PGP/GPG, Tor and ZRTP from implementations such as RedPhone. Since these protocols share many of the same underlying cryptographic algorithms — RSA, Diffie-Hellman, ECDH and AES — some are presenting this as evidence that those primitives are cryptographically strong. The NSA does break the SSL/TLS protocols.
Massive Snowden Dump
The lack of cryptanalytic red meat in these documents may not truly be representative of the NSA’s capabilities. It may simply be an artifact of Edward Snowden's clearances at the time he left the NSA.
A major attack strategy for NSA/GCHQ involves key databases containing the private keys for major sites. For the RSA ciphersuites of TLS, a single private key is sufficient to recover vast amounts of session traffic — in real time or even after the fact.

The NSA may have relationships with employees at specific named U.S. entities, and may even operate personnel “under cover”. This would certainly be one way to build a key database. Also VPNs use broken protocols and relatively poorly-secured pre-shared secrets and other vulnerabilities like Heartbleed.

Open Source packages:
Redphone, Truecrypt, PGP and OTR The documents provide at least circumstantial evidence that some open source encryption technologies may thwart NSA surveillance. These include Truecrypt, ZRTP implementations such as RedPhone, PGP implementations, and Off the Record messaging. These packages have a few commonalities:
They’re all open source, and relatively well studied by researchers.
They’re not used at terribly wide scale (as compared to e.g., SSL or VPNs).
They all work on an end-to-end basis and don’t involve service providers, software distributors, or other infrastructure that could be corrupted or attacked.

How Stuff Works: How Code Breakers Work
A short series of introductory articles on the gentle art of cryptography, although it's more towards enciphering than deciphering; it has the most succinct description of the Vigenère cipher.

2.11.15 A Crypto Trick That Makes Software Nearly Impossible to Reverse-Engineer

Security researcher Jacob Torrey @JacobTorrey presents Hardened Anti-Reverse Engineering System, or HARES. Torrey’s method encrypts software code such that it’s only decrypted by the computer’s processor at the last possible moment before the code is executed. This prevents reverse engineering tools from reading the decrypted code as it’s being run. The result is tough-to-crack protection from any hacker who would pirate the software, suss out security flaws that could compromise users, and even in some cases understand its basic functions. “This makes an application completely opaque,” says Torrey, who works as a researcher for the New York State-based security firm Assured Information Security. “It protects software algorithms from reverse engineering, and it prevents software from being mined for vulnerabilities that can be turned into exploits."

Computer-stored encryption keys are not safe from side-channel attacks! Not that long ago, grabbing information from air-gapped computers required sophisticated equipment. In my TechRepublic column Air-gapped computers are no longer secure, researchers at Georgia Institute of Technology explain how simple it is to capture keystrokes from a computer just using spurious electromagnetic side-channel emissions emanating from the computer under attack.

Whitfield Diffie, coinventor of the mathematics underlying modern encryption, told the story of his discovery.
Stanford CISAC Diffie spent the 1990s working to protect the individual and business right to use encryption, for which he argues in the book Privacy on the Line, the Politics of Wiretapping and Encryption, which he wrote jointly with Susan Landau. Diffie is a Marconi fellow and the recipient of a number of awards including the National Computer Systems Security Award (given jointly by NIST and NSA) and the Franklin Institute's Levy Prize.


Crypto - Richard Stallman

How cryptography is a key weapon in the fight against empire states
Protect individual freedom from state tyranny. Strong cryptography is a vital tool in fighting state oppression. Cryptography was our secret weapon. What began as a means of retaining individual freedom can now be used by smaller states to fend off the ambitions of larger ones. By Julian Assange, 2013


12/20/13 Secret contract tied NSA and security industry pioneer
As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned. Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products. Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show. The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products. RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness. RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own." 
The NSA declined to comment. The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using "commercial relationships" to advance that goal, but did not name any security companies as collaborators. The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that "encryption is an essential basis for trust on the Internet," and called for a halt to any NSA efforts to undermine it. Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred. But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance. "They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.

STORIED HISTORY

Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people. At the core of RSA's products was a technology known as public key cryptography. Instead of using the same key for encoding and then decoding a message, there are two keys related to each other mathematically. The first, publicly available key is used to encode a message for someone, who then uses a second, private key to reveal it. From RSA's earliest days, the U.S. intelligence establishment worried it would not be able to crack well-engineered public key cryptography. Martin Hellman, a former Stanford researcher who led the team that first invented the technique, said NSA experts tried to talk him and others into believing that the keys did not have to be as large as they planned. The stakes rose when more technology companies adopted RSA's methods and Internet use began to soar. The Clinton administration embraced the Clipper Chip, envisioned as a mandatory component in phones and computers to enable officials to overcome encryption with a warrant. RSA led a fierce public campaign against the effort, distributing posters with a foundering sailing ship and the words "Sink Clipper!" A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying. Some companies say that is just what has happened in the wake of the Snowden disclosures. The White House abandoned the Clipper Chip and instead relied on export controls to prevent the best cryptography from crossing U.S. borders. RSA once again rallied the industry, and it set up an Australian division that could ship what it wanted. "We became the tip of the spear, so to speak, in this fight against government efforts," Bidzos recalled in an oral history.

RSA EVOLVES

RSA and others claimed victory when export restrictions relaxed. But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks. RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to concentrate on VeriSign, a security certificate company that had been spun out of RSA. The elite lab Bidzos had founded in Silicon Valley moved east to Massachusetts, and many top engineers left the company, several former employees said. And the BSafe toolkit was becoming a much smaller part of the company.
By 2005, BSafe and other tools for developers brought in just $27.5 million of RSA's revenue, less than 9% of the $310 million total. "When I joined there were 10 people in the labs, and we were fighting the NSA," said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. "It became a very different company later on." By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers. New RSA Chief Executive Art Coviello and his team still wanted to be seen as part of the technological vanguard, former employees say, and the NSA had just the right pitch. Coviello declined an interview request. An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institutes of Standards and Technology as one of four acceptable methods for generating random numbers. NIST's blessing is required for many products sold to the government and often sets a broader de facto standard. RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings. RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists. "The labs group had played a very intricate role at BSafe, and they were basically gone," said labs veteran Michael Wenocur, who left in 1999. Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula "can only be described as a back door." After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator. 
But unlike the Clipper Chip fight two decades ago, the company is saying little in public, and it declined to discuss how the NSA entanglements have affected its relationships with customers. The White House, meanwhile, says it will consider this week's panel recommendation that any efforts to subvert cryptography be abandoned.

12/21/13 NSA agent co-chairing key crypto standards body should be removed
Security experts are calling for the removal of a National Security Agency employee who co-chairs an influential cryptography panel, which advises a host of groups that forge widely used standards for the Internet Engineering Task Force (IETF).
Igoe's leadership had largely gone unnoticed until reports surfaced in September that exposed the role NSA agents have played in "deliberately weakening the international encryption standards adopted by developers." Until now, most of the resulting attention has focused on cryptographic protocols endorsed by the separate National Institute for Standards and Technology. More specifically, scrutiny has centered on a random number generator that The New York Times, citing a document leaked by former NSA contractor Edward Snowden, reported may contain a backdoor engineered by the spy agency.

9/5/13 A Few Thoughts on Cryptographic Engineering
All of this is a long way of saying that I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough. And since I never got a chance to see the documents that sourced the NYT/ProPublica story -- and I would give my right arm to see them -- I'm determined to make up for this deficit with sheer speculation. Which is exactly what this blog post will be.

12/21/13 "I have never seen a standards committee yet, where a big organization with a vested interest in seeing the standards either didn't happen, were diluted, or otherwise hamstrung, didn't hold key chairs of committees or key positions within those committees.
Decisions and power in a standards committee are always bottom up, never top-down. Anyone who thinks the chair has any real power is kidding themselves. Actually, they are giving the chair power. If the chair does have power, it is because the members of the committee are a bunch of wimps! ;-)
If you are duped into doing something dumb (like listening to the recommendations of someone from a large organization with a vested interest in weakening the standard), then you are the wrong person to be representing your company or yourself in the committee.  If every time a person from a company suggests something, you aren't asking yourself, "how does that serve his vested interest?" You are naive in the extreme.  Once in a while, there will be someone who is doing it for the right reasons, but it is always good to be prepared.
Yes, I am implying that the unbound variable "large organization with a vested interest" can have many values.  ;-)  Been there, have seen it with my own eyes, and have successfully thwarted them on more than one occasion.
P.S. The companies that are best at this will have home-grown the people they put on standards committees, so most of the person's experience is from the company's point of view.  It is much easier (and likely) that they will argue for your vested interest, if they have come to learn it as their own, almost as all they know. I have seen it in practice and it is quite effective. Most people are not that good at knowing one thing and arguing another.  It is much better if they really believe the company's view.  Now when you do find someone who is good at both, they are both very dangerous and someone to learn from." ~ John Day


2013 The Pirate Bay has launched a drive to crowdsource funding for a new mobile messaging app — one so secure that its creators say they couldn't turn over people's messages even if they wanted to. Hemlis (it means "secret" in Swedish), is being developed by Peter Sunde, one of the individuals behind The Pirate Bay, along with Linus Olsson and Leif Högberg. It's described as an easy to use messaging app in the vein of WhatsApp or iMessage, with one important twist: it uses end-to-end encryption to ensure that nobody can monitor your messages. "No one can listen in," the Hemlis site promises. "Not even us."



Encrypted e-mail:
How much annoyance will you tolerate to keep the NSA away?
Reportedly Glenn Greenwald, the Guardian reporter who exposed aspects of the secret NSA dragnet, needed time getting up to speed.
The solution to this is asymmetric cryptography. In asymmetric encryption there are two mathematically linked keys, and a message encrypted with one key can only be decrypted with the other. The two keys are known as a private key, which as the name might suggest is kept private, and a public key, which is broadcast to the world. Each time you want to send an e-mail to someone, you encrypt it with the recipient's public key. To protect the contents of your account, you need to ensure that everyone you communicate with is in a position to handle encrypted mail, and is willing to use that ability.
Free e-mail encryption programs are available for all major operating systems, and the ability to use them effectively isn't out of the grasp of average computer users if they know where to look. What follows is a set of step-by-step instructions for using GnuPG, the open-source implementation of the PGP encryption suite, to send and receive encrypted e-mails on machines running Microsoft Windows and Mac OS X.
After that, we'll show readers how to use a similar crypto standard called S/MIME, which may prove simpler to deploy because it is already built into many desktop and mobile e-mail clients, including Outlook and Thunderbird.
Finally, e-mail encryption doesn't encrypt everything. Certain metadata—including e-mail addresses of both sender and recipient, time and date of sending, and the e-mail's subject line—is unencrypted. Only the body of the mail (and any attachments) gets protected.
GnuPG (Gnu Privacy Guard) is open source and available for free on Windows, Mac, and Linux platforms.

2013 Android Police
Researchers at Erlangen University in Germany have managed to dump the contents of a Galaxy Nexus's RAM even though the phone had a PIN-protected lockscreen and encrypted internal storage. The technique used, known as "FROST", has been demonstrated on computers before.
Step 1.) put the (powered-on, if it's off you lose the valuable RAM contents) phone in a really, really cold freezer.
Step 2.) develop software that allows you to dump the active memory from an Android smartphone via USB (you might want to do this before step one). Step 3.) Pull the battery (or turn the phone off, though this may cause issues), boot into fastboot, run the dump software, and voila - data stolen. [...]


Virtual machine used to steal crypto keys from other VM on same server

It's typical screwed-up US government policy
The feds would love to  hire ten thousand people who can do cyber attack and defense, but  over the last forty years they have made that discipline both a crime and a tort. They have encouraged companies to sue reverse-engineers, and have themselves put talented and guileless student hackers into prison as if they were hardened criminals. It's just like the crypto  wars -- we were saying that the public needed to use and understand  crypto, to protect us all, but the feds were deadly opposed to letting ordinary people protect themselves FROM THE GOVERNMENT. Now we're all vulnerable to cyber chaos because this sorry excuse for a  government has let itself be bullied by NSA and by companies into  suppressing the relevant technologies and talents.  And among those who have the talents, many would refuse to work for the federal government, since it has threatened and screwed them all their lives. --gnu

BOTNETS A map of global malware distribution in March

Crypto breakthrough shows Flame was designed by world-class scientists

NSA Built Stuxnet, but Real Trick Is Building Crew of Hackers
Finding people skilled enough to wage cyberwarfare is increasingly difficult, experts say  
When Stuxnet -- a massive computer worm that damaged a uranium enrichment plant in Iran -- was discovered in 2010, cybersecurity experts marveled at its intricacy and power. But maybe just as impressive as the exploit itself was the fact that the National Security Administration [sic] was able to find the manpower needed to design the attack. That's because the NSA, CIA, the Army's Cyber Command, and private companies are quickly learning there aren't enough cybersecurity experts steeped in the skills needed to wage cyberwarfare. Experts have suggested that the United States government will need to hire at least 10,000 cybersecurity experts over the next several years, while the private sector will need even more. While most of those jobs are in defense, there's also a growing need for people who are able to hack into complicated networks. Unfortunately, they say, they're getting little help from universities, which are either unable or unwilling to teach students how to exploit network security vulnerabilities.
"Universities don't want to touch [hacking], they don't want to have the perception of teaching people how to subvert things," says Steven LaFountain, an NSA official who helps the agency develop new academic programs.[snip]
Even private companies that only want to defend their own networks are beginning to see the need for skilled hackers. "The whole field is moving toward penetration testing. We think of them as defensive experts, but it's really the same skills you need for offense," Paller says. [snip]



11/3/12 Megaupload and the Government's Attack on Cloud Computing
EFF, on behalf of its client Kyle Goodwin, filed a brief proposing a process for the Court in the Megaupload case to hold the government accountable for the actions it took (and failed to take) when it shut down Megaupload's service and denied third parties like Mr. Goodwin access to their property. The government also filed a brief of its own, calling for a long, drawn-out process that would require third parties—often individuals or small companies—to travel to courts far away and engage in multiple hearings, just to get their own property back.
Even worse, the government admitted that it has accessed Mr. Goodwin's Megaupload account and reviewed the content of his files. By doing so, the government has taken a significant and frightening step. It apparently searched through the data it seized for one purpose when its target was Megaupload in order to use it against Mr. Goodwin, someone who was hurt by its actions but who is plainly not the target of any criminal investigation, much less the one against Megaupload. This is, of course, a bald attempt to shift the focus to Mr. Goodwin, trying to distract both the press and the Court from the government's failure to take any steps, much less the reasonable steps required by law, to protect the property rights of third parties either before a warrant was executed or afterward. And of course, if the government is so well positioned that it can search through Mr. Goodwin's files and opine on their content—and it is not at all clear that this second search was authorized—presumably it can also find a way to return them.
But in addition, the government's approach should terrify any user of cloud computer services—not to mention the providers. The government maintains that Mr. Goodwin lost his property rights in his data by storing it on a cloud computing service. Specifically, the government argues that both the contract between Megaupload and Mr. Goodwin (a standard cloud computing contract) and the contract between Megaupload and the server host, Carpathia (also a standard agreement), "likely limit any property interest he may have" in his data. (Page 4). If the government is right, no provider can both protect itself against sudden losses (like those due to a hurricane) and also promise its customers that their property rights will be maintained when they use the service. Nor can they promise that their property might not suddenly disappear, with no reasonable way to get it back if the government comes in with a warrant. Apparently your property rights "become severely limited" if you allow someone else to host your data under standard cloud computing arrangements. This argument isn't limited in any way to Megaupload -- it would apply if the third party host was Amazon's S3 or Google Apps or or Apple iCloud.
The government's tactics here also demonstrate another chilling thing—if users do try to get their property back, the government won't hesitate to comb through their property to try to find an argument to use against them. The government also seeks to place a virtually insurmountable practical burden on users by asking the court to do a slow-walking, multi-step process that takes place in a far away court. Most third parties who use cloud computing services to store their business records or personal information are not in a position to attend even one court appearance in Virginia, much less the multiple ones the government envisions in its submission to the court.
Ultimately, if the government doesn't feel any obligation to respect the rights of Megaupload's customers—and it clearly doesn't—it's not going to suddenly feel differently if the target of its next investigation is a more mainstream service. The scope of its seizure here was breathtaking and they took no steps to engage in what the law calls "minimization," either before its searches and seizures or afterwards, by taking steps to return property to cloud computing users who it knew would be hurt. And now the government is trying to use standard contractual language to argue that any user of a cloud computing service has, at best, "severely limited" ownership rights in their property. Those who have been watching on the sidelines thinking that the issues in this case are just about Megaupload should take heed.

From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud
Peter P. Swire, Ohio State University (OSU) - Michael E. Moritz College of Law, April 12, 2012
Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:
(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.
(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.
(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.
(4) The “haves” and “have-nots.” The first three changes create a new division between the “haves” and “have-nots” when it comes to government access to communications. The “have-nots” become increasingly dependent, for access to communications, on cooperation from the “have” jurisdictions.
Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.

Cryptographic Usability



Confusion between the semantics of authentication and of confidentiality happens because these are, in fact, subtle concepts that are as poorly understood as they are intertwined.

An important cryptologic principle:
the security properties of keys used for authentication and those used for decryption are quite different.

Several protocol failures have exactly this confusion at their root.

Authentication keys, such as login passwords, become effectively useless once they are changed (unless they are re-used in other contexts). An attacker who learns an old authentication key would have to travel back in time to make any use of it.
But old decryption keys, even after they have been changed, can remain as valuable as the secrets they once protected, forever. Old ciphertext can still be decrypted with the old keys, even if newer ciphertext can't.
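The principle above, as an added example that is not from the page: rotating both kinds of key and checking what someone holding only the old keys can still do. The token scheme, the toy stream cipher (HMAC-SHA256 used as a PRF in counter mode, with no integrity protection) and the sample data are constructed for illustration only.

```python
# Added example (not from the page): a rotated authentication key is useless
# to an attacker, a rotated decryption key is not. Constructed toy: HMAC-SHA256
# for login tokens; a PRF-in-counter-mode stream cipher for data (illustration
# only, no integrity; use a vetted AEAD such as AES-GCM in real code).
import hashlib
import hmac
import os

def make_token(auth_key: bytes, username: str) -> bytes:
    """Authenticator over a login message under the current key."""
    return hmac.new(auth_key, username.encode(), hashlib.sha256).digest()

def verify_token(auth_key: bytes, username: str, token: bytes) -> bool:
    """Server-side check, constant-time, against the key now in force."""
    return hmac.compare_digest(make_token(auth_key, username), token)

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                        # fresh nonce per message
    ks = keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(enc_key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))

def rotate_keys_demo() -> dict:
    """Rotate both keys; report what someone holding only the OLD keys can do."""
    old_auth, old_enc = os.urandom(32), os.urandom(32)
    token = make_token(old_auth, "alice")          # captured before rotation
    stored = encrypt(old_enc, b"secret archive")   # captured before rotation
    new_auth, new_enc = os.urandom(32), os.urandom(32)   # rotation happens
    # The old authenticator is rejected once the server checks with the new key.
    token_still_accepted = verify_token(new_auth, "alice", token)
    # The old ciphertext still opens with the old decryption key, forever.
    old_ct_readable = decrypt(old_enc, stored) == b"secret archive"
    # Mitigation: re-encrypt the live copy under the new key (captured copies stay exposed).
    rewrapped = encrypt(new_enc, decrypt(old_enc, stored))
    rewrapped_readable_with_old = decrypt(old_enc, rewrapped) == b"secret archive"
    return {"old_token_accepted": token_still_accepted,
            "old_ciphertext_readable": old_ct_readable,
            "rewrapped_readable_with_old_key": rewrapped_readable_with_old}
```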




Air Force Intelligence, Surveillance and Reconnaissance Agency
Public Affairs 9/30/2011 By Wayne Amann
LACKLAND AIR FORCE BASE, Texas (AFNS) -- The Air Force Intelligence, Surveillance and Reconnaissance Agency now has the trifecta of cryptologic machines on display. Working in concert with the National Security Agency's National Cryptologic Center Museum at Fort Meade, Md., the AFISRA History Office received on loan an M-125 Fialka, which is a 10-rotor cipher machine developed by the Soviet Union in the late 1950's and used during the Cold War until that country's collapse in 1991.
The Fialka, which in English means "violet," was unveiled at a ceremony Sept. 22 in the AFISRA Heritage Center here. It joined Nazi Germany's Enigma and the United States' Sigaba, as the only known co-located display of the three encryption/decryption devices. "I didn't find any museum, not the Imperial War Museum, not the Smithsonian, that had these three machines on display," said Gabe Marshall, from the AFISRA History Office. "It's safe to say the troika of encryption devices we have can only be found in a private collection."
The new Fialka display also features unique accessories in two glass-enclosed cases: a Soviet parade uniform, an AK-47 assault weapon and Soviet flight gear. Senior Master Sgt. Benjamin Jones, from the AFISRA History Office, designed and built the display, which took eight months to complete.
"We overcame a lot of setbacks," Jones said. "We had to replace the doors, find the special glass which was extremely difficult, get the AK-47 to fit correctly so it would never fall down, stabilize the Fialka, reinforce the bottoms of the display (cases). Luckily I'm a carpenter so that helped. Even the display for the uniform was made from an old lamp."
The Fialka first went into operation in 1959, officials said. According to the rotating picture frame in the display, Eastern Bloc countries were issued customized, upgraded versions of the Fialka machine, which included keyboards, print heads and rotor sets adapted to accommodate their respective individual alphabets and special characters. The rotor sets were each wired differently and used for inter-country communication. Few Fialkas exist today following their systematic destruction by the Soviet and subsequent Russian governments for security purposes, officials said. It remains an obscure, but highly significant Cold War cryptologic artifact today.
Maj. Gen. Robert Otto, AFISRA commander and officiating officer at the display unveiling, recognized National Cryptologic Center Museum staff for their support promoting the efforts of the AFISRA History Office to assemble its display. All three AFISRA Heritage Center cryptologic machines are on loan from the National Cryptologic Center museum. "I don't think that museum will be asking us to return their artifacts any time soon since our displays are really world class," Otto said.


Introduction to Applied Cryptography for Secure Communication and Commerce (c)
There is no such thing as a "web of trust" signed by unknown (or corruptible) entities. Your key does *NOT* link your meatspace entity to your email address. You might have separate keys (and separate emails) for each identity you maintain. None of which need be linked to your meatspace "true name". In fact, you could have different identities of yours sign your other keys, and the gullible would believe them (you)! The eBay equivalent is having one 'identity' give positive feedback about another 'identity', fooling those who assume they are different physical entities. Don't assume that the "web of trust" has anything to do with trust, just because it (ab)uses that word. Think about collusions of signers. Think about multiple identities. Remember that the Govt issues false "real-world" IDs when it is convenient for them to do so.
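The collusion argument above, as an added example that is not from the page or from any PGP implementation: a constructed signature graph in which one person controls several keys that all certify each other. Raw signature counts are inflated by the cluster; a policy that counts only signatures from introducers the verifier has personally rated (loosely modelled on PGP's full and marginal introducers) is not. All key names and thresholds are constructed for illustration.

```python
# Added example (not from the page): colluding identities inflate signature
# counts but not validity computed from the verifier's own rated introducers.
# Constructed data: "mallory-*" are three keys held by one person.

# signer -> keys that signer has certified (constructed data, not real keys)
SIGNATURES = {
    "mallory-1": {"mallory-2", "mallory-3", "mallory-store"},
    "mallory-2": {"mallory-1", "mallory-3", "mallory-store"},
    "mallory-3": {"mallory-1", "mallory-2", "mallory-store"},
    "alice":     {"bob", "carol"},
    "bob":       {"dave"},
    "carol":     {"dave", "mallory-store"},   # carol was fooled once
}

def signers_of(key: str) -> set:
    """Every key that has put a signature on `key`."""
    return {s for s, signed in SIGNATURES.items() if key in signed}

def naive_valid(key: str, threshold: int = 2) -> bool:
    """Bad policy: believe any key carrying at least `threshold` signatures,
    regardless of who the signers are or whether they are the same person."""
    return len(signers_of(key)) >= threshold

def introducer_valid(key: str, full: set, marginal: set,
                     marginals_needed: int = 2) -> bool:
    """Count only signatures from introducers the verifier has rated: one
    fully trusted signer, or `marginals_needed` marginally trusted ones.
    Signatures from unrated keys (a sybil cluster included) count for nothing."""
    s = signers_of(key)
    return bool(s & full) or len(s & marginal) >= marginals_needed

def evaluate(full: set, marginal: set) -> dict:
    """(naive, introducer-based) validity of every key, from one verifier's view."""
    keys = set(SIGNATURES) | {k for v in SIGNATURES.values() for k in v}
    return {k: (naive_valid(k), introducer_valid(k, full, marginal))
            for k in sorted(keys)}

if __name__ == "__main__":
    # Alice trusts herself fully and rates bob and carol as marginal introducers.
    for key, (naive, rated) in evaluate({"alice"}, {"bob", "carol"}).items():
        print(f"{key:14} signatures={len(signers_of(key))} naive={naive} rated={rated}")
```

Under Alice's view the promoted key carries the most signatures yet fails the introducer policy, while bob, with a single signature from a fully trusted introducer, passes it and fails the naive count.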

Bitcoin: The Cryptoanarchists’ Answer to Cash
How Bitcoin brought privacy to electronic transactions
By Morgen E. Peck / June 2012
There's nothing like a dollar bill for paying a stripper. Anonymous, yet highly personal—wherever you use it, that dollar will fit the occasion. Purveyors of Internet smut, after years of hiding charges on credit cards, or just giving it away for free, recently found their own version of the dollar—a new digital currency called Bitcoin. You’ll know it when you see it (strippers who accept tips in bitcoins advertise their account addresses right on their bodies). And more important, if you pay with it, no one needs to know. Bitcoin balances can flow between accounts without a bank, credit card company, or any other central authority knowing who is paying whom. Instead, Bitcoin relies on a peer-to-peer network, and it doesn’t care who you are or what you’re buying. In the long run, a system like this, which restores privacy to electronic payments, could do more than just put the sneak back into the peek. If enough people take part, Bitcoin or another system like it will give political dissidents a new way to collect donations and criminals a new way to launder their money—while causing headaches for traditional financial gatekeepers. You may have heard about Bitcoin last year, when the digital currency was briefly a major media story and speculators rushed to cash in on the rising value of bitcoins. Or perhaps you heard about hackers raiding the coffers of the largest online bitcoin exchanges, which coincided with the price of bitcoins plunging. Since January Bitcoin has stabilized. It’s been holding an exchange rate of about US $5. [snip]
TAGS: Bitcoin // Internet // cryptocurrency // cryptography // encryption // hash functions // peer-to-peer networks // privacy

Can You Keep A Secret? by John J. Fried; March 5, 1998; Summary: The article discusses the debate over encryption. More recently, some members of Congress and the FBI have begun to worry that without domestic fetters on strong encryption, home-grown criminals, too, will have free rein on the Internet, and would like to regulate the export of strong, hard-to-break encryption programs. However, legislators and law enforcement agencies, most notably the Federal Bureau of Investigation, are clashing with cyberlibertarians and powerful commercial interests over efforts to extend controls on so-called strong encryption to domestic uses.

© Educational CyberPlayGround ® All rights reserved world wide.