The niner noteworthy and the 12 recaps of 2016 (day 4)

Cryptography is a difficult subject, not least because of it’s mathematical properties. It is also difficult to implement correctly and sometimes we find out that the rules governing it’s usage are lacking behind or not even there to begin with.
Another issue that is of all times, but came to the surface again this year in the Apple vs. FBI court case, is the constant fight between encrypting stuff and law enforcement as well as intelligence agencies wanting backdoors in those systems to be able to access them when necessary.
Today’s instalment touches briefly on all these aspects.

In chronological order:

How quantum computing could unpick encryption to reveal decades of online secrets

Quantum computing is still a long way off and we could have quantum resistant algorithms in place well before the first general purpose quantum computer is ever turned on. The cryptographic issues described however do exists because of the simple fact that current algorithms can’t be cracked by modern computer hardware in a sufficient amount of time to make it worthwhile doing so.
This last bit is the linchpin of current day cryptography, because most algorithms can be cracked with the current state of technology. However, doing so will take you decades or even centuries to complete all calculations necessary. A quantum computer would bring that down to days or weeks possibly.
Is there a threat to current day information security from quantum computing? No, not really. But that doesn’t mean we can rest easy and do nothing to make sure we have algorithms and technology in place to mitigate the risk of quantum computing if and when it arrives.
source: CBS Interactive, Techrepublic (external link)

Mozilla wants woeful WoSign certs off the list

The problem with the entire certificate authority business is that it isn’t very profitable, difficult to implement correctly and apparently not bound to any over-arching regulations or policies. Mozilla is referring to their own certificate policy documents to take the step of distrusting certificates, uhh maybe.
The SHA1 hashing algorithm mentioned btw has been deprecated by the National Institute of Standards and Technology (NIST) since the 1st of January 2011. The fact browsers only now are deprecating it’s use says a lot by itself.
source: The Register (external link)

Getting To The ‘Just Right’ Level Of Encryption

The most important point from this article is to understand that who owns the encryption keys, owns the data encrypted with those keys. Making sure your business therefore owns the keys is paramount for your security posture and data leakage prevention.
There are several ways to do this from obtaining backups, generating and distributing the keys used e.g. by the use of key pairs and smartcards or by offering encryption services not tied to the device of the user but as a network service. Think of it as a physical key to a strongbox or safe.
The example discussed in this article is interesting as well and could e.g. be combined with public key infrastructure elements and key escrow systems to make sure the company always has access to it’s own data whatever the employee may do or fails to do for that matter.
source: UBM, Darkreading (external link)

SSL handshake weakness leaves MacOS, iOS devices open to MitM attacks

The biggest issue here is simply that received information is not sanitised before it is actually used. Unfortunately a common mistake in current day programming and the reason why several attack factors related to missing input validation are still ranking the OWASP top 10.
Is SSL/TLS insecure because of this? Probably not as the vulnerability has nothing to do with the encrypted connection. OCSP or (Online Certificate Status Protocol) is used to verify that a given certificate is still valid. An invalid, revoked or expired certificate can tell you that the service you are requested can’t prove it’s the service you are connecting too. Certificates are a basis of trust that you are connecting to the right party, nothing more and nothing less.
source: (SC Magazine UKexternal link)

Rise of the photon clones: New method could lead to ‘impenetrable’ comms

Okay, a long way off still and a pretty high failure rate too. However this is the kind of research that one day may help us secure the internet or whatever form of communication we are using at that time.
source: The Register (external link)

Privacy-protecting encryption here to stay: documents

There is but one very small issue with all of this: you can’t weaken encryption systems without losing the protection it gives to online commerce, privacy protection and communication security. The positive point in the quoted memo is that the writers at least understand the problems with weakening encryption and the impact it would have to modern day society.
The fact that two-thirds of cryptographic technologies are sold by non-US companies has a very clear and historic background. Before 1996 exporting strong encryption (at least stronger then the American Government could crack) was illegal and made identical to weapons exports. Because of that a lot of cryptographic research was moved and completed outside of the US. One example of this was all software that included cryptographic libraries on the Linux platform which was specifically hosted outside America because of this fact.
Even the RSA algorithm, by itself only 3 lines long, was exported in books and as a story would have it even as somebody’s tattoo.
source: Toronto Star (external link)

Finally! A minimum standard for certificate authorities

Although it is a good thing that this minimum standard is finally there, the question will be how many certificate authorities will actually implement them and what will happen if they don’t.
One caveat in my opinion is that these standards only hold for code signing certificates, although important I would rather have seen minimum standards for all certificate authorities for all types and usage of certificates and corresponding key pairs. Okay there obviously will be differences between certificates used for (web)servers and those used for code signing, but the 2001 Diginotar incident has shown that a lot needs to be done in this very critical space within online security.
And no, Diginotar was certainly not the only CA with minor or major security troubles, it’s just that it was the biggest security problem at that time with major impact.
source: IDG Communications (external link)

DSLR Camera Encryption: Here Are The Pros And Cons For Photojournalists

Camera’s also will become more expensive as they need more processing power to compensate for the extra encryption and decryption tasks that it needs to perform. Besides that, they may become larger as well because of the added processing power they also need bigger battery packs or journalist need to cope with having to change their battery packs even more often then is the case now.
That isn’t to say that encryption or any form of protection of the data stored on the camera would be useless. Though the only thing photo and video journalists would be protected from is their own material being used to prosecute themselves. As the article already states, just destroy the camera or the SD card to make sure the incriminating material is not shown to the world, is always an option whatever security features a camera or it’s storage media may have.
An alternative option would be to protect only the storage media by including all necessary components in the SD or similar cards directly. As for the times lost by unlocking the security features, why not make the encryption feature write only by default. I mean as long as no security code or finger print is identified the camera will operate in recording mode, only when you switch to viewing mode would it ask for a security code or finger print to be identified. This would at least negate one of the cons provided in this article but would keep the envisioned protection in place.
source: Tech Times (external link)

Strong non-backdoored encryption is vital – but the Feds should totally be able to crack it, say House committees

The outcome seems to be more or less identical to the one I wrote about earlier in this article. The interesting bit however, something US and other politicians either don’t or don’t want to understand, is that weakening encryption for some causes will weaken it permanently from that moment on.
It is impossible to weaken cryptographic systems in such a way that only certain people or agencies can access it and others can’t. So either order people to give up their password or fingerprints or, as France actually already has tried to do, order everyone to hand over their private keys to the government before they are allowed to use a certain cryptographic system.
The latter option will only weaken privacy and protection to the society itself and will not hinder criminals who will be using the cryptographic systems anyway without handing over their private keys. Effectively this isn’t a solution either.
Unless we want to crate a society where everyone who is using “unbreakable” cryptography is automatically labeled a threat to society in whatever form or shape.
source: The Register (external link)
A paper on this topic by the European Network Information Security Agency (ENISA) can be found here (external link)