Cycure

Archive for the ‘Information Security’ Category

Future attacks ??

Posted by yadab das on July 15, 2009

I liked the article on some remote attacks without a network!!! Interesting…

http://www.scientificamerican.com/article.cfm?id=hackers-can-steal-from-reflections

What about analyzing your brain waves.. Hah.. Funny… :-)

Posted in Hacking

Phishing Attack – An amateur example

Posted by yadab das on July 14, 2009

I got an email from some amateur hacker asking me to change my bank account details.

The email was quite promising, I liked it :-) Here is a screenshot of that from my mailbox:

[Image: sc4]

After I clicked the URL, the layout was good but the URL that was visible in the address bar was really bad, I mean really amateur :-)

Here is a screen shot of that. I have marked the mistakes :-)

[Image: Screenshot-2]

Posted in Hacking

BIOS attack & cryptography

Posted by yadab das on July 14, 2009

I liked the article on BIOS attack: http://searchsecurity.techtarget.com.au/articles/33210-BIOS-can-become-a-source-of-malware.

The author cited two examples/mechanisms to prevent such attacks:

1) Non-writable BIOS. Well, it was like that before, but it is not user friendly.

2) Trusted Platform Module. This is based on cryptographic verification and is very secure. But there is the problem of certificate expiration in public key cryptography. With the current standard a certificate can be valid up to 2-3 years max, and you can’t throw your PC away after that period if you do not update your certificate store. Now that becomes a more, or you can say very, complicated process. At least it is not so user friendly.

Posted in Cryptography

Virtualization Security Issues — Adding a sticky Firewall

Posted by yadab das on January 17, 2009

It might be a good idea to add a firewall to each of your VMs to protect the whole system. The “Whole System” is of concern because one compromised VM can become a hacker’s playground and will be used to attack other VMs within its boundary. But there is an issue: LATENCY. Software switches increase the latency and the firewall (software) will add to it. The presentation from ALTOR networks looks promising for ALTOR VF.

Posted in Hacking, Information Security

Unintentional Attacks

Posted by yadab das on December 12, 2008

I have been observing a quite simple but very interesting attack these days, and it is based on the popularity of the Web Service. Though it is similar to this definition, it has a clear distinction from the previous one.

Consider the enormously popular Web Servers like yahoo, google, etc. Now consider all the developers, system testers, testers, network troubleshooters, network testers and so on…

What is the first thing you do when your server is not responding? This is what:

  1. Ping (includes all kind) google or yahoo or … any web server that you remember or you trust or is popular
  2. then so on.. other methods

I am not claiming that this is the same for every one of us, but it is somewhat common. Now, the immediate question will be: how to get rid of such an attack? Ans: It is really great to have such an honor.

Posted in Information Security

Hardware Security module / Crypto Accelerator

Posted by yadab das on November 13, 2008

I think this is a very interesting topic. I have just started to learn this, but as I am going through it I have found a couple of links as well as documents which are really interesting. These articles talk about OpenSSL, Hardware Security Modules, SSL Accelerators and information about provider companies:

  1. Blog post : http://jadickinson.co.uk/2007/11/02/using-hardware-security-modules/
  2. Article on HSM, http://nlnetlabs.nl/downloads/publications/hsm/hsm.pdf
  3. Wiki http://en.wikipedia.org/wiki/SSL_acceleration
  4. Wiki http://en.wikipedia.org/wiki/Hardware_Security_Module
  5. SSL programming tutorial http://h71000.www7.hp.com/doc/83final/BA554_90007/ch04s03.html
  6. VIA PadLock support for Linux http://www.logix.cz/michal/devel/padlock/
  7. Something from safenet http://www.safenet-inc.com/products/pki/psGold_API.asp

I will write about my findings, and a how-to, a shortcut of course. But let me look into it more carefully. Thanks to Jad.

Posted in Cryptography, Information Security, OpenSSL, TLS/SSL

One Way Hash functions — OpenSSL

Posted by yadab das on July 2, 2008

Hash or fingerprint generation functions are always an interesting chapter in cryptography, as they are the basis of most cryptographic protocols.

Definition of a Cryptographic Hash Function
=============================
Let us consider that M is the message and h is its hash value after applying the hash function H. It can be stated mathematically as H(M) := h, where H also satisfies the following characteristics:
  1. Given M, it is easy to compute h
  2. Given h, it is hard to compute M such that H(M) = h
  3. Given M, it is hard to find another message, M1, such that H(M) = H(M1)

SHA-*, MD* and RIPEMD-* are the most popular hash functions. OpenSSL provides both generic APIs to these hash functions and direct APIs. Accessing them through the generic API (the EVP) is preferred.

Now let us first use the hash APIs from OpenSSL to generate a fingerprint or calculate a hash value. The algorithm that we will use is MD5. MD5 (MD stands for Message Digest) is a one way hash algorithm from Ron Rivest. There are test vectors in the MD5 RFC, which we can use to calculate (or validate) the hash values. The following figure shows the process of calculating an MD5 hash using OpenSSL:

[Figure: OpenSSL - Using Message Digest APIs]

Below is an example to calculate message digest using MD5 algorithm.

Code Snippet :

openSSlExmpleHashMd5.cpp

#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>

int main(int argc, char *argv[]) {

  unsigned int i, j;
  const unsigned int totalTestVectors = 7;
  /*
  The output length of the calculated digest. This is fixed for a
  particular hash algorithm and varies from algorithm to algorithm.
  */
  unsigned int outputLength;
  /*
  The Message Digest Context object, which holds the intermediate
  state. EVP_MD_CTX is an opaque type since OpenSSL 1.1.0, so it is
  allocated with EVP_MD_CTX_new() instead of being declared on the
  stack (on OpenSSL 1.0.x the call is EVP_MD_CTX_create()).
  */
  EVP_MD_CTX *messageDigestContext = EVP_MD_CTX_new();

  /*
  The buffer to store the message digest after computing.
  EVP_MAX_MD_SIZE (64 bytes) is enough for any hash function.
  For MD5, 128/8 would be fine as MD5 has a 128 bit output length.
  Someone can directly use 128/8 as the size, but if you change
  the hash algorithm, for example to SHA1, which has a 160 bit
  output, the length needs to be changed to 160/8 bytes.
  */
  unsigned char messageDigest[EVP_MAX_MD_SIZE];

  /*
  Hashes will be calculated for the following strings.
  These strings are from the MD5 RFC.
  */
  const char *strMessages[] =
  { "", // Input String : 1
    "a", // Input String : 2
    "abc", // Input String : 3
    "message digest", // Input String : 4
    "abcdefghijklmnopqrstuvwxyz", // Input String : 5
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", // Input String : 6
    "12345678901234567890123456789012345678901234567890123456789012345678901234567890" }; // Input String : 7
  /*
  For each input string the expected outputs are (from the RFC,
  this is to make sure that this implementation is not bogus):
  1: d41d8cd98f00b204e9800998ecf8427e
  2: 0cc175b9c0f1b6a831c399e269772661
  3: 900150983cd24fb0d6963f7d28e17f72
  4: f96b697d7cb7938d525a2f31aaf161d0
  5: c3fcd3d76192e4007dfb496cca67e13b
  6: d174ab98d277d9f5a5611c2c9f419d9f
  7: 57edf4a22be3c955ac49da2e2107b67a
  */

  if (messageDigestContext == NULL) {
    fprintf(stderr, "EVP_MD_CTX_new failed\n");
    return 1;
  }

  /*
  For each test vector: initialize the Message Digest Context,
  feed it the message and calculate the Message Digest.
  */
  for (j = 0; j < totalTestVectors; j++)
  {
    if (!EVP_DigestInit_ex(messageDigestContext, EVP_md5(), NULL) || // for SHA1 use EVP_sha1()
        !EVP_DigestUpdate(messageDigestContext, strMessages[j], strlen(strMessages[j])) ||
        !EVP_DigestFinal_ex(messageDigestContext, messageDigest, &outputLength)) {
      fprintf(stderr, "Digest calculation failed\n");
      EVP_MD_CTX_free(messageDigestContext);
      return 1;
    }
    printf("Test Vector : \"%s\"\nDigest : \"", strMessages[j]);
    for (i = 0; i < outputLength; i++) printf("%02x", messageDigest[i]);
    printf("\"\n");
  }
  /* Release the context allocated with EVP_MD_CTX_new(). */
  EVP_MD_CTX_free(messageDigestContext);
  return 0;
}

The above code works fine on Windows or Linux, but you should already have the OpenSSL libs with you, or you can download them.

Posted in Hashing - One Way Functions, OpenSSL

HTTP over SSL / TLS or HTTPS

Posted by yadab das on May 28, 2008

HTTP is an application layer protocol from the TCP/IP protocol layers' perspective. HTTP is implemented on top of TCP, which means HTTP uses TCP as its transport protocol. TLS/SSL is a security mechanism/protocol to secure the transport layer, basically TCP. The term “to secure” in the previous sentence does not mean that it will change the TCP protocol and make it secure; instead it adds an extra protocol layer on top of TCP to provide security. Now the application protocol HTTP, which was using TCP directly, will use the TLS APIs to make the TCP API calls and make them secure from a communication security perspective. The protocol stack can be represented as in the figure below, which shows how the new TLS/SSL stack is introduced horizontally between HTTP and TCP.

As far as communication security is concerned, how HTTP achieves it can be described with respect to the three basic goals of communication security, i.e. (1) End point Authentication, (2) Confidentiality and (3) Data Integrity. TLS/SSL defines how these goals can be achieved.

The most important and probably most difficult part is the “End point Authentication”, because it deals with certificates and some very complicated concepts. In this step the client and server authenticate their identities. But in most cases client authentication is not done, because it is not required from the application logic point of view and it also makes the process more difficult.
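What end point authentication checks on the client side, shown offline with the openssl command line. This is an added example, not part of the original post, and the CA names, host names and file names in it are constructed. A server certificate is accepted only when it chains to a CA the client trusts and names the host the client asked for.

```shell
#!/bin/sh
# Added example (not from the original post): the certificate checks a TLS
# client performs for end point authentication, run offline with openssl.
# CA names, host names and file names are constructed for this demo.

make_ca() {   # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

check() {     # $1 = trusted CA file, $2 = expected host name, $3 = server cert
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

auth_steps() {   # $1 = working directory
    cd "$1" &&
    make_ca ca "Demo Root CA" &&
    make_ca other "Unrelated CA" &&
    # Server key and signing request, then a certificate issued by "Demo Root CA".
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout srv.key -out srv.csr 2>/dev/null &&
    printf 'subjectAltName=DNS:www.example.test\n' > san.cnf &&
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile san.cnf -out srv.pem 2>/dev/null &&
    # The three cases: good chain and name, untrusted issuer, wrong host name.
    echo "trusted=$(check ca.pem www.example.test srv.pem)" \
         "wrong-ca=$(check other.pem www.example.test srv.pem)" \
         "wrong-host=$(check ca.pem login.example.test srv.pem)"
}

tls_endpoint_auth_demo() {
    work=$(mktemp -d) || return 1
    rc=0
    ( auth_steps "$work" ) || rc=$?
    rm -rf "$work"      # throwaway keys and certificates are not kept
    return $rc
}

tls_endpoint_auth_demo
```

The script needs an OpenSSL command line whose `verify` exits non-zero on failure (1.1.0 or later).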

Some nice readings on TLS/SSL and programming TLS with openSSL

Posted in TLS/SSL

Genetic Cryptography?

Posted by yadab das on May 22, 2008

I am thinking about a concept of a cryptographic system based on Human Genome codes, which will especially help to create hashes (one way functions), maybe encryption/decryption also. I am not talking about genetic algorithms, which are out of scope.

(( Genetic Code )) — Transform–> ((Behavior + Physical Construct + ….)) —>>> ((Human))

Now, let us apply the same logic for creating a hash function…

(( Document)) — Get Attributes or Properties —>( (Document Attributes) )—> ((Hash))

Does it make any sense? Maybe I am missing something….

Posted in Cryptography

Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)

Posted by yadab das on May 15, 2008

PFX : PFX defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key (standard-PKCS12).
PEM : OpenSSL uses PEM (Privacy Enhanced Mail Certificate) to store the private key.
If you have openssl, go to the command prompt and run the following commands (if not, download it from openssl; you can either download a binary or download the source and then compile it).

If you want to extract the private key from a pfx file and write it to a PEM file:
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
If you want to extract the certificate file (the signed public key) from the pfx file:
>>openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file:
>>openssl.exe rsa -in privateKey.pem -out private.pem
This is required because, at the time of exporting privateKey, you added a password to the private key to secure it. If you leave the password on it, it will keep asking for the password whenever any application tries to access it.
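The three extraction steps above as one self-checking POSIX shell script. This is an added example, not part of the original post: it builds a throwaway .pfx (the subject name, pass phrases and temporary directory are constructed), runs the post's commands with `openssl` in place of `openssl.exe`, and then confirms that the extracted key belongs to the extracted certificate.

```shell
#!/bin/sh
# Added example (not from the original post). The subject name, pass phrases
# and temporary files are constructed; publicAndprivate.pfx, privateKey.pem,
# publicCert.pem and private.pem are the file names used in the post.

extract_steps() {   # $1 = working directory
    cd "$1" && umask 077 &&   # key files must not be readable by other users
    # Constructed input: throwaway key + self-signed certificate as a PKCS#12 bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pfx-demo.invalid" \
        -keyout src.key -out src.crt 2>/dev/null &&
    openssl pkcs12 -export -inkey src.key -in src.crt \
        -out publicAndprivate.pfx -passout pass:pfx-demo-pass &&
    # Step 1: private key only; the PEM output is encrypted under its own pass phrase.
    openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem \
        -passin pass:pfx-demo-pass -passout pass:pem-demo-pass 2>/dev/null &&
    # Step 2: certificate only.
    openssl pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem \
        -passin pass:pfx-demo-pass 2>/dev/null &&
    # Step 3: remove the pass phrase; private.pem is now an unencrypted key.
    openssl rsa -in privateKey.pem -out private.pem \
        -passin pass:pem-demo-pass 2>/dev/null &&
    # Check 1: step 1 output is encrypted, step 3 output is not.
    grep -q 'ENCRYPTED' privateKey.pem && ! grep -q 'ENCRYPTED' private.pem &&
    # Check 2: the extracted key and the extracted certificate share one public key.
    key_pub=$(openssl pkey -in private.pem -pubout) &&
    crt_pub=$(openssl x509 -in publicCert.pem -noout -pubkey) &&
    if [ "$key_pub" = "$crt_pub" ]; then echo match; else echo mismatch; fi
}

pfx_roundtrip() {
    work=$(mktemp -d) || return 1
    rc=0
    ( extract_steps "$work" ) || rc=$?
    rm -rf "$work"      # do not leave the plaintext key behind
    return $rc
}

pfx_roundtrip
```

Because step 3 leaves private.pem without a pass phrase, the script sets `umask 077` before any key file is written and deletes its working directory when it finishes.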

Posted in OpenSSL