Artificial Brain and cryptanalysis

I was reading about different Blue Brain or artificial brain projects and thought of writing a simple network myself. All I could afford was one compute machine from Amazon, which can run 3000 threads only if I am not doing much in each neuron. Each thread is a neuron, and after adding a little filtering logic I came down to a much lower number. I felt like, what am I doing? To simulate this in a cloud framework, I need the following:

  • A good messaging platform
  • A very lightweight service framework to make it work as neuron

Being able to use this network for cryptanalysis is not far off, but the brain I produced is the size of an ant's or less. A bigger brain means a lot of machines => a lot of money??

BIOS attack & cryptography

I liked the article on BIOS attacks: http://searchsecurity.techtarget.com.au/articles/33210-BIOS-can-become-a-source-of-malware.

The author cited two example mechanisms to prevent such attacks:

1) Non-writable BIOS. This is how it was before, but it is not user friendly.

2) Trusted Platform Module. This is based on cryptographic verification and is very secure. But there is the problem of certificate expiration in public key cryptography. With the current standard a certificate can be valid for up to 2-3 years at most, and you can't throw away your PC after that period if you do not update your certificate store. That becomes a more, or you could say very, complicated process. At least it is not so user friendly.

Hardware Security module / Crypto Accelerator

I think this is a very interesting topic. I have just started to learn about it, but as I go through it I have found a couple of links and documents which are really interesting. These articles talk about OpenSSL, hardware security modules, SSL accelerators and the companies that provide them.

  1. Blog post : http://jadickinson.co.uk/2007/11/02/using-hardware-security-modules/
  2. Article on HSM, http://nlnetlabs.nl/downloads/publications/hsm/hsm.pdf
  3. Wiki http://en.wikipedia.org/wiki/SSL_acceleration
  4. Wiki http://en.wikipedia.org/wiki/Hardware_Security_Module
  5. SSL programming tutorial http://h71000.www7.hp.com/doc/83final/BA554_90007/ch04s03.html
  6. VIA PadLock support for Linux http://www.logix.cz/michal/devel/padlock/
  7. Something from safenet http://www.safenet-inc.com/products/pki/psGold_API.asp

I will write about my findings as a how-to, a shortcut of course. But let me look into it more carefully first. Thanks to Jad.

One Way Hash functions — OpenSSL

Hash or fingerprint generation functions are always an interesting chapter in cryptography, as they are the basis of most cryptographic protocols.
Definition of a Cryptographic Hash Function
=============================
Let M be the message and h its hash value after applying the hash function H. Stated mathematically: H(M) := h, where H also satisfies the following characteristics.
  1. Given M, it is easy to compute h
  2. Given h, it is hard to compute M such that H(M) = h
  3. Given M, it is hard to find another message, M1, such that H(M) = H(M1)

SHA-*, MD* and RIPEMD-* are the most popular hash functions. OpenSSL provides a generic API to these hash functions (the EVP interface) as well as direct, per-algorithm APIs. Accessing them through the generic EVP API is preferred.

Now let us first use the hash APIs from OpenSSL to generate a fingerprint, that is, calculate a hash value. The algorithm that we will use is MD5. MD5 (MD stands for Message Digest) is a one-way hash algorithm from Ron Rivest. There are test vectors in the MD5 RFC, which we can use to calculate (or validate) the hash values. MD5 is convenient here because of those test vectors, but practical collision attacks against it are known, so use a SHA-2 function for anything new. The following figure shows the process of calculating an MD5 hash using OpenSSL:

[Figure: OpenSSL - Using Message Digest APIs]

Below is an example to calculate message digest using MD5 algorithm.

Code Snippet :

openSSlExmpleHashMd5.cpp

 

#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>

int main(int argc, char *argv[]) {

	unsigned int i;
	int j;
	const int	totalTestVectors = 7;
	/*
	The output length of the calculated
	digest. This is fixed for a particular
	hash algorithm and varies from algorithm
	to algorithm.
	*/
	unsigned int	outputLength;
	/*
	The Message Digest Context object, which
	will hold the intermediate state. Since
	OpenSSL 1.1.0 the type is opaque, so it is
	allocated with EVP_MD_CTX_new() instead of
	being declared on the stack.
	*/
	EVP_MD_CTX    *messageDigestContext;

	/*
	The buffer to store the message digest after
	computing. 64 bytes (EVP_MAX_MD_SIZE) is enough
	for any hash function. For MD5 128/8 would be
	fine, as MD5 has a 128 bit output length.
	You can use 128/8 directly as the size, but
	if you change the hash algorithm, for example
	to SHA1, which has a 160 bit output, the length
	needs to be changed to 160/8 bytes.
	*/

	unsigned char messageDigest[EVP_MAX_MD_SIZE];

	/*
	Hashes will be calculated for the following strings.
	These strings are from the MD5 RFC.
	*/
	const char *strMessages[] = 
	{	"", // Input String : 1
		"a", // Input String : 2
		"abc",// Input String : 3
		"message digest",// Input String : 4
		"abcdefghijklmnopqrstuvwxyz",// Input String : 5
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",// Input String : 6
		"12345678901234567890123456789012345678901234567890123456789012345678901234567890"// Input String : 7
	};
	/*
	For each input string the expected outputs are (from the RFC,
	this is to make sure that this implementation is not bogus):
	1: d41d8cd98f00b204e9800998ecf8427e
	2: 0cc175b9c0f1b6a831c399e269772661
	3: 900150983cd24fb0d6963f7d28e17f72
	4: f96b697d7cb7938d525a2f31aaf161d0
	5: c3fcd3d76192e4007dfb496cca67e13b
	6: d174ab98d277d9f5a5611c2c9f419d9f
	7: 57edf4a22be3c955ac49da2e2107b67a
	*/

	(void)argc;
	(void)argv;

	/*
	Allocate the Message Digest Context.
	*/
	messageDigestContext = EVP_MD_CTX_new();
	if (messageDigestContext == NULL)
	{
		fprintf(stderr, "EVP_MD_CTX_new failed\n");
		return 1;
	}

	/*
	Initialize the context and calculate the message
	digest for each test vector. Every EVP call returns
	1 on success and 0 on failure, so check them all.
	*/
	for (j = 0; j < totalTestVectors; j++)
	{
		/* for SHA1 use EVP_sha1() */
		if (!EVP_DigestInit_ex(messageDigestContext, EVP_md5(), NULL) ||
		    !EVP_DigestUpdate(messageDigestContext, strMessages[j], strlen(strMessages[j])) ||
		    !EVP_DigestFinal_ex(messageDigestContext, messageDigest, &outputLength))
		{
			fprintf(stderr, "Digest calculation failed for test vector %d\n", j + 1);
			EVP_MD_CTX_free(messageDigestContext);
			return 1;
		}
		printf("Test Vector : \"%s\"\nDigest      : \"", strMessages[j]);
		for (i = 0; i < outputLength; i++) printf("%02x", messageDigest[i]);
		printf("\"\n");
	}
	EVP_MD_CTX_free(messageDigestContext);
	return 0;
}

The above code works fine on Windows or Linux, but you need to have the OpenSSL libraries installed already, or you can download them.

HTTP over SSL / TLS or HTTPS

HTTP is an application layer protocol from the perspective of the TCP/IP protocol layers. HTTP is implemented on top of TCP, which means HTTP uses TCP as its transport protocol. TLS/SSL is a security mechanism/protocol to secure the transport layer, basically TCP. The term “to secure” in the previous sentence does not mean that it changes the TCP protocol to make it secure; instead it adds an extra protocol layer on top of TCP to provide security. The application protocol HTTP, which was using TCP directly, now uses the TLS APIs, which in turn make the TCP API calls and secure them from a communication security perspective. The protocol stack can be represented as in the figure below, which shows how the new TLS/SSL layer is introduced horizontally between HTTP and TCP.

As far as communication security is concerned, how HTTP achieves it can be described with respect to the three basic goals of communication security, i.e. (1) End point Authentication, (2) Confidentiality and (3) Data Integrity. TLS/SSL defines how these goals can be achieved.

The most important and probably most difficult part is “End point Authentication”, because it deals with certificates and some very complicated concepts. In this step the client and server authenticate their identities. In most cases, however, client authentication is not done, because it is not required from the application logic point of view and it also makes the process more difficult.

Some nice readings on TLS/SSL and programming TLS with openSSL

Genetic Cryptography?

I am thinking about a concept for a cryptographic system based on human genome codes, which would especially help to create hashes (one-way functions), and maybe encryption/decryption as well. I am not talking about genetic algorithms, which are out of scope.

((Genetic Code)) --Transform--> ((Behavior + Physical Construct + ...)) --> ((Human))

Now, let us apply the same logic to creating a hash function...

((Document)) --Get Attributes or Properties--> ((Document Attributes)) --> ((Hash))

Does it make any sense? Maybe I am missing something...

Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)

PFX : PFX defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key (the PKCS12 standard).
PEM : OpenSSL uses PEM (Privacy Enhanced Mail Certificate) to store the private key.
If you have OpenSSL, go to the command prompt and run the following commands (if not, download it from openssl; you can download either the binary or the source and then compile it).

If you want to extract the private key from a pfx file and write it to a PEM file:
>> openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
If you want to extract the certificate file (the signed public key) from the pfx file:
>> openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file:
>> openssl.exe rsa -in privateKey.pem -out private.pem
This is required because, at the time of exporting privateKey, you added a password to the private key to secure it. If you leave the password on it, it will keep asking for the password whenever an application tries to access it. The resulting private.pem is stored unencrypted, so restrict its file permissions.
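The extraction steps above as a non-interactive round trip, added here as an example that is not part of the original post: it builds a throwaway self-signed certificate and PFX, runs the three commands, and checks that the extracted key really belongs to the extracted certificate. The passphrase, the subject name, the `orig-*` file names and the helper function names are constructed for the demo; `-passin`/`-passout` stand in for the interactive prompts.

```shell
#!/bin/sh
# Added example: round trip of the PFX extraction steps with a match check.
# File names mirror the commands above; the passphrase, subject and the
# throwaway key pair are constructed for this demo.
set -eu
PASS='pass:demo-only-passphrase'

make_demo_pfx() {     # $1 = directory; self-signed cert bundled into a PFX
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=pfx-demo.example' \
        -keyout "$1/orig-key.pem" -out "$1/orig-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig-key.pem" -in "$1/orig-cert.pem" \
        -out "$1/publicAndprivate.pfx" -passout "$PASS"
}

extract_from_pfx() {  # $1 = directory; the three commands from the post
    openssl pkcs12 -in "$1/publicAndprivate.pfx" -nocerts \
        -out "$1/privateKey.pem" -passin "$PASS" -passout "$PASS" 2>/dev/null
    openssl pkcs12 -in "$1/publicAndprivate.pfx" -clcerts -nokeys \
        -out "$1/publicCert.pem" -passin "$PASS" 2>/dev/null
    # The unprotected copy is created owner-only (umask 077 gives mode 0600).
    ( umask 077
      openssl rsa -in "$1/privateKey.pem" -passin "$PASS" \
          -out "$1/private.pem" 2>/dev/null )
}

key_matches_cert() {  # $1 = key file, $2 = cert file; 0 if same public key
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

is_encrypted_pem() {  # 0 if the PEM file holds a passphrase-protected key
    grep -q 'ENCRYPTED' "$1"
}

run_demo() {
    d=$(mktemp -d)
    make_demo_pfx "$d"
    extract_from_pfx "$d"
    key_matches_cert "$d/private.pem" "$d/publicCert.pem" && echo "key matches cert"
    is_encrypted_pem "$d/privateKey.pem" && echo "privateKey.pem: encrypted"
    is_encrypted_pem "$d/private.pem" || echo "private.pem: NOT encrypted"
    ls -l "$d/private.pem" | cut -c1-10
    rm -rf "$d"
}
run_demo
```

The public-key comparison is the useful part when a PFX holds more than one entry: it catches a key paired with the wrong certificate before a server refuses to start with it.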

PSK-TLS and TLS comparison : when to use what?

I was going through the RFC on Pre-Shared Key Ciphersuites for Transport Layer Security (TLS), http://tools.ietf.org/html/rfc4279, and was trying to compare the two: when to use what?
It actually depends on two main aspects to analyse:

  1. What is the target environment?
  2. Who is going to use your solution?

The following are the properties we should look at before we think about deploying:

  1. Does the target environment have enough CPU to process the initial public/private (asymmetric) key cryptography operations? If it is a 256 MHz processor and a new session establishment is triggered in the middle of a critical task execution, you cannot imagine that, because such devices are always assigned to real-time activity.
  2. Is it feasible to update or revoke certificates on the target environment?
  3. What is more important? Availability or information security?

Now, when it comes to the end user who is going to use the solution: is it a web-browser-like application, a set of APIs that you will sell with TLS added, or a stand-alone application running on a small box?

For environments that are resource constrained and controlled, where certificate revocation is a pain and using phony certificates is not permitted by IT security policy, it is always better to go with PSK-TLS, just like IPsec with a pre-shared key (which has also proven to work out nicely).