PaulSpoerry.com

Social Media, Technology, and geeky stuff for your brain.

You are here: Home / Archives for encryption

Darkmail aims to fundamentally change email by making it secure by default

by 6 Comments

 

If you don't already know this… your email is sent over the Internet unencrypted. It's the digital equivalent of sending a letter through the mail without an envelope. Anybody who comes across it can read it. The Darkmail Technical Alliance, which is composed of some heavy hitters like Lavabit founder Ladar Levison and PGP designer Phil Zimmermann, aim to change all of email with drop-in SMTP and IMAP replacements that will wrap messages in layers of encryption.

"Conceptually, DIME applies multiple layers of encryption to an e-mail to make sure that the actors at each stage of the e-mail’s journey from sender to receiver can only see the information about the e-mail that they need to see. The e-mail’s author and recipient both know who sent the message and where it was bound, but the author’s e-mail server doesn’t—it can only decrypt the part of the message containing the recipient’s e-mail server. The recipient e-mail server knows the destination server and the recipient, but it doesn’t know the sender. So if you arrange the four steps in a line from left to right—author, origin server, destination server, and recipient—each step in the line is only aware of the identity of the entity directly to its left or right."

This could be huge and it certainly has the right people in place to make it happen. They'll be submitting all of it to the IETF as a formal set of RFCs and there is even a pre-alpha GitHub repository.

Check out the rest of the article on Ars… it's really worth a read if you're at all curious about the subjects of security and/or email.

Src: http://arstechnica.com/security/2015/01/lavabit-founder-wants-to-make-dark-e-mail-secure-by-default/

Check this out on Google+

Facebooktwittergoogle_plusredditpinterestlinkedin

EvilMaid versus Full Disk Encryption (TrueCrypt and PGP)

by Leave a Comment

The Evil Maid Attack is an attack type against whole system disk encryption in a form of a small bootable USB stick image that allows to perform the attack in an easy “plug-and-play” way. The whole infection process takes about 1 minute, and it’s well suited to be used by hotel maids.

The Invisible Things blog goes into great detail on how most whole disk encryption is vulnerable in a relatively simple way. The scenario we consider is when somebody left an encrypted laptop e.g. in a hotel room. Let’s assume the laptop uses full disk encryption like e.g. this provided by TrueCrypt or PGP Whole Disk Encryption. Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or ”Coldboot” attacks.  So, let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop’s gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).

Now we can safely steal/confiscate the user’s laptop, as we know how to decrypt it. End of story.

[Read more…]

Facebooktwittergoogle_plusredditpinterestlinkedin