#crypto

RFC 6944 : Applicability Statement : DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status

Mais quel algorithme de #cryptographie choisir pour mes signatures #DNSSEC, se demande l’ingénieur système ? Il y a bien un registre IANA des algorithmes normalisés mais c’est juste une liste non qualifiée, qui mêle des algorithmes de caractéristiques très différentes. Ce nouveau #RFC vise à répondre à cette question en disant quels sont les algorithmes recommandés.

http://www.bortzmeyer.org/6944.html

XKCD cartoon reminds users to log out for better security
http://nakedsecurity.sophos.com/2013/04/22/xkcd-cartoon-log-out-security

It’s disturbing just how many people seem to leave their computers permanently logged in to online services. An XKCD cartoon teaches us all an important security lesson.

http://i0.wp.com/sophosnews.files.wordpress.com/2013/04/xkcd-logout.jpg?fit=1000%2C1000

Source: Naked Security

#cryptography #data_loss #featured #privacy #authorization #cartoon #full_disk_encryption #xkcd

Numbers station
http://en.wikipedia.org/wiki/Numbers_station

A numbers station (or number station) is a type of shortwave radio station characterized by their unusual broadcasts, which consist of spoken words, but mostly numbers, often created by artificially generated voices reading streams of numbers, words, letters, tunes or Morse code. They are transmitted in a wide variety of languages and the voices are usually female, although sometimes men’s or children’s voices are used.

je vais pas parler du #film qui est une sorte d’Ennemi d’Etat à huis clos ; mais la page wikipédia est drôlement intéressante
http://www.filmofilia.com/wp-content/uploads/2013/02/The-Numbers-Station-Poster.jpg

#espionnage #cuba #cryptographie #radio

#Propagande de la #NSA auprès des enfants : http://www.nsa.gov/kids - la NSA c’est rien que des mignonnes créatures poilues qui font de la #cryptographie aussi innocente que leur sourire !

http://www.nsa.gov/kids/_images/splashscreen.jpg

Has HTTPS finally been cracked? Five researchers deal SSL/TLS a biggish blow...
http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked

Cryptographers have once again put SSL/TLS (that’s the padlock in HTTPS) in their gunsights and opened fire.

This time, they’ve done some severe damage.

Paul Ducklin takes a detailed look…

http://i2.wp.com/sophosnews.files.wordpress.com/2013/03/ts-cracked-250.png

Source: Naked Security - Paul Ducklin

#cryptography #featured #analysis #beast #cracked #lucky_13 #lucky_thirteen #ssl #tls

La sécurité informatique doit être repensée et se préparer à un monde où la cryptographie ne sera plus déterminante. C’est l’avertissement lancé par Adi Shamir, l’un des créateurs de l’algorithme de chiffrement asymétrique RSA. Selon lui, le cyber-espionnage réduit l’intérêt de la cryptographie.

http://www.numerama.com/magazine/25252-l-interet-de-la-cryptographie-diminue-selon-l-un-des-auteurs-de-l-al

#sécurité_informatique #rsa #cryptographie #cyber-espionnage

Une amusante attaque contre le protocole de #cryptographie #TLS, l’attaque Lucky Thirteen (en cryptographie, la moitié du travail est de trouver un nom rigolo). L’attaque n’aura sans doute pas de conséquence pratique mais elle permet de regarder un aspect peu connu des protocoles cryptographiques : l’erreur est plus lente que le succès.

Ce texte est la version grand public :

http://nakedsecurity.sophos.com/2013/02/07/boffins-crack-https-encryptionin-lucky-thirteen-attack

Et l’article original est :

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

#sécurité #cryptanalyse

Custom Chips Could Be the Shovels in a #Bitcoin Gold Rush as Enthusiasts Design ASICs to Mine the Cryptocurrency Faster | MIT Technology Review
http://www.technologyreview.com/news/508061/custom-chips-could-be-the-shovels-in-a-bitcoin-gold-rush

some in [the Bitcoin] community are taking the expensive step of creating custom silicon chips dedicated to running the software that carries out that process.

“It’s a business opportunity, and also because we believe in Bitcoin and what it can do,” says Josh Zerlan, COO of Butterfly Labs, a Kansas City company that is waiting for its first batch of custom chips to come back from an Asian manufacturer. These chips will be resold to Bitcoin enthusiasts in a line of products that plug into a computer via USB and supercharge its efforts to mine the currency. They range in price from $149 to $29,899, and in early 2013 they will start shipping to over a thousand customers who placed advance orders.
(...)

Having an ASIC fabricated is a highly technical and expensive proposition, typically beginning at the low hundreds of thousands of dollars.

#cryptographie #monnaie

Le retour du ##Mega merdier de Kim | bluetouff
http://reflets.info/le-retour-du-mega-merdier-de-kim

C’est donc pil poil un an après le takedown de Megaupload par une opération du FBI que Kim Dotcom vient de lancer Mega. Accessible sur l’url https://mega.co.nz, le site a comme on s’en doutait, rencontré un afflux massif de connexions provoquant des indisponibilités temporaires et surtout des performances d’upload ridicules dues à un uplink très vite saturé. La [...]

#On_s'en_fout #Crypto #Kim_Dotcom #Sécurité

RFC 6781 : DNSSEC Operational Practices, Version 2

Comme avec toute technique fondée sur la #cryptographie, le protocole #DNSSEC impose, non seulement des bons algorithmes et une mise en œuvre correcte, mais surtout des procédures rigoureuses et soigneusement exécutées. C’est le but de ce #RFC qui explique tout ce à quoi doivent s’attendre les registres et autres administrateurs de zones DNS, grandes ou petites, qui déploieraient DNSSEC.

http://www.bortzmeyer.org/6781.html

Cryptographie et cryptanalyse : Ars Cryptographica
http://www.apprendre-en-ligne.net/crypto/menu/index.html
Un peu de cryptographie à l’ancienne (ça me fait tout de suite penser à Da Vinci Code).
Via Neuromancien (et je viens de voir que Sebsauvage le cite aussi).
#Crypto

How a #Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread

For security reasons, the #DKIM standard calls for using keys that are at least 1,024 bits in length. But Google was using a 512-bit key – which could be easily cracked with a little cloud-computing help.

#cryptographie #sécurité #email #vol_d_identité

The CryptoParty Handbook - CryptoParty
https://cryptoparty.org/wiki/CryptoPartyHandbook

This 392 page, Creative Commons licensed handbook is designed to help those with no prior experience to protect their basic human right to Privacy in networked, digital domains. By covering a broad array of topics and use contexts it is written to help anyone wishing to understand and then quickly mitigate many kinds of vulnerability using free, open-source tools. Most importantly however this handbook is intended as a reference for use during Crypto Parties.

You can download the 392 page book as a free, 28Mb PDF here
http://www.hostb.org/97/download

#crypto #surveillance

Cryptocat – Une extension de chat chiffré pour les navigateurs. | Korben
http://korben.info/cryptocat-une-extension-de-chat-chiffre-pour-les-navigateurs.html
Je connaissais déjà #Cryptocat et le fait de retrouver une extension pour navigateur est assez intéressant.
#Chat #Sécurité

Le mouvement des #CryptoParty
https://cryptoparty.org/wiki/CryptoParty

What is CryptoParty? Interested parties with computers, devices, and the desire to learn to use the most basic crypto programs and the fundamental concepts of their operation! CryptoParties are free to attend, public, and are commercially non-aligned.

Liste des événements déjà prévus sur les 5 continents sur cette page, ainsi qu’une page de ressources sur le sujet assez exhaustive : https://cryptoparty.org/wiki/Resources

#Silk_Road (marketplace) - Wikipedia
http://en.wikipedia.org/wiki/Silk_Road_(marketplace)

Silk Road is an online marketplace whose operators run it as a Tor hidden service. Visitors must use #Tor to access the marketplace. The majority of products that sellers list on Silk Road qualify as contraband in most jurisdictions.[2] NPR has referred to the site as the “Amazon.com of illegal drugs”.[3]

Nicholas Christin on anonymous online market Silk Road
http://surprisinglyfree.com/2012/08/28/nicholas-christin
http://surprisinglyfree.com/wp-content/uploads/SFC-125-120822.mp3

#marché #drogues #contrebande #crypto-anarchisme #bitcoin #anonymat #tor #cdp

http://www.andrew.cmu.edu/user/nicolasc/publications/TR-CMU-CyLab-12-018.pdf

Silk Road places relatively few restrictions on the types of goods sellers can offer. From the Silk Road sellers’ guide [5],

“Do not list anything who’s (sic) purpose is to harm or defraud, such as stolen items or info, stolen credit cards, counterfeit currency, personal info, assassinations, and weapons of any kind. Do not list anything related to pedophilia.”

Conspicuously absent from the list of prohibited items are prescription drugs and narcotics, as well as pornography and fake identification documents (e.g., counterfeit driver’s licenses). Weapons and ammunition used to be allowed until March 4, 2012, but have since then been re-listed on a sister site called The Armory [1], which operates with an infrastructure similar to that of Silk Road.

total sales volume of USD 1.9 million per month

The known unknowns of #Skype interception
http://paranoia.dubfire.net/2012/07/the-known-unknows-of-skype-interception.html

If governments can intercept and record the encrypted communications of users (via assistance provided by Internet Service Providers), and have the encryption keys used by both ends of the conversation — or can impersonate Skype users and perform man in the middle attacks on their conversations, then they can decrypt the voice communications without any further assistance from Skype.

Do we know if this is happening? No. But that is largely because Skype really won’t comment on the specifics of its interactions with governments, or the assistance it can provide. However, privacy researchers (pdf) have for many years speculated about governments compelling companies to hand over their own encryption keys or provide false certificates (pdf) for use in MiTM attacks. In such cases, when the requests come, there isn’t really anything that companies can do to resist.

#cryptographie #surveillance

Les #journalistes devraient protéger leurs sources avec de la #crypto
The spy who came in from the code : CJR
http://www.cjr.org/feature/the_spy_who_came_in_from_the_c.php

#syrie #libye #surveillance #répression etc.

RFC 6637 : Elliptic Curve Cryptography (ECC) in OpenPGP

Le format #OpenPGP, normalisé dans le RFC 4880, permet de choisir parmi plusieurs algorithmes de #cryptographie, afin de pouvoir suivre les progrès de la cryptanalyse. Notre tout nouveau #RFC ajoute à la liste de ces algorithmes des algorithmes à #courbes_elliptiques, venant s’ajouter aux traditionnels RSA et DSA.

http://www.bortzmeyer.org/6637.html

« The Linux Pseudorandom Number Generator Revisited » par Patrick Lacharme, Andrea Röck, Vincent Strubel et Marion Videau

« The Linux pseudorandom number generator (PRNG) is a PRNG with entropy inputs which is widely used in many security related applications and protocols. This PRNG is written as an open source code which is subject to regular changes. It was last analyzed in the work of Gutterman et al. in 2006 [GPR06] but since then no new analysis has been made available, while in the meantime several changes have been applied to the code, among others, to counter the attacks presented [GPR06]. Our work describes the Linux PRNG of kernel versions 2.6.30.7 and upwards. We detail the PRNG architecture in the Linux system and provide its first accurate mathematical description and a precise analysis of the building blocks, including entropy estimation and extraction. Subsequently, we give a security analysis including the feasibility of cryptographic attacks and an empirical test of the entropy estimator. Finally, we underline some important changes to the previous versions and their consequences. »

http://eprint.iacr.org/2012/251

Très bon article, très détaillé. Attention, c’est très technique, aspirine required.

#cryptographie #Linux #générateur_aléatoire #ANSSI #securité #PRNG

Alan #Turing's Second World War research papers released online
http://www.nationalarchives.gov.uk/news/705.htm

To commemorate the centenary of of Alan Turing’s birth, GCHQ (Government Communications Headquarters) has released two of his mathematical research papers, believed to have been written at Bletchley Park during the Second World War, to The National Archives. These records are now available to download.

#crypto #mathématiques #histoire #informatique #recherche

La normalisation est une chose merveilleuse. Il existe même une norme pour le transport de trafic Internet espionné (pardon, « légalement intercepté »). Publiée sur le site du Ministère de la Justice néerlandais : http://www.rijksoverheid.nl/documenten-en-publicaties/regelingen/2012/02/08/tiit-v1-2-0-transport-of-intercepted-ip-traffic.html (de la Justice, oui : Oceania avait bien un Ministère de la Vérité)

« This document describes in detail the Internet Lawful Interception (LI) interface required for LI based upon the requirements described in the Functional Specifications [2]. It provides the specification of the interface from an Interception Function within an IP network to a Law Enforcement Monitoring Facility (LEMF) for the purpose of providing data to Law Enforcement Agencies (LEAs) in the area of LI of communications. »

Plein de choses intéressantes du point de vue technique dedans, comme le détail de l’interception d’une communication SIP (voix sur IP).

Les #Amesys du monde entier peuvent donc travailler sur la base d’un standard commun, au lieu d’avoir des mécanismes privés (« Allow implementation using only open standards », dit le document)

Notez que la norme impose l’usage d’un protocole sécurisé par la cryptographie (comme TLS) : les espions ne veulent pas être espionnés.

#sécurité_Internet #cryptographie #espionnage

Death of a data haven: #cypherpunks, #WikiLeaks, and the world’s smallest nation | Ars Technica
http://arstechnica.com/tech-policy/news/2012/03/sealand-and-havenco.ars/1

From 2000 to 2008, a company called HavenCo did indeed offer no-questions-asked colocation on #Sealand —and it didn’t end well.
HavenCo’s failure—and make no mistake about it, HavenCo did fail—shows how hard it is to get out from under government’s thumb.

#pirate #cryptographie #cdp

Alan Turing at 100
http://www.nature.com/news/specials/turing/index.html

Alan Turing, born a century ago this year, is best known for his wartime code-breaking and for inventing the ’Turing machine’ – the concept at the heart of every computer today. But his legacy extends much further: he founded the field of artificial intelligence, proposed a theory of biological pattern formation and speculated about the limits of computation in physics. In this collection of features and opinion pieces, Nature celebrates the mind that, in a handful of papers over a tragically short lifetime, shaped many of the hottest fields in science today.

http://www.nature.com/polopoly_fs/7.2929.1329914014!/image/turing_featurehead.jpg_gen/derivatives/landscape_630/turing_featurehead.jpg
#histoire #mathématiques #informatique #cryptographie

Amazing new declassified document from John Nash
http://aaronsadventures.blogspot.com/2012/02/amazing-new-declassified-document.html

this is a recently declassified correspondence between John Nash and the NSA from January 1955. In it, John Nash makes the distinction between polynomial time and exponential time, conjectures that there are problems that -cannot- be solved faster than in exponential time, and uses this conjecture as the basis on which  the security of a cryptosystem (of his own design) relies. He also anticipates that proving complexity lower bounds is a difficult mathematical problem
(...)
These letters predate even Godel’s letter to Von Neumann
(...)
“An interesting pamphlet on Non-Cooperative Games, written by Mr. Nash was also sent to this Agency by the author for our information."

http://courses.csail.mit.edu/6.857/2012/files/H03-Cryptosystem-proposed-by-Nash.pdf

#mathématiques #histoire #cryptographie #théorie_des_jeux