Category: Cryptography

Security and Privacy Products I Use and (Mostly) Recommend

If you have a need for privacy and security and don’t have a cybersecurity background, trying to wade your way through all of the information and claims made by the producers of different services can be a daunting task. With that in mind, I thought I’d go over the services I personally use and why I use them.

Browsers

Almost all browsers claim to be secure and private. Unfortunately, the reality is that most of these claims are aimed at people who don’t have the time and resources to evaluate whether they are actually true. I use two browsers:

  • Firefox. Firefox is a free and open-source browser made by Mozilla. Open-source means that anyone can evaluate the code used to create the browser, as well as the claims made by Mozilla. That’s important because it means that it is very hard to make unsubstantiated claims. Also, Firefox has add-ons that can improve security and privacy even more.
  • TOR Browser. TOR is designed to be private and anonymous. It is based on Firefox and uses DuckDuckGo as the default search engine. See this post for more information about TOR.

VPN Providers

A VPN provides a secure, encrypted tunnel between the source and destination computers. When you use a VPN, your data is encrypted and your IP Address is masked. Important considerations include whether your internet use is logged by the provider, and whether they are based in an area susceptible to law-enforcement warrants. VPNs are one service where I don’t usually recommend the free services (unless you are proficient enough to set up OpenVPN on an AWS server. I’ve done it and it isn’t that easy). There are a lot of “free” VPN services, but nothing is really free. The risk is that they sell your data to fund their business or shower you with ads. My choices:

  • NordVPN. A paid VPN service based in Panama (no mandatory data retention laws) that provides a fast, secure, reliable product.
  • ProtonVPN. From the people who brought us Protonmail (my choice for secure email). They have a free tier, but I recommend the paid version.

Email Providers

I used to consider email to generally be something you only used if you really didn’t care who saw it. With the advent of Transport Layer Security (TLS), it is possible to have end-to-end (E2E) encrypted email. Gmail now uses this by default. Unfortunately, Google stores all of your data on their servers. I use Gmail for most accounts, but for anything sensitive I recommend:

  • Protonmail. Based in Switzerland, where there are strict privacy laws. Anything you save is stored encrypted on their servers in an underground vault. Protonmail is open source and uses AES-256 symmetric encryption, RSA public-key cryptography, and TLS. See this post for more information on encryption standards.
  • Tutanota. Another encrypted email product that provides E2E encryption and has the advantage of requiring little to no personal information to open an account.

Private Messaging and Calling

This is an area where there is a lot of misinformation. Are your chats and calls actually E2E encrypted? Is your information given to third parties? WhatsApp, for example, is a Facebook company. Take that as you will. I recommend:

  • Signal. A truly E2E encrypted, decentralized messaging and calling service. The only service endorsed for use by European intelligence services and endorsed by Edward Snowden. It’s really the only service I trust. The only downside is that you do have to provide a real cell number.
  • Telegram. Sort of a hybrid social media and chat service. It has recently been in the news because it has been widely used by Ukrainians seeking a safe means to communicate and get news. I like Telegram, but messaging is not E2E encrypted by default. You can select a secret chat that is, though.

Password Storage

At this point, there is really no excuse to use weak passwords. If you use short, easily-memorable passwords, you are simply not secure. I generally use randomly generated, 14 + character passwords that are a combination of upper-case letters, lower-case letters, numbers, and symbols. The problem is that these passwords are virtually impossible to remember. A password vault allows you to generate, store, and usually auto fill passwords. My recommendations are:

  • Bitwarden. A secure, free, and open-source password manager that works on Windows, Linux, MacOS, Android, and IOS. I really like the add-on browser extensions for Firefox and Chrome. I think it’s the easiest to use.
  • KeePass. This is more advanced. With Keepass, passwords are only stored locally (i.e on your computer), encrypted, in a file. They are accessed with an ideally long passphrase. I use KeePass for passwords that are so sensitive that I don’t even want them on Bitwarden.

Disk and File Encryption

I have only one recommendation here, and that’s Veracrypt. Veracrypt is free and open-source encryption software for Windows, MacOS, and Linux that allows you to encrypt files, folders, or even whole disks. There are other encryption solutions: I’ve used File Vault on Mac and BitLocker, which is a proprietary Windows program available on the Pro versions, but if it matters, I use Veracrypt.

Sources

Cracking WPA/WPA2

Disclaimer: This is an exercise designed to teach security principles. It was performed in a secure lab environment. Using these techniques on a network without permission can get you in legal trouble!

Introduction

For about the past month, I’ve been studying for the CompTIA Pentest+ certification. This is primarily a theory-based certification, but the study material has many practical exercises used to reinforce the material. Cracking WPA/WPA2 was the most fun and interesting exercise. It’s also not especially difficult, so is a good beginner activity.

Wi-Fi Security Standards

Modern wireless devices can use a number of security standards for authentication. I’m not including “open” in this list, because setting your device to open leaves your network completely unsecured. The following is a list of available standards

  • WEP or Wired Equivalent Privacy. Trivial to hack and shouldn’t be used
  • WPA or Wi-fi protected Access. An improvement over WEP. Uses a preshared key (WPA-PSK)
  • WPA2 added CCMP (Counter Mode Block Chaining Message Authentication Code Protocol) which uses AES. (See this previous post about Encryption).
  • WPA Enterprise uses RADIUS to give each user a unique ID.

When I setup a home network, I set the router to WPA2 by default. There is a WPA3 available now, but it isn’t widely used yet.

Exercise Setup

For this exercise, I used two laptops and an ASUS N300 Wi-Fi Router, which was inexpensive on Amazon. The first laptop was running Windows 10 Pro, and was the target. The second Laptop was running Kali Linux on Virtualbox. Ubuntu 20.04 was the host OS, and Kali was set up to use a USB attached Alfa AWUS036NHA long-range wifi adaptor. Setting up Kali in Virtualbox to work with the wireless adaptor can be a little tricky. Here is a link to a YouTube video run through of the process. I initially attached the router to the Windows laptop with a network cable, configured the router to use WPA, and set a simple password (passwd123):

I then unplugged the network cable and logged on to the router wirelessly, opened a command prompt on the Windows laptop and set it to continuously ping an imaginary IP Address using the following command:

ping -t 192.168.1.230

Cracking WPA

WPA cracking is done using the aircrack-ng suite, which comes preloaded on Kali. The initial step is to list the available wireless networks using the command

airmon-ng

Next, the wireless interface has to be in set to monitor mode using

airmon-ng start wlan0

You will be asked to run “check kill” to stop processes that can cause issues:

Now find the the BSSID and channel for you the network using the command

airodum-ng wlan0mon

You will get an output like this:

You will need both the BSSID and the channel for the next part of the exercise. Press Control C to exit. Now, we can use airodump-ng to capture the authentication handshake:

airodump-ng -c 6 –bssid <target MAC Address> -w <outfile> wlan0mon

giving:

This requires a client to deauthenticate from the network. For this exercise, I forced the issue using

airplay-ng -0 1 -a <BSSID MAC Address> -c <Target MAC Address> wlan0mon

Switching back to airodump, we can see that we have captured the handshake:

Getting The Password

At this point, we have captured the handshake and it is saved in the file wpa-file-01.cap. Now, we can use aircrack-ng run a wordlist against the file and see if we can obtain the password. In Kali, wordlists are found in /usr/share/wordlists. I first attempted this using the wordlist rockyou.txt, as the pentest+ exercise suggested:

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <Target MAC Address> wpa-file-01.cap

Unfortunately, after 1 1/2 hours, I got the following output:

My suspicion was that this occurred because I chose passwd123 instead of password123. So, I googled Kali wordlists and found one that I thought might work. I ran is and got the password (this was a bit of a cheat since I knew the password and was able to choose a wordlist that let me run by letters of the alphabet, but it worked for demo purposes):

Conclusions

As you can see, this is a very doable exercise for a beginner to intermediate level student. As you can also obviously see, weak passwords are a major security flaw! In general, I autogenerate 15 character random passwords using a password generator, avoiding using common words, names, etc.

Sources

  • Nutting, Ray. CompTIA Pentest+ Certification. McGraw Hill Education, 2019
  • Chapple, Mike and Seidl, David. CompTIA Security+ Study Guide. Sybex, 2021
  • The GNU Image Manipulation Program was used to edit photos.

Cryptography Basics

What is Cryptography?

Wikipedia defines cryptography as “the practice and study of secure communication techniques.” In cyberspace, we are primarily concerned with encrypting data to make it incomprehensible to everyone except its intended recipients (confidentiality) (3). Encryption requires a cipher (algorithm) and a secret key, which is required to decrypt the encrypted data. 

The process can be diagrammed as such:

Decrypting is the opposite:

Cryptography in History

A very early example of cryptography is what is known as the Caesar Cipher, used by Julius Caesar to encrypt military and political secrets. The Caesar cipher took letters of the alphabet and shifted them a certain number of positions. The key to decrypt was the “size of the shift” (2). By modern standards, this was very simplistic, but it worked well enough at the time.  

Mary, Queen of Scots used a similar cipher in her plot against Elizabeth I.  Unfortunately for Mary, Elizabeth’s intelligence agents were able to crack the cipher, and Mary was captured and executed.  

Modern Cryptographic Methods

Modern cryptography is divided into two methodologies. The first is known as symmetric cryptography.  In symmetric cryptography, both the sending and receiving parties have the same key, which is used to encrypt and then decrypt the ciphertext. The biggest challenge with this method is how to send the key. If someone can intercept the key, they can decrypt the text. There has to be a pre-shared key, or the key has to be sent encrypted with the data. In-band key exchange is when the key is shared with the data. Out-of-band key exchange means another, separate communication method is used. 

Examples of symmetric encryption

  • Data Encryption Standard (DES) Used a 56-bit algorithm to encrypt data, Not considered secure by newer standards
  • Blowfish An algorithm with 1- to 448-bit encryption
  • Triple DES (3DES) Uses 168 bit encryption and improves upon DES
  • Advanced Encryption Standard (AES) Replaced 3DES, and uses 128-, 192-, or 256-bit encryption. AES is considered unbreakable

All of the above are considered block ciphers. In a block cipher, data is encrypted in a block of x size until all data is encrypted. Alternatively, a stream cipher encrypts data one bit at a time. Rivest Cipher 4 (RC4) is an example of a stream cipher. 

The other main cryptographic method is known as asymmetric encryption. In this methodology, two separate keys are generated: one public, one private. The sender encrypts the data with the receiver’s public key. The receiver has a private key, known only to them, used to decrypt the data. Examples include

  • Rivest Shamir Adleman (RSA)  Used for both signing and encryption. 
  • Diffie-Hellman   Actually a key-exchange protocol  
  • Elliptic Curve  Used for signing messages, based on Diffie-Hellman

Ensuring the Integrity of Data

When we send data, is there a way to ensure the data hasn’t been tampered with in some way?  There is, and it is done by hashing.  A hash is a one-way transformation that is generated when a hash algorithm is applied to a piece of data.  It works because no two chunks of data generate the same hash value. If one byte of data is changed, ideally a completely different hash is generated. A common use of hashing would be using MD5 or SHA-1 to verify the integrity of a downloaded program. More secure versions of SHA, SHA-256 and SHA-512 are much less susceptible to attacks (1).  

Public Key Infrastructure

Public Key Infrastructure (PKI) is a term used to describe the infrastructure in which public and private keys are managed. PKI is based on the use of certificates. Glen E. Clarke describes a certificate as “an electronic file that is used to store the public key (and sometimes the private key) and associates the public key with an entity such as a person or company” (1). 

There are many types of certificates, but the most well-known are the certificates stored on web servers that tell your browser you have accessed a legitimate site.  If you want to see the certificates stored on Firefox, go to Settings–>Privacy and Security–>Certificates–>View Certificates. 

The idea of certificates begs the question: who issues the certificate? You could make your own self-signed certificate which is fine for a network that never accesses the internet, but for a web server, you need a certificate issued by a Certificate Authority (CA). The first certificate is signed and issued by the Root CA. Intermediate CA’s issue certificates to users. 

Another example of a methodology that uses PKI is Pretty Good Privacy (PGP) and Gnu Privacy Guard (GPG). PGP and GPG are used, among other things, to encrypt emails. Like other forms of asymmetric cryptography, PGP and GPG require the generation of a public and private key pair. Thunderbird by Mozilla is an email client that has the ability to generate key pairs for PGP. 

Other Uses of Cryptography

From a security standpoint, there are two other very important uses of cryptography:

  • SSL/TLS  Secure Sockets Layer, and it’s successor Transport Layer Security, is used to encrypt web traffic. When you use HTTPS instead of HTTP, you are using SSL/TLS
  • WEP, WPA, and WPA2  Used to secure the connection to your router. When available, always use WPA2. WEP is trivial to hack, and WPA2 has an advantage over WPA in that is uses AES encryption

Conclusion

This has been a very high-level introduction to cryptography, aimed primarily at the novice. An in-depth cryptography text makes for some very difficult reading, to say the least. Hopefully, though, this post can give you a place to start in your study of cryptography.

Sources and Additional Reading

  1. Clarke, Glen E. CompTIA Security+ Certification Study Guide 3rd Edition. 2018, MCGraw-Hill.
  2. Martin, Keith. Cryptography, The Key to Digital Security, How It Works, And Why It Matters. 2020, Norton.
  3. Aumasson, Jean-Philippe. Serious Cryptography A practical Introduction to Modern Encryption. 2018, No Starch Press.
  4. CompTIA Security+ Certification (SY0-501): The Total Course. Mike Meyers Total Seminars.