#Syracuse #CryptoParty @SIG315 Presentation by @MarkScrano

Upload: drake

Post on 23-Feb-2016


Page 1

#Syracuse #CryptoParty @SIG315

Presentation by @MarkScrano

Page 2

What is a CryptoParty?

• CryptoParties are meetups to share and learn basic cryptographic tools such as PGP/GPG, Tor, OTR, TrueCrypt, etc. At CryptoParty, we teach, learn and share.

Page 3

CypherPunk Manifesto

• Protecting our data, information and privacy is of vital importance, particularly on the internet. We variously lock up and otherwise protect physical objects such as cars, houses and credit cards. But how do we secure our electronic data? How do we protect ourselves on the internet? And how do we know whom to trust, and to what degree?

• Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world.

Page 4

Hashing vs. Encrypting

Hashing
• Fixed length digest
• Can have collisions
• Examples:
  – MD5
  – SHA-0, -1, -2, -3
• What is it used for?
  – Checksums
  – Integrity validation
  – Digital signatures

Encryption
• Variable length digest
• Ciphertext
• Examples:
  – AES
  – Blowfish
  – 3DES
• What is it used for?
  – Confidentiality
  – Security (layered model)

Page 5

SSL and TLS

• SSL & TLS provide a form of encryption.
• Helps protect data in transit.
• Tools
  – Firefox: NoScript, HTTPS Everywhere
  – Chrome: Use HTTPS, HTTPS Everywhere, --force-https (no http)
  – Safari: SSL Everywhere

Page 6

Tor and I2P

• The Onion Router
• Defend against surveillance
  – Additional Privacy (IP)
  – Confidential relationships
  – Reduce efforts to perform traffic analysis
• Hidden services (.onions)

• Invisible Internet Project
• Anonymous web
  – End to end encryption
  – EEP sites

• Tails Linux live CD has both securely configured and hardened

Page 7

VPN

• Add a layer of encryption to unsecured websites
• Protect from wifi sniffing on open networks
• IP anonymity
• Get a free/very low cost VPS from Amazon EC2 and run OpenVPN

Page 8

PGP & GPG

• Email Security
• Email is sent plaintext
• Can be forged/altered
• Who do we trust and how can we protect our data?
  – Public/Private Keys
  – Public Key Servers
  – Sign email for integrity
  – Encrypt email for confidentiality
• Applications:
  – Kleopatra
  – Enigmail (Thunderbird)
  – APG (Android)

Page 9

OTR

• Off-the-record chat
  – Encryption
  – Authentication
  – Deniability
  – Forward Secrecy
• Examples:
  – XMPP/Jabber
  – Pidgin OTR
  – CryptoCat

Page 10

Android

• PGP/GPG:
  – APG (K9 Mail & file manager required)
• OTR:
  – Gibberbot
• SMS and MMS
  – TextSecure
• TOR:
  – OrBot Tor on Android
  – OrWeb Proxy and Privacy Browser
• Voice:
  – Redphone
• VPN:
  – Some built in functions
  – OpenVPN requires Root

Page 11

iPhone

• OTR:
  – ChatSecure
• PGP/GPG
  – oPenGP (lite or $3.99)
  – Symantec PGP Viewer (no sending function)
• TOR:
  – Onion Browser ($.99)
• VPN:
  – Many vendor/service specific options

Page 12

Truecrypt

• Full Disk and Volume Encryption

• Automatic, Realtime, User transparent

• Provides Confidentiality and offers the ability to include Steganography to create hidden volumes.

Page 13

Hard Drive Encryption

• Windows
  – EFS (Encrypted File System)
• Linux
  – LUKS (Linux Unified Key Setup)
• Mac OS
  – File Vault

Page 14

Password protections

• Steve Gibson from GRC
• Password Haystacks
  – How secure is your password?
• Off the grid
  – Creates a grid to generate unique secure passwords for use online
• Perfect Paper Passwords
  – One time password implementation

Page 15

Password Managers

• Lastpass
• KeePass
• Secure storage of passwords
• Password generators
• Plugins for all major browsers and smartphones

Page 16

Two Factor Authentication

• Something you know, something you have, something you are.
• Examples
  – Google Authenticator
  – SMS to phone
  – RSA Tokens
  – Yubikey

Page 17

Research

• Cryptology ePrint Archive
  – Current research and breakthroughs in Cryptography
• Cryptoparty handbook
  – Work in progress
  – On Github

Page 18

Resources

• http://cryptoparty.org/
• https://svn.torproject.org/svn/projects/presentations/ - TOR Presentation SVN
• http://crypto.stackexchange.com/ - Q&A Site
• https://cacr.uwaterloo.ca/hac/ - Handbook of Applied Cryptography
• http://www.cypherpunks.ca/otr/ - OTR Chat
• http://support.microsoft.com/kb/308989 - EFS Windows XP
• http://windows.microsoft.com/en-US/windows-vista/Encrypt-or-decrypt-a-folder-or-file - EFS Vista & 7
• http://support.microsoft.com/kb/241201 - Certificate backup XP
• http://windows.microsoft.com/is-IS/windows-vista/Back-up-Encrypting-File-System-EFS-certificate - Certificate backup Vista & 7
• https://www.grc.com/haystack.htm - Password Haystacks
• https://www.grc.com/OffTheGrid.htm - Off the Grid GRC
• https://www.grc.com/ppp.htm - Perfect Paper Passwords
• https://github.com/cryptoparty/handbook - Cryptoparty Handbook
• https://www.coursera.org/crypto/auth/welcome - Cryptography at Stanford University