Cryptography basics

Written on 3 December 2014, 11:07pm

Tagged with: , ,

1. Steganography

The science of hiding the existence of a message, as opposed to cryptography. A type of security through obscurity.
Ex. message written on the head of a messenger and sent only when it’s covered by the messenger growing hair; microdots; physical templates applied to a long text to highlight only some of the words.
http://en.wikipedia.org/wiki/Steganography

2. Cryptography

The practice of secured communication. The science of encrypting a message, or concealing the meaning of a message.

  • Transposition ciphers – letters do not change, but move position
  • Substitution ciphers – letters change, but keep position
    1. Caesar shift: all the letters of the alphabet shift a number of positions (from 1 to 26)
    2. Simple monoalphabetic substitution: substituting a different letter for every letter. The cipher alphabet is fixed throughout the encryption. Both methods fail to basic frequency analysis
    3. Monoalphabetic with Homophones: a plaintext letter can be enciphered in many ways (typically numbers or symbols) – making the encryption resistant to a basic frequency analysis
    4. Polyalphabetic substitution Рalphabet matrix + password repeated until it has the same length as the plain text message (Vigen̬re cypher). The cipher alphabet changes during the encryption; the change is defined by a key. The longer the key, the more secure; but less practical for everyday use.
  • A mix between transposition and substitution: ADFGVX (used to send Morse code messages)
  • One time pad – the only form of encryption that is unbreakable, relying on a random key that is the same length as the message. Each key can be used only once. Impractical for extended use.

3. Cryptanalysis

The science of deducting the plain text from a cyphertext, without knowledge of the key.
One of the most used methods at the beginning: frequency analysis
http://en.wikipedia.org/wiki/Cryptanalysis

substitution cipher

basic cryptanalisis

Web performance

Written on 3 December 2014, 10:16pm

Tagged with: ,

It’s the speed geek’s favorite time of the year – so I am bookmarking some links for later use 🙂

Starting from the 2014 performance calendar and jumping from link to link:
1. HTTPS and web performance: SSL server test, HSTS header, cache, keep alive, etc…
2. Is it fast yet?

TLS has exactly one performance problem: it is not used widely enough.
Everything else can be optimized.

3. High Performance Browser Networking by Ilya Grigorik – made available by O’Reilly for free.
4. High Performance Web Sites and Even Faster Web Sites by Steve Souders
5. Improving Smashing Magazine’s Performance: A Case Study

And some names in the web performance field:
Tim Kadlec
Ilya Grigorik
Steve Souders
Stoyan Stefanov

Random things about security

Written on 23 November 2014, 11:12pm

Tagged with: , ,

1. OpenSSL common commands

A list of the most common commands used in OpenSSL: https://www.sslshopper.com/article-most-common-openssl-commands.html

Generate a CSR along with a private key:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out domain.csr
Probably the most used openssl command because it’s the first step in moving to HTTPS.

Generate a CSR using an existing private key:
openssl req -out CSR.csr -key privateKey.key -new

Remove a passphrase from a private key (Warning: leaving a private key unencrypted is a major security risk #):
openssl rsa -in privateKey.pem -out newPrivateKey.pem

Transform a certificate from PEM (text) format to DER (bynary) format:
openssl x509 -outform der -in certificate.pem -out certificate.der

Transform a key from PEM to DER format:
openssl rsa -in key.pem -out key.der -inform pem -outform der

These last 2 commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers (ex – a PEM file for Apache to a PFX for Tomcat or IIS).

The main command options in OpenSSL – req, rsa and x509:
req PKCS#10 X.509 Certificate Signing Request (CSR) Management.
rsa RSA key management.
x509 X.509 Certificate Data Management.

DER (Distinguished Encoding Rules) is a case of BER (Basic Encoding Rules)
OpenSSL as Windows binary: http://slproweb.com/products/Win32OpenSSL.html

2. Let’s encrypt!

https://letsencrypt.org:

When Let’s Encrypt launches in Summer 2015, enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server.
The Let’s Encrypt management software will:
– Automatically prove to the Let’s Encrypt CA that you control the website
– Obtain a browser-trusted certificate and set it up on your web server
– Keep track of when your certificate is going to expire, and automatically renew it, etc

3. Some security books

If you plan to get CompTIA Security+:
Get Certified Get Ahead
All-in-One Exam Guide
Comparison between the two books. Amazingly, they are both from 2011 (so more than 3 years old, which in the security field should be ages).

If you know about the Fermat enigma (somehow related), then you you should probably know about its author, Simon Singh. He also wrote a very known book about code and cypher: The Code Book (I know, it’s from 1999, but we were in the context of old books about security 🙂 ). Here’s an idea out of it:

It has been said that the First World War was the chemist’s war, because mustard gas and chlorine were employed for the first time, and that the Second World War was the physicists’ war, because of the atom bomb was detonated. Similarly, it has been argued that the Third World War would be the mathematicians’ war, because they will have control over the next great weapon of war – information.

PS – iPad mini feels just right
finish_silver_large