2016/02/25

Encryption Is Foundational to The Future (Part 2 The Century of Huge Advances)

The 20th century was marked by huge advances in every area of human activity, and cryptography was no exception.


At the beginning of the 20th century, cryptography was a labor-intensive, error-prone process, capable of transforming only a small amount of written material into enciphered form.


With the advance of communication technology, encryption and decryption came to be performed routinely and at scale during World War I.



On the first day of hostilities of World War I, the British cable ship Telconia located and cut Germany's transatlantic cables, forcing the Germans to send all their international traffic via Sweden, American cables or wireless. The German forces then began encrypting their communications to prevent hostile countries from reading them, but soon all German traffic was routinely routed to Room 40, the Royal Navy's cipher organization.


The ADFGX cipher, conceived by Colonel Fritz Nebel of the German Army, was first put to practical use in 1918. It writes the five letters A, D, F, G, X along the rows and columns of a 5x5 square and replaces each character with the two letters that label its row and column; up to this point the method is essentially the same as the Uesugi cipher. The distinguishing feature of ADFGX is that the resulting stream of letters is then enciphered again with a columnar transposition, so the two halves of a single plaintext letter end up far apart in the ciphertext. The cipher was subsequently extended to six letters, ADFGVX, giving a 6x6 square with room for the ten digits as well as the alphabet. The letters themselves were chosen because their Morse code patterns are easy to tell apart, which reduced transmission errors over radio.
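To make the two stages concrete, here is an added example in Python, not part of the original post, that implements ADFGVX: a keyed 6x6 square for the substitution stage and a keyword columnar transposition for the second stage. The square-filling rule (key letters first, then the rest of the alphabet and digits), the square key and the transposition key are all assumptions for illustration; the real squares were arbitrary mixed alphabets changed daily. Spaces and punctuation are dropped, as they were on the wire.

```python
import string

# Added example, not from the original post. The square key and transposition
# key used below are constructed for illustration; historically both changed daily.
LABELS = "ADFGVX"
SYMBOLS = string.ascii_uppercase + string.digits   # 36 symbols fill the 6x6 square


def build_square(key):
    """Fill the 6x6 Polybius square: the key's distinct symbols first, then the
    remaining letters and digits in order (assumed convention). Index i maps to
    row i // 6 and column i % 6."""
    square = []
    for ch in key.upper() + SYMBOLS:
        if ch in SYMBOLS and ch not in square:
            square.append(ch)
    assert len(square) == 36
    return square


def substitute(plaintext, square):
    """Stage 1 (fractionation): each symbol becomes its row label plus column label."""
    out = []
    for ch in plaintext.upper():
        if ch in SYMBOLS:                  # spaces and punctuation are dropped
            i = square.index(ch)
            out.append(LABELS[i // 6] + LABELS[i % 6])
    return "".join(out)


def unsubstitute(pairs, square):
    return "".join(square[LABELS.index(r) * 6 + LABELS.index(c)]
                   for r, c in zip(pairs[0::2], pairs[1::2]))


def column_order(key):
    """Columns are read out in alphabetical order of the key letters;
    repeated key letters are taken left to right."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transpose(text, key):
    """Stage 2: write the label stream row by row under the key, read columns in key order."""
    n = len(key)
    columns = [text[i::n] for i in range(n)]
    return "".join(columns[i] for i in column_order(key))


def untranspose(ciphertext, key):
    n = len(key)
    full, extra = divmod(len(ciphertext), n)
    # Row-wise filling leaves the `extra` leftover symbols in the first `extra` columns.
    length = {i: full + (1 if i < extra else 0) for i in range(n)}
    columns, pos = {}, 0
    for i in column_order(key):
        columns[i] = ciphertext[pos:pos + length[i]]
        pos += length[i]
    rows = []
    for r in range(full + 1):
        rows.extend(columns[i][r] for i in range(n) if r < len(columns[i]))
    return "".join(rows)


def encrypt(plaintext, square_key, transposition_key):
    return transpose(substitute(plaintext, build_square(square_key)),
                     transposition_key.upper())


def decrypt(ciphertext, square_key, transposition_key):
    return unsubstitute(untranspose(ciphertext, transposition_key.upper()),
                        build_square(square_key))


if __name__ == "__main__":
    ct = encrypt("Attack at 1200", "NACHTBOMMENWERPER", "PRIVACY")
    print(ct, decrypt(ct, "NACHTBOMMENWERPER", "PRIVACY"))
```

The decrypt side is where the bookkeeping lives: with a 7-letter key and 24 label letters the last row of the grid is short, and untranspose has to know which columns received the extra symbol before it can cut the ciphertext back into columns. That is exactly where hand-worked ADFGVX decryptions tended to go wrong.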


Towards the end of WWI, Major Joseph Mauborgne, head of cryptographic research for the US Army, introduced the concept of a cipher based on truly RANDOM keys. It would take the form of two identical pads printed with lines of randomly generated letters. Using the Vigenère technique, each page is used to encrypt and decrypt ONE message and is then destroyed, introducing the concept of the one-use key.


The weakness of the Vigenère square was the repetition of the key. The new technique injected into the ciphertext the same randomness contained in the key, so no usable pattern or structure was left in the message. Attacks that exploit key repetition, such as the Babbage and Kasiski tests, would fail.


A key of as few as 21 letters means that a key-exhaustion attack, the cryptographic equivalent of Custer's last stand, would require testing 26^21, roughly 500 × 10^27 keys; and even then many of the resulting decrypts may all look plausible.


This method is still in use today under the name One Time Letter Pad, or OTLP, and is used to encrypt the most secret of communications. OTLP is still the only 'admitted' system that provides the 'holy grail' of cryptography, perfect secrecy. The guarantee holds only as long as the pad is genuinely random, at least as long as the message, kept secret and never reused: a pad used twice leaks the difference between the two messages.
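The difference between a repeated Vigenère key and a pad used once can be seen directly in code. The following is an added example, not from the original post: the same shifting operation serves as both Vigenère and one-time pad, a Kasiski test recovers a multiple of the key length from a Vigenère ciphertext, and two short functions show the perfect-secrecy property (any plaintext of the same length is consistent with a given ciphertext under some pad) and what breaks when a pad is reused. Plaintexts and keys are constructed.

```python
import secrets
import string
from functools import reduce
from math import gcd

# Added example, not from the original post. Plaintexts and keys are constructed.
ALPHA = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Vigenère: shift letter i by key[i mod len(key)]. With a random key at least
    as long as the text, used once, this same operation is the one-time pad."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(ch) + (-k if decrypt else k)) % 26])
    return "".join(out)


def kasiski_gcd(ciphertext, n=3):
    """Kasiski test: distances between repeated n-grams in a Vigenère ciphertext
    tend to be multiples of the key length, so their gcd exposes it. Returns 0
    when nothing repeats, the expected result for a one-time pad."""
    positions = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    distances = [b - a for pos in positions.values() for a, b in zip(pos, pos[1:])]
    return reduce(gcd, distances, 0)


def random_pad(length):
    """A pad for one message: truly random, as long as the message, never reused."""
    return "".join(secrets.choice(ALPHA) for _ in range(length))


def otp_encrypt(plaintext, pad):
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: repeating it would make this Vigenère")
    return vigenere(plaintext, pad)


def pad_explaining(ciphertext, candidate_plaintext):
    """Perfect secrecy in one line: for ANY candidate plaintext of the right length
    there is a pad that maps it to the observed ciphertext, so the ciphertext alone
    cannot distinguish the real message from any other."""
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
                   for c, p in zip(ciphertext, candidate_plaintext))


def two_time_pad_leak(ciphertext1, ciphertext2):
    """Reusing a pad cancels it out: c1 - c2 == p1 - p2 (mod 26), which leaks the
    relation between the two plaintexts to anyone holding both ciphertexts."""
    return "".join(ALPHA[(ALPHA.index(a) - ALPHA.index(b)) % 26]
                   for a, b in zip(ciphertext1, ciphertext2))


if __name__ == "__main__":
    print(vigenere("ATTACKATDAWN", "LEMON"))                  # LXFOPVEFRNHR
    print(kasiski_gcd(vigenere("ATTACKATDAWN" * 3, "LEMO")))  # 12, a multiple of the key length 4
    pad = random_pad(12)
    ct = otp_encrypt("ATTACKATDAWN", pad)
    print(pad_explaining(ct, "ATTACKATDUSK"))   # a pad under which ct reads as a different order
```

Note that two_time_pad_leak never touches the pad: the relation it returns is the same whether it is computed from the two ciphertexts or from the two plaintexts, which is the whole reason the "one time" in the name is not optional.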



Julian Bolivar-Galeno is an Information and Communications Technologies (ICT) Architect whose expertise is in telecommunications, security and embedded systems. He works in BolivarTech focused on decision making, leadership, management and execution of projects oriented to develop strong security algorithms, artificial intelligence (AI) research and its applicability to smart solutions at mobile and embedded technologies, always producing resilient and innovative applications.




2016/02/23

You are the Social Networks' Product...

Facebook, Twitter and other social networks expose your personal information far beyond your group of friends. Remember that you are not really their customer: you are their product.



Users need to remember that the social networks make money from their advertisers, not from their users, and advertisers want to get their message out to as many people as possible. Because of this, the networks share your information with everyone, not just your "friends". A recent example: Facebook's facial recognition technology automatically suggests that friends tag you, unless you turn it off.


The most popular scams on social networks include cross-site scripting, clickjacking, survey scams and identity theft, but beyond these technical breaches, we ourselves are the first security hole.




We publish everything about our day-to-day activities, leaving a virtual trail of breadcrumbs about our behavior: what we like and dislike, how we think and see the world, and, more importantly, when and where we do all of it and how we relate to the people around us. That is the social networks' business: they collect it all (and we are happy to provide it), process and catalog it, and sell it, directly to organizations and to governmental and private agencies, and indirectly whenever advertising is placed on the site.


I remember my best friend once telling me, "If I am not capable of keeping my own secrets, how can I demand that others keep them?", and this is a great truth on social networks; we publish our private lives without fear, and it is really a good thing that certain ethical restrictions exist, because otherwise I do not even want to imagine the things that would be published without any shyness.


At Valhala Networks, and among information security professionals in general, we work hard to keep your information safe, but our efforts are futile without the end user's awareness of his own privacy.


My free advice as a security consultant: please think twice about the consequences before publishing anything on a social network, because the internet does not forget. And just remember: "Do not be fooled, if you do not pay for the product, then the product is you!!!"




BlackEnergy and Stuxnet the first Cyber Weapons on a Global Cyberwarfare

Western Ukrainian power company Prykarpattyaoblenergo reported an outage on December 23, 2015, saying that the affected area, which included the regional capital Ivano-Frankivsk with a population of 1.4 million, was without power for several hours.


Now, in January 2016, researchers have evidence linking that outage with the malware known as BlackEnergy.



BlackEnergy is a well-known malware family sold in the Russian cyber underground and dating back to as early as 2007.


Originally it was designed as a toolkit for building botnets for Distributed Denial of Service (DDoS) attacks, but over time it has evolved to support plugins, which extend its capabilities with whatever functions the purpose of a given attack requires.


The BlackEnergy toolkit's capabilities have been used by different gangs for different purposes, such as sending spam and stealing banking credentials, but its most notorious use may be the cyberattacks against Georgia during the Russo-Georgian confrontation in 2008; in the summer of 2014, BlackEnergy was again tailored with plugins to target Ukrainian government institutions.




The BlackEnergy toolkit comes with a builder application, used to generate the clients with which the attackers infect victim machines, and with server-side scripts that the attackers set up on the Command and Control (C&C) server. The scripts also provide an interface through which an attacker controls his bots. The simplicity and convenience of this toolkit mean that anyone with access to the kit can build his own botnet without any particular skill, and, as the Ukrainian power grid attack demonstrated, it can easily be turned into a cyber weapon.


The Ukrainian power outage was carried out with the BlackEnergy trojan, together with a backdoored SSH server introduced into the targets' systems and the destructive KillDisk plugin. All three were detected at several electricity distribution companies in Ukraine. Together they form a dangerous set of malicious tools, used as a cyber weapon, that gives the attackers remote access to the company's network and the ability to shut down critical systems and wipe their data, making it harder to get them up and running again.


But how is it possible that "standard" malware can infect specialized industrial software?




In order to reduce cost and time, it is common for the dedicated software used to program and control industrial hardware to run on PCs with operating systems such as Windows or Linux. These can then be targeted with similar or even the same malware that is used against ordinary internet users, and all the usual attack vectors apply, including human error and social engineering.


Another very serious risk is connecting industrial systems to the internet. In my experience this practice is common for reasons of practicality and cost: to reduce the number of highly trained employees, the existing ones are allowed to access the system remotely and solve any problem quickly.


These two factors, integrating commercial solutions and connecting to the internet, expose the industrial control system to the same threats that ordinary PCs face, but with far fewer options for defense. Software patching, for example, is much more problematic with industrial systems, because they tend to be heavily customized and are often always on, so any maintenance window must be planned very carefully.




In the Ukrainian power attack, the vector used was to convince the user to run a malicious macro embedded in Microsoft Office files. No software vulnerability was needed to infect the system: the attack relied purely on tricking the user into enabling and executing the macro.
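One triage check a defender can run on such attachments before they reach a user, as an added example in Python that is not part of the original post: Office 2007+ documents (.docx, .docm, .xlsm) are zip containers, and VBA code is stored in a vbaProject.bin part that the [Content_Types].xml manifest also declares, so both can be checked with the standard library alone. Legacy binary .doc and .xls files are OLE2 compound files, which this script only recognises by their header signature and flags for a dedicated OLE parser (oletools' olevba is the usual choice). The sample documents are constructed in memory and the vbaProject.bin placeholder is not a real VBA project.

```python
import io
import zipfile

# Added example, not from the original post. Attachment triage for the macro lure
# described above. Sample documents below are constructed, not real captures.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
CONTENT_TYPES_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def macro_indicators(data):
    """Return the list of macro indicators found in an OOXML container, [] if none,
    or None when the bytes are not a zip container (legacy OLE2 or something else)
    and a different parser is required."""
    if data.startswith(OLE2_MAGIC):
        return None
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    found = []
    with archive:
        names = archive.namelist()
        found += [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in archive.read("[Content_Types].xml"):
            found.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE.decode())
    return found


def has_vba_macros(data):
    """True / False for OOXML input, None when the file needs an OLE2 parser instead."""
    indicators = macro_indicators(data)
    return None if indicators is None else bool(indicators)


def build_sample_document(with_macro):
    """Constructed minimal .docx / .docm container, just enough for the check above."""
    overrides = ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        if with_macro:
            overrides = ('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Real vbaProject.bin parts are OLE2 streams; this is only a placeholder.
            archive.writestr("word/vbaProject.bin", OLE2_MAGIC + b"constructed placeholder, not real VBA")
        archive.writestr("[Content_Types].xml",
                         f'<Types xmlns="{CONTENT_TYPES_NS}">'
                         '<Default Extension="xml" ContentType="application/xml"/>'
                         f"{overrides}</Types>")
        archive.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


CLEAN_DOCX = build_sample_document(with_macro=False)
MACRO_DOCM = build_sample_document(with_macro=True)
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504      # only the header signature of an OLE2 file

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOCX), ("macro", MACRO_DOCM), ("legacy", LEGACY_DOC)):
        print(label, has_vba_macros(doc), macro_indicators(doc))
```

A positive result is an indicator, not a verdict: legitimate in-house templates contain macros too, so the check belongs in a quarantine-for-review step rather than a hard block. The None result is the important edge case; silently treating a legacy .xls as "no macros found" would have missed exactly the kind of lure described above.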


But BlackEnergy is not the first known cyber weapon: in January 2010, the most sophisticated cyber weapon the world had ever seen was ravaging Iran's nuclear program.


This malware, dubbed Stuxnet, was allegedly developed by the U.S. and Israel to infect the Natanz uranium enrichment plant in Iran. The complex virus infected the computer systems that ran the centrifuges and, by making slight tweaks to their control software, caused hundreds of centrifuges to destroy themselves.




Stuxnet was designed to manipulate control systems made by the German firm Siemens that control and monitor the speed of the centrifuges. The attack worked by infecting the Step 7 project files used to program Siemens' PLCs.


The computers at Natanz are disconnected from the internet and cannot be reached directly by remote attackers. Because of this, Stuxnet was designed to spread via infected USB flash drives (an early variant relied on the Windows Autorun feature; later versions exploited a flaw in how Windows handles shortcut files) or through the victim's local network using the print-spooler zero-day exploit that Kaspersky Lab and Symantec later found in the code.


For Stuxnet to reach its target machines, the attackers first infected computers belonging to five outside companies believed to be connected in some way to the nuclear program. Employees of these companies then became unwitting couriers, carrying the weapon on flash drives into the protected facility and, eventually, onto the Siemens engineering computers.


It is not clear how long it took Stuxnet to reach its target after infecting machines at the contractor companies.


According to one U.S. intelligence source, Stuxnet's developers tried to deploy a version of the malware against North Korea's nuclear weapons program.


This version would activate only when it encountered Korean-language settings on an infected machine.




The attackers could not reach the core machines that ran Pyongyang's nuclear weapons program as they had in Iran, and they tried to deploy the malware using the same attack vector; but the attempt ultimately failed. In contrast to the Iranians, who access the Internet broadly and interacted with companies from around the globe, North Korea has some of the most isolated communications networks in the world, where merely owning a computer requires police permission and the open Internet is unknown except to a tiny elite. The country also has a single main conduit for Internet connections to the outside world, through China, which allows complete control over the information that passes through it.


The advantage that custom-made malware has over weaponized public-domain malware is that the former is harder, or impossible, for commercial antivirus to detect: its limited and targeted objectives prevent vendors from obtaining samples to incorporate into their products before the attack takes place. But the use of public-domain malware for politically motivated attacks is an intriguing convergence of criminal activity and espionage, because a kit already in use by multiple criminal groups provides a greater measure of plausible deniability than a custom-made piece of code.




NSA Believe that Current Cryptography Algorithms Are Broken by New Quantum Computers

Quantum computing is a new way of building computers that takes advantage of the quantum properties of particles to perform operations on data in a very different way from traditional computers.


With this improvement in computational performance come other risks, above all in the cryptography area, where security rests on applying to the plain data mathematical operations that are hard to reverse in a reasonable time without knowledge of specific parameter values.



On quantum computers, Shor's algorithm can efficiently factor numbers and compute discrete logarithms, and so can break RSA, Diffie-Hellman and the other discrete-log-based cryptosystems, including those that use elliptic curves; a minimization-based approach to factoring, described below, has also been demonstrated at small scale.




Shor's algorithm is composed of two parts. The first turns the factoring problem into the problem of finding the period of a function, and can be implemented classically. The second finds the period using the quantum Fourier transform, and is responsible for the quantum speedup.
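The two parts are easy to separate in code. The following is an added example, not part of the original post: the classical reduction is carried out as Shor described it, but the period-finding step is done by brute force, which is exponential and is precisely what the quantum Fourier transform replaces. Bases are tried in increasing order instead of at random so the result is reproducible, and the moduli in the usage are toys chosen for illustration.

```python
from math import gcd

# Added example, not from the original post. Classical half of Shor's algorithm
# with the quantum period-finding step replaced by exhaustive search, so it only
# works for toy moduli. The moduli used below are chosen for illustration.


def find_period(a, n):
    """Smallest r > 0 with a^r = 1 (mod n). This is the step Shor's algorithm hands
    to the quantum computer; here it is exhaustive search, exponential in the
    size of n. Requires gcd(a, n) == 1, otherwise the loop never terminates."""
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_via_period(n):
    """Shor's reduction from factoring to period finding.
    Returns (a, r, p, q) with p * q == n for the first base a whose period works,
    or None (for example when n is prime)."""
    for a in range(2, n):
        if gcd(a, n) != 1:
            continue                      # a already shares a factor; not the path of interest
        r = find_period(a, n)
        if r % 2:
            continue                      # odd period: no usable square root of 1
        y = pow(a, r // 2, n)             # y^2 = 1 (mod n)
        if y == n - 1:
            continue                      # trivial root: gcd(y + 1, n) would be n
        p = gcd(y - 1, n)
        if 1 < p < n:
            q = n // p
            return a, r, min(p, q), max(p, q)
    return None


if __name__ == "__main__":
    print(factor_via_period(15))   # (2, 4, 3, 5): 2^4 = 1 mod 15, 2^2 = 4, gcd(3, 15) = 3
    print(factor_via_period(21))   # (2, 6, 3, 7)
    print(factor_via_period(13))   # None: a prime has no non-trivial square root of 1
```

For an RSA-sized modulus the while loop in find_period would run for a number of steps comparable to the modulus itself; everything after it (the gcd step) is cheap on any computer. That is why a quantum speedup of that single step is enough to break the scheme.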


The minimization algorithm relies on first transforming the factorization problem into an optimization problem; as explained in my other article "Quantum Computers are Already Here?", at the machine level the actual quantum processor solves Quadratic Unconstrained Binary Optimization problems, which can provide faster ways to reach optimal and near-optimal results.




Before panicking and declaring internet security broken, we should note that the largest number factored with these algorithms without any prior knowledge of the solution is 56153, a 16-bit number, using only 4 qubits. Exploiting the true power of quantum mechanics in this kind of computation will require many more qubits; and remember that the D-Wave 2X has 1000 qubits available in its quantum processor.


In August 2015, the U.S. government’s National Security Agency (NSA) released a major policy statement on the need to develop standards for post-quantum cryptography (PQC).


In this announcement, the NSA explains its intention to "initiate a transition to quantum resistant algorithms in the not too distant future" and also recommends, "for those partners and vendors that have not yet made the transition to Suite B elliptic curve algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition."


NSA Suite B Cryptography is a set of cryptographic algorithms promulgated as part of the agency's Cryptographic Modernization Program; it serves as an interoperable cryptographic base for both unclassified information and most classified information.




NSA Suite A Cryptography is a category of classified algorithms that will not be released and are used to protect some categories of especially sensitive information.


The NSA also recommends, "for those customers who are looking for mitigations to perform while the new algorithm suite is developed and implemented into products", that "first, it is prudent to use larger key sizes in algorithms in many systems"; additionally, those "using layered commercial solutions to protect classified national security information with a long intelligence life should begin implementing a layer of quantum resistant protection. Such protection may be implemented today through the use of large symmetric keys and specific secure protocol standards".


Symmetric-key encryption schemes such as AES have the property that the fastest known quantum attack for recovering a k-bit secret key (Grover's search) takes time on the order of 2^(k/2). Thus AES with 256-bit keys is believed to provide a 128-bit security level against quantum attacks, half the number of bits of security it has against conventional attacks.




At Valhala Networks, to secure our documents, electronic schematics and source code we use CuaimaCrypt, a symmetric-key encryption algorithm which, based on a theoretical pre-evaluation (we do not have access to a quantum computer), is quantum resilient because of its dynamic structure, number of equivalent bits and mode of operation.


You can use it for free by downloading the "CuaimaCrypt Command Line", or CCLI, from Valhala's web site.


Other viable candidates for post-quantum cryptography include lattice-based cryptography, which is being studied intensively by cryptographers because it can be used to achieve fully homomorphic encryption and code obfuscation, neither of which is known to be achievable with conventional RSA or discrete logarithm cryptography.




Hash-based cryptography, which is believed to lose against quantum computers only what symmetric ciphers lose: roughly k/2 bits of security, where k is the bit length of the hash values, compared with k bits against conventional attacks.


Multivariate polynomial cryptography, where the security of the schemes is based on the difficulty of solving a system of multivariate polynomial equations over a finite field.


Isogeny-based cryptography, where security is based on the difficulty of computing an isogeny of a given degree between two isogenous supersingular elliptic curves over F_{p^2}.
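Of the families above, hash-based signatures are the easiest to see working. The following is an added example, not from the original post: a Lamport one-time signature built on SHA-256, the ancestor of the stateful and stateless hash-based schemes such as XMSS and SPHINCS. Its security rests only on preimage resistance of the hash, and the last two functions show the property that gives the scheme its name: signing a second message with the same key exposes enough secret material that signatures can be assembled without the key. Keys and messages are constructed.

```python
import hashlib
import secrets

# Added example, not from the original post: Lamport one-time signatures over
# SHA-256. Keys and messages are constructed for illustration.


def H(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: 256 pairs of random 32-byte values. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(message):
    """The 256 bits of H(message), most significant first."""
    digest = int.from_bytes(H(message), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def sign(sk, message):
    """Reveal, for each bit of H(message), the secret half selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk, message, signature):
    """Each revealed value must hash to the public half selected by the message bit."""
    if len(signature) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(signature, message_bits(message))))


def revealed_material(signed):
    """Collect the secret halves exposed by a list of (message, signature) pairs.
    With two signatures, every position where the two hashes differ has BOTH halves exposed."""
    revealed = [dict() for _ in range(256)]
    for message, signature in signed:
        for i, (s, bit) in enumerate(zip(signature, message_bits(message))):
            revealed[i][bit] = s
    return revealed


def forge(revealed, message):
    """Assemble a signature for `message` from exposed material alone, no secret key.
    Returns None if some position still lacks the half this message needs."""
    signature = []
    for i, bit in enumerate(message_bits(message)):
        if bit not in revealed[i]:
            return None
        signature.append(revealed[i][bit])
    return signature


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = b"first message", b"second message, same key: a mistake"
    s1, s2 = sign(sk, m1), sign(sk, m2)
    print(verify(pk, m1, s1), verify(pk, m2, s1))          # True False
    rev = revealed_material([(m1, s1), (m2, s2)])
    print(sum(len(r) == 2 for r in rev), "positions fully exposed after two signatures")
```

The sizes explain why the tree constructions exist: each public key here is 16 KB and each signature 8 KB, and both are spent after one use. XMSS and SPHINCS amortise the cost over many one-time keys, but they inherit the same rule, never sign twice with the same one-time key, which is why the stateful variants must track which leaves have been used.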


We must note that these PQC algorithms have no relation to quantum cryptography.




Quantum cryptography is essentially based on sending individual particles of light (photons) over a transmission channel and exploiting their intrinsic quantum properties, in particular Heisenberg's uncertainty principle, to build an unbreakable cryptosystem: since it is impossible to measure the quantum state of a system without disturbing it, an eavesdropper cannot avoid leaving a trace.


It is theoretically possible to use other particles, but photons offer all the necessary qualities and their behavior is comparatively well understood.


Current commercial quantum cryptography takes the form of quantum key distribution systems over fiber channels.


In conclusion, I do not think that internet security is actually broken; but what is certain, given the current state of quantum computer development, is that in a few years "we will be short" on the number of bits used by current cryptographic algorithms, and we need to address this possibility now, because afterwards it will be too late.




Quantum Computers are Already Here?

For years we have had the promise that a commercial quantum computer would be developed to solve complex problems at unprecedented speeds. But it appears that "the future is now" with the first generation of commercial quantum computers.



But first we need to establish what a quantum computer is and how it works.


First, in quantum computing a qubit (quantum bit, sometimes written qbit) is the unit of quantum information, the analogue of the classical bit.

A qubit is a two-state quantum-mechanical system, where the two states can be, for example, vertical and horizontal polarization, and these states are used to encode information as 0, 1 or both simultaneously.


This "superposition" of states, together with the quantum effects of entanglement and quantum tunneling, enables quantum computers to consider and manipulate many combinations of bits simultaneously.


One of the problems with current quantum computers is that they need to operate near 0 kelvin and be shielded from any electromagnetic or mechanical disturbance. For the quantum effects to play a role in the computation, the quantum processor must run in an extremely isolated environment, with refrigeration and many layers of shielding that create an internal environment at a temperature close to absolute zero, isolated from external magnetic fields, vibration and external RF signals of any kind.

The current commercial system implements a quantum annealing algorithm, which solves problems by searching for the global minimum of a function. This is fundamentally different from the familiar framework of classical computing built on logical operations, but it is relevant to many high-value problems such as minimizing error in a voice recognition system, learning algorithms, breaking symmetric cryptographic keys, controlling risk in a financial portfolio, reducing energy loss in an electrical grid, and so on.


While there are different ways in which users can submit problems to the system, at the level of the quantum processor's machine instructions the system solves a Quadratic Unconstrained Binary Optimization (QUBO) problem, where binary variables are mapped to qubits and correlations between variables are mapped to couplings between qubits. The system of interacting qubits is evolved quantum mechanically by the annealing algorithm to find optimal or near-optimal solutions.


Solving problems with a quantum system can be thought of as trying to find the lowest point on a landscape of peaks and valleys. Every possible solution is mapped to coordinates on the landscape, and the altitude at those coordinates is the "energy" or "cost" of that solution. The aim is to find the lowest point or points on the map and read off their coordinates, since the lowest energy corresponds to the optimal solution of the problem.


The special properties of quantum physics, such as quantum tunneling, allow the quantum computer to explore this landscape in ways that were never possible with classical systems. Quantum tunneling is like a layer of water covering the entire landscape: as well as running over the surface, the water can tunnel through the mountains as it looks for the lowest valley. The water is an analogy for the probability that a given solution will be returned. When the quantum computation takes place, the "water", the probability, pools in the lowest valleys; the more water in a valley, the higher the probability of that solution being returned. A classical computer, on the other hand, is like a single traveler exploring the surface of the landscape one point at a time.
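To make the landscape picture concrete, here is an added example in Python, not from the original post, that phrases the toy problem of factoring 15 as a cost over four binary variables (the minimization route to factoring), enumerates the whole map, and then sends the single classical traveler of the analogy, a greedy bit-flip descent, from every starting point. Encoding the factors as odd numbers starting at 3 is an assumption made to keep the trivial 1 × N solution off the map, and the cost (N - pq)^2 is quartic in the bits; on real annealing hardware it would first have to be reduced to quadratic (QUBO) form with auxiliary variables, a step left out here. Nothing in this block is an annealer.

```python
from itertools import product

# Added example, not from the original post. A toy factoring problem as a cost
# over binary variables, the full energy landscape, and a classical greedy walker.
# The odd-numbers-from-3 encoding is an assumption chosen for illustration.

BITS_PER_FACTOR = 2


def decode(bits):
    """Map a bit vector to candidate factors p and q; both odd and >= 3,
    so the trivial 1 * N solution does not appear on the map."""
    k = BITS_PER_FACTOR
    p = 3 + 2 * sum(b << i for i, b in enumerate(bits[:k]))
    q = 3 + 2 * sum(b << i for i, b in enumerate(bits[k:]))
    return p, q


def energy(n, bits):
    """Cost to minimise: zero exactly when p * q == n. Quartic in the bits, so real
    hardware would need a reduction to quadratic (QUBO) form first."""
    p, q = decode(bits)
    return (n - p * q) ** 2


def landscape(n):
    """Every coordinate of the map with its altitude."""
    return {bits: energy(n, bits) for bits in product((0, 1), repeat=2 * BITS_PER_FACTOR)}


def global_minima(n):
    scape = landscape(n)
    low = min(scape.values())
    return low, sorted(decode(b) for b, e in scape.items() if e == low)


def greedy_descent(n, start):
    """The single traveler: flip the one bit that lowers the cost most; stop when no
    flip helps. Ties go to the lowest bit index so the walk is deterministic."""
    cur = tuple(start)
    while True:
        cur_e = energy(n, cur)
        step, step_e = None, cur_e
        for i in range(len(cur)):
            cand = cur[:i] + (1 - cur[i],) + cur[i + 1:]
            e = energy(n, cand)
            if e < step_e:
                step, step_e = cand, e
        if step is None:
            return cur, cur_e
        cur = step


def descent_outcomes(n):
    """How many starting points reach the valley floor and how many get trapped."""
    low, _ = global_minima(n)
    reached = trapped = 0
    for start in landscape(n):
        _, e = greedy_descent(n, start)
        if e == low:
            reached += 1
        else:
            trapped += 1
    return reached, trapped


if __name__ == "__main__":
    print(global_minima(15))       # (0, [(3, 5), (5, 3)])
    print(descent_outcomes(15))    # (13, 3): three starts end at p*q = 21, cost 36
```

Three of the sixteen starting points settle in the local valley p·q = 21 (cost 36) and never reach a true factorization; that trap is what the tunneling analogy claims an annealer can escape, and it is also why such hardware returns "optimal or near-optimal" rather than guaranteed answers.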


Founded in 1999, D-Wave Systems is a quantum computing company that makes quantum processors based on superconducting circuits. Its latest processor, the D-Wave 2X with 1000 qubits, is said to consider all 2^1000 possible solutions at the same time.


The physical footprint of the D-Wave 2X is approximately 10' x 7' x 10' (L x W x H). It houses a cryogenic refrigeration system, shielding and I/O systems that support a single thumbnail-sized quantum processor; most of the physical volume of the current system is taken up by the refrigeration system. Adjoining cabinets contain the control subsystems and the front-end servers that provide connectivity to the system.


The D-Wave 2X system can be deployed as part of a High Performance Computing (HPC) data center using standard interfaces and protocols.


The I/O subsystem is responsible for passing information from the user to the processor and back. After a problem is received from the user via standard web protocols, the data is converted to analog signals and carried over normally conducting wires that transition to superconducting wires at low temperature.


The only path for signals between the inside and outside of the shielded enclosure is a digital optical channel carrying programming information in and the results of computations out.

The processor resides in a high-vacuum environment in which the pressure is 10 billion times lower than atmospheric pressure, at a temperature of 15 millikelvin, approximately 180 times colder than interstellar space; the magnetic shielding subsystem achieves fields of less than 1 nanotesla across the processor in each axis, approximately 50,000 times less than the Earth's magnetic field.


Some researchers argue that the D-Wave 2X is not a quantum computer but just a quantum annealer, which is only one part of a computer. The annealer's role is to specify interactions between its qubits so that they can settle into their lowest energy states.


After reading the papers on how a D-Wave 2X is built and programmed, it is easy to see that it is not a general-purpose computer: you cannot expect to go and buy a quantum version of the universal processor in your PC and play games at quantum speeds. The D-Wave 2X is designed to solve one very specific problem, finding the global minimum of a very complicated function, and cannot be programmed to perform a range of tasks.


At this moment quantum computer technology is at the level that binary computers had reached during World War II, when they could only solve specific problems such as projectile ballistics calculations, or the Turing machines built to break the Enigma code.


In conclusion, in my opinion and with these technical facts in mind, it is possible to infer that we are a few decades away from creating a universal quantum processor.




Malfeasance by Cheatware

During the past six years, Volkswagen was cheating on the emissions testing of its diesel cars: the cars' computers were able to detect when they were being tested and temporarily alter how their engines worked, so that they looked much cleaner than they actually were; when they were not being tested, the cars produced up to 40 times more pollutants.


Computers give people new ways to cheat, because the cheating lives in the embedded software and the malicious actions happen only when the expected conditions are present; otherwise the device continues in its normal operating mode. Because software is "smart" in ways that ordinary objects are not, the cheating can be subtle and hard to detect.



The Internet of Things is supposedly coming, and many industries are adding embedded computers to their devices, which will bring new opportunities for manufacturers to cheat. Light bulbs could appear more energy efficient than they are; temperature sensors could make it appear that food has been stored at safer temperatures than it has; voting machines could appear to work perfectly, except on election day, when they undetectably switch a few percent of votes from one party's candidates to another's; electricity meters could add a few cents to every reading; and so on.


This cheating embedded software will not be stopped by standard computer security procedures, because those are designed to prevent outside hackers from breaking into your computers and networks. The car analogue would be security software that prevents an owner from tweaking his own engine to run faster at the cost of emitting more pollutants; the real task is to contend with malfeasance programmed in at the design stage.



Software verification has two parts: transparency and oversight. Transparency means making the source code available for analysis by independent investigators; the need for this is obvious, because it is much easier to hide cheating software if a manufacturer can hide the code. Oversight means that analysis cannot be limited to a once-every-few-years government test; private analysis is necessary as well.


Neither transparency nor oversight is done properly in the software world, because companies routinely fight making their code public and attempt to muzzle independent security researchers who find problems, citing the proprietary nature of the software. It is a fair complaint, but the public interests of accuracy and safety need to count for more than business interests.


Proprietary software is widely used in critical applications such as voting machines, medical devices, breathalyzers and electric power distribution. As I said in my other article "Artificial Intelligence, is really so dangerous?", we are ceding more control of our lives to "dumb intelligent systems" with poor quality control and deficient testing and homologation procedures. Overall software quality is so bad that products ship with thousands of programming mistakes; most of them do not affect normal operation, which is why your software generally works just fine, but some of them do, which is why your software occasionally fails and needs constant updates. By making cheating software look like a programming mistake, the cheating looks like an accident, and unfortunately this kind of deniable cheating is easier than people think.



Malfeasance by software is easier to commit and harder to prove because fewer people need to know about the conspiracy; it can be done well in advance, far from the time of testing and homologation; and, if the "cheatware" remains undetected for long enough, it could easily be the case that nobody left in the company knows it is there.


From the companies' point of view, and also as a software developer myself, I can understand that software algorithms are an investment of time and money in research and development and can be the most precious (or the only) asset of a company; publishing the source code is like asking Coca-Cola or Pepsi to reveal their soda recipes. I also know that project schedules and budgets often work against a meticulous software audit.


On one side, transparency and oversight are the only way to verify that software is doing the job as expected; on the other side is the right to protect intellectual property. Midway between both, the most viable option would be for companies to follow procedures to have their software certified by external entities, under a contract with a non-disclosure agreement covering the source code but allowing the full release of the tests, procedures and results by the external certification entity.


In conclusion, we need better verification of the software that controls our lives in this modern world, because our lives may come to depend on it.



Julian Bolivar-Galeno is an Information and Communications Technologies (ICT) Architect whose expertise is in telecommunications, security and embedded systems. He works in BolivarTech focused on decision making, leadership, management and execution of projects oriented to develop strong security algorithms, artificial intelligence (AI) research and its applicability to smart solutions at mobile and embedded technologies, always producing resilient and innovative applications.




Now ‘iSpyU’ business is outsourcing

Since time immemorial, governments have always tried to collect intelligence about people they consider problematic among their own citizens. But this was always an “in-house business”, where the government itself developed the tools and procedures to accomplish the task; until now, when the ‘iSpyU’ business can be outsourced by anyone thanks to products like the FinFisher suite.



FinFisher is a remote intrusion and surveillance software developed by Munich-based Gamma International GmbH and marketed and sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group.



FinFisher is sold as a “lawful interception” suite for monitoring criminals, but it has gained notoriety because it has been used by repressive governments in targeted attacks against human rights campaigners and opposition activists in countries with questionable human rights records such as Bahrain, Ethiopia, Serbia, Turkmenistan, Venezuela and Vietnam.


Most of the information about FinFisher comes from The Citizen Lab, a laboratory based at the Munk School of Global Affairs, University of Toronto, Canada, which focuses on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security.


According to information leaked and collected from the deep web, “spying on your opponents” is not cheap: the suggested price tag for FinFisher products (including a full set of attack software, booby-trapped thumb drives and nearly a dozen different training courses) was some 3.5 million dollars (3 million euros).


FinFisher provides the following spy features on target devices (computers, cellphones):


  • Bypassing of 40 regularly tested Antivirus Systems

  • Covert Communication with Headquarters

  • Full communications monitoring (Calls, Video, Contact List, etc.)

  • Recording of common communication like Email, Chats, Voice-over-IP, WhatsApp, Skype, SMS, Chats, File Transfers, etc.

  • Live Surveillance through inbuilt camera and microphone

  • Country Tracing of Target

  • Silent extracting of Files from device

  • Process-based Key-logger for faster analysis

  • Live Remote Forensics on Target System

  • Advanced Filters to record only important information

  • Supports most common Operating Systems (Windows, Mac OSX, Linux, Android, iOS, Windows Phone)

As a security specialist, I find it curious to hear how competitors propose to avoid this kind of surveillance by focusing on encryption software: when the target device is compromised to the point of allowing a key-logger to capture what the user types at the source, and file transfers directly from the device, any kind of encryption is useless, because encryption protects against a tapped transmission medium, not against a compromised terminal.



To mitigate this kind of surveillance, the only choice available is to be very careful about the software installed on your terminals, because you cannot trust your antivirus, which can be easily bypassed; other, more radical countermeasures are available for human rights campaigners and opposition activists who know they may be targets of oppressive governments.






CuaimaCrypt, a Strong Cryptographic Alternative

CuaimaCrypt is a cipher designed by Julian Bolivar-Galeno in 2007, with improvements suggested by Jonathan Pastran during the development period.


CuaimaCrypt originally had two versions: CuaimaCrypt Stream Codec (CuaimaCrypt-SC), designed for hardware implementation, encoding data streams in real time; and CuaimaCrypt Block Codec (CuaimaCrypt-BC), designed for software implementation, because it uses the capacity of PCs to process data blocks efficiently.


Currently the most distributed and used version is CuaimaCrypt-BC, and I will focus this article on it.



Traditional cryptographic algorithms such as AES, RC4, Blowfish, DES, Triple DES, Serpent, Twofish and others have a predetermined, fixed structure.

[Figure: CuaimaCrypt_Codec_Decodec-Schema]

CuaimaCrypt has a dynamic structure; because of this the structure is unknown in advance, and only the basic layout is defined.


CuaimaCrypt’s structure is determined by the key used; this feature, together with the operation of the coding blocks, makes it more robust to cryptanalysis than traditional algorithms and resistant to current quantum computer attacks, as I explained in my other article “NSA Believe that Current Cryptography Algorithms Are Broken by New Quantum Computers”.


The heart of CuaimaCrypt is the Shift-Codec and the Shift-Decodec, which are the components that encode and decode the clear data.


[Figure: ShiftCodec_EX]

The Shift-Codec consists of a 64-bit shift register and five 32-bit XOR gates; it also has two internal 32-bit windows (Win A and Win B) and a “Shift Leap” parameter, which determines how many bits the register shifts at each iteration. Another important point is that the Shift-Codec has an “Up Chain” and a “Down Chain”, which are linked to other Shift-Codecs in CuaimaCrypt’s structure; also, two anchor points are defined in the shift register, “Up Chain” and “Down Chain”, coming from two other Shift-Codecs in CuaimaCrypt.


[Figure: ShiftDecodec_EX]

The Shift-Decodec has a structure identical to the Shift-Codec; the difference between them is the feedback point of the upper loop, which in the Shift-Decodec uses the clear data to feed the loop. This is very important for the system’s security for two reasons. The first is that, in order to decode the data at time t+(64/“shift leap”), the data at time t must have been decoded successfully; otherwise the output will be useless, because the system will have diverged from the original sequence. The second is that with this feedback the shift register does not suffer from the drawbacks of linear feedback shift registers (LFSRs), namely sub-cycles or shorter cycles. Because of the feedback loops, the “up and down chain” connections, the “shift leap” and the dependence on the clear data, the Shift-Codec and Shift-Decodec do not have cycles that can be predicted by cryptanalysis.
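The first property above, that decoding at a later time requires every earlier byte to have been decoded correctly, is easiest to see on a small model. The block below is an added example, not CuaimaCrypt and not the Shift-Codec/Shift-Decodec design: it is a hypothetical 64-bit register that emits one keystream byte per step, rotates by a “shift leap” (kept in the 1 to 15 bit range the article gives), absorbs the clear byte into its state and then passes the state through a nonlinear mixer (the splitmix64 finaliser, chosen here as an assumption). The encoder feeds back the real clear byte; the decoder can only feed back the byte it recovered, so a single flipped ciphertext bit leaves its register out of step with the encoder’s for the rest of the message.

```python
"""Toy plaintext-feedback register (added example; NOT CuaimaCrypt)."""

MASK64 = (1 << 64) - 1


def _rotl64(x, n):
    """Rotate a 64-bit value left by n bits (the "shift leap")."""
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64


def _mix(x):
    """splitmix64 finaliser: a 64-bit bijection used as the nonlinear update."""
    x = ((x ^ (x >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    x = ((x ^ (x >> 27)) * 0x94D049BB133111EB) & MASK64
    return x ^ (x >> 31)


def _check_leap(leap):
    # The article states the shift leap lies between 1 and 15 bits per cycle.
    if not 1 <= leap <= 15:
        raise ValueError("shift leap must be between 1 and 15")


def encode(plaintext, key, leap):
    """Keystream byte = top byte of the state; then feed the *clear* byte
    back into the register before rotating and mixing."""
    _check_leap(leap)
    state = key & MASK64
    out = bytearray()
    for p in plaintext:
        out.append(p ^ (state >> 56))
        state = _mix(_rotl64(state, leap) ^ p)
    return bytes(out)


def decode(ciphertext, key, leap):
    """Same register, but the feedback uses the *recovered* clear byte, so a
    wrong recovery desynchronises the decoder's state from the encoder's."""
    _check_leap(leap)
    state = key & MASK64
    out = bytearray()
    for c in ciphertext:
        p = c ^ (state >> 56)
        out.append(p)
        state = _mix(_rotl64(state, leap) ^ p)
    return bytes(out)


def divergence_report(plaintext, key, leap, flip_index):
    """Flip one ciphertext bit and return (index of the first wrong decoded
    byte, number of wrong bytes after it)."""
    ct = bytearray(encode(plaintext, key, leap))
    ct[flip_index] ^= 0x01
    rec = decode(bytes(ct), key, leap)
    wrong = [i for i, (a, b) in enumerate(zip(rec, plaintext)) if a != b]
    return wrong[0], len(wrong) - 1


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog. " * 2   # constructed sample
    print(divergence_report(msg, 0x0123456789ABCDEF, 5, 10))   # e.g. (10, <most of the 79 remaining bytes>)
```

The round trip is exact when the ciphertext is intact, the bytes before the flipped one still decode correctly, the flipped byte is wrong by exactly the flipped bit, and from there on the decoder’s keystream is unrelated to the encoder’s. For a defender this cuts both ways: a transmission error or a truncated stream is detected by the garbage that follows, but it also means the decoder must see the whole stream in order, with no random access.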


The Shift-Codecs and Shift-Decodecs form a mesh using the “Up Chain” and the “Down Chain”. Each “Up Chain” and “Down Chain” connection is bound to a single Shift-Codec or Shift-Decodec, but not necessarily the same one, and each Shift-Codec or Shift-Decodec can receive only one “Up Chain” and one “Down Chain”, so the connections are unique among the Shift-Codecs or Shift-Decodecs; additionally, the point where the shift register’s data is extracted is dynamic.


These connections must be initialized before coding starts and must be key dependent.


The Shift Leap is a parameter that defines how many bits are shifted in each cycle; its value is between 1 and 15 bits per cycle.


[Figure: RakeCodec]

The Rake Codec and the Rake Decodec are formed by grouping four Shift-Codecs and four Shift-Decodecs respectively.


This group of Shift-Codecs or Shift-Decodecs can process blocks of 128 bits.


The byte scramblers are functions that combine the four 32-bit outputs from the Rake Codec or Rake Decodec; they are used to increase the coding’s entropy, as they mix the most significant and the least significant bytes.

The interleaving is used to make the input data orthogonal using a Walsh code, in order to produce an equal distribution of 1s and 0s in the data. It mixes the most and least significant bits.


[Figure: CrossBytes]

The scramblers and the interleaving help to produce a flatter distribution of values over the ASCII table.
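Why a Walsh code gives an equal count of 1s and 0s regardless of the input is worth seeing concretely. The block below is an added example using the textbook Sylvester construction of Walsh-Hadamard codes and the standard spreading rule (each input bit becomes either the code word or its complement); it is not CuaimaCrypt’s interleaver, and the code length and the row chosen are assumptions for the demonstration.

```python
"""Walsh-Hadamard spreading and its balance property (added example)."""


def walsh_matrix(order):
    """Return the 2**order x 2**order Walsh-Hadamard matrix with 0/1 entries
    (0 stands for +1, 1 for -1), built by the Sylvester recursion."""
    h = [[0]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [1 - x for x in row] for row in h]
    return h


def is_orthogonal(h):
    """Every pair of distinct rows differs in exactly half the positions,
    i.e. their dot product in the +/-1 representation is zero."""
    n = len(h)
    return all(
        sum(a != b for a, b in zip(h[i], h[j])) == n // 2
        for i in range(n) for j in range(i + 1, n)
    )


def _bits(data):
    """Yield the bits of each byte, most significant bit first."""
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def spread(data, code):
    """Map each input bit to the code word (bit 0) or its complement (bit 1).
    If the code word is balanced, both images are balanced, so the output
    holds equal numbers of 1s and 0s whatever the input bytes are."""
    chips = []
    for bit in _bits(data):
        chips.extend(code if bit == 0 else [1 - c for c in code])
    return chips


def despread(chips, code):
    """Invert spread(): a chip group equal to the code is bit 0, its
    complement is bit 1; any other pattern means the stream was corrupted."""
    n = len(code)
    complement = [1 - c for c in code]
    bits = []
    for i in range(0, len(chips), n):
        group = chips[i:i + n]
        if group == code:
            bits.append(0)
        elif group == complement:
            bits.append(1)
        else:
            raise ValueError("chip group %d does not match the Walsh code" % (i // n))
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def balance(chips):
    """(ones, zeros) count of a chip stream."""
    ones = sum(chips)
    return ones, len(chips) - ones


if __name__ == "__main__":
    code = walsh_matrix(3)[5]                 # an 8-chip balanced row (assumption)
    print(code, balance(spread(b"\x00\x00\x00\x00", code)))   # all-zero input, still balanced
```

Row 0 of the matrix is all zeros and is the one row that is not balanced, so an implementation must never select it; every other row of a Sylvester-Hadamard matrix has exactly half its entries set, which is what makes the output distribution flat even for an all-zero or all-one input.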


In its most basic form, CuaimaCrypt is formed by the interleaving of the input data, two Rake Codec blocks and one Scrambler between the Rake Codecs.


One of the strengths of CuaimaCrypt is that this structure can be repeated almost indefinitely, depending on the available memory and the required encoding rate, to increase the level of security required by the application; at present, for Valhala’s most classified documents, we are using CuaimaCrypt with 512 blocks.


CuaimaCrypt’s initialization is set using the following parameters:


  • Number of blocks.

  • Seeds of Shift Codec.

  • Sequence of Scramblers to be used between blocks.

  • Hopping sequence between Shift Codecs.

  • Up Chains on each Shift Codec.

  • Down Chains on each Shift Codec.

  • Start Point window for each Up Chain Shift Codec.

  • Start Point window for each Down Chain Shift Codec.

  • Start Point window for Win A in each Shift Codec.

  • Start Point window for Win B in each Shift Codec.

  • Shift Leap for each Codec.

  • Walsh code to be used in the interleaving.

The initialization process can be performed by any method chosen by the programmer using the library, but since it determines the security of the algorithm, it is imperative to be very careful in the way it is implemented.


[Figure: Valhala_Lorenz-0]

In Valhala Networks’ implementation, we use Lorenz attractors to initialize CuaimaCrypt.


The Lorenz attractor is a concept introduced by Edward Lorenz in 1963; it is a three-dimensional deterministic nonlinear dynamical system derived from simplified equations of the convection rolls that occur in the dynamical equations of the atmosphere.


For certain values of the system’s parameters, it exhibits chaotic behavior and shows what is now called a strange attractor.


Tucker proved in 2001 that the strange attractor in this case is a fractal with Hausdorff dimension between 2 and 3. Grassberger (1983) estimated the Hausdorff dimension at 2.06 ± 0.01 and the correlation dimension at 2.05 ± 0.01.


[Figure: Valhala_Lorenz-16]

In order to initialize CuaimaCrypt’s parameters, the Lorenz attractor is used to generate a pseudorandom sequence that is difficult to determine without knowing precisely the starting points that were chosen.
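To make the “starting point” dependence tangible, the block below is an added example that integrates the Lorenz equations with a fourth-order Runge-Kutta step, discards a burn-in so the trajectory settles onto the attractor, and then emits one 32-bit word per step from the low mantissa bits of the x coordinate. It is a generic illustration, not Valhala Networks’ initialization code; the parameters (sigma, rho, beta, the step size, the burn-in length and the bit-extraction rule) are assumptions.

```python
"""Lorenz-attractor sequence generator (added example, not the article's code)."""
import struct

SIGMA, RHO, BETA = 10.0, 28.0, 8.0 / 3.0   # classic chaotic parameter set


def _lorenz(v):
    x, y, z = v
    return (SIGMA * (y - x), x * (RHO - z) - y, x * y - BETA * z)


def _rk4_step(v, dt):
    """One fourth-order Runge-Kutta step of the Lorenz system."""
    k1 = _lorenz(v)
    k2 = _lorenz(tuple(a + dt / 2 * b for a, b in zip(v, k1)))
    k3 = _lorenz(tuple(a + dt / 2 * b for a, b in zip(v, k2)))
    k4 = _lorenz(tuple(a + dt * b for a, b in zip(v, k3)))
    return tuple(a + dt / 6 * (b + 2 * c + 2 * d + e)
                 for a, b, c, d, e in zip(v, k1, k2, k3, k4))


def _low_mantissa_word(x):
    """The 32 least significant mantissa bits of a double: the bits that
    change fastest as nearby trajectories separate."""
    return struct.unpack("<Q", struct.pack("<d", x))[0] & 0xFFFFFFFF


def lorenz_words(start, count, dt=0.01, burn_in=5000):
    """Integrate from `start` (the secret starting point), drop `burn_in`
    steps, then emit `count` 32-bit words, one per step."""
    v = tuple(float(c) for c in start)
    for _ in range(burn_in):
        v = _rk4_step(v, dt)
    words = []
    for _ in range(count):
        v = _rk4_step(v, dt)
        words.append(_low_mantissa_word(v[0]))
    return words


def sensitivity(start, delta, count=16):
    """Number of emitted words that differ when the x coordinate of the
    starting point is perturbed by `delta`; the sequence is reproducible
    only from the exact floating-point starting values."""
    a = lorenz_words(start, count)
    b = lorenz_words((start[0] + delta, start[1], start[2]), count)
    return sum(p != q for p, q in zip(a, b))


if __name__ == "__main__":
    print(lorenz_words((1.0, 1.0, 1.0), 4))          # deterministic for this start
    print(sensitivity((1.0, 1.0, 1.0), 1e-9))        # a 1e-9 nudge changes the whole output
```

Two caveats a practitioner should keep in mind when such a generator seeds a cipher’s configuration: the sequence is a deterministic function of the starting values, so whatever key space the configuration count suggests, the secret actually in play is bounded by the entropy of those three doubles; and floating-point results can differ between compilers, libraries and CPUs, so the same starting point must reproduce bit-for-bit the same trajectory on both ends or the derived parameters will not match.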


To determine CuaimaCrypt’s security level, it is necessary to establish a comparative framework equivalent to that used for other encryption algorithms; since CuaimaCrypt’s operation is different, it is necessary to determine a key-length equivalence that includes the whole of CuaimaCrypt’s initialization process.


The equation that defines the number of possible combinations of CuaimaCrypt’s configuration is:


[Figure: CuaimaCrypt-Equation]


Where N is the number of blocks in the algorithm.


Number of Blocks N   CuaimaCrypt’s Configuration Combinations   Equivalent Key Bits Length
2                    3.6855×10^165                              550
4                    5.4648×10^324                              1078
6                    7.1220×10^484                              1610
9                    2.0384×10^726                              2412
16                   5.6466×10^1293                             4297
32                   2.0153×10^2603                             8647
64                   1.8187×10^5250                             17440
128                  8.2660×10^10600                            35215
256                  5.9661×10^21416                            71144
512                  4.2701×10^43278                            143768
1024                 4.6637×10^87463                            290548


To put this in perspective, the observable universe contains, by a gross underestimate, 1×10^29 stars according to astronomers’ estimates.
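The “Equivalent Key Bits Length” column is log2 of the combination count, and that is easy to verify without ever forming numbers of the size 10^87463: log2(m×10^e) = log2(m) + e·log2(10). The block below is an added check written for this edit, with the rows copied from the table above; since the mantissas are rounded to four digits, a stated value within one bit of the computed logarithm counts as consistent.

```python
"""Editor's check of the configuration-count table (added example)."""
import math

# (number of blocks, mantissa, decimal exponent, stated equivalent key bits), from the table
TABLE_ROWS = [
    (2, 3.6855, 165, 550),
    (4, 5.4648, 324, 1078),
    (6, 7.1220, 484, 1610),
    (9, 2.0384, 726, 2412),
    (16, 5.6466, 1293, 4297),
    (32, 2.0153, 2603, 8647),
    (64, 1.8187, 5250, 17440),
    (128, 8.2660, 10600, 35215),
    (256, 5.9661, 21416, 71144),
    (512, 4.2701, 43278, 143768),
    (1024, 4.6637, 87463, 290548),
]


def equivalent_key_bits(mantissa, exponent):
    """log2(mantissa * 10**exponent) computed from the parts, so the count
    never has to exist as a float (it would overflow for every row)."""
    return math.log2(mantissa) + exponent * math.log2(10)


def parse_scientific(text):
    """Parse the page's notation, e.g. '3.6855×10 ^ 165', into (mantissa, exponent)."""
    mantissa, exponent = text.replace(" ", "").split("×10^")
    return float(mantissa), int(exponent)


def check_table(rows=TABLE_ROWS, tolerance=1.0):
    """Return the block counts whose stated bit length is more than
    `tolerance` bits away from log2 of the combination count; an empty
    list means every row is consistent."""
    return [n for n, mant, exp, stated in rows
            if abs(equivalent_key_bits(mant, exp) - stated) > tolerance]


def bits_per_block(rows=TABLE_ROWS):
    """Equivalent key bits divided by the number of blocks for each row:
    a rough measure of how much the configuration space grows per block."""
    return [(n, round(stated / n, 1)) for n, _, _, stated in rows]


if __name__ == "__main__":
    print("inconsistent rows:", check_table())
    print(bits_per_block())
```

Running the check shows every row within one bit of log2 of its count, and the last function shows the equivalent key length growing at roughly 268 to 284 bits per block across the table, which is the useful way to read it: the exponent of the configuration count, not the count itself, is what scales with N.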


If we compare these values with known symmetric key algorithms, we can see:


  • AES: 256 bits

  • Blowfish: 448 bits

  • Serpent: 256 bits

  • Twofish: 256 bits

  • GOST: 256 bits

  • REDOC: 160 bits

  • IDEA: 128 bits

  • MMB: 128 bits

  • SAFER K-128: 128 bits

  • NewDES: 120 bits

  • 3-WAY: 96 bits

  • CRAB: 80 bits

  • SKIPJACK: 80 bits (classified algorithm by the NSA)

  • CAST: 64 bits

  • Madryga: 64 bits

  • FEAL: 64 bits

  • LOKI: 64 bits

  • SAFER K-64: 64 bits

  • DES: 56 bits

CuaimaCrypt is a mature algorithm, with 9 years in the market without any reported or known security failures in Valhala Networks’ implementations.


[Figure: CCLI-16B-10MB]

If you want to try a powerful implementation of the CuaimaCrypt algorithm for all platforms, please visit CuaimaCrypt Command Line (ccli) on Valhala Networks’ web site.







FBI Wants to Break the Apple

A federal judge ordered Apple to comply with the FBI’s request for technical assistance in recovering data from the San Bernardino gunman’s iPhone 5C.


In an open letter published on Apple’s website, Tim Cook publicly challenged the US government and the FBI, saying that what it is asking of the company fundamentally violates the privacy, security and trust of its customers.


White House spokesman Josh Earnest said the FBI’s request for access did not mean they were asking for a “back door” or unauthorized access into the company’s device, or for it to be redesigned: “They are simply asking for something that would have an impact on this one device”.



But based on my experience as a security developer, any tool like the one requested is like “The Lord of the Rings: One Ring to rule them all, One Ring to find them, One Ring to bring them all…”, because once a way to circumvent the security protocols has been created, it can be used on anyone who uses the same system and cannot be restricted to only one device, creating a back door in the product.


The FBI’s request is simple: they want to recover the keys stored in the iPhone, and this is the point. As a developer focused on security, when you create a secure system YOU CAN’T HOLD ANYTHING IN IT: every key or password must be created or introduced at run time by the user and securely deleted when the system shuts down.


This concept is known as User Controlled Encryption (UCE), and it is implemented in CuaimaCrypt, CCLI and any other system developed by Valhala Networks or BolivarTech; because of this, the developer cannot be forced by anyone, including a judge’s order, to reveal or recover a key, because it is unknown to him and recovering it is technically impossible.
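The design rule in the two paragraphs above, that a key is derived from what the user supplies at run time and is overwritten as soon as its use ends, looks like this in code. The block below is an added example using only the Python standard library; it is not CuaimaCrypt or CCLI code, and the scrypt cost parameters, the 16-byte salt and the use of an HMAC as the “work done with the key” are assumptions for the demonstration.

```python
"""Run-time key derivation with wiping on exit (added example)."""
import contextlib
import ctypes
import hashlib
import hmac


def wipe(buf):
    """Overwrite a bytearray in place and report whether it is now all zero.
    ctypes gives direct access to the buffer's memory; a plain reassignment
    would leave the old bytes for the allocator to reuse."""
    view = (ctypes.c_char * len(buf)).from_buffer(buf)
    ctypes.memset(ctypes.addressof(view), 0, len(buf))
    del view                      # release the buffer export before returning
    return not any(buf)


@contextlib.contextmanager
def runtime_key(passphrase, salt, length=32):
    """Derive a key from the user's passphrase with scrypt for the duration
    of the `with` block only. The salt is public and stored next to the
    data; the passphrase and the derived key are never written anywhere."""
    key = bytearray(hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1,
                                   dklen=length))
    try:
        yield key
    finally:
        wipe(key)                 # runs on normal exit and on exceptions


def protect(message, passphrase, salt):
    """Authenticate a message with a key that exists only inside the block
    (hmac accepts a bytearray key, so no copy of the key is made here)."""
    with runtime_key(passphrase, salt) as key:
        tag = hmac.new(key, message, "sha256").digest()
    return tag


def wiped_after_use(passphrase, salt):
    """Demonstrate the guarantee: even if a reference to the key buffer
    escapes the block (a careless caller), it holds only zeros afterwards."""
    with runtime_key(passphrase, salt) as key:
        leaked = key
        nonzero_inside = any(leaked)
    return nonzero_inside and not any(leaked)


if __name__ == "__main__":
    salt = b"0123456789abcdef"    # constructed fixed salt for the demo; use os.urandom(16) in practice
    print(protect(b"hello", b"correct horse", salt).hex())
    print("key wiped on exit:", wiped_after_use(b"correct horse", salt))
```

The shape to copy is the context manager: derivation and wiping are tied to one scope, so there is no code path on which the key outlives its use, and nothing persistent exists for a third party to hand over. Python can only promise this for the buffer it controls (the interpreter may hold transient copies), which is why the same pattern in C is written with `explicit_bzero` or `memset_s` rather than a plain `memset` the compiler may optimise away.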


From the other point of view, as human beings we want to enforce the law and solve and prevent crimes and terrorist acts, and I know that encryption can be an insurmountable barrier that can freeze a case; but we also need to weigh this against the Universal Declaration of Human Rights (Article 12): “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks”. And this is exactly the point: a tool like the one the FBI requested from Apple is impossible to confine to a single device and would open Pandora’s box against iPhone users’ privacy.


In this situation we need to keep in perspective how anti-cryptography laws have been pushed since the terrorist attacks in Paris.


For example, in California, State Representative Jim Cooper is touting a bill, AB1681, that would force mobile devices to ship with encryption off by default starting January 1, 2017. Any phone sold after that date would also have to be “capable of being decrypted and unlocked by its manufacturer or its operating system provider”, and for any smartphone not meeting these requirements the manufacturer would be fined $2,500 per offending device.


New York assemblyman Titone has reintroduced a bill, A8093, that aims to essentially disable strong encryption on all smartphones sold in the Empire State, because “Terrorists will use these encrypted devices” to plan attacks.


Among other restrictions, the proposed law states that “any smartphone that is manufactured on or after January 1, 2016 and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider.”, and for any smartphone not meeting these requirements the manufacturer would be fined $2,500 per offending device.


Yes, both bills are practically identical; only the date on which they would take effect differs.


The French Parliament is considering a legislative provision, the Digital Republic bill, that would ban strong encryption by requiring tech companies to configure their systems so that police and intelligence agencies could always access their data.


This French anti-encryption amendment is a response to the two deadly Paris terrorist attacks in 2015, despite the fact that the attackers repeatedly used unencrypted communications, by text message and phone call, with senior operatives elsewhere in Europe in the lead-up to the killings.


In the UK, the Investigatory Powers Bill will place in law a requirement for tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.


The Bill also says “… if it is shown that that person was in possession of a key to any protected information … that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.”, which means you could be sent to jail for refusing to give up encryption keys, regardless of whether you have them or not.


About this law, Apple says that while the new law might help British authorities fight terrorism, it will weaken the security of “hundreds of millions” of people who use Apple’s platform.


The real problem with this topic of security and encryption is that it falls on the fine line between national security and personal privacy; and as Spock says, “The needs of the many outweigh the needs of the few”, but the problem is who are the many and who are the few in this case.





