Friday, August 27, 2010

Hands-On Project 11-3 (Page 396)


Objective ad Verbatim:

“As an alternative to EFS, third party applications can also be downloaded to protect files with cryptography. In this project, you will download and install TrueCrypt.” (Ciampa, 2009)

Process:

1. The first step was to download TrueCrypt at truecrypt.org and install it.


2. Next, I opened up TrueCrypt and created a new volume.


3. I chose to create a simple encrypted file container. This option creates a file containing the encrypted drive information on your hard drive or removable material.


4. Then, I selected the ‘Standard TrueCrypt Volume’.


5. On the next page, I was directed to pick which encryption and hash algorithm I wanted. I stuck to the default settings.


6. Next, I set the volume size to 1 MB.


7. Then, I set up my password to access the encrypted volume.


8. On the Volume Format page, things got interesting. I was directed to wiggle my mouse about inside the window in a random fashion to generate the random pool, which increases the cryptographic strength of the encryption keys. After waving my mouse about for what seemed to be a sufficient time, I clicked Format.


9. It then informed me that the volume was created successfully.


10. Now, to access the Encrypted Volume I just created, I had to click Exit and return to the main page. Clicking on a random drive letter, I pressed Mount and entered in my volume password.


11. Following the instructions in the book, I created a Word document containing a considerable amount of text. I titled it Truecrypt Encrypted.docx.


12. Opening up My Computer, I checked that the encrypted drive was mounted and saved a duplicate of my TrueCrypt Encrypted.docx in the drive. First, I opened the file outside of the encrypted drive to get a rough estimate of how long an unencrypted file takes to open. Then, I opened the encrypted file. Oddly enough and contrary to intuition, there was not much difference between the two file reads.


Reflection:

I’ll cover the finer points and issues with privacy and encryption in another post to keep this post oriented towards what I perceive this exercise to represent.

From this hands-on project, TrueCrypt is demonstrated to be extremely easy to use while offering a rather high level of security in terms of cryptographic protection. More particularly, this gives casual computer users the same standard of protection available to large organisations such as banks, in a user-friendly package. The method of using a file as a container for the drive means that steganography can be employed to hide the drive in a field of innocent files. It also makes the volume easy to transport, i.e. simply by copying or cutting the file onto an external device.

Now if we explore the other features of TrueCrypt, we discover we can create a hidden container within a container. This drive-within-a-drive system works as follows: when a user inputs the password for the outer drive, TrueCrypt mounts the decoy (outer) drive. However, when the password for the hidden (inner) drive is used, TrueCrypt reveals the secret drive. This hidden drive is practically invisible when examined via forensics or when the password for the outer drive is supplied. This is particularly useful when a password is extracted from a user via rubber hose cryptanalysis or the user is required by law to supply one. The attacker will access the decoy drive and will merely view what the user wants the attacker to see. This protection is called ‘Plausible Deniability’.
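To make the decoy/hidden arrangement concrete, here is an added toy simulation written for this post; it is not TrueCrypt's code and does not use its on-disk format. The container is pre-filled with random bytes, the hidden volume sits inside the outer volume's free space, and mounting tries the outer header first and the hidden header second, exactly as described above. The stream cipher, header tags, sizes and round counts are all assumptions chosen for illustration (TrueCrypt itself uses a block cipher such as AES in XTS mode).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed toy layout; this is NOT TrueCrypt's on-disk format:
#   offset 0          : outer (decoy) volume header + data
#   offset OUTER_SIZE : hidden volume header + data, inside the outer volume's
#                       "free space"
# The whole container is pre-filled with random bytes, so a hidden region
# that holds a volume and one that holds nothing look the same from outside.
CONTAINER_SIZE = 4096
HIDDEN_SIZE = 1024
OUTER_SIZE = CONTAINER_SIZE - HIDDEN_SIZE
HEADER_LEN = 32
LEN_FIELD = 2
KDF_ROUNDS = 50_000  # illustration value; production tools use far more work
REGIONS = {b"outer": (0, OUTER_SIZE), b"hidden": (OUTER_SIZE, HIDDEN_SIZE)}


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow password-to-key derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Illustration only; TrueCrypt encrypts sectors with a block cipher in XTS mode."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(
        hmac.new(key, label + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def header_tag(key: bytes, label: bytes) -> bytes:
    """32 pseudorandom header bytes that only the matching key can recognise."""
    return hmac.new(key, b"volume-header:" + label, hashlib.sha256).digest()


class ToyContainer:
    """A container file with a decoy volume and, optionally, a hidden one."""

    def __init__(self, outer_password: str, hidden_password: Optional[str] = None):
        self.salt = os.urandom(16)
        self.raw = bytearray(os.urandom(CONTAINER_SIZE))
        self._format(outer_password, b"outer")
        if hidden_password is not None:
            self._format(hidden_password, b"hidden")

    def _format(self, password: str, label: bytes) -> None:
        offset, _ = REGIONS[label]
        key = derive_key(password, self.salt)
        self.raw[offset:offset + HEADER_LEN] = header_tag(key, label)

    def _locate(self, password: str):
        """Like TrueCrypt at mount time: derive the key, then try to recognise the
        outer header and, failing that, the hidden header. The container carries
        no flag saying whether a hidden volume exists at all."""
        key = derive_key(password, self.salt)
        for label, (offset, size) in REGIONS.items():
            stored = bytes(self.raw[offset:offset + HEADER_LEN])
            if hmac.compare_digest(stored, header_tag(key, label)):
                return label, key, offset, size
        raise ValueError("wrong password (or no such volume)")

    def write(self, password: str, data: bytes) -> None:
        label, key, offset, size = self._locate(password)
        capacity = size - HEADER_LEN - LEN_FIELD
        if len(data) > capacity:
            # In TrueCrypt the outer filesystem does not know the hidden volume is
            # there, so over-filling the outer volume silently destroys it; the
            # toy simply refuses instead.
            raise ValueError(f"{label.decode()} volume holds at most {capacity} bytes")
        payload = len(data).to_bytes(LEN_FIELD, "big") + data
        payload += os.urandom(capacity + LEN_FIELD - len(payload))  # hide real length
        start = offset + HEADER_LEN
        self.raw[start:offset + size] = keystream_xor(key, label, payload)

    def mount(self, password: str) -> Tuple[str, bytes]:
        """Return (volume name, plaintext) for whichever volume the password opens."""
        label, key, offset, size = self._locate(password)
        start = offset + HEADER_LEN
        plain = keystream_xor(key, label, bytes(self.raw[start:offset + size]))
        length = int.from_bytes(plain[:LEN_FIELD], "big")
        return label.decode(), plain[LEN_FIELD:LEN_FIELD + length]


if __name__ == "__main__":
    box = ToyContainer("decoy-pass", "real-pass")
    box.write("decoy-pass", b"holiday photos")
    box.write("real-pass", b"the files that matter")
    print(box.mount("decoy-pass"))   # ('outer', b'holiday photos')
    print(box.mount("real-pass"))    # ('hidden', b'the files that matter')
```

The refusal in `write` stands in for a real caveat: because the outer volume's filesystem sees the hidden region as free space, TrueCrypt only guards the hidden volume against being overwritten when the user mounts the outer volume with hidden-volume protection enabled (which requires supplying both passwords).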

Sine Cera,
Jeremy Heng.

"Quis custodiet ipsos custodes?"


Hands-On Project 11-1 (Page 394)


Objective ad Verbatim:

“In this project, you will download different hash generators to compare hash values.” (Ciampa, 2009)

Process:

1. I pointed my browser (Firefox) to md5deep.sourceforge.net to download MD5Deep, a utility program to generate the hash from a file.


2. After the download completed, I extracted the contents of the zip file to my desktop.


3. Next, I opened up my Word processor, typed in the sentence, “Now is the time for all good men to come to the aid of the country.” and saved the file as country1.docx.


4. I saved the sentence, “Now is the time for all good men to come to the aid of the country” (without the period), as country2.docx.


5. Tabbing to the desktop, I navigated to the MD5Deep folder.


6. Now, opening a command prompt and navigating to the MD5Deep folder, I generated the MD5 hash of the md5deep.txt file {md5deep md5deep.txt}. The program printed the MD5 hash on the next line.


7. Next, I used MD5Deep to generate the MD5 hashes of country1.docx and country2.docx to compare the differences between the two document files with slightly different contents {md5deep country1.docx country2.docx}.


8. Continuing on my bid to explore and compare the strengths and weaknesses of different hashing algorithms, I used SHA1 to generate hashes of country1.docx and country2.docx {sha1deep country1.docx country2.docx}.


9. Next, I used SHA256 to hash the two document files {sha256deep country1.docx country2.docx}.


10. Finally, I tested out the Whirlpool algorithm. It generated a considerably longer hash than the other algorithms tested {whirlpooldeep country1.docx country2.docx}.


Reflection:

It is necessary to clarify that the underlying premise of hashing is to maintain integrity. Now, hashing algorithms might not contain the same mathematical formulae or work the same way but there is one crucial attribute shared by all the hashing algorithms: the function used to generate the hash is _one-way_.

i.e. there is no way to derive the original plaintext from the checksum.

However, hashing algorithms are not foolproof. Collisions, for example, are a prevalent risk. This is especially so for hashing algorithms that generate hashes in a weak way or produce hashes that are too short. The shorter the length of the hash, the more collisions it might incur. This is the basic principle behind a birthday attack. The more prone to collisions a hashing algorithm is, the higher the probability of a random collision.

From the exercise done, we can see that (simply by observing the length of the hash) MD5 is the most prone to collisions while Whirlpool is the least prone. This may translate to increased security in terms of probability theory.
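As an added example (not part of the original post, and not the md5deep suite), the script below repeats the comparison from the Process section on the two sentences themselves and then puts numbers on the collision argument above: the birthday bound for a given digest length, and an actual collision search against SHA-256 truncated to 16 bits, which shows how quickly a short digest collides. The sentences are constructed as raw bytes here; the lab hashed .docx files, whose bytes differ by far more than one period. Whirlpool is left out because Python's hashlib does not guarantee it.

```python
import hashlib
import os
from math import pi, sqrt

# The two sentences from the exercise, constructed here as raw bytes.
COUNTRY1 = b"Now is the time for all good men to come to the aid of the country."
COUNTRY2 = b"Now is the time for all good men to come to the aid of the country"

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")  # all guaranteed by hashlib


def digests(data: bytes) -> dict:
    """Hex digest of data under each algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def birthday_bound(digest_bits: int) -> float:
    """Approximate number of random inputs needed for a 50 % chance that two
    of them collide: sqrt(pi/2 * 2**n) for an n-bit digest. Halving the
    digest length does far more than halve this number."""
    return sqrt(pi / 2 * 2 ** digest_bits)


def truncated_sha256(msg: bytes, bits: int) -> int:
    """SHA-256 of msg, keeping only the top `bits` bits (a deliberately short hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_truncated_collision(bits: int):
    """Hash random inputs with the truncated SHA-256 until two different inputs
    share a digest. Returns (attempts, input_a, input_b). With only 2**bits
    possible digests a collision is guaranteed within 2**bits + 1 distinct
    inputs and is expected after roughly birthday_bound(bits) of them."""
    seen = {}
    attempts = 0
    while True:
        attempts += 1
        msg = os.urandom(8)
        tag = truncated_sha256(msg, bits)
        if tag in seen and seen[tag] != msg:
            return attempts, seen[tag], msg
        seen[tag] = msg


if __name__ == "__main__":
    d1, d2 = digests(COUNTRY1), digests(COUNTRY2)
    for name in ALGORITHMS:
        print(f"{name:7} {d1[name]}")
        print(f"{'':7} {d2[name]}  "
              f"({bit_difference(d1[name], d2[name])} of {len(d1[name]) * 4} bits differ)")
    for bits in (16, 32, 128, 256):
        print(f"{bits:3}-bit digest: ~{birthday_bound(bits):.3g} inputs for a 50% collision chance")
    attempts, a, b = find_truncated_collision(16)
    print(f"16-bit truncated SHA-256 collided after {attempts} inputs: {a.hex()} vs {b.hex()}")
```

Removing one period flips roughly half the bits of every digest (the avalanche property), so digest comparison says nothing about how similar two inputs are; and the birthday figures show that a 128-bit digest such as MD5 has a collision bound near 2^64 inputs by length alone, before any of MD5's known structural weaknesses are taken into account.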

Sine Cera,
Jeremy Heng.

"Quis custodiet ipsos custodes?"


Hands-On Project 8-5 (Page 297)


Objective ad Verbatim:

“In this project, you use the OpenID account that you created in the previous project.” (Ciampa, 2009)

Process:

1. Now on to testing the OpenID. I pointed Firefox to LiveJournal’s page to login with an OpenID URL. To login (this being the first time), I simply input my PIP OpenID URL into the field provided and clicked ‘Login’.


2. On the first login with the OpenID, Verisign redirects you to a page to set when LiveJournal expires as a trusted site. On this page, you are presented with a few options pertaining to time or logic as to when the trusted site expires.


3. After setting the required options, Verisign directs you back to LiveJournal logged in to your account and authenticated.


4. Next, I pointed my browser to LifeWiki’s login page. After entering the OpenID URL into the Identity URL field, I clicked on ‘Login via OpenID’.


5. Opere citato, I am prompted by Verisign to set the trusted site expiry.


6. And as before, I am logged into the website.


Reflection:

What I personally glean from this exercise is the simplicity and elegance of using a single OpenID to manage web applications that provide potential value to the user (in terms of social networking and the broadcasting of information in this case).

However, using an OpenID runs the risk of the usual issues with Password Management Programs simply for the reason that it consolidates many accounts into one where only one instance of authentication is used (typically). Breaking the OpenID account password would grant access to a whole host of applications to a malicious user. A few possible methods to obtain OpenID access could include theft of cookies, malware or password cracking.

Sine Cera,
Jeremy Heng.

"Quis custodiet ipsos custodes?"


Hands-On Project 8-4 (Page 296)


Objective ad Verbatim:

“OpenID is a decentralized open source FIM that does not require specific software to be installed on the desktop. OpenID is a uniform resource locator (URL)-based identity system. In this project, you create and use an OpenID account.”

Process:

1. First, I pointed my browser to Verisign’s registration page (pip.verisignlabs.com) to sign up for an OpenID account. After entering in all the required information, I clicked ‘Create Account’.


2. The submit brought me to a confirmation page of the creation of my account giving me a multitude of options and my PIP URL.


3. From the page, ‘My Account’ allows you to personalize and update your personal details as well as add an avatar.


4. Now, to test out that the account is valid, I signed out and logged into the PIP.


5. Clicking on ‘My Information’ takes me to a summary of my profile where I can see and edit the information contained in the account.


Reflection:

This practical demonstrates how easy it is to obtain an OpenID to use with sites that support it.

Sine Cera,
Jeremy Heng.

"Quis custodiet ipsos custodes?"


Hands-On Project 8-1 (Page 294)


Objective ad Verbatim:

“Cognitive biometrics holds great promise for adding two-factor authentication without placing a tremendous burden on the user. In this project, you participate in a demonstration of Passfaces.” (Ciampa, 2009)

Process:

1. Firstly, I pointed my web browser (Firefox!) to passfaces.com/demo to access the online Passfaces demo.



2. The web application displays some instructions for enrolling an account in the Passfaces demo.



3. Passfaces then presented three faces to use as ‘Secret Passfaces’ that the user would recognize to enter an account.


4. It puts forth the faces individually so as to accustom the user to their Passfaces.


5. When all the faces have been shown, an array of faces of different ethnicity and structure is presented, containing one of the user’s Passfaces.


6. It continues on until the user is used to the practice login.


7. This brings us to the end of the demo.


Reflection:

This hands-on practical demonstrates the advantages and disadvantages of using cognitive biometrics to accompany or replace the traditional password/passphrase method of authentication. The premise for Passfaces employs the innate human ability to recognize faces and, in its essence, to detect the subtle differences in facial structure via a sensitive cognitive function.

From a radical point of view, this method of authentication would serve sufficiently for most people capable of sight. However, it does include drawbacks such as when a person suffering from face blindness or Prosopagnosia has to use Passfaces. The inability to recognize faces would render the whole facial recognition paradigm moot.

From a security risk point of view, an attacker attempting to crack the password simply by brute force paired with luck (due to the limited number of face pictures) could break into a user’s account. Also, a variety of methods could be used to monitor the user’s choices when logging in and so compromise the account, especially since the number of faces to remember has to be kept low enough for the user to remember them easily. With these concerns, a facial recognition system would probably work best paired with other forms of authentication in a multi-factor authentication system.

Sine Cera,
Jeremy Heng.

"Quis custodiet ipsos custodes?"


Hands-On Project 7-2 (Page 258)


Objective ad Verbatim:

“The drawback to using strong passwords is that they can be very difficult to remember, particularly when a unique password is used for each account that a user has. As an option there are several passwords storage programs that allow the user to enter account information such as username and password. These programs are themselves then protected by a single strong password. One example of such a password storage program is KeePass Password Safe, which is an open source product. In this project, you will download and install KeePass.” (Ciampa, 2009)

Process:

1. First, I downloaded the Classic Edition of the Portable KeePass 1.17 off the KeePass.info website.


2. I extracted the downloaded zip onto my desktop into a folder named ‘KeePass’.


3. Since WinRAR extracted to a folder on the desktop, I navigated to the folder and opened the KeePass program.


4. I created a new password database and was prompted to enter the Composite Master Key.


5. Next, I added a New Entry. Namely, the login information to HackThisSite.org.


6. I double clicked on the URL field to visit the HackThisSite login page.



7. Now, bringing up the KeePass window, I dragged and dropped the username and password information into the corresponding fields on the HackThisSite login page.


8. After clicking submit, the login worked, ending the demonstration of how to use KeePass to log into a website.
 

Reflection:

I personally believe that password management programs are a double-edged sword, with advantages and disadvantages in terms of convenience and security.

When password management programs are used to consolidate a multitude of passwords for various websites and applications, in a bid to keep passwords distinct should one account be compromised, they show their ability to provide a single, systematic way of managing many different passwords.

However, when using a local consolidated application to store passwords to everything protected with a single password, it could pose a security risk should this database of passwords be stolen and the master password be cracked.

This ultimately brings us to the necessity of using a strong secure password.
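The following added example (my own illustration, not KeePass code) shows the two things that decide how a stolen database holds up: the master password is combined with an optional key file into a composite key, and that key is run through a deliberately slow transformation before it can unlock anything, so every guess the attacker makes pays the same cost. The construction is modelled loosely on the Composite Master Key prompt seen in step 4; PBKDF2-HMAC-SHA256 is used as a stand-in for KeePass's own AES-based key transform, and the round count, guess rate and alphabet sizes are assumed values for the estimate.

```python
import hashlib
import os
from math import log2

# Loosely modelled on KeePass's "Composite Master Key": the master password and
# an optional key file are each hashed, combined, and then pushed through a
# deliberately slow key transformation before the database key is available.
# PBKDF2-HMAC-SHA256 stands in for KeePass's own AES-based rounds (assumption).

TRANSFORM_ROUNDS = 200_000  # assumed value; raise until unlocking takes ~1 s


def composite_key(password: str, key_file: bytes = b"") -> bytes:
    """Combine the password hash with the key-file hash (if any) into 32 bytes.
    A key file is a second factor: the password alone no longer reproduces the key."""
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, salt: bytes, rounds: int = TRANSFORM_ROUNDS) -> bytes:
    """Slow transformation; the salt is stored in the clear beside the database."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, rounds: int, hashes_per_second: float) -> float:
    """Expected offline guessing time once the database file has been stolen:
    on average half the key space is searched, and each guess costs `rounds`
    hash computations."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * rounds / hashes_per_second


if __name__ == "__main__":
    salt = os.urandom(16)
    k_pw = transform_key(composite_key("correct horse battery"), salt)
    k_pw_file = transform_key(composite_key("correct horse battery", b"constructed key file"), salt)
    print("password only   :", k_pw.hex()[:16], "...")
    print("password+keyfile:", k_pw_file.hex()[:16], "...")
    # Assumed attacker speed: 1e9 SHA-256 operations per second.
    for length in (8, 12, 16):
        bits = password_entropy_bits(length, 62)  # upper/lower case + digits
        fast = expected_crack_seconds(bits, 1, 1e9)
        slow = expected_crack_seconds(bits, TRANSFORM_ROUNDS, 1e9)
        print(f"{length} random alphanumerics ({bits:.1f} bits): "
              f"{fast / 86400:.3g} days unhardened, "
              f"{slow / 86400:.3g} days with {TRANSFORM_ROUNDS} rounds")
```

The estimate is the point of the reflection in numbers: the transformation rounds multiply the attacker's cost but also the user's, while every extra bit of password entropy doubles the attacker's cost for free, which is why the strong master password remains the necessity.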

Sine Cera,
Jeremy Heng.

"Quis custodiet ipsos custodes?"
