06 April 2012

Dissapearing Cryptography

The problem with cryptography books is that either require a degree in mathematics to understand them, or stay in a series of algorithmic recipes for programmers. Finding a work like this book, who knows how to please both those who seek a solid theoretical basis as those seeking a more practical approach is extremely difficult.

Author has managed to structure a book in layers that allow a progressive approach to the subject without having to delve into the arcane details to complete the work with a clear vision of the foundations of cryptography to hide or steganography .Thus, each chapter begins with an overview of the subject matter going after gradually in mathematics. The reader can skip this part at any time to go to mathematical algorithms describing the possible forms of practical benefit to all this. It is so educational and affordable, that even without prior knowledge of steganography, a reader with some agility in a programming languages can do his own data hiding tools after finishing the book.

It is also quite extensive, playing a wide range of information hiding techniques. For example, it has an extremely interesting chapter on steganography using grammars and tree-structured code so that seemingly innocuous texts contain hidden messages completely different. The example used after an alleged sports broadcasting is very revealing ... Of course, it is also the techniques (most popular), hiding in images and sounds coming well in advanced materials, such as manipulation of the coefficients of the FFT to hide information in image compression format, or different techniques for watermarking resistant to suppression or manipulation. It touchs other topics that may not come under the heading of steganography from the orthodox view, but certainly interesting for anyone studying the subject. This is the anonymity of email services, or browsing through remailers and anonymous networks respectively.

Annexes deserve special mention because in them the author delves into the practical side of book.  In one of them offers a practical example in Java of some of the issues.  In other uses LISP to illustrate the chapter of steganography over grammars.  And in another place an intensive review of steganographic tools available online, as well as to deepen the available literature on the subject. 

In short, a highly recommended book for both experts and cryptography and steganography as for those looking to start in this discipline.

05 March 2012

Chryptographic filesystems

At this point it is redundant to explain the reasons for using cryptographic techniques. Throughout history we have seen many examples which are summarized in the premise that someone wants to keep secret something that another would like to know.

At the time that computers and mass storage devices began to be "transportable" came immediately the need to find mechanisms to protect the information contained in these devices on the road. Imagine the damage that a public agency or a large company could suffer if one of their employees have his work laptop stealt at a gas station or an airport. Therefore, it was needed to find an environment that ensured the confidentiality of the information of the portable devices in a comfortable way that do not penalize their use.

On the other hand, it exists the possibility that the owner of the data suffers pressure to decrypt the data with its key. Imagine if an employee who works on military bussines or a political dissident is tortured or interrogated to find out how to enter his laptop to get a nes future fighter blueprints or opinion pieces that could lead him to a firing squad. In such cases it is very useful that mechanisms exist to provide deniability of information. These mechanisms would help deciphering "lure" files of little importance or even outright false which would mislead the interrogators, who would have no way of knowing if that is the whole information encrypted or if instead there is more. 
To address these problems the military has been developing long ciphers able to protect data in case of mass storage devices fall into enemy hands.

At civil level, one of the earliest examples is found in the file system StegFS. This file system allows not only encrypt confidential data but apply steganographic methods that gives deniability of that information. StegFS development is stopped and is not currently recommended for use in modern infrastructure (in fact only supports kernels 2.2.x branch), however their website has several papers, highly recommended reading, explaining the theoretical of such mechanisms.

Another option, the other in constant development and has come to pick up the baton from the previous system, is TrueCrypt . This tool is cross-platform (runs on Windows, Mac and Linux) and allows you to create encrypted virtual disks that can be mounted as standard units of the system, performing the encryption-decryption in real time (on-the-fly), so that operation on encrypted files is completely transparent to the user. When removing these virtual disks TrueCrypt encrypts data in a single file so there is no way for an attacker to know how many encrypted files are inside the main one. For all this the user uses a password of his invention and one of the symmetric encryption algorithms offered by the tool, such as AES-256, Serpent or Twofish, among others.

The usefulness of this tool is obvious, since we can encrypt personal data that we have in our USB memory (for example, our certificate of the FNMT, lists of passwords, network maps or personal photos) or even an entire partition, including boot, as TrueCrypt allows for authentication during startup, so that if any steals the laptop will be virtually impossible to him to extract any information from the hard drive.

TrueCrypt provides two levels of deniability. To begin with: without the decryption key, encrypted TrueCrypt volumes are indistinguishable from any other type of binary data files. Files containing encrypted TrueCrypt volumes lack any type of signature that identifies them as such. This makes it easy to hide it by changing its extension such as. Iso,. Raw,. Img or what comes to mind ... to TrueCrypt will not be affected by extension because when mounting the volume Truecrypt accepts anyone. The second level of deniability corresponds to hidden volumes that consists in an encrypted volume inside another so that the user has two passwords: one that opens the main encrypted volume, which will have decoy files, and other that opens a secondary encripted volume (the one in the main) with the really important files. The TrueCrypt developers say there is no way to tell if an encrypted volume contains another hidden. 
Besides the above, Truecrypt is really easy to use by relying on a truly intuitive windows interface. To make things better the documentation of its website is very well organized and is very educational explaining in a clear and easily way the fundamentals of the functionality offered by the tool.

With this, there is no excuse for not wearing our data safely on our portable devices, completely safe from leaks because of theft or espionage.