Channel: LibreCryptography
Importance of OpenSSL (pt. 2)
Since OpenSSL is the default implementation for most operating systems, out of the box, developers must remain cognizant of its capabilities at various junctures in order to maintain compatibility (i.e., allow users to actually use whatever app / service / program that they're developing).
Below is a Miniature 'Cheat Sheet' For OpenSSL (to be run on the command line ; if you're unsure about how to do this, consider joining @librecodes) [when we provide the example commands to run in the terminal to provide certain information, we wrap them in apostrophes '' ; if you are going to run these commands, make sure to remove the apostrophes!!!]
1. Command that you run to see which version of OpenSSL is installed on Your OS:
'openssl version -a' ; this will generate a bunch of output, but the most relevant bit (for checking versioning) is the very first part of said output
2. Command to List All Packaged Cipher Algorithms Included in Your Version of OpenSSL:
'openssl list -cipher-algorithms'
3. Command to List All ECC Curves Packaged With Your Version of OpenSSL:
'openssl ecparam -list_curves'
4. OpenSSL Command to List All Digest Algorithms:
'openssl list -digest-algorithms'
5. OpenSSL Command to List All Digest Commands (yes, different than the algorithms with a wholly different list provided):
'openssl list -digest-commands'
6. OpenSSL Command to List All Cipher Algorithms:
'openssl list -cipher-algorithms'
Other useful command parameters built into OpenSSL are (must be run with an argument of some sort, obviously):
1. 'prime' = for computing prime numbers
2. 'rand' = generating pseudo-random bytes
3. 's_client' = fed to openssl as a command with appended arguments (most popular = 'connect' flag [-connect]) that can be run against domain names or IP names (with an accompanying port) for opsec / osint / sysadmin / pentesting / simple intel or 'for-fun' purposes. Highly useful & built into the s_client
4. 'x509' = Command must be run for various CA operations (whether for a self-signed cert or otherwise)
All of the above information was extracted from OpenSSL's online man pages, found here = https://wiki.openssl.org/index.php/Command_Line_Utilities
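The compatibility point made above (knowing what the installed OpenSSL can do before you ship a config that depends on it) is easier to act on if the output of these commands is parsed rather than eyeballed. The script below is an added example written for this write-up, not OpenSSL project code: it reads the first line of 'openssl version -a' and the listing from 'openssl list -cipher-algorithms', then answers the questions a deployment actually cares about (TLS 1.3-capable build, AES-256-GCM and ChaCha20-Poly1305 present, legacy ciphers still exposed). The two SAMPLE_* strings are constructed stand-ins for real output; live_report() runs the real commands only if an openssl binary is on PATH.

```python
"""Turn the output of two cheat-sheet commands, 'openssl version -a' and
'openssl list -cipher-algorithms', into a compatibility check.
Added example for this write-up; not OpenSSL project code.  The two
SAMPLE_* strings are constructed stand-ins for real command output."""
import re
import subprocess
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of 'openssl version -a' (only the first line carries the version).
SAMPLE_VERSION_OUTPUT = """OpenSSL 1.1.1k  25 Mar 2021
built on: Thu Mar 25 16:37:23 2021 UTC
platform: linux-x86_64
"""

# Constructed excerpt of 'openssl list -cipher-algorithms'.  Real output is far longer
# and mixes plain names with 'ALIAS => TARGET' lines, so both forms appear here.
SAMPLE_CIPHER_OUTPUT = """AES-128-CBC
AES-128-GCM
AES-256-GCM
AES256 => AES-256-CBC
ChaCha20-Poly1305
DES-EDE3-CBC
RC4
"""


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # pre-3.0 patch letter, e.g. the "k" in 1.1.1k (empty on 3.x)


_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.MULTILINE)


def parse_version(output: str) -> OpenSSLVersion:
    """Extract the version from 'openssl version -a' output (raises on LibreSSL etc.)."""
    m = _VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'OpenSSL x.y.z' line found in output")
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def at_least(v: OpenSSLVersion, minimum: Tuple[int, int, int]) -> bool:
    """True when v is the given release or newer (patch letters do not matter here)."""
    return (v.major, v.minor, v.patch) >= minimum


def parse_cipher_listing(output: str) -> Dict[str, str]:
    """Map each lower-cased name (aliases included) to the canonical algorithm name."""
    names: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=>" in line:
            alias, target = (part.strip() for part in line.split("=>", 1))
            names[alias.lower()] = target
        else:
            names[line.lower()] = line
    return names


def cipher_available(name: str, listing: Dict[str, str]) -> bool:
    return name.lower() in listing


# Ciphers a hardened deployment should not rely on even if the build still exposes them.
_LEGACY_RE = re.compile(r"^(rc2|rc4|des|desx|des-ede3)(-|$)", re.IGNORECASE)


def legacy_ciphers(listing: Dict[str, str]) -> List[str]:
    """Canonical names of legacy ciphers the build still offers (deduplicated, sorted)."""
    return sorted({canon for canon in listing.values() if _LEGACY_RE.match(canon)})


def compatibility_report(version_output: str, cipher_output: str) -> dict:
    v = parse_version(version_output)
    listing = parse_cipher_listing(cipher_output)
    return {
        "version": f"{v.major}.{v.minor}.{v.patch}{v.letter}",
        "tls13_capable": at_least(v, (1, 1, 1)),  # TLS 1.3 support arrived in 1.1.1
        "aes_256_gcm": cipher_available("AES-256-GCM", listing),
        "chacha20_poly1305": cipher_available("ChaCha20-Poly1305", listing),
        "legacy_ciphers": legacy_ciphers(listing),
    }


def live_report() -> Optional[dict]:
    """Run the real commands when an 'openssl' binary is on PATH; None otherwise."""
    try:
        ver = subprocess.run(["openssl", "version", "-a"],
                             capture_output=True, text=True, check=True).stdout
        ciphers = subprocess.run(["openssl", "list", "-cipher-algorithms"],
                                 capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return compatibility_report(ver, ciphers)


if __name__ == "__main__":
    print("sample:", compatibility_report(SAMPLE_VERSION_OUTPUT, SAMPLE_CIPHER_OUTPUT))
    print("this host:", live_report())
```

The alias handling matters in practice: a config that names 'AES256' works because OpenSSL resolves it to AES-256-CBC, and a check that only looks for canonical names would wrongly report it missing. The legacy list is deliberately a small, explicit pattern rather than an attempt to grade every algorithm; extend it to whatever your own policy forbids.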
Jumble Password [Tool]
A tool (npm-based) with one simple purpose: Provide randomly generated passwords
source code (github repo) found here: https://github.com/theIYD/jumble-password
'8gWifi': Site with Some Good Cryptography Tools on it
Here's the link = https://8gwifi.org/docs/ ; nothing mind blowing, but seems to be pretty useful if you need a reference point for some functions or ... whatever else you may be using these operations for.
Chef Crypto (hosted by us)
url = https://chefcrypto.librehash.com
If you're familiar with GCHQ (who isn't?), then you're probably aware of the cryptography-based suite that they released to the public a little while ago.
It's called 'Crypto Chef'.
It's a cool little html / js "crypto chef" platform that provides a GUI for a slew of operations.
*Example*
Suppose you wanted to hash some input using Shake256. Then encrypt that output using AES256, GCM mode (just throwing out something random here) - you can do that on this site.
Goes w/o saying that the results generated from any operations performed on the site should not be used in a production setting. The link to GCHQ's GitHub page is provided at the URL itself & the code (as we have it deployed) is unaltered.
We'd like to start working on getting some subresource integrities together in the near future though + some pre-setup 'recipes' that users can throw in to this webapp to get a better 'visual' for how various cryptographic operations are performed.
Enjoy.
EC-384 Certificates? Maybe? Yes? No?
Here's an entry on Namecheap's website regarding supposed ec-384 certificates users can purchase
https://www.namecheap.com/support/knowledgebase/article.aspx/9504/38/how-do-i-get-an-ecc-certificate-via-namecheap
This is being shared here because most of us in this world have chosen to go the financially fiscal route for obtaining + deploying certificates (LetsEncrypt).
Unfortunately, 'LetsEncrypt' still uses an intermediate C.A. that signs keys with an RSA private key (its 4096-bit, so not a major security drawback).
Obviously with ECC being all the rage (despite people wishing Edwards' Curves were), there's been a major shift in the industry over the past few years to begin adopting ECC-standards in cryptography based products.
Unable to Locate the EC-Strength Certificates
Namecheap claims that these certificates are provided for by Comodo, but we were unable to find them on their site (namecheap) or via Comodo's site either.
Admittedly, we didn't dig incredibly hard for them, but we'll try to remember to follow up on this and ask their sales reps about this.
The world of 'paid' for certificates is super gimmicky & commercialized (and this feels like something that shouldn't be...for some reason), but hey — it's the best 'trust' system that we have at our disposal for right now.
Wildfly Elytron (the s2s / c2s package of your dreams)
Wildfly’s Elytron software is fantastic.
Here is a link to the software’s specs = https://docs.wildfly.org/17/WildFly_Elytron_Security.html#sasl-authentication (page is on SASL authentication because that’s what we’ve been spending the most time on over the past few days)
The idea is this:
1. Beginning with a classic user management situation (for some service / access controlled resources)
2. Using LDAP for user management. More specifically, OpenLDAP.
3. Argon2ID as the password mechanism (stick with me - I’m aware of what the RFCs say about SCRAM - we’re not going to go out of standard here)
If you’re not familiar with SCRAM authentication, then you should look here: https://en.m.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism
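Because the post leans on SCRAM and then proposes swapping its KDF for Argon2id, it helps to see the standard exchange written out end to end. What follows is an added example written for this write-up, not Wildfly Elytron or OpenLDAP code: both sides of SCRAM-SHA-256 (RFC 5802 / RFC 7677), with a plain dict standing in for the OpenLDAP directory. The only non-constructed input is the RFC 7677 section 3 test vector, used to confirm the messages match what a real client or server would produce. The kdf parameter marks the spot where an Argon2id function would replace PBKDF2; that function is not provided, since it is the post's idea rather than anything in the RFC.

```python
"""SCRAM-SHA-256 (RFC 5802 / RFC 7677) run end to end, both sides of the exchange.
Added example for this write-up; not Wildfly Elytron or OpenLDAP code.  The KDF is a
parameter so the point where the post's Argon2id idea would replace PBKDF2 is visible;
the code itself stays on the standard."""
import base64, hashlib, hmac, os, secrets
from typing import Callable, Dict, NamedTuple, Optional

# (password, salt, iterations) -> SaltedPassword.  RFC 7677 fixes this as PBKDF2-HMAC-SHA-256;
# an Argon2id variant as in the post would be a different function passed here (hypothetical).
KDF = Callable[[bytes, bytes, int], bytes]

def pbkdf2_sha256(pw: bytes, salt: bytes, iters: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iters)

def _hmac(key: bytes, msg: bytes) -> bytes: return hmac.new(key, msg, hashlib.sha256).digest()
def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def _b64(b: bytes) -> str: return base64.b64encode(b).decode()
def _attrs(msg: str) -> Dict[str, str]:  # 'k=v,k=v'; values may contain '=' (base64 padding)
    return dict(kv.split("=", 1) for kv in msg.split(","))

class StoredCredential(NamedTuple):
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey): a stolen copy cannot be replayed as a client proof
    server_key: bytes  # HMAC(SaltedPassword, "Server Key"): lets the server prove itself

def enroll(password: str, iterations: int = 4096, kdf: KDF = pbkdf2_sha256,
           salt: Optional[bytes] = None) -> StoredCredential:
    """What the directory (OpenLDAP in the post) keeps; the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    salted = kdf(password.encode(), salt, iterations)
    stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
    return StoredCredential(salt, iterations, stored_key, _hmac(salted, b"Server Key"))

class Client:
    def __init__(self, user: str, password: str, kdf: KDF = pbkdf2_sha256, nonce: Optional[str] = None):
        self.password, self.kdf = password, kdf
        self.nonce = nonce or secrets.token_urlsafe(18)
        self.first_bare = f"n={user},r={self.nonce}"

    def client_first(self) -> str:
        return "n,," + self.first_bare  # "n,," = GS2 header: no channel binding

    def client_final(self, server_first: str) -> str:
        a = _attrs(server_first)
        if not a["r"].startswith(self.nonce):
            raise ValueError("server nonce does not extend ours")
        salted = self.kdf(self.password.encode(), base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c={_b64(b'n,,')},r={a['r']}"
        auth_message = f"{self.first_bare},{server_first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(hashlib.sha256(client_key).digest(), auth_message))
        self.expected_server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={_b64(proof)}"

    def verify_server_final(self, server_final: str) -> bool:  # mutual auth: server must hold ServerKey
        return hmac.compare_digest(base64.b64decode(_attrs(server_final)["v"]), self.expected_server_sig)

class Server:
    def __init__(self, directory: Dict[str, StoredCredential], nonce: Optional[str] = None):
        self.directory, self.server_nonce = directory, nonce or secrets.token_urlsafe(18)

    def server_first(self, client_first: str) -> str:
        self.client_first_bare = client_first.split(",", 2)[2]  # strip the GS2 header
        a = _attrs(self.client_first_bare)
        self.cred, self.combined = self.directory[a["n"]], a["r"] + self.server_nonce
        self.server_first_msg = f"r={self.combined},s={_b64(self.cred.salt)},i={self.cred.iterations}"
        return self.server_first_msg

    def server_final(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self.combined:
            raise ValueError("nonce mismatch (replayed or spliced client-final)")
        auth_message = f"{self.client_first_bare},{self.server_first_msg},{without_proof}".encode()
        client_key = _xor(base64.b64decode(proof_b64), _hmac(self.cred.stored_key, auth_message))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.cred.stored_key):
            raise PermissionError("authentication failed")
        return "v=" + _b64(_hmac(self.cred.server_key, auth_message))

def authenticate(user: str, password: str, directory: Dict[str, StoredCredential]) -> bool:
    """Run the four-message exchange; True only when both sides verify each other."""
    client, server = Client(user, password), Server(directory)
    try:
        server_first = server.server_first(client.client_first())
        server_final = server.server_final(client.client_final(server_first))
    except (KeyError, PermissionError, ValueError):
        return False
    return client.verify_server_final(server_final)

# RFC 7677 section 3 test vector, used as an interoperability check.
RFC7677_SALT_B64, RFC7677_CNONCE = "W22ZaJ0SNY7soEsUEjb6gQ==", "rOprNGfwEbeRWgbNEkqO"
RFC7677_SNONCE = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
RFC7677_CLIENT_FINAL = ("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                        "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=")
RFC7677_SERVER_FINAL = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="

def matches_rfc7677_vector() -> bool:
    cred = enroll("pencil", 4096, salt=base64.b64decode(RFC7677_SALT_B64))
    client, server = Client("user", "pencil", nonce=RFC7677_CNONCE), Server({"user": cred}, nonce=RFC7677_SNONCE)
    client_final = client.client_final(server.server_first(client.client_first()))
    return client_final == RFC7677_CLIENT_FINAL and server.server_final(client_final) == RFC7677_SERVER_FINAL

if __name__ == "__main__":
    users = {"alice": enroll("correct horse battery staple")}  # constructed directory entry
    print(authenticate("alice", "correct horse battery staple", users),
          authenticate("alice", "wrong", users), matches_rfc7677_vector())
```

Two things worth noticing. The directory holds StoredKey and ServerKey, never the password or SaltedPassword, so a dumped directory gives an attacker neither a usable client proof nor the ability to impersonate the server without a dictionary attack on the KDF; the KDF's cost is what that dictionary attack pays for, which is exactly the lever the Argon2id idea pulls on. And because the client runs the same KDF, replacing it is a protocol change, not a server-side tweak: every SCRAM-SHA-256 client in the wild would stop interoperating, which is the standards point the post is alluding to.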
Curious About the Security Measures That Librehash Deploys?
This light wiki on cryptography-based security enhancing measures is a fairly solid round up of the various schemes that we have in place (give or take a few) = https://doubleoctopus.com/security-wiki/
These measures have been deployed for the purposes of:
A) Data
B) User credentials
C) Authenticating directly with any of the services (servers) that we provide
D) Ensuring that communications are kept secure
E) Providing some means of formulated resistance against would-be attackers and malware (as well as a means of detecting such - although this falls a bit more under the 'malware' section if there ever was one)
Skein
1. More than likely the most secure hash function on planet earth.
2. Skein-1024 is integrated with 'Threefish' (with a threefish bit strength that matches that of the Skein implementation) ; 1024 = 1024 (ratio perfect)
2a. Addressing the concerns regarding Threefish and the alleged attacks that were found on several of its rounds (response from one of the co-authors of Threefish [as well as Skein] = https://crypto.stackexchange.com/questions/11725/has-threefish-successfully-been-attacked-practically-or-theoretically/11727)
2b. Attack in question was mentioned in this paper (published by the team) = http://www.skein-hash.info/sites/default/files/skein1.3.pdf
^^^ SHA-3 finalist (but Keccak was the hash function that won out ; Ethereum is using Keccak as well, but not the same iteration as what was submitted to the NIST)
3. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf [exponentially more secure than the original Threefish - seems that there are *very few individuals out there right now that even know that this exists*] <— that's interesting, going to have to do more homework on this
—-
Is it possible to draw from an implementation of Skein-1024 that utilizes Threefish (1024) McOE mode?
Link that attests to the fact that Skein-1024 is the equivalent of 2^452
Anti-Cryptography Bill = https://www.judiciary.senate.gov/press/rep/releases/graham-cotton-blackburn-introduce-balanced-solution-to-bolster-national-security-end-use-of-warrant-proof-encryption-that-shields-criminal-activity
Perhaps one of the most nonsensical bills that I've seen in a long, long time.
Produced by three senators that don't appear to understand the concept of encryption on any meaningful level (and that's being said with all due respect).
Only Hardware Wallet For Blockchain That's Probably Worth Considering = https://www.thalesgroup.com/en/markets/digital-identity-and-security/press-release/gemalto-and-ledger-join-forces-to-provide--security-infrastructure-for-cryptocurrency-based-activities-
Reasons
1. Produced / Manufactured by Thales ; a company with a far-reaching reputation in the cyber security and cryptography space (you're getting top of the line when you're dealing with these guys)
2. They don't tiptoe around the concept of an HSM in hopes that unsophisticated customers will merely look at the raw dollar value of funds that need to be protected without delving deeper into the world of cryptographic key protection (which is really what this is ; and there is a thriving ecosystem in the corporate / enterprise environment for HSM software + devices that can be leveraged by competent dev teams to ensure that funds aren't being raided by 17 year old hackers a la Twitter)
Overall, this is still probably overkill in the grand scheme though. I think that a sufficient means of securing one's keys (hence, their crypto funds) can be derived from resources that are available online.
Fortunately, we at Librehash have taken it upon ourselves to derive such a solution for this very in-demand task (which is needed in all honesty ; especially when considering that the so-called hardware wallet companies are failing to remain secure)
Stumbled upon this post from the LibreSwan team detailing that IPSec is essentially impossible on Amazon's Web Servers (regardless of how they are tweaked or configured).
More concerning though is the fact that general tests to check connectivity provided a false positive
https://libreswan.org/wiki/Interoperability
End-to-end Encryption Guide by Matrix = https://matrix.org/docs/guides/end-to-end-encryption-implementation-guide
Library that they use = 'libolm'
Specs for Megolm Encryption Ratchet = https://matrix.org/docs/spec/client_server/r0.4.0#m-megolm-v1-aes-sha2
Specs for Olm Encryption Ratchet = https://matrix.org/docs/spec/client_server/r0.4.0#m-olm-v1-curve25519-aes-sha2
Few More Informative Links About Various Topics in Cryptography
1. https://hcis-journal.springeropen.com/articles/10.1186/s13673-019-0193-6 (research paper detailing PKE ; an alternative to the McEliece + other code-based / lattice cryptographic signatures)
2. Phenomenal Presentation That Explains Picnic (PQ Algo) = https://asiacrypt.iacr.org/2018/files/SLIDES/TUESDAY/Z411/post%20quantum%20signatures%20-%20asiacrypt18v2.pdf
3. Efficient FPGA Implementations of LowMC and Picnic = https://eprint.iacr.org/2019/1368.pdf
4. Performance Evaluation of Round 2 Submissions for the NIST Post-Quantum Cryptography Project = https://digitalcommons.wpi.edu/cgi/viewcontent.cgi?article=8471&context=mqp-all
5. "server.passdb.ovpn" (from the post-quantum forked OpenVPN Repo) = https://github.com/microsoft/PQCrypto-VPN/blob/master/openvpn/config/server-passdb.ovpn
6.