Archive for the ‘security and cryptography’ Category

Fourmilab and Java+Hotbits+TLS

Friday, March 20th, 2009

In paranoid cryptographic applications, I use John Walker’s HotBits, a free service which generates genuine random data based on radioactive decay. It generates ½ bits per sample, using radiation generated from Cæsium-137 beta decay:

Cæsium‐137 decay reaction

The service stores the generated data in a buffer; when it serves a request, it pops the data and transmits it.
I trust HotBits over other solutions such as random.org because their entropy seems more reliable and because they provide a TLS‐secured request page. I am also naturally less suspicious of providers of cool free services and open source software, providers of science fiction stories, and anything whose name means “ant lab” in French.
I built upon Fourmilab’s randomX Java encryption package in my class SecureRandomHotBits, which accesses the TLS‐secured HotBits for enhanced security. My code does not extend randomX’s randomHotBits but easily can; add extends randomHotBits to the class declaration to extend randomX functionality.

Tags: , , , , , , ,
Posted in other science, security and cryptography | No Comments »

Friends‐to‐Friends‐Only is Not a Phish

Tuesday, December 2nd, 2008

Several people I know received Wall posts on their Facebook profiles recently with text akin to “your profile picture is all over mdannic.com”. So I did what any normal user would do: I visited the site and tried to determine whether it was a phish. It’s certainly not legitimate, but I doubt it’s a phish—it looks more like a prank. Here is a transcription of its interactions with my client (Fedora 10; i686; en-US; Firefox 3.0.2):

  1. The Javascript requests a file; the server returns a 404. This happens four times for http://rotating-destination.com/newpoproutine/*: dhtmlwindow.css, dhtmlwindow.js, modal.css, modal.js.
    http://rotating-destination.com/newpoproutine/dhtmlwindow.js

    GET /newpoproutine/dhtmlwindow.css HTTP/1.1
    HTTP/1.x 404 Not Found

  2. My client GETs data from http://friends-to-friends-only.com/.

    GET / HTTP/1.1
    Host: friends-to-friends-only.com
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008102718 Fedora/3.0.2-1.fc10 Firefox/3.0.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive

    HTTP/1.x 200 OK
    Date: Thu, 13 Nov 2008 19:06:17 GMT
    Server: Apache/2.2.3 (CentOS)
    Cneonction: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=ISO-8859-1

    I will omit my client’s request (excepting the first line) after this—just know that it’s the same.

  3. Step one’s Javascript–404 interactions repeat.

  4. thawte.com supplies an OCSP request after POSTing the data I submitted in the HTML form.

    Content-Length: 115
    Content-Type: application/ocsp-request

    In the following line, control characters are replaced by parenthesized Unicode identifiers to ensure proper rendering.

    0q0o0M0K0I0 (U+6)(U+5)+(U+E)(U+3)(U+2)(U+1A)(U+5)
    HTTP/1.x 200 Ok
    Last-Modified: Tue, 11 Nov 2008 08:11:51 GMT
    Expires: Tue, 18 Nov 2008 08:11:51 GMT
    Content-Type: application/ocsp-response
    Content-Transfer-Encoding: binary
    Content-Length: 1480
    Cache-Control: max-age=604800, public, no-transform, must-revalidate
    Date: Thu, 13 Nov 2008 19:09:02 GMT
    Connection: close

  5. My client interacts with Google Safebrowsing. I will omit those interactions for brevity and anti-clutter purposes. (My headers contain them.)

  6. My client GETs 4549 bytes of HTML. If I remember correctly, this included a Javascript popup warning box.

    GET /taf/page2.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans&email=none&category1=lauras&confirmation=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&error_page=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&ref=000&getpostdata=get HTTP/1.1
    Host: www.this-isnt-personal.com
    Referer: http://rotating-destination.com/taf/taf.html

    HTTP/1.x 200 OK
    Date: Thu, 13 Nov 2008 18:54:37 GMT
    Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.7a FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 mod_bwlimited/1.4 PHP/5.2.4
    Last-Modified: Fri, 07 Nov 2008 03:27:52 GMT
    Etag: “10cc017-11c5-ff8ede00″
    Accept-Ranges: bytes
    Content-Length: 4549
    Connection: close
    Content-Type: text/html

  7. My name, my referring friend’s name, my email address, and my password are sent to /taf/register.cgi; it sends me 4882 bytes of HTML.

    POST /taf/register.cgi HTTP/1.1
    Host: www.this-isnt-personal.com
    Referer: http://www.this-isnt-personal.com/taf/page2.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans&email=none&category1=lauras&confirmation=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&error_page=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&ref=000&getpostdata=get
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 87
    email=none&referring_friend=Henry%2BJoseph&name=Carrie%2BNewjeans&passwd=neatpeoplerock

    HTTP/1.x 302 Found
    Date: Thu, 13 Nov 2008 18:55:40 GMT
    Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.7a FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 mod_bwlimited/1.4 PHP/5.2.4
    Location: taf3.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
    Content-Length: 442
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    And no, that is not my real password.

  8. I GET 445 and 5199 bytes of HTML in separate requests.

  9. It interacts with a new server at http://tracking.profitsource.net. Notice the session cookie.

    GET /redir.aspx?CID=13449&AFID=27721&DID=59269&SID= HTTP/1.1
    Host: tracking.profitsource.net
    Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
    Cookie: Redir_Consume-13449=AFID=27721&SID=&MARSID=&DID=59269&AD=CID%3d13449%26AFID%3d27721%26DID%3d59269%26SID%3d&RR=http://www.this-isnt-personal.com/taf/tafnext.html&IDATE=11/13/2008

    HTTP/1.x 302 Found
    Connection: close
    Date: Thu, 13 Nov 2008 19:17:01 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Pragma: no-cache, no-cache
    P3P: policyref=”/w3c/P3P.tracking.profitsource.net.xml”, CP=”NOI DSP COR NID ADM DEV OUR STP OTC”
    Location: http://www.geniusinspiration.net/go/sh_us_gs_txt
    Set-Cookie: Redir_Consume-13449=AFID=27721&SID=&MARSID=&DID=59269&AD=CID%3d13449%26AFID%3d27721%26DID%3d59269%26SID%3d&RR=http://www.this-isnt-personal.com/taf/tafnext.html&IDATE=11/13/2008; expires=Thu, 20-Nov-2008 19:17:01 GMT; path=/
    Cache-Control: no-cache
    Expires: -1
    Content-Type: text/html

  10. And now another, www.geniusinspiration.net.

    GET /go/sh_us_gs_txt HTTP/1.1
    Host: www.geniusinspiration.net
    Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
    Cookie: PHPSESSID=72eb039f0ffdab5255238ca36a7cff56

    HTTP/1.x 302 Found
    Date: Thu, 13 Nov 2008 19:15:56 GMT
    Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
    X-Powered-By: PHP/4.4.7
    Location: http://www.geniusinspiration.net/go/us_brain_txt?&&&ref2=gs_txt&ref3=sh_us_gs_txt&
    Keep-Alive: timeout=3, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html

  11. GET /usbrain_txt/indexhome.php?s=prsntm&ref4=896&ref5=981&ref2=gs_txt&ref3=sh_us_gs_txt HTTP/1.1
    Host: www.geniusinspiration.net
    Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
    Cookie: visit_date=November+13th+-+11%3A04+am; cookie_pagename=home; cookie_site=usbrain; cookie_domain=geniusinspiration; PHPSESSID=72eb039f0ffdab5255238ca36a7cff56

    HTTP/1.x 200 OK
    Date: Thu, 13 Nov 2008 19:15:56 GMT
    Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
    X-Powered-By: PHP/4.4.7
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    P3P: CP=”CAO PSA OUR”
    Set-Cookie: visit_date=November+13th+-+11%3A15+am; expires=Sun, 16 Nov 2008 19:15:56 GMT
    Set-Cookie: cookie_pagename=home; expires=Sat, 13 Dec 2008 19:15:56 GMT
    Set-Cookie: cookie_site=usbrain; expires=Sat, 13 Dec 2008 19:15:56 GMT
    Set-Cookie: cookie_domain=geniusinspiration; expires=Sat, 13 Dec 2008 19:15:56 GMT
    Keep-Alive: timeout=3, max=98
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html

These interactions, the HTML from rotating-destination.com, and friends-to-friends-only’s disclaimer (phishes typically do not alert users by saying they are not phishes—note click-through syndrome) are strong indications that it is not a phish. I posted the HTTP headers if you’re interested.

Tags: , , , , , , , ,
Posted in security and cryptography | No Comments »

Expressed RSA Encryption

Tuesday, November 13th, 2007

About a year ago I was working on an implementation of RSA. Although I eventually abandoned the idea, I learned some about the implementation and theory. The following is a quick mathematical representation of a concept in the algorithm:

Equation for Expressed RSA

Here,
e = the encrypted string.
n = the original string length
c = the current character
m = the original string
a = the maximum of the available characters
b = the minimum of the available characters

If you do not understand this post, I recommend ignoring it.

Tags: , , ,
Posted in math, security and cryptography | No Comments »