Category Archives: Encryption

How a glitch in the Matrix led to apps potentially exposing encrypted chats – The Register

The Matrix.org Foundation, which oversees the Matrix decentralized communication protocol, said on Monday multiple Matrix clients and libraries contain a vulnerability that can potentially be abused to expose encrypted messages.

The organization said a blunder in an implementation of the Matrix key sharing scheme designed to allow a user's newly logged-in device to obtain the keys to decrypt old messages led to the creation of client code that fails to adequately verify device identity. As a result, an attacker could fetch a Matrix client user's keys.

Specifically, a paragraph in the Matrix E2EE (end-to-end encryption) Implementation Guide, which described the desired key handling routine, was followed in the creation of Matrix's original matrix-js-sdk code. According to the foundation, this SDK "did not sufficiently verify the identity of the device requesting the keyshare," and this oversight made its way into other libraries and Matrix chat clients.

"This is not a protocol or specification bug, but an implementation bug which was then unfortunately replicated in other independent implementations," the foundation insisted.

To exploit this vulnerability, an attacker would need access to the message recipient's account, either via stolen credentials or by compromising the victim's homeserver.

"Thus, the greatest risk is to users who are in encrypted rooms containing malicious servers," the Matrix.org Foundation said in a blog post. "Admins of malicious servers could attempt to impersonate their users' devices in order to spy on messages sent by vulnerable clients in that room."


At the moment, this risk remains theoretical as the foundation said it has not seen this flaw being exploited in the wild. Among the affected clients and libraries are: Element (Web/Desktop/Android, but not iOS), FluffyChat, Nheko, Cinny, and SchildiChat.

A handful of other applications that haven't implemented key sharing are believed not to be vulnerable. These include: Chatty, Hydrogen, mautrix, purple-matrix, and Syphon.

Matrix's key-sharing scheme was added in 2016 as a way to let a Matrix client app ask a message recipient's other devices or the sender's originating device for the keys to decrypt past messages. It also served to provide a way for a user to log into a new client and gain access to chat history when devices with the necessary keys were offline or the user hadn't backed the keys up.

The recommended implementation, as taken in matrix-js-sdk, involved sharing keys automatically only to devices of the same user that have been verified.

"Unfortunately, the implementation did not sufficiently verify the identity of the device requesting the keyshare, meaning that a compromised account can impersonate the device requesting the keys, creating this vulnerability," explained the Matrix.org Foundation.
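The check described above, as an added illustration written for this page rather than code from matrix-js-sdk or any other Matrix library. The data model is an assumption made for the example: each device of a user is recorded with a verified flag and the identity key it proves possession of when it opens a session, and a key-share request arrives over a session bound to some identity key. The vulnerable handler trusts the user and device ids the request claims; the fixed handler additionally requires that the session the request arrived over uses the identity key recorded for that device, so a compromised account cannot obtain keys simply by naming a verified device.

```python
"""Key-share request handling: claimed-id check vs. identity-bound check.

Example code for this page; not matrix-js-sdk's implementation. The Device and
KeyShareRequest shapes below are a simplification assumed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Device:
    user_id: str
    device_id: str
    identity_key: str   # key the device proves possession of when it opens a session
    verified: bool      # has this user cross-verified the device?


@dataclass(frozen=True)
class KeyShareRequest:
    claimed_user_id: str
    claimed_device_id: str
    session_identity_key: str  # key of the session the request was actually received over


class DeviceList:
    """The user's view of their own devices, keyed by (user_id, device_id)."""

    def __init__(self, devices: Iterable[Device]):
        self._by_id: Dict[Tuple[str, str], Device] = {
            (d.user_id, d.device_id): d for d in devices
        }

    def lookup(self, user_id: str, device_id: str) -> Optional[Device]:
        return self._by_id.get((user_id, device_id))


def should_share_vulnerable(my_user_id: str, devices: DeviceList, req: KeyShareRequest) -> bool:
    """Trusts the ids the request claims: same user, and that device is marked verified."""
    dev = devices.lookup(req.claimed_user_id, req.claimed_device_id)
    return dev is not None and dev.user_id == my_user_id and dev.verified


def should_share_fixed(my_user_id: str, devices: DeviceList, req: KeyShareRequest) -> bool:
    """Binds the request to the device it claims to come from: same user, verified,
    and the session it arrived over must use that device's recorded identity key."""
    dev = devices.lookup(req.claimed_user_id, req.claimed_device_id)
    if dev is None or dev.user_id != my_user_id or not dev.verified:
        return False
    return hmac.compare_digest(dev.identity_key, req.session_identity_key)


# Constructed sample data for the demonstration.
ME = "@alice:example.org"
ALICE_DEVICES = DeviceList([
    Device(ME, "LAPTOP", "alice-laptop-identity-key", verified=True),
    Device(ME, "PHONE", "alice-phone-identity-key", verified=False),
])

# A genuine request from the verified laptop, over the laptop's own session.
GENUINE = KeyShareRequest(ME, "LAPTOP", "alice-laptop-identity-key")
# A request that names the verified laptop but arrives over a session with a different key.
MISMATCHED = KeyShareRequest(ME, "LAPTOP", "some-other-identity-key")
# A request from a device Alice has not verified.
UNVERIFIED = KeyShareRequest(ME, "PHONE", "alice-phone-identity-key")


if __name__ == "__main__":
    for name, req in (("genuine", GENUINE), ("mismatched", MISMATCHED), ("unverified", UNVERIFIED)):
        print(f"{name:10s} vulnerable={should_share_vulnerable(ME, ALICE_DEVICES, req)} "
              f"fixed={should_share_fixed(ME, ALICE_DEVICES, req)}")
```

The mismatched request is the one that matters: the claimed-id check shares keys with it because the named device is verified, while the identity-bound check refuses, since the claim is not backed by the session the request came over.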

Patches for affected software have been made available in the relevant repositories. The foundation said it intends to review the key sharing documentation and to revise it to make it clearer how to implement key sharing in a safe way. The group also said it will revisit whether key sharing is really necessary in the Matrix protocol and will focus on making matrix-rust-sdk a portable reference implementation of the Matrix protocol, so other libraries don't have to reimplement logic that has proven to be difficult to do properly.

"This will have the effect of reducing attack surface and simplifying audits for software which chooses to use matrix-rust-sdk," the foundation said.


WhatsApp is finally allowing users to encrypt chat backups uploaded to iCloud and Google Drive – Buzz.ie

WhatsApp has announced that all users will soon be able to store end-to-end encrypted backups of their chat history on Google Drive in Android or Apple iCloud in iOS.

The Facebook-owned company, which boasts two billion users who send over 100 billion messages a day, said that the move makes WhatsApp the first global messaging service at this scale to offer end-to-end encrypted messaging and backups.

WhatsApp's introduction of end-to-end encryption (E2EE) will provide users with the ability to secure their backed up message history stored in the cloud.

While WhatsApp messages have been encrypted since 2016, the app hasn't offered end-to-end encryption of backups, which rely on iCloud or Google Drive.

This lack of encryption on the backed-up messages created a security loophole exploitable by parties ranging from law enforcement agencies to unintended malicious third parties.

But with the latest update, users will be able to opt-in to end-to-end encryption for their backups before those backups hit their cloud storage service.

Users can expect the update in the coming weeks, according to the company.

For years, in order to safeguard the privacy of people's messages, WhatsApp has provided end-to-end encryption by default so messages can be seen only by the sender and recipient, and no one in between.

Now, the platform is planning to give people the option to protect their WhatsApp backups using end-to-end encryption as well.

People can already back up their WhatsApp message history via cloud-based services like Google Drive and iCloud. WhatsApp does not have access to these backups, and they are secured by the individual cloud-based storage services. But, while WhatsApp doesn't have access to those backups, Apple and Google potentially do.

But now, if people choose to enable end-to-end encrypted (E2EE) backups once available, neither WhatsApp nor the backup service provider will be able to access their backup or their backup encryption key.

WhatsApp users will have to opt in to the new feature which will soon begin rolling out.

To enable E2EE backups, WhatsApp developed an entirely new system for encryption key storage that works with both iOS and Android.

With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password.

When someone opts for a password, the key is stored in a Backup Key Vault that is built on a component called a hardware security module (HSM): specialised, secure hardware that can be used to securely store encryption keys.

When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup.

The HSM-based Backup Key Vault will be responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a limited number of unsuccessful attempts to access it. These security measures provide protection against brute-force attempts to retrieve the key. WhatsApp will know only that a key exists in the HSM. It will not know the key itself.
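A software model of the vault behaviour described in the preceding paragraphs, added for this page; it is not WhatsApp's code and the article does not publish the real design. Assumptions made here: the HSM is modelled as an in-process object that holds the backup key and a salted PBKDF2 verifier of the password, the attempt limit is set to 10 (the article gives no number), and the only thing exposed outside the vault besides key retrieval is a yes/no "does a key exist" query.

```python
"""Model of an HSM-backed Backup Key Vault with a hard attempt limit.

Illustration written for this page; not WhatsApp's implementation. The attempt
limit and PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 10     # assumed; the article does not state the real limit
PBKDF2_ITERATIONS = 100_000  # assumed; kept modest so the demo runs quickly


class KeyDestroyed(Exception):
    """Raised when the limit was exceeded earlier and the key has been wiped."""


@dataclass
class _Slot:
    salt: bytes
    verifier: bytes                # PBKDF2(password); never leaves the vault
    backup_key: Optional[bytes]    # None once the slot has been wiped
    failures: int = 0


class BackupKeyVault:
    """Stands in for the HSM: callers get the key back, or nothing."""

    def __init__(self) -> None:
        self._slots: Dict[str, _Slot] = {}

    @staticmethod
    def _verifier(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def enroll(self, account: str, password: str, backup_key: bytes) -> None:
        salt = os.urandom(16)
        self._slots[account] = _Slot(salt, self._verifier(password, salt), backup_key)

    def has_key(self, account: str) -> bool:
        """All the service side learns: whether a live key exists for the account."""
        slot = self._slots.get(account)
        return slot is not None and slot.backup_key is not None

    def retrieve(self, account: str, password: str) -> Optional[bytes]:
        """Return the backup key on a correct password, None on a wrong one.
        The vault itself counts failures and wipes the key at the limit."""
        slot = self._slots[account]
        if slot.backup_key is None:
            raise KeyDestroyed(account)
        if hmac.compare_digest(self._verifier(password, slot.salt), slot.verifier):
            slot.failures = 0
            return slot.backup_key
        slot.failures += 1
        if slot.failures >= MAX_FAILED_ATTEMPTS:
            slot.backup_key = None   # permanently inaccessible; there is no recovery path
        return None


def new_backup_key() -> bytes:
    """The unique, randomly generated key the backup itself would be encrypted with."""
    return os.urandom(32)


def failed_attempts_until_wipe(vault: BackupKeyVault, account: str,
                               wrong_password: str = "not-the-password") -> int:
    """Count how many wrong guesses the vault accepts before it wipes the key."""
    attempts = 0
    while vault.has_key(account):
        vault.retrieve(account, wrong_password)
        attempts += 1
    return attempts


if __name__ == "__main__":
    vault = BackupKeyVault()
    key = new_backup_key()
    vault.enroll("alice", "correct horse battery staple", key)
    print("wrong password ->", vault.retrieve("alice", "guess"))
    print("right password ->", vault.retrieve("alice", "correct horse battery staple") == key)
    print("wipe after", failed_attempts_until_wipe(vault, "alice"), "failures; key exists:",
          vault.has_key("alice"))
```

The point the model makes is where the counter lives: it is state inside the vault, decremented by the vault and not by the client, so a caller that tries a password list cannot reset it, and once the limit is hit the correct password no longer helps.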

The move arrives as Facebook faces scrutiny over its privacy policies for the messaging service. Earlier this week, ProPublica published a report highlighting how contract workers sift through millions of private messages that have been flagged by users as potentially abusive.

The nonprofit investigative organisation subsequently made clear that WhatsApp doesn't break the end-to-end encryption.


WhatsApp is adding encrypted backups – The Verge

WhatsApp will let its more than 2 billion users fully encrypt the backups of their messages, the Facebook-owned app announced Friday.

The plan, which WhatsApp is detailing in a white paper before rolling out to users on iOS and Android in the coming weeks, is meant to secure the backups WhatsApp users already send to either Google Drive or Apple's iCloud, making them unreadable without an encryption key. WhatsApp users who opt into encrypted backups will be asked to save a 64-digit encryption key or create a password that is tied to the key.

"WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems," Facebook CEO Mark Zuckerberg said in a statement.

If someone creates a password tied to their account's encryption key, WhatsApp will store the associated key in a physical hardware security module, or HSM, that is maintained by Facebook and unlocked only when the correct password is entered in WhatsApp. An HSM acts like a safety deposit box for encrypting and decrypting digital keys.

Once unlocked with its associated password in WhatsApp, the HSM provides the encryption key that in turn decrypts the account's backup that is stored on either Apple's or Google's servers. A key stored in one of WhatsApp's HSM vaults will become permanently inaccessible if repeated password attempts are made. The hardware itself is located in data centers owned by Facebook around the world to protect from internet outages.

The system is designed to ensure that no one besides an account owner can gain access to a backup, the head of WhatsApp, Will Cathcart, told The Verge. He said the goal of letting people create simpler passwords is to make encrypted backups more accessible. WhatsApp will only know that a key exists in an HSM, not the key itself or the associated password to unlock it.

The move by WhatsApp comes as governments around the world, like India, WhatsApp's largest market, are threatening to break the way that encryption works. "We expect to get criticized by some for this," Cathcart said. "That's not new for us ... I believe strongly that governments should be pushing us to have more security and not do the opposite."

WhatsApp's announcement means the app is going a step further than Apple, which encrypts iMessages but still holds the keys to encrypted backups; that means Apple can assist with recovery, but also that it can be compelled to hand the keys over to law enforcement. Cathcart said WhatsApp has been working on making encrypted backups a reality for the past couple of years, and that while they are opt-in to start, he hopes, over time, "to have this be the way it works for everyone."


What Is Fully Homomorphic Encryption (FHE)? – CIO Insight

Company leaders are continually looking for ways to keep data safe without compromising its usability. Fully homomorphic encryption (FHE) could be a step in the right direction.

Fully homomorphic encryption allows analysis and processing to run on data without a decryption step. For example, if someone wanted to process information in the cloud but did not trust the provider, FHE would allow sending the encrypted data for processing without providing a decryption key.


FHE is like other encryption methods that require using a public key to encrypt the data. Only the party with the correct private key can see the information in its unencrypted state. However, FHE uses an algebraic system that allows working with data without requiring decryption first. In many cases, information is represented as integers, while multiplication and addition replace the Boolean functions used in other kinds of encryption.
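To make the "algebraic system" concrete, here is an added, self-contained example written for this page: a textbook Paillier cryptosystem. Paillier is additively homomorphic (a party holding only the public key can add two encrypted integers, or multiply an encrypted integer by a plaintext constant), not fully homomorphic, so it demonstrates the principle the paragraph describes rather than a complete FHE scheme; real FHE schemes are lattice-based and support both addition and multiplication of ciphertexts. This is not code from Google, IBM or any product named on the page. The primes are deliberately tiny, found by trial division so the demo runs instantly, and are far too small for any real use.

```python
"""Textbook Paillier: computing on ciphertexts without the private key.

Added example for this page (additively homomorphic, not FHE). Prime sizes are
constructed for a fast demonstration only.
"""
import math
import secrets
from typing import List, Tuple

PublicKey = Tuple[int, int]              # (n, n^2)
PrivateKey = Tuple[int, int, int, int]   # (lambda, mu, n, n^2)


def _is_prime(n: int) -> bool:
    """Trial division; fine for the ~21-bit demo primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def keygen(p_seed: int = 1_000_000, q_seed: int = 2_000_000) -> Tuple[PublicKey, PrivateKey]:
    """Demo-sized keys. With g = n + 1, lambda = lcm(p-1, q-1) and mu = lambda^-1 mod n."""
    p, q = _next_prime(p_seed), _next_prime(q_seed)
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)   # modular inverse (Python 3.8+)
    return (n, n2), (lam, mu, n, n2)


def encrypt(pub: PublicKey, m: int) -> int:
    """Enc(m) = g^m * r^n mod n^2 with g = n + 1, so g^m = 1 + m*n (mod n^2)."""
    n, n2 = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(n)           # fresh randomness: equal plaintexts differ
        if r > 0 and math.gcd(r, n) == 1:
            break
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def decrypt(priv: PrivateKey, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    lam, mu, n, n2 = priv
    u = pow(c, lam, n2)
    return ((u - 1) // n) * mu % n


def add_encrypted(pub: PublicKey, c1: int, c2: int) -> int:
    """Enc(a) * Enc(b) mod n^2 is an encryption of a + b."""
    _, n2 = pub
    return c1 * c2 % n2


def scale_encrypted(pub: PublicKey, c: int, k: int) -> int:
    """Enc(a)^k mod n^2 is an encryption of k * a."""
    _, n2 = pub
    return pow(c, k, n2)


def untrusted_sum(pub: PublicKey, ciphertexts: List[int]) -> int:
    """What a cloud provider holding only the public key can do: total the
    submitted values without ever learning any of them."""
    _, n2 = pub
    acc = 1   # the multiplicative identity mod n^2 acts as an encryption of 0
    for c in ciphertexts:
        acc = acc * c % n2
    return acc


if __name__ == "__main__":
    pub, priv = keygen()
    readings = [10, 20, 30]   # constructed sample: e.g. per-patient values from three sites
    total_ct = untrusted_sum(pub, [encrypt(pub, v) for v in readings])
    print("sum computed on ciphertexts, decrypted by the key holder:", decrypt(priv, total_ct))
```

In the medical-research setting the article mentions, the party running `untrusted_sum` sees only ciphertexts and the public key; only the key holder can run `decrypt` on the result. Plaintexts and results must stay below n, since arithmetic is modulo n.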


Researchers first proposed FHE in the 1970s, and people became interested back then. However, it has taken substantial time to turn these concepts into feasible real-world applications.

A researcher showed it was achievable in a study published in 2009. However, working with even a tiny amount of data proved too time-intensive. Even now, FHE can require hundreds of times more computing power than an equivalent plaintext data operation.

Data is at a higher risk of becoming compromised when it's not encrypted. FHE keeps the information secure by not requiring decryption to occur for processing to happen.

In one recent example, Google released an FHE-based tool that allows developers to work with encrypted data without revealing any personally identifiable information (PII). Google's blog post on the subject gave the example of FHE allowing medical researchers to examine the data of people with a particular condition without providing any personal details about them.

Encryption takes private information and makes it unreadable by unauthorized third parties. However, something that makes people particularly excited about FHE is that it eliminates the tradeoff between data privacy and usability, making both present at a high level.


Many people familiar with FHE and its potential applications agree that it seems safer than other methods of data protection, which require decrypting data for processing. It could be particularly widely embraced in certain sectors. After all, cloud computing brings in $250 billion per year.


People are continually interested in how to keep their data safe when stored in the cloud. Some experts also believe FHE will emerge as a compelling option in tightly regulated industries because it could become a better safeguard against breaches.

"Past solutions to either completely anonymize data or restrict access through stringent data use agreements have limited the utility of abundant and valuable patient data," IBM notes on its site. "FHE in clinical research can improve the acceptance of data-sharing protocols, increase sample sizes, and accelerate learning from real-world data."

Fully homomorphic encryption could forever change how companies use data. That's crucial, especially considering how many businesses collect it in vast quantities at a time when many consumers feel increasingly concerned about keeping their details safe.

For example, FHE allows keeping information in an encrypted database to make it less vulnerable to hacking without restricting how owners can use it. That approach could limit an organization's risk of regulatory fines due to data breaches and hacks.

It also permits secure data monetization efforts by protecting customers' information and allowing services to process people's information without invading privacy. In such cases, individuals may be more forthcoming about sharing their information, knowing in advance that business representatives cannot see certain private aspects of it.

Using an FHE-based solution also enables sharing data with third-party collaborators in ways that reduce threats and help the company providing the information comply with respective regulations. Thus, this kind of encryption could support research efforts where people across multiple organizations need to work with sensitive content.


Fully homomorphic encryption is not widely available in commercial platforms yet. However, some companies offer products based on homomorphic encryption that could eventually work for the use cases discussed earlier.

For example, Intel has such a product that allows segmenting data into secure zones for processing. Similarly, Inpher offers a product with an FHE component. It primarily uses secure multiparty computation, but applies FHE to certain use cases.


Beyond those examples, IBM has a fully homomorphic encryption toolkit that it released for iOS in 2020. That progress primarily occurred after IBM's experts took it upon themselves to make FHE more commercially feasible, addressing the time and computing power that it previously took to use this type of encryption.

The company's representatives say FHE is now adequate for specific use cases and suggested the health care and finance industries as particularly well suited to it.

Since FHE is not widely available via commercial platforms yet, interested parties should not expect to start using it immediately. However, that could change as organizations become increasingly concerned about striking the right balance between data security and usability.

The ideal strategy for businesses to take now is to explore the options currently on the market. They can then determine whether any of those options meet their needs for exploring fully homomorphic encryption, both the capabilities that exist now and what it might offer in the future.



WhatsApp end-to-end encrypted messages aren't that private after all – Ars Technica

Image caption: The security of Facebook's popular messaging app leaves several rather important devils in its details.

Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement.

This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is, you guessed it, reviewing WhatsApp messages that have been flagged as "improper."

The loophole in WhatsApp's end-to-end encryption is simple: The recipient of any WhatsApp message can flag it. Once flagged, the message is copied on the recipient's device and sent as a separate message to Facebook for review.

Messages are typically flagged, and reviewed, for the same reasons they would be on Facebook itself, including claims of fraud, spam, child porn, and other illegal activities. When a message recipient flags a WhatsApp message for review, that message is batched with the four most recent prior messages in that thread and then sent on to WhatsApp's review system as attachments to a ticket.

Although nothing indicates that Facebook currently collects user messages without manual intervention by the recipient, it's worth pointing out that there is no technical reason it could not do so. The security of "end-to-end" encryption depends on the endpoints themselves, and in the case of a mobile messaging application, that includes the application and its users.

An "end-to-end" encrypted messaging platform could choose to, for example, perform automated AI-based content scanning of all messages on a device, then forward automatically flagged messages to the platform's cloud for further action. Ultimately, privacy-focused users must rely on policies and platform trust as heavily as they do on technological bullet points.

Once a review ticket arrives in WhatsApp's system, it is fed automatically into a "reactive" queue for human contract workers to assess. AI algorithms also feed the ticket into "proactive" queues that process unencrypted metadata, including names and profile images of the user's groups, phone number, device fingerprinting, related Facebook and Instagram accounts, and more.

Human WhatsApp reviewers process both types of queue, reactive and proactive, for reported and/or suspected policy violations. The reviewers have only three options for a ticket: ignore it, place the user account on "watch," or ban the user account entirely. (According to ProPublica, Facebook uses the limited set of actions as justification for saying that reviewers do not "moderate content" on the platform.)

Although WhatsApp's moderators (pardon us, reviewers) have fewer options than their counterparts at Facebook or Instagram do, they face similar challenges and have similar hindrances. Accenture, the company that Facebook contracts with for moderation and review, hires workers who speak a variety of languages, but not all languages. When messages arrive in a language moderators are not conversant in, they must rely on Facebook's automatic language-translation tools.

"In the three years I've been there, it's always been horrible," one moderator told ProPublica. Facebook's translation tool offers little to no guidance on either slang or local context, which is no surprise given that the tool frequently has difficulty even identifying the source language. A shaving company selling straight razors may be misflagged for "selling weapons," while a bra manufacturer could get knocked as a "sexually oriented business."

WhatsApp's moderation standards can be as confusing as its automated translation tools: for example, decisions about child pornography may require comparing hip bones and pubic hair on a naked person to a medical index chart, or decisions about political violence might require guessing whether an apparently severed head in a video is real or fake.

Unsurprisingly, some WhatsApp users also use the flagging system itself to attack other users. One moderator told ProPublica that "we had a couple of months where AI was banning groups left and right" because users in Brazil and Mexico would change the name of a messaging group to something problematic and then report the message. "At the worst of it," recalled the moderator, "we were probably getting tens of thousands of those. They figured out some words that the algorithm did not like."

Although WhatsApp's "end-to-end" encryption of message contents can only be subverted by the sender or recipient devices themselves, a wealth of metadata associated with those messages is visible to Facebook, and to law enforcement authorities or others that Facebook decides to share it with, with no such caveat.

ProPublica found more than a dozen instances of the Department of Justice seeking WhatsApp metadata since 2017. These requests are known as "pen register orders," terminology dating from requests for connection metadata on landline telephone accounts. ProPublica correctly points out that this is an unknown fraction of the total requests in that time period, as many such orders, and their results, are sealed by the courts.

Since the pen orders and their results are frequently sealed, it's also difficult to say exactly what metadata the company has turned over. Facebook refers to this data as "Prospective Message Pairs" (PMPs), nomenclature given to ProPublica anonymously, which we were able to confirm in the announcement of a January 2020 course offered to Brazilian department of justice employees.

Although we don't know exactly what metadata is present in these PMPs, we do know it's highly valuable to law enforcement. In one particularly high-profile 2018 case, whistleblower and former Treasury Department official Natalie Edwards was convicted of leaking confidential banking reports to BuzzFeed via WhatsApp, which she incorrectly believed to be "secure."

FBI Special Agent Emily Eckstut was able to detail that Edwards exchanged "approximately 70 messages" with a BuzzFeed reporter "between 12:33 am and 12:54 am" the day after the article published; the data helped secure a conviction and six-month prison sentence for conspiracy.


UK government backs Apple, and wants to scan encrypted messages for CSAM – 9to5Mac

The British government has expressed support for Apple's now-delayed CSAM scanning plans, and says that it wants the ability to scan encrypted messages for CSAM, even where end-to-end encryption is used.

The country is offering to pay anyone who can find a way to "keep children safe in environments such as online messaging platforms with end-to-end encryption."

Home Secretary Priti Patel made the announcement, which included support for Apples plans.

"Recently Apple have taken the first step, announcing that they are seeking new ways to prevent horrific abuse on their service. Apple state their child sexual abuse filtering technology has a false positive rate of 1 in a trillion, meaning the privacy of legitimate users is protected whilst those building huge collections of extreme child sexual abuse material are caught out. They need to see through that project.

"But that is just one solution, by one company, and won't solve everything. Big Tech firms collectively need to take responsibility for public safety and greater investment is essential. Today I am launching a new Safety Tech Challenge Fund. We will award five organisations from around the world up to £85,000 each to develop innovative technology to keep children safe in environments such as online messaging platforms with end-to-end encryption."

She repeats the government's oft-expressed objection to end-to-end encrypted messaging, and attempts to imply that it is a new plan, rather than something that has been used for many years by services like iMessage, FaceTime, WhatsApp, Telegram, and Signal.

"Your messages are already encrypted as they travel from your device to a technology company's systems. End-to-end encryption takes this further, so that neither the platform operator nor police can see the content even when it's essential for safety reasons that they do so [...]

"The introduction of end-to-end encryption must not open the door to even greater levels of child sexual abuse but that is the reality if plans such as those put forward by Facebook go ahead unchanged."

The reality here is that Facebook Messenger is the only major messaging platform that doesn't already offer E2E encryption as standard, and even that allows some users to enable it via the Secret Conversations feature. Facebook's plan to make this standard is simply catching up with the industry standard for private messaging.

The government's call for help is vaguely worded, and offers a maximum of £85k ($117K) to each successful applicant.

"The Fund will award five organisations from around the world up to £85,000 each to develop innovative technology to keep children safe in environments such as online messaging platforms with end-to-end encryption [...]

"Applications open today, with a deadline of 6 October. The Fund will run for five months from November 2021. Technologies will be evaluated by independent academic experts."

Apple was somehow taken by surprise by widespread objections to its own plans, and now says that it will take additional time to make privacy improvements.



VPN and Email Encryption Provider, WiTopia, Inc., Is Now Raising Capital Via StartEngine – PRNewswire

RESTON, Va., Sept. 8, 2021 /PRNewswire/ -- WiTopia, Inc., veteran VPN provider and developer of SecureMyEmail, a revolutionary email encryption service that can add "zero-knowledge" end-to-end encryption to any email address, is excited to announce the launch of an investment crowdfunding campaign on the StartEngine platform. StartEngine allows investors of any level to own a stake in the company.

SecureMyEmail offers free unlimited encryption for a single Gmail, Yahoo Mail, or Microsoft consumer email address, as well as a paid version that provides a user end-to-end encrypted email for up to eight of their email addresses, personal or business, for only $3.99 a month or $29.99 annually.

SecureMyEmail's zero-knowledge architecture ensures encrypted emails and attachments are only viewable by the sender and their recipients. No one, including the user's email provider, internet company, or even WiTopia itself, ever has access to the encrypted email or attachments.

"Access to powerful, yet simple and low-cost, online security and privacy services have never been more important than on today's internet," said Bill Bullock, CEO of WiTopia. "We are incredibly excited to work with StartEngine to expand our business and build awareness."

For more information about the equity crowdfunding campaign, visit https://www.startengine.com/witopia-inc

About WiTopia

WiTopia is an internet privacy and security company based in Reston, Virginia. In early 2005, the launch of our personalVPN service pioneered the use of Virtual Private Network (VPN) technology to give individuals the ability to connect to the internet privately, securely, and without censorship or geo-restrictions. With the addition of our CloakBox VPN Router and SecureMyEmail encrypted email service, we continue to work to ensure that a secure, private, and censorship-free internet is available to everyone. Today, WiTopia's products and services provide internet freedom, security, and privacy to individuals, businesses, and organizations in more than 190 countries.

For more information, please email us at [emailprotected], call 703-665-3336 / 703-665-3340, or visit https://www.witopia.com or https://www.securemyemail.com

SOURCE WiTopia, Inc.

https://www.witopia.com/


Future in the cloud for encryption – Capacity Media

06 September 2021 | Alan Burkitt-Gray

Traditional PKI methods of encrypting data are about to fall to the onslaught of quantum computing. Arqit, a start-up led by David Williams, thinks it has a quantum-based solution, he tells Alan Burkitt-Gray.

A start-up company that is expected to be valued at US$1.4 billion by the end of August is launching its quantum-based telecoms encryption service in the middle of July. Arqit, founded by satellite entrepreneur David Williams, is launching QuantumCloud, a platform-as-a-service (PaaS) for telecoms, including consumer, industrial and defence internet of things (IoT), he tells me.

Early customers, including BT and other telcos that he doesn't want to name, have already signed contracts and used the cyber security software, but Arqit is likely to be thrust into greater prominence imminently, when a Nasdaq-listed special purpose acquisition company (Spac) buys it in a deal that will value it at $1.4 billion.

Williams and a small number of co-founders will own 45%, he tells me, a stake that will be worth $630 million to him and his colleagues.

A former banker, Williams, who is now chairman of Arqit, was founder and CEO of Avanti, a UK-based company that runs a fleet of geostationary satellites called Hylas with government, military and commercial customers. He left Avanti in August 2017 and a month later set up Arqit.

Being the founder of two satellite companies is a pretty remarkable record after seven years working for three banks following a degree in economics and politics. (He also notes that he was the yard-of-ale champion at the University of Leeds.)

However, his first start-up, Avanti Communications, has not fared well over the past year, long after Williams's departure. In February 2021 its existing junior lenders injected $30 million of new capital, and its so-called super senior facility, which was due for repayment in February, was extended, but only to the end of January 2022.

Existential threat

But Arqit has moved into a completely different market, addressing something the company calls an existential threat to the hyperconnected world. Why? "The legacy encryption that we all use, designed in the 1980s, has done a great job but is now failing us," says Arqit on its website. "It was never intended for use in our hyper-connected world. The breaches caused are seen around us daily."

At the same time, there is a bigger problem. "Quantum computing now poses an existential threat to cyber security for everyone. As a result, the world must begin a global upgrade cycle to replace all encryption technologies, an upgrade unlike anything we have seen before," says the company.

"Don't bother patching and mending," says Arqit. "Don't take risks with incremental improvements to public key encryption, which is no longer fit for purpose."

Encryption using public key infrastructure (PKI) emerged from the communications intelligence community around 1971 in work by James Ellis at the UK's Government Communications Headquarters (GCHQ) and was then developed further in 1976 through work in the US and Israel by Whit Diffie and Martin Hellman and separately by Ronald Rivest, Adi Shamir and Leonard Adleman (known, from their initials, as RSA).

So, the idea is virtually half a century old. But in that time, certainly in the past decade, it has done us well. If the URL of a website starts https://, you know it's encrypted to those 1970s standards. It means we are reasonably confident we can type our credit card details into a hotel, theatre, travel or shopping site. Messaging apps such as Signal and WhatsApp use encryption based on these PKI principles.

No one trusts PKI

"However, no one trusts PKI any more," says Williams. "The safest way of delivering keys to a battlefield is now to put them on a dongle and fly them in by helicopter."

At the heart of the problem is the fact that quantum computers are coming, and quantum computers are fast. Diffie and Hellman, and the RSA trio, calculated that if it took weeks or months to decrypt a message, PKI was secure. Breaking the code would be computationally infeasible, to use the term the crypto community likes.

By perhaps as soon as next year, quantum computers will be able to work so fast that they will have decrypted the text in a usable period of time. The challenge will no longer be computationally infeasible. Someone intercepting a transaction could find your credit card details within an hour or so, and use them. So, that's why there is pressure to upgrade to a new system of key exchange, a replacement for PKI.

However, the security people have something more to worry about. Many suspect that for years governments and other organisations have been squirrelling away in their vaults traffic that is encrypted to current standards, knowing that, any time soon, they will be able to crack it.

Think of all those politicians, on all sides of the global political divides, who have been conspiring via WhatsApp. Think of all those whistleblowers who have leaked information to law enforcement authorities or journalists via Signal. Think of all those criminal organisations that have been using Telegram for their plans.

Lemon juice and milk

That's why PKI, the current crypto infrastructure, is facing what Arqit calls an existential threat. Pretty soon, it will be as outmoded as writing "Xf buubdl bu ebxo upnpsspx"* in lemon juice or milk and sending it via carrier pigeon. "Don't bother with minor fixes," says Arqit. "It's wrong to patch and mend, or to take risks."

The future lies in symmetric keys, with a new way of distributing them. "Symmetric keys are provably secure against any attack, including quantum computing," says the company.

The problem is that, until now, there has been no safe way to distribute them. Arqit says that it offers a method to create those keys at scale, securely, at any kind of endpoint device. "We have invented a method of creating unbreakable encryption keys locally, both at the edge and in the cloud," says Williams.

Arqit has a solution. It's called Arq19, pretty much for the same reason Covid-19 has that suffix: "2019 was our Eureka moment," he smiles.

These are systems he calls "global and trustless", a confusing term. It seems to mean you can't trust it, but what Williams and Arqit mean is that you don't have to trust it, as keys will never be stored in any system, so they cannot be stolen, but they can be put on devices within less than half a second to enable a high level of security.

"We create hardware storage modules in a number of places," he says: London, New York, Sydney, for example. "But those aren't the keys. They are clues," a process involving shared secrets to create brand-new symmetrical encryption keys. No, I don't understand either; but how many people in 1936 understood Turing's famous paper, "On Computable Numbers", which started the computer revolution? (Turing went on to work during World War Two at GCHQ's predecessor at Bletchley Park, in what is now the English city of Milton Keynes.)

Arqit can deliver its keys in "unlimited group sizes", says Williams. The traditional PKI approach is for two-way communications: Alice and Bob, in the crypto community's terminology.

But what Williams is looking for is a system that will work with Alice, Bob, Catherine, Dave, Eve and a whole telephone directory.

For example, says Williams, they can deliver keys to international telecoms networks, "and we can change the key every second if we want". He says that will result in ultra-secure software-defined networks (SDNs).

"We can deliver quantum keys in a manner that's global and trustless," says Williams. The company will use a small fleet of satellites, weighing 300kg each, that is being built by QinetiQ, a company formed 20 years ago by the privatisation of part of the UK government's Defence Evaluation and Research Agency.

BT has an exclusive deal to distribute Arqit's QuantumCloud services in the UK, and the Japanese firm Sumitomo has a deal as the first big international customer, says Williams.

It is working with telcos to encrypt traffic on Japanese fibre cables, he adds.

These are contracts with distributors that have been signed, but the company's first contract with a corporate user went live in June, he says, although he will not name the partner, except that it is a big global corporation. It is an enterprise customer and is not BT.

The eventual market will include the internet of things (IoT) and connected cars, enterprise and connectivity, he said. Cost will be low, says Williams. Users will pay a tiny fraction of a dollar for each key created.

Heir to Turing

Williams has gathered around him a range of technical, crypto and management talent. CTO and co-founder with Williams is David Bestwick, who was also a co-founder and CTO of Avanti. There's a chief cryptographer who was at GCHQ: think of David Shiu as the inheritor of the tradition founded by Turing 80 years ago.

There are other ex-GCHQ people, too, and a retired air vice-marshal and a former lieutenant general in the US Air Force. And more, including experts in telecoms, IT and a chief software engineer who was at McAfee. And a former head of operations at 10 Downing Street.

These people are well connected. Well see what they achieve.

Though, will we be able to find out, or will it all be encrypted?

*"Xf buubdl bu ebxo upnpsspx" means just "We attack at dawn tomorrow", using the so-called Caesar cipher, as reputedly used by the Roman dictator

See the article here:
Future in the cloud for encryption - Capacity Media

Debunking Wi-Fi Security Myths: Wi-Fi Encryption Is Weak – TechSpective

One of the most common myths associated with Wi-Fi security is that wireless encryption is weak and easily cracked. To be fair, this myth does have a basis in reality, but that reality is two decades old. Practically speaking, there is no perfect security and no such thing as unbreakable encryption, but the simple fact is that a lot has changed since then, and the encryption available in Wi-Fi is significantly stronger.

Wireless networking exploded into mainstream acceptance in early 2000, and fundamentally changed the technology landscape from that point forward. The 802.11b standard dramatically increased throughput, and the cost of the underlying technology dropped, creating a perfect storm for widespread adoption.

The novelty of simply being able to set up a desktop computer without having to run an ethernet cable was exciting, and Wi-Fi also enabled the laptop boom, freeing people from being tethered to a single location at all. Of course, being able to communicate wirelessly and transmit potentially sensitive data through the air from Point A to Point B also introduced some security concerns, which is why the developers of the Wi-Fi standard included Wired Equivalent Privacy (WEP).

The United States government placed restrictions on exporting cryptographic technology to prevent our adversaries from obtaining encryption that was too strong for intelligence agencies to crack. The goal was for the Wi-Fi standard to be accepted globally, so developers used a 40-bit key that would stay within the export guidelines.

That worked for the US government. Unfortunately, using weak encryption with a weak encryption key comes with consequences as well. Researchers were able to quickly crack the WEP encryption. A variety of tools suddenly became available that would allow virtually anyone to crack WEP encryption within a few minutes.

The ease with which WEP could be cracked, and easy access to a plethora of tools for doing it, tarnished the reputation of Wi-Fi. Many businesses and consumers make the mistake of leaving their wireless networks open, which makes them an even easier target. An attacker will generally choose the path of least resistance, so they are more likely to go after wireless networks that are not protected at all than to invest any time and effort breaking into a protected network, even if it's protected by something as weak as WEP.

For many people, the reputation of wireless networking as inherently insecure and easy to break into has endured. Nearly 20 years later, rumors persist that Wi-Fi networks are vulnerable, and that wired or cellular data networks offer better security and data protection.

The reality is that the industry quickly moved from WEP to Wi-Fi Protected Access (WPA). WPA adopted the Temporal Key Integrity Protocol (TKIP), which significantly improved protection. TKIP dynamically generates a new 128-bit key for each packet transmitted and includes a Message Integrity Check designed to prevent attackers from altering and resending data packets.

WPA was replaced with WPA2 around 2004, which uses AES-CCMP encryption, and that remained the security standard for Wi-Fi until recently. AES encryption is rock solid and is still widely used today for very sensitive environments and data. In 2018, Wi-Fi Alliance announced WPA3 as the next generation of Wi-Fi security. WPA3 adds a 192-bit security level and replaces the pre-shared key (PSK) model of WPA2, which was susceptible to key reinstallation attacks, with simultaneous authentication of equals (SAE).
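The two protections the article credits to TKIP and CCMP, a fresh key for every packet and a Message Integrity Check that stops altered and resent frames, modelled in a small receiver as an added example (not IEEE 802.11, Wi-Fi Alliance or TechSpective code). It substitutes HMAC-SHA256 for the real Michael MIC / CBC-MAC, uses a constructed key-mixing function in place of TKIP's, and the session key and transmitter address are constructed sample values.

```python
import hmac
import hashlib
import struct

MIC_LEN = 8  # constructed: an 8-byte tag, the size of TKIP's Michael MIC

def per_packet_key(session_key, transmitter_addr, pn):
    # Stand-in for TKIP key mixing (not the real algorithm): a fresh 128-bit key
    # for every packet number, so no two frames are protected under the same key.
    msg = transmitter_addr + struct.pack(">Q", pn)
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:16]

def protect(session_key, transmitter_addr, pn, payload):
    # Sender side: 8-byte packet number (cf. CCMP's PN) || payload || MIC over both.
    header = struct.pack(">Q", pn)
    key = per_packet_key(session_key, transmitter_addr, pn)
    mic = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic

class Receiver:
    def __init__(self, session_key, transmitter_addr):
        self.session_key, self.transmitter_addr = session_key, transmitter_addr
        self.last_pn = -1  # replay counter: highest packet number accepted so far

    def accept(self, frame):
        # Returns the payload, or None when the frame must be discarded.
        if len(frame) < 8 + MIC_LEN:
            return None
        header, payload, mic = frame[:8], frame[8:-MIC_LEN], frame[-MIC_LEN:]
        pn = struct.unpack(">Q", header)[0]
        key = per_packet_key(self.session_key, self.transmitter_addr, pn)
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return None  # altered frame: MIC fails, and the counter does not move
        if pn <= self.last_pn:
            return None  # replayed frame: valid MIC but a packet number already seen
        self.last_pn = pn
        return payload

def demo():
    # Constructed sample values; in Wi-Fi the session key comes from the handshake.
    key, addr = bytes(range(16)), bytes.fromhex("020000000001")
    rx = Receiver(key, addr)
    frame1 = protect(key, addr, 1, b"GET /index.html")
    frame2 = protect(key, addr, 2, b"POST /login")
    altered = frame1[:8] + bytes([frame1[8] ^ 0x01]) + frame1[9:]  # one payload bit flipped
    return {"altered": rx.accept(altered), "fresh": rx.accept(frame1),
            "replayed": rx.accept(frame1), "next": rx.accept(frame2)}
```

Only the untouched frames are accepted; the flipped frame fails the MIC before the replay counter advances, and the resent frame carries a packet number the receiver has already seen.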

Technology changes quickly and constantly. Wi-Fi technology and wireless networking are ubiquitous now, and standards like Wi-Fi must continuously evolve to embrace new technologies and new use cases. The threat landscape is also continually adapting and expanding, which means that the security technologies and protocols used by Wi-Fi must be updated as well.

All new devices certified by Wi-Fi Alliance now require WPA3, including Wi-Fi CERTIFIED 6 devices. WPA3 offers a variety of security enhancements to strengthen and extend protection for Wi-Fi traffic. WPA3 ensures that Wi-Fi devices are more secure than ever, and just as secure as wired or cellular data networks.

WPA3 offers a variety of cutting-edge protections to defend against the latest techniques and exploits, such as:

Wi-Fi security had some issues in the early days. WEP was easily crackable and that reputation has continued as a pervasive myth about Wi-Fi security in general that is simply no longer true. WPA3 ensures that your wireless connection is just as secure as a wired or cellular data connection and protects against the latest attack techniques.

Visit link:
Debunking Wi-Fi Security Myths: Wi-Fi Encryption Is Weak - TechSpective

WhatsApp's Claims Of End-To-End Encryption Might Be Entirely True – Ubergizmo

WhatsApp claims to offer end-to-end encryption. What this means is that messages are encrypted so that during transit, even if they were to be intercepted, they will not be readable. Instead, they only get decrypted once they arrive on the intended device. Or at least that's what they claim.

According to a somewhat damning report from ProPublica, it seems that WhatsApps claims of end-to-end encryption might not be 100% true. The report alleges that WhatsApp employs over 1,000 contractors from Dublin, Singapore, and Texas who use special Facebook software to examine user content.

These contractors then make judgments on the content that appears on their screens, which includes everything from fraud, spam and potential terrorist planning to CSAM. WhatsApp has since sort of denied the allegations made in the report. The company's director of communications Carl Woog told the publication that the contractors are only used to remove the worst abusers who use their platform to spread spam, threats, and more.

Facebook has also since issued a statement claiming that WhatsApp has been built in a way that limits the data they collect, which might be true, but it also means that some data can be collected.

WhatsApp has faced several privacy-related controversies in the past, with the latest one seeing many users migrate to other messenger platforms like Signal and Telegram.

Source: cultofmac

Link:
WhatsApp's Claims Of End-To-End Encryption Might Be Entirely True - Ubergizmo