Facebook would like to listen to what you listen or watch

Posted on May 26, 2014 by eric

Last week, Facebook announced a new feature in their status update. If switched on, this feature will identify the songs or TV program that it will identify through the microphone of the mobile device. It will propose to share this information with your community (and propose a 30 second free sample of the song or a synopsis of the TV program).

A new example of the use of audio fingerprinting. By default, the feature is switched off. Furthermore, the user decides when to share and with whom to share the information. Thus, in theory, there is no associated privacy issues. The user remains in control.

Facebook claims that it will not share it if you do not want. Unfortunately, Facebook does not precise whether it will collect the information for its own profiling even if the user refuses to share it with friends.

As I’m paranoid and as there is no free lunch… I don’t care as I do not have a Facebook account. Will you use it?

CataCrypt 2014

Posted on April 23, 2014 by eric

In the tsunami of the catastrophic HeartBleed bug, this new IEEE workshop will be interesting. cataCRYPT stands for “catastrophic events related to cryptography and security with their possible solutions.”

The main point is: many cryptographic protocols are only based on the security of one cryptographic algorithm (e.g. RSA) and we don’t know the exact RSA security (including Ron Rivest). What if somebody finds a clever and fast factoring algorithm? Well, it is indeed an hypothesis but we know several instances of possible progress. A new fast algorithm is a possible catastroph if not handled properly. And there are other problems with hash functions, elliptic curves, aso. Think also about the recent Heartbleed bug (April 2014, see http://en.wikipedia.org/wiki/Heartbleed): the discovery was very late and we were close to a catastrophic situation.

So we are thinking about a regular workshop, the name is CATACRYPT, about these possible problems and their solutions. It includes problems with cryptographic algorithms, protocols, PKI, DRM, TLS-SSL, smart cards, RSA dongles, MIFARE, aso. Quantum computing, resilience and agility are also on the program.

The birth of cataCRYPT is not opportunistic. His founder, Jean Jacques Quisquater, had launched the idea last year. Its announcement following HeartBleed is a pure coincidence.

The paper submission deadline is 2 June 2014. Hurry up…

The conference’s site is http://catacrypt.net/

The war between Digital Rights Locker starts

Posted on March 11, 2014 by eric

The Walt Disney Studios Announces Disney Movies Anywhere In 2010, two initiatives around Digital Rights Locker (DRL) were bubbling. On one hand, DECE was a large consortium of companies that created UltraViolet (UV). On the other hand, Disney was designing its own solution KeyChest.

During these four last years, UV has started to have mild adoption and deployment. The latest news is that UV is available in more European countries. For instance, in France, we start to see on TV advertisement the presence of the UV logo for new titles. Nevertheless, UV did not make an awareness campaign (at least in France). Most French customer have no clue of what UV is.

Meanwhile, Disney did not join UV, neither promote KeyChest. Some people thought KeyChest to be dead. Since February 2014, the situation has changed. Disney launched a new service: Disney Movie Anywhere. User can open a KeyChest account to access the DRL and also use her iTunes account (Remember that Disney and Apple have very close connection). The service is currently only available in the US. It is said that other content owners may join.

Of course, currently UV and KeyChest are not interoperable, meaning that users should have both a UV account and a KeyChest account to access a large catalog. Is a new war of standard starting? DIsney, with its interesting catalog (cartoons, movies, Marvel, Star Wars…) and Apple are serious opponents.

A little bit of auto-congratulation:my book describes in details both UV and KeyChest. Not a bad decision.

NSA spies us: what a surprise!

Posted on January 8, 2014 by eric

I twill start this new year (for which I wish you all the best) by some ranting. Since the Snowden’s story started, I never commented. Now I will a little bit as I start to be upset by all this hypocrisy. Snowden shed some lights on the behavior and skillset of the NSA. This is interesting. But what is not acceptable, is that media seem to be surprised. WE KNEW IT FOR YEARS.

NSA spies our electronic personal communications! We knew it for years. Echelon was known in the 90s. The new systems are just a natural evolution to new communication means and enhanced computing capacities. It was even known that the scope was larger than military/political actions. NSA published patents about semantic analysis of natural speech. The purpose was obvious. I remember an initiative that asked people to generate random mails with gibberish inside but also some alleged keywords (such as terrorism, NSA,…) that should trigger the scrutiny of NSA. The aim was to try to flood the system.

NSA is studying advanced techniques such as quantum computing to crack ciphers! I would expect any serious governments to have their black cabinet studying this topic. Once more, it is known that NSA may have some advances over the academic/public domain in this field. In 1974, US banking industry asked IBM to design a commercial cipher to protect electronic banking transaction. With the help of the NIST, IBM designed the famous DES. End of 80s, academic world discovered a new devastating technique: differential cryptanalysis. In 1991, Eli BIHAM and Adi SHAMIR demonstrated that surprisingly DES was immune to this ”unknown” attack (which was not the case for many other ciphers). In 1994, Don COPPERSMITH, who was part of the DES design team, revealed that DES had been designed to resist to differential cryptanalysis. In 1974, NSA knew already differential cryptanalysis but kept this knowledge secret as it gave a competitive edge to US secret agencies.

Secret services do not play fair democratic games! This is why they are called secret services. Hollywood told about that so often as well as John LE CARRE.

So please, let us stop this hypocrite surprise: we knew about (but not the details).

E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” Journal of Cryptology, vol. 4, Jan. 1991, pp. 3–72 available at http://link.springer.com/article/10.1007/BF00630563.

D. Coppersmith, “The Data Encryption Standard (DES) and its strength against attacks,” IBM Journal of Research and Development, vol. 38, 1994, pp. 243–250.

CCC hacked Apple’s TouchID

Posted on September 23, 2013 by eric

One of the “innovative” features of the new Apple iPhone 5S is TouchID. TouchID is an integrated fingerprint recognition system. Once your fingerprint registered, you will be able to unlock the phone by pressing your finger on the home button. Is it secure?

On Saturday, the German Chaos Computer Club (CCC) announced that they cracked TouchID. According to them, the technology had nothing new excepted a higher resolution sensor. Thus the countermeasure was to use the traditional proven methods with higher resolution. Of course, it worked.

More interestingly, the official announcement of CCC highlights two major limits of biometrics:

It is not secure; Most of the systems can be lured.
Biometrics cannot be revoked! Once cracked, your fingerprint will always valid!

Nevertheless, some comments to mitigate these comments:

Some systems are more sophisticated. for instance, some fingerprint systems check whether the applied “finger” is living or a piece of latex. These systems are more expensive of course.
Some biometrics systems such as venous system recognition are far more difficult to lure. Their price is currently out the reach of consumer market.
As many people do not use pin to lock their phone, using fingerprint may be a more acceptable solution for many people. This would be better than using no access control to the phone, as long as the user does not blindly believe that the phone’s security is absolute.

Has NSA broken the crypto?

Posted on September 10, 2013 by eric

With the continuous flow of revelations by Snowden, there is not one day without somebody asking me if crypto is dead. Indeed, if you read some simplifying headlines, it looks like the Internet is completely unsecure.

Last Friday, Bruce Schneier published an excellent paper in the guardian : “NSA surveillance: a guide to staying secure.” For two weeks, he has analyzed documents provided by Snowden. From this analysis, he drives some conclusions and provides some recommendations. In view of the security profile of Bruce, we may trust the outcome. I recommend the readers to read the article.

My personal highlights from this article.

The documents did not present any outstanding mathematical breakthrough. Thus, algorithms such as AES are still secure.
To “crack” encrypted communications, NSA uses the same tools than hackers but at a level of sophistication far higher. They have a lot of money. The tricks used:

Look for used weak algorithms
Look for weak passwords with dictionary attacks
Powerful brute force attacks
…

The two most important means are:

Implementing back doors and weakening commercial implementations (poor random generator, poor factors in Elliptic Curve Cryptosystems (ECC), leaking keys…). The same is true for hardware.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.

Compromising the computer that will encrypt or decrypt. If you have access to the data before it is secured, then you do not care about the strength of the encryption.

These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

His recommendations are common sense. The most interesting one is to avoid using ECC as NSA seems to influence the choice of weak curves and constants in the curve.

His final statement

Trust the math.

is OK, but I would add “Do not trust the implementation.” Always remember law 4: Trust No One.

And if you would authenticate by touching your mobile device?

Posted on July 24, 2013 by eric

We are not yet there. Nevertheless, Christian Holz and Patrick Baudisch, two German researchers seem to have made some progress towards this dream. They designed a tabletop system with a touch screen that allows fingerprint detection.

The magic comes from the screen material. it uses a new fiber optical plate. The plate is made of million highly reflective fibers. Infra red lights is reflected back to the emitter. When infra red lights exits the plate through skin, it reflects less light back. Thus, an high resolution infra red camera can capture highly contrasted fingerprints. This allows to authenticate the user who is using the touch screen.

Unfortunately, the current system requires a projector and a camera. Thus, it is suitable for table top solution with enough room beneath the screen. Not yet ready for small portable devices.

In any cases, it opens many interesting use cases. They will present a paper at UIST’13.

The blog of content protection

A site managed by Eric Diehl

Category Archives: Technology