Cryto Party at CCU

Jose L. Quiñones, BS
MCSA, RHSA, C|EH, C)PEH, C)M2I, GCIH, GPEN

What is a crypto party?
Is a grassroots global movement to
introduce the basics of practical
cryptography such as the Tor anonymity
network, key signing parties, disk
encryption and virtual private networks to
the general public.

The NSA scandal has revealed …
• They can and will capture all traffic possible
• All encrypted traffic is considered suspicious and is retained
indefinitely
• They trace up to 3 hops/connections (people) to and from the target.
• This is not something new, don’t be naive. Every country does it.
• The Patriot Act expired on June 1st, 2015, but was reinstated by the
USA Freedom Act on June 2, 2015 until 2019.

Encoding
• Encoding is the process of putting a sequence of characters (letters,
numbers, punctuation, and certain symbols) into a specialized format
for efficient transmission or storage.
• Encoding Standards: Base64, ROT13, ASCII, Hex/Bin, XML
• Encoding IS NOT SECURITY!

Hashing
• Creates a fixed string of bits or hexadecimal characters,
which cannot be reverted to recreate the original data.
• A hash is a number derived from performing a calculation
(algorithm) on data, such as a message, file or string.
• It can be used to ensure that data has retained integrity.
• It’s commonly used for storing passwords

Common Hashing Algorithms
• MD5
• MD5 algorithm is a widely used hash function producing a 128-bit hash value
• SHA-1
• SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function published
by the United States NIST. SHA-1 produces a 160-bit (20-byte) hash value
known as a message digest.
• SHA-2
• It’s the successor to SHA-1. The SHA-2 family consists of six hash functions
with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-
256, SHA-384, and SHA-512.

Encryption
• Scrambles, or ciphers data to make It unreadable if
intercepted
• Can be used to ensure Confidentiality and Integrity
• Confidentiality ensures that data is only viewable by authorized users
• Integrity provides assurances that data has not been modified
• Does not protect metadata or activity around the encrypted
packet or file.

Types of Encryption
• Symmetric
• Symmetric-key algorithms are algorithms for cryptography that use the same
cryptographic keys for both encryption of plaintext and decryption of
ciphertext.
• Examples: AES (Rijndael), DES, 3DES, Blowfish, Twofish
• Asymmetric
• Public key cryptography, or asymmetric cryptography, is any cryptographic
system that uses pairs of keys: public keys which may be disseminated widely,
and private keys which are known only to the owner.

Encryption Algorithms and Protocols
• Algorithms
• RC4
• RSA
• AES
• DES/3DES
• Blowfish
• Twofish
• Protocols
• OpenPGP
• HTTPS/S-HTTP
• SSL/TLS
• IpSec
• SSH/SCP/SFTP
• STMPS

PRISM ⚡ BREAK
Go to … https://prism-break.org/en/

Gnu Privacy Guard (GnuPG/GPG)
• It’s a free open source implementation of the OpenPGP
standard.
• Download at:
Linux: Install using package manager (apt-get or yum)
MacOS: https://gpgtools.org
Windows: http://www.gpg4win.org

GPG How-to
# Generate you key pair (Private/Public), answer the questions. (key size > 2048)
$ gpg --gen-key
# Export your public key to ASCII format
$ gpg --armor --export <email@domain>
# Encrypt file
$ gpg --encrypt --sign --armor -r <email@domain> <file_name>
# Decrytpt file
$ gpg <file_name>

(The Onion Router)
• The original data, including its destination, are encrypted and
re-encrypted multiple times, and sent through a virtual circuit
comprising successive, randomly selected Tor relays.
• Download at:
https://www.torproject.org/

How Tor protects you from snooping

Private Virtual Private network (VPN)
• Private VPN service
• VPN service you pay for to protect your information
• VPN providers are bound by its country’s laws
• Protocols
• PPTP (weakest)
• L2TP/Ipsec
• SSL/TLS
• OpenVPN
• Opensource vpn software

Secure Shell (SSH)
• SSH is a cryptographic network protocol for operating network
services securely over an unsecured network.
• The best known example application is for remote login to computer
systems by users.
• SSH can be used to create encrypted tunnels and forward port traffic.

SSH How-to
• Remote
• ssh –R remote_port
• Static (redirect a local connection to a remote ip:port)
• ssh –L local_port:remote_ip:remote_port user@host
• ssh –L 10000:10.10.10.10:80 user@host
• Dynamic (socks v5)
• ssh –D local_port user@host
• ssh –D 10000 user@host
• Other options
• -f (sent to backgrond
• -N (prevent execution on remote server
• -o (send proxy command)
6/22/2017

Watch out for sides channels,
… and metadata!

Cautions with Tor
• Traffic on exit nodes can be captured/sniffed, exit nodes
should not (NEVER) be trusted.
• Incompatible applications can bypass Tor and reveal your
location/personal information
• “User” fingerprinting may be possible
• User agent, OS, plugins, etc…
• Client side scripting can collect valuable information

Metadata
• With whom do you communicate?
• Telephone, Email, Text/SMS, Chat
• What is you pattern of communication?
• frequency, periods of time, volume, time line
• Where do you go and who goes to the same “place”?
• “places” you visit

Immersion at MIT
https://immersion.media.mit.edu/
• Immersion presents users with a number of different perspectives of their
email data.
• It provides a tool for self-reflection at a time where the zeitgeist is one of
self-promotion.
• It provides an artistic representation that exists only in the presence of the
visitor.
• It helps explore privacy by showing users data that they have already
shared with others.
• Finally, it presents users wanting to be more strategic with their
professional interactions, with a map to plan more effectively who they
connect with.

Thanks!
josequinones@codefidelio.org
@josequinones

Cryto Party at CCU

More Related Content

What's hot

Similar to Cryto Party at CCU

More from Jose L. Quiñones-Borrero

Recently uploaded

Cryto Party at CCU