Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither is a digital impersonation.

To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons.

This is how it works:

  1. Two people, Person A and Person B, sit in front of the same computer and open this page;
  2. They input their respective names (e.g. Alice and Bob) on the same page, and click “Generate”;
  3. The page will generate two TOTP QR codes, one for Alice and one for Bob;
  4. Alice and Bob scan the respective QR code into a TOTP mobile app (such as Authy or Google Authenticator) on their respective mobile phones;
  5. In the future, when Alice speaks with Bob over the phone or over video call, and wants to verify the identity of Bob, Alice asks Bob to provide the 6-digit TOTP code from the mobile app. If the code matches what Alice has on her own phone, then Alice has more confidence that she is speaking with the real Bob.

Simple, and clever.

Interesting analysis: An Internet Voting System Fatally Flawed in Creative New Ways.

Abstract: The recently published “MERGE” protocol is designed to be used in the prototype CAC-vote system. The voting kiosk and protocol transmit votes over the internet and then transmit voter-verifiable paper ballots through the mail. In the MERGE protocol, the votes transmitted over the internet are used to tabulate the results and determine the winners, but audits and recounts use the paper ballots that arrive in time. The enunciated motivation for the protocol is to allow (electronic) votes from overseas military voters to be included in preliminary results before a (paper) ballot is received from the voter. MERGE contains interesting ideas that are not inherently unsound; but to make the system trustworthy—to apply the MERGE protocol—would require major changes to the laws, practices, and technical and logistical abilities of U.S. election jurisdictions. The gap between theory and practice is large and unbridgeable for the foreseeable future. Promoters of this research project at DARPA, the agency that sponsored the research, should acknowledge that MERGE is internet voting (election results rely on votes transmitted over the internet except in the event of a full hand count) and refrain from claiming that it could be a component of trustworthy elections without sweeping changes to election law and election administration throughout the U.S.

New attack against the RADIUS authentication protocol:

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

This is one of those vulnerabilities that comes with a cool name, its own website, and a logo.

News article. Research paper.

It seems that the FCC might be fixing the vulnerabilities in SS7 and the Diameter protocol:

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers’ locations.

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and, if known, the attacker’s identity.

This time frame is significant because in 2018, the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC, issued several security best practices to prevent network intrusions and unauthorized location tracking.

I have written about this over the past decade.

Network security protocols are designed to safeguard computer networks from unauthorized access, data breaches, and other cyber threats. Here are some common types of network security protocols:

Secure Sockets Layer (SSL) / Transport Layer Security (TLS): SSL and its successor TLS are cryptographic protocols that provide secure communication over a computer network. They are commonly used to secure web transactions, such as those conducted in online banking and e-commerce.

IPsec (Internet Protocol Security): IPsec operates at the network layer and is used to secure Internet Protocol (IP) communications. It can provide encryption, authentication, and integrity verification, making it widely used in Virtual Private Networks (VPNs).

Wi-Fi Protected Access (WPA) / WPA2 / WPA3: These are security protocols designed to secure wireless computer networks. They are used to encrypt data transmitted over Wi-Fi networks and protect them from unauthorized access.

Firewall Rules (e.g., for TCP/IP, UDP): Firewalls inspect traffic at the level of protocols such as TCP/IP and UDP to control and monitor incoming and outgoing network traffic. They can be hardware- or software-based and act as a barrier between a trusted internal network and untrusted external networks.

Intrusion Detection System (IDS) / Intrusion Prevention System (IPS): While not exactly protocols, IDS and IPS systems use various techniques to detect and prevent unauthorized access and attacks. They analyze network traffic for suspicious patterns or anomalies.

Virtual Private Network (VPN) Protocols (e.g., PPTP, L2TP/IPsec, OpenVPN): VPNs use different protocols to create a secure, encrypted tunnel over an existing network. Protocols like PPTP, L2TP/IPsec, and OpenVPN are commonly used for establishing secure connections over the internet.

Simple Network Management Protocol (SNMP): SNMP is a protocol used for network management and monitoring. While its primary purpose is not security, it plays a role in network security by allowing administrators to monitor and manage network devices.

Secure File Transfer Protocols (e.g., SFTP, SCP, FTPS): These protocols provide secure methods for transferring files over a network. They often use encryption and authentication mechanisms to protect data during transfer.

DNS Security Extensions (DNSSEC): DNSSEC is a suite of extensions to DNS that adds an additional layer of security by digitally signing data to ensure its integrity and authenticity.

Pretty Good Privacy (PGP) / GNU Privacy Guard (GPG): PGP and GPG are used for securing email communications. They provide encryption and digital signatures to ensure the confidentiality and authenticity of email messages.

It’s important to note that new security protocols may emerge over time, and the landscape of network security is continually evolving. Always ensure that your network security measures are up to date with the latest industry standards and best practices.

The post How many types of Network Security protocols exist appeared first on Cybersecurity Insiders.

Interesting analysis:

This paper discusses the protocol used for electing the Doge of Venice between 1268 and the end of the Republic in 1797. We will show that it has some useful properties that in addition to being interesting in themselves, also suggest that its fundamental design principle is worth investigating for application to leader election protocols in computer science. For example, it gives some opportunities to minorities while ensuring that more popular candidates are more likely to win, and offers some resistance to corruption of voters.

The most obvious feature of this protocol is that it is complicated and would have taken a long time to carry out. We will also advance a hypothesis as to why it is so complicated, and describe a simplified protocol with very similar properties.

And the conclusion:

Schneier has used the phrase “security theatre” to describe public actions which do not increase security, but which are designed to make the public think that the organization carrying out the actions is taking security seriously. (He describes some examples of this in response to the 9/11 suicide attacks.) This phrase is usually used pejoratively. However, security theatre has positive aspects too, provided that it is not used as a substitute for actions that would actually improve security. In the context of the election of the Doge, the complexity of the protocol had the effect that all the oligarchs took part in a long, involved ritual in which they demonstrated individually and collectively to each other that they took seriously their responsibility to try to elect a Doge who would act for the good of Venice, and also that they would submit to the rule of the Doge after he was elected. This demonstration was particularly important given the disastrous consequences in other Mediaeval Italian city states of unsuitable rulers or civil strife between different aristocratic factions.

It would have served, too, as commercial brand-building for Venice, reassuring the oligarchs’ customers and trading partners that the city was likely to remain stable and business-friendly. After the election, the security theatre continued for several days of elaborate processions and parties. There is also some evidence of security theatre outside the election period. A 16th century engraving by Mateo Pagan depicting the lavish parade which took place in Venice each year on Palm Sunday shows the balotino in the parade, in a prominent position—next to the Grand Chancellor—and dressed in what appears to be a special costume.

I like that this paper has been accepted at a cybersecurity conference.

And, for the record, I have written about the positive aspects of security theater.