Help ATS with a contribution via PayPal:
learn more

User Controlled Encryption (UCE) taking the internet by storm

page: 1
6
<<   2  3 >>

log in

join

posted on Feb, 24 2013 @ 02:22 PM
link   
this is in science because there is a science to encryption.

i have been on the world wide web for about as long as it has existed, and have studied most of the changes to technology as it has progressed, and have been a little quiet about UCE (user controlled encryption) because i wanted to understand its implementation before i commented on it.

in recent weeks a stream of high profile hacks have taken place across the net, some of the giants of the web have had there server networks compromised, user passwords stolen and commercial secrets stolen, this has been the reason for the calls from some governments around the world to push for "cyber warfare" capabilities and for legislation to allow "sharing" of user information.

when you can plainly see a broken system, you design a new one, you don't continue using the broken system, and remove peoples rights to privacy, because someone else is breaking the law.

this is why UCE is looking like a candidate for securing web sights, critical infrastructure and makes user passwords very difficult to "harvest"

a milestone in the evolution of UCE is when it is secure enough to supply the software to others to use, this signifies that the "logic" of the encryption is correct.

so far UCE has been in the wild for 6 weeks, and to date it has not been compromised, and now it looks like the software will be supplied "white label" to universities so they may use it for their students and staff,
this means the logic of the encryption model will be open to scrutiny and investigation by some of the best universities around the world.

it is this reason that leads me to believe we are witnessing the "birth" of a new para-dime in internet security,
that could help remove the ability to harvest centrally stored password hashes, and allows for "always up to date" software because of the delivery mechanism of the software over HTTPS using the functionality of HTML5.

one reason why so many recent hacks have worked is something called a zero day exploit,
and unless every server or PC on the planet, updates software or updates to the latest "patch" there is a way for hackers to gain access to sensitive information.

in security terms "patching" and updating can be time consuming and "testing" of patches before deployment into the working environment is required in case unexpected results stop the server from functioning as expected.

that is why a UCE is more secure and less expensive to maintain, the system can deploy patches and updates AT the back-end (server) and "push" out updated software every-time the user connects to the service.
this means no updates that can crash your system, no patches that require extensive testing before deployment.

these are no small changes to the "web security model"
instead of relying on every server to be up to date and patched to achieve security, the security comes from the service being delivered in a secure manner, (this does not mean you can be sloppy with updates)

the fact that this technology doesn't require a "local install" of software also means that you are not required to know "how" complex encryption works, and also means that you dont need to know "how" to set it up to be secure.

"if something is simple to use and effective" it will be adopted and enjoyed by a large segment of the population, and if it is as fast or faster than current technology it will become the "standard" other will have to compete with.

UCE uses the "local" pc to handle the "heavy encryption" and the passwords are handled by the user not the server, this means that there is no password list to target, and access is "end to end" making it much more difficult to gain unsecured access. because the server doesnt have the encryption keys the data is useless to hackers if they break in and large password resets for huge numbers of users in not required.

so how does it work,

User controlled encryption is where the user "holds" the encryption key,
and the server holds the "encrypted" files, the server cannot access the files, and neither can hackers if they gain access.

a user goes to a web sight with UCE and the web page requests an encrypted secure connection to be established between the server and the user, this HTTPS encryption allows for the secure delivery of an encryption program to the web browser, this program then loads "inside" the web browser, and encrypts everything coming and going from the end users PC over the encrypted HTTPS connection

so both the "connection" and the transferred "files" are encrypted

because the connection is encrypted, and because the files being transmitted are encrypted,
it makes it exceedingly difficult for anyone to gain access to your computer or your transmitted files.

so if this model was deployed across the web, users would be more secure, their personal information would be
more secure, and because the software is distributed every-time a user needs it, its always up to date, removing the need for extensive compatibility testing.

by offering the software as "white-label" (unbranded) it would seem that the software and encryption is secure enough so that even with a copy of the code the users are still safe. (open to be scrutinised)

if this is the case then UCE can be used to solve "most" of the security problems that allow hackers to gain access,
and can be used to secure critical systems infrastructure and private user data with no central password store to be a target.

instead of a cat and mouse game with security UCE promises secure end to end encryption to the masses,
and in doing so would also bring security to the large giant internet companies.

this technology looks like it could change the way we access and store information on the web and if it is supplied to universities it means the UCE encryption methods are secure enough to be put to test by some of the luminaries
of the security world.

i look forward to a future where we dont keep hearing about massive security breaches where user data is stolen,
that is the promise of UCE. a secure safe and easy to use security model that could be deployed world wide.

no more cat and mouse and no more bad legislation, that is the reason i think UCE will become the standard of privacy and security in the very near future, because it is simple and it fixes many of the problems of the current security models.

so instead of going to cyber war or removing the rights of net citizens why dont we just secure the net with UCE?



xploder









edit on 24/2/13 by XPLodER because: (no reason given)




posted on Feb, 24 2013 @ 03:00 PM
link   
sounds good over all but i'm sure that like most things it can be broken given enough interest and the fact that the server will have to agree with the client over version details will allow compromised systems to be fooled

and at the end of the day does it matter if the person you want to keep the data from can just turn up with a warrant and access the target system as its like anything if a judge can sign a form to give access then it don't matter what encryption you used to transfer the data as they can read it native format at the other end.



posted on Feb, 24 2013 @ 03:12 PM
link   

Originally posted by Maxatoria
sounds good over all but i'm sure that like most things it can be broken given enough interest and the fact that the server will have to agree with the client over version details will allow compromised systems to be fooled.


i think the fact that UCE is being supplied to universities for their use will make UCE more secure over time.
the basic encryption techniques are all well known, it is the application that will have to endure scrutiny, by some of the worlds best security researches. by using TLS there is years worth of security testing underpinning the security profile of UCE


and at the end of the day does it matter if the person you want to keep the data from can just turn up with a warrant and access the target system as its like anything if a judge can sign a form to give access then it don't matter what encryption you used to transfer the data as they can read it native format at the other end.


in my country in the latest release from the privacy commission's report for 2013 requires ALL personal data to be both encrypted during transportation and encrypted while in storage. UCE conforms to this by using end to end encryption and encryption "prior" to transposition of the transmitted files.

this is a privacy issue not a criminal issue, ie in new zealand you can face fines for realeasing private customer information ect.

the system is designed for legal protection from prosecution for breaches of personal identifying information stored by third parties. (and the loss of business that comes with bad PR)

xploder



posted on Feb, 24 2013 @ 03:31 PM
link   
Personally it probably won't take off due to there being no 'admin' oops I've forgotten my password can i get at my data so it will be a niche market thing for people who are willing to keep their data secret even if they forget the password and are willing to take the risk where as in the IT business passwords are expected to be changed etc by the sysadmin



posted on Feb, 24 2013 @ 03:38 PM
link   
reply to post by Maxatoria
 


even mobile phone operators are starting to explore the future of "in browser encryption"
that under pins UCE


AT&T-Mozilla “WebPhone” gives a glimpse of the dumb pipe future



By combining Firefox's new WebRTC support, Ericsson's Web Communication Gateway, and AT&T's API Platform, Mozilla has demonstrated calls, text messages, and video calls all being made from within the browser. It's all in a proof-of-concept application AT&T calls WebPhone, and Mozilla will demonstrate WebPhone next week at the Mobile World Congress conference.

With the right phone operator support, the plugin-free technology can potentially offer a full range of telephony services through the browser. This decouples traditional phone services from the phone itself, potentially enabling access to the phone and text messages from anywhere with an Internet connection and WebRTC-enabled browser. The demo is currently limited in scope, with AT&T planning to roll out an alpha version of the full API "in the near future."

AT&T describes WebPhone as a "vision for the future of seamlessly integrated communication." More than that, however, it's a vision for the network operator as dumb pipe provider. Put that browser on a phone—perhaps one running Firefox OS—and you can do away with the voice connection entirely. Just place everything, voice and data alike, over the data connection.


arstechnica.com...

so its not just meag.co.nz that is using the UCE model,
and its more than just data files that will be secured using the UCE model,

in this case the mobile phone browser will be using UCE combined with "dumb pipe" routing to allow phones to be more secure with voice video and data,

this removes the need for "switched" telephony networks and replaces traditional phone service with internet phone services using "data" costs not "minutes" cost plans

this is both more private and more secure.

while the model mobile phones use wont be direct user controlled passwords,
the browser will be used to "hold" the encryption keys "at the users end" and will be discarded after each use.

in this manner phone users will be using the UCE model,

this uses a similar end to end encryption model using the HTML5 in moden web browsers and HTTPS to secure "connection" , with the keys stored in the browser of the users.

i prefer the mega.co.nz model as the user actually has to input the password, to use the "dumb pipes" which makes getting access to stored encrypted data virtually imposable.

xploder


edit on 24/2/13 by XPLodER because: (no reason given)



posted on Feb, 24 2013 @ 03:51 PM
link   

Originally posted by Maxatoria
Personally it probably won't take off due to there being no 'admin' oops I've forgotten my password can i get at my data so it will be a niche market thing for people who are willing to keep their data secret even if they forget the password and are willing to take the risk where as in the IT business passwords are expected to be changed etc by the sysadmin


you are correct,
changing passwords is possible,
but password recovery is imposable,

the mobile phone model is encrypted connection but not encrypted data on the fly,(ie files are not encryted)
and as the browser "generates" a new key for every new connection made, so you cant "forget" you password key,

but most people can remember a single long password phrase,

and password resets are commonly used by hackers to gain access to other peoples accounts,
so this can be seen as an advantage, in security terms.

the best password phrases i know of use abbreviations like text speak and phrases from poetry.

they are hard to dictionary attack and easy to remember.

choose your pass phrase carefully, and you wont have a problem

rough rough rough your boat b4 you 8em pyz

rhyming pass phrases are easer to remember

(im no poet)

xploder



posted on Feb, 24 2013 @ 04:05 PM
link   
as an old machine code programmer, that was a slow, and inaccurate keyboard jock (reason i quit and went into networking)....there is an equally old adage that still applies today...."what can be written, can be read"....if you can show logically, and/or diagramed.... "how" this UCE... CAN'T BE...backdoored, hacked, or a website with the details...i might take it seriously



posted on Feb, 24 2013 @ 04:05 PM
link   
There are some encryption programs that you can use.
AES
en.wikipedia.org...

PGP
en.wikipedia.org...

and GnuPG
en.wikipedia.org...

There is one from an old Soviet Block country that is illegal to use, I just can't think of it.



posted on Feb, 24 2013 @ 04:19 PM
link   

Originally posted by jimmyx
as an old machine code programmer, that was a slow, and inaccurate keyboard jock (reason i quit and went into networking)....there is an equally old adage that still applies today...."what can be written, can be read"....if you can show logically, and/or diagramed.... "how" this UCE... CAN'T BE...backdoored, hacked, or a website with the details...i might take it seriously


why would i supply technical details to make hacking it easyer?

if you can hack an ongoing HTTPS connection and AES encryption you would have other targets to attack that could give you a much bigger payout,

you dont have to out run a bear, you just have to be faster than the slowest runner among you.

the main reason i wrote this OP is because the software is being offered to universities in a white label format,
this means that the logic of the encryption is secure even when the code is available to scrutiny.

in fact some of the best security experts will soon have their hands on the software, and im sure if there are any flaws in the logic of the system they will be found in short order.

so i think i will wait for the experts to comment on its security before i open my big mouth on how well (i think) it works.



xploder
edit on 24/2/13 by XPLodER because: (no reason given)
edit on 24/2/13 by XPLodER because: (no reason given)



posted on Feb, 24 2013 @ 04:23 PM
link   

Originally posted by Violater1
There are some encryption programs that you can use.
AES
en.wikipedia.org...

PGP
en.wikipedia.org...

and GnuPG
en.wikipedia.org...

There is one from an old Soviet Block country that is illegal to use, I just can't think of it.


unless you understand "how" each of those encryption techniques "work"
and "how configuring" them works,

they are of little use to the average user,
that is one of the main advantages of UCE,

all they have to know is there password, as the whole thing is configured by experts, and delivered,
"ready to use"

xploder



posted on Feb, 24 2013 @ 04:49 PM
link   
Isnt this the encryption they use on the new site 'mega'. Ive seen some articles explaining how the encryption on mega is very unsafe.



posted on Feb, 24 2013 @ 05:10 PM
link   

Originally posted by PhoenixOD
Isnt this the encryption they use on the new site 'mega'. Ive seen some articles explaining how the encryption on mega is very unsafe.


i have been studying their methods and implementation,
most of the criticism was unwarranted, although welcomed.

you see the incumbents in the field have alot to lose if UCE becomes wide spread.
including advertisers and other security vendors and other cloud storage platforms.

the fact that mega.co.nz is looking to supply the code to universities to "use free" shows that the logic and encryption techniques are properly very secure, and at least up to the level of being scrutinized by security luminaries at the university level.

this is a sign that the system is secure, and safe even when the code can be examined by experts.

this is similar to open sourcing the code for peer review, and you would not do that with unsafe implementations.

the fact that money has been offered to anyone who can demonstrate "actual" security flaws, (theoretical or real world) shows that the system is secure.

microsoft, twitter, apple and others have been hacked in recent weeks,
even with a prize mega.co is still secure.

any new technology has to be proven in a real world scenario,
im sure if it was not safe they would not be supplying it free to the worlds best universities,
and into the hands of the worlds best cryptographers.

and they wouldn't offer money to break it.

6 weeks without being hacked so far.

i am interested to see what the universities say about its implementation
that would be who to listen to, not people with a market share to lose

xploder



posted on Feb, 24 2013 @ 05:20 PM
link   
reply to post by XPLodER
 


Im no expert in encryption but what do you make of this ;

fail0verflow.com...



posted on Feb, 24 2013 @ 06:12 PM
link   

Originally posted by PhoenixOD
reply to post by XPLodER
 


Im no expert in encryption but what do you make of this ;

fail0verflow.com...



nearly all of what is stated in that article is correct, some points are slightly incorrect in the context of the implementation,


You can then select the forged file in the file picker above again, to verify that it still has the same hash. If you were hosting one of Mega’s CDN nodes (or you were a government official of the CDN hoster’s jurisdiction), you could now take over Mega and steal users’ encryption keys. While Mega’s sales pitch is impressive, and their ideas are interesting, the implementation suffers from fatal flaws. This casts serious doubts over their entire operation and the competence of those behind it.


this is true of any CDN nodes for any authentication service, so i dont know why this would be specific to mega?



Update (2013-01-24): Mega has now switched to using SHA-256. They get points for fixing it quickly, but I wonder what other subtle or not-so-subtle security problems remain.


the more secure SHA-256 was implemented straight away,

being a centrally served resource, the security holes (theoretical and actual) were patched in short order,

here is a list of reported and fixed Vulnerability issues

The Results
Severity class VI: Fundamental and generally exploitable cryptographic design flaws
Class V and VI vulnerabilities:
- none reported -



Class IV vulnerabilities:
Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Mitigating factors: No static content servers had been operating in untrusted data centres at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers. Fixed within hours.


Class III vulnerabilities:
XSS through file and folder names. Mitigating factors: None. Fixed within hours.
XSS on the file download page. Mitigating factors: Chrome not vulnerable. Fixed within hours.
XSS in a third-party component (ZeroClipboard.swf). Mitigating factors: None. Fixed within hours.


Class II vulnerabilities:
XSS through strings passed from the API server to the download page (through three different vectors), the account page and the link export functionality. Mitigating factors – apart from the need to control an API server or successfully mounting a man-in-the-middle attack –: None. Fixed within hours.
Class I vulnerabilities:
HTTP Strict Transport Security header was missing. Fixed. Also, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome.
X-Frame-Options header was missing, causing a clickjacking/UI redressing risk. Fixed.

We believe that it would be premature to draw any conclusions at this time — barely three weeks after our launch and one week into the program. It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction. Needless to mention that nobody cracked any of the brute-force challenges yet (please check back in a few billion billion years).


mega.co.nz...

as you can see the cryptographic "theory" is good,
the implementation has the ability to mitigate any flaws in hours not weeks or months

the reported problems were minor but fixed within hours,
no other security software can claim to solve problems in implementation in HOURS

the biggest problem to date WAS the CBC issue, which was fixed within hours, and replaced with SHA-256
again this was done in hours not weeks.

in truth the heavy scrutiny has actually helped increase security,
and now it will be looked at in depth by universities, any theoretical flaws will also be explored and closed
in a more proactive manner.

the process of peer review should be seen as a positive not a negative.

6 weeks without getting hacked so far............

xploder



posted on Feb, 24 2013 @ 08:18 PM
link   
this same UCE model could be used in all sorts of web sights and all types of applications,
and could solve alot of security problems for alot of companies.

the idea that passwords need to be centrally managed is yesterdays thinking.
we can implement this model Taylor made for many different reasons,

but this model makes security easy and not intrusive or complex to use.

xploder
edit on 24/2/13 by XPLodER because: (no reason given)



posted on Feb, 24 2013 @ 08:49 PM
link   
reply to post by XPLodER
 



a user goes to a web sight with UCE and the web page requests an encrypted secure connection to be established between the server and the user, this HTTPS encryption allows for the secure delivery of an encryption program to the web browser, this program then loads "inside" the web browser, and encrypts everything coming and going from the end users PC over the encrypted HTTPS connection

But this still relies on SLL/HTTPS... so nothing has really changed. I want to take security certificates out of the picture as well. And I believe it's possible, I'm working on ways to do it with JavaScript based public key cryptography handled by the browser.



posted on Feb, 24 2013 @ 08:50 PM
link   
To safely store private information on the internet, UCE is the most common sense method. A big problem with encryption is how to safely transfer keys. If the key does not need to go anywhere and just remain with the user then there is no need to transfer it and risk potential exposure of it.

If the users system has been compromised with key loggers, packet sniffers and other system monitors then there is still a risk of the key being stolen. For Mega's system it does provide an added level of safety as each users system will need to be hacked to decrypt the whole lot. With a 2048 bit key it is going to take a lot of grunt to brute force it. If Mores law is still in effect, but the latest developments are under a national security blanket then the exponential growth of computer power will hack it some time in the future. With some of the proposed claims of quantum computing power, new algorithms and techniques will have to be developed. But the core concept of the key and encryption taking place on the users machine will remain strong.



posted on Feb, 24 2013 @ 09:00 PM
link   

Originally posted by ChaoticOrder
reply to post by XPLodER
 



a user goes to a web sight with UCE and the web page requests an encrypted secure connection to be established between the server and the user, this HTTPS encryption allows for the secure delivery of an encryption program to the web browser, this program then loads "inside" the web browser, and encrypts everything coming and going from the end users PC over the encrypted HTTPS connection

But this still relies on SLL/HTTPS... so nothing has really changed. I want to take security certificates out of the picture as well. And I believe it's possible, I'm working on ways to do it with JavaScript based public key cryptography handled by the browser.


this is very good to hear,
i really wish you well in your implementation,

SSL/HTTPS security model is well studied, and reliable.

in saying that an approach without certs would be an interesting idea,
are you looking at user to user encryption, end to end in the browser?

or browser to web server or both?

are you looking at encrypting the connection as well as the content?
ie two cryptographic hand shakes?

have you considered using DTLS

datagram transport layer security?
i do realise this would require certs, but would allow for a faster throughput

xploder



posted on Feb, 24 2013 @ 09:10 PM
link   
reply to post by XPLodER
 



SSL/HTTPS security model is well studied, and reliable.

Yes but it has it's many flaws. If one of the many certificate authorities are compromised (and it has happened before) all hell can break loose. Plus there's a lot of evidence that the certificate authorities are working with government agencies to decrypt user connections. This model I suggest is much more decentralized and gives the power back to the user in the same way that the model you described does.


are you looking at user to user encryption, end to end in the browser?

User/server encryption is my plan. User to user would be peer to peer and my suggestion has nothing to do with that. I plan to use public key cryptography to establish a secure line of transmission between the server and browser. Most of the page can be sent unencrypted but the sensitive stuff can be encrypted. One of the main problems with the https protocol is the amount of overhead wasted by encrypting everything when only certain things such as password transmissions need to be encrypted. Not to mention the cost of security certificates.
edit on 24/2/2013 by ChaoticOrder because: (no reason given)



posted on Feb, 24 2013 @ 09:10 PM
link   

Originally posted by kwakakev
To safely store private information on the internet, UCE is the most common sense method. A big problem with encryption is how to safely transfer keys. If the key does not need to go anywhere and just remain with the user then there is no need to transfer it and risk potential exposure of it.

If the users system has been compromised with key loggers, packet sniffers and other system monitors then there is still a risk of the key being stolen. For Mega's system it does provide an added level of safety as each users system will need to be hacked to decrypt the whole lot. With a 2048 bit key it is going to take a lot of grunt to brute force it. If Mores law is still in effect, but the latest developments are under a national security blanket then the exponential growth of computer power will hack it some time in the future. With some of the proposed claims of quantum computing power, new algorithms and techniques will have to be developed. But the core concept of the key and encryption taking place on the users machine will remain strong.


hi bud


another interesting idea is the public/ private key combination becomes the public key for a second public/private key pair,


you are correct about key loggers, there are screen based keyboard software, with mulitipule mouse pointers moving around, so that key loggers and screen shots are much less effective. but even with packet sniffers or a "man in the middle attack" you would find it difficult to collect enough of the hand shake exchange to do much good.

as for quantum computation, i dont think its as far off as we think,



xploder






top topics



 
6
<<   2  3 >>

log in

join