User Controlled Encryption (UCE) taking the internet by storm

page: 2
6
<< 1    3 >>

log in

join

posted on Feb, 24 2013 @ 09:20 PM
link   


Yes but it has it's many flaws. If one of the many certificate authorities are compromised (and it has happened before) all hell can break loose. Plus there's a lot of evidence that the certificate authorities are working with government agencies to decrypt user connections. This model I suggest is much more decentralized and gives the power back to the user in the same way that the model you described does.


as you point out the CAs are a week point in the system,
any centrally managed system is a target for people to attack,
thing is what do you use to create a trusted relationship between two parties? reputation?



User/server encryption is my plan. User to user would be peer to peer and my suggestion has nothing to do with that. I plan to use public key cryptography to establish a secure line of transmission between the server and browser. Most of the page can be sent unencrypted by the sensitive stuff can be encrypted. One of the main problems with the https protocol is the amount of overhead wasted by encrypting everything when only certain things such as password transmissions need to be encrypted.
edit on 24/2/2013 by ChaoticOrder because: (no reason given)


serving up secure and non secure content (mixed content) is a problem as non secure content can be altered during transit, in fact encrypting the entire page would be more secure,

unless you encrypt the connection and separably encrypt the content, but as you point out
over head.

xploder
edit on 24/2/13 by XPLodER because: (no reason given)




posted on Feb, 24 2013 @ 09:36 PM
link   
reply to post by ChaoticOrder
 



User/server encryption is my plan. User to user would be peer to peer and my suggestion has nothing to do with that. I plan to use public key cryptography to establish a secure line of transmission between the server and browser


i think you should do it

be part of the solution

i hope you make it open source so everyone can use it

xploder



posted on Feb, 24 2013 @ 10:06 PM
link   
reply to post by XPLodER
 


The framework I'm using now depends on the the very first response from the server being legitimate. If this first response is legitimate a highly secure line of transmission can be established. Obviously this is not perfect, but it's much better than an entirely unencrypted session. However I believe that with the addition of a browser plugin to manage part of the public key exchange this process can be made entirely secure and much faster, and requiring a browser plugin is better than requiring certificate authorities. You also have a point about mixing content, but if you can properly filter HTML for JavaScript you can display all the HTML safely and encrypt the dynamic parts of the page.
edit on 24/2/2013 by ChaoticOrder because: (no reason given)



posted on Feb, 24 2013 @ 10:15 PM
link   
reply to post by XPLodER
 




another interesting idea is the public/ private key combination becomes the public key for a second public/private key pair,


I do have some concerns about this one. Public / private keys work because the private key remains private. If this private key is going to even briefly made public the whole encryption process is exposed. There is a lot of complex math going on and does come down to the implementation as our words and understanding can have limitations in describing the actual specifics.

As for how public / private key combinations are derived, if it is easy to define the private key from this secondary key pair, then it is also easy to hack and break. It is very easy to end up with a convoluted mess as it is very difficult to balance security with usability. Personally I would only use the tools as they are designed and avoid this reuse. I am not sure on the recursive capabilities of public/private keys and would want it thoroughly investigated before putting any weight on it. Maybe it is possible with a few tweaks, maybe it is not.



posted on Feb, 24 2013 @ 10:38 PM
link   
reply to post by ChaoticOrder
 


using HTML5 and the "web workers" to run java in the background you should not need a plug in,
it is native to HTML5,

you should be able to run the encryption without plug ins

xploder



posted on Feb, 24 2013 @ 10:57 PM
link   


another interesting idea is the public/ private key combination becomes the public key for a second public/private key pair,



I do have some concerns about this one. Public / private keys work because the private key remains private. If this private key is going to even briefly made public the whole encryption process is exposed. There is a lot of complex math going on and does come down to the implementation as our words and understanding can have limitations in describing the actual specifics.


in this case both private keys stay private, i was just shooting from the hip



As for how public / private key combinations are derived, if it is easy to define the private key from this secondary key pair, then it is also easy to hack and break. It is very easy to end up with a convoluted mess as it is very difficult to balance security with usability. Personally I would only use the tools as they are designed and avoid this reuse. I am not sure on the recursive capabilities of public/private keys and would want it thoroughly investigated before putting any weight on it. Maybe it is possible with a few tweaks, maybe it is not.


i agree that the time tested methods are always more secure, as the have been studied for flaws,

this idea is for very different implementations than previously discussed,
where large complex equations would create to much overhead "locally" but the second round of encryption (on the server) can handle much larger operations.

could be useful for mobile phones to reduce the power consumption.
although most phones have chips that can preform these operations internally for very little effort.

xploder
edit on 24/2/13 by XPLodER because: (no reason given)



posted on Feb, 24 2013 @ 11:07 PM
link   
reply to post by kwakakev
 



I am not sure on the recursive capabilities of public/private keys and would want it thoroughly investigated before putting any weight on it. Maybe it is possible with a few tweaks, maybe it is not.


in theory i can see how it would work, but putting it to work in practice may prove problematic

i like the keep it simple motto,
less to go wrong

xploder



posted on Feb, 25 2013 @ 04:31 AM
link   
reply to post by XPLodER
 


Buzzword bingo detected. The principle sounds just like warmed over public key crypto, and it will never see widespread adoption because companies want easy access to their users' data. This is, after all, how they make money.



posted on Feb, 25 2013 @ 09:41 AM
link   
reply to post by XPLodER
 




where large complex equations would create to much overhead "locally" but the second round of encryption (on the server) can handle much larger operations.


To really beef up security, instead of moving towards more complex algorithms, move towards longer keys. The one time pad is the most secure encryption available as the key is as long as the message. Even with a fast and simple XOR encryption it is impossible to crack as long as a truly random source is used. It does add more overhead to memory, but not processing. This is why I expect there have been national security limits on the key lengths used with encryption.

While such a technique does have its place in some situations, it also has some problems in maintaining and protecting the keys as they can become quite large if a lot of data is encrypted. It is not the kind of thing your average computer user wants to contend with as any mistakes can suddenly make the whole lot unreadable.

One future concern I do have for processor intensive encryptions like Blowfish and others is with how Rainbow tables are becoming a growing business for quickly defeating hashes. MD5 is now rendered obsolete for any security functions due to this, but still works ok for file verifications. With enough computing resources it will become feasible, maybe even profitable for similar tables to help beat other commonly used encryption methods as well. Just keep a heads up with any methods employed as it is a dynamic environment.

One thing I have found with programming, the clearer you can define what you want the better your chance in getting it.



posted on Feb, 25 2013 @ 09:53 AM
link   
reply to post by HattoriHanzou
 


People are just as much to blame as the technology has been out their for quite some time, but still in the too hard basket or just not required for most. Personally I like to get new passwords emailed to me when I forget them and I have not had the need to take control and fully encrypt everything I do. If people in general where more paranoid and had better memories then I would expect to see a lot more user control on encryption matters as the technology has and continues to evolve.



posted on Feb, 25 2013 @ 10:09 AM
link   

Originally posted by XPLodER


the fact that this technology doesn't require a "local install" of software also means that you are not required to know "how" complex encryption works, and also means that you dont need to know "how" to set it up to be secure.


Increased levels of ignorance do not equate to increased layers of security.


so how does it work,...snip


We aready have SSL.



posted on Feb, 25 2013 @ 01:07 PM
link   

Originally posted by HattoriHanzou
reply to post by XPLodER
 


Buzzword bingo detected. The principle sounds just like warmed over public key crypto, and it will never see widespread adoption because companies want easy access to their users' data. This is, after all, how they make money.


the idea prevents unauthorized access to password lists, (each user holds the keys)
it enables a secure connection, (your account can only be accessed with your key)
it prevents third party advertisers, (but still allows first party advertisers)
can be used with public facing sights, (blogs twitter face book ect)

there are major advantages when using public wifi, (packet sniffing, secure connection)

so any "public facing data" stays the same, but private data (user name password email) can be secured,

i dont object to public data being available, but "private identifying data" is not being protected from exploitation

xploder



posted on Feb, 25 2013 @ 01:13 PM
link   
reply to post by XPLodER
 


The problem is that the private data - user / pass pair - is part of the total data package that is desired by the people operating these free services.

We already have one-way hashing as a way to protect passwords, and SSL / HTTPS is still good enough for protecting data in transit.

Frankly this sounds like a new buzzword which is being promoted. Also, no mention of the algorithm? No analysis by cryptographers? Without those things this is a non-announcement.



posted on Feb, 25 2013 @ 01:20 PM
link   

Originally posted by HattoriHanzou
reply to post by XPLodER
 


Buzzword bingo detected. The principle sounds just like warmed over public key crypto, and it will never see widespread adoption because companies want easy access to their users' data. This is, after all, how they make money.



Although Twitter is looking for an engineer to implement two-factor authentication for its users, it still won't prevent a repeat of the recent attack that saw 250,000 users exposed, according to OneID founder Steve Kirsch.

Two-factor authentication provides an additional effective step to thwart would-be attackers from taking over users' accounts, but it is currently not an option for Twitter users. On the back of recent attacks on the site, many have been calling for Twitter to implement it, but, according to Kirsch, even if Twitter does roll out the security measure, it won't prevent the attack from occurring.

While not dismissing two-factor authentication systems' effectiveness at preventing existing phishing attacks from being successful, Kirsch said that the number of people signing up for it in existing services is abysmal, and doesn't do much for improving overall security.


www.zdnet.com...

the lesson is if it is to hard to use, nobody will use it,

you sound more concerned with advertising revenue than keeping personal identifying information secure,
while i understand a web sights need to make money that should not be a the cost of personal privacy.

you dont seem to understand how UCE works and yet claim bingo,
well if you can tell the difference in security terms from centrally managed passwords, and user controlled passwords and why the model is vastly different then im sure explaining it to you would be as useful as playing a game of bingo with a chicken.

feel sorry for advertisers and not users, i think you have your priorities in the wrong place.

xploder



posted on Feb, 25 2013 @ 01:27 PM
link   

Originally posted by XPLodER

Originally posted by HattoriHanzou
reply to post by XPLodER
 


Buzzword bingo detected. The principle sounds just like warmed over public key crypto, and it will never see widespread adoption because companies want easy access to their users' data. This is, after all, how they make money.



Although Twitter is looking for an engineer to implement two-factor authentication for its users, it still won't prevent a repeat of the recent attack that saw 250,000 users exposed, according to OneID founder Steve Kirsch.

Two-factor authentication provides an additional effective step to thwart would-be attackers from taking over users' accounts, but it is currently not an option for Twitter users. On the back of recent attacks on the site, many have been calling for Twitter to implement it, but, according to Kirsch, even if Twitter does roll out the security measure, it won't prevent the attack from occurring.

While not dismissing two-factor authentication systems' effectiveness at preventing existing phishing attacks from being successful, Kirsch said that the number of people signing up for it in existing services is abysmal, and doesn't do much for improving overall security.


www.zdnet.com...

the lesson is if it is to hard to use, nobody will use it,

you sound more concerned with advertising revenue than keeping personal identifying information secure,
while i understand a web sights need to make money that should not be a the cost of personal privacy.

you dont seem to understand how UCE works and yet claim bingo,
well if you can tell the difference in security terms from centrally managed passwords, and user controlled passwords and why the model is vastly different then im sure explaining it to you would be as useful as playing a game of bingo with a chicken.

feel sorry for advertisers and not users, i think you have your priorities in the wrong place.

xploder



Heh, you don't understand how these big web sites think. Their users are their PRODUCT. For this magical UCE technology to be put in place, you have to show a benefit for the site owners AND the users. If there is anything that impacts Twitter or Facebooks chances of seeing the user's private data, they will not implement it.

I don't feel sorry for the users of most web sites. They are usually oblivious and oblivious people do not deserve pity. And the site owners? I have been in a war with them for a decade, blocking their ads and cross site tracking schemes that they all seem to favor.



posted on Feb, 25 2013 @ 01:49 PM
link   


where large complex equations would create to much overhead "locally" but the second round of encryption (on the server) can handle much larger operations.



To really beef up security, instead of moving towards more complex algorithms, move towards longer keys. The one time pad is the most secure encryption available as the key is as long as the message. Even with a fast and simple XOR encryption it is impossible to crack as long as a truly random source is used. It does add more overhead to memory, but not processing. This is why I expect there have been national security limits on the key lengths used with encryption.


i agree with what you are saying, but using publicly recognised standards is important for end user trust, RSA or AES is something that has wide spread acceptance, and can be used for law enforcement personal and for medical records and ect.

IMHO it is more important to provide ubiquitous encryption for everyone, using best practices
this article was about the mass adoption of UCE, for user protection. i believe a simple easy to use system could be widly adopted, to provide "privacy and security" and at the same time. staying "within industry best practices" is important for trust of end users.


While such a technique does have its place in some situations, it also has some problems in maintaining and protecting the keys as they can become quite large if a lot of data is encrypted. It is not the kind of thing your average computer user wants to contend with as any mistakes can suddenly make the whole lot unreadable.


agreed, ultimately if the system is to difficult to use, it wont be
a system of data security is required for "reliable" encrypt/decrypt operations, this can be handy for transportation reasons as well.


One future concern I do have for processor intensive encryptions like Blowfish and others is with how Rainbow tables are becoming a growing business for quickly defeating hashes. MD5 is now rendered obsolete for any security functions due to this, but still works ok for file verifications. With enough computing resources it will become feasible, maybe even profitable for similar tables to help beat other commonly used encryption methods as well. Just keep a heads up with any methods employed as it is a dynamic environment.


cat and mouse game im afraid, and the problem being time
over time computing resources will become cheaper,
and cloud computation allows for much faster throughput



One thing I have found with programming, the clearer you can define what you want the better your chance in getting it.


amen to that


xploder



posted on Feb, 25 2013 @ 01:50 PM
link   
reply to post by XPLodER
 


I really appreciate your posting this topic. I think that this tech. would frustrate TIFA efforts internally and could also be abused to allow terrorists to communicate overseas without the hassle of having to use code words. As far as identity theft goes though, it appears to be fix-all.



posted on Feb, 25 2013 @ 02:00 PM
link   

Originally posted by HattoriHanzou
reply to post by XPLodER
 


The problem is that the private data - user / pass pair - is part of the total data package that is desired by the people operating these free services.


for "directed" advertising? what can advertisers not just do what print ads do?
tents advertised in camping web-sights?sorry but i dont buy into your argument at all, especially if they cant keep my private information private!!!!!!


We already have one-way hashing as a way to protect passwords, and SSL / HTTPS is still good enough for protecting data in transit.


on the user end i agree, but with more and more companies server networks being breached, and hashed passwords stolen, dont you think its time to redesign the system, not just paper over the problem?


Frankly this sounds like a new buzzword which is being promoted. Also, no mention of the algorithm? No analysis by cryptographers? Without those things this is a non-announcement.


let me explain, USER CONTROLLED ENCRYPTION
only YOU have access, there is no central password store to be attacked.

i think the software will be in the hands of experts soon enough, and detailed crypto analysis in the lower non abstract layers has seen some minor improvements already.

the next step would be getting it into the hands of the universities.
that is why i wrote the OP,
it looks like that is about to happen.

xploder



posted on Feb, 25 2013 @ 02:12 PM
link   
reply to post by HattoriHanzou
 


Heh, you don't understand how these big web sites think. Their users are their PRODUCT. For this magical UCE technology to be put in place, you have to show a benefit for the site owners AND the users. If there is anything that impacts Twitter or Facebooks chances of seeing the user's private data, they will not implement it.

I don't feel sorry for the users of most web sites. They are usually oblivious and oblivious people do not deserve pity. And the site owners? I have been in a war with them for a decade, blocking their ads and cross site tracking schemes that they all seem to favor.


well twitter uses HTTPS for user privacy and security, in that case the "tweets" themselves are the advertising

and the public facing nature of tweets are the product, not the private user information, yes it does help with "directed" advertising, but when you can "tweet" you dont need exterior "direction of advertising"

well only "first party advertisers" would be able to push ads at you and third party tracking would be denied.

with UCE cross sight scripting would be virtually imposable.
facebook is not interested in privacy, and should not be confused with sights that consider privacy as "important"



ps i wound not use Facebook if you payed me

xploder



posted on Feb, 25 2013 @ 02:29 PM
link   

Originally posted by th3dudeabides
reply to post by XPLodER
 


I really appreciate your posting this topic. I think that this tech. would frustrate TIFA efforts internally and could also be abused to allow terrorists to communicate overseas without the hassle of having to use code words. As far as identity theft goes though, it appears to be fix-all.


according to the New Zealand privacy commissioners report 2013,


privacy.org.nz...

it is the "best practice" suggested by our privacy commissioner that encrypted storage and encrypted connections to be used for cloud storage,

in fact in my country storing personal identifying information "unsecured" can bring fines if that information is "disclosed" to third parties.

if this is "best industry practice" for "cloud" computing resources or storage, why should "blogs" or other websights with personally identifying information be any different.?

there are "thousands" of other ways terrorists can communicate,
so do i have to give up my privacy "just in case"?

cars can be used by terrorists, should we ban them ALL as well?

cassette tapes can be used to pass terrorist "codes" do we ban them ALL as well?

what about pieces of paper?

should we ban encrypted connections to banks "because it could be used by criminals"?

xploder





new topics
top topics
 
6
<< 1    3 >>

log in

join