TylerBurton.ca

I have been meaning to write up a short post about this for a while, but thanks to the start of a new school term I have been a bit busy.

If you have seen the security news in the last month or so you will know that RSA-768, a 768bit or 232 decimal digit asymmetric key, has been broken (factored). This has important security repercussions for all of us because it is these public key algorithms like RSA, or ElGamal, that guard our online transactions, and e-mail conversations.

So just how much should we be worrying about this newest ‘break’?

When it comes to public key cryptography it is important to remember that their security is essentially in our inability to factor them quickly. The only real way that public key cryptography could be considered broken is if we find a way to drastically increase our ability to factor massive prime numbers. Thankfully that time is still far away. In fact after digging into the news articles a little more it quickly became obvious that the feat of factoring a 768bit key, while incredibly difficult, was inevitable.

So what now?

Nothing. Currently the most popular asymmetric key size in use is 1024bit, which represents a work load increase of over 1000 times when compared to RSA-768. Still afraid? Check out the list of RSA challenges that have been issued over the years and just how few have actually be ‘broken’.

In choosing my current PGP/GPG public key I decided to go with a 2048bit one, which, according to all accounts, will be safe for years to come. As always, I recommend checking out this site for the most up to date key length recommendations from the world’s foremost cryptography experts.

There you have it

With the knowledge that you’re online transactions are still perfectly safe you have nothing to worry about.

For reference, the currently recommended key lengths for asymmetric encryption algorithms, like RSA, are 1976bit (BSI recommendation for use after 2016), 2048bit (NSA recommendation for current and future use), and 2432 (ECRYPT II recommendation for protection until at least 2030).

I honestly don’t remember how I came across this awesome project but I am certainly glad I did! XMLVM is a software toolchain which is designed to take cross-compilation to a whole new level. Rather than just offer OS portability, XMLVM is able to actually offer OS, hardware and programming language portability.

Here’s how it works: you write a program in a programming language of your choice, say .NET. Once compiled you send it through the first step of XMLVM which analyzes the produced CIL and creates an XML document out of it. It would end up looking like something similar to this:

<clr:ldc type=”int” value=”2″/>
<clr:rem/>

Next this XML document is fed through what XMLVM calls the data-flow analysis (DFA). Basically you can think of DFA as a pseudo-language that simply describes the operations that the program is trying to perform. Once in this form the code is considered portable. XMLVM then lets you pick a target, for example the Java JVM, and automates the conversion of the DFA to an XML representation of the java byte code. From there it’s an easy conversion back to true java byte code.

Now think about this in practical terms for a second. That means that you can write a program in a .NET language (C#), and have it automatically ported and compiled to Java. Expand on this a bit and consider that you can write the same program in any language and have it converted to any other language. Currently the XMLVM offers a lot of other cool options as well and has actually been designed a lot with mobile devices in mind. Now you can write a program once and have it automatically converted to Objective-C, to run on the iPhone, and to Java to run on Android.

I really hope that this project continues to improve and I will certainly be watching it closely. It is still very early in development but from what I have seen it is simply brilliant.

Well, at least for now. Check out the site to see what everyone thought about the experiment as a whole.

Check it out here: The Linux Experiment

That’s right an update to your favourite hash verification program!

This update includes a few new features that some of you might find useful. It also includes help documentation which walks you through how to use it!

New Features

• Menu strip for even easier use
• Export features allows you to automatically write all of the hashes to a single file
• About dialog that provides information about the program
• Help documentation

Requirements:

• All platforms: .NET 2.0+ / Mono, a graphical display
• *nix platforms: WinForms (identified as System.Windows.Forms)

As always the binary only package contains just the executable, whereas the all package contains the source code as well.

Some of you may remember an old Windows program of mine called Hash Verifier. It was a graphical utility that allowed people to generate hashes of their files, and then compare those to known hashes, ensuring that their files had not been corrupted. Well in recent months my foray into the world of Linux has finally taken me into the realm of programming on that platform. Being primarily a .NET developer on Windows I have found the Mono project on Linux to be an absolute breath of fresh air.

“Monkey” project

The Mono project is an open source implementation of Microsoft’s .NET common language runtime and a C# compiler. On Linux the easiest way to program in a Mono language is within the project’s own integrated development environment called MonoDevelop.

C is a sharp language

C# is a very powerful programming language that falls somewhere between C and Java in terms of syntax. While my experience with C# has been limited in the past, I was easily able to pick it up quickly thanks to my background in both C and Java, as well as fellow .NET language Visual Basic.

The challenge

Digging up an old .NET project of mine, Hash Verifier, I decided to challenge myself to port the application to Mono. In order to do this I needed to accomplish the following:

• The original application ran on Microsoft’s .NET on the Windows platform. The new application must run on both .NET on Windows and Mono on supported platforms.
• The original application was written in Visual Basic. The new application must be written in C#.
• The original application has a GUI powered by the native Windows.Forms. The new application needs to have a GUI that works in a similar way on all platforms.
• The new application must be able to fully re-create all of the old application’s features and functions.

Porting = easy

I must say that porting this old application to C#/Mono was a relatively straightforward task. Although I had plenty of GUI toolkits to choose from I ended up sticking with the existing Windows.Forms. Once I had decided on using Windows.Forms as the basis for my GUI (WinForms is a free and open source implementation for non-Windows users!) I set out to create my new application. I was literally able to open the old Visual Basic GUI designer file, copy the code into my Mono workspace, change the syntax to C# and voila it worked!

In fact the only tricky part was trying to figure out a compatibility issue that .NET/Mono 2.0 seem to have with the new Windows Presentation Foundation (WPF). I’ll save you the gory details but basically drag and drop functionality would not work. I eventually rectified this issue by including a compiler flag telling .NET/Mono to execute the form in single thread apartments mode. You can see where I did this in my code by looking right above my static main function:

[STAThreadAttribute]
public static void Main()
{
…
}

Final result

With the application complete I must say I am impressed. Crafting and running applications for Mono is extraordinarily simple to do, seems very powerful, and the application itself only takes up a couple of MiB to run. In the future I definitely plan on doing more of this type of development now that I am using different operating systems every day.

Hash Verifier

If you are still using the old version of Hash Verifier, or if you would just like to try it out you can download the new Hash Verifier in two different ways. The package marked binary only contains just the program itself and the relevant documentation. The package marked all contains both the program, documentation as well as the source code.

Requirements:

• All platforms: .NET 2.0+ / Mono, a graphical display
• *nix platforms: WinForms (identified as System.Windows.Forms)

Over at The Linux Experiment we have decided to shake things up a little bit by forcing a change of desktop environments on everyone. Whatever we have been using thus far as to go for at least two weeks. If you care to follow along you can start by reading about how my transition from KDE to GNOME went below.

Check it out here: The road to GNOME

Just wanted to point out that we over at The Linux Experiment have pushed out our first podcast. Join us as we discuss our experiences with Linux, and complain about all of the little issues we’ve been having.

Check it out here: The Linux Experiment Podcast #1: The Pilot

Public key cryptography is one of the most essential pieces to online security. It is at the root of what enables you to shop online, do secure online banking, and communicate securely. I will be focusing on the latter in this tip. But first a quick and simple refresher on what public key cryptography is and how it works.

How public key cryptography works

Or rather how you use it. Cryptography allows you can lock any data or information inside of a digital safe. Generally this is done through the use of a shared key (password). This is similar to how you, and only you, can log on to your home wireless internet. But what if you don’t already have a shared key? This is where public key cryptography comes in to play.

Public key crypto works by using two keys instead of one. We will call these keys the public key and the private key. The public key can be thought of as your listing in a phone book, you want everyone to be able to get a hold of it in case they need to get a hold of you. The private key on the other hand is like your voice mail password, you only want one person to know it: you.

Messages and data encrypted with your public key are put into a digital safe that can’t be opened by anyone, even the person who just put the data into the safe, except you. This is important because it means anyone and everyone can encrypt things to send to you but you will be the only one able to decrypt them, or open the safe.

OK, so I can encrypt things with your public key and only you can open it. Now what?

Now we use it to send private e-mail.

Pretty Good Privacy (PGP)

PGP uses a system of keys which are actually just public and private keys. If I want to send you a private e-mail I just need to get a hold of your public key. For added integrity I could also sign the message using my private key, which you could then in turn verify with my public key, but that is beyond the scope of this post. Set up correctly not only does PGP allow me to receive secure e-mails, that no one but me can read, but also verify that the person who actually sent me the e-mail is who I think it is.

GNU Privacy Guard (GnuPG)

GnuPG is a a free and open source implementation of OpenPGP that is very common. Most Linux distributions come equipped with it by default but Windows users will most likely need to download it. Several e-mail clients also integrate seamlessly with GnuPG which makes things very easy. Others, like Outlook and Thunderbird, simply require an add-on.

How to get GnuPG

This is a simple step but is crucial to getting everything to work. Jump over to the official website, http://www.gnupg.org/, or hop right over to their download section here and grab a copy of it. For Window’s users you can just grab the binary, indicated by the letter B, while Linux and Mac users should either look in their software repositories or follow the links available. Once installed GnuPG, or gpg as it will be called, should be good to go.

Generate your first key

There are a number of different ways to generate your keys, from within the terminal or command line to within your favourite e-mail client. Rather than cover all of the numerous possible ways that you could generate your key I’m going to only cover two: the terminal and from within Thunderbird (see below).

1. Open up a terminal or a command prompt

2. Type:

gpg –gen-key

That’s two dashes before “gen”

3. This should prompt you with the following options:

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?

As you can see there are a couple of different options. Let’s break it down a little. Digital Signature Algorithm, is the standard way of signing messages. El Gamal is a widespread way of encrypting a message. Finally RSA is a versatile algorithm that can do both (don’t worry about the sign only part of #5, we can fix that later).

For your first key I recommend making a test key just so you can familiarize yourself with the steps required.

4. Type the number “1″ and press Enter. It should now be asking you what size you want the key to be.

DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

The current recommendations seem to be that a 2048 bit key is a very good idea. Creating a larger key will make it more secure but might take a bit longer to generate the key. For now let’s just go with the default 2048. Press enter.

5. Next gpg will ask you how long the key should be valid for. This expiry date is important because should you lose your key, or have it compromised, you will at least feel good that eventually it will become invalid. For this example key we will set it to expire tomorrow. In order to do so type “1″ and press enter. If you wanted it to expire in one week, month, or even year you just need to instead type “1w”, “1m”, or “1y” respectively.

Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)

6. This is where you would enter your personal information. You don’t want to lie about this because this key is meant to identify you as you and only you! However for this example I am going to enter the following information:

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
“Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>”

Real name: Test Key
Email address: testkey@tylerburton.ca
Comment:
You selected this USER-ID:
“Test Key <testkey@tylerburton.ca>”

Once you have verified this information type “o” and hit enter for “OK”

7. It will now prompt you for a passphrase. A passphrase gives your key some additional security. Once your key is generated you want to make sure that no one else can get a hold of your private key. If someone does don’t panic, there are ways for you to revoke the key, but a lot of damage can still be done with someone reading your encrypted e-mails or impersonating you. A passphrase makes it difficult for someone to decrypt your e-mail or impersonate you even if they have a copy of your secret key.

8. One you finish this GnuPG will generate the large prime numbers used in your key. This may take a while depending on the hardware you are running. When it’s done you will be shown your key’s information. It should look something like this:

pub   1024D/E1775F9E 2009-10-04 [expires: 2009-10-05]
Key fingerprint = 6DD1 5B41 1279 03E5 1088  225C 5B1B 90A9 E177 5F9E
uid                  Test Key <testkey@tylerburton.ca>
sub   2048g/4DDF6291 2009-10-04 [expires: 2009-10-05]

9. That’s it! You now have a key that you can use to securely encrypt your e-mail and files. Just be sure to get your public key out to as many people as possible. You can even upload it to a public key server so others can easily retrieve it.

Setting up Thunderbird

Obviously these instructions will only work if you use Thunderbird as your mail client. That being said a quick google search provide you with all of the answers you’ll need to set up PGP with your e-mail client of choice.

1. Download and install the Enigmail add-on for Thunderbird.

2. This will add a title bar option labeled “OpenPGP.” You may want to turn on expert mode to give yourself some extra options but that’s your choice. Inside of this menu you will find something called “Key Management.” If you click this, it will show you all of the keys you have stored in your key ring. The ones for which you have a private key are highlighted in bold.

3. Next go into your account settings and you’ll notice a new option called “OpenPGP Security.” Click this and check the box called “Enable OpenPGP support.” This will add two small icons to the bottom of your new e-mail composition window. One looks like a pen and when it is highlighted means you will sign the e-mail, proving that you were the one who sent it. The other is a key; if you have the recipient’s public key you can use this to encrypt the message you are sending so that no one else will be able to read it. Take a look at the options provided and set it up to your liking.

4. That’s it! You now have PGP support for your e-mail! If you feel like creating a new key, or even your first key, I would suggest doing so from the Key Manager inside of Enigmail instead of via the command line. It provides a very easy wizard to walk you through.

Final points

1. Hopefully this mini-guide  hasn’t scared you away from trying PGP yourself. If you are asking yourself ‘why should I even bother? I have nothing to hide’ you should take a moment while sending that next e-mail and consider if you instead wrote the same thing on a postcard and sent it on an around the world trip. This analogy gives you an idea of how little privacy your current e-mails have. As they are sent out over the internet they hop from server to server until they reach their destination. You have little to no control over what these servers do with your e-mail. Still have nothing to hide? Then you are far less concerned about identity theft then I am.

2. I said above, when selecting what type of key to create, that if you chose RSA (sign only) you could still use it to encrypt e-mail. This is true and all you need to do is edit the key by typing:

gpg –edit-key [e-mail address goes here]

(that’s two dashes in front of edit-key) and then on the next prompt entering:

addkey

This will walk you through adding an additional subkey, this time used for encryption. Just follow the steps as before and you should be set!

3. Remember PGP can be used for more things than just e-mail. You can also digitally sign documents and files or even encrypt them just like you can with your e-mail.

4. Now that you have this set up I fully expect any e-mail being sent my way to make use of it

I just finished up a quick post over on The Linux Experiment about how to share one keyboard and mouse among multiple computers using software, in this case a Windows Vista desktop and a Fedora 11 laptop.

Check it out here: Setting up some Synergy

Some friends and I have decided to give Linux a run for its money. Most of us are experienced Window’s users so we figured making the transition to Linux would be 1) a good thing for the resumé and 2) a pretty easy switch. Boy were we ever wrong about #2… #1 is still debatable

The basic premise is this:

1. Is Linux really a practical desktop computer for the masses?
2. Can someone really make the switch from the far more popular proprietary operating systems and applications to the free and open source alternatives?

The experiment is govern more or less by the following two rules:

1. You must use Linux as your primary computing platform for 4 months
2. You cannot use a distribution of Linux that you are familiar with or have used in the past

Follow us through the highs and lows of getting everything working just right, as we learn new things, and share our user experiences!

www.thelinuxexperiment.com