Tag Archives: crypto

Steven Levy = Awesome Writer

Hackers

Many years ago I read Hackers for the first time and thoroughly enjoyed it. Levy takes exhaustive research and interviews and weaves them into a great tale. I like reading about the people behind technology and how they came to do what they do (or did what they did), and this book is full of characters and their stories: “The Heroes of the Computer Revolution.” Starting with the origins of hacker culture at MIT in the Tech Model Railroad Club, I felt transported back in time and was absorbed by the story.

Crypto

A month ago, I saw a reference to Levy’s Crypto, and I immediately ordered a used copy from Amazon. This is a story about how we finally got good crypto outside of the NSA. Having just started it, I’m finally learning something about those Diffie and Hellman guys, and more about the Rivest, Shamir, and Adleman in RSA. All nicely placed in the context of the times.

One sign that it’s a good book is that I’ve read through 100 pages out of 350 in just a few days. For my usual pace on paper books these days, that’s very fast. Again, Levy takes all this information and creates a compelling tale. Since there isn’t a lot of action in these books, I can only credit it to the author’s skill that I want to keep turning pages.

I’m guessing many readers of this blog are familiar with Hackers and maybe Crypto also. But if you haven’t heard or given them a chance yet, I highly recommend both books if you want to get some history of the people behind the “computer revolution” and public key cryptography. (And Crypto really is about the people, thankfully, and not the mathematical nuts and bolts which are way beyond me.)

Me and You and a GPG Key Named Boo

“Travellin’ and livin’ off the web…”

I have a GPG key, freshly created a couple of days ago. GPG is the GNU Privacy Guard, also known as GnuPG, used for encryption and digital signatures.

Many people include helpful comments about GPG encryption on a page with their public key and fingerprint. Instead of making similar remarks (which I don’t feel qualified to make), I’ll point to some examples: Karl Fogel, Peter S. May, and Henrik Lund Kramshoej.

I’ve read Karl’s page with interest in the past, and revisited it while preparing my own GPG key page. His comments have been influential in adding to my doubts about using the software and keys properly. I found Peter’s and Henrik’s pages recently in Google search results as I’ve been reading about the subject. All three have wise words of caution and advice about using GPG for encryption and digital signing. Peter and Henrik further get into the concept of the “web of trust” in public key cryptography. Peter’s page is detailed and he appears to be quite conscientious about being a good participant in this web of trust.

(There is also PGP. Both programs implement the OpenPGP standard, but PGP is not free-as-in-freedom so you should use GnuPG.)

So what’s the point of this page?

Well, to refer you to other sources of information, for starters, and to talk about my shiny new key, reasons for creating it, reasons for attending key signing parties, and lay out my rudimentary key signing policy, which I hope will make the case that I intend to be an upstanding cryptizen* and follow good key signing practices.

However, while not a stranger to GPG, I’m pretty new at key signing and web of trust stuff, so my proclamations and methods have to be viewed with skepticism. You can read this post and perhaps draw your own conclusions.

Why a key now?

I haven’t previously had much (if any) personal need for encryption or signing using GPG, but now seemed like a good time to create a key pair before going to the FSF meeting in Cambridge next weekend where I might gather a few signatures.

That might be an answer for “why now?”, but doesn’t really answer the question of why I need a key at all. Why do I want to use GPG? And it suggests another question: Why do I care about getting signatures for my key? I think my primary motivation at the moment is community. Even though I don’t have an immediate need in mind, being trustworthy (at least with respect to my participation in the web of trust) may help me be a better free software community member.

Password Safe / Password Gorilla

Updated 20 April 2007: Password Gorilla’s author, Frank Pilhofer, contacted me to clarify how permissions work and to investigate the problem I was seeing. Talk about great customer service! See update notes below…

I’ve been using Password Safe in Windows for many years to manage my passwords. It seemed credible to me because it was originally designed by Bruce Schneier and made by his company, Counterpane Systems. It uses either the Twofish or Blowfish block cipher, depending on the version. I respect Bruce’s knowledge and opinions on security and figured it would be a robust application, free from obvious security flaws.

And it was free for use. As in free beer. At some point it was released under the free and open source Artistic License* and a thriving development community has developed around it, regularly releasing new versions with scads of new features and user interface improvements.

I liked the simple interface of the original program and also the improvements made for version two which allowed for better categorization of logons. It has some nice features like locking on minimize or after some number of minutes idle. (In the process of writing about this, I finally got around to updating to version three and it has several new features also.)

In the past few months I had checked for GNU/Linux versions of the software and saw that while there were none at the time, there were other projects that used the same file format, so I was hoping I’d find a suitable program and it would be easy to switch. And now’s the time, I guess.

Password Gorilla

I looked at Password Gorilla first. It is based on Password Safe and runs on GNU/Linux, Windows, and Mac. It uses the GPL v2 license. Since it still feels easier/more comfortable for me to install things on Windows, and since my Password Safe file is on my Windows machine, I tried that version first. It’s simple — a 1.5MB single file. No installation, really.

It worked just fine. It opened my 39KB v2 file that has over 200 entries with no problem, although it was slower about opening the file. It looked a lot like Password Safe without a toolbar. Just what I was looking for.

Password Gorilla looked pretty good, but how healthy and robust is the user community around it? It’s hard to tell from the home page how many people are involved. I typically want to adopt free programs that are well-established and have a large group of users and preferably more than one developer working on them. This is so that if a key developer is unable or unwilling to keep maintaining it, there is a better chance that someone else will step up. And in the case of security/crypto applications, I think it’s even more important to have enough people poking around in a program to uncover possible weaknesses.

In this case, the project home page looks well done and the program was updated as recently as summer 2006 to support the new v3 file format, so I’d be inclined to use the program. I also like the help page that goes into some of the risks involved. These are things I’m already aware of, but I think it’s refreshing that a page has been provided to help educate people on these things. So I had a warm fuzzy feeling about the program, but as I was evaluating my options, I noticed from the Password Safe SourceForge project page:

HOWTO: EncFS Encrypted Filesystem in Ubuntu and Fedora GNU/Linux

(Go straight to the HOWTOs. Do not pass GO.)

2 June 2007: Updated with comments for 7.04 / Feisty Fawn.

I mentioned recently that I planned to keep using TrueCrypt in GNU/Linux since I had used it profitably in Windows, and that I also intended to keep using the container approach where you create a single file of a certain size and then mount it to get your virtual file system.

I’m reevaluating my plan. I still like TrueCrypt and will likely keep using it, maybe by alternating DVD backups between it and my new intended: the EncFS Encrypted Filesystem. (And of course GPG is always good for many crypto jobs, and will also be part of my security framework.)

The drawback with my TrueCrypt method is having to create files of fixed sizes. You either have a lot of empty space tied up or you’re bursting at the seams and can’t expand a volume. And you’re dealing with some large files; perhaps with additional risk of an entire volume being more easily corrupted? I had managed this ok in the past, but I always agonized over the size of volumes to create for backups, since it’s hard to predict future requirements there. I know TrueCrypt has ways of encrypting entire devices, but I’ve been hesitant to go down that road.

After adding another 200GB drive to the slug the other day, I didn’t want to make more decisions about container sizes. I started thinking about alternatives. Maybe it was time to figure out how to encrypt the entire drive with a non-container method, and I wanted to look away from TrueCrypt since I’m interested in crypto diversity.

HOWTO: TrueCrypt in Ubuntu and Fedora GNU/Linux

Update, 1 June 2007: Version 4.3a, released May 2007, removes support for SUID.

I’ve been using TrueCrypt to encrypt financial and personal documents in Windows for a while now and it has worked just fine for the way I want to use it. I’m doing file-based encryption where you mount a single file as a virtual volume that appears as a normal drive in Windows. I knew there was a GNU/Linux version, so it seemed like a logical choice to use for the same purposes in the free world.

TrueCrypt is free-as-in-freedom (according to my hearsay understanding of the license), but the TrueCrypt Foundation behind it is apparently kind of secretive and closed with its development processes. I’m not sure how much of a concern this should be for me.

I briefly looked at dm-crypt/cryptsetup/LUKS but shied away from them for now since they don’t appear to be as mature and also since I don’t see that they use a file-based method and I don’t want to figure out more complicated methods at the moment (more complicated in my eyes, anyway). I’m trying to get some momentum going for the overall move and that means avoiding quagmires of new learning where possible.

(Update, 21 Feb 2007: Well, maybe just one new learning jaunt…)

So TrueCrypt it was. There is no GUI in the GNU version yet, but that was ok with me. It has helped that I’ve used the Windows version for a while so I knew what to look for and expect. It appears that there is some compatibility between GNU and Windows versions, but not really. I could take a volume created on GNU and open it in Windows and read files, but if I wrote files to it in Windows, they didn’t appear when I opened it back up in GNU. Maybe there is a way this could work, but it’s not important for me to have this feature so I let it go.

Overall the process went pretty smoothly. I started working on this in Fedora and got hung up on an error, switched to working on Ubuntu where I had more luck, and then got it going in Fedora also. My current strategy is to make things work in both distributions as much as possible. I don’t want to become overly tied to one system. I did have one mishap that I wrote about in a previous post.

And now, the blow by blow account…
