Kleptographic (algorithmic) backdoors in the RSA key generator

Рассмотрены основные виды алгоритмических закладок. Представлен способ построения асимметричных клептографических закладок в генераторе ключей RSA, позволяющий владельцу ключа закладки (разработчику или авторизованной спецслужбе) получать доступ к пользовательскому ключу, сгенерированному инфицированным алгоритмом. Сформулированы теоремы, иллюстрирующие работоспособность описанных алгоритмов, оценена вычислительная сложность этих алгоритмов. Продемонстрирована стойкость построенных закладок к некоторым классам атак даже при условии, что противник знает используемые методы и имеет доступ к исходному коду ключевого генератора

Going Dark and Encryption

Law officers across the country and around the world are being left in the technological dust by their criminal counterparts. They have no problem obtaining evidence, however they run into issues accessing this information due to various encryption techniques being used. This phenomenon has been dubbed the “Going Dark” problem. James Comey describes the Going Dark problem as, “We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so” (Comey, 2014). The Going Dark problem is a relatively new problem facing law enforcement officers (LEOs) that has roots going back to the Crypto Wars of the early 1990s. At its core, the Going Dark problem is really just an issue of how to attack encrypted data. Data is either at rest, or in motion, and can be attacked several different ways depending on which state it is in. Recently, the FBI has found some success using a man-in-the-middle attack on criminals’ cell phones, but since they sold the cell phones themselves, they were able to attack data both at rest and in motion. Today, LEOs are trying to solve the Going Dark problem by attacking encrypted data using a variety of tactics, and by trying to amend the Communications Assistance to Law Enforcement Act (CALEA) to include email and social media

Exploring Lawful Hacking as a Possible Answer to the Going Dark Debate

The debate on government access to encrypted data, popularly known as the “going dark” debate, has intensified over the years. On the one hand, law enforcement authorities have been pushing for mandatory exceptional access mechanisms on encryption systems in order to enable criminal investigations of both data in transit and at rest. On the other hand, both technical and industry experts argue that this solution compromises the security of encrypted systems and, thus, the privacy of their users. Some claim that other means of investigation could provide the information authorities seek without weakening encryption, with lawful hacking being one of the most suggested alternatives. “Lawful hacking,” also known as “government hacking,” consists in the deployment, by investigative authorities, of tools that allow for the intrusion into computer systems, enabling access to its contents. Although this form of investigation seems to be essential in an increasingly connected society, it is important to understand security and privacy risks of different lawful hacking regulatory approaches. Considering that some countries are already enacting legal frameworks related to it, I aim to highlight the issues that should be properly addressed in order to position lawful hacking as one of the viable answers to the “going dark” debate

The opportunity to regulate cybersecurity in the EU (and the world) : recommendations for the Cybersecurity Resilience Act

Safety is becoming cybersecurity under most circumstances. This should be reflected in the Cybersecurity Resilience Act whenever it is proposed and agreed upon in the European Union. In this paper, we define a range of principles which this future Act should build upon, a structure and argue why it should be as all encompassing as possible. We do this on the basis of what the cybersecurity research community for long have asked for, and on what constitutes clear hard legal rules instead of soft. Important areas such as cybersecurity should be taken seriously, by regulating it in the same way we see other types of critical infrastructure and physical structures, and be uncompromising and logical, to encompass the risks and potential for chaos which its ubiquitous nature entails. We find that principles which regulate cybersecurity systems' life-cycles in detail are needed, as is clearly stating what technology is being used, due to Kirkhoffs principle, and dismissing the idea of technosolutionism. Furthermore, carefully analysing risks is always necessary, but so is understanding when and how the systems manufacturers make fail or almost fail, all of these details must be expected and detailed. We do this through the following principles: Ex ante and Ex post assessment, Safety and Security by Design, Denial of Obscurity, Dismissal of Infallibility, Systems Acknowledgement, Full Transparency, Movement towards a Zero-trust Security Model, Cybersecurity Resilience, Enforced Circular Risk Management, Dependability, Hazard Analysis and mitigation or limitation, liability, A Clear Reporting Regime, Enforcement of Certification and Standards, Mandated Verification of Security and Continuous Servicing. To this, we suggest that the Act employs similar authorities and mechanisms as the GDPR, and create strong national authorities to coordinate inspection and enforcement in each Member State, with ENISA being the top and coordinating organ

Criptomoeda: o Bitcoin

A síntese da moeda Bitcoin, a história da criptomoeda e do Bitcoin, o movimento Cyberpunk, as primitivas das tecnologias das criptomoedas, criptografia assimétrica, encriptação de chave pública, assinaturas digitais, Blockchain, endereços digitais, administração de consenso, prova de trabalho (PoW), mineração e impossibilidade de gastos duplicados.The synthesis of the Bitcoin currency, the history of cryptocurrency and Bitcoin, the Cyberpunk movement, the primitives of cryptocurrency technologies, asymmetric cryptography, public key encryption, digital signatures, Blockchain, digital addresses, consensus management, proof of work (PoW ), mining and the impossibility of duplicate expenses.info:eu-repo/semantics/publishedVersio