Practical Public Key Cryptography

October 18, 2017 by Pedro Umbelino 25 Comments

Encryption is one of the pillars of modern-day communications. You have devices that use encryption all the time, even if you are not aware of it. There are so many applications and systems using it that it’s hard to begin enumerating them. Ranging from satellite television to your mobile phone, from smart power meters to your car keys, from your wireless router to your browser, and from your Visa to your Bitcoins — the list is endless.

One of the great breakthroughs in the history of encryption was the invention of public key cryptography or asymmetrical cryptography in the 70’s. For centuries traditional cryptography methods were used, where some secret key or scheme had to be agreed and shared between the sender and the receiver of an encrypted message.

Asymmetric cryptography changed that. Today you can send an encrypted message to anyone. This is accomplished by the use of a pair of keys: one public key and one private key. The key properties are such that when something is encrypted with the public key, only the private key can decrypt it and vice-versa. In practice, this is usually implemented based on mathematical problems that admit no efficient solution like certain integer factorization, discrete logarithm and elliptic curve relationships.

But the game changer is that the public key doesn’t have to be kept secret. This allows cryptography to be used for authentication — proving who someone is — as well as for encryption, without requiring you to have previously exchanged secrets. In this article, I’ll get into the details of how to set yourself up so that anyone in the world is able to send you an e-mail that only you can read.
Continue reading “Practical Public Key Cryptography” →

Inside Two-Factor Authentication Apps

October 16, 2017 by Elliot Williams 66 Comments

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password cannot be stored hashed in the server’s database, which means that when the database is eventually compromised, your “second factor” blows away with the breeze.

Second factor apps can improve your overall security if you’re already following good password practices. We’ll demonstrate why and how below, but the punchline is that the most popular 2FA app implementations protect you against eavesdropping by creating a different, unpredictable, but verifiable, password every 30 seconds. This means that if someone overhears your login right now, they wouldn’t be able to use the same login info later on. What 2FA apps don’t protect you against, however, are database leaks.

Continue reading “Inside Two-Factor Authentication Apps” →

Oh Great, WPA2 Is Broken

October 16, 2017 by Brian Benchoff 131 Comments

WPA2, the standard security for Wi-Fi networks these days, has been cracked due to a flaw in the protocol. Implications stemming from this crack range from decrypting Wi-Fi, hijacking connections, and injecting content. It’s fair to say, WPA2 is now Considered Harmful. The paper is available here (PDF).

This is a proof-of-concept exploit, and like all headline-making network security stories, it has a name. It’s called KRACK, for Key Reinstallation Attack. The key insight to this exploit is a vulnerability in the handshaking between routers and devices to establish a secure connection.

This is not the first time the researchers behind this exploit have found holes in WPA2. In a paper published by the KRACK researchers at the USENIX Symposium last August (PDF), they showed that the Random Number Generator used in 802.11 is flawed, ill-defined, and insecure. The researchers have also spoken at 33c3 on predicting WPA2 Group Keys.

The practical consequences of a poor definition and implementation of an RNG can be found in consumer hardware. The researchers found that in MediaTek-based routers, the only source of randomness is the current time. Meanwhile Broadcom-based routers do not use the RNG proposed by the 802.11 spec, but instead take the MD5 of the current time in microseconds. The researchers do not mention if the current time is a secret.

So what do we do now?

This has happened before. In 2001, WEP, the Wi-Fi security protocol many security-ignorant people are still running, was cracked in much the same was as KRACK. This quickly led to the development of Aircrack, and in 2003, the Wi-Fi Alliance rolled out WPA and WPA2. Sure, you can still select a deprecated security protocol for your router, but the problem of WEP hacking is as solved as it’s ever going to be.

The early 2000s were a different time when it came to wireless networks, though here in 2017 Wi-Fi permeates every cubic inch of our lives. Everything and everyone has Wi-Fi now. This is going to be a bit bigger than cracking WEP, but it remains possible to patch devices to ensure that this exploit is rendered useless. Install those security updates, people! Of course there will still be millions of unpatched devices in a year’s time, and for those routers, IoT baubles, and other wireless devices, turning on WPA2 will be akin to having no security at all.

That said, this isn’t a world-ending Armageddon in the way the botnet of webcams was. You will only be vulnerable if an attacker is within range of your router, and you will still be secure if you’re accessing secure websites. However, turning off Wi-Fi on your phone, relying on mobile data, not ignoring HTTPS cert warnings, and plugging into an Ethernet port might not be a bad idea.

LEGO-compatible Electronics Kits Everywhere!

October 12, 2017 by Bob Baddeley 19 Comments

Within the last few years, a lot of companies have started with the aim to disrupt the educational electronics industry using their LEGO-compatible sets. Now they’re ubiquitous, and fighting each other for their slice of space in your child’s box of bricks. What’s going on here?

Raison D’Être

The main reason for LEGO-compatibility is familiarity. Parents and children get LEGO. They have used it. They already have a bunch. When it comes to leveling up and learning about electronics, it makes sense to do that by adding on to a thing they already know and understand, and it means they can continue to play with and get more use from their existing sets. The parent choosing between something that’s LEGO-compatible and a completely separate ecosystem like littleBits (or Capsela) sees having to set aside all the LEGO and buy all new plastic parts and learn the new ecosystem, which is a significant re-investment. littleBits eventually caught on and started offering adapter plates, and that fact demonstrates how much demand there is to stick with the studs.

Continue reading “LEGO-compatible Electronics Kits Everywhere!” →

Building The Hackaday Superconference Badge

October 11, 2017 by Brian Benchoff 36 Comments

The best hardware conference is just a few weeks away. This is the Hackaday Superconference, and it’s two days of talks, an extra day of festivities, soldering irons, and an epic hardware badge. We’ve been working on this badge for a while now, and it’s finally time to share some early details. This is an awesome badge and a great example of how to manufacture electronics on an extremely compressed timetable. This is badgelife, the hardware demoscene of electronic conference badges.

So, what does this badge do? It’s a camera. It has games, and it’s designed by [Mike Harrison] of Mike’s Electric Stuff. He designed and prototyped this badge in a single weekend. On board is a PIC32 microcontroller, an OV9650 camera module, and a bright, crisp 128×128 resolution color OLED display. Tie everything together with a few buttons, and you have a badge that’s really incredible.

So, how do you get one? You’ve got to come to the Hackaday Superconference. This year we’re doing things a bit differently and opening the doors a day early to get the hacker village started with badge hacking topped off by a party that evening and everyone coming to Supercon is invited! This is a badge full of games, puzzles, and video capture and isn’t something to miss. We have less than 30 tickets left so grab your ticket now and read on.

Continue reading “Building The Hackaday Superconference Badge” →

Happy Ada Lovelace Day!

October 10, 2017 by Elliot Williams 74 Comments

Today is Ada Lovelace Day, a day to celebrate and encourage women in the fields of science and technology. The day is named after Augusta Ada King-Noel, Countess of Lovelace, born Byron. (You can see why we just call her Ada Lovelace.) She was a brilliant mathematician, and the writer of what’s probably the first real computer program — it computed the Bernoulli series. At least according Charles Babbage, in correspondence to Michael Faraday, she was an “enchanted math fairy”. Not only a proto-coder, she wrote almost all of the existing documentation about Babbage’s computation engine. She’s a stellar example of a brilliant and unique individual. If you were looking for a superhero to represent women in science and tech, Ada’s a good pick.

In our minds, she gets stiff competition from Marie Curie. Curie did fundamental research on radioactivity, is one of two people with Nobel Prizes in two different sciences, and got to name the two elements that she discovered. 2011 was the Year of Marie Curie in France and Poland. She has her own year in addition to her own unit. Even Spiderman doesn’t have those radioactive super powers!

Don’t Need Another Hero?

But on a day dedicated to getting more women into the technical arts, it’s also a little bit daunting to pick Lovelace or Curie as a symbol. Are you ever going to have something that equals “first computer program” or “two Nobel Prizes” on your résumé? We aren’t. It’s great to have heroes, but maybe we need more than just heroes — we also need mentors.

Continue reading “Happy Ada Lovelace Day!” →

Our Reactions To The Treatment Of Robots

October 9, 2017 by Steven Dufresne 80 Comments

Most of us have seen employees of Boston Dynamics kicking their robots, and many of us instinctively react with horror. More recently I’ve watched my own robots being petted, applauded for their achievements, and yes, even kicked.

Why do people react the way they do when mechanical creations are treated as if they were people, pets, or worse? There are some very interesting things to learn about ourselves when considering the treatment of robots as subhuman. But it’s equally interesting to consider the ramifications of treating them as human.

The Boston Dynamics Syndrome

Atlas - Boston Dynamics robot being pushed

Atlas being pushed

Spot - Boston Dynamics robot being kicked

Spot being kicked

Shown here are two snapshots of Boston Dynamics robots taken from their videos about Spot and Atlas. Why do scenes like this create the empathic reactions they do? Two possible reasons come to mind. One is that the we anthropomorphize the human-shaped one, meaning we think of it as human. That’s easy to do since not only is it human-shaped but the video shows it carrying a box using human-like movements. The second snapshot perhaps evokes the strongest reactions in anyone who owns a dog, though its similarity to any four-legged animal will usually do.

Is it wrong for Boston Dynamics, or anyone else, to treat robots in this way? Being an electronic and mechanical wizard, you might have an emotional reaction and then catch yourself with the reminder that these machines aren’t conscious and don’t feel emotional pain. But it may be wrong for one very good reason.

Continue reading “Our Reactions To The Treatment Of Robots” →