n2n

n2n looks like a lovely piece of technology.

It's basically a VPN system, but quite different from existing VPN technologies. Existing VPNs work by creating a point-to-point link between two systems, usually a personal computer on an untrusted, remote, and often frequently changing network - and a router which then routes or bridges traffic (depending on the layer the VPN operates on) to other VPN clients and/or a physical private network.

The usual configuration is that there's a network with some resources on it that can't be trusted to the open Internet - insecure file sharing or network management services, for example - with an access device connected both to that network and the public Internet, such that remote computers can connect to the access device via the Internet and thus be virtually and securely connected to the private network so they can access the resources therein as if they were physically plugged into it. All over an encrypted link that they need to authenticate to set up, keeping third parties from reading or injecting traffic.

But the conventional VPN approach doesn't work so well for more complex setups. I, for example, have two private networks with various servers and workstations on, an isolated server, and two roaming laptops. It would be nice if I could set up varying levels of trusted connectivity between the three; the isolated server should really appear to be local to the first private network, which could be done with a conventional VPN, except that a permanent connection would require the isolated server to try to set the VPN up on boot and, if it goes down due to network problems or the access server on the private network rebooting, retry the connection automatically. Likewise, I'd like some level of routing between the two private networks, with a bit of packet filtering to tailor the precise trust relationship; I'd have to choose one network's router to be the VPN server and the other the client, set up another auto-reconnecting VPN, and set up routing across it. Then have the laptops also connect to a VPN server on one of the private networks, or perhaps the isolated server, to then use routing across the VPN links between the two private networks in order to reach everything they should be able to.

In practice, I'd probably pick the best connected private network to be the hub, and run a VPN server on it, and have everything else connect to that. Traffic between a laptop and the other private network would go via the hub, causing double bandwidth consumption at the hub and increasing latency. If the hub goes down, the whole network is fragmented.

Plus, mainstream VPN protocols are a pain to configure and use, as they tend to use strange protocols like GRE.

But n2n is much better than all that.

Social engineering

Bruce Schneier's blog as an article on a recent diamon heist carried out purely through social engineering. No high-tech descending on wires through skylights, gymnastic climbing through nets of laser beams, or reprogramming advanced electronic locks. Nope, the perpetrator just earnt the trust of the staff by appearing to be a nice harmless guy.

No amount of snazzy technology can prevent this kind of thing. Sure, you can make it harder in some ways, but people will still be the weakest link.

My suggested solution to this kind of crime is to make it everybody's civic duty to test security systems. Teach social engineering at school. If somebody is caught in an attempted non-violent non-property-damaging security breach attempt, congratulate them. If they manage to pull one off and get away with it but then fail to report the fact, throw 'em in jail - but if they DO report it and turn the goods back in, they get congratulated and a reward from the victim's insurance company.

Sure, this makes an actual malicious robbery slightly less risky (as long as you don't damage anything or anyone during the attempt, which is clearly against the rules of a good-natured security probe), since if you get caught in the act you can say it was just for fun and you'd have handed in the winnings if you'd not been caught, but actual successful robberies at that level are rare. And with a segment of the population worrying at any possible security hole in search of a finder's bounty, there'll be less security holes to exploit, and the staff will be a lot less trusting of nice folks...

Cryptanalysis 2

In a previous post, I discussed the analysis of an initially robust-looking combination of S-boxes, then suggested two potential extensions of the algorithm to examine.

Read more »

Cryptanalysis

Cryptanalysis is the science/art of analysing an encryption system's design to try and figure out how you'd break it.

If encryption systems were used properly, this would be very hard. After all, in that case, all you'd ever have access to was the design of the encryption system and a stream of intercepted encrypted messages.

However, in practice, it's possible to guess parts of the messages (perhaps most start with "Dear ..."), or even to occasionally steal a decrypted message and pair it up with its encrypted version, then study the relationships between them (known plaintext attacks). Or sneak a spy into the organisation being studied, and just ask them to send emails to the person at the other end of the encrypted link, in the middle of the night, at agreed times, so it's easy to spot the encrypted version of the message. Then you have a chosen plaintext attack, which is the most powerful kind.

Read more »

Splay trees, compression, encryption, and embedding

There's a little-known data structure with some useful properties; the Splay tree.

It's quite a useful data structure in its own right, but it also has interesting applications in data compression, and cryptography...

Read more »