Privacy in Hostile Environments - Repositório Aberto

Privacy in Hostile Environments

Mafalda Duarte Freitas
Mestrado Integrado em Engenharia de Redes e Sistemas Informáticos (Integrated Master's in Network and Computer Systems Engineering)
Departamento de Ciências de Computadores (Department of Computer Science)

2015

Supervisor: Luís Antunes, Professor Associado, FCUP


All the corrections determined by the jury, and only those, have been made.

The President of the Jury,

Porto, ______/______/_________


Abstract

In recent decades, mobile networks and mobile devices with significant computing power have grown in popularity and availability. With ubiquitous Internet access, the public now depends on online services and applications for activities that range from everyday social interaction to the exchange of communications of the highest sensitivity. Each of these activities has its own requirements and involves different risks, but they share a fundamental challenge: exchanging private information over a shared communication channel that the participants cannot control.

In the present work we approach two very different scenarios. In the first, there is a need to provide secure, encrypted mobile communications to high-visibility government entities that are likely to be individually targeted. In the second, there is a need to protect the average Internet user from unwanted exposure to local data interception, privacy breaches, identity theft and bulk collection of private data.

For the first scenario, we closely examine a mobile application currently on the market that claims to provide a secure communication channel between any set of Android or iOS smartphones. We analyze the application's deployment and its code, describe the vulnerabilities found during that analysis, and compare them with the well-known weaknesses of Wi-Fi Protected Access (WPA1). We develop a proof-of-concept attack demonstrating that those vulnerabilities make the application unsuitable for providing a secure communication channel. We also recommend steps to improve the application and to prevent the commercialization of software solutions whose security has not been tested.

For the second scenario, to address the protection of average Internet users, we start with a historical analysis of the concept of privacy as a human right. Our goal is to establish the level of privacy that each individual can rightly aspire to, and what provisions have been made in the past to preserve that level of privacy. We show that technological development has constantly been a source of danger to personal privacy and freedoms, and that a constant effort must be made to counteract that effect. We then review current initiatives to protect citizens from mass surveillance and bulk data collection, and design our own tool to help the average user regain control over his or her online experience.

Resumo

In recent decades there has been a growing increase in the availability and popularity of mobile networks and devices, the latter with ever more significant computing power. With ubiquitous Internet access, the public depends more and more on online services and applications for activities ranging from daily social interaction to secure communications of the highest level. Each of these activities has specific needs and involves different risks, but they have in common a fundamental challenge: exchanging private information over a shared communication channel that they cannot control.

In this work we address two very different scenarios. In the first, there is a need to provide secure, encrypted mobile communications to government entities. These have high visibility and a high probability of being targeted by attacks. In the second scenario, there is a need to protect ordinary Internet users from local interception of information, invasion of privacy, identity theft and mass collection of private data.

In the context of secure communications, within the first scenario, we examine a mobile application on the market that claims to provide a secure communication channel between any pair of Android or iOS smartphones. The application and its code are analyzed, and the vulnerabilities found during that analysis are described and compared with known vulnerabilities of WPA1. We develop a demonstrative attack to show that the vulnerabilities found make the application unable to provide a secure communication channel. We also recommend some steps to improve the application and to prevent the commercialization of software solutions whose security has not been adequately tested.

In the second scenario, to address the protection of the ordinary Internet user, we begin with a historical analysis of the concept of privacy as a fundamental right. Our goal is to establish what level of privacy each individual can aspire to, and what measures were taken in the past to preserve that level of privacy. We show that technological development has been a constant source of danger to privacy and individual liberties, and that a permanent effort is needed to counter that effect. We review existing initiatives to protect citizens from permanent surveillance and mass data collection, and we create our own tool to allow ordinary citizens to regain control over their online experience.

Dedication

I dedicate this work to my parents, who I'd choose again if I had another chance at life, to my sister, my greatest joy, in the hope she grows to a better world, to Hugo, who I met so briefly, but whose talent and passion still inspire me, and to all the programmers and hackers out there that work in the shadow so that others can bring their stories to light.

Acknowledgments

First and foremost, I would like to thank my thesis advisor, Luís Antunes, for his guidance, support and understanding. His dedication made this work possible.

In November 2013, I had the opportunity to join the Centro de Competências em Cibersegurança e Privacidade, at the University of Porto. My time at C3P was an extraordinary experience, giving me renewed energy and passion for my work. Much of the work presented in this thesis was made possible by the assistance and expertise provided by my colleagues at C3P, who also provided me with much needed help and companionship. In particular, I am very grateful to Luís Maia, Luís Valente and Pedro Brandão, who gave me precious support, and the right advice and insights at the right moments.

I am very grateful to Filipa Calvão for her time and support. Her collaboration, together with the team at Comissão Nacional de Protecção de Dados, was essential to the development and success of C3Priv, and I truly appreciate the work we did together.

I have to thank both Filipa Calvão and Luís Torgo for making my defense a moment I enjoyed and will remember fondly. I appreciate their kind words and the positive criticism.

I thank Alexandra Ferreira for her unwavering support, her faith in my abilities, and her expert navigation through the dangerous seas of academic bureaucracy.

To my friends, Mário, Pedro, Cristiano, Daniel, Patrícia, Ivo, Rui and André, I am thankful for the late-night talks, the hours of fun, my new TF2 skills and for reminding me regularly that there is a lighter side to life. I am forever grateful to Mário, who dreamed for me when I forgot how to.

Last, but certainly not least, I thank my parents, Paula and Júlio, and my sister Matilde. I am deeply grateful for the financial and moral support, for believing in me when I did not, and for always being near, despite the distance. Your unconditional love and encouragement keep pushing me forward.

Contents

Abstract
Resumo
1 Introduction
2 App Analysis
  2.1 The Application
  2.2 Vulnerabilities
    2.2.1 Electronic Codebook (ECB) encryption mode
    2.2.2 Number of iterations of the Pseudorandom Function (PRF) in Password-Based Key Derivation Function 2 (PBKDF2)
    2.2.3 Use of a fixed salt
3 Proposed attack
  3.1 Description of WPA
  3.2 Comparison with our software
  3.3 A distributed attack on WPA1
  3.4 Padding Oracle Attack
  3.5 Results
  3.6 Possible improvements
4 Privacy in hostile environments
  4.1 The right to be let alone
  4.2 Mass surveillance
  4.3 Privacy and technology
5 Easy to use Privacy: C3Priv
  5.1 Guiding premises
  5.2 Privacy By Default
  5.3 Recognizing Limits
  5.4 Proposed Solution
  5.5 Advantages of Open Source
  5.6 Selected Applications
  5.7 Selected Browser Add-ons
  5.8 Observations and Results
  5.9 Future
    5.9.1 Creating an indistinguishable online identity
    5.9.2 Surveying users' needs
6 Conclusion
Annex A - Portable Applications
Annex B - Firefox Add-Ons
Acronyms
Bibliography

List of Figures

3.1 Example of PKCS5 padding in blocks containing 3, 5 and 8 byte messages, in blocks of 8 bytes.
3.2 Padding oracle attack on the last byte of an 8 byte block, producing an incorrect padding.
3.3 Padding oracle attack on the last byte of an 8 byte block, producing a correct padding of 0x01.
3.4 Padding oracle attack on the second-last byte of an 8 byte block, producing an incorrect padding.
3.5 Padding oracle attack on the second-last byte of an 8 byte block, producing a correct padding of 0x02.
5.1 PortableApps menu
5.2 Contents of a Universal Serial Bus (USB) pen-drive with C3Priv already installed
5.3 Volume of C3Priv downloads from February 2014 to October 2014
5.4 C3Priv download distribution globally
5.5 C3Priv download distribution in Europe

List of Tables

2.1 List of the files found in the smartphones' Secure Digital (SD) cards
2.2 Specific values that PBKDF2 receives as input
3.1 PBKDF2 key derivation in WPA1 and in the analyzed application

Chapter 1

Introduction

In the early days of telephony, circuit-switched connections created a communication channel that was well defined and exclusive to the participants. This allowed wire telegraph circuits to be used to establish secure connections between parties that needed to keep their communications secret. A famous example is the Direct Communications Link between Washington and Moscow, known as the Washington-Moscow Hotline. This line, established in 1963, was a secure emergency communications channel between the American and the Soviet governments.

Unlike modern packet-based, connectionless networks, circuit-switched telephone networks were very linear. There were few telecommunication companies providing telephony services, and the small number of users allowed them a great degree of control over the infrastructure. Communications were usually not private, but to access them one had to have physical access to the network. To keep special communication channels private, direct lines such as the Washington-Moscow Hotline used encryption to ensure that only the receiving end could recover the plaintext message, and the lines themselves were deployed in secret underground tunnels to prevent physical interception.

Initially, the volume of data exchanged through these connections was very small. The messages were mostly text, and beyond the daily tests the system was only rarely used. The one-time tapes used to keep messages encrypted in transit were provided by both sides and carried halfway across the world [37]. With the rise of satellite communications, however, and falling prices for both communication equipment and telephone data plans, land lines and circuit-switched networks were replaced by mobile and packet-switched networks such as the Internet. Today, the pervasiveness of Global System for Mobile Communications (GSM), Third Generation (3G) and Fourth Generation (4G) mobile networks, and the availability and low cost of devices to access them, make them the ideal medium for always-ready communication channels between any set of terminals, independently of location.

Rather than relying on the security of the network to protect communications, as was done with private landlines or even with satellite-based communications, access through these shared networks relies heavily on the terminal's ability to preserve the secrecy and integrity of the messages exchanged. With the evolution of mobile phones into PDAs and later smartphones, it became increasingly easy to obtain the processing power needed to build terminals that could rise to that challenge. But as the complexity of the technology grew, so did the odds of mistakes or oversights in the design and implementation of protocols and terminal applications.

In this work, to gain some insight into the level of security of commercially available solutions for secret communication through smartphones, we examine a secure-communication application that is currently available on the market. This application was submitted to the Centro de Competências em Cibersegurança e Privacidade (C3P) of the University of Porto for review, and the work was performed in coordination with the C3P team. We analyze the application, identify and study its flaws and vulnerabilities, and determine whether and how those vulnerabilities compromise the application's security. Based on the results of this analysis, we implement an attack as a proof of concept of the vulnerabilities found.

We will also examine the concept of privacy as it exists today, how it was created and how it evolved through history. We will take a brief look at the legal protections offered to citizens and at how they integrate with the enormous technological growth of the last decades, trying to reveal their current shortcomings and the consequences of those shortcomings, in the present and in the near future.

Finally, we will propose, design and implement a tool that aims to offer Internet users a greater degree of control over their privacy, whether on their own PCs or on the move.

Chapter 2

App Analysis

In the last semester of 2013 an application for Android and iOS smartphones, built for secure mobile communication, was submitted to C3P for analysis. The C3P team examined the system in order to assess the level of security it provided both to the information stored on the smartphone and to the communications made through it.

For the scope of the present work, the most relevant aspects were the analysis of the files in the phones' storage and the information obtained through reverse engineering of the code. That analysis is presented in the following sections, and allows a closer look at the integrity and security of commercially available solutions that are being deployed and used in real-world scenarios.

2.1 The Application

The brief description of the application provided by its creators on their website gives some insight into its internal workings. They describe their product as a system built to allow secure Short Message Service (SMS) and voice communications through any Android or iOS smartphone it is installed on, to recipients who use the same application to receive those calls and SMSs.

The communications made through the app are processed by a server that may be either privately owned, running on the client's premises, or available "in the cloud". In the latter case the server is rented and kept in the provider company's facilities, but the client remains the exclusive user of the system.

On the company's website, as well as in communications made to several local newspapers, it is stated that the encryption used by the system is RSA [54]¹ with 3072-bit keys and Advanced Encryption Standard (AES) with 256-bit keys, both presented as "extremely secure".

¹ RSA is a public-key cryptosystem published in 1978. The name comes from the initials of the surnames of its creators, Ron Rivest, Adi Shamir and Leonard Adleman.

We were provided with a pair of Android smartphones with the application already installed, and their respective Personal Identification Numbers (PINs). The PINs unlocked the phones and allowed the use of the application.

The first step was to examine the smartphones' SD cards. After connecting each SD card to a computer, we were able to examine the file system, which contained the files listed in Table 2.1. The files were copied and kept for later use.

Table 2.1: List of the files found in the smartphones' SD cards

Files present in the SD card:
- IV
- Public Key
- Private Key
- Public Server Key

We proceeded with the analysis of the application's source code, written in Java. We found that communications made through the application were encrypted with public-key cryptography (RSA), using the keys found on the SD card. The data stored on the phone, including the keys and the Initialization Vector (IV), was encrypted with symmetric cryptography, using AES.

By examining the code, we learned that the key used by AES to encrypt the files was derived from the application's PIN using PBKDF2, which is specified in Public Key Cryptography Standard (PKCS) #5 [50]. We also verified that the salt used for PBKDF2 was a fixed string of six alphabetic characters, which we found declared in plain text inside the code. The values given to PBKDF2 as input are listed in Table 2.2.

Upon examination it was established that the IV contained in one of the files is device dependent, and is generated and saved on the SD card on the application's first run. This IV was encrypted with AES in ECB mode with PKCS #5 padding, as were the remaining files, using the key derived from the PIN.

Table 2.2: Specific values that PBKDF2 receives as input

PBKDF2 input parameter              | Value
PRF                                 | Hash-based Message Authentication Code (HMAC) with Secure Hash Algorithm 1 (SHA1)
Master password                     | PIN
Salt value                          | fixed string
Number of iterations of the PRF     | 1024
Expected length of the derived key  | 256 bits

2.2 Vulnerabilities

At first glance the encryption algorithms used seem adequate, both being internationally recommended ciphers. However, a closer look reveals several poor choices in their deployment. The most significant are the mode of operation selected for AES, the number of PRF iterations, and the use of a fixed salt. As we will show, these choices severely compromise the application's security.

2.2.1 ECB encryption mode

The mode of operation chosen for AES is ECB, which is a weak choice. ECB's main problem is that identical plaintext blocks always produce identical ciphertext blocks under the same key. This reveals patterns in the encrypted data and can result in a loss of confidentiality. With key reuse, an attacker can compare known plaintext/ciphertext block pairs with unknown ciphertext blocks to decrypt them. Because each block is deciphered independently of its neighbours, ECB ciphertext can also be cut, reordered and replayed block by block without the receiver noticing.
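As an added illustration (example code written for this edit, not code from the thesis or from the analyzed application), the following Go program uses the standard library's AES to show both problems. The 256-bit key and the four 16-byte records, three of them identical, are constructed here. Under ECB the repeated records show up as repeated ciphertext blocks, while CBC with an IV hides them; and swapping two ECB ciphertext blocks still decrypts without any error, with the records reordered, which is the block-replay problem described above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 32-byte key (AES-256, as the app uses) standing in for the PIN-derived key.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// ecbEncrypt runs the block cipher over each 16-byte block independently. That is all ECB
// mode is: no chaining and no IV, so equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(plaintext)%aes.BlockSize != 0 {
		panic("plaintext must be a whole number of 16-byte blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// ecbDecrypt is the inverse; each block decrypts on its own, so blocks can be moved,
// dropped or replayed and the result still decrypts cleanly.
func ecbDecrypt(key, ciphertext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	return out
}

// cbcEncrypt is the comparison case: each block is XORed with the previous ciphertext
// block (or the IV) before encryption, so repeats in the plaintext are hidden.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block. Under ECB this is
// the number of repeated plaintext blocks, leaked without the key; under CBC it is 0.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	count := 0
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			count++
		}
		seen[b] = true
	}
	return count
}

// swapBlocks returns a copy of ct with blocks i and j exchanged, the kind of edit an
// attacker without the key can make to an ECB ciphertext.
func swapBlocks(ct []byte, i, j int) []byte {
	out := append([]byte(nil), ct...)
	bi, bj := i*aes.BlockSize, j*aes.BlockSize
	copy(out[bi:bi+aes.BlockSize], ct[bj:bj+aes.BlockSize])
	copy(out[bj:bj+aes.BlockSize], ct[bi:bi+aes.BlockSize])
	return out
}

func main() {
	// Constructed plaintext: four 16-byte records, three of them identical.
	rec, other := []byte("BALANCE=00000100"), []byte("BALANCE=99999999")
	plaintext := bytes.Join([][]byte{rec, rec, other, rec}, nil)

	ecb := ecbEncrypt(demoKey, plaintext)
	cbc := cbcEncrypt(demoKey, bytes.Repeat([]byte{0x42}, aes.BlockSize), plaintext)
	fmt.Printf("repeated ciphertext blocks: ECB=%d CBC=%d\n", repeatedBlocks(ecb), repeatedBlocks(cbc))

	// Block substitution: move the "99999999" record to the front without knowing the key.
	tampered := ecbDecrypt(demoKey, swapBlocks(ecb, 0, 2))
	fmt.Printf("first record after swapping ciphertext blocks: %s\n", tampered[:aes.BlockSize])
}
```

Run it with go run; the ECB count is 2 (the second and fourth records repeat the first) and the CBC count is 0, and the swapped ECB ciphertext decrypts to the records in the new order with no error to alert the receiver.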

2.2.2 Number of iterations of the PRF in PBKDF2

The choice of HMAC-SHA1 as the pseudorandom function for PBKDF2 is still considered appropriate, despite the shortcomings of SHA1 itself. SHA1 is considered vulnerable to collision attacks, with known attacks since 2005 and abandonment by federal agencies and by companies such as Microsoft [44], Mozilla [47] and Google [46]. Since an HMAC is far less affected by collisions in its underlying hash function than the hash function itself, SHA1 can still be used for this purpose. Nevertheless, NIST guidance from 2012 advises the use of SHA256 or SHA3 as a replacement for SHA1 [43].

Regarding the number of iterations of the pseudorandom function in PBKDF2, in 2000 the PKCS #5 standard recommended a minimum of 1000 iterations. At the time it was already foreseeable that this number would have to be increased to match the growing computing power of Central Processing Units (CPUs). NIST, in a recommendation from 2010, advised that the PBKDF2 iteration count should be "as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users." The minimum iteration count is still considered to be 1000, but the document states that "for especially critical keys, (...) an iteration count of 10,000,000 may be appropriate." [51] Ten million iterations may be excessive in this case, since the limitations of smartphone hardware would make the device unresponsive, which users would not accept. However, an iteration count of 1024 is too low to effectively delay attacks: testing a candidate PIN costs only 1024 HMAC-SHA1 evaluations per block of derived key, and the PIN is far shorter than a passphrase.

2.2.3 Use of a fixed salt

Of the vulnerabilities found, the most alarming is possibly the use of a fixed salt. In cryptography, a salt is a piece of random data that is combined with a password, usually by concatenation. To avoid storing the password in plain text, the combined string is hashed, and only this hash and the respective salt are kept.

Users often choose short and simple passwords that are easier to remember, but such passwords offer little security on their own. A salt does not add secrecy to the password, since it is stored next to the hash, but it ensures that the same password hashes to a different value for each user or device, so that each hash has to be attacked individually.

Consequently, salts substantially increase the difficulty of cracking passwords with a dictionary attack against a list of hashes. Without a salt, an attacker can build pre-computed hash tables (such as rainbow tables) with the hashes of all likely passwords once and reuse them against every hash. When a salt is used, the workload grows, since the attacker now has to compute the hash of each possible password combined with each possible salt.

Regarding the choice of salt, Request for Comments (RFC) 2898 states that, if there is no need to distinguish different uses of the key, "the salt may be generated at random and need not be checked for a particular format by the party receiving the salt. It should be at least eight octets (64 bits) long." [50] The salt used in the application is fixed rather than random, and shorter than the recommended 64 bits, with a length of only 48 bits (six ASCII characters). Although it is not public, since we had to look into the code to find it, it is short and, above all, constant, which leaves the PIN vulnerable to attack.

Since we know the salt, we can use it to build a pre-computed table (a rainbow table) with the hashes of all combinations of the salt with the possible PINs, at the same cost as if no salt had been used, effectively defeating its purpose. Furthermore, since the salt is reused on every smartphone running the application, the same table can be reused to crack the PIN on any other instance, saving the added computing effort.

Chapter 3

Proposed attack

As we will see in this chapter, the vulnerabilities found in the application are enough to plan an attack. We will show how that attack takes a form very similar to the widely performed attacks on WPA, and how the software for such an attack can be modified to work in our scenario. We will show that, using this method, it is possible to recover the application's PIN on any smartphone running it, effectively taking control of the communications made through the device. To start the attack, the only requirement is a copy of the SD card's files.

3.1 Description of WPA

There are two main modes of WPA:

• WPA Enterprise, which is based on Remote Authentication Dial In User Service (RADIUS) authentication;

• WPA Personal, which uses a Pre-Shared Key (PSK). WPA-PSK has two variants:

  – WPA1, based on the Temporal Key Integrity Protocol (TKIP);

  – WPA2, with Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on AES.

WPA1, which was deprecated in the 2012 revision of the 802.11 standard, uses a 256-bit pre-shared key from which the traffic keys are derived. This key can be given directly as a string of 64 hex digits, or derived from a passphrase of 8 to 63 printable American Standard Code for Information Interchange (ASCII) characters. In the latter case a key derivation function, PBKDF2, is applied to the passphrase to produce a key of the necessary length. In WPA1, PBKDF2 uses 4096 iterations of HMAC-SHA1 and the network's Service Set Identifier (SSID) as salt.

In theory, given the huge number of possible combinations of SSIDs and passphrases, brute-force or dictionary attacks on WPA1 would be infeasible. However, empirical observation shows that the SSID of domestic networks is rarely changed from the default hardware brand or Internet Service Provider (ISP) name, meaning that many domestic wireless networks share the salt used in the key derivation process. This allows the computation and reuse of huge pre-computed hash tables that combine likely passphrases with each of the most common SSIDs.

Since WPA1 was specified as a temporary replacement for Wired Equivalent Privacy (WEP) that remained compatible with older hardware, this possibility of attack was not taken as a serious risk. However, WPA1 remained in use for much longer than intended, which motivated the creation of software to simplify WPA1 cracking and the publication of very large pre-computed hash tables for the most common brands and ISPs.

3.2 Comparison with our software

Table 3.1 summarizes the WPA1 key derivation process and compares it to that of the application analyzed at C3P.

Table 3.1: PBKDF2 key derivation in WPA1 and in the analyzed application

Element                  | WPA1                                                                  | Analyzed application
IV                       | Nonces captured in the four-way handshake                             | Stored in a file, encrypted with AES under the PIN-derived key
Key                      | Never transmitted; candidates are verified against the captured handshake | Stored in a file on the SD card
Key derivation function  | PBKDF2                                                                | PBKDF2
Pseudorandom function    | HMAC-SHA1                                                             | HMAC-SHA1
Master password          | Passphrase (PSK)                                                      | PIN
HMAC-SHA1 salt           | Network SSID                                                          | Fixed salt string
HMAC-SHA1 iterations     | 4096                                                                  | 1024
Derived key length       | 256 bits                                                              | 256 bits

The table shows that the process has many similarities, which allow us to start from the attack on WPA1 and adapt it to our application. There are also some small differences, such as the PIN being shorter than a typical network passphrase, and a fixed string being used as salt instead of the SSID. Of these differences, however, the only one that will be reflected in the code is the number of PRF iterations, which is four times smaller than that of WPA1.

The use of a fixed salt provides an advantage, since it means that we will be able to reuse the generated set of rainbow tables to attack other devices using the same application.


3.3 A distributed attack on WPA1

CoWPAtty [57] is a program that performs offline dictionary attacks against WPA/WPA2 networks that use PSK based authentication, which is the case with WPA Personal. CoWPAtty’s attack can be accelerated if pre-computed Pairwise Master Key (PMK) hashes for the target SSID are provided. These can be produced using genpmk, a script that comes included with the software.

genpmk receives as input a password dictionary, salts each password with the desired SSID, and generates a file with the hashes of the salted passwords. These hashes can then be provided to CoWPAtty together with the SSID of the target network, and a file containing a capture of the four-way TKIP handshake between one client and the Access Point (AP).

In 2011, a group of students from the University of Colorado published an adapted version of coWPAtty that could speed up the attack on WPA1 by using several nodes to perform distributed look-ups on rainbow tables.[55] They wrote a Java web application to be run on the master node that handled the job submission process and the job queue. This master node was also responsible for starting the worker nodes in the cluster via Secure Shell (SSH), and for dividing the work equally among them.

Due to the similarities between the attacks, and the significant speed-up obtained with distributed lookups, we opted to study and adapt this software to develop our own program to exploit the smartphone’s vulnerabilities. Besides the changes needed in the software to adapt it to the differences in our use of PBKDF2, our worker nodes did not need to perform much of the work that coWPAtty did, such as processing the capture files and the four-way handshake. We also needed our program to perform an additional test, that would determine which of the rainbow table entries corresponded to the correct PIN.

After a close examination of the code of the distributed version of the attack, and given the differences between coWPAtty’s requirements and our own, we concluded that the best approach would be to write new software for the worker nodes. This new approach would allow us to create cleaner software, that would be easier to debug and that would fit more tightly with our objectives. However, due to lack of experience working with web applications and the JBoss web application server, especially when considering the additional difficulties of working with distributed computation nodes, the new version of the application took more than the expected time to develop, and presented an excessive amount of bugs. To address these issues, we eventually decided not to develop a distributed program, and focused instead on obtaining a non-distributed program, that was only loosely based on the original distributed code. This last version was still controlled remotely by another node that offered a web service to start, stop and monitor the worker node.


3.4 Padding Oracle Attack

In cryptography, a padding oracle attack is an attack that can be performed on the padding of messages encrypted with block ciphers. The attack is only possible if, when failing to decrypt the message because the padding is incorrect, the receiver discloses that information. When this happens, an attacker can gain information about the plaintext by modifying the message and asking the oracle to decrypt it. A successful attack can decrypt the message without knowing the encryption key.

The application under analysis uses the Java Cipher class[2], with the AES/ECB/PKCS5Padding transformation. PKCS5 padding is defined in PKCS #5[?]. To pad a message, this method appends the n bytes required to fill the block, each one containing the value n. An example of this type of padding for 8-byte blocks can be seen in Figure 3.1. With this type of padding, when the size of the message equals the block size, an extra block consisting entirely of padding is appended.

Since AES is a block cipher, and is operating in ECB mode, all blocks ciphered with it may be attacked with this method. The doFinal() method provided by the Cipher class is appropriate to implement an oracle, since it throws a specific error (a BadPaddingException) whenever the decrypted data does not end in a correct padding.

    public final int doFinal(byte[] input,
                             int inputOffset,
                             int inputLen,
                             byte[] output,
                             int outputOffset)
        throws ShortBufferException,
               IllegalBlockSizeException,
               BadPaddingException

Listing 3.1: The Java Cipher class method doFinal(). The BadPaddingException thrown by the method enables the padding oracle attack.

This is the case of the ECB cipher mode used in our application, which requires the message to be encrypted to have a length that is a multiple of 16 bytes. The message can be altered and sent to the oracle, and the oracle replies saying whether the message is well formed. A well formed message has a correct padding, which makes sense when decrypted. Thus, the last bytes of a message may be changed at will to produce correct paddings, until the attacker has decrypted the whole message, without ever knowing the encryption key. Figures 3.2, 3.3, 3.4 and 3.5 show the decryption of the last two bytes of the message. The process can be repeated until the entire message is decrypted.


Figure 3.1: Example of PKCS5 Padding in blocks containing 3, 5 and 8 byte messages, in blocks

of 8 bytes.

Figure 3.2: Padding oracle attack on the last byte of an 8 byte block, producing an incorrect

padding.

Figure 3.3: Padding oracle attack on the last byte of an 8 byte block, producing a correct padding

of 0x01.


Figure 3.4: Padding oracle attack on the second-last byte of an 8 byte block, producing an

incorrect padding.

Figure 3.5: Padding oracle attack on the second-last byte of an 8 byte block, producing a correct

padding of 0x02.

3.5 Results

In order to crack the application’s PIN number, we attempted to decrypt the IVs found in the SD card with each of the keys present in our pre-generated rainbow tables. To verify whether the key succeeded, we caught the Java exceptions thrown by the doFinal() method shown in Listing 3.1. Whenever the key fails to correctly decrypt the IVs, the method throws a BadPaddingException, meaning that it was provided with the wrong key.
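The padding rules of Figure 3.1 and the check behind the BadPaddingException key test used in this section, as an added Python example that is not part of the thesis’s software or of the analyzed application. It implements PKCS#5 padding and its strict validation (the condition Java’s Cipher enforces before throwing BadPaddingException), and then quantifies a caveat a practitioner would want when using that exception as a key test: decrypting with a wrong key turns the last block into effectively random bytes, and random bytes pass the check with probability Σ 256^-n ≈ 1/255, so roughly one candidate key in 255 is accepted by the padding check alone and needs a second verification. The function names and the 16-byte AES block size are mine; no cipher is involved, only the padding logic.

```python
"""PKCS#5/PKCS#7 padding, the boolean a padding oracle leaks, and the
false-positive rate of using that boolean to recognise a correct key."""
import random
from fractions import Fraction

BLOCK = 16  # AES block size in bytes (the figures in the text use 8-byte blocks)


def pkcs5_pad(msg: bytes, block: int = BLOCK) -> bytes:
    """Append n bytes of value n so the length becomes a multiple of block.
    A message that already fills a block gets a whole extra block of padding."""
    n = block - (len(msg) % block)
    return msg + bytes([n]) * n


def pkcs5_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strict inverse of pkcs5_pad. Raises ValueError exactly where Java's
    Cipher.doFinal() would throw BadPaddingException."""
    if not data or len(data) % block:
        raise ValueError("bad padding: length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: trailing bytes are not n copies of n")
    return data[:-n]


def padding_is_valid(data: bytes, block: int = BLOCK) -> bool:
    """The single bit an oracle discloses: well formed or not."""
    try:
        pkcs5_unpad(data, block)
        return True
    except ValueError:
        return False


def false_positive_probability(block: int = BLOCK) -> Fraction:
    """Exact probability that a uniformly random block passes the check,
    i.e. that a WRONG key is accepted by the padding test: sum of 256^-n
    over the valid padding lengths n = 1..block."""
    return sum(Fraction(1, 256 ** n) for n in range(1, block + 1))


def false_positive_rate(trials: int, block: int = BLOCK, seed: int = 1) -> float:
    """Monte-Carlo estimate of the same quantity: wrong-key decryptions are
    modelled as pseudo-random blocks (constructed data, seeded for repeatability)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        candidate = rng.getrandbits(8 * block).to_bytes(block, "big")
        if padding_is_valid(candidate, block):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # The three cases of Figure 3.1: 3-, 5- and 8-byte messages in 8-byte blocks.
    for msg in (b"abc", b"abcde", b"abcdefgh"):
        print(msg, "->", pkcs5_pad(msg, 8).hex())
    print("P(wrong key accepted) =", float(false_positive_probability()))
    print("observed rate        =", false_positive_rate(100_000))
```

The practical consequence for the key test in Section 3.5 is that a candidate key that does not raise BadPaddingException is only a likely hit; confirming it requires a second criterion, such as checking that the decrypted IV actually decrypts the stored data to something meaningful.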

The delay introduced by development difficulties and the necessary adaptations to the existing code resulted in insufficient time to complete the program. Therefore, the application built has some stability issues and produces unreliable results. However, the test runs performed showed that the attack could be made with success, and we were able to recover the PINs and to successfully gain full access to the application, demonstrating that the application was unsuitable to provide a secure communication channel.

3.6 Possible improvements

To increase the security of the application, we suggest a larger iteration count of HMAC-SHA1. A popular current application of HMAC-SHA1 is in WPA1, where the iteration count is 4096. To increase the difficulty of computing pre-computed hash tables, it would be advisable to use more than the present 1024 iterations of HMAC-SHA1 to derive the AES encryption key, especially when considering the level of security that the application intends to achieve.

The choice of salt should also be revised. The salt should be longer and generated randomly, so that when appended to the PIN it may result in a strengthened passphrase. This is especially relevant if we consider that PINs are usually very short, with a length between 4 and 6, and formed exclusively by digits. If the appended salt is not long enough, hashing a list of brute-forced passwords can result in a successful attack without much computing effort. The salt should also be different for each device, so that each device requires its own set of rainbow tables to be computed for a successful attack.
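The two derivations of Table 3.1 and the salt and iteration changes suggested above, as an added Python example (my own code, not the thesis’s cracking program nor the analyzed application). It uses hashlib.pbkdf2_hmac, which is the same PBKDF2-HMAC-SHA1 construction; wpa1_pmk is checked against the published 802.11 test vector (SSID "IEEE", passphrase "password"). The fixed salt of the real application is not given on the page, so APP_FIXED_SALT is a constructed stand-in, and all function names are mine. The point is the one made in Sections 3.2 and 3.6: with a fixed salt, one precomputed table for the PIN space serves every installation, whereas a random per-device salt makes that table useless against any other device and a higher iteration count multiplies the cost of building each new one.

```python
"""PBKDF2 as used by WPA1 and by the analyzed application (Table 3.1), and the
effect of the two suggested fixes: a random per-device salt and more iterations."""
import hashlib
import os
from typing import Dict, Iterable, Optional

KEY_LEN = 32  # 256-bit derived key in both schemes


def wpa1_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/802.11i PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, KEY_LEN)


# The application's real fixed salt is not on the page: this is a constructed stand-in.
APP_FIXED_SALT = b"constructed-fixed-salt"
APP_ITERATIONS = 1024


def app_key(pin: str, salt: bytes = APP_FIXED_SALT, iterations: int = APP_ITERATIONS) -> bytes:
    """The analyzed application's derivation as Table 3.1 describes it: same KDF
    and PRF as WPA1, but a short PIN as password, a fixed salt and 1024 rounds."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, iterations, KEY_LEN)


def pin_candidates(digits: int) -> Iterable[str]:
    """Every all-digit PIN of the given length (the text: usually 4 to 6 digits)."""
    return (str(i).zfill(digits) for i in range(10 ** digits))


def precompute_table(candidates: Iterable[str], salt: bytes, iterations: int) -> Dict[bytes, str]:
    """Derived key -> PIN table for ONE salt and iteration count: the precomputation
    the text calls a rainbow table (a plain dict here). It only applies to devices
    that share exactly this salt, which is why a per-device salt defeats it."""
    return {hashlib.pbkdf2_hmac("sha1", c.encode(), salt, iterations, KEY_LEN): c
            for c in candidates}


def lookup(table: Dict[bytes, str], derived_key: bytes) -> Optional[str]:
    return table.get(derived_key)


def hmac_calls_to_exhaust(pin_digits: int, iterations: int) -> int:
    """Work to build a table covering all PINs of this length: one PBKDF2 call,
    i.e. `iterations` HMAC-SHA1 calls, per candidate."""
    return 10 ** pin_digits * iterations


def new_device_salt() -> bytes:
    """Suggested fix: a random salt generated once per device at install time."""
    return os.urandom(16)


def hardened_key(pin: str, device_salt: bytes, iterations: int = 4096) -> bytes:
    """Same KDF with the two changes the text suggests. 4096 is the WPA1 count the
    text cites as a reference point; current guidance favours far higher counts."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), device_salt, iterations, KEY_LEN)


if __name__ == "__main__":
    table = precompute_table(pin_candidates(4), APP_FIXED_SALT, APP_ITERATIONS)
    # A second device running the same application shares the salt: the table is reused as-is.
    print(lookup(table, app_key("0423")))                          # 0423
    # A device with its own random salt: the same table yields nothing.
    print(lookup(table, hardened_key("0423", new_device_salt())))  # None
    print(hmac_calls_to_exhaust(6, APP_ITERATIONS))                # 1024000000
    print(hmac_calls_to_exhaust(6, 4096))                          # 4096000000
```

Note that the per-device salt must be stored alongside the encrypted data (it is not a secret); its job is only to force a fresh table per device, while the iteration count sets the cost of each entry in that table.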

The operation mode for AES requires additional consideration, since ECB is too simple and easily attacked. To avoid padding oracle attacks on the ciphertext, AES should be used with an operation mode that allows it to work as a stream cipher, or replaced with a stream cipher.

To ensure the correctness of the code in such a critical application, the code should be reviewed and audited prior to launching the application commercially. The potential buyer should also consider creating a set of standards that the developers must follow to ensure their product has an adequate level of quality and can work with the required level of security.


Chapter 4

Privacy in hostile environments

Throughout this work, we will define the right to privacy as the “right to keep a domain around

us, which includes all those things that are part of us, such as our body, home, property, thoughts,

feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in

this domain can be accessed by others, and to control the extent, manner and timing of the use

of those parts we choose to disclose.”[52] In the present chapter, we will review the evolution of

this concept from the late 19th century to the present day, following court cases that challenged

the legality of certain methods of information gathering while pursuing an elusive definition of

the right to privacy. We will show how such cases are closely related to the use of new technology,

and how the inability to understand the growing complexity of that technology hinders the ability

of the law to protect citizens from abuse.

4.1 The right to be let alone

The history of privacy as a human right is intimately connected with the history of technology.

Before the advent of the printing press, breaches of privacy were very limited, since news did not

propagate further than what was strictly necessary, and records, official and otherwise, were rare

and hard to access.

The first publication to advocate privacy as a right was written by Samuel Warren and Louis Brandeis, and published in 1890. Their main concern was that the laws in place did not account for technological advancements like instantaneous photography, and that those advancements, coupled with the widespread circulation of newspapers, had opened a new market for “idle gossip, which can only be procured by intrusion upon the domestic circle”. In their article they examine concepts already present in the law, such as libel, slander, breach of confidence and intellectual property, only to conclude that they do not adequately cover the harm that comes to the individual when facts of his private sphere come under the scrutiny of the public eye. They go on to prove that there was a principle in the existing law that afforded what they called the “right to be let alone”.[56]


In 1928, Brandeis was a justice on the Supreme Court and expressed a dissenting opinion in Olmstead v. United States[4], a court case that became famous as the first USA Government accusation based on wiretapping. Although the defendant, accused of running a huge network dedicated to “bootlegging”, pleaded the 4th and 5th Amendments¹, the government considered that there was no similarity between this new telephone technology and written mail. Furthermore, the wiretapping had been done in boxes on the street, in the neighborhood where the defendant lived, thereby excluding any possibility that the information gathered had been obtained outside the existing laws concerning the gathering of proof. Brandeis argued that the 4th and 5th Amendments were created to protect citizens from force and violence, which were at the time the only means by which the government could compel self-incrimination. However, technological advancements had allowed the government to change to more subtle methods, that nevertheless endangered citizens’ rights. He questions whether the constitution grants any protection against such abuses and concludes that it does. He reasons that the 4th and 5th Amendments are broad in scope, as the constitution aims to protect Americans from intrusion of the Government in their private lives, and that to protect the right to be let alone, “every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment”. He goes on to expose the fact that the use of evidence that was obtained illegally (wiretapping was a crime according to the law of Washington), and through infringement of such a fundamental right, was a violation of the 5th Amendment.

The ruling in Olmstead v. United States was eventually overturned by another case, Katz v.

United States[3], in 1967. This case defined that immaterial intrusion with the aid of technology,

such as wiretapping, constitutes a search, and as such it is covered by the rules for reasonable

search and seizure. It also extended the scope of the 4th amendment to all the places where an

individual has a "reasonable expectation of privacy". Justice Harlan gave a concurring opinion in

which he established what became known as Harlan’s test. This test established that there was a

right to privacy whenever the individual exhibited an expectation of privacy, and where society

recognized that expectation of privacy to be reasonable.

In “First Principles of Communications Privacy”, author Susan Freiwald states her belief

that “difficulty with the reasonable expectation of privacy test has led courts to avoid using it

to resolve the constitutional status of modern communications technologies. But the answer

cannot be to withhold constitutional protection from electronic communications, as courts do

when they fail to act. (...) If courts do not establish constitutional protections for the electronic

communications that are now central to our lives and work, then we will have accorded law

enforcement surveillance powers of Orwellian magnitude.”[49]

¹ The 4th Amendment to the United States Constitution protects the right to be secure against unreasonable searches and seizures. The 5th Amendment protects, among others, the right to due process. A process is not due process if it conflicts with any of the provisions of the constitution, or if it “offends some principle of justice so rooted in the traditions and conscience of our people as to be ranked as fundamental”. [Snyder v. Massachusetts, 291 U.S. 97, 105 (1934) https://supreme.justia.com/cases/federal/us/291/97/case.html#105]


4.2 Mass surveillance

In Europe, presumption of innocence is a right protected by the Universal Declaration of Human

Rights and by the Convention for the Protection of Human Rights and Fundamental Freedoms

of the Council of Europe. Formally, presumption of innocence means that the burden of proof is

on the accuser, not on the defendant. At this point, the right to presumption of innocence is

being infringed upon in important ways, mostly due to mass surveillance and the illegal seizure

of personal information.

If we look hard enough at an individual citizen, it is very likely that he broke the law in some way, knowingly or unknowingly, but not with criminal intent. In most countries where presumption of innocence is considered a right, prosecuting a citizen would require a strong suspicion, followed by the gathering of proof. Depending on the nature of the proof, and the strength of the accusation, a judge may have to authorize such gathering. In countries with mass surveillance, however, every citizen is treated as a possible suspect, and evidence collection is permanent and unfiltered. It is possible for the authorities in such a country to single out an individual and check his records for activity that can be used to initiate prosecution. The analysis of this information can even be automated, so that the prosecution may start without human intervention or judgment.

Although frowned upon in liberal democracies, mechanisms of mass surveillance have been

tolerated, and sometimes accepted, by the public as a necessary evil. However, no western

government has been able to produce evidence of the necessity of such programs, despite the

pressure to do so. The popular claim recently made by the USA that 54 terrorist attacks had

been stopped by their contested mass surveillance program was found untrue by two independent

White House reviews of the relevant classified data.[45][31]

Paired with this fact, the disclosure of classified information about secret programs developed in the USA and Europe has shown the depth to which innocent citizens’ lives are being scrutinized and intruded upon by these ruthless mechanisms of bulk data collection.

The ubiquity of electronic personal devices, many of them with significant data storage capabilities, adds to the problem, since the amount of personal and private information that can currently be seized in the event of a legitimate body search is enormous. Because these devices have only recently become widely available, their seizure, together with the data they contain, is not bounded by law. This allows the authorities to apprehend cellphones, hand-held GPSs,

digital storage devices, and cards containing biometric data, most notably The possibilities

created by the massive collection of this sort of data are very relevant to the health of democracy

in western states, but they become particularly dangerous if a government or a law enforcement

agency chooses to abandon the principles that it is expected to follow, a situation not altogether

uncommon in very recent or unstable democracies, in dictatorships or in police states.


4.3 Privacy and technology

Throughout the history of privacy, two main facts come to light: one is that there is an omnipresent temptation for political, economic or military powers to exploit the lack of privacy regulations for profit or for legal advantage; the other is that the lack of regulations protecting privacy is always present when new technologies emerge.

In the late years of the past century and through the past decade, technology surfaced and became widely available at a pace that had not been seen before. Internet access has led a significant part of the population to rely heavily on online services, putting a huge amount of trust in the availability and integrity of those services and their underlying technology.

Due both to the popularity and ubiquitous need for Internet access, a vast array of terminals

have been developed, as diverse as smartphones, tablets or wristwatches. In general, they are

so complex that their core is opaque to most users, even to those that know in detail one of its

many components.

Although they could have done otherwise, and perhaps to their own benefit, companies and brands have made no effort to create and adopt clear standards, or to educate users. Obscure concepts such as “Cloud Services”, or the “Internet of Things”, are used to lead the public to wrongly infer that the complex, intermediary-ridden network their data and meta-data have to cross is a simple, vague and secure place that they need not know or care about. With no incentive to learn and no perception of the increasing gap between user and device, the population in general is acquiring no significant knowledge of the inner workings of services, the hardware they use, or the channels they use to reach them.

To combat this, there has to be a significant investment in educating users, and in establishing

rules for transparency in the design of software and hardware that needs to be trusted. New

technologies will have to be created according to a principle of “privacy by design”.


Chapter 5

Easy to use Privacy: C3Priv

As public awareness of the topics of online privacy and data security increases, there is also an increasing need to provide adequate tools for enhancing safety in the use of networks and terminals. To address this issue, a project was developed in the context of the present work, in conjunction with the C3P from Universidade do Porto (UP), and the Comissão Nacional de Protecção de Dados (CNPD). The project, named C3Priv, aims to develop a tool to return to the user the ability to take control over his own privacy. In the following chapter we present the challenges faced while designing a solution, and describe how we overcame those challenges.

5.1 Guiding premises

C3Priv starts with the premise that the biggest risks for users arise from the lack of control they have over the software they use. Frequently, browsers, websites and applications store personal data and sensitive information without the awareness or permission of the user. When this occurs in an uncontrolled environment the risk multiplies, and it is almost certain that the privacy - and even the safety - of the user is compromised.

Our goal is to allow users to reduce their “online footprint”, allowing them to have a safer online experience independently of their computer know-how and their ability to correctly configure complex software. Organizations and projects like the Electronic Frontier Foundation[14], the Open Rights Group[5], the American Civil Liberties Union[42], or the TOR Project[36] exist, but their aim is directed either at educating users, at appealing to major online websites and companies to become accountable and ethical in their data collection, at covering anonymity needs, or at pushing for stricter rules to regulate abusive data collection. Unlike these projects, C3Priv starts with the conservative view that every computer used and every site visited is hostile, unless the user explicitly says otherwise. We change the focus to the user, giving him the responsibility and the choice to protect himself.

In order to ensure the users will adhere to this new paradigm of taking control over their own “online footprint”, any solution has to do more than giving them the tools to keep them safe. We therefore opted for a design directed towards solving the users’ needs, offering them applications that are easy to use, with an easy learning curve, and that ultimately do address their day-to-day needs with no additional burden.

Ultimately, the purpose of C3Priv is to return control to the user, allowing him to choose

what he sees, when he sees it, what he keeps to the future, who can track him, and for how long.

5.2 Privacy By Default

Observing users’ needs, a common challenge seems to be keeping files and configurations synchronized between computers. Between the workplace and home, users often need to copy files and bookmarks to keep them updated, or to write down passwords in order to use the same services from everywhere. These procedures are both cumbersome and risky. Recent files may be overwritten by older versions, and passwords and documents may be misplaced, lost or even captured by a hostile party.

Although there is a growing concern of the public and the media over security topics, close observation also shows that a large base of concerned users is not computer savvy, and is unable both to choose appropriate software and to correctly configure it on their own. Software wrongly configured or obtained online from dubious sources can be as dangerous as, or even more dangerous than, having no protection at all.

From these observations, it becomes clear that a useful solution has to integrate software equal or very similar to the one the user already works with, in a format that he can carry with him. This solution must also be bundled in a way that allows for easy deployment, and can be used successfully with default configurations by users with very little computer experience.

5.3 Recognizing Limits

When building a solution that is, ultimately, a “best effort” approach to protect users, it is

crucial to identify threats, and to establish limits beyond our ability to counteract.

Without considering the good sense and the computer literacy of the user, the protection we can afford will ultimately depend on the scope and the power of the intercepting party, which we will call the adversary.

It is a well known rule of cybersecurity that no system is secure unless it is offline and physically isolated. To us, this means there are concerns we must choose to leave behind. Chief among them is the possibility of the physical capture of data or storage devices, by legal means or by force, as well as the coercion of the user to reveal whichever data he aims to keep secret. At best, this could be approached by building a system that supports plausible deniability. However, besides the increased complexity of the design constraints, such a mechanism could be a hindrance to the common user unless seamlessly done, and is likely beyond the needs of the targeted audience.

When talking about securing data that traverses a network, it is also important to establish who owns that network, and the level of control the owners have over it. As such, an adversary that owns either both ends, or a sufficiently large number of nodes in the network, will be able to time connections and gather large amounts of information. This may allow him to correlate separate communications, possibly identifying users and patterns of behavior, and to link together different sessions by the same user, both in the same and in different services. Among many others, with control of middle nodes the adversary can manipulate or redirect the connection, conducting effective phishing or man-in-the-middle attacks. This situation becomes especially severe if the adversary also has control over a relevant certificate authority, allowing him to create false secure connections and to easily hijack secure communications. Ultimately, a powerful adversary could in extreme cases block all HTTPS traffic, so that the communications done could be intercepted unencrypted, or even block all communication. Actual examples of these occurrences were seen in countries such as Syria, Iran and China, where the victims of the attacks ranged from activists, to journalists, to civilians opposed to the regime. For the time being, and to limit the complexity of the project, these groups of users will be left out of our target public.

5.4 Proposed Solution

With these considerations in mind, we are able to narrow down a group of users that is more likely to benefit from a solution such as C3Priv. These are users that have little computer literacy but use computers and the Internet on a day-to-day basis. To give these users a Swiss army knife of applications they can recognize and actively use both at home and in less secure environments, PortableApps was chosen as the base for the software bundle. As mentioned on their website, PortableApps is a fully open source and free platform that works in any portable storage device, and can be installed and run locally.

With millions of users worldwide, and online since 2004, PortableApps has established itself as a trusted platform, and has a large collection of open-source, freeware and commercial software easily available. PortableApps is highly customizable and flexible, allowing the user to pick from a vast array of portable applications in a built-in store, which can be regularly updated with no more than a click. A set of customizable menus can be organized in the most convenient way, and the application can be configured to run selected portable apps every time the menu opens.

Portable applications have the functionality of the installed versions, but were adapted so that all files and data needed by the program are kept in sub-folders of the program’s main folder. The PortableApps software can be installed in a portable device, such as a USB pen-drive, together with the selected applications. When the user plugs the pen-drive in any Personal Computer (PC), he can use those applications without having to install them locally.

Figure 5.1: PortableApps menu

All the files are saved to the drive instead of the PC. Therefore, the user always carries with him the files he needs, as well as his usual programs, configured according to his preferences and needs. From a privacy-preserving point of view, this solution has the significant advantage of reducing to the minimum the information left on the PC that was used, lowering the risk of the user inadvertently leaving private data in the wrong hands. The host operating system may still record that a removable device was connected and which programs were run (Windows, for instance, keeps USB storage device entries in the registry and program execution traces in its Prefetch folder), so the guarantee concerns the applications' own data, not every trace of use.
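The claim that a portable application leaves nothing behind can be checked rather than trusted. The following script is an added example, not part of C3Priv or PortableApps: it snapshots a directory tree on the host before and after a portable application is run and reports what was created, modified or deleted. The directory names and file contents in the demo are constructed for illustration; on a real host one would point it at the user profile directory (for example the AppData folder on Windows) and the temporary folder.

```python
"""Host-trace check for a portable application (added example, not C3Priv's code).

Take a snapshot of every regular file under a host directory before running
the portable application, take another afterwards, and diff the two. A
well-behaved portable app should produce an empty diff for the host's user
profile and temporary directories.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                # Locked or vanished file: skip it rather than abort the whole scan.
                continue
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_snapshots(before, after):
    """Return the files created, modified and deleted between two snapshots."""
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def demo():
    """Constructed scenario: a 'portable' app that quietly writes into the host profile."""
    with tempfile.TemporaryDirectory() as host:
        profile = Path(host) / "AppData" / "Roaming" / "SomeApp"  # hypothetical app folder
        profile.mkdir(parents=True)
        (profile / "prefs.ini").write_text("theme=light\n")
        before = snapshot(host)

        # Simulated run of a badly behaved application (constructed, not a real app):
        # it rewrites a preference file and drops a recent-files list on the host.
        (profile / "prefs.ini").write_text("theme=dark\n")
        (profile / "recent.lst").write_text("E:\\Documents\\contract.odt\n")

        after = snapshot(host)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real run, take the first snapshot before plugging in the pen-drive, run the application from the drive, close it, and take the second snapshot of the same directories. A file-system diff does not see the registry, the Prefetch folder or the USB device history that Windows keeps, so an empty result means the application left no files behind, not that the session is undetectable; a registry snapshot taken before and after is the natural complement on Windows.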

Together with this software, the C3Priv bundle also includes two browsers: one with add-ons specifically chosen for enhanced privacy and security, and another, the Tor Project's browser bundle, which addresses user anonymity and is left unaltered. Encryption software is also included, together with an encrypted folder that can be used as a "safe" folder for important files. The full contents of the C3Priv bundle, already installed on a USB pen-drive, can be seen below.


Figure 5.2: Contents of a USB pen-drive with C3Priv already installed

5.5 Advantages of Open Source

Besides PortableApps itself being open source, all programs selected to be in the C3Priv bundle by default are open source.

Compared to freeware or paid proprietary software, whose source code is not disclosed, the code of open-source software is readily available and can be read and analyzed by any user who wishes to do so. Because of the popularity and widespread use of these particular applications, the source code is reviewed by a large number of people from all over the world. This gives us greater trust in the software we include in the bundle, since it is unlikely that a deliberately placed exploit or "back-door" would go unnoticed by so many independent and diversely motivated reviewers. Availability of the source is not by itself a guarantee that someone has actually reviewed it (the Heartbleed bug sat in OpenSSL for about two years before it was found in 2014), but it makes independent review and verification possible, which closed software does not.

5.6 Selected Applications

C3Priv contains a small set of applications selected for their usefulness to the majority of our target users. This includes programs such as office software to edit documents and spreadsheets, an audio player, an anti-virus, an application to compress and decompress files, an image editor, an e-mail client, programs for secure remote access, an instant messaging client, and a browser. Users can add software they find useful through the PortableApps software menu, including proprietary software, if they choose to. A full list of the software included is given in Annex A.

5.7 Selected Browser Add-ons

Add-ons are small pieces of optional software that extend a program's functionality. To address privacy and online safety concerns, we included in the Firefox browser shipped with C3Priv a set of relevant add-ons, already configured to offer maximum protection. They range from blocking online tracking, cookies, dangerous scripts, Flash animations, pop-ups and invasive advertising, to verifying that a connection is secure or checking a website's reputation. A full list of the add-ons included is given in Annex B.

5.8 Observations and Results

The first public release of C3Priv took place on 11 February 2014, in celebration of Safer Internet Day, through the CNPD website [11]. Since then, it has been available for download on its own webpage [9]. It received a significant amount of attention from the press, and the C3Priv bundle available online had over 8,000 downloads during the first month. We retained some of the downloads' metadata in order to map the geographical areas that showed interest in C3Priv. As the graphics displayed below show, the vast majority of downloads were made from Portugal. After Portugal, the largest numbers of downloads in Europe came from France and the United Kingdom. Some interesting results show a large number of downloads in areas such as Brazil (in particular in the north and on the western border with Bolivia), Morocco, Angola and South Korea.

The large number of downloads from Brazil and Angola may be a result of the shared cultural and linguistic legacy, and possibly of the significant presence of Portuguese citizens living in those countries. Downloads from South Korea and Morocco are, however, harder to explain, and may be related to the awareness about privacy and freedom of speech that the recent political turmoil in North African countries and in North Korea has created. Unfortunately, there is not enough data to allow us to draw further conclusions. Mechanisms for retrieving more information can be found in the proposals for future work.


Figure 5.3: Volume of C3Priv downloads from February 2014 to October 2014

Figure 5.4: C3Priv download distribution globally


Figure 5.5: C3Priv download distribution in Europe

5.9 Future

During the creation of C3Priv and the analysis of results, we perceived a large space for improvement in the existing technologies that address user privacy and security. The interest demonstrated by the public in our project, both through the press and through the individual C3Priv downloads, leads us to believe that the development and evolution of C3Priv must continue. The lines of work that appear particularly relevant for the time being are explained below.

5.9.1 Creating an indistinguishable online identity

Research has shown that the use of specific options to avoid online tracking and protect user data may actually make the user more visible to an observer looking for distinguishing profiles. In fact, to be anonymous in a crowd, the user has to blend in with it, becoming unidentifiable within that anonymity set. This is only possible when a significant number of individuals in the crowd have very similar profiles. For that reason, using a large number of security plug-ins, or disabling common features of the browser such as JavaScript or Flash, can have a detrimental effect for the user: each unusual setting is one more attribute that narrows the set of users the observer has to tell apart [53][48].

Although C3Priv could create an anonymity set of its own, making all of its users indistinguishable from each other, our user base is not large enough to achieve that at this point. Therefore, a useful approach would be to keep updated records of the most common browser settings and apply them to the C3Priv browser automatically. Since this extra anonymity could come at the cost of a level of privacy or protection, each configuration would have to be carefully evaluated to assess its impact. A possible solution to this dilemma would be to provide different bundles, allowing the user to choose the one he finds most adequate to his needs. These bundles should then be tested for uniqueness using tools such as Panopticlick, a website created by the Electronic Frontier Foundation to evaluate how unique a given browser fingerprint is [28].
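The trade-off described in this section can be made concrete with the anonymity-set and surprisal measures used by the Panopticlick study [48]. The script below is an added example written for this text, not code from C3Priv or from the EFF: it models a fingerprint as the tuple of attributes a website can observe, counts how many users in a population share each fingerprint, and converts that share into bits of identifying information. The population, the attribute values and the add-on names in it are constructed for illustration, not measured data.

```python
"""Anonymity-set size and surprisal of browser fingerprints (added example).

A fingerprint is what a site can observe about a browser. The anonymity set
of a user is the number of people in the population sharing his fingerprint,
and the surprisal -log2(p) is how many bits of identifying information the
fingerprint reveals (the measure used by Eckersley's Panopticlick study).
"""
import math
from collections import Counter


def fingerprint(profile):
    """Canonical, hashable view of the observable attributes of one browser."""
    return (
        profile["user_agent"],
        profile["javascript"],
        profile["flash"],
        tuple(sorted(profile["addons"])),  # order-insensitive add-on set
        profile["screen"],
    )


def anonymity_sets(population):
    """Count how many users in the population share each fingerprint."""
    return Counter(fingerprint(p) for p in population)


def anonymity_set_size(population, profile):
    """Number of users (including the profile itself) with the same fingerprint."""
    return anonymity_sets(population)[fingerprint(profile)]


def surprisal_bits(population, profile):
    """Bits of identifying information, -log2(P(fingerprint)); larger means more unique."""
    size = anonymity_set_size(population, profile)
    return -math.log2(size / len(population))


def most_common_fingerprint(population):
    """The modal configuration: what a 'blend in with the crowd' bundle would copy."""
    return anonymity_sets(population).most_common(1)[0][0]


# Constructed population of 100 visitors (illustrative numbers, not measured data).
COMMON = {"user_agent": "Firefox/35.0 (Windows NT 6.1)", "javascript": True,
          "flash": True, "addons": (), "screen": "1366x768"}
ALT_UA = dict(COMMON, user_agent="Chrome/40.0 (Windows NT 6.1)")
ADBLOCK = dict(COMMON, addons=("Adblock Plus",))
# A single 'hardened' visitor: scripts and Flash off, several privacy add-ons.
HARDENED = dict(COMMON, javascript=False, flash=False,
                addons=("NoScript", "FlashBlock", "Ghostery", "BetterPrivacy"))

POPULATION = [COMMON] * 60 + [ALT_UA] * 30 + [ADBLOCK] * 9 + [HARDENED]


if __name__ == "__main__":
    for name, prof in [("common", COMMON), ("adblock", ADBLOCK), ("hardened", HARDENED)]:
        print(f"{name:9s} anonymity set = {anonymity_set_size(POPULATION, prof):3d}"
              f"  surprisal = {surprisal_bits(POPULATION, prof):.2f} bits")
```

In this population the hardened visitor is alone in his anonymity set and reveals log2(100) bits, enough to single him out, while a user with the modal configuration shares it with 59 others and reveals under one bit. The same computation, fed with real attribute counts, is what would tell whether a candidate C3Priv bundle blends in or stands out.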

5.9.2 Surveying users' needs

To establish the needs of users and their level of satisfaction with C3Priv, a small survey could be run on the website, or a feedback tool could be included in the software. This would allow users to express their preferences about the usability of C3Priv, the applications they wish to see included in future editions, and any problems and bugs they encounter during use.


Chapter 6

Conclusion

During this thesis we examined several scenarios where privacy, anonymity or secrecy are needed in communications but difficult to achieve. We researched existing solutions to mitigate the difficulty of controlling and securing a working environment for entities with different needs and motivations, from the exchange of classified information by government officials to the need for privacy of the ordinary citizen.

In the realm of classified communications, together with the C3P team, we examined a commercially available mobile application for design flaws. We described the flaws found and detailed how they could be exploited, showing that communications made through the application were not secure. We implemented software to exploit one of those design flaws. However, due to problems with the initial approach of adapting an existing program, we had to develop new software for our distributed worker nodes. The problems encountered delayed the implementation, resulting in an unstable program that still needs debugging and testing before it can produce reliable results.

The generalization of our observations about the examined application to other similar apps is limited by the lack of an exhaustive analysis of commercial software for secure communications. However, the fact that such critical design flaws were found in an application meant for secure communications at the highest level makes us reasonably suspicious that applications with the same, or even more serious, oversights may be available commercially, especially among those marketed for secure communications for businesses or individuals. Our findings are alarming enough to call for more caution and stricter rules in the selection of software for secure communications, and they underline the need for rigorous security audits when high levels of security are required.

In the field of online privacy, the focus of this work was the everyday activity of an ordinary individual. We started by studying the evolution of the concept of privacy and the way it has been infringed upon with the aid of new technology, from the dissemination of street photography to bulk data collection. We have shown that the discussion on the concept of privacy, and the need to frame it in legal terms, has remained a subject of debate to the present day. With courts avoiding the application of Harlan's test, both because of the difficulty of assessing the public's expectations of privacy and because of the complexity of the technology involved in current methods of information gathering, we concluded that there is an urgent need for a clear and resilient definition of privacy, together with a set of rules and guidelines that can effectively protect citizens from the threats of existing and future technology [49].

In parallel with the struggle to create mechanisms to protect citizens, we searched for a solution to the lack of control that users experience over their online footprint. We developed C3Priv, a solution that returns a measure of control to the user by allowing him to use computers he does not trust without leaving any significant information behind. The tool includes a version of the popular Firefox browser, customized to minimize as much as possible the information collected by websites during regular Internet use. By tracking the number of downloads of C3Priv and their distribution across the globe, we were able to verify that interest in the tool spreads beyond Portuguese-speaking countries, indicating that internationalizing the tool may be a possible direction for future development. Other future improvements can be made as the weaknesses identified in the tool are addressed and fixed.

In the research done for the present work, it became clear that the average computer or smartphone user, the average netizen, is vulnerable to the technology he does not understand. Because users in this group are very numerous, and the most vulnerable to scams and online attacks, we believe that the most important achievement of this work was the creation of a tool that takes the burden of correct configuration and deep technical knowledge off the user. Although there is ample room for improvement, C3Priv is a unique tool, and it is ready to fulfil its purpose, contributing towards a user experience that is safe by default.


Annex A - Portable Applications

7-Zip This application is a popular file compressor. It creates archives in the 7z, ZIP, GZIP, BZIP2 and TAR formats, among others, and can also unpack RAR archives. [1]

ClamWin This application is a free anti-virus for Microsoft Windows. It offers high detection rates for viruses and spyware and is updated frequently. The portable version does not allow automatic updates, and file scans must be started manually by the user. [10]

Evince Evince is a PDF, DjVu, TIFF and DVI reader. More information at [15].

GIMP The GNU Image Manipulation Program is a complete image editor. It contains all the basic functionality of an image editor and gives advanced users tools for professional photo editing or illustration. [21]

KeePass This application is a password manager that lets the user store all his passwords securely. The passwords are kept in an encrypted database. The user only needs to remember one password, which works as a master key unlocking the full database. [22]

KiTTY This is a telnet and SSH client for Windows (a fork of PuTTY) that allows connecting to remote systems. Only SSH provides an encrypted connection; telnet sends everything, including credentials, in the clear. [23]

LibreOffice This is an office suite that is compatible with Microsoft Office file formats and others (Lotus, WordPerfect and similar applications). [24]

MicroSIP This application allows the user to make high-quality VoIP calls using the SIP protocol. [25]

Mozilla Firefox This is one of the best-known web browsers, with several security features that protect the privacy of its users. The portable version keeps its profile (history, cookies, cache and settings) on the portable drive rather than on the computer being used. [16]

Mozilla Thunderbird Mozilla Thunderbird is an e-mail client that is secure and easy to use. It supports IMAP, POP and RSS. The portable version keeps its profile on the portable drive, allowing e-mails and contacts to be carried and accessed securely without leaving them on the host computer. [34]

OpenVPN This application creates connections through encrypted tunnels, allowing secure access to remote resources. [27]

Pidgin Portable This is an instant messaging application. It supports the protocols used by AOL, ICQ, MSN and Yahoo, among others. All settings and contacts are kept on the portable drive, and no information is retained on the machine used. The Off-the-Record (OTR) plugin can be added to provide end-to-end message encryption. [30]

Songbird This is an audio player with MP3, FLAC, Vorbis and WMA support. [33]

VLC This is a multimedia player that supports many video and audio formats. [38]

WinSCP This application is an SFTP and FTP client for Windows that provides a secure way to copy files between a remote location and the local machine when SFTP is used; plain FTP is not encrypted. [40]

WinWGET This application is a download manager based on wget. [41]

Tor Bundle This package includes a modified Firefox version for use with the Tor network, allowing anonymous access to the Internet. [36]


Annex B - Firefox Add-Ons

Adblock Plus Adblock Plus uses filter lists to remove online advertising and block sites known to host malware. [6]

BetterPrivacy Protects the user against "super cookies" (Flash Local Shared Objects). This kind of cookie allows profiling of user behaviour on the web, and the information is easily accessible to marketing companies. This add-on was created to alert users to these hidden objects, which never expire, and to allow easier viewing and management of them, since the browser's own controls do not reliably cover them. [7]

Bloody Vikings! This add-on simplifies the use of temporary e-mail addresses. It lets the user remain anonymous while protecting his real address from spam. More information at [8].

Do Not Track Me Every time we browse the web, companies, marketing agents and social networks collect information about users. Everything one reads, clicks and buys is recorded and stored. The DoNotTrackMe plugin stops this unwanted profiling. [12]

DuckDuckGo Plus DuckDuckGo can be set as the default search engine for the address and search bars. [13]

Flagfox Among other functions, Flagfox shows in the address bar the flag of the country where the server serving the webpage is located. [17]

FlashBlock Flashblock blocks all Flash content on a webpage and adds a button that gives the user the option to download and run that content. It blocks content from Macromedia Flash, Macromedia Shockwave and Macromedia Authorware. [18]

Force TLS This add-on upgrades insecure HTTP connections to HTTPS for servers that announce support for it. [19]

Ghostery This add-on detects trackers, beacons and other tools used by advertising and marketing companies to follow users' behaviour online, and allows the user to disable them. [20]

NoScript Security Suite This suite ensures that JavaScript, Java and other scripts and plugins execute only if they come from domains the user has marked as trusted. This protects against some common web attacks, such as cross-site scripting. [26]

Perspectives This add-on compares the certificate presented by a secure site with observations of that site's certificate collected from different vantage points on the Internet (notary servers), alerting the user if any discrepancy is detected. [29]

Self Destructing Cookies This add-on deletes a site's cookies and local data as soon as the browser tab that created them is closed. [32]

Toggle Javascript This add-on adds a toolbar button that lets the user switch JavaScript on and off quickly. [35]

Web Of Trust This add-on shows a site's reputation by displaying a traffic-light icon next to each search engine result. The icon is also shown on links in sites such as Facebook, Twitter, Gmail and Wikipedia, among others. A green light means that users have rated the site as trustworthy; a yellow or red one warns of potential danger. [39]


Acronyms

3G Third Generation
4G Fourth Generation
GSM Global System for Mobile Communications
SMS Short Message Service
AP Access Point
SD Secure Digital
ISP Internet Service Provider
RFC Request For Comments
PRF Pseudorandom Function
ASCII American Standard Code for Information Interchange
CPU Central Processing Unit
SSH Secure Shell
PC Personal Computer
USB Universal Serial Bus
HTTP Hypertext Transfer Protocol
IP Internet Protocol
OS Operating System
AES Advanced Encryption Standard
CCMP Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
ECB Electronic Codebook
HMAC Hash-based Message Authentication Code
IV Initialization Vector
PBKDF2 Password-Based Key Derivation Function 2
PIN Personal Identification Number
PKCS Public-Key Cryptography Standards
PSK Pre-Shared Key
SHA Secure Hash Algorithm
SHA1 Secure Hash Algorithm 1
SHA3 Secure Hash Algorithm 3
SSID Service Set Identifier
TKIP Temporal Key Integrity Protocol
WPA Wi-Fi Protected Access
WPA1 Wi-Fi Protected Access 1
WPA2 Wi-Fi Protected Access 2
WEP Wired Equivalent Privacy
RADIUS Remote Authentication Dial In User Service
PMK Pairwise Master Key
USA United States of America
US United States
UP Universidade do Porto
CNPD Comissão Nacional de Protecção de Dados
C3P Centro de Competências em Cibersegurança e Privacidade
NIST National Institute of Standards and Technology
NSA National Security Agency

Page 45: Privacy in Hosle Environments - Repositório Aberto · First and foremost, I would like to thank my thesis advisor, Luís Antunes, for his guidance, support and understanding. His

Bibliography

[1] 7-Zip. Online. URL http://www.7-zip.org/. Last accessed: January 20, 2015.

[2] Java Platform, Standard Edition 7 API Specification, class Cipher. Online. URL http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html. Last accessed: January 20, 2015.

[3] Katz v. United States, 389 U.S. 347 (1967). Online. URL https://supreme.justia.com/cases/federal/us/389/347/case.html. Last accessed: January 20, 2015.

[4] Olmstead v. United States, 277 U.S. 438 (1928). Online. URL https://supreme.justia.com/cases/federal/us/277/438/case.html. Last accessed: January 20, 2015.

[5] Open Rights Group. Online. URL https://www.openrightsgroup.org/. Last accessed: January 20, 2015.

[6] Adblock Plus. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/adblock-plus/. Last accessed: January 20, 2015.

[7] BetterPrivacy. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/betterprivacy/. Last accessed: January 20, 2015.

[8] Bloody Vikings! Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/bloody-vikings/. Last accessed: January 20, 2015.

[9] C3Priv. Online. URL http://www.c3p.up.pt/c3priv/. Last accessed: January 20, 2015.

[10] ClamWin. Online. URL http://www.clamav.net/. Last accessed: January 20, 2015.

[11] Comissão Nacional de Protecção de Dados. Online. URL http://www.cnpd.pt/. Last accessed: January 20, 2015.

[12] Do Not Track Plus. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/donottrackplus/. Last accessed: January 20, 2015.

[13] DuckDuckGo for Firefox. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/duckduckgo-for-firefox. Last accessed: January 20, 2015.

[14] Electronic Frontier Foundation. Online. URL https://www.eff.org/. Last accessed: January 20, 2015.

[15] Evince. Online. URL http://projects.gnome.org/evince/. Last accessed: January 20, 2015.

[16] Mozilla Firefox. Online. URL http://www.mozilla.com/firefox/. Last accessed: January 20, 2015.

[17] Flagfox. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/flagfox. Last accessed: January 20, 2015.

[18] Flashblock. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/flashblock/. Last accessed: January 20, 2015.

[19] Force-TLS. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/force-tls. Last accessed: January 20, 2015.

[20] Ghostery. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/ghostery/. Last accessed: January 20, 2015.

[21] GIMP. Online. URL http://www.gimp.org/about/introduction.html. Last accessed: January 20, 2015.

[22] KeePass. Online. URL http://keepass.info/. Last accessed: January 20, 2015.

[23] KiTTY. Online. URL http://kitty.9bis.com/. Last accessed: January 20, 2015.

[24] LibreOffice. Online. URL https://www.libreoffice.org/. Last accessed: January 20, 2015.

[25] MicroSIP. Online. URL http://microsip.org.ua/. Last accessed: January 20, 2015.

[26] NoScript. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/noscript. Last accessed: January 20, 2015.

[27] OpenVPN. Online. URL http://sourceforge.net/projects/openvpn/. Last accessed: January 20, 2015.

[28] Panopticlick. Online. URL https://panopticlick.eff.org/index.php?action=log&js=yes. Last accessed: January 20, 2015.

[29] Perspectives. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/perspectives. Last accessed: January 20, 2015.

[30] Off-the-Record Messaging. Online. URL https://otr.cypherpunks.ca/. Last accessed: January 20, 2015.

[31] NSA slides explain the PRISM data-collection program. Online. URL http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/. Last accessed: January 20, 2015.

[32] Self-Destructing Cookies. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/self-destructing-cookies. Last accessed: January 20, 2015.

[33] Songbird. Online. URL http://getsongbird.com/. Last accessed: January 20, 2015.

[34] Mozilla Thunderbird. Online. URL http://www.mozilla.com/thunderbird/. Last accessed: January 20, 2015.

[35] Toggle JavaScript. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/togglejs. Last accessed: January 20, 2015.

[36] Tor Project. Online. URL https://www.torproject.org/. Last accessed: January 20, 2015.

[37] Crypto Museum. Online. URL http://www.cryptomuseum.com/crypto/vernam.htm. Last accessed: January 20, 2015.

[38] VLC. Online. URL http://www.videolan.org/vlc/. Last accessed: January 20, 2015.

[39] Web of Trust. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/wot-safe-browsing-tool. Last accessed: January 20, 2015.

[40] WinSCP. Online. URL http://winscp.net/. Last accessed: January 20, 2015.

[41] WinWGET. Online. URL http://www.cybershade.us/winwget/. Last accessed: January 20, 2015.

[42] Complaint for declaratory and injunctive relief ("NSA spying complaint"), ACLU v. NSA. Online, January 2006. URL https://www.aclu.org/national-security/nsa-spying-complaint#attach. Last accessed: January 20, 2015.

[43] NIST's policy on hash functions. Online, September 2012. URL http://csrc.nist.gov/groups/ST/hash/policy.html. Last accessed: January 20, 2015.

[44] SHA1 deprecation policy. Online, November 2013. URL http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx. Last accessed: January 20, 2015.

[45] Privacy and Civil Liberties Oversight Board. Report on the surveillance program operated pursuant to Section 702 of the Foreign Intelligence Surveillance Act, July 2014. URL http://www.wired.com/wp-content/uploads/2014/07/PCLOB-Section-702-Report-PRE-RELEASE.pdf.

[46] Google's SHA-1 deprecation plan for Chrome. Online, September 2014. URL http://www.symantec.com/connect/blogs/google-s-sha-1-deprecation-plan-chrome. Last accessed: January 20, 2015.

[47] Phasing out certificates with SHA-1 based signature algorithms. Online, September 2014. URL https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/. Last accessed: January 20, 2015.

[48] Peter Eckersley. How unique is your web browser? Online. URL https://panopticlick.eff.org/browser-uniqueness.pdf. Last accessed: January 20, 2015.

[49] Susan Freiwald. First principles of communications privacy. Stanford Technology Law Review, 2007.

[50] B. Kaliski. PKCS #5: Password-Based Cryptography Specification Version 2.0, RFC 2898. Online, September 2000. URL https://tools.ietf.org/html/rfc2898#page-6. Last accessed: January 20, 2015.

[51] Meltem Sönmez Turan, Elaine Barker, William Burr and Lily Chen. Recommendation for password-based key derivation, part 1: Storage applications. NIST Special Publication 800-132. Online, December 2010. URL http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf. Last accessed: January 20, 2015.

[52] Yael Onn, Michael Geva, Yaniv Druckman, Ariel Zyssman, Rom Timor, Inbal Lev, Arz Maroun, Tamar Maron, Yossi Nachmani, Yaniv Simsolo, Saar Sicklai, Adi Fuches, Maor Fishman, Shai Packer and Lotem Pery. Privacy in the Digital Environment. Haifa Center of Law & Technology, 2005. ISBN 965-90924-1-5.

[53] Mike Perry. [tor-talk] Tor Browser disabling JavaScript anonymity set reduction. Online, May 2012. URL https://lists.torproject.org/pipermail/tor-talk/2012-May/024227.html. Last accessed: January 20, 2015.

[54] R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 1978.

[55] Rodney Beede, Ryan Kroiss and Arpit Sud. Distributed WPA cracking. Online. URL https://code.google.com/p/distributed-wpa-cracking/wiki/WelcomePage. Last accessed: January 20, 2015.

[56] Samuel D. Warren and Louis D. Brandeis. The Right to Privacy. Online, 1890. URL http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html.

[57] Joshua Wright. coWPAtty. Online. URL http://www.willhackforsushi.com/?page_id=50. Last accessed: January 20, 2015.