Cryptography

Linux User & Developer, Issue 160

Leave a comment

Linux User & Developer Issue 160In this month’s Linux User & Developer, following my regular four-page news spread, you’ll find a review of a device that’s a little out of the ordinary: the NeuG, a true random number generator (TRNG) which costs a remarkably small amount.

When you’re using cryptography, you’re chewing up your system’s supply of randomness – or entropy. Linux, in common with other operating systems, works to fill its entropy pool by sampling a variety of things: traffic coming in on the network port, where you’re pointing the mouse and how fast it’s moving, and even how long it takes you to press particular keys. That’s all well and good for a desktop, but for a headless server it can take a while to fill a depleted entropy pool.

Coupled with the fact that it’s very difficult for a computer to produce truly random output, there’s a market for true random number generators. These devices typically cost a small fortune but use a variety of techniques – ranging from physically breaking down pieces of hardware with high voltages and measuring the resulting changes to pointing a webcam at a lava lamp – to generate a constant stream of high-quality entropy.

Enter the NeuG, which was kindly supplied for test by the Free Software Foundation. While it looks like a flash drive that has lost it’s casing, the device is actually a miniature computer in its own right. Using on-board analogue sensors, the NeuG can generate what is claimed to be a stream of true random numbers – numbers which are then pushed through a conditioning hash and spat out of a virtual serial port. Simply link the NeuG to something like the rngd entropy gathering daemon, and kiss goodbye to entropy exhaustion in even headless or virtualised environments.

I have been extremely impressed with the NeuG, especially given its low $50 cost. While there are cheaper alternatives – such as using a $5 Pi Zero and USB TTL serial adapter to create something similar using the BCM2835’s on-board hardware random number generator module – the NeuG’s free nature, whereby the design and source code are all available for review and modification, make it a great choice where certified security isn’t a requirement.

For the full run-down, including benchmarks, you can pick up the latest issue of Linux User & Developer from your nearest newsagent, supermarket, or electronically via Zinio and similar digital distribution platforms.

Linux User & Developer, Issue 149

Leave a comment

Linux User & Developer Issue 149This month’s Linux User & Developer features my usual four pages of news from the world of openness alongside a review of some interesting software I’ve been playing with: Keybase.

Created, oddly enough, by the co-founders of dating site OkCupid, Max Krohn and Chris Coyne, Keybase is technically little more than a wrapper around the open-source Pretty Good Privacy (PGP) implementation GNU Privacy Guard (GPG). Conceptually, however, it turns the entire PGP/GPG concept on its head, and in doing so aims to make it as easy as possible for less technical types to enjoy the benefits of strong cryptography.

A quick backgrounder: PGP/GPG use public-key cryptography, which is a highly-secure method of sharing secrets. Rather than traditional encryption, which requires a secret known to both parties, public-key cryptography splits the secret in two: the public key is available to anyone, but can only be used for encryption; decryption requires the private key, kept secret. It can be best imagined as an extremely secure padlock: I can give you the padlock, but once you’ve snapped it shut only my key will open it again.

The trouble then comes from verifying that the public key you’ve encrypted to genuinely belongs to your intended recipient, and not to a third-party trying to eavesdrop on your conversation. In the PGP/GPG world, this is assured by a ‘web of trust’ in which individuals physically meet and verify the identity of others, whose public keys are then cryptographically signed. Secure, but awkward.

Keybase’s solution: automated verification powered by social networking. ‘Proofs’ are posted to various social networks, currently ranging from Twitter and Reddit to Coinbase and even the DNS records of your personal website. These proofs are cryptographically signed with your private key. When someone wants to encrypt a message to you, they can verify these proofs through the Keybase website – or, for improved security, an open-source command-line application which wraps around GPG – to confirm that the key they are using belongs to the person in control of said accounts.

Coupled with a neat web interface which allows, among other features, non-members to quickly send encrypted messages to any Keybase member, it’s a great project. While it’s currently in beta, it shows considerable promise – and given the government du jour’s focus on eroding privacy, it’s something everyone should at least consider playing with.

To read the full review, plus my ever-enlightening four-page news spread and event calendar, head to your local newsagent or supermarket, or grab a digital copy via Zinio or similar distribution services.

Linux User & Developer, Issue 138

1 Comment

Linux User & Developer Issue 138Aside from my regular four-page news spread, this month’s Linux User & Developer includes two reviews: the Intel Galileo board, the company’s Quark-based answer to the Raspberry Pi; and the Pogoplug Safeplug, a Linux-based privacy-enhancing TOR gateway.

First, the Galileo. I was lucky enough to get my hands on one of the first retail units to hit the UK, and was eager to see what Intel had come up with. Based on its low-power Quark processor, which is a die-shrunk version of the classic Pentium instruction set architecture, the Galileo boasts full x86 compatibility and plenty of on-board connectivity. Where it differs from its rivals – and anything Intel has ever produced before – is that it’s also Arduino certified, and fully compatible with shields developed for that microcontroller’s esoteric pin layout.

It promises much: on-board Ethernet, out-of-the-box support for existing Arduino sketches, the ability to run a Linux environment, and even a mini-PCI Express slot on the rear for adding in wireless connectivity or other additional hardware. Can it live up to expectations? Well, you’ll have to read the review to find out.

The Pogoplug Safeplug, despite what the contents page splash might suggest, is not a storage device; rather, it’s a modified version of the company’s existing embedded storage gateway product to find a new market in the post-Snowden world. Connected to your internal network, the Safeplug acts as a gateway to the TOR network; all traffic is encrypted and anonymised with little client configuration required. As an added bonus, there’s even an advertising removal feature.

My verdict on both devices, plus stories covering Ubuntu 14.04, the Intel Next Unit of Computing, the Penn Manor School’s move to Linux, a £15 Firefox OS smartphone, Cisco’s IoT security challenge, the Nokia X and more can be yours in newsagents now. Alternatively, you can get the magazine digitally via Zinio.