Using copy protection dongles to distribute vpn encryption keys by mail?

  • Using copy protection dongles to distribute vpn encryption keys by mail?

    I think I have figured out a "perfect" way to transfer keys for tunnelling an internet connection. The problem with transferring keys is that there always has to be a "first key" which must be sent unencrypted. If it is sent over a tapped line, it gets snorted up into the NSA key pile and any subsequent data sent over that key's encrypted line isn't secure.

    To solve this we must send the first key by mail. This key is used to establish an encrypted link to download the permanent key. But even the mail might be read, and a thumb drive in a letter might be dumped, giving the NSA the first key.

    The solution is to store the data on a copy protection dongle. I understand that they are essentially just a little vault which contains some encrypted data and the only way to decrypt the data or even to dump it in encrypted form (without cracking open the dongle and hooking wires to the chip) is to have a password. This password will not be included in the package with the dongle, but there will be a link to my server which has a file containing the password. What makes it secure is that the password can only be downloaded ONCE. And once the password is downloaded (through tapped lines) and the NSA knows it, the dongle is physically out of their hands and (providing they didn't crack open the plastic and solder wires to the chip to dump it) they will not have the code which the password decrypts. After the password is downloaded, the user's computer must open the vault on the dongle, remove the encryption key, and write gibberish over it before closing the vault. Thus the NSA can now steal the dongle and it has nothing meaningful on it.

    This is contingent upon there not being a "master password" which can open all of the dongles of that make. I think the SecuTech UniKey is a good choice of dongle because it allows for multiple passworded vaults allowing for users to pass the dongle to their friends, and take one key after another from the dongle until they are all used up. This company also allows the developer to set the password, not like some crappy companies who the NSA can call and give the serial number to and they will cough up the password. The only thing I wish these dongles had is a way to overwrite the serial number. It's best if they absolutely can't be looked up in a database.


    What do you think? Do these dongles keep a secret? Is there any reason to suspect back-doors/master passwords? Is SecuTech known to be any good?
    Tell me if my analysis is all wet.
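
The hand-off described in the post above, modeled in software as an added example (not part of the original post and not the SecuTech UniKey API). The class and function names are hypothetical and the vault is a Python stand-in for the dongle's hardware storage; it shows that if the one-time password has already been fetched when the recipient asks for it, the recipient's download fails and the key can be discarded unused. It does not model the case the post itself excludes, a dongle opened and dumped in transit.

```python
import hashlib
import hmac
import secrets


class OneTimePasswordServer:
    """Hypothetical server that releases each vault password exactly once."""

    def __init__(self):
        self._pending = {}

    def register(self, password: bytes) -> str:
        token = secrets.token_urlsafe(16)  # goes in the link mailed with the dongle
        self._pending[token] = password
        return token

    def download(self, token: str):
        # pop() deletes the entry, so every later request returns None
        return self._pending.pop(token, None)


class DongleVault:
    """Software stand-in for one passworded vault on the dongle."""

    def __init__(self, password: bytes, vpn_key: bytes):
        self._salt = secrets.token_bytes(16)
        self._check = self._derive(password)
        self._slot = bytearray(vpn_key)

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)

    def open_and_wipe(self, password: bytes):
        if not hmac.compare_digest(self._derive(password), self._check):
            return None
        key = bytes(self._slot)
        self._slot[:] = secrets.token_bytes(len(self._slot))  # "write gibberish"
        self._check = secrets.token_bytes(32)  # old password no longer opens it
        return key


def receive(server, vault, token):
    """Recipient side: returns (key, status); key is None on any failure."""
    password = server.download(token)
    if password is None:
        return None, "password already downloaded: discard this key"
    key = vault.open_and_wipe(password)
    return (key, "ok") if key is not None else (None, "vault rejected password")
```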

  • #2
    Re: Using copy protection dongles to distribute vpn encryption keys by mail?

    Yeah, but you just posted it on the forum and the NSA is bound to see it and find a way to bypass it.

    Careful, there might be an NSA black helicopter and van outside your place right now.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



    • #3
      Re: Using copy protection dongles to distribute vpn encryption keys by mail?

      My xyl always wants me dongle in her NSA.



      • #4
        Re: Using copy protection dongles to distribute vpn encryption keys by mail?

        Originally posted by caleb
        What do you think? Do these dongles keep a secret? Is there any reason to suspect back-doors/master passwords? Is SecuTech known to be any good?
        Tell me if my analysis is all wet.
        I have more experience with Aladdin than SecuTech, but I think that this will be a path that would lead to more big brother, not less. I can't really warm to, or be comfortable with, a company that is so very new that they haven't yet caught on to the idea that a page in English needs to be proofread by a professional in that language who will spot errors such as "How a software vendor or publisher know how many software has been sold, what is the price for each copy?"

        http://www.esecutech.com/

        I can guarantee you that Aladdin will happily hand over any key that the government requests, and I imagine this company, which is based in that fragile place known as Taiwan, will do no less. Once your hardware key is compromised, there's no going back, either.

        Cryptography is hard, and politics is even harder.



        • #5
          Re: Using copy protection dongles to distribute vpn encryption keys by mail?

          What is it that you are trying to achieve that is not available using PKI? With GnuPG, which to my knowledge has not been broken by NSA or anyone else, you and I exchange public key pairs. Using these key pairs we can exchange encrypted text that no one else can read unless they obtain our respective private key. This means that big brother can sniff all day but unless he has a backdoor into my computer, all he gets is a public key which can not be used to encrypt/decrypt anything unless I used their public key to encrypt.

          While your methodology is sound, as shrdlu pointed out, it is dependent on the integrity of the company and that company's relationship with their government and their government's relationship with the US government. How can one be sure that there is no vendor backdoor, as is the case with many large vendor encryption products?
          DaKahuna
          ___________________
          Will Hack for Bandwidth



          • #6
            Re: Using copy protection dongles to distribute vpn encryption keys by mail?

            My only experience with dongles is of the parallel port variety used for anti-software piracy. Man those things were a pain in the butt.

            If you are concerned about the NSA you need to do the following to exchange your first key:

            Meet in person, in a sound proof Faraday cage and exchange keys.

            xor
            Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



            • #7
              Re: Using copy protection dongles to distribute vpn encryption keys by mail?

              Or you could do it old school and either make up your own cipher, or use one of the traditional ciphers and send it via snail mail. Then you can communicate via electronic mail with your key.

              But honestly PGP seems secure enough to me.

              xor
              Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



              • #8
                Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                Originally posted by xor

                If you are concerned about the NSA you need to do the following to exchange your first key:

                Meet in person, in a sound proof Faraday cage and exchange keys.

                xor
                IMO, if you're concerned about the NSA, then you have bigger issues than what encryption to use.
                A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



                • #9
                  Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                  Originally posted by streaker69
                  IMO, if you're concerned about the NSA, then you have bigger issues than what encryption to use.
                  Especially if you file a tax return, or have a mail box close by.



                  • #10
                    Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                    Originally posted by Greyhatter
                    Especially if you file a tax return, or have a mail box close by.
                    ...or handled a Penny, cause if you did, they have your DNA, that's the only reason they keep them in circulation.
                    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



                    • #11
                      Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                      Originally posted by streaker69
                      ...or handled a Penny, cause if you did, they have your DNA, that's the only reason they keep them in circulation.
                      I'd protest this as a "tinfoil hat" post heading for dev/nul, but then I'm too paranoid to protest. Now what'd I do with those damn wheat pennies?
                      Last edited by Greyhatter; November 24, 2008, 20:14. Reason: cleaning off my DNA



                      • #12
                        Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                        Some interesting points.

                        To clarify, I am not so much "concerned" with the NSA as I am aggravated with the way they have taken their power to listen in on anyone and made a machine to listen in on everyone. My method of protest is to do my best to bypass their filters and obfuscate my communications as much as possible. I was thinking about starting a little tunnelling service for political dissidents, conspiracy theorists, investigative journalists and the generally paranoid.

                        Why not use PKI? (My understanding is) PKI involves both ends sharing public keys, and depends on the cypher to secure data. When keys are shared in secret, there is no possibility for the cypher to be cracked because the man in the middle has no keys at all. It would be nicer to not have to worry about when some mathematician will make a formula to crack your encryption and all your old communications will be readable. I also have a "build it for the hundred year storm" mentality.

                        I looked at Aladdin hasp. It's no good when the company has a chart of serial numbers matched with passwords. On Aladdin's website they said it was more secure because the keys which you write the passwords to, people can also read them out. Hmmmm.
                        Then I got to wondering whether I could reburn the ROM so the serial number read 0000000. Then there would be nothing to look up. What would be the greatest would be some Aladdin dongles which haven't been programmed yet. No serial, no password. I like the idea of taking big brother tools and using them for freedom.

                        "NSA black helicopter and van outside your place right now." -- Thanks for a good laugh. Just to let you know, I listen to The Alex Jones Show. The helicopters and vans have left long ago presumably due to boredom ;)
                        BTW: What do you guys think of The Alex Jones Show? You must have some good info, what's it all about, I still can't figure it out.



                        • #13
                          Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                          PKI is not subject to man in the middle attacks in the way I think you are looking at it. Yes, it uses public keys but even if I have your public key, I don't have your private key, as that SHOULD NEVER be transmitted over the network and the private key is used to encrypt and decrypt. So while I may have both users' public keys, encryption and decryption requires the private key as well. For example, you and I share public keys. I use my private key and your public key to encrypt an email and send it to you. You use my public key and your private key to decrypt it. Public keys are just that, public. They are shared on public servers which anyone can access but without the private keys to do the encryption and decryption they are essentially useless.
                          DaKahuna
                          ___________________
                          Will Hack for Bandwidth



                          • #14
                            Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                            Originally posted by caleb
                            Some interesting points.

                            To clarify, I am not so much "concerned" with the NSA as I am aggravated with the way they have taken their power to listen in on anyone and made a machine to listen in on everyone. My method of protest is to do my best to bypass their filters and obfuscate my communications as much as possible. I was thinking about starting a little tunnelling service for political dissidents, conspiracy theorists, investigative journalists and the generally paranoid.
                            If you're aggravated with the NSA, you should really be fuming over the whole worldwide signals intelligence community. The NSA has the biggest "Friends and Family" plans around, if NSA isn't listening in, there is always the Canadian CSE, United Kingdom's GCHQ, DSD from Australia, and New Zealand's GCSB. Not knowing where you're from, there's entirely a good chance that unless you personally coded your OS, that it might be leaking information about you to one of the above mentioned agencies.

                            Know that NSA is the largest single employer of mathematicians in the U.S. (and very likely the world)

                            Mind you, since they only have so many analysts, it's a mind-boggling exercise to figure out the real signal from all the noise.

                            As far as starting a tunneling service from scratch, your best bet isn't to reinvent the wheel, but build on some existing technology, mess around with Tor, it's the best example of what I like to call "Not ready for prime time" software, but doing a considerably better job than any of the other existing anonymity networks out there.


                            Originally posted by caleb
                            "NSA black helicopter and van outside your place right now." -- Thanks for a good laugh. Just to let you know, I listen to The Alex Jones Show. The helicopters and vans have left long ago presumably due to boredom ;)
                            Just because you can't see them, doesn't mean they aren't there, for all you know there might be a RC-12 loitering around your neighborhood on a joint training operation...
                            Nonnumquam cupido magnas partes Interretis vincendi me corripit



                            • #15
                              Re: Using copy protection dongles to distribute vpn encryption keys by mail?

                              Use two different encryption algorithms with two different keys and bit levels. Then figure out a small .exe that speeds up the process at both ends.

                              Worried about NSA? Worry about your ISP and browser choices and settings first. What are you leaking locally? Your ISP is the first challenge, not the NSA who has your ISP by the balls anyway.

