Thursday, July 27, 2017

WAYS OF CRIPTOGRAPHY

Cryptography has many different ways of functioning. Before you can understand the
basic process, you must become familiar with some terminology. With this in mind, let’s
look at a few of the main terms used in the field of cryptography:
Plain Text/Clear Text Plain text is the original message. It has not been altered; it is
the usable information. Remember that even though Caesar’s cipher operates on text, it is
but one form of plain text. Plain text can literally be anything.
Cipher Text Cipher text is the opposite of plain text; it is a message or other data that
has been transformed into a different format using a mechanism known as an algorithm.
It is also something that can be reversed using an algorithm and a key.
Algorithms Ciphers, the algorithms for transforming clear text into cipher text, are the
trickiest and most mysterious part of the encryption process. This component sounds
complex, but the algorithm or cipher is nothing more than a formula that includes
discrete steps that describe how the encryption and decryption process is to be performed
in a given instance.
Keys Keys are an important, and frequently complicated, item. A key is a discrete piece of
information, usually random in nature, that determines the result or output of a given
cryptographic operation. A key in the cryptographic sense can be thought of in the same
way a key in the physical world is: as a special item used to open or unlock something—in
this case, a piece of information. In the encryption world, a key is used to produce a
meaningful result and without it a result would not be possible.
The terms listed here are critical to understanding all forms of cryptography.
You’ll be seeing them again not only in this chapter but in later chapters as well. In
addition, a firm understanding of cryptography will go far in giving you a head start
in understanding many security technologies and concepts outside of the CEH exam.
Next, let’s look at the two major types of cryptography: symmetric and asymmetric (aka
public-key cryptography).
Symmetric Cryptography
Symmetric algorithms do some things really well and other things not so well. Modern
symmetric algorithms are great at all of the following:
Preserving confidentiality
Increased speed over many non-symmetric systems
Ensuring simplicity (relatively speaking, of course)
Providing authenticity
Symmetric algorithms have drawbacks in these areas:
Key management issues
Lack of nonrepudiation features
First, let’s focus on the defining characteristic of symmetric encryption algorithms: the
key. All algorithms that fit into the symmetric variety use a single key to both encrypt and
decrypt (hence the name symmetric). This is an easy concept to grasp if you think of a key
used to lock a gym locker as the same key used to unlock it. A symmetric algorithm works
exactly the same way: The key used to encrypt is the same one used to decrypt. Figure 3.2
shows the concept of symmetric encryption.
Figure 3.2 Symmetric encryption
Common Symmetric Algorithms
There are currently a myriad of symmetric algorithms available to you; a Google search
turns up an endless sea of alphabet soup of algorithms. Let’s look at some common
algorithms in the symmetric category:
Data Encryption Standard (DES) Originally adopted by the U.S. Government in 1977,
the DES algorithm is still in use today. DES is a 56-bit key algorithm, but the key is too
short to be used today for any serious security applications.
DES is still encountered in many applications but should never be chosen without very
careful consideration or the lack of other viable options.
Triple DES (3DES) This algorithm is an extension of the DES algorithm and is three
times more powerful than the DES algorithm. The algorithm uses a 168-bit key.
Triple DES, or 3DES, is very commonly used and is a component of many security
solutions including e-commerce and others.
Blowfish Blowfish is an algorithm that was designed to be strong, fast, and simple in its
design. The algorithm uses a 448-bit key and is optimized for use in today’s 32- and 64-bit
processors (which its predecessor DES was not). The algorithm was designed by
encryption expert Bruce Schneier.
International Data Encryption Algorithm (IDEA) Designed in Switzerland and
made available in 1990, this algorithm is seen in applications such as the Pretty Good
Privacy (PGP) system (see the section “Pretty Good Privacy” later in this chapter).
The goal of the Advanced Encryption Standard (AES) competition,
announced in 1997, was to specify “an unclassified, publicly disclosed encryption
algorithm capable of protecting sensitive government information well into the next
century”

FIG- Symmetric encryption


The National Institute of Standards and Technology (NIST) organized the AES competition.
RC2 Originally an algorithm that was a trade secret of RSA Labs, the RC2 algorithm crept
into the public space in 1996. The algorithm allows keys between 1 and 2,048 bits. The
RC2 key length was traditionally limited to 40 bits in software that was exported to allow
for decryption by the U.S. National Security Agency.
RC4 Another algorithm that was originally a trade secret of RSA Labs, RC4, was revealed
to the public via a newsgroup posting in 1994. The algorithm allows keys between 1 and
2,048 bits.
RC4 is notable for its inclusion in the Wired Equivalent Protection (WEP) protocol used
in early wireless networks.
RC5 Similar to RC2 and RC4, RC5 allows users to define a key length.
RC6 RC6 is another AES finalist developed by RSA Labs and supports key lengths of 128–
256 bits.
Rijndael or Advanced Encryption Standard (AES) This successor to DES was
chosen by the National Institute of Standards and Technology (NIST) to be the new U.S.
encryption standard. The algorithm is very compact and fast and can use keys that are
128-, 192-, or 256-bits long.
Rijndael was and is the name of the encryption algorithm submitted for consideration by
the U.S. Government as its new encryption standard. When the algorithm was selected, it
was renamed AES. While some may argue that Rijndael and AES are different, they are
for all intents and purposes the same.
Twofish This AES candidate, also developed by Bruce Schneier, supports key lengths of
128–256 bits.

Monday, June 12, 2017

PGP LAST PART

Key Management
Finally, we should probably talk a little about key management. One of the downsides to PGP is susceptibility to something called a man-in-the-middle attack. This attack works like this: Let’s say you want to securely communicate with someone using PGP. The first thing you would do is download their public key. However, it may be possible for an attacker to intercept your internet communications before they reach the server containing the public key. The attacker could send you one of his own public keys and make you think it’s the public key of your communication partner. Not knowing any better, you would encrypt your messages with the attacker’s public key allowing him view all your communications. Even worse, the attacker could re-encrypt the message with the correct public key and forward it along it the destination. Neither you nor your communication partner would know the message was intercepted.
Man-In-The-Middle Attack
Obviously, a critical part of security in PGP is the ability to trust that the public key belongs to its purported owner. While complete trust is difficult to achieve, there are a few methods you can use to increase your level of trust.
    1. Meet in person. If someone physically hands you their public key, then obviously this eliminates the problem of trust. Of course, this is very inefficient.
    2. Verify the fingerprint. Each PGP certificate has a unique fingerprint which is calculated as the hash of the certificate represented in hexadecimal. It looks like this:
      0150 2502 DD3A 928D CE52 8CB9 B895 6DBF EE7C 105C
      If you can get the key’s owner to verify the fingerprint, possibly by reading it over the phone, then you can be fairly confident in the validity of the certificate. Obviously, finding an appropriate communication channel to verify the fingerprint can be tricky.
    3. Download the key from multiple IP addresses/devices/servers A MITM attack is difficult to pull off as it is. It becomes much harder if the attacker has to watch the communications of multiple IP addresses and servers. To this end you can increase the trust in the public key by downloading it from multiple locations (home, work, the library, Starbucks, over Tor, etc), from multiple devices, and from multiple servers. Gather up all the keys and check to make sure they are all they same. If so, you can be reasonably confident the key is valid. It would be extremely difficult to pull off a MITM attack after all that.
    4. Web of trust. In PGP you have the ability to use your private key to sign the someone else’s public key. This creates the opportunity to introduce a sort of six degrees of separation trust model. Let’s say you’ve downloaded Charlie’s public key but don’t know if you can trust it. Charlie’s key is signed by Bob, who you also don’t trust, and Bob’s key is signed by Alice, who you do trust. Because you trust Alice, this gives you chain of trust that goes all the way to Charlie, allowing you to trust Charlie’s key. The only downside to web of trust is that it can be difficult to get started and make enough connections to link you to all the keys you wish to download.
So that’s it for now. While we could go much more in depth, what we covered should be enough to get you started using PGP. Just remember, given the revelations about U.S. government spying and depths to which it is sinking to destroy your online privacy, there is really no excuse for not familiarizing yourself with PGP and using it on a regular basis. In a future installment of the series we’ll talk about how to set up an email client to automatically encrypt and decrypt your emails. Until then, stay safe and feel free to email me with questions.

Friday, June 2, 2017

PGP part 3

Decrypting Data
To decrypt either a message or a file, you need to do all of the above in reverse. Just this time use the decypt option from the menu. Here you will be prompted to enter your password for your private key that you created along with your key pair. This is what prevents an attacker from stealing your private key and decrypting messages intended for you.
Keep in mind, if you are decrypting data on your normal computer, you could be running the risk that malware could copy and upload the data after you’ve decrypted it. This might be an acceptable risk for everyday communications, but if you’re dealing with extremely sensitive data you should probably transfer the encrypted data to a secure viewing station prior to decryption.
Any air gapped computer (one permanently disconnected from the internet) would work for this purpose. Or you could boot into a Linux live system (such as Tails) from a USB stick to isolate your work environment from preexisting malware.
Signing Data
Just like with encryption you can either sign a message from your clipboard or sign whole files. The process is just as straightforward as before except this time you will select “sign” rather than “encrypt”. Here you will again be prompted for your password.

Verifying Signatures
To verify a signature on a signed message or file you will obviously have to first download and import the corresponding public key. Just like with decryption, you can either verify the signed message from your clipboard or by selecting the file. If you’re verifying a signed file, you’ll likely be prompted to select both the file and the detached signature (.sig) file.

When verifying the signature on software, the developer will typically provide a link to a .sig file for you to download. However, when releasing software on multiple platforms, it’s not uncommon for a developer to provide a single signed message containing the hashes of the files rather than a separate signature for each version.

So what is going on here is that the installation files for Linux, OS X, and Windows (.exe and .zip) were run through the SHA-256 hash function and the outputs were then signed. To verify the integrity of the Bitcoin-QT for Windows (say), you would first verify the signature on this message then hash the bitcoin-0.8.6-win32-setup.exe file with SHA-256. 


Monday, May 15, 2017

PGP part 2

How Secure Is It?



If all of this is new to you, you’re likely wondering how secure is the encryption used in PGP. Can we really trust it to protect us from from the NSA and its $52.9 billion black budget? All I can really say is that the cryptographic algorithms used in PGP are all part of the public domain have been heavily vetted by the community of experts. At this point in time there are no feasible attacks known to the general public or academia. It’s certainly possible that the NSA has access to highly advanced math that isn’t publicly known, but even there the best attacks typically don’t reveal the plaintext, rather they just make the keys slightly easier to brute force. The fact that the NSA has pressured Google, Microsoft, Apple etc. into giving them backdoors into their systems seems to be prima facie evidence that they can’t break commercial cryptographic algorithms.




Generating A New Certificate
In PGP a “certificate” is essentially a public key with extra data attached to help others verify that the key really belongs to you. In practice this is usually your name, email address and one or more digital signatures from others (more on that later).
Depending on your operating system, you’ll generate a new certificate by clicking “New”, “New Certificate”, or “New PGP Key”.
At minimum you will have to enter your name, email address, and a strong password that you will use for decrypting and signing data. In the advanced options menu you can select your encryption algorithm (RSA, DSA/ElGamal), key size (in bits), and an expiration date if you want your certificate to expire. The defaults here should suffice for our purposes. The differences are technical and unlikely to affect your overall security (just don’t reduce to the key size).

Once this process is complete you will have generated a new certificate and private key. You can click on “export” to save your public key to a .asc file for distributing to others, or you can copy the text of the key block and share it with people that way.


Key Servers
You might want to consider uploading your public key to a key server such as the MIT Key Server or PGP Global Directory. These are searchable directories from which other people can download your public key without first asking you for it. This functionality comes in especially handy when using email. Some email clients can be configured to search the key servers for the PGP keys of your contacts or anyone who has sent you an encrypted email and import them automatically.
Just keep in mind that once you upload a key to a server, you typically can’t remove it. It’s probably a good idea to play around with PGP first, get used to it, then once you’ve created your permanent key, upload it. That way you don’t litter the key server with multiple keys bearing your name.
Importing Keys
In order to encrypt files to send to others, you will first need to import their public key into PGP. You can do this by downloading the .asc file containing their public key (either directly from others or from a key server), clicking “Import” or “Import Certificate”, and selecting the file. In Linux you can import a key simply by double clicking the .asc file. In Windows you have the option to copy the public key block and import it directly from the clipboard.
The software will typically let you view, edit and sign the public keys on your keyring. More on signing other people’s keys later.
Encrypting Data
You have two options for encrypting data in PGP ― you can encrypt a plain text message from the clipboard or encrypt whole files. Let’s start with encrypting plain text messages. The first thing you need to do is pull up your plain text editor (Notepad in Windows, GNU Emacs works well for this in Linux). You’ll have to forgive me for not being familiar with OS X, but I assume you can encrypt from the clipboard in that operating system (though I’m not positive).


Some things to keep in mind, once you encrypt something with someone else’s public key, you can’t decrypt it. You can, however, encrypt a message using multiple public keys and the message can be decrypted with any of the corresponding private keys. So you could encrypt a message with someone else’s public key and your public key, then you can both decrypt it at a later date. Also, if you encrypt data using only your public key, it basically works like symmetric key encryption in that only you will be able to decrypt it.
To encrypt an entire file select “Sign/Encrypt File” from the menu and select the file you want to encrypt. Just like before, you’ll need to select a public key(s) from your keyring with which to encrypt the file.


Tuesday, May 9, 2017

PGP part 1

What is PGP?



PGP stands for Pretty Good Privacy. At it’s core, it is an internet standard (called OpenPGP) used for data encryption and digital signatures. Software that employs this standard is available in  free, open source version .



 In conventional encryption, a secret key is used to transform plaintext (the unencrypted data) into unreadable ciphertext. The same key is also used to decrypt the ciphertext and reveal the plaintext. While this process works well for encrypting data stored on your hard drive, it has its drawbacks for use in communication. For one, you need to somehow communicate the secret key to the other party. But how to do this securely? After all, the reason you are using encryption is because you don’t believe your communication channel is secure. You could meet in person and exchange the secret key offline, but that isn’t very convenient. 






Use Cases

 Anyone who has your public key can send you encrypted emails which only you can view. Likewise, you can send encrypted emails to your contacts by first downloading their public keys. In a future post we’ll provide a more thorough tutorial demonstrating how to set up an email client to work with PGP. What you need to keep in mind, however, is only the body of the email will be encrypted. The subject and metadata (to, from, cc, and timestamp) will still be visible to anyone snooping on your emails.

You aren’t limited to just encrypting emails either. Buyers at anonymous marketplaces like Silk Road frequently download their merchant’s public key and use it to encrypt their shipping address so that only the merchant view it. Edward Snowden persuaded journalist Glenn Greenwald to set up PGP prior to leaking the top secret classified documents that revealed the depths of the NSA’s spying operation. You can encrypt whole folders and files with your own public key to protect them from attackers who may gain access to your hard drive. In other words, PGP can be used in just about every conceivable case where strong encryption is needed.


Digital Signatures

A digital signature is created by a mathematical algorithm which combines your private key with data you wish to “sign”. The validity of the signature can by verified by anyone simply by checking it with your public key.




In the above diagram you see that the plaintext is run through a hash function to produce a message digest which is then signed with your private key. What this process ensures is that a signed document cannot be altered without invalidating the signature, allowing people to not only check the document’s authenticity but also the integrity of the data. Just to give an example, suppose you sign a 10,000 word document. If someone were change even a single punctuation in that document, the signature would show as invalid.

Digital signatures are also extremely useful in verifying the integrity of software. A great example here would be Bitcoin wallets. Given the security implications, you want to be able to trust that the wallet you download is legitimate and wont leak information that would allow someone to steal your bitcoins. While all Bitcoin wallets are open source, unless you check and compile the source code yourself, you will most likely download a pre-compiled version that could contain malicious lines of code. Software developers will typically sign the software and provide a link to download the public key used for signing. With Bitcoin-Qt, lead developer Gavin Andresen signs new versions with his PGP key. Simply by checking the signature with his public key you can guarantee you’ve downloaded a legitimate copy.


Friday, April 14, 2017

IP LOGGER

It honestly astounds me that people are still foolish enough to actually click on links in chat, that's one of the first rules of the internet, don't follow links you don't know, even goo.gl links in chat are dangerous.
On one hand I feel bad for anybody who falls victim to these things, on the other hand if you want to be a personality on the internet you need some cyber security smarts, I feel that links like those weed out those who just aren't cut out for this type of a thing. I mean at least do some basic googling on cyber security before you put yourself on the internet...
Here i publish how a iplogger sniff your data---
PLEASE BE SECURE ; WHEN YOU CLICK ON A LINK OR PLAY THE ONLINE PREDICATION ON FACEBOOK-





Tuesday, April 4, 2017

DMITRY WHERE SOME DEEP MAGIC GOING ON

DMITRY - Today we discuses about a information gathering tool .
DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible sub domains, email addresses, uptime information, tcp port scan, whops lookup, and more.
The following is a list of the current features:
An Open Source Project.
Perform an Internet Number whois lookup.
Retrieve possible uptime data, system and server data.
Perform a SubDomain search on a target host.
Perform an E-Mail address search on a target host.
Perform a TCP Portscan on the host target.
A Modular program allowing user specified modules..
The dmitry has following options :









Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
THANKS EVERYBODY ....... KEEP SUPPORTING US ..