diff --git a/_config.yml b/_config.yml
index 2c9bdec..8a54a0f 100644
--- a/_config.yml
+++ b/_config.yml
@@ -3,3 +3,5 @@ plugins:
- jekyll-minifier
highlihger: rouge
+
+permalink: /:categories/:year/:month/:day/:title/
diff --git a/_posts/2020-11-15-nas2.md b/_posts/2020-11-15-nas2.md
index 02183d6..6a046fd 100644
--- a/_posts/2020-11-15-nas2.md
+++ b/_posts/2020-11-15-nas2.md
@@ -4,7 +4,7 @@ description: "How to get ZFS working on a Linux machine and how to try it yourse
layout: post
---
-Back in [part one of my NAS project]() I discussed how I wanted to set up my hardware.
+Back in [part one of my NAS project]({% post_url 2020-04-12-nas1 %}) I discussed how I wanted to set up my hardware.
Today, I set up the NAS (almost).
There were some hiccup along the way, like learning that M.2 slots can disable some of your SATA ports or waiting a month for a host bus adapter to come in from China.
diff --git a/_posts/2020-12-14-orca-raspberry-pi-manjaro.md b/_posts/2020-12-14-orca-raspberry-pi-manjaro.md
index 18584e2..04d948d 100644
--- a/_posts/2020-12-14-orca-raspberry-pi-manjaro.md
+++ b/_posts/2020-12-14-orca-raspberry-pi-manjaro.md
@@ -73,7 +73,7 @@ Basically, you download a file which will tell your computer how to download, bu
To get the AUR working in a more automatic way, we need to install the `pacaur` helper.
This merited its own article, so check that out here:
-[How to Install Pacaur on Manjaro ARM](/2020/12/01/pacaur-rpi.html)
+[How to Install Pacaur on Manjaro ARM]({% post_url 2020-12-01-pacaur-rpi %})
The TL;DR is that we need to open the `/etc/makepkg.conf` file and replace any mention of `-march=armv8-a` with `-march=armv8-a+crypto`.
diff --git a/_site/2020-04-27-quiz-your-friends-xss.html b/_site/2020-04-27-quiz-your-friends-xss/index.html
similarity index 98%
rename from _site/2020-04-27-quiz-your-friends-xss.html
rename to _site/2020-04-27-quiz-your-friends-xss/index.html
index 9850186..31c342d 100644
--- a/_site/2020-04-27-quiz-your-friends-xss.html
+++ b/_site/2020-04-27-quiz-your-friends-xss/index.html
@@ -1 +1 @@
-
The "Quiz Your Friends" XSS Exploit | tait.tech
The "Quiz Your Friends" XSS Exploit
TODO write intro
How I Found This Exploit
While filling in one of my friend’s surveys I thought it would be funny for them to know it is me without anyone else knowing. We were young and had Inspect Elemented a few things together, so it was a safe bet that an HTML joke would let them know.
I decided to write my name like so: <b>Steve</b>. Steve is in reference to the main character in the video game Minecraft.
Now in theory this should have shown in in the leaderboard as: “<b>Steve</b>” However, to my horror and excitement, I saw this in the leaderboard:
The text “Steve” showed up in bold on the leaderboard. This told me all I needed to know. How did this happen? You might wonder.
Server-Side Validation
Here is a great demonstration why you should do most of your validation on the server side. As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.
Quiz your friends uses the maxlength=20 HTML attribute on the name input field. Imagine trying to fit in a script tag doing anything useful with 20 characters! Don’t forget that includes the <script> tag. That would leave 13 characters for Javascript. Although I’m sure a genius would be able to code golf that, I know I couldn’t.
Now obviously I can edit any HTML that a server has sent to me. If I open up my inspect element window, I can go ahead and change that maxlength attribute to anything I want. Let’s change it to 100!
In theory, there is a way that a site can stop people from just putting in their name of any length: server-side validation. The server could check to see if the input is too long and reject it if it is. The Quiz My Friends server has no such checks in place. Therefore, I can send an almost arbitrary load to them. Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own. Imagine being able to send entire executable programs as your “name” in one of these quizzes?
Hacking:
So I went on my merry way thinking about ways to use malicious javascript. Then, I thought that might be mean, so I decided to warn users instead. I filled in the name with a script tag and a call to alert() to warn the user about this site.
JAVASCRIPT_NAME.JPG
I ran out of room before I could finish it. Hmmm. What if I do “Inspect Element” and manually override the max-length attribute?
The unfortunate truth is: this worked as well!
Not only could I manually set the max-length by changing it in the HTML, but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.
If Javascript checked it, it would have stopped me (although maybe not a professional). If the server checked it, it could have stopped almost anyone.
Executing An Exploit
Suppose we’re on a vulnerable site like Quiz Your Friends and you decide you want to hack your friend’s quiz! How can this be done?
Creating A Quiz
Here is my quiz below:
CREATING_QUIZ.IMG
Setting A Name With an HTML Tag
Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.
BOLD_ITALIC_STEVE.JPG
\ No newline at end of file
+ The "Quiz Your Friends" XSS Exploit | tait.tech
The "Quiz Your Friends" XSS Exploit
TODO write intro
How I Found This Exploit
While filling in one of my friend’s surveys I thought it would be funny for them to know it is me without anyone else knowing. We were young and had Inspect Elemented a few things together, so it was a safe bet that an HTML joke would let them know.
I decided to write my name like so: <b>Steve</b>. Steve is in reference to the main character in the video game Minecraft.
Now in theory this should have shown in in the leaderboard as: “<b>Steve</b>” However, to my horror and excitement, I saw this in the leaderboard:
The text “Steve” showed up in bold on the leaderboard. This told me all I needed to know. How did this happen? You might wonder.
Server-Side Validation
Here is a great demonstration why you should do most of your validation on the server side. As a user, I can edit any of the HTML, CSS, or Javascript your server serves to me.
Quiz your friends uses the maxlength=20 HTML attribute on the name input field. Imagine trying to fit in a script tag doing anything useful with 20 characters! Don’t forget that includes the <script> tag. That would leave 13 characters for Javascript. Although I’m sure a genius would be able to code golf that, I know I couldn’t.
Now obviously I can edit any HTML that a server has sent to me. If I open up my inspect element window, I can go ahead and change that maxlength attribute to anything I want. Let’s change it to 100!
In theory, there is a way that a site can stop people from just putting in their name of any length: server-side validation. The server could check to see if the input is too long and reject it if it is. The Quiz My Friends server has no such checks in place. Therefore, I can send an almost arbitrary load to them. Being able to send something potentially very large (more than a few megabytes) is a vulnerability of its own. Imagine being able to send entire executable programs as your “name” in one of these quizzes?
Hacking:
So I went on my merry way thinking about ways to use malicious javascript. Then, I thought that might be mean, so I decided to warn users instead. I filled in the name with a script tag and a call to alert() to warn the user about this site.
JAVASCRIPT_NAME.JPG
I ran out of room before I could finish it. Hmmm. What if I do “Inspect Element” and manually override the max-length attribute?
The unfortunate truth is: this worked as well!
Not only could I manually set the max-length by changing it in the HTML, but there were no client-side OR server-side checks to make sure the name I was sending was less than or equal to 20 characters.
If Javascript checked it, it would have stopped me (although maybe not a professional). If the server checked it, it could have stopped almost anyone.
Executing An Exploit
Suppose we’re on a vulnerable site like Quiz Your Friends and you decide you want to hack your friend’s quiz! How can this be done?
Creating A Quiz
Here is my quiz below:
CREATING_QUIZ.IMG
Setting A Name With an HTML Tag
Just like the image above, about how I found out about this vulnerability: go ahead and use an HTML tag in your name to test this out.
BOLD_ITALIC_STEVE.JPG
\ No newline at end of file
diff --git a/_site/2020/01/22/padding-and-margin.html b/_site/2020/01/22/padding-and-margin/index.html
similarity index 97%
rename from _site/2020/01/22/padding-and-margin.html
rename to _site/2020/01/22/padding-and-margin/index.html
index 52f3061..b6ee95c 100644
--- a/_site/2020/01/22/padding-and-margin.html
+++ b/_site/2020/01/22/padding-and-margin/index.html
@@ -1 +1 @@
- Padding And Margin | tait.tech
Padding And Margin
Many people have expressed confusion over how padding and margins work in HTML/CSS. I have been one of those people. In this short article I will explain what the differences are between the two, and how it may affect the functionality of your site.
Here is an image from the World Wide Web Consortium (W3C) who sets the standards for the web.
Now although this image shows all the different types of spacing as equal, the majority of the time these will mostly be padding (inner) and margin (outer). Padding is the inner space between the element and its border; margin is the outer space between two different elements.
Within the margin the user is unable to press any links or execute any javascript code. It is empty space. If each <link> on your navigation bar has 10 pixels of margin, then there would be 20 pixels in between each <link> that would not be clickable by the user.
If you have <link>s on your navigation bar with padding set to 20 pixels, however, then there will be 20 pixels on each side of the <link> text where the user is able to click.
If that part is confusing, try thinking about it in terms of whether background-color would apply.
Attribute
Padding
Margin
Spacing
within element
between elements
background-color applies
Yes
No
In summary:
Padding: the space within a tag which is still part of the same tag. background-color applies.
Margin: the space in between two seperate tags. background-color does not apply; it is empty space.
Border: the space in between the two; it surrounds the padding, but is not the margin. It looks nice somtimes, but it has no non-visual function. background-color does not apply.
I hope this covers the basics of margin and padding! Happy coding!
\ No newline at end of file
+ Padding And Margin | tait.tech
Padding And Margin
Many people have expressed confusion over how padding and margins work in HTML/CSS. I have been one of those people. In this short article I will explain what the differences are between the two, and how it may affect the functionality of your site.
Here is an image from the World Wide Web Consortium (W3C) who sets the standards for the web.
Now although this image shows all the different types of spacing as equal, the majority of the time these will mostly be padding (inner) and margin (outer). Padding is the inner space between the element and its border; margin is the outer space between two different elements.
Within the margin the user is unable to press any links or execute any javascript code. It is empty space. If each <link> on your navigation bar has 10 pixels of margin, then there would be 20 pixels in between each <link> that would not be clickable by the user.
If you have <link>s on your navigation bar with padding set to 20 pixels, however, then there will be 20 pixels on each side of the <link> text where the user is able to click.
If that part is confusing, try thinking about it in terms of whether background-color would apply.
Attribute
Padding
Margin
Spacing
within element
between elements
background-color applies
Yes
No
In summary:
Padding: the space within a tag which is still part of the same tag. background-color applies.
Margin: the space in between two seperate tags. background-color does not apply; it is empty space.
Border: the space in between the two; it surrounds the padding, but is not the margin. It looks nice somtimes, but it has no non-visual function. background-color does not apply.
I hope this covers the basics of margin and padding! Happy coding!
\ No newline at end of file
diff --git a/_site/2020/01/26/rsa1.html b/_site/2020/01/26/rsa1/index.html
similarity index 98%
rename from _site/2020/01/26/rsa1.html
rename to _site/2020/01/26/rsa1/index.html
index 2cf2c33..a760d4e 100644
--- a/_site/2020/01/26/rsa1.html
+++ b/_site/2020/01/26/rsa1/index.html
@@ -1 +1 @@
- Is Encryption Worth It? | tait.tech
Is Encryption Worth It?
What is the most embarassing thing you have typed into Google search? What is the most personal secret you told a friend in confidence? What is your bank password? What is your business’s secret to stay ahead of the competition?
Now at first these questions may seem not completely related. There is a point though: You likely sent all of this information over the internet.
When you send that messege to your friend or business partner, why is it that any person can’t just listen to the signals coming from your phone or laptop and know what you sent to your friend or colleague? The answer: encryption.
First, some background about internet privacy. You can’t have a conversation about internet encryption and privacy without discussing the man himself:
Snowden
Edward Joseph Snowden is an ex-NSA, ex-CIA employee who felt the United State’s 4th Ammendment was being violated by their programs of msas survailence. Snowden was raised a staunch establishmentarian conservative; his girlfriend Lisndey however, slowly started changing his mind. Snowden became very influenced by the ideology of populism. His populist thinking is shown very clearly when he explains his reasoning for his disclosure of humongous troves of NSA documents.
“My sole motive is to inform the public as to that which is done in their name and that which is done against them.” —Edward Snowden
Snowden’s first set of leaks went public in The Gaurdian, The New York Times, and ProPublica in late 2013; people started to realize that their governments and internet service providers (ISPs) are listening. People understood there might be more sinister motives than “national security” at play.
Personally, I have seen a lot of non-tech-savy individuals using security-conscious software when I am helping them fix a problem. In fact, there was one time I saw a collage student from rural Alberta who had a VPN running on her phone. This impressed me!
Encryption on The Web
The type of encryption used on the web is called: HyperText Transfer Protocol–Secure (HTTPS). This kind of encryption stops two things from happening: A) it stops the information you are sending and recieving online from being seen by easvesdroppers and criminals, and B) stops those same third-parties from tampering with the data.
Without HTTPS it is possible for sombody to listen in and change the data being sent between you and a server.
Only in recent years has HTTPS become near-universal across the web. It is used even on the simplest sites these days: this one included. After 2013, people became weary of government, criminal, and ISP interference with their web traffic. This can be backed up by statistics: The level of encrypted web traffic around the time of the Snowden leaks was around 30 percent. It was mostly used by banks, email providers, government, and journalists. At the turn of the 2020s however, this has risen to nearly 90 percent among U.S. users of Firefox. Japan lags slightly behind with 80 percent encrypted traffic.
This is just the data we know of. You can disable the telemetry settings in Firefox, and it is very likely that hardcore privacy advocates would disable this data collection, so perhaps the amount of encrypted web traffic is slightly higher.
What about RSA?
RSA is an encryption method named after the initials of the inventors’ sir names: Ron Rivest, Adi Shamir, and Leonard Adleman. It uses the mathematical “factoring problem” to secure communication. The details of this specific type of encryption will be discussed in an article soon to come.
\ No newline at end of file
+ Is Encryption Worth It? | tait.tech
Is Encryption Worth It?
What is the most embarassing thing you have typed into Google search? What is the most personal secret you told a friend in confidence? What is your bank password? What is your business’s secret to stay ahead of the competition?
Now at first these questions may seem not completely related. There is a point though: You likely sent all of this information over the internet.
When you send that messege to your friend or business partner, why is it that any person can’t just listen to the signals coming from your phone or laptop and know what you sent to your friend or colleague? The answer: encryption.
First, some background about internet privacy. You can’t have a conversation about internet encryption and privacy without discussing the man himself:
Snowden
Edward Joseph Snowden is an ex-NSA, ex-CIA employee who felt the United State’s 4th Ammendment was being violated by their programs of msas survailence. Snowden was raised a staunch establishmentarian conservative; his girlfriend Lisndey however, slowly started changing his mind. Snowden became very influenced by the ideology of populism. His populist thinking is shown very clearly when he explains his reasoning for his disclosure of humongous troves of NSA documents.
“My sole motive is to inform the public as to that which is done in their name and that which is done against them.” —Edward Snowden
Snowden’s first set of leaks went public in The Gaurdian, The New York Times, and ProPublica in late 2013; people started to realize that their governments and internet service providers (ISPs) are listening. People understood there might be more sinister motives than “national security” at play.
Personally, I have seen a lot of non-tech-savy individuals using security-conscious software when I am helping them fix a problem. In fact, there was one time I saw a collage student from rural Alberta who had a VPN running on her phone. This impressed me!
Encryption on The Web
The type of encryption used on the web is called: HyperText Transfer Protocol–Secure (HTTPS). This kind of encryption stops two things from happening: A) it stops the information you are sending and recieving online from being seen by easvesdroppers and criminals, and B) stops those same third-parties from tampering with the data.
Without HTTPS it is possible for sombody to listen in and change the data being sent between you and a server.
Only in recent years has HTTPS become near-universal across the web. It is used even on the simplest sites these days: this one included. After 2013, people became weary of government, criminal, and ISP interference with their web traffic. This can be backed up by statistics: The level of encrypted web traffic around the time of the Snowden leaks was around 30 percent. It was mostly used by banks, email providers, government, and journalists. At the turn of the 2020s however, this has risen to nearly 90 percent among U.S. users of Firefox. Japan lags slightly behind with 80 percent encrypted traffic.
This is just the data we know of. You can disable the telemetry settings in Firefox, and it is very likely that hardcore privacy advocates would disable this data collection, so perhaps the amount of encrypted web traffic is slightly higher.
What about RSA?
RSA is an encryption method named after the initials of the inventors’ sir names: Ron Rivest, Adi Shamir, and Leonard Adleman. It uses the mathematical “factoring problem” to secure communication. The details of this specific type of encryption will be discussed in an article soon to come.
\ No newline at end of file
diff --git a/_site/2020/02/19/rsa2.html b/_site/2020/02/19/rsa2/index.html
similarity index 98%
rename from _site/2020/02/19/rsa2.html
rename to _site/2020/02/19/rsa2/index.html
index 7d172a9..8aa77f1 100644
--- a/_site/2020/02/19/rsa2.html
+++ b/_site/2020/02/19/rsa2/index.html
@@ -1 +1 @@
- How Does Encryption Work, in Theory? | tait.tech
How Does Encryption Work, in Theory?
There are many kinds of encryption used in our everyday communication. Online and offline, over the internet and in person. In this article, I will explain the basics of how encryption should work in theory. I explain in this article why encryption is important, and why you should care about it.
We will start by looking at in-person, offline encryption.
Cryptography We Do Everyday
We encrypt things all the time without even thinking about it. If you spend a significant amount of time with the same group of friends, you will tend to develop common codes that may not make sense to others outside the group. For example: for years, my family called sombody falling from a sitting position “doing a Don”. There is a story of course—We knew a guy named Don who fell from his plastic beach chair in a rather hilarious way; “doing a Don” was born.
These types of minor dialects in speech are cryptographic in their own way. The truth is though, that we use cryptography much more than that!
“Is cryptography any different than talking? We say something other than what we mean, and then expect everyone is able to decipher the true meaning behind the words. Only, I never do…” — Adapted from a scene in The Imitation Game (p. 39-40)
How many times have you hinted, flirted, and innuendoed to try to say “I find you very physically attractive”? Have you told your friend that always stinks to wear more deodorant? Have you ever had someone say the words “I’m fine” when you know for certain that they are indeed not okay?
Words Said
Meaning
What can you do?
I don’t want to talk about this anymore.
I don’t want to overstay my welcome.
I want to go home now.
I don’t like them and don’t know why.
They threaten my ego.
Creepy
Unattractive and friendly
All of these scenarios are perfect examples of lies encryption! If we have the key to these codes, we can start to understand what people really mean. Hopefully I have convinced you that you use deceit cryptography on a regular basis in your life, so let us consider what a basic encryption method might be:
Grade-School Encryption
Back when I was in middle school I used to pass notes like these:
This is a message encrypted using the Caesar cipher. This encryption technique was used by Julius Caesar during the reign of the Roman Empire to “encrypt messages of military significance.”[1] This is one of the oldest and simplest methods of encryption known to us today.
You can try this out yourself by moving some letters forward in the alphabet. An ‘A’ turns into a ‘B’, ‘B’ into ‘C’, ‘C’ into ‘D’, et cetera. In this case, “Hello!” would become “Ifmmp!” That is just using a shift of one. You can use a shift of seven, for example, and then you would shift letters like so:
A -> +7 -> H
Q -> +7 -> X
T -> +7 -> A
When you reach the end of the alphabet, wrap around to the beginning to find the encrypted letter.
Example of a Caesar Cipher
Let’s setup a little story to illustrate the problems of encryption. We will have three characters:
Alice, young lady with feelings for Bob
Bob, a young lad with an addiction to pancakes
Eve, a wee jealous girl scout who sits between Bob and Alice
Alice really likes Bob and wants to tell Bob her feelings, so she writes “I love you, Bob! Please eat healthier!” on a sticky note. She passes it to Eve, so Eve can pass it to Alice’s love interest. However, in an unfortunate turn of events Eve reads the note herself, and decides not to give it to Bob.
Oh the horror! Alice is without young love! How could she remedy this so that Bob can read her message, but evil Eve can not? Let’s use the Caesar cipher to fix this problem.
Let us assume that Alice and Bob already have a shared key, 7 for example. To encrypt this message, she should shift her letters seven letters forward in the alphabet—just like the example above.
Now, when Alice sends her Romeo a little note, all he has to do is decrypt the text by shifting the letters down by 7. Here is a site which can do longer pieces of text for you instead of doing it manually.
Problems
Before the two love-birds start smooching on the branch of a big pine tree in the schoolyard, perhaps we should consider some problems with the Ceasar cipher.
It is Very Easy to Break
Even Eve with her measly grade 4 math skills could easily start going through this message with pen and paper and figure out any combination in a couple hours at maximum. Imagine how easy this is for a computer? This could be broken in a few microseconds even on an older processor like the Intel Core 2 Duo.
No Secure Way of Sharing Keys
We assumed in our previous example that Bob and Alice already have a shared key (seven) to encrypt and decrypt all of their messages. If Bob and Alice did not have a previous friendship and time to share secrets of this sort, there is no way to share their key with eachother without Eve also knowing. This would defeat the entire purpose of obscuring the message in the first place.
Universal Vulnerability of Messages
Every message sent between the two parties uses the same code to encrypt and decrypt. If someone finds out the code once, all previous communications are comprimised.
Better Encryption Methods
To combat the issues with easily breakable, shared-key cryptography, we can turn to the beautiful beast that is Asymetric Cryptography. I will discuss this more in another article, but for the technically inclined:
RSA/EC provides very large cryptographic keys. It would be impossible for a human to encrypt or decrypt a message manually.
Asymetric cryptography provides four keys, instead of just one; stopping evesdroppers from listening in on your secret conversations—even if you do not have the chance to exchange keys in advance.
\ No newline at end of file
+ How Does Encryption Work, in Theory? | tait.tech
How Does Encryption Work, in Theory?
There are many kinds of encryption used in our everyday communication. Online and offline, over the internet and in person. In this article, I will explain the basics of how encryption should work in theory. I explain in this article why encryption is important, and why you should care about it.
We will start by looking at in-person, offline encryption.
Cryptography We Do Everyday
We encrypt things all the time without even thinking about it. If you spend a significant amount of time with the same group of friends, you will tend to develop common codes that may not make sense to others outside the group. For example: for years, my family called sombody falling from a sitting position “doing a Don”. There is a story of course—We knew a guy named Don who fell from his plastic beach chair in a rather hilarious way; “doing a Don” was born.
These types of minor dialects in speech are cryptographic in their own way. The truth is though, that we use cryptography much more than that!
“Is cryptography any different than talking? We say something other than what we mean, and then expect everyone is able to decipher the true meaning behind the words. Only, I never do…” — Adapted from a scene in The Imitation Game (p. 39-40)
How many times have you hinted, flirted, and innuendoed to try to say “I find you very physically attractive”? Have you told your friend that always stinks to wear more deodorant? Have you ever had someone say the words “I’m fine” when you know for certain that they are indeed not okay?
Words Said
Meaning
What can you do?
I don’t want to talk about this anymore.
I don’t want to overstay my welcome.
I want to go home now.
I don’t like them and don’t know why.
They threaten my ego.
Creepy
Unattractive and friendly
All of these scenarios are perfect examples of lies encryption! If we have the key to these codes, we can start to understand what people really mean. Hopefully I have convinced you that you use deceit cryptography on a regular basis in your life, so let us consider what a basic encryption method might be:
Grade-School Encryption
Back when I was in middle school I used to pass notes like these:
This is a message encrypted using the Caesar cipher. This encryption technique was used by Julius Caesar during the reign of the Roman Empire to “encrypt messages of military significance.”[1] This is one of the oldest and simplest methods of encryption known to us today.
You can try this out yourself by moving some letters forward in the alphabet. An ‘A’ turns into a ‘B’, ‘B’ into ‘C’, ‘C’ into ‘D’, et cetera. In this case, “Hello!” would become “Ifmmp!” That is just using a shift of one. You can use a shift of seven, for example, and then you would shift letters like so:
A -> +7 -> H
Q -> +7 -> X
T -> +7 -> A
When you reach the end of the alphabet, wrap around to the beginning to find the encrypted letter.
Example of a Caesar Cipher
Let’s setup a little story to illustrate the problems of encryption. We will have three characters:
Alice, young lady with feelings for Bob
Bob, a young lad with an addiction to pancakes
Eve, a wee jealous girl scout who sits between Bob and Alice
Alice really likes Bob and wants to tell Bob her feelings, so she writes “I love you, Bob! Please eat healthier!” on a sticky note. She passes it to Eve, so Eve can pass it to Alice’s love interest. However, in an unfortunate turn of events Eve reads the note herself, and decides not to give it to Bob.
Oh the horror! Alice is without young love! How could she remedy this so that Bob can read her message, but evil Eve can not? Let’s use the Caesar cipher to fix this problem.
Let us assume that Alice and Bob already have a shared key, 7 for example. To encrypt this message, she should shift her letters seven letters forward in the alphabet—just like the example above.
Now, when Alice sends her Romeo a little note, all he has to do is decrypt the text by shifting the letters down by 7. Here is a site which can do longer pieces of text for you instead of doing it manually.
Problems
Before the two love-birds start smooching on the branch of a big pine tree in the schoolyard, perhaps we should consider some problems with the Ceasar cipher.
It is Very Easy to Break
Even Eve with her measly grade 4 math skills could easily start going through this message with pen and paper and figure out any combination in a couple hours at maximum. Imagine how easy this is for a computer? This could be broken in a few microseconds even on an older processor like the Intel Core 2 Duo.
No Secure Way of Sharing Keys
We assumed in our previous example that Bob and Alice already have a shared key (seven) to encrypt and decrypt all of their messages. If Bob and Alice did not have a previous friendship and time to share secrets of this sort, there is no way to share their key with eachother without Eve also knowing. This would defeat the entire purpose of obscuring the message in the first place.
Universal Vulnerability of Messages
Every message sent between the two parties uses the same code to encrypt and decrypt. If someone finds out the code once, all previous communications are comprimised.
Better Encryption Methods
To combat the issues with easily breakable, shared-key cryptography, we can turn to the beautiful beast that is Asymetric Cryptography. I will discuss this more in another article, but for the technically inclined:
RSA/EC provides very large cryptographic keys. It would be impossible for a human to encrypt or decrypt a message manually.
Asymetric cryptography provides four keys, instead of just one; stopping evesdroppers from listening in on your secret conversations—even if you do not have the chance to exchange keys in advance.
\ No newline at end of file
diff --git a/_site/2020/04/02/rsa3.html b/_site/2020/04/02/rsa3/index.html
similarity index 98%
rename from _site/2020/04/02/rsa3.html
rename to _site/2020/04/02/rsa3/index.html
index cf3a47c..e67fd10 100644
--- a/_site/2020/04/02/rsa3.html
+++ b/_site/2020/04/02/rsa3/index.html
@@ -1 +1 @@
- How Asymetric Encryption Works | tait.tech
Previously, we talked about how symetric encryption works. This is by having a shared key that both parties use to simultaniously encrypt, and decrypt the data. (See Ceasar Cipher for example).
Public-key, or Asymetric Encryption
Asymetric encryption is based on the idea of having multiple keys instead of only one shared key. For example: instead of encrypting with one key, and decrypting with that same key (like our ROT ciphers we talked about previously), we can use one key to encrypt the information, and a different key to decrypt the information.
In the picture above, see how Alice uses Bob’s public key to encrypt some data, then sends it to Bob for him to decrypt with his private key? That is the essense of public-key encryption.
The great thing about public-key encryption is that your public key is public! There is no need to be afraid of sending this everywhere! You can attach it at the end of all your emails, the end of your forum posts, a link to it on your low-power webserver (wink). There are even things called keyservers that will save your public key on them for retrival in case somebody wants to verify your public key.
Anything encrypted with your public key can only be decrypted with your private key. Provided you never, NEVER share your private key with anyone ever, we can assume that all messages sent to you encrypted with your public key will never be read by anyone else.
Asymetric encryption, however, often contains four keys instead of two. Why is this?
Verification of Author
One interesting thing about keys pairs is that not only can the private key decrypt anything the public key encrypts, but the public key can decrypt anything the private key encrypts.
Now why would one want to encrypt a message that can be decrypted by anyone?
This is how you can verify that the person who says they wrote the message really did indeed write the message! If their private key was never shared with anyone else, then the message must have come from them!
For maximum security, these methods are often layered. First, signing with the sender’s private key, ensuring only they could have sent it— then encrypted with the recipient’s pulbic key, making sure only the reciever can read it.
Note that both sides must first have eachother’s public keys to do this. This is easy if they communicate often, but when first contacting somebody, people will generally send their encrypted message along with the their own pulbic key attached in a seperate file.
What This Means
Notice neither Alice nor Bob had to share any comprimsing information over the network? This is why public-key encryption is so powerful!
Alice and Bob can both safely send their public keys in the open. They can even send them over the insecure HTTP, or FTP protocols.
Whilst not sending any encryption-breaking messages, Alice and Bob now have a way to communicate securely. If you trust nothing and no one, this is your perfered method of security.
The two biggest “implementations” of public-key cryptography vary only in the mathamatical equations used to generate the numbers, and how the numbers are “trapdoored” to decrypt if you have the correct key.
I will discuss the differences in approach here. If you want to skip to the next article where I show you how to encrypt your own documents using RSA, see this link.
RSA
The mathamatic center of the RSA system was developed over the course of a year or so. Three men were involved. Ron Rivest, Adi Shamir, and Leonard Aldeman. They worked as a kind of “team”: Each idea by Rivest and Shamir were critisized by the mathamatician on their team: Mr. Aldeman.
One night, after consuming “liberal quantities of Manischewitz wine” Rivest had trouble sleeping. After taking long gazes into the abyss of his math textbook, he came up with an idea which would change cryptography forever. By the next morning, an academic mathamatical paper was nearly finished. He named it after himself and the two others that had been helping him along this whole time. Rivest, Shamir, Aldeman.
Key sizes of RSA range from 1024-bit to 4096-bit. 1024-bit keys are considered somewhat insecure. However, it should be noted that every bit doubles the complexity of the key, so 2048 is 2^1024 times more complex than 1024.
Eliptic-Curve (EC)
Eliptic-Curve (EC) is a family of algorithms that use the Eliptic curve mathamatical structure to generate the numbers for the keys. EC can effectivly provide the security of an RSA key one order of magnitude larger than an RSA key.
It’s fast; it’s secure! Perfect right?
Of course not!
One problem is that due to the smaller key size, it can more easily be broken by brute-force. This is why EC is mostly used for temporary communication (like HTTPS), not permenant communication (like having an encrypted email conversation with a journalist).
The other problem is that a certain EC algrorithm called P-256 is suspected to be introduced with malice to National Institute of Standards and Technology (NIST) by the NSA. Supposedly, the NSA is able to crack anything encrypted with this algorithm. I will let the experts argure about that.
Other well-known EC algorithms that are more-or-less trusted as secure do exist though. The premeire one being Curve25519. The reference implementation of this algrorithm is also public-domain, so it is easy for devlopers to work into their own applications without worrying about copywrite.
Conslusion
In this article we went over some basic points:
Public-key encryption enables secure communication over insecure networks.
RSA is considered the standard for extra-seure communication.
EC is a newer, faster, more transient encryption method.
Previously, we talked about how symetric encryption works. This is by having a shared key that both parties use to simultaniously encrypt, and decrypt the data. (See Ceasar Cipher for example).
Public-key, or Asymetric Encryption
Asymetric encryption is based on the idea of having multiple keys instead of only one shared key. For example: instead of encrypting with one key, and decrypting with that same key (like our ROT ciphers we talked about previously), we can use one key to encrypt the information, and a different key to decrypt the information.
In the picture above, see how Alice uses Bob’s public key to encrypt some data, then sends it to Bob for him to decrypt with his private key? That is the essense of public-key encryption.
The great thing about public-key encryption is that your public key is public! There is no need to be afraid of sending this everywhere! You can attach it at the end of all your emails, the end of your forum posts, a link to it on your low-power webserver (wink). There are even things called keyservers that will save your public key on them for retrival in case somebody wants to verify your public key.
Anything encrypted with your public key can only be decrypted with your private key. Provided you never, NEVER share your private key with anyone ever, we can assume that all messages sent to you encrypted with your public key will never be read by anyone else.
Asymetric encryption, however, often contains four keys instead of two. Why is this?
Verification of Author
One interesting thing about keys pairs is that not only can the private key decrypt anything the public key encrypts, but the public key can decrypt anything the private key encrypts.
Now why would one want to encrypt a message that can be decrypted by anyone?
This is how you can verify that the person who says they wrote the message really did indeed write the message! If their private key was never shared with anyone else, then the message must have come from them!
For maximum security, these methods are often layered. First, signing with the sender’s private key, ensuring only they could have sent it— then encrypted with the recipient’s pulbic key, making sure only the reciever can read it.
Note that both sides must first have eachother’s public keys to do this. This is easy if they communicate often, but when first contacting somebody, people will generally send their encrypted message along with the their own pulbic key attached in a seperate file.
What This Means
Notice neither Alice nor Bob had to share any comprimsing information over the network? This is why public-key encryption is so powerful!
Alice and Bob can both safely send their public keys in the open. They can even send them over the insecure HTTP, or FTP protocols.
Whilst not sending any encryption-breaking messages, Alice and Bob now have a way to communicate securely. If you trust nothing and no one, this is your perfered method of security.
The two biggest “implementations” of public-key cryptography vary only in the mathamatical equations used to generate the numbers, and how the numbers are “trapdoored” to decrypt if you have the correct key.
I will discuss the differences in approach here. If you want to skip to the next article where I show you how to encrypt your own documents using RSA, see this link.
RSA
The mathamatic center of the RSA system was developed over the course of a year or so. Three men were involved. Ron Rivest, Adi Shamir, and Leonard Aldeman. They worked as a kind of “team”: Each idea by Rivest and Shamir were critisized by the mathamatician on their team: Mr. Aldeman.
One night, after consuming “liberal quantities of Manischewitz wine” Rivest had trouble sleeping. After taking long gazes into the abyss of his math textbook, he came up with an idea which would change cryptography forever. By the next morning, an academic mathamatical paper was nearly finished. He named it after himself and the two others that had been helping him along this whole time. Rivest, Shamir, Aldeman.
Key sizes of RSA range from 1024-bit to 4096-bit. 1024-bit keys are considered somewhat insecure. However, it should be noted that every bit doubles the complexity of the key, so 2048 is 2^1024 times more complex than 1024.
Eliptic-Curve (EC)
Eliptic-Curve (EC) is a family of algorithms that use the Eliptic curve mathamatical structure to generate the numbers for the keys. EC can effectivly provide the security of an RSA key one order of magnitude larger than an RSA key.
It’s fast; it’s secure! Perfect right?
Of course not!
One problem is that due to the smaller key size, it can more easily be broken by brute-force. This is why EC is mostly used for temporary communication (like HTTPS), not permenant communication (like having an encrypted email conversation with a journalist).
The other problem is that a certain EC algrorithm called P-256 is suspected to be introduced with malice to National Institute of Standards and Technology (NIST) by the NSA. Supposedly, the NSA is able to crack anything encrypted with this algorithm. I will let the experts argure about that.
Other well-known EC algorithms that are more-or-less trusted as secure do exist though. The premeire one being Curve25519. The reference implementation of this algrorithm is also public-domain, so it is easy for devlopers to work into their own applications without worrying about copywrite.
Conslusion
In this article we went over some basic points:
Public-key encryption enables secure communication over insecure networks.
RSA is considered the standard for extra-seure communication.
EC is a newer, faster, more transient encryption method.
\ No newline at end of file
diff --git a/_site/2020/04/06/rsa4.html b/_site/2020/04/06/rsa4/index.html
similarity index 99%
rename from _site/2020/04/06/rsa4.html
rename to _site/2020/04/06/rsa4/index.html
index 37b5d65..992249d 100644
--- a/_site/2020/04/06/rsa4.html
+++ b/_site/2020/04/06/rsa4/index.html
@@ -114,4 +114,4 @@ Rules Of A Good Life:
2. Work hard!
3. Be firm.
5. Have good friends!
-
Step 6: Finale!
Ladies and gentleman, you have done it! You have encrypted our very own document. (And maybe even decrypted it yourself too :)
If you encrypted using my public key, feel free to send it to my email. I am happy to verify if it worked.
For more information on this subject, check out gnugp.org’s guide on using GPG. They are the ones that make these tools available, and the GNU Project has been instrumental in creating the open-source world as it exists today. Give ‘em some love, eh!
Thank you so much for sticking through this whole thing! Let me know if there is anything that doesn’t make sense. I am happy to improve this guide as time goes on if that is necessary.