Encryption, how far will you go?
SQUID 3.5.25 + 4.0.19 RELEASED
Choosing the right path with encryption is a crucial manner in the modern Computers World but I want to take you far behind this era into 2 or 3 hundred years ago.
Back in the 17 centaury there weren’t as many options to encrypt a message, if you wanted to implement a 512 bits based encryption you would first need to invest a lot of money on traveling and security of the first public key exchanging leaving aside the trust you need to have for the key exchange location.
Yes it was a complex and an expensive task that only some had the luxury to have, but today we hear “Let’s encrypt” on a daily basis.
So I took couple minutes to try and understand how would a single mind be affected if it would be required to encrypt a conversation.
It’s not a normal thing to glance at, two persons sitting in a room and talking in an encrypted language. But the only thing they want to say to each other is “This is not a secure place, we need to go elsewhere”.
For this single phrase they had a full 2 hours session!
The first time I have seen such a thing I was stunned but then I started to delve into the depth of “The Encryption Hell”. It’s a place that is reserved for these who would like to talk using encryption on anything.
You must first understand that there is a lot of noise surrounding the plain text so you would need to have some way to handle the noise and also to handle the encryption and only then handle the actual conversation. This is the place of uncertainty! In such a world you cannot have some rest for your mind. The brain is always working and thinking about the possibilities. “Does this word means that I need to leave the room this second?” it’s really a place that is reserved for these who live in a deception on every move they do.
Here comes in handy the arguments about using open-source or closed-source based encryption systems. When you have an open-souce system you can share with others the methods the concepts and the ideas. Then you may have a chance to get into a better place then to stay in a “Stand Alone Complex”. But the closed source has to offer a lot!!
It is possible to have a closed source and still have the benefits of the open-source world just by being connected to the right sponsor. The myth that the closed source world cannot offer alternatives or advantages was proven long ago to be a false positive. There is no need to present an argument because the world works this way, you can have both security and secrecy!
An example for that is one of the projects I helped long ago to handle as a starter proxy servers admin. I was asked to give help with intercepted traffic analysis. Indeed I could write the proxy but there was some hash embedded into each message that resulted in the team trying to crack it clueless to what behind it.
The target was to falsify a 128 bit transmission that is being sent over a tcp socket from the client to the passive server. The hacks were required to hack only 128 bits. The end result was that after about couple days they said that the encryption is impenetrable!
What was the blocker, the lack of CPU? it was a team of more then the most talented hackers.
Was it the money? They got a lot of money only for the trial.
Was it RAM? they had a full fledged servers flat available only for their use.
So what was missing?
Two keys: The main private and the Diffie Helman one.
This technique has been in use in the world for hundreds of years but not many used it. Not many knew how to use it and not many where able to operate such a cipher system. This is one thing that took empires up and down: Encryption.
For us this “function” was off-loaded from the human mind into assisting disposable devices such as a SmartPhone while many do not even know or understand what’s under the hood. We can walk with an encryption device in our pocket without using any of our brain “CPU” and without touching our pocket.
So 128 bits aren’t that much but if you use them right they would be sufficient and you won’t be required to recalculate every second the escape route from you current position to a safe state or place.
One of the most used concepts is blending into big crowd to loose tracers. It’s not the most efficient way to do so but if you begin a session in a very noisy place there is a chance you would be able to exchange keys without anyone knowing. So today we have the option to get some level of secrecy without paying too much like in the old days.
Indeed for a money transfer you would need a big and well shielded truck but with a group of assassins or a well trained ex-army experts you would need couple tiny cars , lot’s of cash\gold\goods and a route. It is possible to secure a transfer without using the “Heavy Gear” but with the “Right Team”!
It’s a known way to run security and my way of things is to help others with it.
I asked myself couple times in the past: Should I start an encrypted session? And then I noticed that it’s not required to invent keys, I already have them. My ancestors left me with many keys and many ways to encrypt even in the harshest conditions.
I have a library which I use as a delta and reference daily to analyse and decrypt the most hardened and complex minds in the world. I can say that I have secrets but I daily lock them and throw the key. After each time I am throwing the key I am chanting a secret spell that was passed in my family for ages and I remeber that we are all in the same boat and in the moment I will try to dig a hole in our unified boat we will all sink together.
So how far will you go deep into hell to throw your keys? will you use your Cerberus to defend this ship? will you throw your given keys to hell ie the most secured place in the entire universe?
Diffie Helman is one of the most proven method for forward secrecy of encryption and I am using it daily long before it was introduced to the public SSL world. I took couple trips to hell because of it but eventually even the most notorious psychiatrists and therapists declared that I am a proof of a truely hardened human.
In my line of work as a Linux SysAdmin you must be Hardened! and you must know what the Linux “Talisman” is made of. You cannot blindly use it as is!!!
Long ago after the Squid-Cache RPM was downloaded more then 10k times I stopped counting. This is since there is a hidden secret inside each and every one of these downloads “I trust you Eliezer Croitoru to provide me a true\good binary of Squid-Cache”.
Squid-Cache is a production ready product but it requires a very Hardened character to use it
Encryption is a challenge, if you are up to it jump into SSL-BUMP and see how and if you manage to make it work.
Throw your fear from a Server Crash!!! the Squid-Cache team is working hard so you would be able to test their ability to make you happy enough to see the magic that they can do. Indeed it’s not the perfect product but it’s worth just trying to see and understadnd what it might lacks.
All The Bests,