Bluetooth Dissed

One argument I hear often from laypeople, is that they don’t like Bluetooth, because at the user-level, Bluetooth Pairing is hard.

People who are knowledgeable in Computing understand, that every time we create a Bluetooth Pairing, our devices are establishing a communications channel, which is as secure as the authors of Bluetooth can make it, due to Advanced Encryption. So we see that there is a potential benefit to this.

For example, in the case of a keyboard which is connected to a tablet – which means that a BT session is underway – it can happen at any time, that we type in our password to unlock the tablet, or to unlock any of our accounts on the Internet. That could be made a generic wireless link which is extremely easy to set up. But then, since we’re always weary of an eavesdropper, the link would be of an ideal format, to steal all our passwords from us through direct exploitation.

But because we’re using Bluetooth, in fact it’s an encrypted link. So even if the ones and zeroes that make up a communication were intercepted, the hypothetical eavesdropper would still not be able to exploit them.

And so I can empathize with knowledgeable people, who feel that the added difficulty in establishing a Bluetooth Pairing, is well worth the effort.

Continue reading Bluetooth Dissed

Some Notes on the Merits of Hybrid Encryption

In my most recent postings, I sort of took the perspective, that ‘RSA’ is the only form of public key cryptography. But in reality, this is far from true.

As far as the actual public-key methods go, there is also ‘El-Gamal’ and ‘Diffie-Hellman’ in public use, as well as ‘DSA’. The last of those is only useful for signing, not for encrypting. But what that means in practice, requires that people understand another concept in public-key cryptography, which is called ‘hybrid encryption’, which marries one of the public key exchanges with strong, symmetrical encryption. Symmetrical encryption is any scheme where the same key can be used to decrypt, which was used to encrypt. Symmetrical methods in use include ‘AES’ and ‘Blowfish’, and several others.

A concept which exists purely with RSA, is that a sender of a message can use the public key of the recipient to encrypt, so that only the recipient will be able to decrypt, using his own private key.

Well, if we consider SSL-secured Web-sites, we do not see that our Web-browser needs to build any public and private key-pairs. And so according to that, it might be imaginable that the server has a public key to receive data with securely, but it is not obvious how the browser receives data securely from the server. And what actually happens with SSL, is that a pseudo-random key is built essentially by the client, and is then sent to the server securely via RSA. That key is then used by both peers, to send and receive the actual user data via strong, symmetrical encryption. And this idea, of only using public key-exchange to encrypt a strong, symmetrical key once per session, is referred to as hybrid encryption.

This also makes sense from the standpoint, that a single public-key, RSA encryption requires much more CPU time, than the repeated use of AES aor Blowfish.

TLS key exchange is based on methods, that more closely resemble Diffie-Hellman than RSA, but again forms a basis of hybrid encryption.

And this is also why SSH, which is also known as ‘Secure Shell Protocol’, only requires that the client have a DSA key. Given that an SSH client uses his public key to authenticate himself, in theory an SSH server can be set to allow RSA authentication, but then all the client must do is to encrypt a piece of data which he cannot control, using his private key, to prove to the server that he is in fact the owner of a stated public key.

Hence, for SSH authentication, DSA works just as well for the client to use.

Dirk

 

Kanotix makes it easy, to install a Linux version on a UEFI motherboard.

The Linux versions I have stayed with in my past, are Kanotix versions. This does not change the fact that they are Debian-based; it only means that the Kanotix Team has simplified the packaging of a specific Debian system, so that it is ready to go.

Kanotix Dragonfire -> Debian / Wheezy (obsolete),

Kanotix Spitfire -> Debian / Jessie (actual).

Kanotix can be found here.

I have never had to do this. But if we wanted to install Linux on a UEFI-BIOS Motherboard, Kanotix makes it easy. They have a fabled installer called their ‘Acritox Installer’, which allows the user to specify an arbitrary part of the file system, which should be mounted from non-root disk partitions. Typically, this was done with the ‘/home‘ mount-point, using a Linux-oriented file system, such as ‘ext4‘. But for UEFI, we need to tell Acritox, to makeĀ  custom, FAT32 mount-point at ‘/boot/efi‘ , which therefore has its own partition.

The fact that this needs to be done, implies that this partition, which will either need to be a ‘Primary MBR’ or ‘Any GPT’ partition, will be readable by the BIOS, even before the O/S boots. This is the logical place where the O/S will store the signatures, of all the Images which are supposed to be bootable. Hence, there has been no special change to the format, in which the actual ‘initramfs‘ images are stored, but rather, every time we do an ‘update-initramfs‘, doing so will also add an entry to this FAT32 partition, for the newly-added image.

(Edit 04/05/2016 : ) According to the fact that I have discovered a major error in my thinking, it is also a fact, that this partition does not really store EFI signatures…

 

Dirk