Hacking Roman Codes with Mobile Phones

DESCRIPTION

This presentation was given at the Over The Air event #ota11 at Bletchley Park. The idea was to get developers thinking about how they are securing their applications (or not) and to have an open discussion about methods that could be employed to help developers. Julius Caesar was nearly defeated a few times and, had his codes been broken, just maybe the world might have been a different place. For more information on the individual battles (I did a verbal run-through), check out the great Wikipedia pages on them. The code breaking exercise contained within is a fun tool to help people understand the need to protect information.

Page 1: Hacking Roman Codes with Mobile Phones

Copyright © 2011 Copper Horse Solutions Limited. All rights reserved

HISTORICAL CODE CRACKING WITH PHONES: WHAT IF PONTUS, THE GAULS, GERMANS, NERVII, EGYPTIANS AND HELVETII HAD IPHONES?

OVER THE AIR 2011, BLETCHLEY PARK

David Rogers, Copper Horse Solutions Ltd.

1st October 2011

http://www.mobilephonesecurity.org

Page 2: Hacking Roman Codes with Mobile Phones

SOME INFORMATION

About Me
- 12 years in the mobile industry
- Hardware and software background
- Head of Product Security at Panasonic Mobile
- Worked with industry and government on IMEI and SIMlock security
- Pioneered some early work in mobile phone forensics
- Brought industry together on security information sharing
- Director of External Relations at OMTP
- Programme Manager for advanced hardware security tasks
- Chair of Incident Handling task
- Head of Security and Chair of Security Group at WAC
- Owner and Director at Copper Horse Solutions
- Blog: http://blog.mobilephonesecurity.org, Twitter: @drogersuk

About Copper Horse Solutions Ltd.
- Established in 2011
- Software and security company
- Focussed on the mobile phone industry
- Services:
  - Mobile phone security consultancy
  - Industry expertise
  - Standards representation
  - Mobile application development
- http://www.copperhorsesolutions.com

Page 3: Hacking Roman Codes with Mobile Phones

HISTIAEUS

- In 499BC sent a trusted slave to encourage a revolt against the Persians
- Shaved the head of the slave
- Tattooed a message to his head, let the hair grow back
- Recipient shaves off the slave’s hair to get the message
- This is an early form of steganography

From: http://www.retroworks.co/scytale.htm

Page 4: Hacking Roman Codes with Mobile Phones

SCYTALE

- Transposition cipher
- Ancient Greeks, particularly the Spartans, used it for military communication (also apparently used by the Romans):

From: http://www.retroworks.co/scytale.htm

Page 5: Hacking Roman Codes with Mobile Phones

CAESAR SHIFT

- Supposedly used by Caesar to protect military messages – by shifting the alphabet 3 places to the left:
- Still used today (scarily!) – e.g. ROT13
- It helped that a lot of Caesar’s enemies were illiterate anyway…

From: http://www.retroworks.co/scytale.htm

Page 6: Hacking Roman Codes with Mobile Phones

PHAISTOS DISC…

Still plenty of mystery text to decipher out there…

Source: PRA

Page 7: Hacking Roman Codes with Mobile Phones

CODE CRACKING CHALLENGE

After each battle I describe there will be some codes to crack in which you would be able to change the course of history. You can also get these at:

http://blog.mobilephonesecurity.org

From: http://www.retroworks.co/scytale.htm

Page 8: Hacking Roman Codes with Mobile Phones

SOME SOURCE CODE TO HELP!

- Hint: The codes are all Caesar ciphers but with different rotations
- https://github.com/mkoby/RotationCipher (not mine!)
- and a cheat: http://textmechanic.com/ROT13-Caesar-Cipher.html

Page 9: Hacking Roman Codes with Mobile Phones

JULIUS CAESAR (BRIEFLY!)

- 100BC – 44BC
- Spent 9 years campaigning in Gaul (and made a fortune)
- Invaded Britain
- Was involved in a civil war with Pompey
- Defeated the Egyptians
- Assassinated on the ‘Ides of March’ in 44BC

Page 10: Hacking Roman Codes with Mobile Phones

Page 11: Hacking Roman Codes with Mobile Phones

LIST OF BATTLES

- 58BC Battle of the Arar – Helvetii
- 58BC Battle of Vosges – Germans
- 57BC Battle of the Sabis – Nervii
- 52BC Battle of Alesia – Gauls
- 47BC Battle of the Nile – Egyptians
- 47BC Battle of Zela – Pontus

Page 12: Hacking Roman Codes with Mobile Phones

BATTLE OF THE ARAR

58BC Caesar v Helvetii, Switzerland

Page 13: Hacking Roman Codes with Mobile Phones

BREAK THIS ROMAN CODE!

Also here: http://blog.mobilephonesecurity.org

Can the Helvetians defeat Caesar?

bgxxwfhkxmbfxyhkkxbgyhkvxfxgml

Page 14: Hacking Roman Codes with Mobile Phones

BATTLE OF VOSGES

58BC Caesar v Germans, River Rhine, Alsace

Page 15: Hacking Roman Codes with Mobile Phones

BREAK THIS ROMAN CODE!

Also here: http://blog.mobilephonesecurity.org

Should the Germans attack the Romans?

bpmumvizmnqopbqvonqbemkivpwtlwcbnwzivwbpmzemms

Page 16: Hacking Roman Codes with Mobile Phones

BATTLE OF THE SABIS

57BC Caesar v Nervii, Wallonia

Page 17: Hacking Roman Codes with Mobile Phones

BREAK THIS ROMAN CODE!

Also here: http://blog.mobilephonesecurity.org

Are the Nervii ready for Caesar?

muqhuweydwjeruqjiqryiydjmetqoi

Page 18: Hacking Roman Codes with Mobile Phones

BATTLE OF ALESIA

52BC Caesar v Gauls, France

Page 19: Hacking Roman Codes with Mobile Phones

BREAK THIS ROMAN CODE!

Also here: http://blog.mobilephonesecurity.org

Is there anything the Gauls can do to help themselves?

qebobfpxtbxhmlfkqfklrotxiikbxoqebqobbp

Page 20: Hacking Roman Codes with Mobile Phones

BATTLE OF THE NILE

47BC Caesar & Cleopatra v Ptolemaic forces, Alexandria, Egypt

Page 21: Hacking Roman Codes with Mobile Phones

BREAK THIS ROMAN CODE!

Also here: http://blog.mobilephonesecurity.org

Are the Egyptians ready for action?

wbssrgiddcfhhcpfsoycihobrtwuvhdhczsam

Page 22: Hacking Roman Codes with Mobile Phones

BATTLE OF ZELA

47BC Caesar v Pontus, Turkey

Page 23: Hacking Roman Codes with Mobile Phones

BREAK THIS ROMAN CODE!

Also here: http://blog.mobilephonesecurity.org

Save Pontus?

sbkfsfafsfzf

Page 24: Hacking Roman Codes with Mobile Phones

Mobile Phones!

Open discussion on mobile application security

Page 25: Hacking Roman Codes with Mobile Phones

DON’T USE ROMAN CODES!

- ROT13 and XORing / obfuscation are not adequate!!
- Modern crypto (not surprisingly) is significantly better
- However, developers don’t have access to secure hardware APIs on mobile
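
The hint slide says every challenge code is a Caesar cipher with a different rotation, and this slide says ROT13-style schemes are not adequate. The added example below (not from the talk or from the linked RotationCipher project) shows why: it tries all 26 rotations and keeps the one whose letter counts look most like English. The sample message, the frequency table and the function names are assumptions made for the illustration.

```python
import string

ALPHABET = string.ascii_lowercase
# Approximate English letter frequencies in percent, a..z (textbook values).
ENGLISH_PCT = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
               6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def rotate(text, shift):
    """Move every letter `shift` places forward in the alphabet, wrapping at z."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def chi_squared(text):
    """Distance between the text's letter counts and English; lower is closer."""
    letters = [ch for ch in text if ch in ALPHABET]
    if not letters:
        return float("inf")
    score = 0.0
    for letter, pct in zip(ALPHABET, ENGLISH_PCT):
        expected = len(letters) * pct / 100
        score += (letters.count(letter) - expected) ** 2 / expected
    return score


def crack(ciphertext):
    """Try all 26 rotations; return (shift_letter, plaintext) for the best score.

    shift_letter is the letter that 'a' maps to under the recovering rotation.
    """
    best = min(range(26), key=lambda s: chi_squared(rotate(ciphertext, s)))
    return ALPHABET[best], rotate(ciphertext, best)


# Constructed sample: a message rotated 21 places, so 5 more places ("f") undo it.
SAMPLE = rotate("rotating the alphabet is not encryption", 21)

if __name__ == "__main__":
    letter, plaintext = crack(SAMPLE)
    print(f"{SAMPLE!r} -> shift {letter}: {plaintext!r}")
```

Frequency scoring assumes roughly a sentence of English; for a very short or non-English message, list all 26 outputs of `rotate` and read them by eye.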

Page 26: Hacking Roman Codes with Mobile Phones

MOBILE DEVELOPMENT

- How are you storing keys for both symmetric and asymmetric ciphers?
- Common issue amongst developers
- Also application signing keys

Page 27: Hacking Roman Codes with Mobile Phones

MOBILE DEVELOPMENT

- Think about security when designing your apps
- Are you playing fast and loose with your users’ private data?
- Have you explained to users why you used certain permissions?
- What have you (not) encrypted?
- Is your application designed badly? – gift to hackers / fraudsters?
- E.g. asking for credit card details from a QR code

Page 28: Hacking Roman Codes with Mobile Phones

MOBILE DEVELOPMENT

- Do your research
- Are you using weak / insecure methods?
- Do you understand basic secure coding techniques?
- Do you understand the platform security guidelines?

Page 29: Hacking Roman Codes with Mobile Phones

DISCUSSION

From: http://stackoverflow.com/questions/4671859/storing-api-keys-in-android-is-obfustication-enough

Page 30: Hacking Roman Codes with Mobile Phones

DISCUSSION

“I look at KeyStore but it does not really solve my problem. It can store my keys given that I can provide a password. Then I need to find a secure place to store this password which is same as my original problem.”

Page 31: Hacking Roman Codes with Mobile Phones

PLATFORM SECURITY GUIDELINES

Apple: http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Introduction.html

Android: http://developer.android.com/guide/topics/security/security.html

Blackberry: http://docs.blackberry.com/en/developers/deliverables/29302/index.jsp?name=Security+-+Development+Guide+-+BlackBerry+Java+SDK7.0&language=English&userType=21&category=Java+Development+Guides+and+API+Reference&subCategory=

Windows Phone 7 (Nokia Guidelines): http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security

Page 32: Hacking Roman Codes with Mobile Phones

ROMANS WITH IPHONES….

http://www.flickr.com/photos/laurenthaug/4127870976/sizes/l/in/photostream/

Contact
- Email: [email protected]
- Twitter: @drogersuk
- Blog: http://blog.mobilephonesecurity.org

Page 33: Hacking Roman Codes with Mobile Phones

Code Solutions

Don’t look at the next slide if you don’t want the answers!

Page 34: Hacking Roman Codes with Mobile Phones

CODE SOLUTIONS

- Helvetii: I need more time for reinforcements (h shift)
- Germans: the men are fighting fit we can hold out for another week (s shift)
- Nervii: we are going to beat sabis in two days (k shift)
- Gauls: there is a weak point in our wall near the trees (d)
- Egyptians: I need support to break out and fight ptolemy (m shift)
- Pontus: veni vidi vici (d shift)
- The famous: I came, I saw, I conquered message
- Of course, the Pontic army could not save themselves!
