DESCRIPTION
This presentation was given at the Over The Air event #ota11 at Bletchley Park. The idea was to get developers thinking about how they are securing their applications (or not) and to have an open discussion about methods that could be employed to help developers. Julius Caesar was nearly defeated a few times and, had his codes been broken, just maybe the world might have been a different place. For more information on the individual battles (I did a verbal run-through), check out the great Wikipedia pages on them. The code breaking exercise contained within is a fun tool to help people understand the need to protect information.
Copyright © 2011 Copper Horse Solutions Limited. All rights reserved
HISTORICAL CODE CRACKING WITH PHONES: WHAT IF PONTUS, THE GAULS, GERMANS, NERVII, EGYPTIANS AND HELVETII HAD IPHONES?
OVER THE AIR 2011, BLETCHLEY PARK
David Rogers, Copper Horse Solutions Ltd.
1st October 2011
http://www.mobilephonesecurity.org
About Me
12 years in the mobile industry
Hardware and software background
Head of Product Security at Panasonic Mobile
Worked with industry and government on IMEI and SIMlock security
Pioneered some early work in mobile phone forensics
Brought industry together on security information sharing
Director of External Relations at OMTP
Programme Manager for advanced hardware security tasks
Chair of Incident Handling task
Head of Security and Chair of Security Group at WAC
Owner and Director at Copper Horse Solutions
Blog: http://blog.mobilephonesecurity.org, Twitter: @drogersuk
About Copper Horse Solutions Ltd.
Established in 2011
Software and security company
Focussed on the mobile phone industry
Services:
Mobile phone security consultancy
Industry expertise
Standards representation
Mobile application development
http://www.copperhorsesolutions.com
SOME INFORMATION
HISTIAEUS
In 499BC sent a trusted slave to encourage a revolt against the Persians
Shaved the head of the slave
Tattooed a message on his head, let the hair grow back
The recipient shaved off the slave’s hair to get the message
This is an early form of steganography
From: http://www.retroworks.co/scytale.htm
SCYTALE
Transposition cipher
The Ancient Greeks, particularly the Spartans, used it for military communication (also apparently used by the Romans):
From: http://www.retroworks.co/scytale.htm
CAESAR SHIFT
Supposedly used by Caesar to protect military messages – by shifting the alphabet 3 places to the left:
Still used today (scarily!) – e.g. ROT13
It helped that a lot of Caesar’s enemies were illiterate anyway…
From: http://www.retroworks.co/scytale.htm
PHAISTOS DISC…
Still plenty of mystery text to decipher out there…
Source: PRA
CODE CRACKING CHALLENGE
After each battle I describe, there will be some codes to crack, with which you would be able to change the course of history. You can also get these at:
http://blog.mobilephonesecurity.org
From: http://www.retroworks.co/scytale.htm
SOME SOURCE CODE TO HELP!
Hint: The codes are all Caesar ciphers but with different rotations
https://github.com/mkoby/RotationCipher (not mine!)
and a cheat: http://textmechanic.com/ROT13-Caesar-Cipher.html
JULIUS CAESAR (BRIEFLY!)
100BC – 44BC
Spent 9 years campaigning in Gaul (and made a fortune)
Invaded Britain
Was involved in a civil war with Pompey
Defeated the Egyptians
Assassinated on the ‘Ides of March’ in 44BC
LIST OF BATTLES
58BC Battle of the Arar – Helvetii
58BC Battle of Vosges – Germans
57BC Battle of the Sabis – Nervii
52BC Battle of Alesia – Gauls
47BC Battle of the Nile – Egyptians
47BC Battle of Zela – Pontus
BATTLE OF THE ARAR
58BC Caesar v Helvetii, Switzerland
BREAK THIS ROMAN CODE!
Also here: http://blog.mobilephonesecurity.org
Can the Helvetians defeat Caesar?
bgxxwfhkxmbfxyhkkxbgyhkvxfxgml
BATTLE OF VOSGES
58BC Caesar v Germans, River Rhine, Alsace
BREAK THIS ROMAN CODE!
Should the Germans attack the Romans?
bpmumvizmnqopbqvonqbemkivpwtlwcbnwzivwbpmzemms
BATTLE OF THE SABIS
57BC Caesar v Nervii, Wallonia
BREAK THIS ROMAN CODE!
Are the Nervii ready for Caesar?
muqhuweydwjeruqjiqryiydjmetqoi
BATTLE OF ALESIA
52BC Caesar v Gauls, France
BREAK THIS ROMAN CODE!
Is there anything the Gauls can do to help themselves?
qebobfpxtbxhmlfkqfklrotxiikbxoqebqobbp
BATTLE OF THE NILE
47BC Caesar & Cleopatra v Ptolemaic forces, Alexandria, Egypt
BREAK THIS ROMAN CODE!
Are the Egyptians ready for action?
wbssrgiddcfhhcpfsoycihobrtwuvhdhczsam
BATTLE OF ZELA
47BC Caesar v Pontus, Turkey
BREAK THIS ROMAN CODE!
Save Pontus?
sbkfsfafsfzf
Mobile Phones!
Open discussion on mobile application security
DON’T USE ROMAN CODES!
ROT13 and XORing / obfuscation are not adequate!!
Modern crypto (not surprisingly) is significantly better
However, developers don’t have access to secure hardware APIs on mobile
MOBILE DEVELOPMENT
How are you storing keys for both symmetric and asymmetric ciphers?
Common issue amongst developers
Also application signing keys
MOBILE DEVELOPMENT
Think about security when designing your apps
Are you playing fast and loose with your users’ private data?
Have you explained to users why you used certain permissions?
What have you (not) encrypted?
Is your application designed badly? – gift to hackers / fraudsters?
E.g. asking for credit card details from a QR code
MOBILE DEVELOPMENT
Do your research
Are you using weak / insecure methods?
Do you understand basic secure coding techniques?
Do you understand the platform security guidelines?
DISCUSSION
From: http://stackoverflow.com/questions/4671859/storing-api-keys-in-android-is-obfustication-enough
DISCUSSION
“I look at KeyStore but it does not really solve my problem. It can store my keys given that I can provide a password. Then I need to find a secure place to store this password which is same as my original problem.”
PLATFORM SECURITY GUIDELINES
Apple: http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
Android: http://developer.android.com/guide/topics/security/security.html
Blackberry: http://docs.blackberry.com/en/developers/deliverables/29302/index.jsp?name=Security+-+Development+Guide+-+BlackBerry+Java+SDK7.0&language=English&userType=21&category=Java+Development+Guides+and+API+Reference&subCategory=
Windows Phone 7 (Nokia Guidelines): http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security
ROMANS WITH IPHONES….
http://www.flickr.com/photos/laurenthaug/4127870976/sizes/l/in/photostream/
Contact
Email: [email protected]
Twitter: @drogersuk
Blog: http://blog.mobilephonesecurity.org
Code Solutions
Don’t look at the next slide if you don’t want the answers!
CODE SOLUTIONS
Helvetii: I need more time for reinforcements (h shift)
Germans: the men are fighting fit we can hold out for another week (s shift)
Nervii: we are going to beat sabis in two days (k shift)
Gauls: there is a weak point in our wall near the trees (d)
Egyptians: I need support to break out and fight ptolemy (m shift)
Pontus: veni vidi vici (d shift)
The famous: I came, I saw, I conquered message
Of course, the Pontic army could not save themselves!
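Added example, not part of the original slides and not the linked RotationCipher code: a brute-force pass over all 26 rotations of the challenge ciphertexts, ranked by English letter-frequency likelihood, which is the reason the "DON'T USE ROMAN CODES!" slide calls ROT13-style schemes inadequate. The frequency table and the names rotate, score, candidates and rank_of are this example's own; the shift letter is reported the way the solutions slide names it.

```python
import math
import string

# Approximate English letter frequencies in percent, a..z (assumed table, not from the slides).
FREQ = dict(zip(string.ascii_lowercase, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.095, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.074]))
LOG_P = {c: math.log(p / 100) for c, p in FREQ.items()}

# Ciphertexts copied from the challenge slides.
CHALLENGES = {
    "Helvetii": "bgxxwfhkxmbfxyhkkxbgyhkvxfxgml",
    "Germans": "bpmumvizmnqopbqvonqbemkivpwtlwcbnwzivwbpmzemms",
    "Nervii": "muqhuweydwjeruqjiqryiydjmetqoi",
    "Gauls": "qebobfpxtbxhmlfkqfklrotxiikbxoqebqobbp",
    "Egyptians": "wbssrgiddcfhhcpfsoycihobrtwuvhdhczsam",
    "Pontus": "sbkfsfafsfzf",
}

def rotate(text, k):
    """Move each lowercase letter k places forward in the alphabet (mod 26)."""
    return "".join(chr((ord(c) - 97 + k) % 26 + 97) if c in LOG_P else c
                   for c in text)

def score(text):
    """Log-likelihood of the text under English letter frequencies (higher is better)."""
    return sum(LOG_P[c] for c in text if c in LOG_P)

def candidates(ciphertext):
    """All 26 decryptions as (shift_letter, plaintext), most English-like first.

    shift_letter matches the solutions slide: the letter that ciphertext 'a' decrypts to.
    """
    out = [(string.ascii_lowercase[k], rotate(ciphertext, k)) for k in range(26)]
    return sorted(out, key=lambda pair: score(pair[1]), reverse=True)

def rank_of(ciphertext, plaintext):
    """1-based position of a known plaintext in the ranked candidate list."""
    return [p for _, p in candidates(ciphertext)].index(plaintext) + 1

if __name__ == "__main__":
    for name, ct in CHALLENGES.items():
        letter, guess = candidates(ct)[0]
        print(f"{name:10} top guess: shift {letter!r} -> {guess}")
```

The 46-letter Germans message comes out first on score alone. The 12-letter Latin "veni vidi vici" does not, since it is short and not English, but with only 26 possible keys the whole candidate list can be read by eye in seconds.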