Learning Security

Unclassified things, as it grows, it can be splitted on articles. As I’m seeing, it is feeded by mailing list


Thread model

Everyone talks about thread model, what is exactly?

Security keywords (security properties given attacker goal)

Attacker goal Security property
Compromise messages Confidentiality of messages
Alter sent messages Integrity of messages
Inject false messages Authenticity of messages
Identify as another person Authentication of communication partner
Block communication Availability of communication
Learn communication metadata Privacy protection
Prove what was said Deniability of message content
Prove that two persons communicated Deniability of the conversation
Learn past communication after compromise Forward secrecy
Prolong a successful attack Future secrecy

src https://conversations.im/omemo/audit.pdf


  • Plausible deniability
    • https://en.wikipedia.org/wiki/Plausible_deniability
    • https://en.wikipedia.org/wiki/VeraCrypt#Plausible_deniability

Fundamental tools

Tools very present in lots of technologies, you must know

x509 and TLS

TLS - Common way to secure communications through applications

  • Common uses
    • https: secure Web Applications and Web surfing
    • ssh: remote access to hosts and tunneling of lots of applications



Verify (sign) and encrypt data



  • PGP (Pretty Good Privacy) [Propietary] / GPG (GNU PGP Guard) [FOSS]
  • PEP (Pretty Easy Security) theoretically (TODO read whitepaper) solves problems of GPG
    • GPG Problems
      • Difficult to manage public keys / Trust
      • GPG armor encrypts to bcc as well
      • Leaked metadata (plus x509 is not helping a lot)

Eliptic curve


Double Ratchet Algorithm

based on signal (audit EN, trans -> ES) by open whisper systems. Whatsapp says uses it (general, detail).

  • Generic
    • https://github.com/trevp/double_ratchet/wiki –deprecated–> https://whispersystems.org/docs/
      • https://whispersystems.org/docs/specifications/doubleratchet/
      • [why?] https://whispersystems.org/docs/specifications/xeddsa/
      • [why?] https://whispersystems.org/docs/specifications/x3dh/
  • For XMPP
    • https://conversations.im/omemo/audit.pdf
    • https://conversations.im/omemo/
  • For matrix (matrix vs XMPP, matrix vs signal)
  • Bridges
    • question: with the bridge you can still encrypt? (key exchange…)
    • XMPP-matrix
      • easy-simple https://daemons.cf/cgit/yaxxb/about/
      • more complete https://github.com/pztrn/matrix-xmpp-bridge

Decentralization tools for our networks

  • DHT https://en.wikipedia.org/wiki/Distributed_hash_table
  • Blockchain https://en.wikipedia.org/wiki/Blockchain_(database)

Anonimity on Internet

  • Onion routing https://en.wikipedia.org/wiki/Onion_routing (used in tor)
  • Tor: onion routing at the application layer. Try to solve problem of Internet (TCP/IP stack), hide ip to preserve privacy
  • Hornet: Efficiency: onion routing at the network layer
  • GNUnet: Lots of stuff in application layer (including onion routing)

Mesh routing protocols

place to discuss this: battlemesh.org

  • babel https://en.wikipedia.org/wiki/Babel_(protocol)
  • batman-advanced (comming from batman) https://www.open-mesh.org/projects/open-mesh/wiki
  • bmx6 (fork-rethink of batman) https://bmx6.net/projects/bmx6/wiki
  • olsr https://en.wikipedia.org/wiki/Optimized_Link_State_Routing_Protocol
  • others

Firmwares for routers

Usually, with projects like OpenWrt and Lede, Community Networks (by region) do more specific firmwares:

  • Libremesh: batman-adv + bmx6/7, switched to Lede
  • qMp: bmx6, switched to Lede
  • Gluon: ?

Sensors in equipment



Smart* (going to IoT)

  • Toys (kids)
    • Barbie
      • http://www.ccma.cat/324/alerta-de-locu-hello-barbie-robot-i-que-i-cayla-tres-joguines-amb-connexio-a-internet-insegures/noticia/2762688/
      • http://www.bbc.com/mundo/noticias/2015/12/151215_finde_tecnologia_barbie_interactiva_habla_polemica_espia_ninos_lv

Mitigation: control your gateway - http://dowse.equipment/ - https://librerouter.org/

Access Control


  • Reuse password (solution: keepassx) https://xkcd.com/792/
  • Password strength https://xkcd.com/936/


  • Smartcards
    • https://en.wikipedia.org/wiki/OpenPGP_card
    • https://en.wikipedia.org/wiki/YubiKey

Biometrics (you are the key)

Some people to pretend substitute password with biometric stuff. This way, you are the key

In the past they used shape of the hand

Now they prefer ocular scanner and veins of the fingers

src /dev/null


  • http://www.genbeta.com/a-fondo/que-son-los-cypherpunks-y-por-que-son-tan-importanes-en-la-lucha-por-la-privacidad