
Privacy in Hostile Environments

Mafalda Duarte Freitas

Integrated Master's in Network and Computer Systems Engineering (Mestrado Integrado em Engenharia de Redes e Sistemas Informáticos)
Department of Computer Science (Departamento de Ciências de Computadores)
2015

Advisor: Luís Antunes, Associate Professor, FCUP

All corrections determined by the jury, and only those, have been made.

The President of the Jury,


Abstract

In recent decades, mobile networks and mobile devices with significant computing power have grown in popularity and availability. With ubiquitous Internet access, the public now depends on online services and applications to perform activities that range from everyday social interaction to the exchange of secure communications of the highest level. Each of these activities has its own requirements, and involves different risks, but they have in common a fundamental challenge: to exchange private information in a shared communication channel that they cannot control.

In the present work we approach two very different scenarios. In the first scenario, there is the need to provide secure, encrypted, mobile communications to high visibility government entities that are likely to be individually targeted. In the second scenario, there is the need to protect the average Internet user from unwilling exposure to local data interception, privacy breaches, identity theft or bulk collection of private data.

In the context of secure communications in the first scenario, we closely examine a mobile application that is currently on the market, with claims that it can provide a secure communication channel between any set of Android or iOS smartphones. We analyze the application deployment and its code, and describe the vulnerabilities found during that analysis, comparing them with the well-known vulnerabilities of Wireless Protected Access version 1 (WPA1). We develop a proof-of-concept attack that demonstrates that those vulnerabilities make the application unsuitable for providing a secure communication channel. We also recommend some steps to improve the application and to prevent the commercialization of software solutions whose security has not been tested.

In the second scenario, to address the protection of the average Internet user, we start with a historical analysis of the concept of privacy as a human right. Our goal is to establish the level of privacy that each individual can rightly aspire to, and what provisions have been made in the past to preserve that level of privacy. We show that technological development has constantly been a source of danger to personal privacy and freedoms, and that a constant effort must be made to counteract that effect. We then review current initiatives to protect citizens from mass surveillance and bulk data collection, and design our own tool to help the average user regain control over his or her online experience.


Resumo

In recent decades there has been a growing increase in the availability and popularity of mobile networks and devices, the latter with increasingly significant computing power. With ubiquitous Internet access, the public increasingly depends on online services and applications for activities ranging from daily social interaction to secure communications of the highest level. Each of these activities has specific needs and involves different risks, but they have in common a fundamental challenge: exchanging private information over a shared communication channel that they cannot control.

In this work we address two very different scenarios. In the first, there is the need to provide secure, encrypted mobile communications to government entities. These have high visibility and a high probability of being targeted by attacks. In the second scenario, there is the need to protect ordinary Internet users from local interception of information, invasion of privacy, identity theft and bulk collection of private data.

In the context of secure communications, within the first scenario, we examine a mobile application available on the market that claims to provide a secure communication channel between any pair of Android or iOS smartphones. An analysis of the application and its code is carried out, and the vulnerabilities found during that analysis are described and compared with recognized vulnerabilities of WPA1. We develop a demonstrative attack to show that the vulnerabilities found render the application incapable of providing a secure communication channel. We also recommend some steps to improve the application and to prevent the commercialization of software solutions whose security has not been adequately tested.

In the second scenario, to address the protection of the ordinary Internet user, we begin with a historical analysis of the concept of privacy as a fundamental right. Our goal is to establish what level of privacy each individual can aspire to, and what measures were taken in the past to preserve that level of privacy. We show that technological development has been a constant source of danger to privacy and individual freedoms, and that a permanent effort is needed to counteract that effect. We review existing initiatives to protect citizens from permanent surveillance and bulk data collection, and we create our own tool to allow the ordinary citizen to regain control over their online experience.


Dedication

I dedicate this work to my parents, who I’d choose again if I had another chance at life, to my sister, my greatest joy, in the hope she grows to a better world, to Hugo, who I met so briefly, but whose talent and passion still inspire me, and to all the programmers and hackers out there that work in the shadow so that others can bring their stories to light.


Acknowledgments

First and foremost, I would like to thank my thesis advisor, Luís Antunes, for his guidance, support and understanding. His dedication made this work possible.

In November 2013, I had the opportunity to join the Centro de Competências em Cibersegurança e Privacidade, at University of Porto. My time at C3P was an extraordinary experience, giving me renewed energy and passion for my work. Much of the work presented in this thesis was made possible by the assistance and expertise provided by my colleagues at C3P, who also provided me with much needed help and companionship. In particular, I am very grateful to Luís Maia, Luís Valente, and Pedro Brandão, who gave me precious support, and the right advice and insights in the right moments.

I am very grateful to Filipa Calvão for her time and support. Her collaboration, together with the team at Comissão Nacional de Protecção de Dados, was essential to the development and success of C3Priv, and I truly appreciate the work we did together.

I have to thank both Filipa Calvão and Luís Torgo for making my defense a moment I enjoyed and will remember fondly. I appreciate their kind words and the positive criticism.

I thank Alexandra Ferreira for her unwavering support, her faith in my abilities, and the expert navigation through the dangerous seas of academic bureaucracy.

To my friends, Mário, Pedro, Cristiano, Daniel, Patrícia, Ivo, Rui and André, I thank for the late night talks, the hours of fun, my new TF2 skills and for reminding me regularly that there is a lighter side to life. I am forever grateful to Mário, who dreamed for me when I forgot how to.

Last, but certainly not least, I thank my parents, Paula and Júlio, and my sister Matilde. I am deeply grateful for the financial and moral support, for believing in me when I did not, and for always being near, despite the distance. Your unconditional love and encouragement keep pushing me forward.


Contents

Abstract 1

Resumo 2

1 Introduction 1

2 App Analysis 3

2.1 The Application . . . 3

2.2 Vulnerabilities . . . 5

2.2.1 Electronic Codebook (ECB) encryption mode . . . 5

2.2.2 Number of iterations of the Pseudorandom Function (PRF) in Password-Based Key Derivation Function 2 (PBKDF2) . . . 5

2.2.3 Use of a fixed salt . . . 6

3 Proposed attack 7

3.1 Description of WPA . . . 7

3.2 Comparison with our software. . . 8

3.3 A distributed attack on WPA1 . . . 9

3.4 Padding Oracle Attack . . . 10

3.5 Results. . . 12

3.6 Possible improvements . . . 13

4 Privacy in hostile environments 14

4.1 The right to be let alone . . . 14


CONTENTS 6

4.2 Mass surveillance . . . 16

4.3 Privacy and technology . . . 17

5 Easy to use Privacy: C3Priv 18

5.1 Guiding premises . . . 18

5.2 Privacy By Default . . . 19

5.3 Recognizing Limits . . . 19

5.4 Proposed Solution . . . 20

5.5 Advantages of Open Source . . . 22

5.6 Selected Applications. . . 22

5.7 Selected Browser Add-ons . . . 23

5.8 Observations and Results . . . 23

5.9 Future . . . 25

5.9.1 Creating an indistinguishable online identity . . . 25

5.9.2 Surveying users needs . . . 26

6 Conclusion 27

Annex A - Portable Applications 29

Annex B - Firefox Add-Ons 31

Acronyms 33


List of Figures

3.1 Example of PKCS5 Padding in blocks containing 3, 5 and 8 byte messages, in blocks of 8 bytes. . . 11

3.2 Padding oracle attack on the last byte of an 8 byte block, producing an incorrect padding. . . 11

3.3 Padding oracle attack on the last byte of an 8 byte block, producing a correct padding of 0x01. . . 11

3.4 Padding oracle attack on the second-last byte of an 8 byte block, producing an incorrect padding. . . 12

3.5 Padding oracle attack on the second-last byte of an 8 byte block, producing a correct padding of 0x02. . . 12

5.1 PortableApps menu . . . 21

5.2 Contents of a Universal Serial Bus (USB) pen-drive with C3Priv already installed 22

5.3 Volume of C3Priv downloads from February 2014 to October 2014 . . . 24

5.4 C3Priv download distribution globally . . . 24

5.5 C3Priv download distribution in Europe . . . 25


List of Tables

2.1 List of the files found in the smartphone’s Secure Digital (SD) cards . . . 4

2.2 Specific values that PBKDF2 receives as input . . . 4

3.1 PBKDF2 Key Derivation in WPA1 and in the analyzed application. . . 8


Chapter 1

Introduction

In the early days of telephony, circuit switched connections created a communication channel that was well defined and exclusive to the participants. This allowed the use of wire telegraph circuits to establish secure connections between parties that needed to keep their communications secret. A famous example of one such use is the Direct Communications Link between Washington and Moscow, known as Washington-Moscow Hotline. This line, established in 1963, was a secure emergency communications channel between the American and the Russian government.

Unlike the more modern packet-based, connectionless networks, the telephone switched networks were very linear. There were few telecommunication companies providing telephony services, and the small number of users allowed them to have a great level of control over the infrastructure. The communications usually were not private, but to access them, one had to have physical access to the network. To keep special communication channels private, direct lines such as the Washington-Moscow Hotline used encryption to ensure that only the receiving end could recover the plaintext message, and the lines themselves were deployed in secret underground tunnels, to stop physical interception.

Initially, the volume of data exchanged through these connections was very small. The messages were mostly text, and beyond the daily tests, the system was only rarely used. The one-time tapes used to keep messages encrypted during transit were provided by both sides, and carried halfway across the world.[37] With the rise of satellite communications, however, and the falling prices of both communication equipment and telephone data plans, land lines and circuit switched networks were replaced by mobile and packet switched networks, such as the Internet. Today, the pervasiveness of Global System for Mobile Communications (GSM), Third Generation (3G) and Fourth Generation (4G) mobile networks, and the availability and low cost of devices to access them, makes them the ideal medium for always-ready communication channels between any set of terminals, independently of location.

Rather than relying on the security of the network to protect communications, as was done with private landlines, or even in satellite based communications, access through these shared networks relies heavily on the terminal's ability to preserve the secrecy and integrity of the messages exchanged. With the evolution of mobile phones to PDAs, and later to smartphones, it became increasingly easier to obtain the processing power needed to build terminals that could rise to that challenge. But, as the complexity of the technology grew, so did the odds of committing mistakes or oversights in the design and implementation of protocols and terminal applications.

During this work, to gain some insight into the level of security of commercially available solutions for secret communications through smartphones, we examine an application for secure communication that is currently available on the market. This application was submitted to the Centro de Competências em Cibersegurança e Privacidade (C3P) of the University of Porto for review, and the work is performed in coordination with the C3P team. We analyze the application, identify and study flaws and vulnerabilities, and determine if and how those vulnerabilities may compromise the application's security. Based on the results of this analysis, we implement an attack as a proof of concept of the vulnerabilities found.

We will also examine the concept of privacy as it exists today, how it was created and how it evolved through history. We will take a brief look at the legal protections offered to citizens and to how they integrate with the enormous technological growth we have faced in the last decades, trying to reveal its current shortcomings and the consequences of such shortcomings, in the present and in the near future.

Finally, we will propose, design and implement a tool that aims to offer Internet users a greater degree of control over their privacy, whether on their own PCs or on the move.


Chapter 2

App Analysis

In the last semester of 2013 an application for Android and iOS smartphones built for secure mobile communication was submitted to C3P for analysis. The C3P team examined the system in order to assess the level of security it provided to both the information stored in the smartphone and to the communications done through it.

Within the scope of the present work, the most relevant aspect was the analysis of the cellphones' internal storage files, and the information obtained through the reverse engineering of the code. This particular analysis is included in the following chapter, allowing a closer look at the integrity and security of commercially available solutions that are being deployed and used in real world scenarios.

2.1 The Application

The brief description of the application that was provided by its creators on their website gives some insights into its internal workings. They describe their product as a system built to allow secure Short Message System (SMS) and voice communications through any Android or iOS smartphone it is installed on, to recipients who use the same application to receive said calls and SMSs.

The communications done through the app are processed by a server that may be either privately owned, running on the client's premises, or available "in the cloud". In the latter case, the server is rented and kept in the provider company's facilities, but the client remains the exclusive user of the system.

On the company's website, as well as in communications made to several local newspapers, it is stated that the encryption used by the system is RSA[54]1 with 3072 bit keys, and Advanced Encryption Standard (AES) with 256 bit keys, both presented as "extremely secure".

1 RSA is a public-key cryptosystem published in 1978. The name comes from the initials of the surnames of its creators, Ron Rivest, Adi Shamir, and Leonard Adleman.


We were provided with a pair of Android smartphones, with the application already installed, and their respective Personal Identification Numbers (PINs). The PINs unlocked the phones and allowed the use of the application.

The first step was to examine the smartphones' SD cards. After connecting each SD card to a computer, we were able to examine the file system, which contained the files listed in Table 2.1. The files were copied and kept for later use.

Files present in the SD card: IV, Public Key, Private Key, Public Server Key

Table 2.1: List of the files found in the smartphone's SD cards

We proceeded with the analysis of the application source code, written in Java. We found that the communications done through the application were being encrypted using public-key cryptography, through RSA, using the keys found in the SD card. The data stored on the phone, including the keys and the Initialization Vector (IV), was encrypted with symmetric cryptography, using AES.

By examining the code, we learned that the key used by AES to encrypt the files was derived from the application's PIN, using PBKDF2, which is part of the Public Key Cryptography Standard (PKCS) 5[50]. We also verified that the salt used for PBKDF2 was a fixed string, composed of six alphabetic characters, which we found declared in plain text inside the code. The values that are given to PBKDF2 as input can be seen in Table 2.2.

Upon examination it was established that the IV contained in one of the files is device dependent, and is generated and saved in the SD card on the application's first run. This IV was encrypted with AES, in ECB mode and with PKCS5 padding, as were the remaining files, using the PIN as key.

PBKDF2 input parameters

Description                                 Value
PRF                                         Hash-based Message Authentication Code (HMAC)-Secure Hash Algorithm (SHA)1
Master password                             PIN
Salt value                                  fixed string
Number of iterations of the PRF required    1024
Expected length of the derived key          256 bits

Table 2.2: Specific values that PBKDF2 receives as input

2.2 Vulnerabilities

At first glance, the encryption algorithms used seem adequate, both being internationally recommended ciphers. However, a closer look reveals several choices made in their deployment that can be considered poorly made. Of these choices, the most significant are the encryption mode selected for AES, the number of iterations of the PRF, and the use of a fixed salt. As we will show, these choices severely compromise the application's security.

2.2.1 ECB encryption mode

The encryption mode chosen for AES is ECB, which is a weak choice for the cipher's mode of operation. ECB's main problem lies in the fact that all identical blocks of plaintext produce the same ciphertext when encrypted with the same key. This behavior reveals patterns in the encrypted data that may result in loss of confidentiality. With key reuse, an attacker can compare sets of known plaintext and the respective ciphertext with unknown blocks of ciphertext to decrypt them. The fact that all blocks are deciphered in the same way also makes ECB vulnerable to replay attacks.

2.2.2 Number of iterations of the PRF in PBKDF2

The choice of HMAC-SHA1 as the pseudorandom function for PBKDF2 is still considered appropriate, despite some shortcomings of SHA1 itself. SHA1 is considered vulnerable to collision attacks, with known attacks since 2005 and abandonment by federal agencies and companies like Microsoft[44], Mozilla[47] and Google[46]. Since HMACs are less affected by collisions than their underlying hash algorithms, SHA1 can still be used for this purpose. Nevertheless, the National Institute of Standards and Technology (NIST) policy from 2012 advises the use of SHA256 or SHA3 as a replacement for SHA1.[43]

Regarding the number of iterations of the pseudorandom function in PBKDF2, in 2000 the PKCS5 standard recommended 1000 iterations. At the time, it was already foreseeable that this number would have to be increased to match the growing computing power of more recent Central Processing Units (CPUs). NIST, in a recommendation from 2010, advised that the iteration count for PBKDF2 should be "as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users." The minimum iteration count is still considered 1000, but the document states that "for especially critical keys, (...) an iteration count of 10,000,000 may be appropriate."[51] 10,000,000 iterations may be excessive in this case, since the limitations of the smartphone's hardware would result in unresponsiveness of the device, and that situation would not be acceptable to users. However, an iteration count of 1024 is too low to effectively delay attacks.

2.2.3 Use of a fixed salt

Of the vulnerabilities found, the most alarming is possibly the use of a fixed salt. In cryptography, a salt is a piece of random data that is combined with a password, usually by concatenation. To avoid storing the password in plain text, the combined string is hashed, and only this hash and the respective salt are kept.

Users often choose short and simple passwords that are easier to remember, but these passwords offer little security. Adding a salt to such a password increases its length and complexity to a more reasonable level.

Additionally, salts substantially increase the difficulty of cracking passwords with a dictionary attack against a hash list. Without a salt, the attacker would have to build pre-computed hash tables (known as rainbow tables) with the hashes of all possible passwords. When a salt is used, the involved workload is increased, since the attacker will now have to build tables containing the hashes of each possible password, combined with each possible salt.

Regarding the choice of a salt, the Request For Comments (RFC) 2898 states that, if there is no need to distinguish different uses of the key, “the salt may be generated at random and need not be checked for a particular format by the party receiving the salt. It should be at least eight octets (64 bits) long.”[50] The salt used in the application is fixed, not random, and shorter than the recommended 64 bits, with a length of only 48 bits. Although it is not public, since we had to look into the code to find it, it is still short enough to make the password vulnerable to attacks.

Since we know the salt, we can use it to build a rainbow table with the hashes of all the combinations of the salt with the possible PINs, at the same cost we would have if no salt were used, effectively defeating its purpose. Furthermore, since the salt is reused in all smartphones running the application, our rainbow tables can be reused to crack the PIN in those other instances, saving us the added computing effort.


Chapter 3

Proposed attack

As we will see in this section, the vulnerabilities found in the application are enough to plan an attack. We will show how that attack takes a form very similar to the widely performed attacks on WPA, and how the software for such an attack can be modified to work in our own scenario. We will show that, using this method, it is possible to recover the application's PIN on any smartphone running it, effectively taking control of the communications done through the smartphone. To start the attack, the only requirement is a copy of the SD card's files.

3.1 Description of WPA

There are two main modes of WPA:

• WPA Enterprise, which is based on Remote Authentication Dial In User Service (RADIUS) authentication;

• WPA Personal, which uses a Pre-Shared Key (PSK). WPA PSK has two variants:

  – WPA1, based on Temporal Key Integrity Protocol (TKIP);

  – WPA2, with Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on AES.

WPA1, which was deprecated in the 2012 revision of the 802.11 standard, uses a 256 bit key to encrypt network traffic. This key can be either a string of 64 hex digits, or derived from a passphrase of 8 to 63 printable American Standard Code for Information Interchange (ASCII) characters. In the latter case, a derivation function, PBKDF2, is applied to the passphrase to provide a key with the necessary length. In WPA1, PBKDF2 uses 4096 iterations of HMAC-SHA1 and uses the network's Service Set Identifier (SSID) as salt.

In theory, due to the huge number of possible combinations of SSIDs and passphrases that can be used in a network, brute-force or dictionary attacks on WPA1 would be infeasible. However, empirical observation shows that the SSID of domestic networks is rarely changed from the default hardware brand or Internet Service Provider (ISP) name, meaning that many domestic wireless networks share the salt used in the key derivation process. This allows the computation and reuse of huge pre-computed hash tables that combine possible keys with each of the most common SSIDs.

Since WPA1 was specified as a temporary replacement for Wired Equivalent Privacy (WEP) that was compatible with older hardware, this possibility of attack was not taken as a serious risk. However, WPA1 remained in use for much longer, providing motivation for the creation of software to simplify WPA1 cracking, and for the publication of very large pre-computed hash tables for the most common brands and ISPs.

3.2 Comparison with our software

Table 3.1 summarizes the WPA1 key derivation process, and compares it to that of the application under analysis at C3P.

                          WPA1                                   Analyzed application
IV                        Captured in the handshake,             Stored in a file, encrypted with the PIN,
                          encrypted with the PSK                 using AES
Key                       Captured in the network                Stored in a file in the SD card
Key Derivation Function   PBKDF2                                 PBKDF2
Pseudo Random Function    HMAC-SHA1                              HMAC-SHA1
Master Password           Passphrase (PSK)                       PIN
HMAC-SHA1 Salt            Network SSID                           Fixed salt string
HMAC-SHA1 Iterations      4096                                   1024
Derived Key Length        256 bit                                256 bit

Table 3.1: PBKDF2 key derivation in WPA1 and in the analyzed application

The table shows that the two processes have many similarities, which allow us to start from the attack on WPA1 and adapt it to our application. There are also some small differences, such as the PIN being shorter than a typical network passphrase, and a fixed string being used as salt instead of the SSID. Of these differences, however, the only one that is reflected in the code is the number of PRF iterations, which is four times smaller than that of WPA1.

The use of a fixed salt provides an advantage, since it means that we will be able to reuse the generated set of rainbow tables to attack other devices using the same application.
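As an added example (not the thesis's or the application's code), the two PBKDF2 configurations of Table 3.1 in Python, next to the hardened per-device derivation that Sections 2.2.2 and 2.2.3 argue for: with the application's parameters the same PIN yields the same key on every installation, a random per-device salt breaks that reuse, and an iteration count can be tuned by benchmark as the quoted NIST advice suggests. The fixed salt string, the PIN and the benchmark probe are constructed placeholders (the thesis does not disclose the real salt); the WPA1 derivation is checked against the "password"/"IEEE" test vector of the 802.11i standard. Beyond what the text states, it also counts the HMAC calls PBKDF2 actually spends per derivation.

```python
import hashlib
import math
import os
import time

# Table 2.2: PRF HMAC-SHA1, fixed six-character salt, 1024 iterations, 256-bit key.
# The thesis does not disclose the real salt; this value is a constructed placeholder.
APP_FIXED_SALT = b"abcdef"
APP_ITERATIONS = 1024
KEY_LEN = 32                       # 256 bits

# Table 3.1: WPA1 derives the 256-bit PMK with the network SSID as salt and 4096 iterations.
WPA1_ITERATIONS = 4096


def wpa1_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA1 PSK derivation; every network left on the same default SSID shares this salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), WPA1_ITERATIONS, KEY_LEN)


class AppDevice:
    """Derivation as found in the application: salt and iteration count are identical on
    every installation, so the file-encryption key depends on the PIN alone."""

    def derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha1", pin.encode(), APP_FIXED_SALT, APP_ITERATIONS, KEY_LEN)


class HardenedDevice:
    """Per-device random salt of at least eight octets (RFC 2898) and a tunable iteration
    count; the salt would be generated on first run and stored next to the encrypted files."""

    def __init__(self, iterations: int, salt: bytes = b""):
        self.salt = salt or os.urandom(16)
        if len(self.salt) < 8:
            raise ValueError("RFC 2898: the salt should be at least eight octets long")
        self.iterations = iterations

    def derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.iterations, KEY_LEN)


def key_shared_across_devices(pin: str, dev_a, dev_b) -> bool:
    """True when two installations holding the same PIN end up with the same key, which is
    exactly the property that lets one precomputed table of derived keys serve every device."""
    return dev_a.derive(pin) == dev_b.derive(pin)


def hmac_calls_per_derivation(iterations: int, dk_len: int = KEY_LEN, hash_len: int = 20) -> int:
    """PBKDF2 builds the key in blocks of the PRF output size: a 256-bit key from HMAC-SHA1
    (160-bit output) needs two blocks, each costing `iterations` HMAC evaluations."""
    return math.ceil(dk_len / hash_len) * iterations


def pin_space_hmac_calls(pin_digits: int, iterations: int) -> int:
    """One-off work needed to derive a key for every numeric PIN of the given length."""
    return 10 ** pin_digits * hmac_calls_per_derivation(iterations)


def iterations_for_target_delay(target_seconds: float, floor: int = 1000) -> int:
    """The NIST advice quoted in Section 2.2.2, made concrete: benchmark this hardware and
    pick the largest count whose unlock delay users would still accept, never below `floor`."""
    probe = 20_000
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"benchmark-salt!!", probe, KEY_LEN)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(floor, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    pin = "1234"                   # constructed sample PIN
    print("app:      same key on two devices?", key_shared_across_devices(pin, AppDevice(), AppDevice()))
    rounds = iterations_for_target_delay(0.2)
    print("hardened: same key on two devices?",
          key_shared_across_devices(pin, HardenedDevice(rounds), HardenedDevice(rounds)), "at", rounds, "rounds")
    print("HMAC-SHA1 calls to cover every 4-digit PIN at 1024 rounds:", pin_space_hmac_calls(4, APP_ITERATIONS))
    print("WPA1 PMK for passphrase 'password', SSID 'IEEE':", wpa1_pmk("password", "IEEE").hex())
```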


3.3 A distributed attack on WPA1

CoWPAtty [57] is a program that performs offline dictionary attacks against WPA/WPA2 networks that use PSK-based authentication, which is the case with WPA Personal. CoWPAtty's attack can be accelerated if pre-computed Pairwise Master Key (PMK) hashes for the target SSID are provided. These can be produced using genpmk, a script that comes included with the software.

Genpmk receives as input a password dictionary, salts each password with the desired SSID, and generates a file with the hashes of the salted passwords. These hashes can then be provided to CoWPAtty together with the SSID of the target network, and a file containing a capture of the four-way TKIP handshake between one client and the Access Point (AP).

In 2011, a group of students from the University of Colorado published an adapted version of coWPAtty that could speed up the attack on WPA1 by using several nodes to perform distributed look-ups on rainbow tables.[55] They wrote a Java web application, run on the master node, that handled the job submission process and the job queue. This master node was also responsible for starting the worker nodes in the cluster via Secure Shell (SSH), and for dividing the work equally among them.

Due to the similarities between the attacks, and the significant speed-up obtained with distributed lookups, we opted to study and adapt this software to develop our own program to exploit the smartphones' vulnerabilities. Besides the changes needed to adapt the software to the differences in our use of PBKDF2, our worker nodes did not need to perform much of the work that coWPAtty did, such as processing the capture files and the four-way handshake. We also needed our program to perform an additional test, to determine which of the rainbow table entries corresponded to the correct PIN.

After a close examination of the code of the distributed version of the attack, and given the differences between coWPAtty's requirements and our own, we concluded that the best approach would be to write new software for the worker nodes. This new approach would allow us to create cleaner software, easier to debug and fitting our objectives more tightly. However, due to lack of experience working with web applications and the JBoss web application server, especially when considering the additional difficulties of working with distributed computation nodes, the new version of the application took more than the expected time to develop, and presented an excessive number of bugs. To address these issues, we eventually decided not to develop a distributed program, and focused instead on obtaining a non-distributed program that was only loosely based on the original distributed code. This last version was still controlled remotely by another node that offered a web service to start, stop and monitor the worker node.


3.4 Padding Oracle Attack

In cryptography, a padding oracle attack is an attack performed on the padding of messages encrypted with block ciphers. The attack is only possible if the receiver, on failing to decrypt a message because its padding is incorrect, discloses that fact. When this happens, an attacker can gain information about the plaintext by modifying the message and asking the oracle to decrypt it. A successful attack can decrypt the message without knowing the encryption key.

The application under analysis uses the Java Cipher class[2], with the AES/ECB/PKCS5Padding transformation. PKCS5 padding is defined in PKCS 5[?]. To pad a message, this method appends the n bytes required to fill the block, each one containing the value n. An example of this type of padding for 8-byte blocks can be seen in Figure 3.1. With this type of padding, when the size of the message equals the block size, an extra block is appended, filled entirely with padding.

Since AES is a block cipher operating in ECB mode, all blocks ciphered with it may be attacked with this method. The doFinal() method provided by the Cipher class is appropriate to implement an oracle, since it throws a specific exception (BadPaddingException) whenever the decrypted data does not end in a correct padding.

    public final int doFinal(byte[] input,
                             int inputOffset,
                             int inputLen,
                             byte[] output,
                             int outputOffset)
        throws ShortBufferException,
               IllegalBlockSizeException,
               BadPaddingException

Listing 3.1: The Java Cipher class method doFinal(). The BadPaddingException thrown by the method enables the padding oracle attack.

This is the case of the ECB cipher mode used in our application, which requires the message to be encrypted to have a length that is a multiple of 16 bytes. The message can be altered and sent to the oracle, and the oracle replies saying whether the message is well formed. A well-formed message has a correct padding, which makes sense when decrypted. Thus, the last bytes of a message may be changed at will to produce correct paddings, until the attacker has decrypted the whole message, without ever knowing the encryption key. Figures 3.2, 3.3, 3.4 and 3.5 show the decryption of the last two bytes of the message. The process can be repeated until the entire message is decrypted.


Figure 3.1: Example of PKCS5 padding for 3-, 5- and 8-byte messages with an 8-byte block size.

Figure 3.2: Padding oracle attack on the last byte of an 8 byte block, producing an incorrect padding.

Figure 3.3: Padding oracle attack on the last byte of an 8 byte block, producing a correct padding of 0x01.


Figure 3.4: Padding oracle attack on the second-last byte of an 8 byte block, producing an incorrect padding.

Figure 3.5: Padding oracle attack on the second-last byte of an 8 byte block, producing a correct padding of 0x02.

3.5 Results

In order to crack the application's PIN, we attempted to decrypt the IVs found on the SD card with each of the keys present in our pre-generated rainbow tables. To verify whether a key succeeded, we caught the Java exceptions thrown by the doFinal() method shown in Listing 3.1. Whenever a key fails to decrypt the IVs correctly, the method throws a BadPaddingException, meaning that it was given the wrong key. The converse does not hold exactly: a wrong key produces a block that happens to end in valid padding roughly once in 256 attempts (a random last byte of 0x01, plus rarer longer paddings), so a key that passes the padding check has to be confirmed, for instance by decrypting a second, independent ciphertext with it.

The delay introduced by development difficulties and the necessary adaptations to the existing code resulted in insufficient time to complete the program. Therefore, the application built has some stability issues and produces unreliable results. However, the test runs performed showed that the attack could be made with success, and we were able to recover the PINs and to gain full access to the application, demonstrating that the application was unsuitable to provide a secure communication channel.
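As an added example, not part of the thesis or of the analyzed application's code, the following Go program reproduces the mechanics described in the padding oracle section and used in these test runs: a PIN is stretched with 1024 iterations of HMAC-SHA1 (PBKDF2 is assumed as the scheme; the text names only the PRF and the count), the result is used as an AES-128 key in ECB mode with PKCS5 padding, and the padding check that stands in for BadPaddingException is used as the test for candidate keys while walking the PIN space. The salt value, the 16-byte key length, the 4-digit PIN and the sample payload are constructed for the example. It also shows why the padding check alone is not a reliable verdict: about one wrong key in 256 passes it, so each hit is confirmed against a known plaintext prefix.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Iteration count and PRF are the ones reported above; the salt value, the
// 16-byte key and the 4-digit PIN space are assumptions made for this example.
const iterations = 1024

var demoSalt = []byte("salt") // assumed: short, fixed and shared by every device

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, for key lengths up to one
// SHA-1 output (20 bytes), so only block index 1 is needed.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1)
	u := prf.Sum(nil)            // U1 = PRF(P, S || INT(1))
	t := append([]byte{}, u...)  // T1 = U1 xor U2 xor ... xor Uc
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:keyLen]
}

// pkcs5Pad appends n bytes of value n; a full last block gets a whole extra block.
func pkcs5Pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad is the check behind BadPaddingException: last byte n in 1..16, last n bytes all n.
func pkcs5Unpad(buf []byte) ([]byte, error) {
	n := 0
	if len(buf) > 0 {
		n = int(buf[len(buf)-1])
	}
	if len(buf)%aes.BlockSize != 0 || n == 0 || n > aes.BlockSize ||
		!bytes.Equal(buf[len(buf)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return buf[:len(buf)-n], nil
}

// ecb applies the AES block function to each block on its own: no chaining, which is all ECB is.
func ecb(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	op := c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

func pinKey(pin string) []byte { return pbkdf2SHA1([]byte(pin), demoSalt, iterations, 16) }

func encryptWithPin(pin string, msg []byte) []byte { return ecb(pinKey(pin), pkcs5Pad(msg), false) }

// recoverPin walks the PIN space in order, using the padding check as the oracle
// doFinal provides, and stops at the first key that also yields the known plaintext
// prefix. The second test matters: a wrong key still passes the padding check about
// 1 time in 256 (a random last byte of 0x01). Returns the PIN and the number of hits.
func recoverPin(ct, knownPrefix []byte) (pin string, passedPadding int) {
	for i := 0; i < 10000; i++ {
		cand := fmt.Sprintf("%04d", i)
		pt, err := pkcs5Unpad(ecb(pinKey(cand), ct, true))
		if err != nil {
			continue // BadPaddingException: wrong key (almost always)
		}
		passedPadding++
		if bytes.HasPrefix(pt, knownPrefix) {
			return cand, passedPadding
		}
	}
	return "", passedPadding
}

func main() {
	msg := []byte("IV:0123456789abcdef") // constructed payload with a known "IV:" prefix
	pin, hits := recoverPin(encryptWithPin("0731", msg), []byte("IV:"))
	fmt.Printf("recovered PIN %q; %d candidate keys passed the padding check\n", pin, hits)
}
```

The run takes well under a second for a 4-digit PIN even at 1024 iterations, which is the point of Section 3.6: the iteration count is the only parameter that makes each candidate expensive, and the fixed salt lets the whole table be reused for every device.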

3.6 Possible improvements

To increase the security of the application, we suggest a larger iteration count for the HMAC-SHA1 key derivation. A popular current application of iterated HMAC-SHA1 is in WPA1, where the iteration count is 4096. To make pre-computed hash tables more expensive to build, it would be advisable to use many more than the present 1024 iterations of HMAC-SHA1 to derive the AES encryption key, especially considering the level of security that the application intends to achieve. The cost is paid once per unlock by the legitimate user but once per candidate PIN by the attacker, so the count should be set as high as the device tolerates.

The choice of salt should also be revised. The salt should be longer and generated randomly, and it should be different for each device, so that each device requires its own set of rainbow tables to be computed for a successful attack. This is especially relevant if we consider that PINs are usually very short, between 4 and 6 characters, and formed exclusively by digits. A salt stored on the device does not add secret entropy, since an attacker who has the device also has the salt: the 10^4 to 10^6 possible PINs can still be tried directly, and a short, fixed salt lets that work be done once for every device. What a long, per-device salt buys is that the work cannot be shared or pre-computed; only the iteration count makes each attempt expensive.

The operation mode for AES requires additional consideration, since ECB is too simple and easily attacked: identical plaintext blocks produce identical ciphertext blocks, and any block can be cut, reordered or replayed. To avoid padding oracle attacks on the ciphertext, AES should be used with an operation mode that lets it work as a stream cipher, such as CTR, or replaced with a stream cipher. Removing the padding is not sufficient on its own, however: a stream mode without an integrity check is malleable, so the ciphertext should also be authenticated, either with an authenticated mode such as AES-GCM or with a MAC computed over the ciphertext and verified before decryption.
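As an added example, not from the thesis or the application, the following Go program contrasts the two directions suggested here using only the standard library: AES in CTR mode removes the padding and with it the padding oracle, but a flipped ciphertext byte silently flips the same plaintext byte; AES-GCM authenticates the ciphertext, so the same tampering is rejected before any plaintext is released. It also generates the kind of per-device random salt recommended above. The key, IV, nonce and message in main are constructed values; in the application the key would come from the PIN derivation with the larger iteration count.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newSalt returns a fresh 16-byte random salt. It is generated once per device
// and stored beside the ciphertext; it is not secret, its job is to make a
// table computed for one device worthless for every other device.
func newSalt() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt
}

func blockCipher(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ctrXOR is AES in CTR mode, a stream mode: no padding, so nothing for a
// padding oracle to answer, but also no integrity check of any kind. The same
// call encrypts and decrypts.
func ctrXOR(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(blockCipher(key), iv).XORKeyStream(out, in)
	return out
}

// ctrTamper flips byte i of a CTR ciphertext and decrypts it: the same byte of
// the plaintext flips and the receiver has no way to notice. Dropping the
// padding removed one oracle but left the ciphertext fully malleable.
func ctrTamper(key, iv, ct []byte, i int, delta byte) []byte {
	t := append([]byte{}, ct...)
	t[i] ^= delta
	return ctrXOR(key, iv, t)
}

func gcm(key []byte) cipher.AEAD {
	aead, err := cipher.NewGCM(blockCipher(key))
	if err != nil {
		panic(err)
	}
	return aead
}

// gcmSeal encrypts msg and authenticates both it and the cleartext header aad.
// The 12-byte nonce must never repeat under one key; random nonces are fine as
// long as far fewer than 2^32 messages are encrypted under the same key.
func gcmSeal(key, nonce, msg, aad []byte) []byte {
	return gcm(key).Seal(nil, nonce, msg, aad)
}

// gcmOpen fails closed: any change to nonce, ciphertext, tag or header is
// rejected before a single byte of plaintext is released, so an attacker gets
// nothing finer than "authentication failed".
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	return gcm(key).Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed demo key, IV and message; in the application the key would
	// come from the PIN derivation with the larger iteration count and salt.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	msg := []byte("attack at dawn")
	fmt.Printf("CTR, one ciphertext byte flipped: %q\n", ctrTamper(key, iv, ctrXOR(key, iv, msg), 0, 0x20))

	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sealed := gcmSeal(key, nonce, msg, []byte("v1"))
	sealed[0] ^= 0x20
	_, err := gcmOpen(key, nonce, sealed, []byte("v1"))
	fmt.Printf("GCM, same flip: %v\nper-device salt: %x\n", err, newSalt())
}
```

Including a version or format header as associated data is what lets the receiver reject a ciphertext that was produced under a different message layout, which is the other thing the ECB construction cannot do.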

To ensure the correctness of the code in such a critical application, the code should be reviewed and audited prior to launching the application commercially. The potential buyer should also consider creating a set of standards that the developers must follow to ensure their product has an adequate level of quality and can work with the required level of security.


Chapter 4

Privacy in hostile environments

Throughout this work, we will define the right to privacy as the “right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.”[52] In the present chapter, we will review the evolution of this concept from the late 19th century to the present day, following court cases that challenged the legality of certain methods of information gathering while pursuing an elusive definition of the right to privacy. We will show how such cases are closely related to the use of new technology, and how the inability to understand the growing complexity of that technology hinders the ability of the law to protect citizens from abuse.

4.1 The right to be let alone

The history of privacy as a human right is intimately connected with the history of technology. Before the advent of the printing press, breaches of privacy were very limited, since news did not propagate further than what was strictly necessary, and records, official and otherwise, were rare and hard to access.

The first publication to advocate privacy as a right was written by Samuel Warren and Louis Brandeis, and published in 1890. Their main concern was that the laws in place did not account for technological advancements like instantaneous photography, and that those advancements, coupled with the widespread circulation of newspapers, had opened a new market for "idle gossip, which can only be procured by intrusion upon the domestic circle". In their article they examine concepts already present in the law, such as libel, slander, breach of confidence and intellectual property, only to conclude that they do not adequately cover the harm that comes to the individual when facts of his private sphere come under the scrutiny of the public eye. They go on to argue that there was a principle in the existing law that afforded what they called the "right to be let alone". [56]


In 1928, Brandeis was a justice on the Supreme Court and expressed a dissenting opinion in Olmstead v. United States[4], a court case that became famous as the first USA Government prosecution based on wiretapping. Although the defendant, accused of running a huge "bootlegging" network, pleaded the 4th and 5th Amendments (see footnote 1), the government considered that there was no similarity between this new telephone technology and written mail. Furthermore, the wiretapping had been done in boxes on the street, in the neighborhood where the defendant lived, thereby excluding any possibility that the information gathered had been obtained outside the existing laws concerning the gathering of proof. Brandeis argued that the 4th and 5th Amendments were created to protect citizens from force and violence, which were at the time the only means by which the government could compel self-incrimination. However, technological advancements had allowed the government to change to more subtle methods that nevertheless endangered citizens' rights. He questioned whether the constitution grants any protection against such abuses and concluded that it does. He reasoned that the 4th and 5th Amendments are broad in scope, as the constitution aims to protect Americans from intrusion of the Government in their private lives, and that to protect the right to be let alone, "every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment". He went on to expose the fact that the use of evidence obtained illegally (wiretapping was a crime under the law of Washington), and through infringement of such a fundamental right, was a violation of the 5th Amendment.

The ruling in Olmstead v. United States was eventually overturned by another case, Katz v. United States[3], in 1967. This case established that immaterial intrusion with the aid of technology, such as wiretapping, constitutes a search, and as such is covered by the rules for reasonable search and seizure. It also extended the scope of the 4th Amendment to all the places where an individual has a "reasonable expectation of privacy". Justice Harlan gave a concurring opinion in which he established what became known as Harlan's test. This test holds that there is a right to privacy whenever the individual exhibits an expectation of privacy, and society recognizes that expectation to be reasonable.

In “First Principles of Communications Privacy”, author Susan Freiwald states her belief that “difficulty with the reasonable expectation of privacy test has led courts to avoid using it to resolve the constitutional status of modern communications technologies. But the answer cannot be to withhold constitutional protection from electronic communications, as courts do when they fail to act. (...) If courts do not establish constitutional protections for the electronic communications that are now central to our lives and work, then we will have accorded law enforcement surveillance powers of Orwellian magnitude.”[49]

Footnote 1: The 4th Amendment to the United States Constitution protects the right to be secure against unreasonable searches and seizures. The 5th Amendment protects, among others, the right to due process. A process is not due process if it conflicts with any of the provisions of the constitution, or if it "offends some principle of justice so rooted in the traditions and conscience of our people as to be ranked as fundamental". [Snyder v. Massachusetts, 291 U.S. 97, 105 (1934) https://supreme.justia.com/cases/federal/us/291/97/case.html#105]

4.2 Mass surveillance

In Europe, the presumption of innocence is a right protected by the Universal Declaration of Human Rights and by the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe. Formally, presumption of innocence means that the burden of proof is on the accuser, not on the defendant. Today, this right is being infringed upon in important ways, mostly through mass surveillance and the illegal seizure of personal information.

If we look hard enough at an individual citizen, it is very likely that he broke the law in some way, knowingly or unknowingly, but not with criminal intent. In most countries where presumption of innocence is considered a right, prosecuting a citizen requires a strong suspicion, followed by the gathering of proof. Depending on the nature of the proof and the strength of the accusation, a judge may have to authorize such gathering. In countries with mass surveillance, however, every citizen is treated as a possible suspect, and evidence collection is permanent and unfiltered. It is possible for the authorities in such a country to single out an individual and check his records for activity that can be used to initiate prosecution. The analysis of this information can even be automated, so that the prosecution may start without human intervention or judgment.

Although frowned upon in liberal democracies, mechanisms of mass surveillance have been tolerated, and sometimes accepted, by the public as a necessary evil. However, no western government has been able to produce evidence of the necessity of such programs, despite the pressure to do so. The popular claim recently made by the USA that 54 terrorist attacks had been stopped by their contested mass surveillance program was found untrue by two independent White House reviews of the relevant classified data.[45][31]

Paired with this fact, the disclosure of classified information about secret programs developed in the USA and Europe has shown the depth to which the lives of innocent citizens are being scrutinized and intruded upon by these ruthless mechanisms of bulk data collection.

The ubiquity of electronic personal devices, many of them with significant storage capacity, adds to the problem, since the amount of personal and private information that can currently be seized in the event of a legitimate body search is enormous. Because these devices have only recently become widely available, their seizure, together with the data they contain, is not bounded by law. This allows the authorities to apprehend cellphones, hand-held GPS units, digital storage devices, and cards containing biometric data, most notably

The possibilities created by the massive collection of this sort of data are very relevant to the health of democracy in western states, but they become particularly dangerous if a government or a law enforcement agency chooses to abandon the principles that it is expected to follow, a situation not altogether uncommon in very recent or unstable democracies, in dictatorships or in police states.

4.3 Privacy and technology

Throughout the history of privacy, two facts stand out. One is that there is an omnipresent temptation for political, economic or military powers to exploit the lack of privacy regulation for profit or for legal advantage; the other is that the lack of regulation protecting privacy is always present when new technologies emerge.

In the late years of the past century and through the past decade, technology surfaced and became widely available at a pace that had not been seen before. Internet access has led a significant layer of the population to rely heavily on online services, putting a huge amount of trust in the availability and integrity of those services and their underlying technology.

Due both to the popularity and ubiquitous need for Internet access, a vast array of terminals have been developed, as diverse as smartphones, tablets or wristwatches. In general, they are so complex that their core is opaque to most users, even to those that know in detail one of its many components.

Although they could have done otherwise, and perhaps to their own benefit, companies and brands have made no effort to create and adopt clear standards, or to educate users. Obscure concepts such as "Cloud Services" or the "Internet of Things" lead the public to wrongly infer that the complex, intermediary-ridden network their data and metadata has to cross is a simple, vague and secure place that they need not know or care about. With no incentive to learn and no perception of the increasing gap between user and device, the population in general is acquiring no significant knowledge of the inner workings of services, the hardware they use, or the channels they use to reach them.

To combat this, there has to be a significant investment in educating users, and in establishing rules for transparency in the design of software and hardware that needs to be trusted. New technologies will have to be created according to a principle of “privacy by design”.


Chapter 5

Easy to use Privacy: C3Priv

As public awareness of online privacy and data security increases, there is also an increasing need to provide adequate tools for enhancing safety in the use of networks and terminals. To address this issue, a project was developed in the context of the present work, in conjunction with the C3P from Universidade do Porto (UP) and the Comissão Nacional de Protecção de Dados (CNPD). The project, named C3Priv, aims to develop a tool that returns to the user the ability to take control over his own privacy. In the following chapter we describe the challenges faced while designing a solution, and how we overcame them.

5.1 Guiding premises

C3Priv starts with the premise that the biggest risks for users arise from the lack of control they have over the software they use. Browsers, websites and applications frequently store personal data and sensitive information without the awareness or permission of the user. When this occurs in an uncontrolled environment the risk multiplies, and it is almost certain that the privacy, and even the safety, of the user is compromised.

Our goal is to allow users to reduce their "online footprint", giving them a safer online experience independently of their computer know-how and their ability to correctly configure complex software. Organizations and projects like the Electronic Frontier Foundation[14], the Open Rights Group[5], the American Civil Liberties Union[42] or the TOR Project[36] exist, but they aim at educating users, at appealing to major websites and companies to become accountable and ethical in their data collection, at covering anonymity needs, or at pushing for stricter rules to regulate abusive data collection. Unlike these projects, C3Priv starts with the conservative view that every computer used and every site visited is hostile unless the user explicitly says otherwise. We shift the focus to the user, giving him the responsibility and the choice to protect himself.

In order to ensure that users will adhere to this new paradigm of taking control over their own "online footprint", any solution has to do more than give them the tools to keep them safe. We therefore opted for a design directed towards solving the users' needs, offering them applications that are easy to use, with a gentle learning curve, and that ultimately address their day-to-day needs with no additional burden.

Ultimately, the purpose of C3Priv is to return control to the user, allowing him to choose what he sees, when he sees it, what he keeps to the future, who can track him, and for how long.

5.2 Privac y By Default

Observing users' needs, a common challenge seems to be keeping files and configurations synchronized between computers. Between the workplace and home, users often need to copy files and bookmarks to keep them updated, or to write down passwords in order to use the same services from everywhere. These procedures are both cumbersome and risky. Recent files may be overwritten by older versions, and passwords and documents may be misplaced, lost or even captured by a hostile party.

Although there is a growing concern of the public and the media over security topics, close observation also shows that a large base of concerned users is not computer savvy, and is unable both to choose appropriate software and to correctly configure it on their own. Software that is wrongly configured or obtained online from dubious sources can be as dangerous as, or more dangerous than, having no protection at all.

From these observations, it becomes clear that a useful solution has to integrate software equal or very similar to the one the user already works with, in a format that he can carry with him. This solution must also be bundled in a way that allows for easy deployment, and must be usable with default configurations by users with very little computer experience.

5.3 Recognizing Limits

When building a solution that is, ultimately, a “best effort” approach to protect users, it is crucial to identify threats, and to establish limits beyond our ability to counteract.

Without considering the good sense and the computer literacy of the user, the protection we can afford will ultimately depend on the scope and the power of the intercepting party, which we will call adversary.

It is a well-known rule of cybersecurity that no system is secure unless it is offline and physically isolated. To us, this means there are concerns we must choose to leave behind. Chief among them is the possibility of the physical capture of data or storage devices, by legal means or by force, as well as the coercion of the user to reveal whichever data he aims to keep secret. At best, this could be approached by building a system that supports plausible deniability. However, besides the increased complexity of the design constraints, such a mechanism could be a hindrance to the common user unless seamlessly done, and is likely beyond the needs of the targeted audience.

When talking about securing data that traverses a network, it is also important to establish who owns that network, and the level of control the owners have over it. An adversary that owns both ends, or a sufficiently large number of nodes in the network, will be able to time connections and gather large amounts of information. This may allow him to correlate separate communications, possibly identifying users and patterns of behavior, and to link together different sessions of the same user, both in the same and in different services. Among many other things, with control of middle nodes the adversary can manipulate or redirect the connection, conducting effective phishing or man-in-the-middle attacks. This situation becomes especially severe if the adversary also controls a certificate authority trusted by the victim's browser, allowing him to issue certificates that make false connections look secure and to hijack encrypted communications without any warning. Ultimately, a powerful adversary could in extreme cases block all HTTPS traffic, so that the remaining communications could be intercepted unencrypted, or even block all communication. Actual examples of these occurrences were seen in countries such as Syria, Iran and China, where the victims ranged from activists to journalists to civilians opposed to the regime. For the time being, and to limit the complexity of the project, these groups of users will be left out of our target public.

5.4 Proposed Solution

With these considerations in mind, we are able to narrow down a group of users that is more likely to benefit from a solution such as C3Priv. These are users that have little computer literacy but use computers and the Internet on a day-to-day basis. To give these users a Swiss army knife of applications they can recognize and actively use both at home and in less secure environments, PortableApps was chosen as the base for the software bundle. As stated on their website, PortableApps is a fully open source and free platform that works on any portable storage device, and can be installed and run locally.

With millions of users worldwide, and online since 2004, PortableApps has established itself as a trusted platform, and has a large collection of open-source, freeware and commercial software easily available. PortableApps is highly customizable and flexible, allowing the user to pick from a vast array of portable applications in a built-in store, which can be regularly updated with no more than a click. A set of customizable menus can be organized in the most convenient way, and the application can be configured to run selected portable apps every time the menu opens.

Portable applications have the functionality of the installed versions, but were adapted so that all files and data needed by the program are kept in sub-folders of the program's main folder. The PortableApps software can be installed on a portable device, such as a USB pen-drive, together with the selected applications. When the user plugs the pen-drive into any Personal Computer (PC), he can use those applications without having to install them locally.

Figure 5.1: PortableApps menu

All the files are saved to the drive, instead of the PC. Therefore, the user always has with him the files he needs, as well as his usual programs, configured according to his preferences and needs. From a privacy-preserving point of view, this solution has the significant advantage of reducing to the minimum necessary the information left on the PC used, reducing the risk of the user inadvertently leaving private data in the wrong hands.

Together with this software, the C3Priv bundle also includes two browsers: one with add-ons specifically chosen for enhanced privacy and security, and another, the TOR Project bundle, which addresses user anonymity and is left unaltered. Encryption software is also included, together with an encrypted folder that can be used as a "safe" for important files. The full contents of the C3Priv bundle, already installed on a USB pen-drive, can be seen below.

Figure 5.2: Contents of a USB pen-drive with C3Priv already installed

5.5 Advantages of Open Source

Besides PortableApps itself being open-source, all programs selected to be in the C3Priv bundle by default are open source.

Compared to freeware or paid proprietary software, whose source code is not disclosed, the code of open source software is readily available, and can be read and analyzed by any user who wishes to do so. Due to the popularity and widespread use of these particular applications, the source code is reviewed by a large number of people from all over the world. This gives us greater trust in the software we include in the bundle, since it is unlikely that a purposely placed exploit or "back-door" would pass unnoticed by so many independent and diversely motivated users. Availability of the source is not in itself a guarantee that anyone has reviewed it, however, so the bundle must also track upstream security releases and be rebuilt when they are published.

5.6 Selected Applications

C3Priv contains a small set of applications selected for their usefulness to the majority of our target users. This includes office software to edit documents and spreadsheets, an audio player, an anti-virus, an application to compress and decompress files, an image editor, an e-mail client, programs for secure remote access, an instant messaging client, and a browser. Users can add software they find useful through the PortableApps available software menu, including proprietary software, if they choose to. A full list of the software included is present in Annex A.

5.7 Selected Browser Add-ons

Add-ons are small pieces of optional software that extend a program's functionality. To address privacy and online safety concerns we included in the Firefox browser present in C3Priv a set of relevant add-ons, already configured to offer maximum protection. This includes a vast array of add-ons that range from blocking online tracking, cookies, dangerous scripts, flash animations, pop-ups or invasive advertisement, to verifying a secure connection or a website's reputation. A full list of the add-ons included is present in Annex B.

5.8 Observations and Results

The first public release of C3Priv happened on the 11th of February 2014, in celebration of Safer Internet Day, through the CNPD website[11]. Since then, it has been available for download on its own webpage[9]. It received a significant amount of attention from the press, and the C3Priv bundle available online had over 8,000 downloads during the first month. We retained some of the downloads' metadata, in order to map the geographical areas that showed interest in C3Priv. As the maps displayed below show, the vast majority of downloads came from Portugal. After Portugal, the largest number of downloads in Europe came from France and from the United Kingdom. Some interesting results show a large number of downloads in areas such as Brazil (in particular in the north and on the western frontier with Bolivia), Morocco, Angola, and South Korea.

The large number of downloads from Brazil and Angola may be a result of the shared cultural and linguistic legacy, and possibly of the significant presence of Portuguese citizens living in those countries. Downloads from South Korea and Morocco are, however, harder to explain, and may be related to the awareness about privacy and freedom of speech that the recent political turmoil both in North African countries and in North Korea has created. Unfortunately, there is not enough data to allow us to draw further conclusions. Mechanisms for retrieving more information can be found in the proposals for future work.

Figure 5.3: Volume of C3Priv downloads from February 2014 to October 2014

Figure 5.5: C3Priv download distribution in Europe

5.9 Future

During the creation of C3Priv and the analysis of results, we perceived a large space for improvement in the existing technologies that address user privacy and security. The interest demonstrated by the public in our project, both through the press and through the individual C3Priv downloads, leads us to believe that the development and evolution of C3Priv must continue. The lines of work that appear particularly relevant for the time being are explained below.

5.9.1 Creating an indistinguishable online identity

Research has shown that the use of specific options to avoid online tracking and protect user data may actually make the user more visible to an observer looking for distinguishing profiles. In fact, to be anonymous in a crowd, the user has to mingle with it, becoming unidentifiable within that anonymity set. This can only be done when a significant number of individuals in the crowd have very similar profiles. To this end, using a large number of security plug-ins, or disabling common features of the browser, such as Javascript or Flash, can have a detrimental effect for the user.[53][48]

Although C3Priv could create an anonymity set on its own, making all of its users indistinguishable from each other, our users are not numerous enough to achieve that at this point. Therefore, a useful approach would be to keep updated records of the most common browser settings, and apply them to the C3Priv browser automatically. Since this extra anonymity could come at the cost of a level of privacy or protection, each configuration would have to be carefully evaluated to assess its impact. A possible solution to this dilemma would be to provide different bundles, allowing the user to choose the one he finds most adequate to address his needs. These bundles should then be tested for uniqueness using tools such as Panopticlick, a website created by the Electronic Frontier Foundation to evaluate how unique a given browser fingerprint is.[28]
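As an added example, not part of C3Priv, the Go program below makes the anonymity-set argument concrete with Panopticlick's measure: the identifying information of a fingerprint is -log2 of the share of the population that shares it. The population, the attribute set and the add-on names are constructed for the example; the point it shows is that the hardened profile, alone in its set, is the easiest one to follow across sites, while a stock profile carries well under one bit.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// fingerprint holds a few of the attributes a page can observe. The attribute
// set and the population below are constructed for this example.
type fingerprint struct {
	userAgent string
	screen    string
	jsEnabled bool
	addons    []string // add-ons a page can detect, e.g. from blocked requests
}

// key canonicalises a fingerprint so that identical profiles compare equal
// whatever the order in which add-ons were listed.
func (f fingerprint) key() string {
	a := append([]string{}, f.addons...)
	sort.Strings(a)
	return fmt.Sprintf("%s|%s|js=%t|%s", f.userAgent, f.screen, f.jsEnabled, strings.Join(a, ","))
}

// anonymitySets counts how many members of pop share each fingerprint.
func anonymitySets(pop []fingerprint) map[string]int {
	sets := map[string]int{}
	for _, f := range pop {
		sets[f.key()]++
	}
	return sets
}

// surprisal is the identifying information of f within pop, in bits:
// -log2(share of the population with f's fingerprint). 0 bits means everyone
// looks like f; log2(len(pop)) bits means f is alone in its anonymity set.
func surprisal(pop []fingerprint, f fingerprint) float64 {
	n := anonymitySets(pop)[f.key()]
	if n == 0 { // f is not in pop: it would form a set of one if it joined
		return math.Log2(float64(len(pop) + 1))
	}
	return -math.Log2(float64(n) / float64(len(pop)))
}

func repeat(f fingerprint, n int) []fingerprint {
	out := make([]fingerprint, n)
	for i := range out {
		out[i] = f
	}
	return out
}

// demoPopulation is a constructed crowd: 60 stock browsers, 30 of a second
// common profile, and one hardened profile with scripting off and a long,
// privacy-oriented add-on list.
func demoPopulation() (pop []fingerprint, stock, hardened fingerprint) {
	stock = fingerprint{"Firefox/35 Windows", "1920x1080", true, nil}
	other := fingerprint{"Chrome/40 Windows", "1366x768", true, nil}
	hardened = fingerprint{"Firefox/35 Windows", "1920x1080", false,
		[]string{"NoScript", "Ghostery", "HTTPS Everywhere", "Adblock Plus", "BetterPrivacy", "RequestPolicy"}}
	pop = append(pop, repeat(stock, 60)...)
	pop = append(pop, repeat(other, 30)...)
	pop = append(pop, hardened)
	return pop, stock, hardened
}

func main() {
	pop, stock, hardened := demoPopulation()
	sets := anonymitySets(pop)
	fmt.Printf("stock profile:    %.2f bits, shares a set of %d\n", surprisal(pop, stock), sets[stock.key()])
	fmt.Printf("hardened profile: %.2f bits, set of %d: unique, so trackable across sites\n",
		surprisal(pop, hardened), sets[hardened.key()])
}
```

The same computation, run over the most common settings recorded from real traffic instead of this constructed crowd, is what would tell which of several candidate C3Priv bundles blends in best before it ships.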

5.9.2 Surveying users' needs

To establish the needs of users and their level of satisfaction with C3Priv, a small survey could be done on the website, or a feedback tool could be included in the software. This would allow users to express their preferences about the usability of C3Priv, the applications they wish to see included in future editions, and possible problems and bugs they may encounter during use.


Chapter 6

Conclusion

During this thesis we examined several scenarios where privacy, anonymity or secrecy are needed in communications but difficult to achieve. We researched existing solutions to mitigate the difficulty of controlling and securing a working environment for entities with different needs and motivations, from the exchange of classified information by government officials to the need for privacy of the common citizen.

In the realm of classified communications, together with the C3P team, we examined a commercially available mobile application for design flaws. We described the flaws found and detailed how they could be exploited, showing that the communications done through the application were not secure. We implemented software to exploit one of those design flaws. However, due to problems with the initial solution of adapting an existing program, we had to develop new software for our distributed worker nodes. The problems found delayed the implementation of the software, resulting in an unstable program that still needs debugging and testing before it can produce reliable results.

The generalization of our observations about the examined application to other similar apps is limited by the lack of an exhaustive analysis of commercial software for secure communications. However, the fact that such critical design flaws were found in an application meant for secure communications at the highest level makes us reasonably suspicious that applications with the same, or higher, level of oversight may be available commercially, especially among those marketed for secure communications for businesses or individuals. Our findings prove alarming enough to call for more caution and stricter rules in the selection of software for secure communications, and underline the need for rigorous security audits when high levels of security are required.

In the field of online privacy, the focus of this work was the everyday activity of a common individual. We started by studying the evolution of the concept of privacy and the way it has been infringed upon with the aid of new technology, from the dissemination of street photography to bulk data collection. We have shown that the discussion on the concept of privacy and the need to frame it in legal terms has remained a subject of debate to the present day. With courts avoiding the application of Harlan's test, both due to the difficulty of assessing the public's expectations towards privacy and to the complexity of the technology involved in current methods of information gathering, we concluded that there is an urgent need to provide a clear and resilient definition of privacy, together with a set of rules and guidelines that can effectively protect citizens from the threats of existing and future technology. [49]

In parallel with the struggle to create mechanisms to protect citizens, we searched for a solution to the lack of control that users experience over their online footprint. We developed C3Priv, a solution that returns a measure of control to users by allowing them to use computers they do not trust without leaving any significant information behind. The tool includes a version of the popular Firefox browser, customized to minimize as much as possible the information that is collected by websites during regular Internet use. By tracking the number of downloads of C3Priv and their distribution throughout the globe, we were able to verify that interest in the tool spreads beyond Portuguese-speaking countries, indicating that internationalizing the tool may be a possible direction for future development. Other future improvements can be made as the weaknesses identified in the tool are addressed and fixed.

In the research done for the present work, it became evident that the average computer or smartphone user, or the average netizen, is vulnerable to the technology they do not understand. Because users in this group are very numerous, and the most vulnerable to scams and online attacks, we believe that the most important achievement of this work was the creation of a tool that takes the burden of correct configuration and deep technological knowledge off the user. Although there is ample room for improvement, C3Priv is a unique tool, and it is ready to fulfill its purpose, contributing towards a user experience that is safe by default.


Annex A - Portable Applications

7-Zip: This application is a popular file compressor. It allows the creation of archives in the following compression formats: 7z, ZIP, GZIP, BZIP2, TAR, RAR, among others. [1]

ClamWin: This application is a free anti-virus for Microsoft Windows. It boasts high levels of detection of viruses and spyware and is constantly being updated. The portable version does not allow automatic updates, and file verification must be started manually by the user. [10]

Evince: Evince is a PDF, DJVU, TIFF and DVI reader. More information at: [15]

GIMP: The GNU Image Manipulation Program is a complete image editor. It contains all the basic functionality of an image editor, and offers advanced users tools for professional photo editing or illustration creation. [21]

KeePass: This application is a password manager that allows users to store all of their passwords securely. The passwords are stored in and retrieved from an encrypted database. The user only needs to remember one password, which works as a master key granting access to the full database. [22]

KiTTY: This is a Telnet and SSH client for Windows that allows secure connections to remote systems. [23]

LibreOffice: This is an office suite with full compatibility with the Microsoft products and others (Lotus, WordPerfect and similar apps). [24]

MicroSIP: This application allows the user to make high-quality VoIP calls using the SIP protocol. [25]

Mozilla Firefox: This is one of the best-known web browsers, boasting several security enhancements that protect the privacy of its users. The portable version does not leave any personal information on the computer that is used, allowing complete privacy. [16]

Mozilla Thunderbird: The Mozilla Thunderbird application is an electronic mail client that is secure and easy to use. It supports IMAP/POP and RSS. The portable version leaves no trace on the computer where it is used, allowing the transportation of and secure access to e-mails and contacts. [34]


OpenVPN: This application allows the creation of connections through encrypted tunnels, allowing access to remote resources in a secure manner. [27]

Pidgin Portable: This is an application that allows the exchange of instant messages. It has support for the protocols used by AOL, ICQ, MSN, Yahoo, among others. All the settings and contacts are private and no information is retained on the machine used. The available plugins can be easily added to allow for message encryption. [30]

Songbird: This is an audio player with MP3, FLAC, Vorbis, and WMA support. [33]

VLC: This is a multimedia player that supports several video and audio formats. [38]

WinSCP: This application is an SFTP and FTP client for Windows and allows a secure way to copy files between a remote location and the local machine. [40]

WinWGET: This application is a download manager based on wget. [41]

Tor Bundle: This package includes a modified Firefox version to use with the Tor network,
