Tuesday, March 12, 2019

AES vs DES overhead

AES and DES are two well-known symmetric block ciphers.

All variants of AES use a 128-bit block, which is 16 bytes, not 16 bits. In a block mode such as CBC, whatever you encrypt is padded out to a multiple of that block size (openssl applies PKCS#7 padding), and an input that is already a block multiple still gains a full padding block. With a padded block mode this overhead cannot be avoided.

Using the unix dd and openssl tools we can witness this behavior in a simple demo.

I've crafted 4 files, named simply 1byte, 2byte, 15byte and 16byte.


e.g.

   dd if=/dev/random of=./1byte bs=1 count=1 
   dd if=/dev/random of=./2byte bs=2 count=1    
   dd if=/dev/random of=./15byte bs=15 count=1 
   dd if=/dev/random of=./16byte bs=16 count=1 

We also used openssl with AES and then DES for encryption, and finally two other CBC ciphers (CAST5 and IDEA, below).


e.g.

  openssl  des-cbc -in 1byte -out 1byte.des
  openssl  aes-128-cbc -in 2byte -out 2byte.aes

Take notice of the resulting file sizes. Because these commands are given a password rather than a raw key, openssl also writes a 16-byte "Salted__" header (8 bytes of magic plus an 8-byte salt) in front of the padded ciphertext, so the 1byte file comes out as 32 bytes with aes-128-cbc (16-byte header + one 16-byte block) and 24 bytes with des-cbc (16-byte header + one 8-byte block).





And to confuse you even more, some ciphers use a smaller block size. Take the same 1, 2, 15 and 16 byte files and encrypt them with CAST5 and IDEA (openssl cast5-cbc and idea-cbc). These, like DES, use a 64-bit (8-byte) block, so their padded output grows in multiples of 8 rather than 16.



So remember that any block cipher run in a padded mode such as CBC adds some overhead for the padding (between 1 byte and a full block), and that openssl's salted password format adds another 16 bytes on top of that.
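The arithmetic behind the file sizes above, as an added example that is not part of the original post: a PKCS#7 pad/unpad pair and a helper that predicts the size of an `openssl enc` CBC output (padded plaintext plus the 16-byte Salted__ header). The block sizes and header length are the real ones; the sample lengths 1, 2, 15 and 16 mirror the dd files from the post.

```python
# Added example (not from the original post): PKCS#7 padding arithmetic for
# CBC-mode block ciphers, which is what `openssl aes-128-cbc` / `openssl des-cbc`
# apply by default. Shows why a 1-byte input becomes a full block and a 16-byte
# input becomes 32 bytes under AES but 24 bytes under an 8-byte-block cipher.

AES_BLOCK = 16            # every AES variant: 128-bit block
DES_BLOCK = 8             # DES, 3DES, CAST5, IDEA: 64-bit block
OPENSSL_SALT_HEADER = 16  # "Salted__" magic (8 bytes) + 8-byte salt that
                          # `openssl enc` writes when given a password


def pkcs7_pad(data: bytes, block_size: int) -> bytes:
    """Pad to a multiple of block_size. Always adds at least one byte, so an
    input that is already block-aligned gains a whole extra block."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be 1..255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block_size: int) -> bytes:
    """Strip padding, rejecting anything malformed (length, pad value, pad bytes)."""
    if not padded or len(padded) % block_size:
        raise ValueError("ciphertext length is not a block multiple")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def cbc_output_size(plaintext_len: int, block_size: int, salted: bool = True) -> int:
    """Size of the file `openssl enc` writes for a CBC cipher: padded plaintext
    plus the Salted__ header when password-based encryption is used."""
    padded = (plaintext_len // block_size + 1) * block_size
    return padded + (OPENSSL_SALT_HEADER if salted else 0)


def overhead_table(lengths, block_size, salted=True):
    """Map plaintext length -> (output bytes, bytes of overhead)."""
    return {n: (cbc_output_size(n, block_size, salted),
                cbc_output_size(n, block_size, salted) - n) for n in lengths}


if __name__ == "__main__":
    for name, bs in (("aes-128-cbc", AES_BLOCK),
                     ("des-cbc / cast5-cbc / idea-cbc", DES_BLOCK)):
        print(name)
        for n, (out, extra) in overhead_table([1, 2, 15, 16], bs).items():
            print(f"  {n:2d}-byte input -> {out:2d}-byte file ({extra} bytes overhead)")
    # round-trip sanity check
    assert pkcs7_unpad(pkcs7_pad(b"\x01", AES_BLOCK), AES_BLOCK) == b"\x01"
```

Pass `salted=False` to `cbc_output_size` to get the size you would see with `-nosalt` or a raw `-K/-iv` key, which is the padded ciphertext alone.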




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Friday, March 8, 2019

GEOIP location tool and API

This GeoIP site has a simple API interface that you can use for GeoIP data and as a help when analyzing your traffic flows.

     https://ipgeolocation.io/blog

We've used this in the SOC and during incident investigations to gather data on possible attackers and where/who they are coming from. You can easily take firewall traffic logs from any device that does not carry GeoIP information in its logs and loop the addresses through an API call to find the details.

Here's a simple demo from my own account.


The dashboard provides your API key and basic details on usage. You can reset the API key and copy out the new one. If the API key is bad you will receive an HTTP response indicating so.





Now here's an example running this through a predefined IPv4 list (the file cc_list, one address per line) and extracting the country TLD and organization:


bash:

  for p in $(cat cc_list); do
    curl -H "Accept: application/xml" "https://api.ipgeolocation.io/ipgeo?apiKey=<yourkeyhere>&ip=$p&fields=country_tld,organization"
  done

(Leave TLS verification on; there is no reason to pass -k to a public API that presents a valid certificate, and doing so lets anyone on the path read or replace your API key.)


{ output }





If you start getting a 401 response with "You have exceeded your subscription's request limits", you will have to wait.




You can use the dashboard to monitor your total requests for the day.


The API key can be changed easily, but a new key takes some time to become active;



They will send a friendly reminder via the email address you registered with if you hit the maximum limit;

e.g.
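The same batch lookup as the curl loop above, written as an added example (not the post's own script) that stops cleanly on the 401 quota response instead of burning the remaining requests. Assumptions: the key is read from an IPGEO_API_KEY environment variable, the JSON reply carries top-level keys named after the requested fields, and the 401 body has a "message" key; the sample replies in the test are constructed.

```python
# Added example (not from the original post): batch-lookup a list of IPs
# against the ipgeolocation.io API, pulling the same fields as the curl loop
# (country_tld, organization). Assumed: API key in $IPGEO_API_KEY, JSON reply
# with top-level keys named after the fields, 401 body with a "message" key.
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.ipgeolocation.io/ipgeo"
FIELDS = ("country_tld", "organization")


class QuotaExceeded(RuntimeError):
    """Raised on the 401 'exceeded your subscription's request limits' reply."""


def build_url(ip: str, api_key: str, fields=FIELDS) -> str:
    """URL-encode the query; the key goes in the query string as the API requires."""
    query = urllib.parse.urlencode(
        {"apiKey": api_key, "ip": ip, "fields": ",".join(fields)})
    return f"{API_BASE}?{query}"


def parse_geo(status: int, body: bytes, fields=FIELDS) -> dict:
    """Turn one HTTP reply into {field: value}; bad key or quota -> QuotaExceeded."""
    if status == 401:
        msg = json.loads(body or b"{}").get("message", "unauthorized")
        raise QuotaExceeded(msg)
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}")
    data = json.loads(body)
    return {f: data.get(f) for f in ("ip", *fields)}


def fetch_http(url: str):
    """Real transport. TLS verification stays on (no equivalent of curl -k)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def lookup_all(ips, api_key, fetch=fetch_http, pause=0.0):
    """Look up each IP; stop at the first quota error so partial results are
    kept. `fetch` is injectable so the logic can be exercised offline."""
    results, stopped = {}, None
    for ip in ips:
        status, body = fetch(build_url(ip, api_key))
        try:
            results[ip] = parse_geo(status, body)
        except QuotaExceeded as e:
            stopped = str(e)
            break
        time.sleep(pause)   # be polite to the free tier
    return results, stopped


if __name__ == "__main__":
    key = os.environ["IPGEO_API_KEY"]
    with open("cc_list") as fh:
        ip_list = [line.strip() for line in fh if line.strip()]
    found, why = lookup_all(ip_list, key, pause=0.2)
    for ip, info in found.items():
        print(ip, info["country_tld"], info["organization"])
    if why:
        print("stopped:", why)
```

Keeping the key in the environment rather than on the command line keeps it out of shell history and `ps` output, and the injectable `fetch` lets you replay saved responses when tuning the parsing.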







Tuesday, March 5, 2019

Securing DNS with HTTPS

DNS is one of the oldest protocols on the internet. It has been around since the early days of mail, and has to be 35+ years old if I had to guess.

Over 35 years ago the internet was a much safer environment. DNS-based attacks are still being used today and are a big problem for some organizations.


With an unreliable, connectionless transport such as UDP, where the source address of a query is never verified, you are opening the door to spoofed flood (reflection) attacks against a victim network.









Next, DNS on port 53 is supported over both UDP and TCP, but neither gives any privacy. Anybody on the path can peek at your traffic and analyze your traffic patterns from nothing more than the DNS query/response exchange between client and server.







DNSCrypt and DNSSEC were two attempts to secure DNS, but these have dropped in popularity (and note that DNSSEC only authenticates answers; it does not hide them). DNSCurve was also an alternative. I wrote about this over 5 years ago.



Two current methods that are available and that address both issues are:


DoH or DoT (DNS over HTTPS or DNS over TLS)

Cloudflare, Google and a few others support both services, and these protect DNS traffic from eavesdropping and tampering in transit.

You can make a simple DNS query to Cloudflare over HTTPS for testing.



Both DoH and DoT use TLS for encryption; the overhead is much higher than plain UDP/53, but with the benefit of confidentiality and protection from spoofing attacks. It's nice to know that with Cloudflare and Google the resolvers only handle HTTPS and not plain HTTP.


A DNS-to-DoH proxy server lets you integrate this with little impact on internal hosts, since from the client side DoH is just an HTTPS GET (or POST) to the resolver.

example



For Cloudflare's JSON endpoint you must send the header accept: application/dns-json for a proper response; if not, they deliver a 4XX. Google does not enforce that requirement and ignores the header.


FWIW: Google seems to be much simpler for DoH queries
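What such a query looks like on the wire, as an added example that is not part of the original post: a builder for an RFC 8484 (application/dns-message) GET request, a parser for the answer, and the URL/header pair for the Cloudflare and Google JSON endpoints described above. The endpoints assumed are the public ones (cloudflare-dns.com/dns-query and dns.google/resolve); the sample response bytes are constructed here so the parser can be exercised offline.

```python
# Added example (not from the original post): build an RFC 8484 DNS-over-HTTPS
# GET request in wire format and parse the answer, plus the JSON-API URLs for
# Cloudflare and Google. Assumed endpoints: cloudflare-dns.com/dns-query and
# dns.google/resolve. SAMPLE_RESPONSE is constructed, not captured.
import base64
import struct
import urllib.request

DOH_WIRE = "https://cloudflare-dns.com/dns-query"   # RFC 8484, application/dns-message
CF_JSON = "https://cloudflare-dns.com/dns-query"    # JSON form needs accept: application/dns-json
GOOGLE_JSON = "https://dns.google/resolve"          # plain GET, header not required
QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}


def encode_name(name: str) -> bytes:
    """hostname -> DNS labels, e.g. example.com -> \\x07example\\x03com\\x00"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    """Wire-format query. ID is 0 so identical GET URLs are cacheable (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(query: bytes, endpoint: str = DOH_WIRE) -> str:
    """GET form: base64url without '=' padding, per RFC 8484 section 6."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def json_api_request(name: str, qtype: str, provider: str = "cloudflare"):
    """(url, headers) for the JSON endpoints; Cloudflare 4xx's without the Accept."""
    q = f"?name={name}&type={qtype}"
    if provider == "cloudflare":
        return CF_JSON + q, {"accept": "application/dns-json"}
    return GOOGLE_JSON + q, {}


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode("ascii"))
        off += l
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata_as_text)]) for the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


def resolve(name: str, qtype: str = "A", endpoint: str = DOH_WIRE):
    """Live lookup over HTTPS (needs network); TLS verification stays on."""
    req = urllib.request.Request(doh_get_url(build_query(name, qtype), endpoint),
                                 headers={"accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


# Constructed reply: NOERROR, the question echoed, one A record (TTL 300) whose
# owner name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a")

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(json_api_request("example.com", "A", "google"))
    print(parse_response(SAMPLE_RESPONSE))
    print(resolve("example.com"))   # live query to Cloudflare
```

The `dns=` parameter is the whole query message, so the resolver sees exactly the same bytes a UDP/53 client would send, just inside TLS; that is what makes a local DNS-to-DoH proxy a transparent drop-in for internal hosts.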





Quad9 (9.9.9.9) has been supporting DNS over HTTPS as well.





NOTE: I'm very disappointed that OpenDNS (now Umbrella) does not support DoH or DoT and has no plan to do so!







