
Showing posts with label encryption. Show all posts

Saturday, May 01, 2021

I want to learn Blockchain, but where do I start from? : Here is My Answer.

I am writing this post exclusively for those who wish to begin their journey in the domain of Blockchain. The term "Blockchain" has been buzzing across academia, universities, corporate industries and everywhere around. In most of the webinars I speak at, I find many inquisitive learners willing to jump into the domain but unable to find the right place to dive in. And when they do try, the sheer number of books, videos and the sea of information on the internet soon overwhelms them. Here I am sharing a few slides based on my journey in this domain over more than 5 years. The presentation lists the topics one should start exploring and dig into, followed by a few books that I have personally followed and learned from.

How to Start Learning BLOCK... by Anupam Tiwari

Sunday, September 09, 2018

Aadhaar on Blockchain : Consider or not? - Post 1/2

[This post introduces Aadhaar, its size and the current way of handling its data sets, discusses its problems, and then proposes Blockchain as a solution]

1.   When Aadhaar was originally introduced around 2009-10 by the Unique Identification Authority of India (UIDAI), it would not have envisaged the kind of data juggling, analytics and security threats it would be subjected to in times to come. And here we are around the third quarter of 2018, wherein Aadhaar is central to so many authentications in the country, is used in so many public utility services, and at the same time is subjected to all kinds of threats and claims of data theft and leaks. For the record, it is estimated that the records of around 1.2 billion citizens are held in the CENTRAL servers, which makes it the largest biometric identity repository in the world. UIDAI claims that the same is protected by layers of state-of-the-art cryptography in central servers located in the country.

2.  Now in the world of IT, wherein claiming to be 100% secure is likely to remain a myth for ages ahead, can something un-hackable really exist on this earth? We may harden something, we may add layers of security, we may apply every possible hard encryption on this earth, but can we imagine a fool-proof IT domain anywhere? The question attains severe importance when the biometric repository data of the 1.2 billion plus population of a country is at stake.

3.  Now what do we have on the platter here? If we consider the size of the data, we can make the following assumptions:

(a) Per person biometric data size: 4-6 MB (I take the maximum)

(b) Approximate population covered: around 1.25 billion plus, i.e. a count of 1,250,000,000

Total data, that is to say 6 MB x 1,250,000,000 = 7,500,000,000 MB, i.e. around 7.5 petabytes. That's it. Extrapolate the same with on-site backups, mirrors and disaster recovery sites, and we may be discussing around 20 PB of data.

Even if we consider augmenting the data with the remaining population and the generations ahead, we will be at most around 40-45 PB of data, enough for the next few decades. That's all from the point of view of scalability and size of the data.

4.  Now for this amount of data, what are our security options in the present scenario?

Firstly, we keep doing permutations and combinations and applying layers of hard-coded security to the central servers that we have at various locations, mirrored to each other. This presently includes the following: [SOURCE : http://www.cse.iitd.ernet.in/~suban/reports/aadhaar.pdf]

- 2048 bit PKI encryption of biometric data in transit. End-to-end encryption from enrollment/POS to CIDR.

- Trusted network carriers.

- Effective precaution against denial of service (DOS) attacks.

- HMAC (keyed-hash message authentication code) based tamper detection of PID (Personal Identity Data) blocks, which encapsulate biometric and other data at the field devices.

- Registration and authentication of AUAs.

- Within CIDR only a SHA-n hash of the Aadhaar number is stored.

- Audit trails are stored SHA-n encrypted, possibly also with HMAC based tamper detection.

- Only hashes of passwords and PINs are stored.

- Biometric data are stored in original form though.

- Authentication requests have unique session keys and HMAC.

- Protection against replay attacks.

- Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number are used as shard keys.

- All system accesses, including administration, through a hardware security module (HSM) which maintains an audit trail.

- All analytics carried out only on anonymized data.

From an IT perspective, don't we actually know that the above are all individually knitted layers and tools of security, wherein we are creating a very complex network of solutions for ourselves, which might get even more complex to handle and manage in times to come with more severe security threats in the pipeline?

At the same time, all of the above solutions and combinations look at and brace for external threats, while insider threats are treated as negligible or taken for granted.

So do we have any other architecture that turns the tables from the security and immutability point of view while OFFERING A MORE ROBUST, SECURE, IMMUTABLE AND TRANSPARENT ARCHITECTURE? Can BLOCKCHAIN be a solution?

So, the above scenario discusses what we have on the platter and what we are actually doing to negate the threats. The next post will discuss how BLOCKCHAIN can help negate the security threats Aadhaar faces as on date.

Sunday, October 29, 2017

BITCOIN FORENSICS AGAIN : Bsides Delhi 2017

1. I have been on something of a spree giving presentations in the domain of BITCOIN FORENSICS for the past few months, more or less discussing the same terms of reference but always to a new audience. Recently I participated at BSides Delhi. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world!

The idea behind the Security BSides Delhi is to organise an Information Security gathering where professionals, experts, researchers, and InfoSec enthusiasts come together to discuss. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

2.  Details on the event and about me at https://bsidesdelhi.in/anupam-tiwari/


Sunday, July 23, 2017

Generate Public Key- Private Key Pair and Test them

A public and private key pair comprises two uniquely related cryptographic keys. The Public Key is made available to everyone via a publicly accessible repository or directory. The Private Key, on the other hand, must remain confidential to its owner. Because the key pair is mathematically related, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa. In this post we will see how to generate a set of private and public keys and then test them by encrypting with the public key and decrypting with the private key. I am on an Ubuntu system and do everything here in the terminal. The following commands will be used as we work with RSA keys:

openssl genrsa: Generates an RSA private key.
openssl rsautl: Encrypts and decrypts files with RSA keys.
openssl rsa: Manages RSA private keys (includes generating a public key from one).

First, to generate the private key, the terminal command is as follows (it prompts for a passphrase that protects the key file):

$ openssl genrsa -des3 -out private.pem 2048

The following command generates a public key from the private key generated above:

$ openssl rsa -in private.pem -outform PEM -pubout -out public.pem

So now we have generated a private key and a public key, both with the extension .pem. To verify the generation, check the contents of each file:

$ more public.pem
$ more private.pem

Use the following command to generate the random key:

$ openssl rand -base64 128 -out key.bin

Encrypt the sample PDF, or any other file you want to encrypt, with this key using the following command:

$ openssl enc -aes-256-cbc -salt -in anupam.pdf -out anupam.pdf.enc -pass file:./key.bin

So now you have the original file, anupam.pdf, and the encrypted file, anupam.pdf.enc. The two files do not differ much in size, but the second one is encrypted.

Now use the following command to encrypt the random key file with the other person's public key:

$ openssl rsautl -encrypt -inkey public.pem -pubin -in key.bin -out key.bin.enc

The key.bin is encrypted now. The recipient decrypts it with the private key, recovering the key as key.bin1:

$ openssl rsautl -decrypt -inkey private.pem -in key.bin.enc -out key.bin1

Finally, we decrypt the .pdf.enc file back to the original .pdf, using the recovered key.bin1 so that the test really exercises the RSA round trip:

$ openssl enc -d -aes-256-cbc -in anupam.pdf.enc -out anupam1.pdf -pass file:./key.bin1

Thursday, June 22, 2017

BLOCKCHAIN and BITCOIN : A TECHNICAL OVERVIEW

Presented a talk on "Blockchain and Bitcoins : A Technical overview" for the Summer Interns at the Gurgaon Commissioner of Police Office. The program was conducted under the aegis of Rakshit Tandon.

Sharing the same here; it brings out the technical side involved in the awesome technology, aka BLOCKCHAIN.


Sunday, February 26, 2017

BITCOIN FORENSICS

1.  The increased use of cryptocurrencies such as Bitcoin among private users and some businesses has opened a new avenue of research in the field of digital forensics involving cryptocurrencies. Since the creation of Bitcoin in 2008, cryptocurrencies have begun to make a presence in the world of e-commerce. Cryptography serves as the underlying foundation for Bitcoin, which gives it the benefits of confidentiality, integrity, nonrepudiation and authentication. Having been designed and built upon the foundation of these four objectives makes Bitcoin an attractive alternative to mainstream currency and provides users with the benefits of payment freedom, security, very low fees, and fewer risks for merchants. This presentation brings out the FORENSICS aspects associated with BITCOINS.

2.  I gave this presentation at DICE-2017 http://digitalinvestigatorsassociation.org/dice/

3.  Sharing the copy here for the information of all interested netizens.

4.   A few pics enclosed below:








5.    A small clip from the conference below


Sunday, March 29, 2015

Equation Group : Advanced Secretive Computer Espionage Group

The Equation Group is a highly advanced secretive computer espionage group, suspected by security expert Claudio Guarnieri and unnamed former intelligence operatives of being tied to the United States National Security Agency (NSA). Because of the group's predilection for strong encryption methods in their operations, the name Equation Group was chosen by Kaspersky Lab, which discovered this operation and also documented 500 malware infections by the group's tools in at least 42 countries. This presentation gives a brief overview based on the Kaspersky report.

Monday, December 01, 2014

Configuring and using OPENVPN in UBUNTU@14.04 LTS

1.  VPN, as discussed recently in my post here, is on its way to becoming a routine necessity for each one of us. In this post I bring you a step-by-step procedure, with screenshots and terminal commands, to configure and use OPENVPN, an open source application with which an Ubuntu user can tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port, and additionally configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients. OpenVPN is the best and most recommended open-source VPN software world-wide. It is the most secure VPN option. You need to download the open-source OpenVPN client and the VPNBook configuration and certificate bundle from the links on the site shown below (use TCP if you cannot connect to UDP due to network restrictions).

Steps involved:

- Open a sudo terminal.

- Install openvpn by typing:

sudo apt-get install openvpn

- Go to http://www.vpnbook.com/freevpn and download one of the VPNBook OpenVPN certificate bundles available there.

- After downloading one of the bundles, extract the contents into one folder.

- If there is any issue with the installation part, install the openvpn client through Synaptic instead.

- Once done, go to the sudo terminal and type the following:

openvpn --config vpnbook-euro1-tcp443.ovpn

- When you see the message INITIALIZATION SEQUENCE COMPLETED, you are connected to the VPN.