[UPDATED ENTRY]

A new version of the Clipperz Javascript Crypto Library (CCL JCL) is now available for download from Google Code SourceForge. The new release dramatically enhances execution speeds (the AES cipher is now at least twice as faster as before) and introduces “deferred” mechanisms for a smoother user experience.

More than a year ago, I wrote a post about the terrifying announcement of the forthcoming Regulation of Investigatory Powers Act (RIPA) in the United Kingdom. RIPA went into effect few days ago and it’s even worst than expected.

A long-awaited feature requested by many users it’s now available: a strong random password generator. Generating long, high-quality random passwords is not simple.

Clipperz online password manager is a cryptographic system designed and built to achieve a 128-bit security level. This could be an obscure statement and I will try to clarify it.

[Slashdot][1] says that [NIST is planning][2] to augment and revise the current Secure Hash Standard.

[Vincent Rijmen][1] is the belgian cryptographer that, together with Joan Daemen, developed the Rijndael block cipher.

At Clipperz we are huge fan of cryptography as a tool to empower users and protect freedom, therefore we are beholden to all the people who contributed to the development of this science.

Today’s mail servers, file servers and other data storage servers typically must be fully trusted since they have complete access to your data and are supposed not to reveal them without your authorization.

Few days ago a fire destroyed Sealand, the independent state joke located on an abandoned anti-aircraft deck six miles off the British coast. The silly utopia of a data haven burned with it. HavenCo, the Sealand company running the offshore hosting service, was just a very badly planned business venture, but exotic enough to get good press coverage.

UPDATE - Good news for webmail encryption: read my review of Freenigma.

Mark Langenhoven and Richard Jones have both developed simple tools to use Gmail while safeguarding the privacy of your email messages. These are not bullet-proof systems, but they provide an easy way to encrypt email messages and keep using your favorite webmail interface. Mark used a Greasemonkey script, while Richard adopted a Firefox extension.

Mark solution does not rely on any certificates or browser built-in list of authorities, but it requires to generate an RSA pair of keys. Unfortunately the provided interface to generate the public and private keys is quite basic and no information are given about the chance to use other RSA pairs of different size. To encrypt your message just add the recipient public key and click “Encrypt”.

Richard, on the other hand, developed a Firefox extension to build S/MIME support for Gmail. It requires the user to obtain an S/MIME email certificate - there are several ways to get one for free - and install it in the Firefox certificate database. If there is an entry for the recipient email address in the certificate database, then the body of the email and any attachments are automatically placed in an S/MIME attachment and encrypted with the recipient’s public key. This encrypted message is then sent to Google for delivery.

Mark and Richard cannot guarantee to keep the prying eyes of NSA out of your mailbox, but they can definitely add more privacy to your email relationships.

picture above from WebProNews.com

The UK government has recently made some claims about implementing the provisions included in Part 3 of RIPA, the Regulation of Investigatory Powers Act. This means that, following a lawful search with a warrant issued by a judge, the police can request the keys to any encrypted material that is seized. Refusal to produce keys can then be treated as a crime in its own right.

Legal systems in most countries have laws that will prevent the government from passing such an Act. In the US the fifth amemdment, which is part of the Bill of Rights, asserts”

No person […] shall be compelled in any criminal case to be a witness against himself.

The italian law has a very similar provision, the “nemo tenetur se detegere” principle. It states that a person under investigation can refuse to make declarations.

But what if the encrypted files are disguised as innocent family pictures? No police or judge can request a key if they don’t know or cannot reasonably prove that a key exists.

It’s easy to imagine a mass adoption of steganographic tools where secret documents and communications are hidden inside irreproachable pictures. Similarly, tools like TrueCrypt can conceal encrypted material in a way that prevent its detection.

The UK government is going to deprive honest an law-abiding citizens of their liberties while criminals can carry on theirs businesses as usual, with just a little software upgrade.

UPDATE - Unfortunately Australia is following the same path as UK, at least in Queensland.

Queensland Police are to be given power to force suspects to hand over passwords and encryption codes. Civil libertarians warn the laws could allow corrupt police to fake evidence, because they will have access to suspects’ digital signatures. The legislation, to come into force in July, covers mobile phones, PCs, handhelds and other electronic devices. Non-compliance carries up to 12 months’ jail.

Image created by Neil Johnson, also appearing on the cover of his book Information Hiding: Steganography and Watermarking - Attacks and Countermeasures.

Someone says it’s spooky, others call it weird, creepy, hilarious, …

I’m talking about the kid site released few months ago by the NSA. The “CryptoKids” are cartoon animals each with a passion for a different aspect of cryptography: Crypto Cat is a cryptographer making codes out of everything, Decipher Dog is a codebreaker, Slate is a bunny that loves math and so on. There are tons of games and activities to entertain and educate.

Dynamic Security Skins or DSS emerged about one year ago and sparked some debate on several places. Some were critics of DSS because its effectiveness depended upon a widespread adoption both from browser developers and web site owners. It was unlikely and it has not happened yet.

I like this guy! Phil Zimmermann quietly released a very neat application, Zfone as a reference application of his new cryptographic protocol ZRTP aimed to bring privacy to your VoIP calls. I hope it won’t cause him all the troubles that PGP brought him.