Hacking and Encryption
Thu, 2013-08-01 20:22
#1
Hacking and Encryption
Greetings everyone. I’ve been GMing an Eclipse Phase game for over a year now. I’ve got a question regarding hacking and encryption. I’ve read many forum topics on both of them. I get that by using Public Key Cryptography (PKC) you can encrypt data traffic between two users/networks/devices. I also get that you can encrypt files. What I’m not sure about is whether or not you can encrypt your mesh inserts and Private Area Network (PAN). Also, can a server simply be encrypted? Not just datafiles, but the interface and interactions with it, like programs and such?
For example, I’m the computer expert of my Sentinel team. I sneak down a corridor and see a guard at a door I need to get through. I want to try and use AR illusion software on him to distract him and get him to leave his post. I make an Interfacing test to find his wireless signal. His muse is actively stealthing his wireless signals so I make an opposed Interfacing roll. I succeed and the muse fails. I locate the signal of his PAN. Now, can he be running encryption software in such a way that I can’t even touch him at this point? Basically, I get to his firewall and find it’s encrypted?
Fri, 2013-08-02 13:12
#2
Dravick wrote:What I’m not
Encryption of most network traffic should be a matter of course in Eclipse Phase. Protocols which strongly authenticate the server a user is accessing (to verify that it is, in fact, the correct service) can be assumed to be in effect. Cryptosystems which encrypt traffic to and from a service can also be assumed to be in effect. Cryptosystems which implement strong user authentication (everything from [url=http://www.xmlgrrl.com/blog/2010/07/06/tofu-online-trust-and-spiritual-w... done in-house prior to deployment to multi-factor user authentication, most of which would be handled by one's muse) would certainly exist for any reasonably sensitive service or application. This tends to be handwaved away by the game mechanics.
As for software executing in a system, I would think that it would be possible (in the form of [url=https://en.wikipedia.org/wiki/Homomorphic_encryption]homomorphic encryption[/url]), but all that does is prevent other users of a server from being able to easily eavesdrop on other users' parts of the memory field. In truth, I do not know how common such a thing would be. There may be potential problems with homomorphic encryption, from CPU overhead to whole classes of vulnerabilities that are as yet unknown. In my game I have yet to introduce such a thing, but it would be reflected in significant penalties to users' rolls.
Oh, you could touch him - crypto does not prevent you from sending packets (and thus potentially influencing the other system in some fashion). It just prevents most packets from being parseable (the mesh inserts of the guard would be waiting for session initiation before anything else, ignore anything else and probably alert on the reception of lots of unexpected traffic). In which case, your hacking attempt would probably take the form of trying to open a connection to the guard's PAN as a new node (maybe as a new device on the PAN (got Spoof?)), negotiate and initiate the encrypted connection (which is done by the network protocols), and then trying to exploit one or more pieces of hardware in the guard's PAN to gain access.
To be really secure, the guard would have to shut down all of their wireless network connections and rely on hardwired (or skinwired, for that matter) links.
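The receive-side behaviour described in the post above (wait for session initiation, ignore anything else, alert on a run of unexpected traffic, authenticate before opening the channel), as an added Python example that is not part of the original thread. The frame layout, the `PanEndpoint` class, the per-device pre-shared key, the threshold of 3 and the device and source names are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

ALERT_THRESHOLD = 3  # assumed: refused frames per source before an alert is raised
HELLO = b"\x01"      # constructed frame type marking a session initiation
def hello_tag(key: bytes, nonce: bytes, device_id: bytes) -> bytes:
    return hmac.new(key, nonce + device_id, hashlib.sha256).digest()

def make_hello(device_id: bytes, key: bytes) -> bytes:
    """Initiation frame: type | 16-byte nonce | 32-byte HMAC tag | device id."""
    nonce = secrets.token_bytes(16)
    return HELLO + nonce + hello_tag(key, nonce, device_id) + device_id

class PanEndpoint:
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled   # device id -> key, shared out of band (assumption)
        self.sessions = set()      # sources holding an authenticated session
        self.seen_nonces = set()   # rejects replayed initiation frames
        self.refused = {}          # source -> number of frames we would not parse
        self.alerts = []

    def receive(self, src: str, frame: bytes) -> str:
        if src in self.sessions:
            return "accepted"      # a real stack would decrypt and verify here
        if frame[:1] == HELLO and len(frame) > 49 and self._valid_hello(frame):
            self.sessions.add(src)
            return "session-open"
        # Anyone in radio range can send bytes; they are counted, not parsed.
        self.refused[src] = self.refused.get(src, 0) + 1
        if self.refused[src] == ALERT_THRESHOLD:
            self.alerts.append(src)
        return "dropped"

    def _valid_hello(self, frame: bytes) -> bool:
        nonce, tag, device_id = frame[1:17], frame[17:49], frame[49:]
        key = self.enrolled.get(device_id)
        if key is None or nonce in self.seen_nonces:
            return False
        ok = hmac.compare_digest(tag, hello_tag(key, nonce, device_id))
        if ok:
            self.seen_nonces.add(nonce)
        return ok

def demo():
    key = secrets.token_bytes(32)
    ep = PanEndpoint({b"smartlink": key})  # constructed device name
    out = [ep.receive("stranger", b"\x02junk") for _ in range(3)]
    out.append(ep.receive("stranger", make_hello(b"smartlink", b"k" * 32)))  # wrong key
    hello = make_hello(b"smartlink", key)
    out += [ep.receive("rifle", hello), ep.receive("eavesdropper", hello)]  # 2nd is a replay
    return out, ep.alerts
```

Identifying a session by source label alone is a simplification; a real protocol would bind the authenticated initiation to the key exchange that protects the rest of the session.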
Sat, 2013-08-03 17:19
#3
Thanks for the response
Thanks for the response, Doctor. Let's see if I'm doing this right. So, when I connect with the guard I'm confronted with his firewall. Regardless of encryption I can then use my exploit software to try and bypass it. Once past it I have to make a contested infosec roll versus his monitoring muse. Again encryption doesn't matter at this point?
Assuming I end up covert or hidden in his system, does encryption matter when I run the AR illusion software? What about if I make various subversion attempts to, for example, enable the safety on his rifle or have his mesh inserts identify me as a friend. Can encryption software prevent that?
Mon, 2013-08-05 08:31
#4
I suppose you need to think
I suppose you need to think about what encryption actually is. It is a rewriting of a sequence of information as something else that can only be unlocked with a specific key. So if you are demanding that all signals that connect with you need to be encrypted a certain way then it's basically the same as isolating yourself from the mesh. What you use it for is to make sure that a specific transmission can't be understood by someone else. Very rarely would your computer demand encryption for commands if you can properly access it, but individual files might be encrypted. So all in all, encryption only matters if you are trying to access files on his cranial computer that may be protected.
—
Lorsa is a Forum moderator
Red text is for moderator stuff
Wed, 2013-08-07 14:54
#5
Dravick wrote:Thanks for the
Correct, on the hypothesis that either the firewall or the application you are jimmying has some bugs that can be exploited to give you access (or at least inject and run code that does something indirectly). Or, the application you are jimmying does not try to authenticate remote connections before negotiating the encrypted channel.
Also correct, on the hypothesis that the muse is actively monitoring the state of the system in realtime for anomalies (muses have InfoSec at 40 and are programmed to not get bored).
I would say no, it would not. Either you would have logged in via an encrypted channel (meaning that nobody watching would know what was going on aside from traffic passing from node to node) and would be monkeying with the enemy's headware, or you would have found a way to inject the AR Illusion software into the enemy's headware without the system or the muse noticing. Either way, their perceptions are being hacked in realtime.
I would say no, because encryption is used to either protect traffic in transit (in realtime) or data at rest (sitting in storage and not being accessed). The same basic pattern applies here.
Wed, 2013-08-07 14:57
#6
Lorsa wrote:I suppose you
For this discussion, call it Encryption Mode A. IRL, we call it Data-In-Motion (or traffic being transferred from system to system). It is for preventing passive attackers from understanding the nature of the traffic on the wire.
For this discussion, call it Encryption Mode B. IRL, we call it Data-At-Rest (data in the form of files sitting in storage that are not being used).
Authentication (proving that an identity presented by a user actually belongs to the real user) is a related function, but is actually a separate issue entirely.