Detailed outline on How Alphaseq Box works
i. Intro:
I am a Site/System Reliability Engineer with more then 15 years of experience in DevOps, software development, setting up corporation infrastructure, architecting it, securing it and administrating it. I have worked for many renowned corportaions like Maxar, MDA, Mastercard, Airbus and banks as well.
In my freetime I am a white-hat hacker and I have a passion for innovation. I have published more then 10 white papers in international conferences and have filed 30+ patents.
Many of my white papers are published through IEEE conferences, which one can get access through my profile.
As a DevOps security administrator my work involves around taking care of the security for the infrastructure. I had been working to secure the companies infrastructure from various types of attacks such as Denial-of-service (DoS), Man-in-the-middle (MitM), Phishing, SQL injection, Cross-site scripting (XSS), Eavesdropping, Malware. Also as an innovator I have always thought deeply about how to make a foolproof system that is an alchemy and one tool all that takes care in security from all the types of attacks in the world. With wide experience in this field and deep introspection I have come up with an idea that atleast secures our day to day text and voice communication, which I would say makes the most important part of everyones life.
ii. Background
Communication and privacy in communication is one of the basic need of every human. Many anti-hacking laws like CFAA and privacy laws like GDPR in Europe and CCPA in USA have come in to protect privacy of individual. But it has not prevented the hacking and spying. Because apart from individuals, hacking and spying are done by Government spying agencies around the world as well. Recently a security flaw in Whatsapp [1] helped an Israeli firm to create and distribute a spyware used to spy on human rights activists and journalists in anti-freedom countries like India and China. And whatsapp had created one of the best secure infrastructure for communication. Another best known and trusted company in security realm is RSA which provide two-factor-authentication. It came in news back in 2011 when it got hacked as well [2]. So no matter what we do hacker always found one or other way around to hack the most secure systems.
That made me ponder to think of a system which goes up and above two-factor-authentication system in securing communication between parties. After deep thinking I have come up with Alphaseq security system that is one system that serves in securing in almost all forms of attacks and hacking.
iii. Problem
As defined in background, almost all systems are hackable. The problem is all these systems are online and works through the computer system that has to be online. As long as any system is online and has a way to talk, it is always susceptible to someone sending in someone which seems harmless but turns out to be not. Below is one example of how even a school going boy can hack someones system which might be using two-factor-auth hailed as one of most secure system of world.
iv. How even school boy can hack mighty two-factor-auth of RSA
In a typical two-factor-auth a user puts authentication token along with password to login.
A keylogger is one of the most simplest easiest to create software. Its because all languages provide way to intercept and read keys as they get typed. Even a school going boy can create a keylogger.
And suppose someones deploys this keylogger which sends key information immediately to hacker online on victims computer. Suppose now victim tries to login into his bank account using two-factor Authenticator. He types in his password, which gets sent to hacker through keylogger as he types. Then he types authentication token which again gets sent to hacker as he types. Now suppose hacker has coded keylogger to bug the last key of authentication key typed on by victims on browser to wrong value. The victim will get error on his computer. And in mean time hacker will have a way to log into bank account with the password and authentication token before victim does, and he carries out his operation easily.
So you see this kind of hacking can be done by even a school going boy without much technical knowledge and know-how to get past one of the perceived most secure system of two-factor-authentication.
v. Solution
As stated earlier the biggest problem is computer itself. As long as it ever gets online or been online, it has exposed itself to the world of hackers. The only system that cannot be hacked by anyone unknown is offline system. An alphaseq system is one such system that uses offline systems to advantage in communication. It secures below three forms of communication:
1) Securing text communication
An Alphaseq system is basically encrypting anything before its fed to computer. And only another target Alphaseq system connected to target computer knows how to decrypt the information. Alphaseq bxes are sold in pairs of like 2 to 10. So that only these paired boxes stores the keys used to encrypt/decrypt the communication. The Alphaseq box is offline box and connects to computer through USB. It has a touch screen to allow user to type in his text and send encrypted text to computer. The same touch screen is used to display the decrypted text from computer. Along with this box, a user has to install a chrome plugin on its browser. This browser reads the encrypted text from browser and sends to Alphaseq Box for decryption and display.
You can see the full box in action at this video: https://youtu.be/QfDvo6LgHKA
Now there are some other forms of hacking also. Suppose someone tries to clandestinely use Alphaseq box when suppose main User is sleeping. In that case the box has been secured with master password. Whenever User connects the box to computer, he has to supply this master password.
But how about if someone steals the box? In that case, alphaseq box has been designed to store all keys and PII of User in EEPROM. And this EEPROM uses Users master password to encrypt data before storage on EEPROM. Hence the thief wont be able to get any data by breaking box after stealing it.
2) Securing credentials much better then two factor Authentication
As shown in section iv, even a school going boy can create system to go past two-factor-auth. I have created another Alphaseq system, that also stores all credentials of User and its website name in Alphaseq box. The user also has to install Alphaseq Plugin in chrome browser for it to work. When a User tries to log into website like suppose Facebook, he needs to click on this plugin. This plugin then sends this site URL to Alphaseq Box. The Alphaseq Box then searches for credentials matching that site. It then sends these credentials as encrypted text to browser and fills in Username and password with encrypted text. The plugin also for few seconds, proxies the browser to a cloud proxy server which is running fiddler, that knows how to decrypt this text. It decrypts the username & password, logs the person into facebook and sends control back to browser. The plugin now removes the proxy, and user securely logs into his website. Now even if the hacker is using most advanced methods of hacking like even if taking screen dumps, he can never hack the Users credentials.
You can see the full box in action securing credentials at this another video: https://www.youtube.com/watch?v=KBvfRW6PNT0
3) Securing voice communication.
As we have seen with whatsapp, your voice communication is also hackable. But what suppose you encrypt your voice in Alphaseq box before you send it to your mobile. Unlike the two systems described above, securing text communication and credentials, we are still in development phase of building proof of concept for securing voice communication. We will basically remove the built in microphone of a mobile phone. Then Alphaseq box will be connected to phone. The box will have its own microphone and speaker. All User voice will be recorded and encrypted before sending over air through phone. Then receiving party phone will again send to paired alphaseq box which knows how to decrypt it and plays to user.
vi) Even offline system are hackable
Even offline system are hackable. A famous case on it is Stuxnet[3] that wrecked havoc on Irans nuclear program. The computers were air-gapped from the internet, however, they cannot be reached directly by the remote attackers. So the attackers had designed their weapon to spread via infected USB flash drives. To get Stuxnet to its target machines, the attackers infected computers belonging to five outside companies that are believed to be connected in some way to the nuclear program. Then it travelled to these computers through them.
So even offline Computers are hackable. But Alphaseq box secures communication even on these offline computers. If you are using Alphaseq communication even on such infected Computers, the communication never gets hacked because it is encrypted before it is fed to computer.
Also the Alphaseq box itself is designed to never take any input from outside once it has been programmed. It only takes few pre-defined commands and encrypted text from Computers browser plugin, it processes them and displays. It never takes any file or code input from computer or outside world.
vii) Encryption:
The encryption used for the purpose is AES, which is perceived to be one of worlds best and most secure encryption. A big list of Keys and vectors are stored in paired Alphaseq boxes. The Alphaseq box keeps on changing this encryption keys and IV's every few seconds. And only paired device knows which encryption key and IV is getting used at what time.
viii) Conclusion:
Hence you can see that in todays world no one is secure from hacking unless he has kept himself totally isolated from online world. And even totally isolated systems are not secure if it has ports to store information. And two-factor-authentication is not as secure as we perceive it to be. To secure our communication in such scenarios, the only alternative available in Alphaseq box, which a User can carry along with himself anywhere and can have secure communication with his peers using any computer even if infected.