
Keys and encryption

This is a technical post in response to the useful provocation Stephen provided with his video for #el30 exploring Yubi keys and Public / Private keys. Stephen began by saying it is not his area of expertise (mine either). There is a LOT in these topics and I have a friend who is a specialist who helped me put this post together to give an intro in a way we could understand. It was not something I could research and correctly put together on my own, as terminology and details matter a lot with the intricacies of these things and their uses. (and it’s very complicated!) I hope this tutorial-style post is helpful.

My post is divided into that intro, and then some comments/explanation from me on things in the video.

Intro:

Passwords:

Positives:

  • They are good because of usability.
  • Everyone knows how to use them.

Negatives:

  • They are hard to remember and easy for computers to guess (generally).
  • People reuse them (this is a human error).
  • When credentials (password or email) are reused, compromised details on one site generally leave you open on another site if you have reused them elsewhere.

A good example of a good intention that weakens the use of (more) secure passwords:

Websites that disable ‘paste into password fields’. Those sites think they are improving security by disabling that feature, but it also means you cannot use a password manager that fills in a randomly generated long string including umpteen special characters, and so most people resort to a simpler, easy-to-type password that is simply weaker.

  • PII (Personally Identifiable Information) like mother’s maiden name, DOB… is also bad, because it is generally available on public record.

One approach to counter the weakness of passwords is to strengthen passwords with another factor.

Possible factors include:

  • What you know
  • What you have
  • What you are

A password is something you know.

If you are using more than one factor, it ensures that if someone has guessed your password, they still can’t get in because they need another factor.

A fingerprint is another factor (something you are – biometrics)

SMS is not a second factor – it’s something you know, like a password. Many people will argue with this, but it is more like 2-step authentication, where you use 2 passwords. The phone number is something you know, even though we *think* of receiving an SMS as a ‘thing’; it would be easy to clone your SIM, and the first you would know of it having been ‘popped’ is when you suddenly have no service on your phone.

A Yubi key is something you have. It is a physical token, and thus is a true second factor. There are also RSA tokens (some workplaces use these as a factor to log on to a system), which are a physical second factor. Google Authenticator, an app that generates a time-sensitive changing code, is like an RSA token, but not as good because it is still cloneable.

A true second factor (the something you have type) is a hardware product and not a software product.

Despite all the things that are wrong with passwords, people do know how to use them.

Certificates- What if to sign up to a site you had to generate a domain-specific public key and sign it with your private key? How well would that work in an online world measured by sign-up rates and similar metrics?

Besides the human ‘friction’ of onboarding, there is also the problem of compatibility. For example, look at GPG tools. I used to send encrypted, key-signed messages with one of my good friends, but when email was upgraded with High Sierra, GPG tools broke and you couldn’t use key-encrypted mail any more. It still doesn’t work. (*Sigh*)

So if we asked people to generate those site-specific keys, understand them, and sign them with their private key, then even if they had the gumption to learn how to do it (and believe me, it took me a couple of weeks to sort out keys), it is overwhelmingly likely that people would get it wrong in a way that degrades security instead of enhancing it.

My public key is on my website. 🙂

ONE person has ever used it, and that is because we promised to both help each other learn how to use keys!

The idea that Yubi keys replace passwords as a single way in / use device?

Definitely not. Replacing the password factor (something you know factor) and ONLY using a Yubi key (something you have factor) as a single factor is possibly worse than a password, and is certainly no better. Here’s why I say possibly:

The ‘threat model’ is so important. For example, if you live in a very secure house in the middle of nowhere and the Yubi key is in a locked drawer to which only you hold the key, then it may be quite secure. Whereas if you are in an open plan office or university setting and someone could walk by and pick up your Yubi key if you left it on your desk while going to the loo or to get a coffee, then it is not secure. There are no absolutes and it is all completely context specific. What is your threat model? At another end of the spectrum, if you are operating on a network where everyone is meticulously put through a security clearance process, you can operate on a completely different model.

Anytime people make absolute statements it is a clue that they only understand part of the picture. (That’s my friend speaking. I promise I do not understand all the picture, and I can only claim to have a fuzzy image of parts of it.)

A Yubi key is a second factor. Something you have. To use it as a second factor, it can be used with either something you are or something you know. You want at least two of these, so the Yubi key could be used with biometrics (fingerprint, retina scan, face recognition) and bypass the password (which would then be a third factor) completely, but it is not an all-in replacement system. We really want to aspire to use all three.

Part 2: Comments on the video and a bit of discussion:

Identity is a component of authentication.

Stephen is correct that a system is only as strong as the weakest factor.

In the video at 6:30 Stephen mentions something really important in passing, and perhaps doesn’t realise how important it is. He’s talking about two-factor completely correctly: log in with biometrics, and then use the physical token. YES.

Public/private keys are for encryption.

Public and Private keys are generally used for assertion and non-repudiation (to show signatures). This can have to do with chains of trust. (I’ve been told that’s a whole separate topic and terminology matters quite a lot there, so I don’t dare convey my extremely limited understanding of it.)

Public / Private keys are definitely worth knowing about and understanding the mechanics of how to use them. But the possibility of making errors is so very easy and real… I’ve done it at least a million times, and I only used them for fun, to learn how with a friend – not with anything that actually mattered. The tiny slip with private/public that Stephen highlighted in his newsletter is exactly how it goes wrong. It is so very, very easy to slip up.

To complete the image Stephen shows us in the video at about 11:15:

In Stephen’s diagram, he is correct that only Alice can read the message, but it doesn’t say anything about where the message came from. To prove it comes from Bob, he would sign with his private key, and encrypt with Alice’s public key. That way only Alice could read it, using her private key, and she could verify it came from Bob with his public key. Simple!?!? (not at all)

It is totally complicated, I realise. Like I said, I only send stuff this way with one friend and we were running a security challenge together a few years back as part of an open course, and yes, we both had to have regular tutorials with an expert to get it even close to right.

Stephen mentioned buying a certificate. If you pay for a certificate from a CA you are paying to inherit trust from them. If I self-sign a certificate it is free, but no browser will validate it. At that point the certificate is an assertion of trust. With a self-signed certificate you say ‘you should trust me, but I give you no evidence to support this’.

More on what Stephen explains at 13:15ish. Let’s Encrypt is free (yay!) and yes, Reclaim Hosting offers this in their cPanel. HTTPS gives you confidentiality, integrity, and authenticity. HTTPS does not verify who you are connected to – although people think this – you could be connected to anybody.

  • Once the HTTPS connection is established, the connection is encrypted. This gives you confidentiality.
  • Integrity – someone else cannot inject information into the information you are receiving. In the US you see ISPs injecting ads into HTTP (unencrypted) connections – and the result is you may see ads on a website that the author of the site did not intend to be there.
  • Authenticity means whoever provided the site managed to present a valid certificate that matches the domain. For example this site, lauraritchie.com, sends a certificate that has been signed. That certificate resolves against the root certificates in your local browser, and that resolution says it is a valid certificate.

HTTPS does not guarantee that the connection is to the person you think it is. It says that the site presented a valid certificate that maintains the chain of trust (signed by a certificate authority) and matches the domain.

A reference and a little activity to demonstrate this.

This gives you the error message you would get if someone stole your domain, but didn’t get the certificate right.

When I click on Show Details it shows:

This is an example of how it is not just to do with having a certificate. In this badssl example, they had a valid certificate signed by a certificate authority, but it was presented for the wrong domain. This results in the browser refusing to create an HTTPS connection, because a valid certificate was presented for the wrong domain. Imagine that we are going through passport control and I hand over your passport. Even if your passport is valid, I should still be rejected, as it is not ‘mine’. Someone might have stolen your domain and then presented a certificate that doesn’t match. This error message is the very first, most basic step in knowing something has gone wrong with whether you are connecting to who you think you are.

If it did resolve, you pass the first step in the authenticity test. It still does not guarantee the site (or person) is who you think they are.
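The two checks the browser makes before it shows the padlock, as an added example that is not part of the post or of any browser’s code. The chain-of-trust result is modelled as an already-computed flag, and the certificate names are a constructed summary of what a leaf certificate carries in its Subject Alternative Name extension (modern browsers ignore the Common Name and use only those names). The name-matching rule is the one browsers apply: exact match, or a wildcard that is only allowed as the whole left-most label and covers exactly one label, which is why a certificate for `*.badssl.com` is rejected for `wrong.host.badssl.com` even though it is perfectly valid, the passport-for-the-wrong-person situation described above.

```python
"""Chain-of-trust then hostname matching, the two steps behind the browser error.

Added example; certificate summaries below are constructed, not parsed from real certificates.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CertSummary:
    """The parts of a leaf certificate that matter for this check (constructed)."""
    subject_alt_names: List[str]   # DNS names from the Subject Alternative Name extension
    chain_valid: bool              # did the chain resolve to a root the browser trusts?


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive exact match, or a left-most-label wildcard."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                       # "*.badssl.com" -> ".badssl.com"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]            # the part the wildcard has to cover
        return left != "" and "." not in left      # exactly one label, never zero or two
    return False


def hostname_matches(cert: CertSummary, hostname: str) -> bool:
    return any(_name_matches(name, hostname) for name in cert.subject_alt_names)


def check_tls_identity(cert: CertSummary, hostname: str) -> Tuple[bool, str]:
    """Step 1: does the certificate chain to a trusted root? Step 2: is it issued for this host?"""
    if not cert.chain_valid:
        return False, "certificate does not chain to a trusted root (e.g. self-signed)"
    if not hostname_matches(cert, hostname):
        return False, f"valid certificate, but not issued for {hostname}"
    return True, "ok: trusted chain and name match"


if __name__ == "__main__":
    # Constructed summary of a wildcard certificate like the one badssl presents.
    wildcard = CertSummary(["*.badssl.com", "badssl.com"], chain_valid=True)
    for host in ("badssl.com", "www.badssl.com", "wrong.host.badssl.com"):
        print(host, "->", check_tls_identity(wildcard, host))
    # Constructed self-signed certificate: names match, but step 1 already fails.
    print(check_tls_identity(CertSummary(["example.test"], chain_valid=False), "example.test"))
```

Passing both steps is what the padlock means and no more: it says the name on the certificate is the name you typed and a CA vouched for that binding, not that the organisation behind the name is the one you had in mind.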

One tiny step to show more:

Go to protonmail.com (as an aside, different browsers will display things differently). At the moment in Firefox you can see the ‘handbag’ and you can see that xx site has presented xx certificate. This is pretty good, but it is possible to do this and pretend to be someone else – e.g. there is nothing saying ‘this is me’. This site presents an EV certificate which matches the domain name and has been correctly signed by the CA. EV means extended validation, and is the highest level of certification. They are expensive and difficult to get hold of.


I think I need a cup of tea now. I do get it, but have had to check and retype at least 30% of what I thought I had right. I hope this tutorial helps more than just me! Thanks to my (patient) friend. 🙂

My Graph #el30

I did it!

Got out the metaphoric gardening gloves, and dug around to figure this graph business out. I’ll admit that the thought of making a 2D representation of me as a graph did not instantly appeal, but I also realise that there is HUGE benefit to seeing other points of view, and to learning how to make something both accessible and enticing. Although the result is not rocket science, I got there. 😀

I’ll take you through my process, ending with a 2 min video demonstrating my graph.

Who are you?

(6 min read) “Who are you?” the small child asks, looking up with curious eyes.

I am a growing fractal, a friend you haven’t met (yet), a dreamer tethered to the ground by a thin thread like a balloon and rooted like an old old tree. I am a reflective surface that smiles back at you, not blindly, but with insight. I am content and mostly I wake up eager to greet the day.

What am I is a different question. How do people perceive me? To be honest, I don’t think many people know me, despite my being quite frank and open about my personal quests, interests, struggles, and daily goings-on. I often speak of using music as a medium to communicate, as it is somewhat free from the confines of words and their societal associations, and allows me to put people into new thinking situations they might not otherwise meet (or invite meeting). I think though, that music sometimes gets in the way. My quest is not to teach music, or to be a cellist, as such.

I think; I am a communicator. That puts a finger on it. Whether with the cello, or words, or sitting and looking, or walking with someone, I associate with being a communicator; one who communicates – sending and receiving meaningful exchanges. Everything else stems from that, really. Image CC BY-NS-SA by Michael Levine-Clark

In this #el30 course Stephen has asked for an identity graph without reference to the ‘me’. Graphs are tricky for me. There are levels of connections that bend toward the ‘who’, having to do with time allocation, responsibilities, physical and mental energy directed toward something or someone, and our own understanding of our identity evolves as we do. I will make one; watch this space.

From Chorister to Professional: A Father’s Perspective

Today I had the pleasure of talking to Scott Waddington about his son Isaac, a professional singer-songwriter. This interests me from both the angle of making it within the music industry and from the perspective of learning and teaching in music. Isaac’s skill as a singer, pianist, composer, and someone who can work have carried him through. He has been fortunate to have a family setting where he was both supported and allowed to explore and pursue his chosen avenues.

In the interview Scott gives a snapshot of where Isaac is now, and then explains the path of his musical education. He talks about the impact of a suggestion from a stranger on becoming a chorister, and the journey to London studios and the profession. Scott describes some of the challenges Isaac navigated to get to where he is today. Have a listen to the 22 min interview below.


At the end of the interview he mentions a couple of current projects. I’ve embedded the Cadbury’s advert and the track Someone Like Me below so you can have a listen.

Putting words to music

This post is an open activity to anyone. One of my classes has been discussing expression and the communication and teaching of this in music. It is a challenge to listen to short piano examples and say what words it conjures up in your mind. On a more abstract level the task is to name the ineffable. As teachers we somehow need to convey this abstraction to another person, our students, so that they can achieve this for themselves on their instruments. What makes it even more difficult is that in music we speak through sound, yet describe it with something else… well, you know Plato’s allegory of the cave? Yes, that’s the perpetual state of communication in music. -Not really, but we never *touch* the essence.

Teaching expression is a topic that is rarely taught in an experiential way, partly because it is easier that way. I mean, as a teacher, I have answers if there is something definitive, but with music and expression we are drawing upon associations. For me to create something that embodies a certain emotion is different, conceptually, than the way my 14 year old student would do it, and will be different still than how the student who is a 50 year old father conceives of the same musical sentiment.

As a class we wanted to explore this idea of experience and understanding and so we created a few examples for you to listen to. The task is to choose an example (you are welcome to choose all three if you like!) and listen to it. Comment on this post with whatever words the example conjures up for you. If a certain place in the example is where you thought of the word, add the time when it happens. For example you might write that you thought of ‘red’ at 8 seconds and ‘tricycle’ at 23 seconds. We are looking for words.

The hope is that as many different people from all walks of life can contribute, because that will expand our collective experience. Having this window into your understanding can in turn allow us to deepen our understanding and will be food for our discussion on how we might teach and explain to our students.

Example 1

Example 2

Example 3

Please do post a comment! Thank you!

🙂

Featured image CC BY-NC-SA by Phil Hilficker

What makes us human?

This post is in response to the question asked by Frank Polster in his post about the conversation between Stephen Downes and George Siemens.  I found the question via Jenny Mackness’ post. The basic question was What are the core qualities that make us human?


Here’s what my gut says:


Primitive machines were reactionary. They performed functions. We perform functions too (and are often reactionary), but, as a human I have the synthesis of agency, vision, and drive in self-efficacy. Put super-simply: my belief that I can do something. There’s a lot in there.

Encouraging learning: A graph with perspective

At uni my teaching students follow along with the topics of open music class #MUS654 as a stimulus for learning about designing a curriculum. One of my aims is that students connect outwardly and begin to form wider networks of inquiry with teachers and musicians. Although this year I haven’t succeeded in convincing people to make blogs and post outwardly, the students occasionally allow me to share their ideas. This post is about a task I gave students to create a representation of their 1-year curriculum to present in our class session, with strict instructions not to use powerpoint. I wanted some creative representation, and that is exactly what I got.

Brady made a graph and a graphical representation, and gave me permission to share his ideas with you. It is also fitting that he made a graph, as in another course (where I’m the student), #el30, the task this week was to make a graph. Lovely when strands of life cross paths, isn’t it?

Graph #el30 Week 3

Stephen has tasked us all with creating a graph of some sort for #el30 this week. Questions that came into my mind were:

  • What are the parameters?
  • How do they interact?
  • How can I make visible the potentials?

I’m thinking of learning and what’s visible, what we bring, resources, and what is ideal to implement in each of our situations. I began with things I know (or have seen) and the examples of music and astronomy guided me to an image.

Sharing joy & the quest for excellence

One of my students, Francesca Raimondi, an accomplished teacher studying on the ESTA Postgraduate Certificate for String Teaching course shared her writing about striving for excellence with and for our students. It is with her permission that I’m sharing it – because I found it so inspiring. Joy, achievement, self-efficacy, real learning, it’s all in there. This is also on Francesca’s blog, but that’s in Italian, as that is her first language! I am grateful she has translated it for me.

Francesca’s translation:

“Given each student’s features and skills, one of my biggest aims is to teach them to go beyond their limits. I believe everyone can reach his maximum and excellence. Excellence is not perfection, but it’s the highest level one can reach in terms of performance, learning and musical skills’ development.

A student should reach excellence just for himself. He shouldn’t have an abstract idea of perfection. He shouldn’t compare himself with anyone else. But he just should have the constant increase of his skills as a goal.

To put it in statistical terms, he should have an idiographic and not a nomothetic approach. This way he’ll be able to create his personal story of success and growth.

These goals aren’t, in my opinion, just for the “most talented” pupils. They’re for everyone.

I expect excellence from all my students. Even the youngest ones, often aged 2 or 3. And the disabled ones. Each one has his maximum and his excellence, and he can reach them. My job as a teacher is “just” to adapt my work to each one of them and work on their motivation. I also want to discover and foster their strengths.

Using positive reinforcement, games and motivation, I demand from them total earnestness and dedication. I don’t like making distinctions or discounts on this matter.

All of them know they can get better and they’re happy about it.

The cutest example of happiness is Maria, who has Down syndrome and after a few months of lessons shows all her satisfaction at having learnt her first rhythm on the violin:


I want first of all to teach my students never to let anyone say to them “You can’t do this” or “You won’t succeed”. I want them to have high expectations for themselves. And I want them to try once more, practise, engage. With neither anxiety nor fear, but with tenacity and enthusiasm.

This way, when they are grown up they’ll be able to face life’s challenges without being taken aback. They’ll develop resilience and self-esteem, and music will have been for them not just a nice activity. It will have been first of all an opportunity for growth and a great learning for their life that will last forever.”

Thank you Francesca. I love the topic of ‘going beyond your limits’. They aren’t limits, most often we don’t realise they are just corners, or we need to stand on blocks to see beyond the walls – and teachers can help guide us to that freedom of thought and possibility of making those dreams reality. This is music with joy, and I agree 100% Bravissima!

To find out more about Francesca and her teaching, see her blog HERE.