Re: Newbie naive question, perhaps - - be kind

From: Peter Pearson (ppearson_at_nowhere.invalid)
Date: 10/16/05

Date: Sat, 15 Oct 2005 16:43:31 -0700

Arthur wrote:

> I'm merely a potential end user of some form of commercial encryption
> program primarily to protect some sensitive psychiatric case histories
> (as well as other files) from the curious eyes of the computer service
> kids.
> 1) Some of the commercial programs, such as Cryptainer, seem to suggest
> that their encryptions are essentially unbreakable
> . . . Yet they suggest long passwords or
> pass phrases to make hacking these passwords "more difficult."
> isn't the program as weak as its weakest link, e.g. the
> password??

Exactly. If guessing your password is easier than guessing
the encryption key, then it is the weaker of those two
particular links. Today's respectable cipher uses a 128-bit
key, the guessing of which would require about 2^128 = 10^38
guesses. Given that there are only about 2^19 words in the
English language, a simple password will be easier to guess.
So take their advice: choose a password that will be hard
to guess.

> 2) if these encryption schemes are so unbreakable, and commercially
> available, why haven't I heard news items describing "terrorists" and
> their use of unbreakable encrypted e-mail ("tomorrow at 10:15, Sidney,
> we light the fuse")?

Actually, one does occasionally hear of law-enforcement actions
thwarted by cryptography. Of course, the thwarted officials
have good reasons to avoid publicizing the products and
techniques that stump them.

> Can I assume that "hackability" or unbreakability
> is merely a matter of degree, and that the police or local computer
> repairman will in all likelihood be intrigued in my newly encrypted data
> files and e-mail and therefore try all the harder to see what's within?

With a respectable encryption program like PGP or GnuPG,
nobody can decrypt your data without the password. If you
pick a good password and don't put it on a yellow sticky
note on your monitor, they'll just have to beat it out of
you or get along without your data.

Peter Pearson
To get my email address, substitute:
nowhere -> spamcop, invalid -> net
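
The weakest-link comparison in the reply above (about 2^19 English words against a 128-bit key), worked through as an added example that is not part of the original post. It assumes every password symbol (word, letter or character) is picked uniformly at random; the function names and the alphabet sizes other than the post's 2^19 figure are choices made for this example.

```python
import math

KEY_BITS = 128    # key size cited in the post
VOCAB = 2 ** 19   # the post's estimate of the English vocabulary

def secret_bits(alphabet_size: int, length: int) -> float:
    """Guessing work, in bits, for `length` symbols drawn uniformly at random."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)

def min_length(alphabet_size: int, target_bits: int = KEY_BITS) -> int:
    """Fewest random symbols whose guess space reaches 2**target_bits.
    Uses exact integer arithmetic to avoid float rounding at the boundary."""
    if alphabet_size < 2:
        raise ValueError("need at least 2 symbols")
    length, space = 1, alphabet_size
    while space < 2 ** target_bits:
        space *= alphabet_size
        length += 1
    return length

def weakest_link(alphabet_size: int, length: int, key_bits: int = KEY_BITS):
    """Return which link is cheaper to guess and how many bits it offers."""
    bits = secret_bits(alphabet_size, length)
    return ("password", bits) if bits < key_bits else ("key", float(key_bits))

if __name__ == "__main__":
    # Alphabets to compare; only the word count comes from the post.
    schemes = {
        "dictionary words": VOCAB,
        "lowercase letters": 26,
        "printable ASCII": 95,
        "decimal digits": 10,
    }
    print(f"{'scheme':<20}{'bits/symbol':>12}{'symbols for 128 bits':>24}")
    for name, size in schemes.items():
        print(f"{name:<20}{math.log2(size):>12.2f}{min_length(size):>24}")
    # A single dictionary word, as in the post's "simple password" case.
    print(weakest_link(VOCAB, 1))
    # These figures are upper bounds: a human-chosen phrase or a
    # predictable pattern gives an attacker far fewer guesses to try.
```

A single dictionary word offers 19 bits of guessing work, so the password is the weak link until the passphrase reaches seven independently random words.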
