Re: Newbie naive question, perhaps - - be kind
From: Peter Pearson (ppearson_at_nowhere.invalid)
Date: Sat, 15 Oct 2005 16:43:31 -0700
> I'm merely a potential end user of some form of commercial encryption
> program primarily to protect some sensitive psychiatric case histories
> (as well as other files) from the curious eyes of the computer service
> 1) Some of the commercial programs, such as Cryptainer, seem to suggest
> that their encryptions are essentially unbreakable
> . . . Yet they suggest long passwords or
> pass phrases to make hacking these passwords "more difficult."
> isn't the program as weak as its weakest link, e.g. the
Exactly. If guessing your password is easier than guessing
the encryption key, then it is the weaker of those two
particular links. Today's respectable cipher uses a 128-bit
key, the guessing of which would require about 2^128 = 10^38
guesses. Given that there are only about 2^19 words in the
English language, a simple password will be easier to guess.
So take their advice: choose a password that will be hard
> 2) if these encryption schemes are so unbreakable, and commercially
> available, why haven't I heard news items describing "terrorists" and
> their use of unbreakable encrypted e-mail ("tomorrow at 10:15, Sidney,
> we light the fuse")?
Actually, one does occasionally hear of law-enforcement actions
thwarted by cryptography. Of course, the thwarted officials
have good reasons to avoid publicizing the products and
techniques that stump them.
> Can I assume that "hackability" or unbreakability
> is merely a matter of degree, and that the police or local computer
> repairman will in all likelihood be intrigued in my newly encrypted data
> files and e-mail and therefore try all the harder to see what's within?
With a respectable encryption program like PGP or GnuPG,
nobody can decrypt your data without the password. If you
pick a good password and don't put it on a yellow sticky
note on your monitor, they'll just have to beat it out of
you or get along without your data.
--
Peter Pearson
To get my email address, substitute: nowhere -> spamcop, invalid -> net
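The weakest-link arithmetic from the reply above, worked through as an added example that is not part of the original post. It uses the post's figures (a 128-bit key, about 2^19 English words); the guess rate and the small word list are constructed for illustration.

```python
import math
import secrets

KEY_BITS = 128           # cipher key size quoted in the post
VOCAB_SIZE = 2 ** 19     # the post's estimate of English vocabulary size

# Constructed sample list; a real passphrase needs a list of thousands of words.
SAMPLE_WORDS = ["anchor", "birch", "copper", "delta",
                "ember", "fjord", "garnet", "harbor"]

def entropy_bits(choices, length):
    """Bits of entropy when each of `length` symbols is drawn uniformly
    and independently from `choices` possibilities."""
    return length * math.log2(choices)

def effective_bits(key_bits, password_bits):
    """Weakest link: the attacker searches whichever space is smaller."""
    return min(key_bits, password_bits)

def words_needed(vocab_size, target_bits):
    """Smallest count of uniformly random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocab_size))

def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2.0 ** bits / guesses_per_second

def generate_passphrase(wordlist, n_words):
    """Draw words with the OS CSPRNG. Words a person picks themselves
    carry far less entropy than this calculation assumes."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    rate = 1e9  # assumed attacker speed in guesses per second (illustrative)
    for n in (1, 4, words_needed(VOCAB_SIZE, KEY_BITS)):
        pw_bits = entropy_bits(VOCAB_SIZE, n)
        eff = effective_bits(KEY_BITS, pw_bits)
        print(f"{n} random word(s): {pw_bits:.0f} bits, effective {eff:.0f} bits, "
              f"{seconds_to_exhaust(eff, rate):.3g} s to exhaust")
    # Demonstration only: 8 words give just 3 bits per word.
    print(generate_passphrase(SAMPLE_WORDS, 7))
```
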