Re: Newbie naive question, perhaps - - be kind

From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 10/16/05

    Date: 15 Oct 2005 20:58:10 -0700

    Arthur <Art7@att.not> writes:
    > I'm merely a potential end user of some form commercial encryption
    > program primarily to protect some sensitive psychiatric case histories
    > (as well as other files) from the curious eyes of the computer service
    > kids.

    You should keep that computer locked away from those curious eyes and
    never connect it to the internet. A laptop locked in a file cabinet
    is probably a reasonable start. HIPAA regulations may require more
    and maybe you should discuss that with a HIPAA adviser. I'm presuming
    you're a psychiatrist in some organization large enough to have a
    computer service department.

    > 1) Some of the commercial programs, such as Cryptainer, seem to suggest
    > that their encryptions are essentially unbreakable: trillions of years
    > of computer time would be required to break their Blowfish and AES
    > encryption schemes in the program. Yet they suggest long passwords or
    > pass phrases to make hacking these passwords "more difficult." They
    > encouraged written questions from potential buyers, but have not
    > answered my question: isn't the program as weak as its weakest link,
    > e.g. the password?? ("Wheel of Fortune" comes to mind: "I'll buy a
    > vowel, please.")

    Yes, that's correct. The word should be a multi-word random
    combination or a nonsense phrase. See for a method
    of creating random combinations. You can also do it with a program, e.g.:

    Rather than rely entirely on a passphrase you could also use a
    hardware token:

    > 2) if these encryption schemes are so unbreakable, and commercially
    > available, why haven't I heard news items describing "terrorists" and
    > their use of unbreakable encrypted e-mail ("tomorrow at 10:15, Sidney,
    > we light the fuse")?

    In fact there has been a huge amount of debate (lots of it hysteria)
    coming from the national security and law enforcement crowds in that
    direction. See for example

    > Can I assume that "hackability" or unbreakability is merely a matter
    > of degree, and that the police or local computer repairman will in
    > all likelihood be intrigued in my newly encrypted data files and
    > e-mail and therefore try all the harder to see what's within?

    Your use of encryption to protect medical (psychiatric) records is
    entirely legitimate and maybe even mandatory under HIPAA. The police
    should not be interested in it. Computer repair people in your
    organization should know better than to try to access sensitive files.
    Why would either police or computer repair people even know about the
    existence of these files anyway?
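Added example, not part of the original post: a small Python script that picks passphrase words uniformly at random with the OS CSPRNG and puts numbers on the "weakest link" point above, comparing a typed password, a multi-word random passphrase and a 128-bit AES key. The word list, the 7776-word Diceware size and the guessing rate of 10^12 per second are assumptions chosen for the illustration.

```python
import math
import secrets

# Constructed sample word list for this example. A real list such as
# Diceware has 7776 words, which is what the entropy figures below assume.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "marble", "needle",
    "orange", "pepper", "quarry", "ribbon", "saddle", "tunnel", "umpire",
    "velvet", "walnut", "yellow", "zipper", "bridge", "copper", "desert",
    "forest", "glacier", "hammer", "meadow",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 95  # alphabet size; an upper bound for a typed password


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n words each drawn uniformly from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Fewest words from this list that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_years_to_guess(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right value at a given guessing rate; on
    average half the space is searched first, hence the 2**(bits-1)."""
    seconds = 2 ** (entropy_bits - 1) / guesses_per_second
    return seconds / (365.25 * 86400)


def generate_passphrase(wordlist: list[str], n_words: int) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e12  # assumed guesses per second for a well-funded attacker
    for label, bits in [
        ("8-char typed password", passphrase_entropy_bits(PRINTABLE_ASCII, 8)),
        ("6 Diceware words", passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6)),
        ("AES-128 key", 128.0),
    ]:
        print(f"{label:24s} {bits:6.1f} bits  ~{expected_years_to_guess(bits, rate):.2e} years")
    print("words to match AES-128:", words_needed(DICEWARE_LIST_SIZE, 128))
    print("example:", generate_passphrase(SAMPLE_WORDS, 6))
```

The point the numbers make is that the cipher's "trillions of years" only applies to the key; a short memorable password is guessed in hours, and it takes about ten random dictionary words before the passphrase is no longer the weaker of the two.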
