Is Encryption Really Secure?
from the things-you-might-not-have-thought-about dept.
taustin continues: "I made a disturbing connection the other day between PGP (or any encryption program) and the many security vulnerabilities that keep cropping up in web browsers and mail clients. It seems we don't go a week without some new way for a 'hostile web site' or 'malicious email' to read files from our hard drives. These are usually downplayed, because, in general, they can only read, not write to or delete, files, and because one needs to know the exact file name and path to exploit them. How easy is it to guess at the path and file name of a file that could be damaging for someone to just read?
Encryption relies on keys, which are kept in keyrings, which are computer files; and those keyring files have a default install location; and while that default location can be changed, the program still keeps track of where it is. In the case of PGP, this is a file called PGPprefs.txt, and that has a default location that (as far as I know) cannot be changed. And if it can be changed, the location of the preferences file has to be stored somewhere.
So it looks to me like it wouldn't be all that tough for someone who knows how to exploit one or more of these vulnerabilities to just grab someone's entire private keyring if they don't have all the patches installed.
What's really disturbing is to compare all this to current 'sneak-and-peek' search warrant practices - where police agents can break into your home or business to conduct a search without having to tell you, before or after, that they've done so. It is not entirely clear if such searches are illegal now, but they would be sanctioned by bills like H.R. 2987, the Methamphetamine Anti-Proliferation Act of 1999. With the ability to remotely steal a private key, without even having to enter your home, and legal sanction to do so, there are frightening possibilities.
Having the keyring, of course, is not quite all there is to it. Keyrings are protected by passphrases, as well. But passphrases are not as secure as encryption keys themselves are - they are chosen by the user, and most will fall to dictionary attacks very quickly.
So what are good practices to adopt when using encryption software? Should one keep the keyring on a floppy disk, and never have it in the computer when it's connected? Should PGP (and other encryption programs) be changed so that the user has to manually identify where the keyring is whenever the program starts? Is it possible to make the program as safe in Real Life as the algorithm is mathematically?"
Weakest link in any crypto is... post-it notes! (Score:3)
Encryption is necessary, but not sufficient (Score:3)
Rather, what you should remember is that 'if it is not encrypted, it is not secure'.
Personally, I think it is more important to get encryption in there - even with *bad* practices - than to worry about getting the last 1% of security from already-encrypted apps. For example, going from telnet to ssh with password-sending (your password is encrypted in transit) is a huge leap in security. Going from ssh password-sending to public-key authentication is only a small extra step, if anything. Choosing a long passphrase, or going from Blowfish to 3DES, are pretty unimportant for most people. Few crackers are going to see encrypted bits going over the wire and attempt to crack that - even if the passphrase might only be quite short. More important to focus on replacing the existing highly insecure protocols such as NFS.
Re:I thought the keyring was encrypted (Score:4)
There are, however, many more than 26 words...
Thus, an eight word pass*phrase* is -vastly- more difficult to dictionary-attack than an eight character pass-word-. If this isn't powerful enough for you, add more words... gpg and pgp allow some silly length of passphrase.
But supposing there are 10000 words in the english language (and that your passphrase is in english, but why should it be? Even we under-cultured americans take some token foreign language class and can cobble together a sentence or three in another language...), well, then, an eight word passphrase has 10000^8 = (10^4)^8 = 10^48
(ie, "this is my secret passphrase dont you know" is different from "This is my secret passphrase, don't you know." is different from "THIS IS MY SECRET PASS... " eh, you get the idea.)
In short, passphrases are not vulnerable to dictionary attacks if your passphrase is a reasonable length. (Or rather, the removal of a few orders of magnitude from the problem will not make it crackable on today's hardware, and when it -does- make a difference, brute force will be only a few years behind, the same way that 8 character passwords are brute-forceable today and were only dictionary attackable a few years back...)
Though, it would be advisable to avoid using famous lines and quotes, since the first passphrase dictionary attack attempt would almost certainly include the 'to be or not to be' speech with various truncations, the first line and chorus line from every top forty song in the last fifty years, etc.
Also, remember, most dictionary based cracking tools try substituting zero for 'O', four for 'A', etc, to match 31337 'spelling' styles, and trying all the case combinations... so those obfuscations don't really help.
It -does- help to try something like, taking the first letter of every word in a sentence, like,
'I'm going to obfuscate my password' -> 'igtomp', which you can then capitalize or obfuscate at leisure (though -nothing- will make a six-character password secure, so use a longer sentence!); this gives the benefits of passphrases (memorizability) even for passwords that have to fit in some small space (like 32 characters or whatever, where a password spelled out might be short enough to still be dictionary vulnerable because it's only 5 words instead of 8 to 10... )
Anyway, that's my thoughts for to-day.
Parity Odd
--Parity
Use some common sense (Score:4)
Another good assumption is that the intelligence services prefer breaking fingers to keys. Why waste a billion dollars in computing power when you can simply crack the guy's fingers unless they give you the key?
A third one is that they aren't usually that interested in your pr0n collection.
(Yes, they're stolen from Applied Cryptography. But it's good advice.)
-henrik
ibutton (Score:5)
PPS (Score:3)
To solve for this, I'm writing a specification for transparent encryption of email using standard MUAs. Please feel free to check out the PPS homepage [ajs.com], which will be moving to SourceForge sometime RSN (basically, I'm just waiting to get over the learning curve at my new company). The nice things about PPS are that it does not require that a user know their email is being encrypted and that it does not require a specific encryption back-end (its design assumes something PGP-like, but you could easily adapt any public-key system).
Let me know what you think, and send me email if you have any questions at all. Thanks!
To answer some questions (Score:3)
One of the points made in Secrets and Lies is no, you can't make it as secure. At least, not without much effort. For your PGP data to be really secure you would have the key in ROM, on some sort of PCMCIA type card, and locked in a safe when not in use. The message would be encrypted on a computer that's not on a network, and the encrypted message would be put on a floppy and sneaker-netted to the networked pc. Due diligence would be used in selecting the public/private pair.
The real question is, how secure do you need the data to be? Secure for a few hours to days (tactical) or secure for a few years to forever (strategic)? For tactical, PGP is Good Enough. For strategic(in text messages) a one time pad is required. Also, who is it secure from? Your annoying kid brother, or the NSA/GCHQ? That, too, determines what security you use.
Re:I thought the keyring was encrypted (Score:3)
Security is NOT absolute (Score:4)
So, for example, my private email communications with my friend in New Jersey are done using GPG. We both have 1024 bit keys. Do I store my private key on some non-interceptible media? Do I have my computer room tempest shielded? No, of course not. But why should I? The risk of my emails being wanted by anyone other than my friend is not very high. My only reason for encrypting our communication is to make it difficult for casual snoops. And given my friend's and my relative importance in the world, those are the only people who will try to eavesdrop on our communication. I'm sure that professional snoops would easily be able to get our communication without our even knowing it. But I'm also pretty sure that there are no professional snoops running around even trying to read our email.
My conclusion: GPG is good enough, because the relative risk is very low. Is the exact same set up good enough for communication between the President and the National Security Advisor when talking about issues of national security? Probably not. (Ignore for the moment that the Pres has sworn off email.)
My point: you can't answer the question of "is PGP (or GPG) secure enough?". The answer depends on what you're trying to protect.
The Golden Rule of Encryption (Score:3)
Encryption is secure, people aren't.
Like the poster states, the biggest problem with the encryption tools is how well we use them. The safety of today's encryption standards is very good. For the average user, and even most users with high security needs, today's encryption tools provide enough safety to make any attempts at decryption just not worthwhile.
But, the only way to make it work is to make the encryption just one part of a total privacy methodology. It has to become a habit and not an afterthought. Because if it's not a central part of your practice, mistakes will be made, and data will be compromised.
Don't rely on defaults. Know where your data is. Know what's encrypted and what isn't. Know who has access to your information. Yes, it's difficult, but it's necessary. We are in the middle of entering a stage of humanity when the free flowing of information will be both a blessing and a curse. The information we need to survive will be easier to find, but at the same time, the information we need to keep from others will be harder to secure. Rather than thinking of security and encryption as just a "Spy thing" we have to think of it as a normal part of our everyday lives, much like shopping online has become a regular thing, when it was just a novelty a few years ago.
It will be hard, and not everyone will care, but eventually we'll get there.
--
Re:I thought the keyring was encrypted (Score:4)
For a dictionary attack, it wouldn't get it. For a brute force attack, using the 93 or so characters.. "IlovetuxIlovetuxIlovetux" - that's 24 characters. There are 93 permute 24 options for that, or 6.75e45. Now, to be fair, starting with one digit characters, there are a total of 93 P 24 + 93 P 23 + 93 P 22 ... + 93 P 1 - or 6.856e45. A brute force attacker will give up before then, because even if you can do 1,000,000 tries a second with a really fast computer, it will still take 2.174e32 years. Now, even if you limit your passphrase to say, the set a-z, there are still 2.89e26 combinations. A million per second (which, AFAIK, is much higher than you can expect to get in scenarios such as this) and you'll still need 9.16e13 years.
The real weakness comes when your passphrase is say, 6 characters long and no punctuation (and the latter is known to the attacker) - then you have only 1.49e10 combinations, which will be solved by our fictional computer in just under 2 days.
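The two posts above (the one on eight-word passphrases and first-letter acronyms, and this one on brute-forcing 24-character strings) both reduce to counting candidates. The following is an editor's added example, not code from the thread or any poster: it computes the search space with every position chosen independently (so symbols may repeat), converts it to bits and to worst-case time at a fixed guessing rate, and implements the first-letter-of-each-word trick. The 93-character, 26-character and 10,000-word alphabet sizes are the posts' own estimates; the one million guesses per second rate is the figure the post uses, and the "acronym" row is an upper bound, since first letters of English words are far from uniformly distributed.

```python
# Added example (not from the original thread): size up the search space an
# attacker faces for the password and passphrase styles discussed above.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
PRINTABLE = 93          # the post's estimate of typeable characters
LOWERCASE = 26
DICTIONARY = 10_000     # the post's estimate of common English words


def keyspace(alphabet_size, length, exact_length=True):
    """Candidates when every position is chosen independently from
    `alphabet_size` symbols (so symbols may repeat). With exact_length=False,
    also count every shorter length down to 1, as an attacker who does not
    know the length has to."""
    if exact_length:
        return alphabet_size ** length
    return sum(alphabet_size ** n for n in range(1, length + 1))


def entropy_bits(candidates):
    """Equivalent key strength in bits."""
    return math.log2(candidates)


def years_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def acronym(sentence):
    """First letter of each word, the post's trick for fitting a memorable
    phrase into a short password field:
    'I'm going to obfuscate my password' -> 'igtomp'."""
    return "".join(w[0] for w in sentence.split() if w[0].isalpha()).lower()


def compare(guesses_per_second=1_000_000):
    """Rank the schemes the thread mentions by bits of entropy.
    Returns a list of (name, bits, years) sorted weakest first."""
    schemes = {
        "6 lowercase chars": keyspace(LOWERCASE, 6),
        "8 printable chars": keyspace(PRINTABLE, 8),
        "24 printable chars": keyspace(PRINTABLE, 24),
        "5 dictionary words": keyspace(DICTIONARY, 5),
        "8 dictionary words": keyspace(DICTIONARY, 8),
        # Upper bound: first letters of real words are not uniform over a-z.
        "acronym of 10-word sentence": keyspace(LOWERCASE, 10),
    }
    rows = [(name, round(entropy_bits(n), 1), years_to_exhaust(n, guesses_per_second))
            for name, n in schemes.items()]
    rows.sort(key=lambda r: r[1])
    return rows


if __name__ == "__main__":
    for name, bits, years in compare():
        print(f"{name:30} {bits:7.1f} bits  {years:10.3g} years at 1e6 guesses/s")
```

Running it prints the six schemes weakest first; the six-lowercase-character password falls in well under a day at a million guesses per second, while the 24-character string and the eight-word phrase are out of reach by dozens of orders of magnitude. The rate is the parameter to argue about: a keyring file an attacker has copied can be attacked offline on whatever hardware they own, so the number that matters is their rate, not a network login limit.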
Semtex. (Score:3)
Or did you mean things like making sure the key is only used on YOUR private system and to keep the private key ring on a floppy that's with you at all times?
In addition... (Score:3)
Jason
Re:Some ideas.... (Score:3)
3) Keep up-to-date software. Remember the pgp 6.5.1 problem ? (I don't know if I have the right version, but it was something to do with not generating sufficient random numbers - although someone will probably correct me)
Not sure what you're referring to. "Recent" bugs in PGP include:
Hope this helps?
Re:Some ideas.... (Score:3)
Hey - I'm involved with Scramdisk [clara.net] - I'm not going to help you ;)))
Read my FAQ! (Score:5)
Interesting story - you may like to look at my PGP DH vs PGP RSA FAQ [clara.net].
To quote the FAQ:
8.2. Get the threat in perspective!
The NSA (probably!) aren't specifically interested in you. They aren't going to break into your house to install bugs, or monitor your screen from a block away. They will however collect all of your messages sent over public networks.
PGP protects you from one form of monitoring - Echelon or other passive network sniffing. When your messages are captured by this global monitoring system, along with millions of other messages a day, the NSA can possibly decide to try and decode your message.
The most significant threat to PGP comes from user sloppiness. It is far easier to install a keylogger on your computer, install a trojan version of PGP, or bruteforce your passphrase than to break any of the cryptographic mechanisms employed by PGP.
If you are seriously worried about Intelligence Agencies actively monitoring you, then the last thing you should be worried about is them cryptographically attacking your PGP crypto implementation!
I'm currently working on a new version, and the ToDo list is here [samsimpson.com].
Re:In addition... (Score:3)
The government wants to routinely intercept all communications. By forcing them to break into your house to install keyloggers you vastly increase the cost of spying to the point where it isn't economic to spy on everyone.
Keyloggers are still hassle though - especially if people use multiple computers / change keyboards etc.
Re:How many anger-inducing stories will /. post? (Score:3)
Next time, how about reading the article before going off half-cocked? As usual, the Slashdot story has a less-than-accurate summary line. However, if you read the last paragraph (i.e. where we get to the actual question after wading through the background material), it reads "So what are good practices to adopt when using encryption software?". The supplicant then goes on to ask about some particular possibilities for improving overall security (such as keeping your key on a disk). Given that security practices are often as important as security software, I don't see where the problem is.
As far as possible solutions go, one interesting possibility might be dynamically generated chroot jails for network clients. For example, every time I start up lynx, my ~/.lynxrc and ~/lynx_bookmarks would get copied to ~/lynx-jail. Lynx would then be run out of ~/lynx-jail using a dynamically generated "nobody" user account. After lynx terminates, the config files get copied back and any saved files get chown'd over to my normal user account.
All this worry about encryption (Score:5)
AOL'ers so stupid they type PayPal Id's and passwords into bogus email, which forwards this on to a mailbox somewhere. (I got the spam but spotted the bogousity immediately.)
Security holes in M$ IIS so big that it gets hacked on a regular basis, because either there are so many holes or admins can't/don't keep up. So much for a quality product.
People who open email attachments (let alone use clients well known for their integrated virus vulnerability) even when this sort of scare has gone on for years.
People write passwords on Post-It notes and leave them in their drawers, or quelle horreur on the monitor.
We have met the enemy and he is us. Never was more true.
--
Keyrings are as secure as the passphrase (Score:3)
The whole point of a passphrase is to use a phrase. That means more than one word! I compose a nonsense sentence with misspellings and other substitutions that make it virtually impossible to guess. Go with the suggestion of nonsense obscenity--mix in a variety of misspellings and obscenities into a usually innocuous phrase. Mix in numerics as any 31337 hax0r would (only don't stick to the 31337 rules) and you have something unguessable. There is no need to write it down, since it is memorable to you. If you need to, write yourself a hint that leads obliquely to the phrase. Someone will still have to spend a lot of time to recover a 50-60 character sentence to decode your keyring.
PGP helps my courtship. (Score:5)
But there is another demographic that uses it: Lovers.
I have been trying to court Heidi Wall and save her sweet innocence from that bastard offspring of de Sade, shoeboy, for some time. PGP allows me to talk to her and my friends who are aiding me in complete secrecy. By using PGP, I can be much more open in my billet doux than I would ever dare to be normally, as I am sure that third parties are not watching over my shoulder.
Speaking as a virgin, and one who has reserved his heart for one girl and one girl alone, I can say that PGP is enormously useful to me in my courtship. I hope that it further breaks out of its criminal ghetto and is used by lovers everywhere.
If you are courting a girl, try PGP. It helps you reveal your heart.
KTB:Lover, Poet, Artiste, Aesthete, Programmer.
Do you know what PGP stands for? (Score:5)
I think what you want is the upgraded version, DGP (Damn Good Privacy), or perhaps UFBP (Unfucking-Believable Privacy). We're expected to release those upgrades Real Soon Now (tm).
PGP manual, absolute security, human users (Score:3)
There was already a Word macro virus Caligula [f-secure.com] that attacked the PGP secret keyring and mailed it to codebreakers.org, circa 1998.
You are mainly concerned with your private key ring, since loss or corruption of that would be the most damage. If the public key ring was modified you could alter local trust of a specified key, but it could not sign a public key without the private key.
As others have stated the private key itself is protected by symmetric encryption (e.g. IDEA, TripleDES) and you need the passphrase to unencrypt this encryption. So, a private key protected by a poor passphrase could be brute forced using a fast dictionary search tool, similar to Alec Muffett's crack for Unix passwords.
There are several ways to increase the security without irritating the user, such as using a floppy based key ring, using a smartcard [linuxnet.com] memory card to store your own public/private keys, using a Dallas iButton, a removable PCCard (PCMCIA) storage device, or using a crypto smart card that stores your own private/public key, and does the RSA calculations on the card, designed in a such a manner as the keys cannot be extracted from the card. This gets into Differential Power Analysis [cryptography.com] (DPA) and tamper resistance [cam.ac.uk] attacks.
For a high security application, you could consider a hybrid smartcard and PDA (e.g. Palm), which forms a small trusted computer. Of course most security experts wouldn't call an out-of-the-box Palm and PalmOS a trusted platform, but it's an example of a smartcard with a direct human interface (human input & output), rather than trusting a larger more complicated computer which is also more flexible because it is designed to be general purpose. Some 3G cell phones plan on having similar smartcard interfaces I believe. I think Nokia had a prototype. Of course since there have been some trojan SMS messages already seen in Europe, and with WAP expected to expand its capabilities rather than die, you can expect this to be a more virus friendly platform as cellphones evolve.
While Bruce's Secrets and Lies shows his change of heart from the absolute security through cryptography that he and cypherpunks dreamt of in the early 90's, he now understands that absolute security in a practical system is a myth, and wants readers to think like engineers in weighing trade-offs, how easy to use versus how secure, and how expensive vs. how secure. It is not a reason to give up on cryptography, but to realise that in designing and working with secure systems you need to look at more than just which neat cryptographic algorithms to use.
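The post above says a private key under a poor passphrase falls to a fast dictionary tool, and an earlier reply notes that such tools already try zero-for-O, four-for-A and every case combination. The following is an editor's added example of exactly that attack, not code from the thread or from PGP. The key wrapping is a stand-in for PGP's string-to-key and symmetric cipher: PBKDF2 (from the standard library) derives a key-encryption key, an HMAC-SHA256 counter-mode keystream masks the key material, and a short checksum of the plaintext is appended before encryption so that a correct guess is recognisable, which mirrors the checksum PGP stores alongside the encrypted key. The iteration count is deliberately low so the demo is quick; the key bytes, salt and word list are constructed for the demo.

```python
# Added example (not from the original thread): a dictionary attack with
# mangling rules against a passphrase-wrapped private key. The wrapping is a
# stand-in for PGP's S2K + symmetric cipher, not PGP's real format.
import hashlib
import hmac

ITERATIONS = 1000   # low so the demo runs quickly; real S2K counts are far higher
CHECK_LEN = 4       # bytes of plaintext checksum appended before encryption
LEET = str.maketrans("aeios", "43105")   # the 'o'->'0', 'a'->'4' style substitutions


def _keystream(kek, length):
    """HMAC-SHA256 in counter mode; stand-in for the CFB-mode block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _kek(passphrase, salt):
    """Key-encryption key from the passphrase (stand-in for PGP's S2K)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def protect_key(secret_key, passphrase, salt):
    """Wrap secret_key under passphrase; returns the ciphertext blob."""
    payload = secret_key + hashlib.sha256(secret_key).digest()[:CHECK_LEN]
    ks = _keystream(_kek(passphrase, salt), len(payload))
    return bytes(a ^ b for a, b in zip(payload, ks))


def try_passphrase(blob, passphrase, salt):
    """Return the secret key if passphrase unwraps blob, else None."""
    ks = _keystream(_kek(passphrase, salt), len(blob))
    payload = bytes(a ^ b for a, b in zip(blob, ks))
    key, check = payload[:-CHECK_LEN], payload[-CHECK_LEN:]
    return key if hashlib.sha256(key).digest()[:CHECK_LEN] == check else None


def mangle(word):
    """Yield the variants a cracking tool tries for one dictionary word:
    case changes, 31337 substitutions and a few common suffixes."""
    seen = set()
    for cased in (word.lower(), word.capitalize(), word.upper()):
        for base in (cased, cased.translate(LEET)):   # LEET only maps lowercase letters
            for suffix in ("", "1", "123", "!"):
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def dictionary_attack(blob, salt, wordlist):
    """Try every mangled variant of every word.
    Returns (passphrase, secret_key, guesses) or (None, None, guesses)."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            key = try_passphrase(blob, cand, salt)
            if key is not None:
                return cand, key, guesses
    return None, None, guesses


# Constructed demo data: not a real key, salt or wordlist.
DEMO_SALT = b"\x5a" * 16
DEMO_KEY = b"-----constructed private key material-----"
DEMO_WORDS = ["tux", "linux", "secret", "password", "letmein"]

if __name__ == "__main__":
    # "password", capitalised, 31337-spelled, with a '!' on the end: falls in dozens of guesses.
    blob = protect_key(DEMO_KEY, "P455w0rd!", DEMO_SALT)
    print(dictionary_attack(blob, DEMO_SALT, DEMO_WORDS)[::2])
    # A multi-word nonsense phrase is simply not in the candidate set.
    blob = protect_key(DEMO_KEY, "glib ferret outranks nine chairs", DEMO_SALT)
    print(dictionary_attack(blob, DEMO_SALT, DEMO_WORDS)[::2])
```

Two things carry over to the real tools. First, the checksum is what makes the attack offline and silent: the attacker never needs the victim's machine after the keyring is copied, because each guess can be verified locally. Second, the mangling rules are why "P455w0rd!" is no better than "password"; a multi-word phrase the word list cannot generate is what pushes the attacker into the brute-force territory the earlier posts estimate.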
Some ideas.... (Score:5)
2) Make your passphrase something stupidly difficult. Even two words without spaces is n^2 (where n = number of words you know, probably about 30,000 if you're averagely(sic?) smart) harder to crack.
3) Keep up-to-date software. Remember the pgp 6.5.1 problem ? (I don't know if I have the right version, but it was something to do with not generating sufficient random numbers - although someone will probably correct me)
4) Treat all unencrypted email as public domain. Consider it read by your boss, IT department, the recipient's boss and the recipients IT department.
5) Treat all encrypted stuff as just encrypted for a certain period of time. All those encrypted archives that people made 10 years ago ? With today's tech, it'll probably be just a matter of hours before they're all plain text again.
6) Use cryptology for messages that don't require it - otherwise only the interesting stuff will be attacked
That's my 0.03 EUR. Chances are I've kept some gaping holes in there, but what the hell - have to make some posts sometimes....
Re:Some ideas.... (Score:4)
Also, you can make use of the PGPDisk feature in recent versions of PGP. Make an encrypted PGPdisk and store your key in there. In windows, whenever you want to encrypt something, you mount the PGPDisk (under an assigned drive letter) with a password. Until you enter this password, this drive does not exist. If someone finds the PGPDisk file, they still have to crack that first. And if the PGPDisk file happens to be on the order of 100MB in size, it will be difficult to move around undetected.
That PGPDisk may also be stored on your favorite removable media to be taken with you wherever you go.
So there you have it, redundant password protection, a hint of storing the key in an obscure place, and a fairly large encrypted file that may be difficult to yoink without passing under some network traffic radar.
Now if only someone could point me to a FAQ or How-To set up a PGPDisk (preferably compatible with the windows-PGPDisk standard) or other encrypted loopback device, that would really help me out.
My dear boy (Score:5)
Speaking as Slashdot Playboy since 1997, I feel I am qualified to advise young pups such as yourself on the appropriate etiquette when wooing a young lady such as this.
I recommend you make the young lady feel in control. Remember - you are a love god and she is your willing pupil. Young ladies love a man who can show her who is boss. Speak firmly but not roughly to her.
Do not suggest PGP to her, tell her that you will be using PGP.
Hold this young lady by the hand. Carry her over the romantic threshold. Slather her in kisses. Make your own provision for prophylactics. Buy her a single red rose. Whisk her off to Paris. Do whatever it takes.
Show this feisty young lady you are in command. Fear not the monstrous shoeboy, with his rough and ready approach to women. You shall woo her like she's never been wooed before and will never be wooed again.
--
Slashdot playboy.
Slashdot love god since 1997
How many anger-inducing stories will /. post? (Score:4)
If you're going to ask questions like these, you have to say, "well, is any security really secure?" And the answer to that is of course "no". "You almost certainly don't own a secure computing system with physical access controls, TEMPEST shielding, "air wall" network security, and other protections." DUH! How is this insightful? How does this lead to any meaningful solution to the problem? So what, just stop using encryption? So what, just stop assigning a root password?
This Ask /. implies that it doesn't work at all and that we aughta just stop using it. Why? Because there's no answer - there's no solution. You can't just have everyone shield their PC's from TEMPEST - and of course, exactly how many people are getting scanned in the first place? Not everyone is willing to drop their PC into a vat of concrete with no net connection to keep people from sitting at it to gain access.
So what's my bottom line here? "Is encryption really secure?" Well, as I mentioned, nothing is really secure, so the answer is "no". Of course then again, security works 99% of the time (or a little less), so let's just keep using it and not ask stupid questions like these. They've been thought about before.