Forum

Etech,

If I recall, the AES encryption standard is a virtual "1 rotor" version of the German Enigma machine from WWII. This can be broken by a brute force in a reasonable length of time if you have the compute power (and 3 letter agencies do). The PGP (Pretty Good Privacy) encryption is better, particularly if you use a 4,096 bit encryption key. But this, too, can be broken eventually. Using a large key just raises the amount of work involved.

Bruce Schneier http://www.schneier.com/ writes a lot about encryption – what works, what doesn't, and how long to expect your encryption to remain safe. I think what he says can be trusted.

Last time I was reading up on this, the summary was that any encryption which is convenient, can also be broken eventually. Those encryption methods which are more secure are inconvenient, and are attacked not through decryption means but through human-factors.

Good luck,

Bear

Eteck,

I've heard that a one time pad built with a true random number generator, and used correctly, would be impossible to break because there is no pattern to attack. I don't have the advanced math skills to prove or disprove this, but I think it's intriguing.

The big disadvantage to a one time pad, of course, is that you have to have planned ahead of time and have a one time pad on both ends.

One possible improvement to the one time pad that my little brain has tripped over is the idea of not just having single characters and symbols in the table, but common combinations of letters "tt", "tl", "nn" and even whole common words "the", "is", "an", "move", "go to", to further defeat pattern breaking.

Just a thought.

Bear

Bear/Etech,

Good thoughts on encryption. Along with turning up my winmor setup, my plan is to incorporate encryption into my commo needs as well. Any thoughts to get me headed in the right direction?

MCF

First, a hearty second on Bruce Schneier's book and anything by Schneier. He just published Liars and Outliars on the subject of trust. He also has a great site at schneier.com with loads of stuff on security issues.

Another thing is email encryption using Gnu Privacy Guard (GnuPG or GPG). This is the open source version of PGP (Pretty Good Privacy). I use Thunderbird so I have a plug in called Enigmail that acts as the interface with GPG. There are plug ins for other email clients as well.

GPG is an asymmetric encryption program. This means that there are two pass keys. One is your private key that you generate with a pass phrase. You never ever give it out. When the private key is generated you also get a public key. Anyone can have your public key and they are available on public key servers.

If you want to send an encrypted email to someone you encrypt the message using the recipient's public key. Only the recipient can decipher the message as he has to use his private key.

The other thing that GPG does is allow the use of encrypted digital signatures. This gives assurance to the recipient that the sender is really who he says he is just in case his email account was hijacked.

To apply a signature you check the box and then apply your private key. The receiver's email client checks your signature against the public key and flags it as valid or bogus.

I can't vouch for other interfaces other than Enigmail but the installation instructions are very good. It takes you about 15 minutes to go through the process. I do use a separate account as you can't use such nice things as html.

Enigmail: http://enigmail.mozdev.org/home/index.php.html

Some other neat resources:

Parisien Research Freeware: encryption, file shredding, etc.

http://www.parisien.org/archive.htm I use VGP as well as the shredder.

Free as well as inexpensive encryption software from Invsoftworks. Kryptel can be used to perform mass encryptions of multiple files. I have used the free Iron Key for encrypted transmissions.

Openstego: http://openstego.sourceforge.net/

Steganography permits you to embed files in images. It alters the least significant bits in the image so that the image looks unchanged. When you decrypt, the hidden file is revealed. Steganography goes back to the Greeks who tattooed messages on the shaved heads of couriers. After the hair grew back they were sent on their mission. This was not for urgent messages. I think the couriers were also one use only.

Of historical interest, a free simulator for the WWII German Enigma machine: http://users.telenet.be/d.rijmenants/en/enigmasim.htm This is a lot of fun to play with.

That's been on my list too. Easy enough to try even PC to PC, just haven't gotten around to it.

We're using EasyPal on 2m via repeater and also 6 meters SSB and FM. I'm not sure what the loading of an image does but EasyPal will resize so that's a concern. But, once loaded the actual transmission is digital and error corrected so the transmitted image should be faithful to the original.

This truly is a thread that interests me since I've been using a steganography utility (WINHIP from http://homepage.cs.uri.edu/courses/fall2005/hpr108b/Software.html) to place encrypted data within photos. I figure that, with all the digital picture swapping that folks do, there's no sense in drawing attention to yourself with a pgp announcement on your email text.

As a programmer in a previous life I wrote a short utility that creates One Time Pad (OTP) files of various lengths which can be used to either manually (with pencil and paper) or via the utility (if the medium is electronic) encrypt and decrypt information. The OTP pad file selected is automatically wiped clean (5 pass wipe) after either encrypting or decrypting with it. Obviously, if utilized in the manual method where you've printed the pad file to a piece of paper, you must destroy the evidence yourself.

Having the capability to encrypt or decrypt without the use of a computer would be paramount in many situations and using a relatively secure OTP method would defy all but very intense computer resources.

If anyone is interested in the utility or the code listing (in VB 6.0 or a 'no-frills' version in QBasic) let me know how to get it to you since there's no file depository available within the forum.

Good to see a 'pool of knowledge' however the original intent was to get others (zero encryption knowledge) to using some means of securely communicating.

No matter if AES, PGP, Steg or OTP – PRACTICE is an absolute requirement. After a significant event there likely won't be time to practice. People 'attempting' to use encryption will make errors, we all have, practice now and avoid those errors later…