Re: Newbie naive question, perhaps - - be kind
Available news archives: comp.lang.tcl - comp.lang.python - comp.security.firewalls - sci.crypt - comp.lang.php - comp.lang.javascript
Google
 
Web news.hping.org


sci.crypt archive

Re: Newbie naive question, perhaps - - be kind

From: Peter Pearson <ppearson@nowhere.invalid>
Date: Sun Oct 16 2005 - 01:43:31 CEST



Arthur wrote:



> I'm merely a potential end user of some form commercial encryption


> program primarily to protect some sensitive psychiatric case histories


> (as well as other files) from the curious eyes of the computer service


> kids.


> 


> 1) Some of the commercial programs, such as Cryptainer, seem to suggest


> that their  encryptions are essentially unbreakable


[snip]


> . . . Yet they suggest long passwords or


> pass phrases to make hacking these passwords "more difficult."


[snip]


>  isn't the program as weak as its weakest link, e.g. the 


> password??



Exactly. If guessing your password is easier than guessing


the encryption key, then it is the weaker of those two


particular links. Today's respectable cipher uses a 128-bit


key, the guessing of which would require about 2^128 = 10^38


guesses. Given that there are only about 2^19 words in the


English language, a simple password will be easier to guess.


So take their advice: choose a password that will be hard


to guess.



> 2) if these encryption schemes are so unbreakable, and commercially


> available, why haven't I heard news items describing "terrorists" and


> their use of unbreakable encrypted e-mail ("tomorrow at 10:15, Sidney,


> we light the fuse")?



Actually, one does occasionaly hear of law-enforcement actions


thwarted by cryptography. Of course, the thwarted officials


have good reasons to avoid publicizing the products and


techniques that stump them.



> Can I assume that "hackability" or unbreakability


> is merely a matter of degree, and that the police or local computer


> repairman will in all likelihood be intrigued in my newly encrypted data


> files and e-mail and therefore try all the harder to see what's within?



With a respectable encryption program like PGP or GnuPG,


nobody can decrypt your data without the password. If you


pick a good password and don't put it on a yellow sticky 


note on your monitor, they'll just have to beat it out of


you or get along without your data.



-- 
Peter Pearson
To get my email address, substitute:
nowhere -> spamcop, invalid -> net


Received on Mon Oct 17 20:48:20 2005