What Encryption softwares do you use?

Essentially, a "good encryption scheme" should achieve security against chosen-plaintext attacks (i.e., IND-CPA), but what we really want to end up with is security against adaptive chosen-ciphertext attacks (i.e., IND-CCA2), which is why we apply a "good authentication scheme," which should be strongly unforgeable under chosen-message attacks (i.e., SUF-CMA), to the ciphertext of the aforementioned good encryption scheme. In addition to the robust confidentiality that IND-CCA2 provides, we also want robust integrity for our ciphertext, or INT-CTXT.

If we first encrypt with AES-CBC (i.e., IND-CPA secure), then authenticate the resulting ciphertext with AES-CMAC (i.e., SUF-CMA secure), we end up with is IND-CCA2 /\ INT-CTXT security, and that's about as good as it gets. In other words, IND-CCA2 /\ INT-CTXT captures the strongest notions of confidentiality and integrity that we currently have, in the symmetric sense. Our [Vincent and myself] work on green cryptography is about recycling the AES alone, in order to minimize implementation complexity and maximize cryptographic security.

I'll have the extended, unedited draft online soon, to share.

I haven't used it, but it seems to be on par -- feature-wise -- with software like TrueCrypt. However, having not used it, I can't say much about it. Assuming its implementation is sound, it's probably decent, since it uses good block ciphers in a good disk encryption mode of operation.

 

Has anyone here used Dekart Private Disk? They have many different encryption options. I remember reading good reviews about them several years ago. I may take it for a spin, and see how i like it. http://www.dekart.com/products/encryption/ http://www.dekart.com/free_download/

 

Justin, thanks for taking the time to expand on "good authentication" and the notion of robust integrity as it is paired to the concept with which most of us are more familiar: encryption itself. I actually spent quite a bit of time thinking about this in conjunction with your work in green cryptography.

I'm wondering if you see symmetric encryption as inherently more amenable to the some of the goals that you've outlined for green cryptography, especially since you stated at one point that you were interested in tailoring cryptography to fit the shape-shifting model of communication we see on the internet. Regardless, you've set off some thoughts about designing communication models based on differing encryption schemes that might help me advise others on how to visualize and simplify internet key exchange, for instance.

I'll look forward to the unedited, extended draft of what I assume is the IEEE paper, when it is ready.

 

While asymmetric cryptography can achieve very similar notions of security, all of this work is definitely geared towards symmetric cryptography; more specifically, it's focused around symmetric authenticated encryption and its relation to the data exchange part of communication. Key exchange is a beast of its own, and probably a bigger one. Nonetheless, we hope that this work will present some design cues that will come in handy even outside of the scope of the work itself. I'm ultra-enthused about this stuff and where it's going.

This extended draft is essentially a "master" paper that was born out of my first IEEE paper, on the virtues of mature and minimalist cryptography; it was also from this draft that the two-part series introducing green cryptography, by Vincent and me, was adapted by IEEE. It will be available in a couple of days.

I'm currently putting together the paper on Mackerel, which focuses a lot more on better usability of cryptography via abstraction, as well as the realignment of cryptographic and communication models. One of the key points will be that we often pay attention to the data at hand -- what it is we're specifically trying to protect -- while forgetting about the contextual and residual fragments surrounding that data. If green cryptography is about assembling the implementation the right way, then Mackerel will be about applying that implementation to the right stuff.

 

Using AxCrypt, LastPass and Tor.

 

There are 3 major points of weakness in encryption concept, so choosing right application should IMO go something like this:

1. Application may have faults in its design and algorithm usage or even have a back door and is in some relationship to "you know who". Best way to minimize that threat is to use open-source apps that have been around for a while, and we can have some assurance it doesn't have back-doors and is working flawlessly.

2. You have a encrypted data and a "bad guy" wants it. As Schneier said (not a quote), the "bad guy" will not try to break the algorithm, because that would take too much energy and time. So the "bad guy" will try to interfere with the password input procedure; break the password or intercept the password. So if we are lazy and use only those 4 digit passwords or something that can be social-engineered for our persona (like important dates, pet names, favorite sports team, favorite movie etc.) or dictionary words (like sunshine, happiness etc), it won't take too much energy to find the correct password. And where would he find such info on us; i would start with social networks, and huge dictionary databases are all over the web.

3. If we did our homework and used good password with all possible sings etc, and it is impractical to bruteforce it, then our "bad guy" will try to intercept the password input. He will try to use hardware/software keyloggers (to minimize the threat, using on-screen keyboard could do the job most of the time) and clipboard loggers (using on-screen keyboard that has "drag and drop" option should prevent this). Then there are screen-loggers and click loggers, but these can be relatively easily detected since they use a lot of computers resources.

Only thing left for our "bad guy" is to steal or legally steal (confiscate) our machine. Then he will run a full forensics job on it, trying to find some peaces of original non-encrypted data that wasn't wiped out or some bits inside swap file. So wipe out your sensitive data, wipe free space on a regular basis or use full disk encryption.

Long story short: Use open source well known applications; use good long passwords; use on-screen keyboard when you are entering the password; wipe unencrypted data.

So much for my "wisdom" on the subject. Be gentle.

 

What are some other good opensource options for full disk encryption? Something that has most of the features that TrueCrypt offers. I'm trying Dekart Private Disk, and i love it. The only thing is it cost $65.00, and it is not open source. I don't know if there would be any way of knowing if Dekart has a back door. I would hope not. It's a really nice piece of software. I'm not an expert in encryption so i would be really interested in hearing what the experts have to say about it. Ok, any other open source suggestions?

 

DiskCryptor

It's open source, has better handling of dual-boot scenarios than TrueCrypt, but it only supports windows.

 

Sadeghi85, thank your for your reply. After making that post i found an excellent listing of encryption software on Wiki.
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

 

Maybe Freeotfe.org, its opensource, has portable version, no admin rights needed...

 

I would say that's generally good advice. One point about using only well-known, open-source applications is that it's not a matter of how many eyes can look at source code; it's whose eyes that's important. Oftentimes, open-source groups don't have the resources of commercial entities -- these entities of which can hire the right folks to sling the code securely. Neither model -- open or closed -- is inherently more secure, but being open certainly has the potential to reign king. I'm all for openness in security, but recognize that open-source may not always be suitable.

Here's the paper on green cryptography. (That links to a PDF, by the way.)

 

The “open source” versus “commercial entities” comparison is not, fortunately, an ‘either/or’ proposition. Consider that PGP, a commercial entity, provides open access to its core cryptographic source code and, in that way, combines the best of both approaches.

Are there other “commercial entities” that do likewise?

 

My thoughts were with PGP, exactly, as a balance between commercial openness; it makes good sense, all around. I like their products largely because of it.

I'm not sure of any, right off hand.

As for commercial, closed-source entities that I'd have confidence in, one example would by the System Integrity Team at -- believe it or not -- Microsoft. BitLocker exhibits the compromise of competent cryptographers; it's not ideal, but there's no questioning the know-how of those behind it.

 

This paper is a hoot! I love the embedded humor scattered throughout the document – it is very “AESthetic”! Example:

 

Haha, well I'm glad you enjoyed it!

I'm sure I have too much fun with it, but then again, how often do you laugh while reading a crypto paper?

 

Thanks Sadeghi85!
After doing several hours of research DiskCryptor has been the best alternative to TrueCrypt I have found yet for free open source full disk encryption. I really like the layout of DiskCryptor. If it's development is continued i believe it could compete with some of the commercial encryption packages in the near future.

 

oh thanks, Justin! I haven't had time to delve into the paper, yet. But I'll be spending a very enjoyable weekend with this.

 

You're welcome.

Don't forget to backup partition header(in DC GUI) and create unencrypted backup of your partition(set your imaging app to use VSS).

Unfortunately this program lacks proper documentation, but it's pretty good otherwise.

 

Great! I look forward to any feedback you might have.

I suppose I should be true to the thread's original focus, by saying that I like PGP Whole Disk Encryption. Encrypting the whole dad-blamed thing is the most conservatively safe bet, due to potential information leakage from contextual and residual data.

Also, I wanted to add that the first step to protecting data is to minimize the presence of data -- particularly in the case of a mobile device (e.g., laptop). Data that doesn't exist will always be the most secure. We tend to accumulate data, and given that storage is next-to-free, we are evolving into data-hoarders. And the little quip you've heard is true: data is the pollution of the information age. That, and we're really good at generating it, but really lousy at managing it. Ensure that you're lugging around only what you need; then encrypt that. Go easy on your threat model.

 

By the way guys, this is a post about what SOFTWARE you use, not a discussion on the lessons of Encryption, that you have so badly hijacked this thread with no respect for Cutting_Edgetech. So please in the future people let's show some forum etiquette and stay on topic. Granted your babbling on about encryption which is part of the topic title, but it was to ask what software you're using.

So next time you guys want to go off on a rant, start another topic!


I've always enjoyed going to Filehippo as a one stop for apps and to keep up with some of the latest versions there, rather then jumping from site to site for an update and I noticed they list TrueCrypt and AxCrypt, so it made me wonder about these two.

THANKS

 

While we did get deep in the rabbit hole, it was in reference to the good, bad, and ugly of the software mentioned in this thread. If we're going to mention what we use, then it seems prudent to share thoughts on the pros and cons of using it. But, it wouldn't be a bad idea to carry on with taking liberties, in a fresh thread.

 

It happens as with any good conversation it sometimes starts with one theme and leaps to another. But agreed, if you intend to continue and further discuss encryption create a new thread.

 

I found any post explaining the authentication or algorithm that the software used to be very helpful. Information about the softwares capabilities, and limitations would have also been appropriate for this thread. I'm at partial fault by not making the thread more specific. I believe any post made turning this thread into a debate is what caused this thread to become unproductive. Any post made challenging another member to defeat, hack, or crack an encryption software should have never been made in this thread. This thread should have been a reference of encryption software, and any technical information about the software.

 

So I'd like to hear about some more great encryption software...


THANKS