Choosing Encryption Packages

Discussion in 'privacy technology' started by Escalader, Sep 27, 2006.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I'm submitting a new thread:

    What criteria should one use for selecting an encryption package? Exclude price, since it might be good and free or good with a price, or vice versa. Price then is NOT a factor.

    I'm going to try AxCrypt 1st as suggested on throwaway files until I get used to the technology.

    FYI, PC World ranked 3 programs:

    1. DESlock+ 3.2.4, which has a free personal-use version, uses 3DES, AES or Blowfish
    2. Namo FileLock 3.10, but it has one of those proprietary algorithms
    3. T3 Basic Security for laptops, with the 128-bit CAST algorithm


    They recommended DESlock for home use.

    Has anybody got real experience + or - to share as opposed to just opinions on the thread subject with any or all of those?

    Here is a subset of postings made in the original thread twixt Devinco and myself.

    Originally Posted by Escalader
    Hey Devinco:

    Finally got back to this response here, thanks....

    "TrueCrypt or AxCrypt will serve your purpose very well"

    Given these 2 which one is simplest for my purposes in your view?

    Least number of bugs? Strongest mathematics?

    Do I have to "keep track of the matching keys, not just the encrypted file? "

    Your celtic friend

    Escalader
    I think AxCrypt will be easier to setup and use for this task.
    Both of them are mature, stable, and reliable programs.
    AxCrypt is better for individual files.
    TrueCrypt is better for lots of files, folders, and partitions.
    I have not encountered any bugs in the time that I have used them.
    They are both open source, which is important for encryption programs to allow peer review.
    They will both guard your data securely from physical theft, if you use a strong enough password.
    TrueCrypt does have more algorithms and features, but most people end up using AES anyway because it is fast, reliable, and secure.
    Both AxCrypt and TrueCrypt use AES (Advanced Encryption Standard).
    Which has the strongest mathematics? I couldn't say. But if I knew my important data would be physically stolen tomorrow and there was no way I could prevent it, I would trust either AxCrypt or TrueCrypt to keep the data from being read by the thieves.

    No you don't need to keep track of matching keys with either of them.
    You just encrypt the file, give it a password, and that's it.
    You can move the file, back it up while it is still encrypted so your backup will be encrypted too, all you need to remember is the password. If you forget the password, then you won't be able to get the data.
    AxCrypt can even make an encrypted executable version of the encrypted file that can travel with you to another computer so you don't have to install AxCrypt there to access the file.

    Remember to keep unencrypted backup copies of the data for a while until you are familiar with the whole encryption, decryption, and backup process.
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Give it some time and maybe others will post too.

    I think an Encryption Package should:

    1. Use a secure algorithm. Never a proprietary "super secret uncrackable" algorithm.
    2. Implement the algorithm securely. Encryption is only as strong as the weakest link.
    3. Be open for peer review. This ensures that more eyes with independent views look for weaknesses in the code. When a security researcher discovers a real flaw in a security program, the researcher becomes well regarded in the community.
    While being open source or open for peer review eliminates most commercial programs, it doesn't have to be that way; PGP is a commercial program and allows for peer review.
    4. Be easy to use.
    5. Be actively maintained so any new bugs can be removed.
     
  3. Escalader

    Thanks, I'll wait since there is plenty of time. I downloaded AxCrypt last night.
    Just started messing about with it. So after I've worked with it a bit I might be able to add to your list.

    I like your initial set of criteria.

    One comment/question: if a tool is open source, doesn't that mean the bad guys could crack the code eventually? Or are we saying the math is so strong that open code won't help them?

    The other notion is, don't commercial packages have to be "secret" or they can't be protected, like a new drug for colds or something? The competition would get it and make a better pill. I like the academic notion of peer review, but in that case the goal is shareware and universal good, completely different goals!
     
  4. Devinco

    That's what it initially looks like, but in reality it ends up to be just the opposite.
    Look at how many exploits and vulnerabilities closed source Microsoft software has.
    By its very nature a closed source program will have fewer eyes on the code.
    The company/corporation will always push the programming team to hurry up so it can move on to the next project.
    In Open Source, anyone can look at the code and improve it if they want. That is a lot of potential eyes looking for flaws.
    The bad guys have much more to gain by exploiting closed source programs because the flaw may not be discovered or fixed for some time. This allows for much more time for the exploit to live.
    So with more eyes on the code, yes, the math (and the implementation of it) will be stronger.

    PGP was able to do peer review with an NDA (non-disclosure agreement).
    It is not as good as open source, but the next best thing.
     
  5. Escalader

    Hey D how are you?

    I just want to ask a question. I have been using AxCrypt to encrypt an old Excel file (my key file is on my USB stick; it didn't let me go on the Roboform USB disk). I did save my passcodes for the file in Roboform's safe notes feature so I don't forget them.

    So I happily encrypted and decrypted, and all was fine, quite simple really.

    Then, plunging forward, I did an encrypt.exe to see if I could email this file as an attachment to my son as a test.

    Well! Outlook refuses to send/access this file as it is potentially dangerous!

    Well, I guess it is since trojans have exe's don't they?

    Have you tried to do this and did /can one avoid the issue?

    Your risk taking celtic associate!:doubt:
     
  6. Devinco

    Good. Thank you.

    Yes, that is Outlook's attempt to block malware by blocking just the file extension.
    Try renaming the encrypt.exe file you created to encrypt.RenameToExe.
    Your son will then rename the file to encrypt.exe, run it, type in the password, and it will be decrypted.
    That should bypass the Outlook extension check.
    If Outlook still blocks it then you will need to use a zip program like 7zip to compress the file.
     
  7. Escalader

    Thanks a lot Devinco!

    I now know my son or anybody else would need the PSW!

    Now I have to figure out how they get those securely. In his case I just tell him.

    But in say your case how would I tell you?

    I've got it! I'll post it here! r7JU9b67YKmykNipBJSpUjvdsixuarQS,

    Ha ha this isn't it!

    Escalader!:D
     
  8. Devinco

    LOL :D :D

    There are two main types of encryption which are used for different purposes.

    Symmetric Encryption
    This basically means same password to encrypt and decrypt.
    This is ideal for all forms of file/folder/partition/drive encryption.
    It is great, but it also creates a new problem that you encountered, which is:
    How do I securely communicate the password to the other party over an insecure channel (the internet).

    Asymmetric Encryption
    This basically means that one password is used to encrypt and a different password is used to decrypt.
    It is also called Public Key Cryptography and is ideal for securely communicating a message over an insecure channel.
    It would solve the problem of securely communicating the password to your son.
    It is a little more complicated to setup and use, but once you learn it, it is very easy.
    It is primarily used for secure communications like encrypting email and establishing secure encrypted communication channels like SSH.

    Encryption packages will use one type or the other, or both depending on the purpose.

    Programs like AxCrypt and TrueCrypt encrypt Files and Folders. So they use Symmetric Encryption.
    Programs like Enigmail(that works with Thunderbird email client) allow sending encrypted email and use Asymmetric Encryption.

    Programs like PGP and DESlock+ have two main uses: encrypting Files and Folders and encrypting email.
    When they encrypt Files and Folders, they are using Symmetric Encryption.
    When they encrypt email, they are using Asymmetric Encryption.
     
  9. Escalader

    Devinco:

    I guess you found my 32 character psw didn't work! :D

    Your tutoring skills are outstanding; you could get a job in on-line training just by saving some of your back-and-forth posts with guys like me and showing them to the local college!

    I even understand now what you are saying about the two types of encryption!

    On Asymmetric Encryption, can I assume that in our example here I know my code to encrypt (and decrypt) and my son knows his codes to do the same at his end, BUT neither of us knows the other guy's codes?

    I hope you are getting some value out of all the work I cause you?
    Did you do anything with DESlock+?

    Celtic friend Escalader
     
  10. Devinco

    Yeah well so much for secure communication!
    The password shown is actually pretty strong.
    Play around with the Generate Password feature in RoboForm. You will see this password is about 186-bit strength.
    Try different options, add punctuation and you will see the effects of different lengths and types of passwords.

    Thank you Celtic friend. I am glad to share the knowledge I gained from all the great people here.

    Yes, in Asymmetric Encryption, you have 2 codes(keys).
    A public key that you can share with the world, including your son.
    And a private key that you keep secret and never share with anyone.
    Follow the link on Asymmetric Encryption and that should help to make it clear.
    Basically, you want to send a message to your son, so you encrypt it with your son's public key.
    Only your son's private key will be able to decrypt it.
    When your son wants to send you a message, he uses your public key to encrypt and you use your private key to decrypt.

    My typing skills have increased dramatically.

    No I just studied the specs and info offered.
    I like Thunderbird, so I will use Enigmail when I want to send encrypted email.
    But I like what DESlock+ has to offer. It appears easy to use and works with Outlook, and so does PGP.
     
  11. Escalader

    Just tested the rename procedure and sent it via Outlook through my ISP.

    File sailed through the outgoing scan on my computer and the ISP scanners, and then when I downloaded it back from the ISP it passed through my incoming scanners.

    Did NOT have to zip it.

    Good thing it wasn't a virus!

    :blink:
     
  12. Escalader

    F$DzG36Pfv27q6^hdnGsmJK%P^VLSXYW

    Here is a 196-bit one. If you set the minimum number of digits to zero you get higher-strength codes!
     
  13. Devinco

    That's a good one. Use one of those for your online website accounts like Amazon or Ebay and there is no way they will be able to guess it, dictionary attack it, or brute force it.
    The only way that they will get into your account is if they hack your computer or the website's server.
    The good part is you won't need to remember the different passwords for all the different sites.

    Occasionally back up your USB Flash Drive with Roboform data to either CD, Floppy, or another USB Flash Drive. USB Flash Drives are great, but they can eventually fail.
    If you click on the roboform system tray icon/options, the RoboForm options window appears.
    Click in the left pane on User Data.
    In the right pane a button labeled Backup will let you do this easily.
     
  14. Escalader

    Yes, that's a very good idea.

    I found it very interesting to note that not asking for a minimum number of digits increases the bit strength.

    I deal with 1 bank that allows 32 position psw's, the other only 8!

    I contacted the 8 bank, and their response was people can't remember passwords! This is the security people! There is a huge education problem!

    When will your book come out, Title="Devinco's Security for Dummies!"

    You could become even better known!:D

    There is some research on using long memorable pass phrases, containing syntax and deliberate spelling errors, as better than complex 32 random-character passwords.
     
  15. Devinco

    You will find a lot of good password info here: Good and Bad Passwords How-To

    People can't remember 8 character passwords either.
    There are simple methods available to reset passwords whether they are 8 or 32 characters.
    Their excuse is not valid for offering weaker security for your money. That's not what you pay them for.

    Syntax and spelling errors are very good for passwords you have to remember.
    But a good random password will be immune to any type of dictionary attack.
    There are a lot of different ways to make up good passwords/passphrases.
    Here's another method: Diceware
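    To put numbers on the 8-versus-32-character argument and on the Diceware alternative mentioned in the last few posts, here is an added Go example (not RoboForm's or Diceware's own code): a plain log2(alphabet^length) estimate, with assumed character-class sizes, so it will not exactly reproduce RoboForm's 186-bit and 196-bit readings quoted above, plus an unbiased simulation of the five dice rolls that select one Diceware word.

```go
package main

import (
	"crypto/rand"
	"math"
	"math/big"
	"unicode"
)

// RandomPasswordBits estimates log2(alphabet^length), taking the alphabet as the
// union of the character classes present (assumed sizes; RoboForm's figures differ).
func RandomPasswordBits(pw string) float64 {
	sizes, seen := [4]int{26, 26, 10, 32}, [4]bool{} // lower, upper, digit, symbol
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			seen[0] = true
		case unicode.IsUpper(r):
			seen[1] = true
		case unicode.IsDigit(r):
			seen[2] = true
		default:
			seen[3] = true
		}
	}
	alphabet := 0
	for i, s := range seen {
		if s {
			alphabet += sizes[i]
		}
	}
	return float64(len([]rune(pw))) * math.Log2(float64(max(alphabet, 1))) // empty password: 0 bits, not NaN
}
// DicewareBits: each word is drawn uniformly from 7776 (6^5) entries, about 12.9 bits per word.
func DicewareBits(words int) float64 {
	return float64(words) * math.Log2(7776)
}
// RollDicewareKey produces the five-digit (1-6) lookup key one Diceware word needs,
// drawn with crypto/rand so every one of the 7776 entries is equally likely.
func RollDicewareKey() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(7776))
	if err != nil {
		return "", err
	}
	key := make([]byte, 5)
	for i, v := 4, n.Int64(); i >= 0; i, v = i-1, v/6 {
		key[i] = byte('1' + v%6)
	}
	return string(key), nil
}
```

    On this model the bank's 8-character limit caps a mixed-case alphanumeric password near 48 bits, while five Diceware words reach about 65 bits and remain memorable.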
     