CryptoSuite v1.050 Features

Discussion in 'Other Ghost Security Software' started by Jason_R0, Dec 7, 2003.

Thread Status:
Not open for further replies.
  1. ano5

    ano5 Guest

    Hi Jason:

    1.
    I have not tried CryptoSuite yet. Therefore, my comments do not necessarily apply to CS. They may be useful, however, if you consider adding new features.

    2.
    Based on my experience /w several other encryption programs I usually distinguish between "on-the-fly harddrive encryption programs /w preboot authentication" (like Safeguard Easy, Safeboot, Safeboot Solo, DriveCrypt Plus Pack) and strong AES/Rijndael-based "container solutions" (like BestCrypt, DriveCrypt etc.).

    3.
    Generally, it seems to me that container solutions are inconvenient if you cannot mount the encrypted container(s) as a virtual harddrive or something similar.

    If you want to encrypt more than a few files it must be ensured that you are not required to type in a password more than once per each start of the computer (i.e., there should be the possibility to unlock all encrypted folders and files at once). It must also be ensured that you can easily encrypt entire folders and, moreover, it should be possible to "work" on-the-fly with encrypted folders/partitions like if they were not encrypted at all.

    By contrast, if you are merely encrypting a few files you may also use WinRAR offering 128bit AES (which is still considered uncrackable by most experts) plus good compression.

    I believe that it is extremely important whether an encryption program is convenient or not since most users will not timely encrypt all sensitive data if this is a hassle.

    Container solutions have the disadvantage that you cannot encrypt the entire harddrive (including the boot partition). In consequence, many folders (e.g., folders containing applications which are autostarted) must remain unprotected.

    Personally, I store all backup images in an encrypted container. This is because my encryption program offers a "portable mode" (i.e., I can open the containers on every computer w/o having to install the encryption program -- I merely need to distribute a small portable version of the encryption program together with each container).

    IMHO, a container solution is only required if you have to share your computer with other people.

    4.
    Since I do not need to share my computer I use a harddrive encryption program /w preboot auth. This is the most convenient way to secure all (!) my data. There is no risk that I forget to protect sensitive data. I need to type in the password only once per reboot. Usually, on-the-fly encryption/decryption does not come with a noticeable speed penalty.

    There is (almost) no risk of losing my data: if Windows crashes and cannot be repaired you can still decrypt the protected partitions. You just need to set up a new OS on a different partition or harddrive and reinstall the encryption program. (Frequent backups are still a good idea ;-)

    I do not trust harddrive encryption programs which support a remote challenge response procedure in order to help a user who has forgotten his/her password.
     
  2. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005 | Posts: 1,038 | Location: Australia

    Hi ano5, thanks for your thoughts on container/hard-drive based encryption schemes. My own opinions differ slightly, I think whole hard drive encryption is pointless (except in the ease of use stakes) and in some ways offers "worse" protection. Entering the password/key only once basically means once in your operating system everything is as it would be on a normal system. Sure you had to log in decrypt the data in the first place, and your hard-drives if removed from your computer would need to be decrypted first also, but these cases of data theft are very rare. Most cases of data theft these days occur from trojans, spyware, etc, something which these full-harddrive encryption programs don't really offer any protection against. Unless they have the ability to set-up other partitions which you store all your private documents onto and require a password for every read and write then they have full access to these files just like a user who logged in would. Full Disk encryption programs don't really hide the fact to other people that you are using encryption either, at least with other encryption software you can choose whether or not to let people know you are encrypting documents. Some people for instance don't want to let others who use the computer like wives, siblings, daughters, sons, etc that they are encrypting documents. Hiding the fact you encrypt things is a common requirement for a lot of people.

    Secondly, full disk encryption means you have areas of your hard-drive which don't need to be encrypted, encrypted. For example your system32 files, 99.9% of them are available everywhere yet they have to be decrypted every time a program runs or loads something etc. Does it matter that someone knows you have vbm400.dll in your system32 folder if they ever stole your hard-drive? :) . Is it worth this redundant data from being encrypted? What about the performance hit, meaning only those with fast CPUs can really use these products without noticing a major slow-down.

    I do have a certain liking for containers where you can mount them as a partition, usually because these are used to store only documents which need to be protected. CryptoSuite will expand in the future to add support for this, and will probably support existing archives. :)

    One more thing I might add, cryptography software should not merge with "ease-of-use" to the point where it is extremely easy to protect everything but at the cost of privacy and security. I have yet to see a scheme where entering your password/key LESS equates to better or SAME security to a scheme which requires it more. Just because the shortest distance between two points is a straight line, doesn't mean the curvy road isn't the best option. :)

    *EDIT* In regards to your WinRAR statement, most experts are now saying to use 256bit algorithms (CryptoSuite uses two of these), you aren't really getting 128bits of protection using a 128bit cipher, due to the attack methods which reduce this. Whilst using 256bit keys doesn't mean you get 256bits of protection exactly it is what I would recommend people use, there is no reason to still be on 128bit. CryptoSuite archives are also compressed, whilst RAR offers about 0.01%-2% better compression (depending on size of file), it's not really something that is noticeable. Also you might want to compare the time required to add a file to WinRAR compared to adding a file in CryptoSuite, you will be surprised. :)

    -Jason-
     
  3. Pilli

    Pilli Registered Member

    Joined: Feb 13, 2002 | Posts: 6,217 | Location: Hampshire UK

    CS Chat Server is now running 1.050 No problems thus far :)

    81.105.28.14 PW: pc2 Port: 5096
     
  4. ano1

    ano1 Registered Member

    Joined: Dec 20, 2003 | Posts: 27

    Jason:

    Your arguments are valid. Actually, I expected them ;-)

    1.
    It is true that harddrive encryption does not protect you from internet attacks (like trojan attacks). For this reason, I combine harddrive encryption & a container solution: very sensitive data like passwords are additionally stored in an encrypted container.

    2.
    Even a container solution cannot easily protect you from internet attacks. Inter alia, a container solution must prevent keyloggers, screenshot tools etc. from recording the password. Therefore, I believe that it is generally the responsibility of AV/AT scanners, personal firewalls and system firewalls (like SSM, PG or TPF) in connection with common sense to protect you from net spies.

    Does CryptoSuite include a concept to protect you from keyloggers etc.?

    3.
    Harddrive encryption makes a lot of sense for notebook users since notebooks may get stolen. It also makes sense if there is the risk that certain authorities will search your premises. In addition, it is the preferable solution if you want to protect many files.

    4.
    I completely agree that container solutions are good if you want to hide the fact that you encrypt a few files. Personally, I use a steganographic encryption program which allows me to store encrypted data within my digital photos.

    5.
    It is true that harddrive encryption protects each & everything. But that's good because it is not only convenient (and thereby increases security) but also makes it harder to distinguish sensitive from non-sensitive data. As regards the performance hit: I did some benchmarking tests a few years ago. Usually, the performance decrease is not noticeable unless you copy very large files like an 800 MB DivX video. Computers with a processor speed of less than 1 GHz may be slowed down if they use a very fast harddrive (i.e., it is the ratio between processor speed and harddrive speed which matters).

    6.
    Entering a "global password" could be an optional feature. It would increase security for people who would not encrypt anything at all if they were required to use an inconvenient solution. On the other hand, paranoid people could still protect every single file with a different password (and then store all passwords in an encrypted master pw file .. ;-)
     
  5. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005 | Posts: 1,038 | Location: Australia

    There are no anti-keylogger features in CryptoSuite yet, these are planned to be added very soon.

    There is no more protection using different schemes, whether full-disk,container or archive based. The protection with encryption comes with the algorithm used and the key. Each scheme has its pros and cons in "ease-of-use" terms, but cryptographically, it all depends on what algorithm is used. You seem to be under the impression that full-disk encryption offers you more protection than something else in certain situations, this isn't a valid judgement.

    For instance, does it matter if your laptop is stolen if you have encrypted all the files which need to be into a CryptoSuite archive compared to full-disk encryption (with a good algorithm/key)? No, they still can't get your private info without the key/password either way. When people physically steal your computers they typically aren't out to get your data, rather it is the hardware they are after. Trojans, spyware, etc are the biggest data theft causing devices, yet seem to be second on your list compared to authorities/thieves :) .

    I don't find it inconvenient using CryptoSuite to encrypt my files which I do very regularly. There are some things which could be streamlined and they will be. I can also send my CryptoSuite archives very easily through email and other insecure networks without any issues at all. Whereas someone with full disk encryption would have to bother making an archive, that is if the software even supported that.

    There is no point arguing about how using full-disk encryption for you is easier because it all depends on the person and situations. And as you said, you still use other software solutions apart from your full-disk encryption package (which are expensive enough as it is), I just use one piece of software now that is very affordable for everyone. :)

    Try and keep this thread on topic also.

    -Jason-
     
  6. ano1

    ano1 Registered Member

    Joined: Dec 20, 2003 | Posts: 27

    "You seem to be under the impression that full-disk encryption offers you more protection than something else in certain situations, this isn't a valid judgement."

    No. I am not. I generally agree with you. It is the encryption algorithm and the protection against internet spies which matters. In respect of a harddrive encryption program it may be harder to develop a driver which allows for a brute-force attack. But this is not important because most AES-based encryption algorithms are safe.

    "I don't find it inconvenient using CryptoSuite to encrypt my files which I do very regularly."

    I was only talking about container solutions in general and container solutions /w or /wo mounting capabilities in specific.

    "I can also send my CryptoSuite archives very easily through email and other insecure networks without any issues at all. "

    That's definitely a plus. I assume that the recipient of the email must also have CryptoSuite in order to decrypt the file? If yes: I suggest to create a special free CryptoSuite version which permits only the decryption (but not the encryption) of files. Possibly, this would increase the sales volume. (See for example Enigma 2000). -- EDITED: With CS you can create SFX files. Therefore, it is not absolutely necessary that the recipient has CS installed on his/her computer. However, a SFX file puts the recipient under the risk that the SFX file contains a trojan or the like. Therefore, a free stand-alone decrypt-only version of CS w/o any nag screens would still be helpful. --

    "There is no point arguing about how using full-disk encryption for you is easier because it all depends on the person and situations."

    Absolutely. That's what I said right at the beginning. It depends. But I would not rule out the possibility to add such feature to CryptoSuite in the future. For example, DriveCrypt has also started as a pure container solution.

    "Try and keep this thread on topic also."

    Come on. This was on topic since you asked for feature requests and the like. I think at least some of my thoughts were helpful.
     
  7. Pilli

    Pilli Registered Member

    Joined: Feb 13, 2002 | Posts: 6,217 | Location: Hampshire UK

    Ano, your thoughts are very helpful but arguing about encryption semantics may be better pursued in a new thread.

    Hope this does not cause offence & thanks for your input. :)
     
  8. ano1

    ano1 Registered Member

    Joined: Dec 20, 2003 | Posts: 27

    @Pilli Thanks. But I believe that I have already posted all my arguments and thoughts now (i.e., it would have been a very short thread).
     
  9. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005 | Posts: 1,038 | Location: Australia

    CryptoSuite will work forever in Decrypt mode, i.e. even when trial runs out you can still decrypt. The one message box which pops up on startup is hardly THAT nagging in my opinion, does it bother you? :)

    Yes your thoughts were helpful, however it would have been better on your part to first try the program to see what its features were and then comment on what you thought it needed, rather than just commenting on it from afar. The reason for this is some of your questions could have been answered just by using the program. :)

    Keeping this thread on topic just meant posting in regards to features wanted in CryptoSuite, and as you can see some of what you posted isn't related to this. You could always start another thread, there is also a privacy forum on Wilders if you are interested. No ill-harm meant just a relaxed suggestion. :)

    Happy New Years!

    -Jason-
     