General Encryption
From The Black OP Security Wiki
Encryption FAQ
Q. I hear that you can crack strong encryption with [an expensive laptop / secret government quantum computers].
A. First of all, a distinction needs to be made between breaking encryption and breaking a password. If you encrypt a file with a military grade encryption algorithm but use a passphrase such as "password" or "gd1", your password can indeed be broken with an expensive laptop (or even a cheap one) via various password cracking methods. This is not really breaking the encryption; it is breaking the password. With asymmetric systems like GPG, an eavesdropper with a traditional computer is not going to be able to break your communications without obtaining your private key (meaning compromising a location where your private key is stored, most likely your PC), even if the password protecting your private key is itself weak.
As far as cracking a strong encryption algorithm with a strong password goes, this is not in the realm of something someone with a traditional computer (be it a hundred thousand dollar supercomputer or a cheap laptop) is going to be able to do.
Asymmetric encryption can be broken trivially by an eavesdropper with a quantum computer capable of running Shor's algorithm. This is not as worrisome as it sounds, as the existence of such a computer is unlikely. On the off chance that such a computer exists, it is safe to say that it is in the realm of military intelligence (the NSA), and they are very unlikely to use it to see what you are saying. Even if they do use it to see what you are saying, they are unlikely to act directly on the intelligence. The NSA is more concerned with foreign militaries than with anyone else, and they are not about to give away the fact that they have a powerful quantum computer by breaking your encryption with it and acting on the result. Even if you are interesting to the NSA (this is not likely), keeping the possession of a quantum computer secret is probably a higher priority for them than blowing their cover by acting on information gained by breaking your asymmetric communications. In short: yes, it is theoretically possible that someone with a type of computer that may or (more likely) may not exist can eavesdrop on your communications. It is also extremely unlikely that they would use said computer to look at your communications, and unlikely that they would directly act on information gathered from anyone's communications.
Symmetric encryption stands up much better against quantum computers than asymmetric encryption does. Whereas a quantum computer capable of running Shor's algorithm can trivially break asymmetric encryption, symmetric encryption only has its bit strength cut approximately in half. This means that against a powerful quantum computer, a 256-bit algorithm is about as strong as a 128-bit algorithm is against a traditional computer. As strong encryption algorithms using a 128-bit key have never been broken by a traditional computer, it is very unlikely that the 256-bit equivalent can be broken by a quantum computer. Even a strong encryption algorithm using a 128-bit key is not going to be trivially broken by a quantum computer.
Q. So as long as I use a strong encryption algorithm and a good password, I am set?
A. This is not necessarily true. There are a few things you need to keep in mind.
1. When you mount a drive or make use of your private key, the key is temporarily stored unencrypted in RAM. On occasion, the operating system writes the contents of RAM to the hard drive. This means it is quite possible that your encryption keys are stored, in part or in whole, on your hard drive, and someone who seizes or gains access to your computer can recover them with forensics software. You can combat this by setting your system up to be unfriendly to forensics and by using full drive encryption. If you use full drive encryption, then even if your key is written to the hard drive, it will be encrypted while the computer is turned off.
2. With full drive encryption, your key is stored in RAM for the entire time your computer is turned on and the drive is decrypted. This brings up two interesting points. The first is that, even with full drive encryption, when your computer is actually on and running (you are using the OS), the drive is not protected. Someone could seize your computer by force before you have time to turn it off and make a copy of your drive (in which case they get the decrypted contents). Someone could also hack your system remotely and have access to the decrypted contents. The second point is that when you turn your computer off, RAM does not clear instantly. For some time after power is cut, your key remains in RAM, decaying at a relatively rapid but not instant rate (it takes approximately one to five minutes after cutting power for the key to decay to a state from which someone could not gather useful information). Someone interested in your computer's contents can dramatically increase this time by flash freezing your RAM: all they need to do is hold a can of compressed air upside down and spray the freezing liquid onto the RAM. After this is done, the RAM maintains its state for significantly longer than five minutes, giving the attacker adequate time to move your RAM into a forensics laptop and make an image of it. Once this is done, they will likely be able to recover either your entire key or at least a very large part of it, break your full drive encryption, and then sniff around with other forensic software for other keys that might have been written to the drive from RAM. The moral of the story is that your non-full-drive encryption can be side-channelled via RAM leaks, and your full drive encryption only protects you when your computer is turned off, and even then only after it has been off for a few minutes.
3. Encryption only protects files that are encrypted. If you encrypt a file and do not securely erase the source file, there is no need to break your encryption, as the adversary can simply recover the insecurely erased source file.
4. Another thing to keep in mind is legislation. In some countries (the United Kingdom being the first that comes to mind), it is a crime to refuse to reveal your private keys to law enforcement on demand. Failure to do so could result in a lengthy prison sentence (though possibly not as long as the one you would get if you did turn your keys over). The way to combat this is with plausible deniability encryption, which is discussed later on. You can also combat this by steganographically hiding encrypted data inside images or other files.
Q. I found an awesome E-mail service that will handle all my encryption for me. Great deal, huh?
A. No, no, no. There are many "secure" E-mail services that say they allow you to send GPG encrypted E-mails without actually using GPG yourself. They can do this because they manage GPG for you, meaning they manage your private keys for you, and you enter your password into their servers. Some of the particularly snake-oil ones will require you to use Java applets. If you are not careful with Java applets, not only can they get your password and decrypt your E-mails, but they can mount more targeted attacks against you, including trying to break your anonymity if you are using Tor. My advice is to keep a safe distance from most services that say you can rely on them to manage your encryption, especially if they do not prominently point out the limitations of their systems. You are going to need to manage your own encryption if you want to really be secure. It is not hard to manage your own encryption, so you might as well. There have already been government operations where "secure" E-mail providers handed over tens of thousands of E-mails to the government. All encrypted web mail systems that are fully server side share exactly the same vulnerabilities.
Q. So is GPG a type of encryption?
Symmetric Encryption
Symmetric encryption is a method of obscuring information in such a way that it cannot be unobscured without a key. The key is often a password, or a string that can be uniquely derived from a password, although the key can also be a file (or a string derived from a file). I will discuss symmetric encryption in terms of using a password rather than a keyfile. You can imagine symmetrically encrypting a file as putting it in a combination safe, with the combination being the password. Unlike a traditional combination safe, you cannot break strong symmetric encryption, even with extremely powerful equipment (supercomputers). You can, however, attack the combination safe by trying to guess the combination, which means that you should use a strong password. With strong encryption, your 'combination safe' is extremely unlikely to be broken open (the encryption algorithm won't be broken), but if someone can guess your combination (password), they can still access what you have put in the safe.
Usually with symmetric encryption you are going to want to use a 128-bit or a 256-bit key. I suggest 256-bit keys, just so you can rest soundly if the government does have secret quantum computers (they don't). There are 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 possible 256-bit keys. This is an extremely big number. It is so big that if every single computer currently on earth (including any secret quantum computers, considering they only cut a 256-bit key to 128 bits of comparative strength) spent all of its CPU cycles trying to exhaust the key space, it would take more time than is left before the universe dies of heat death. If there were a data storage device that stored this many 256-bit keys, it would collapse into a black hole under its own weight.
Symmetric encryption tends to be more resilient than asymmetric encryption, and is also usually much faster. Unfortunately, by itself, symmetric encryption is not good for communications. This is because, although you can transfer the encrypted information without risk, the key transfer is vulnerable to a man in the middle. This man in the middle could be your ISP, it could be someone sniffing your network, it could be your Tor exit node, it could be the FBI using their Carnivore system, etc.
Symmetric encryption is similar to storing information in a combination safe, with the combination being the password. Alternatively, it can be like storing information in a key safe with a single key to open it. Although you can send someone the symmetrically encrypted information, they cannot get the decrypted information (open the safe) without the password or keyfile (the combination).
Even if a malicious entity intercepts the combination safe (symmetrically encrypted data), they cannot do anything with it alone. This is fairly irrelevant though, as even the person you want to be able to open the safe (decrypt the data) cannot do so without the combination (password or keyfile).
To be useful for data communications, you would need to send the password to the person you want to communicate with. This is where the weakness of symmetric communications shows itself. The interceptor (man in the middle) can intercept the password and eavesdrop on your communications. They can even forward the password on to the intended recipient, so that neither you nor the recipient can tell your communications are being eavesdropped on.
A man in the middle could even forward on their own safe and password, with different information inside than what they received. This would allow the MIM to make it appear that you sent information other than what you really sent (probably they would send you something that would make you act in a way they want you to).
Although symmetric encryption is not good by itself for communications, it is great for fully client side encryption. For example, you can encrypt your entire computer symmetrically, and then you will need a password or a keyfile to get onto your computer. If you use a good enough password, even a quantum computer is not going to be able to break into your computer. You can also encrypt individual files and partitions on your computer.
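As an added example (not part of the original wiki page, and not code from any program it mentions), here is the 'combination safe' from the paragraphs above in working Go, using only the standard library: a passphrase is stretched into a 256-bit key with PBKDF2-HMAC-SHA256 (written out by hand, since the usual x/crypto package is not part of the standard library) and the data is sealed with AES-256-GCM. It also illustrates the FAQ's point about breaking the password rather than the encryption: the key space itself is untouched, the salt and iteration count are what make each guess at the passphrase expensive, and a wrong passphrase is refused by the authentication tag instead of yielding garbage. The function names, the blob layout (salt || nonce || ciphertext) and the iteration count are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per-file salt, so one passphrase never yields the same key twice
	keyLen     = 32      // 256-bit key, as the article recommends
	iterations = 100_000 // every guess at the passphrase has to pay for this many HMACs
)

// pbkdf2SHA256 stretches a passphrase into a key (PBKDF2 with HMAC-SHA256, RFC 8018).
// Written out by hand here so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // Uj = PRF(P, Uj-1); T = U1 xor U2 xor ... xor Uc
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM builds the AES-256-GCM 'safe' whose combination is the derived key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptWithPassphrase returns salt || nonce || ciphertext || GCM tag.
func encryptWithPassphrase(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newGCM(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte{}, salt...), nonce...)
	// The salt rides along as associated data, so swapping it in the file is caught too.
	return aead.Seal(header, nonce, plaintext, salt), nil
}

// decryptWithPassphrase reverses encryptWithPassphrase. A wrong passphrase fails the
// GCM tag check instead of producing garbage, so the caller knows the 'safe' did not open.
func decryptWithPassphrase(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+12+16 { // salt + GCM nonce + GCM tag
		return nil, errors.New("ciphertext too short")
	}
	salt := blob[:saltLen]
	aead, err := newGCM(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	n := saltLen + aead.NonceSize()
	pt, err := aead.Open(nil, blob[saltLen:n], blob[n:], salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered ciphertext")
	}
	return pt, nil
}

func main() {
	blob, err := encryptWithPassphrase("correct horse battery staple", []byte("contents of the safe"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptWithPassphrase("correct horse battery staple", blob)
	fmt.Printf("right passphrase: %q (err=%v)\n", pt, err)
	_, err = decryptWithPassphrase("password", blob)
	fmt.Println("wrong passphrase:", err)
}
```

Running it prints the recovered plaintext for the right passphrase and an error for the wrong one. Raising the iteration count makes every guess proportionally slower for an attacker and only adds a fraction of a second for you; it does nothing to protect a passphrase like "password" that is reached within the first few guesses, which is the FAQ's point.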
There are a great many symmetric encryption algorithms, but only a few are considered to be strong encryption. The most popular symmetric encryption algorithm is Rijndael (AES). Other popular strong symmetric encryption algorithms are Serpent and Twofish. AES is the algorithm used to protect military communications. I personally suggest people tend towards Serpent, and here is my reasoning:
The Advanced Encryption Standard (Rijndael) was selected out of fifteen other algorithms in a competition to find a next generation encryption algorithm to replace DES; Serpent came in second place. Although Rijndael won the competition, it lost to Serpent in terms of security. The algorithms were tested for many attributes, including security and speed. Rijndael is a faster algorithm than Serpent, but not as conservative in terms of security. Rijndael winning the title of AES caused it to be adopted on a large scale; businesses and many military organizations use AES. AES has been approved by the NSA for encryption of top secret documents. It is worth noting that the NSA most likely had a large amount of influence in the selection of the AES title holder, and they have a rather dubious track record in regard to their suggestions. For example, the NSA published and released a PRNG by the name of Dual_EC_DRBG which included a back door. The NSA pushed this PRNG and got it published as a NIST recognized standard, despite it being much less efficient in general than the other standards published (and of course including a back door!). The fact that Rijndael was selected over Serpent despite Serpent's significant security advantages (even taking Rijndael's speed advantages into consideration), combined with the NSA's influence in the competition and their history of dishonesty, leads me to believe that Serpent is a better choice of algorithm than AES. It should also be noted that Serpent stands up better to XSL attacks than AES does, although XSL is said by some to be a dream rather than an attack.
Conversely, some people believe that AES is the best choice regardless of the NSA's track record. Their reasoning is something like this: AES has been studied on a massive scale and no backdoors or weaknesses have been found. Although Serpent has also been studied to a good extent, it has not received anywhere near the amount of research that AES has. It seems unlikely the NSA has a backdoor in AES, as one would imagine researchers would have discovered it by now, and it is less likely that a previously unknown weakness turns up in AES than in Serpent, as AES has had more research done on it than Serpent has.
What symmetric encryption algorithm you use is up to you of course, but I suggest you go with either AES or Serpent. Twofish is, in my opinion, best used in cascades (where multiple encryption algorithms are used together). I say this because Twofish uses mathematical principles different from those used by both AES and Serpent, and therefore if some exploit is found that affects AES and Serpent, it won't be as likely to affect Twofish as well.
Plausible Deniability
Plausible deniability is a sort of encryption where you have one combination safe, but depending on the combination you enter, it opens to different contents. For example, you could have one encrypted shell file that, when mounted with one password, reveals one set of files, and when decrypted with another password reveals a separate set of files. One of the goals of plausible deniability is to make it impossible to tell that plausible deniability is being used. You don't want the adversary to be able to know you are using plausible deniability, or they can demand you give up multiple passwords.
Plausible deniability tries to protect against rubber-hose attacks, which are attacks where the adversary forces you to give up a password (perhaps they beat you until you give them your password, or they threaten to throw you in prison). If you use plausible deniability and are forced to give up a password, you can give up one that decrypts a set of non-sensitive files. When you normally decrypt the shell file, you use your normal password, and it decrypts into the sensitive files you are trying to protect.
The most popular program that supports plausibly deniable encryption is Truecrypt. If you use Windows, you can even use Truecrypt to encrypt your entire operating system with plausible deniability. When you boot your computer, you will be asked for a password. If you enter one password, an operating system you use for sensitive things decrypts. If you are forced to give up a password, you can give up your other password, and an operating system you use for normal activity will decrypt. Truecrypt uses steganography for its plausible deniability, together with the fact that it is impossible to differentiate random data from cipher data. Many people believe Truecrypt's plausible deniability is fairly weak (meaning a sophisticated enough adversary may be able to prove you are using plausible deniability). Although this is probably true (most plausible deniability is fairly weak; it is difficult to pull off a strong plausible deniability design in most 'applicable' systems), it is likely that many realistic adversaries will be unable to prove this. Also, even if the adversary can prove you are using plausible deniability, you can still take advantage of using it. Perhaps you are court ordered to give up a password, and you give up a password that decrypts non-sensitive files. The adversary proves you are using plausible deniability and demands you give up your other password. Even if you don't give the password up, you can appeal to a non-tech-savvy jury by playing up the fact that you did in fact give up a password that decrypted your machine. The concepts of plausible deniability are likely to be missed by the average jury, and even with professional testimony explaining the concepts, you are likely to plant some seeds of doubt in their minds. I suggest people use plausibly deniable encryption when possible. If you live in the United Kingdom or other countries where it is a crime to not reveal passwords to law enforcement, you should certainly use plausible deniability.
If you require plausible deniability and do not use Windows, I suggest you use virtual machines and keep the virtual hard drives stored in the hidden section of a Truecrypt container file.
Asymmetric Encryption + Signatures (and hybrid systems)
Asymmetric encryption works by using a public and a private key. The public key is used to encrypt information, which is then decrypted with the private key. Usually the information encrypted is a string that can decrypt symmetrically encrypted information, and the actual communications are sent along with the asymmetrically encrypted string. A good way to visualize this process is to think of an open padlock and a metal case. If you wish to communicate with someone privately, you send them your open padlock (public key). They can then write a message to you and put it inside a combination safe. Then they write the combination down, put it in a metal case, and lock it with your open padlock. Once they have locked the case, even they cannot extract the combination from it, unless they can break the case (break the encryption algorithm) or bust the lock open (break the lock, i.e. the key). They can then send you the metal case, and you can use your key (private key) to open the padlock. You can rest assured that, as long as the metal case (encryption) is strong enough, no one besides you (or someone with your key) can read the safe's combination and thus open the combination safe and get the message out of it. Usually asymmetric systems keep the private key symmetrically encrypted on your computer (so the private key is kept inside a combination safe only you ever have access to), and only someone with the combination (passphrase) can open the safe to use the key. After you get the metal box containing the combination to the combination safe with a message in it that someone sent you, you open your personal combination safe (type in your passphrase, i.e. enter your combination into the safe) to take your private key out, which you then use to open the metal box and extract the combination to the combination safe your message was sent to you in (decrypt the message).
Asymmetric encryption has several weaknesses that symmetric encryption does not have. For one, asymmetric encryption requires more bits for the same security as symmetric encryption, resulting in bigger cipher texts and slower computation. This is because asymmetric encryption relies on mathematical problems which are hard to solve without extra information (the extra information being your private key), and although there are a great many possible (incorrect) answers to the mathematical question, there are not as many possible answers as there are possible keys of a large bit length. For example, RSA asymmetric encryption relies on factoring a large number that is the product of two primes. Although there are a huge number of pairs of primes that multiply to a 256-bit number, there are tremendously more numbers that are 256 bits in length. It is estimated that a 1,024-bit key based on prime numbers is roughly equivalent to an 80-bit symmetric key when all combinations are taken into consideration. I suggest people using RSA encryption use 4,096-bit keys.
Asymmetric encryption has various other flaws. Asymmetric keys are typically used to encrypt far more data per key than symmetric keys. This gives an adversary the possibility of possessing more cipher texts for cryptanalysis. This property of asymmetric encryption also means that a single compromised asymmetric key will likely be far more damaging than a single compromised symmetric key. Yet another disadvantage of the vast majority of asymmetric encryption algorithms is that they are extremely vulnerable to certain attacks from quantum computers, such as Shor's algorithm. Whereas a symmetric encryption algorithm will have its bit strength cut approximately in half when faced with a quantum computer, an asymmetric encryption algorithm will usually be trivially broken. This is true of the overwhelming majority of asymmetric encryption algorithms, but not all of them (the McEliece cryptosystem being one exception, but it is not a novice friendly cryptosystem in the slightest, and has its own major disadvantages).
Asymmetric encryption has one huge advantage over symmetric encryption: its use of a public key, which can be freely distributed for encryption, allows it to be used for strong communications systems. Symmetric encryption can be used to encrypt communications, but this gives rise to the problem of how the correspondents will learn the key (combination) for decrypting the encrypted message. This is especially true when the correspondents have no means of communicating in a secure environment or over a trusted channel. For this reason asymmetric encryption is incredibly well suited to symmetric key distribution. The actual message is encrypted symmetrically, and the combination to the symmetric 'safe' is encrypted asymmetrically.
Another concept to discuss is digital signatures. It is difficult to make an analogy for digital signatures, but a close one is to imagine a wax press and a wax seal. The wax press is kept private, in your symmetric 'safe' along with your private key. The impression the press makes is shared with those you communicate with. When you write a message for them, you put it inside an envelope and seal it shut with wax, leaving your unique impression, which they can verify against the impression they keep on record. This is not a perfect analogy for digital signatures, however, as digital signatures are not always the same impression: the impression they leave depends on what you are signing.
There are two keys in a standard hybrid cryptosystem (a system that uses both symmetric and asymmetric encryption). The private key is stored symmetrically (in a "combination safe") and includes a key that opens a padlock and a wax press. The public key includes a "wax impression" and an "open padlock".
You share your public key with the people you want to talk with. It is safe to give your public key to whoever you want to.
An eavesdropper who can only see your outgoing communications cannot do anything to hurt you. All they can do is get a copy of your public key, which merely means they can send you encrypted messages and verify messages you have digitally signed. They cannot compromise future encrypted communications.
An eavesdropper who can modify communications can mount a man in the middle attack. In this case, they intercept you as you send your public key to the person you wish to communicate with, and send on a copy of their own public key instead. Presumably they do the same thing in the other direction, between the person you wish to communicate with and you. Now communications between you and the person you wish to communicate with are encrypted to the MIM's key, and they can eavesdrop on your communications. They will likely continue to forward messages between the two of you to remain undetected while they eavesdrop. They may even create false messages in an attempt to get one of you to act in a certain way they want you to.
There are a few ways to try to fight this threat. First of all, you should use multiple channels of communication with those you talk with. Don't relay all your communications through a single server. Your ISP is a prime candidate to MIM you, so use Tor to help prevent this. If a single Tor exit node MIMs your asymmetric encryption, it will be noticed as soon as you use a different exit node that is not in on the MIM attack. Another thing you can do is use authentication systems, such as shared secrets. These systems are available transparently in programs such as OTR.
If the person who has your public key wishes to communicate with you, the following steps take place. First, they generate a string (the combination to a symmetric 'safe'); usually this happens automatically and transparently to the user of the cryptosystem. Second, the string is asymmetrically encrypted with your public key (put inside a 'metal box' which is locked with your 'open padlock'). The actual data they want to send you is digitally signed (placed in an envelope that is sealed with wax) and then symmetrically encrypted (put inside a second combination safe) using a 'safe' that opens with the 'combination' that was placed in the 'metal box'.
The 'metal box' and 'combination safe' are sent to you. Usually both types of encryption are molded together into one cipher text block that looks like a solid string of code. Once you have the metal box and the combination safe with the message in it, you open your private combination safe (type in your password) and take your private key out. You then open the lock on the metal box with your private key, and use the combination you find in the metal box to open the safe with the message in it. After taking the message out, you compare the wax impression on it to the wax impression you have on record for the person you are corresponding with (you verify their signature to make sure it is really from them).
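The exchange described in the steps above, as an added example that is not part of the original page and not the code of GPG or any other program it mentions, in Go using only the standard library: the 'metal box' is RSA-OAEP wrapping a fresh random AES-256 key, the 'combination safe' is AES-256-GCM, and the 'wax press' is an Ed25519 signing key whose public half is the 'wax impression'. It also covers the man in the middle discussion a few paragraphs earlier: Fingerprint is the value two correspondents compare over a second channel, since an attacker who substitutes their own public key cannot make it match. The Identity and Envelope types, the signature-then-message layout inside the safe, and the 2048-bit RSA size (the article recommends 4096) are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is the private half kept in your 'safe': the key to the padlock (RSA) and the wax press (Ed25519).
type Identity struct {
	RSA  *rsa.PrivateKey
	Sign ed25519.PrivateKey
}

// PublicIdentity is what you hand out freely: the open padlock and the wax impression.
type PublicIdentity struct {
	RSA    *rsa.PublicKey
	Verify ed25519.PublicKey
}

// Envelope is the metal box (WrappedKey) plus the combination safe (Nonce, Ciphertext).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG is not something to recover from
	}
	return b
}

// NewIdentity generates both halves (the article recommends 4096-bit RSA; 2048 keeps the demo quick).
func NewIdentity() *Identity {
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	_, sk, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Identity{RSA: rk, Sign: sk}
}

func (id *Identity) Public() PublicIdentity {
	return PublicIdentity{RSA: &id.RSA.PublicKey, Verify: id.Sign.Public().(ed25519.PublicKey)}
}

// Fingerprint is what correspondents compare over a second channel; a swapped-in key cannot match it.
func (p PublicIdentity) Fingerprint() [32]byte {
	return sha256.Sum256(append(p.RSA.N.Bytes(), p.Verify...))
}

// gcm builds the AES-256-GCM 'safe'; both constructors fail only on a bad key length, and callers pass 32 bytes.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal: sign the letter, lock a fresh combination in the metal box with the recipient's padlock, fill the safe.
func Seal(sender *Identity, to PublicIdentity, msg []byte) (*Envelope, error) {
	key := randomBytes(32) // the 'combination': a fresh random 256-bit AES key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to.RSA, key, nil)
	if err != nil {
		return nil, err
	}
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	letter := append(ed25519.Sign(sender.Sign, msg), msg...) // wax seal, then the letter
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, letter, nil)}, nil
}

// Open: unlock the box with the private key, open the safe with that combination, then check the wax impression.
func Open(me *Identity, from PublicIdentity, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me.RSA, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("metal box was not locked with our padlock")
	}
	pt, err := gcm(key).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil || len(pt) < ed25519.SignatureSize {
		return nil, errors.New("safe would not open: wrong combination or tampered contents")
	}
	sig, msg := pt[:ed25519.SignatureSize], pt[ed25519.SignatureSize:]
	if !ed25519.Verify(from.Verify, msg, sig) {
		return nil, errors.New("wax impression does not match the sender on record")
	}
	return msg, nil
}

func main() {
	alice, bob := NewIdentity(), NewIdentity()
	env, _ := Seal(alice, bob.Public(), []byte("hello bob"))
	msg, err := Open(bob, alice.Public(), env)
	fmt.Printf("bob read %q (err=%v)\n", msg, err)
}
```

Three failure cases matter here and each is reported distinctly: a box locked with someone else's padlock (the private key cannot unwrap it), a tampered safe (the GCM tag rejects it), and a letter sealed with the wrong wax press (the signature check rejects it). Comparing Fingerprint values over a second channel is the check that defeats the key-substituting man in the middle described earlier, because the substituted padlock produces a different fingerprint.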