From: unruh on 27 Mar 2010 13:44

On 2010-03-27, Greg Rose <ggr(a)nope.ucsd.edu> wrote:
> In article <osmqq51kp6ttfictta03qaerek6861feee(a)4ax.com>,
> John Bischoff <mingol(a)roadrunner.com> wrote:
>>Last I heard, PGP provided pretty solid security. Is that still the case?
>
> It is well studied, and backed by reputable
> professionals. It is very solid, IMO. The company
> I work for supplies it standard for all employees
> (although many don't use it, or anything at all).
> I use it on a daily basis, and have never had a
> problem.

Sorry, how would you recognize a problem if it occurred? The problem for encryption is that an enemy reads your messages. How would you know that has occurred?

I agree that pgp has a good reputation and there is nothing that anyone has discovered that is problematic, but promulgating the idea that "using it on a daily basis and have never had a problem" is a good way of evaluating crypto is what allows all kinds of junk to be sold as encryption technology.

From: unruh on 27 Mar 2010 13:46

On 2010-03-27, George Orwell <nobody(a)mixmaster.it> wrote:
> "John Bischoff" <mingol(a)roadrunner.com> wrote in message
> news:osmqq51kp6ttfictta03qaerek6861feee(a)4ax.com...
>> Gentlemen
>> Maybe I have the wrong venue, but then maybe one of you knowledgeable gents will
>> kindly enlighten me.
>> Last I heard, PGP provided pretty solid security. Is that still the case?
>> Is there anything better, and about as easy to use, these days?
>> I'll wish to encrypt a file up to several MB, and maybe a whole drive.
>> I'll wish to use it for two-way, friend-to-friend file sharing.
>> Naturally, the better the resistance to brute force the better.
>> Thanks, gents
>> John
>
> I'd opt for Truecrypt or even better, FreeOTFE.
>
> FreeOTFE especially is so good that it's quietly being blocked or at
> the least discouraged in certain European countries.

That you would make such a statement arouses all of my "snake oil" sensors. I have no idea if FreeOTFE is a good product or not, but this is the opposite of an endorsement.

From: Greg Rose on 27 Mar 2010 17:27

In article <slrnhqsh05.4a5.unruh(a)wormhole.physics.ubc.ca>,
unruh <unruh(a)wormhole.physics.ubc.ca> wrote:
>On 2010-03-27, Greg Rose <ggr(a)nope.ucsd.edu> wrote:
>> In article <osmqq51kp6ttfictta03qaerek6861feee(a)4ax.com>,
>> John Bischoff <mingol(a)roadrunner.com> wrote:
>>>Last I heard, PGP provided pretty solid security. Is that still the case?
>>
>> It is well studied, and backed by reputable
>> professionals. It is very solid, IMO. The company
>> I work for supplies it standard for all employees
>> (although many don't use it, or anything at all).
>> I use it on a daily basis, and have never had a
>> problem.
>
>Sorry, how would you recognize a problem if it occurred? The problem for
>encryption is that an enemy reads your messages. How would you know that
>has occurred?

First, when I talk about no problems using it, I am talking about usability! Many problems occur because something isn't used at all, or is used wrongly.

Second, I personally reviewed PGP code around the 2.3 release. Since that release, there has been continued compatible evolution, a standard written, and a complete second implementation (GPG) which is still available for review. So we *know* what the underlying crypto primitives are, we *know* that there is no extra stuff in messages, so in the absence of new cryptanalytic results, we *know* that the enemy can't read encrypted messages eavesdropped in transmission. (If he accesses your computer all bets are off, of course.)

>I agree that pgp has a good reputation and there is nothing that anyone
>has discovered that is problematic, but promulgating the idea that
>"using it on a daily basis and have never had a problem" is a good way
>of evaluating crypto is what allows all kinds of junk to be sold as
>encryption technology.

It's a good way of evaluating usability. I agree I could have been clearer on that point, but I still think it's important.

Frankly, I think the security part of it is a given, for the reasons expanded upon above.

Greg.

From: Mehdi Tibouchi on 27 Mar 2010 21:32

Greg Rose wrote in message <holt75$qp$1(a)ihnp4.ucsd.edu>:
>
> and a complete second implementation
> (GPG) which is still available for review.

The only actual review of GPG by a professional cryptographer I am aware of is P. Nguyen's rather pessimistic paper at Eurocrypt 2004:

http://www.di.ens.fr/~pnguyen/pub.html#Ng04

From: Joseph Ashwood on 28 Mar 2010 08:28

"John Bischoff" <mingol(a)roadrunner.com> wrote in message
news:osmqq51kp6ttfictta03qaerek6861feee(a)4ax.com...
> Gentlemen
> Maybe I have the wrong venue, but then maybe one of you knowledgeable
> gents will
> kindly enlighten me.
> Last I heard, PGP provided pretty solid security. Is that still the case?
> Is there anything better, and about as easy to use, these days?
> I'll wish to encrypt a file up to several MB, and maybe a whole drive.
> I'll wish to use it for two-way, friend-to-friend file sharing.
> Naturally, the better the resistance to brute force the better.

Provided you don't have any special considerations, PGP is a solid choice. It is reasonably well analyzed, as noted compatible open source implementation (GPG), should be secure to thousands of PetaBytes, etc.

By "special considerations" I mean that I wouldn't trust PGP/GPG for any secrets that could compromise my ability to continue living, but almost anything short of that there shouldn't be any problems.

You should send a couple of simple test files first, open them without decryption to make sure you're configured to encrypt, then decrypt them and verify correctness. Probably not a big issue, but it does provide an easy sanity check. As long as PGP fits well in the communication method you choose, use it.

Joe