Practical Cryptography
Created | Updated Jan 28, 2002
Selecting Cryptographic Tools
Assuming that an individual wants to protect their privacy against eavesdroppers, there are a number of factors to consider when choosing technologies.
- Who is the potential eavesdropper?
- How much maintenance will be involved?
- What sort of equipment is available?
Who is the potential eavesdropper?
It is important to decide how much protection is needed. A simple paper-based cipher would most likely stop family members from reading a private diary; more substantial risks require more secure ciphers. Assuming that computer-based encryption is going to be used:
- If the threat is from private individuals then any reputable cipher, a sensible key-change schedule and a password that cannot be guessed from a short dictionary will probably be sufficient.
- If the threat is from corporations, police forces or other such wealthy organisations then selecting a good cipher and using it sensibly will probably be sufficient.
- If the threat is from national intelligence services then the whole implementation of an encryption system will need to be examined carefully, and professional advice should be sought before putting faith in any product.
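To make the three tiers above concrete, here is an added example (not from the article) of the one step every computer-based system has to get right whatever cipher it uses: turning a password into a key, and what a dictionary attack against it costs. It uses only the Python standard library; the guesses-per-second figures for each attacker tier, the 200,000-iteration work factor and the sample password list are assumptions for illustration, not measurements.

```python
"""Turning a passphrase into a cipher key, and what guessing it costs an attacker.

Added example, not from the article. The per-guess work factor (PBKDF2
iterations) is what separates an attacker with one PC from one with a rack of
hardware; the hash rates below are assumed orders of magnitude, not measurements."""
import hashlib
import secrets

def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Derive a fixed-length key from a passphrase with PBKDF2-HMAC-SHA256.

    The salt makes precomputed tables useless; the iteration count makes each
    guess cost the attacker as much work as it costs the legitimate user."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=length)

def dictionary_attack(target_key: bytes, salt: bytes, iterations: int, candidates):
    """Try each candidate passphrase in turn; returns (match or None, guesses made)."""
    for guesses, guess in enumerate(candidates, start=1):
        if derive_key(guess, salt, iterations) == target_key:
            return guess, guesses
    return None, len(candidates)

def attack_seconds(search_space: int, iterations: int, hashes_per_second: float) -> float:
    """Worst-case time for an attacker computing `hashes_per_second` HMAC-SHA256
    evaluations to exhaust `search_space` passphrases at the given work factor."""
    return search_space * iterations / hashes_per_second

# Assumed attacker capabilities (orders of magnitude only) and search spaces.
ATTACKER_HASH_RATE = {
    "private individual (one PC)": 1e7,
    "wealthy organisation (GPU rack)": 1e11,
    "national agency (custom hardware)": 1e14,
}
SEARCH_SPACES = {"short dictionary": 10**5, "8 random printable chars": 95**8}

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    weak = derive_key("letmein", salt, 1000)
    found, tries = dictionary_attack(weak, salt, 1000, ["password", "123456", "letmein", "qwerty"])
    print(f"weak passphrase recovered: {found!r} after {tries} guesses")
    for tier, rate in ATTACKER_HASH_RATE.items():
        for label, space in SEARCH_SPACES.items():
            days = attack_seconds(space, 200_000, rate) / 86400
            print(f"{tier:36s} {label:26s} {days:10.3g} days")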
How much maintenance will be involved?
Implementing secure communications or data storage is not simply about installing a piece of hardware or software. Decisions must be taken about how the physical hardware will be secured, what rules should be imposed on the operation of the cipher and how often keys should be replaced.
What sort of equipment is available?
What kind of computer will be used? What else is it used for? Who has access to it? If you can't be sure of the equipment then the entire system could be flawed without any obvious sign.
Identifying the requirement
Computer encryption is used in three main ways:
- Providing instant security for network traffic, such as purchasing goods on the internet. The server presents its public key to the client, the two sides use it to agree a short-lived symmetric session key, and the conversation is encrypted under that key, which is discarded afterwards. This is extremely secure provided the session key really is used briefly and then discarded and the threat is ordinary criminal activity. It does not provide the strongest protection available but it is strong enough for business needs.
- Encrypting files stored on computers in case the computer is stolen, seized or hacked. Well-studied block ciphers handle this case with ease; the weak point is usually the password the key is derived from, not the cipher.
- Providing long-term communications security. There is no simple answer, unfortunately. Use top quality systems, secure the computers at each end as far as possible and change keys very frequently. This is the hardest to manage and the easiest to design badly.
The 'Miracle' of PKI
Public Key Infrastructure (PKI) has become something of a growth industry recently. Simply put, it is a structure of organisations and services that attempt to ensure that when you communicate by asymmetric cipher you are using a current, valid key that really belongs to the person you think it does. If the current sales brochures are to be believed, PKI is a simple and unbreakable solution to all possible security worries. Of course it is not. PKI, like all the other cryptographic tools available, is capable of doing some things and not others: it is unsuitable for the highest security requirements and expensive for low-security ones.
The Tools of the Trade
Block Ciphers
There is a vast selection of block ciphers from which to choose. Most are free for noncommercial use, so the authors of encryption software have a huge range of options available. At the present moment the best understood algorithms for normal usage are DES, Blowfish and IDEA; note that single DES has only a 56-bit key and has been broken by exhaustive search with purpose-built hardware, so use it only in its triple-DES form. For really secret information use any of the finalists of the AES competition; Rijndael (the winner, now AES), Serpent and Twofish are particularly highly regarded.
Provided algorithms of this quality are used, which one is chosen matters less than how the software uses it: the mode of operation, how keys are derived from passwords, whether a fresh random initialisation vector is used for every file or message, and whether the ciphertext is authenticated so that tampering can be detected. A neat and simple free example is Puffer, which uses the Blowfish algorithm.
PGP
When it comes to asymmetric encryption one product stands head and shoulders above all the others. Phil Zimmermann's Pretty Good Privacy is almost a political movement as well as a sensible piece of security software.
PGP uses an asymmetric algorithm (RSA, or the Diffie-Hellman/DSS key type introduced in PGP 5) to encrypt a 'session key' generated randomly for each message sent. The session key is used to encrypt the message itself in one of a choice of block ciphers including Twofish, IDEA and triple DES. AES is scheduled to be added soon. The encrypted message and the encrypted session key are sent together as a single file; because each session key is used for one message only, compromising one message does not expose the others.
Zimmermann himself is realistic about the security afforded by his software; the title of the product encapsulates that position perfectly. If the potential eavesdropper is a national intelligence agency it might be worth looking elsewhere. PGP is free for personal use.
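The session-key construction described above, and the point made under Block Ciphers that how the cipher is used (fresh nonce, separate keys, authentication) matters, as one added example. This is not PGP's code and not from the article. It uses only the Python standard library, so the key wrapping is unpadded textbook RSA on a toy key generated at run time and the body cipher is HMAC-SHA256 in counter mode standing in for a block cipher such as Twofish; real PGP pads the RSA input and uses a genuine block cipher. The structure of the package, not the primitives, is what the example shows. The package layout (length-prefixed wrapped key, then nonce, tag and ciphertext) and all function names are assumptions for the demonstration.

```python
"""Hybrid (session-key) encryption of the shape the PGP paragraph describes.
Added example, standard library only: key wrapping is unpadded textbook RSA
on a toy key made at run time (real PGP pads the RSA input), and the body
cipher is HMAC-SHA256 in counter mode standing in for a real block cipher."""
import hashlib
import hmac
import secrets

# Toy RSA, used only to wrap the session key.
def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits: int = 768, e: int = 65537):
    """Return (public, private) as (exponent, modulus) pairs. Toy size, for illustration."""
    def prime(k):
        while True:
            cand = secrets.randbits(k) | (1 << (k - 1)) | 1   # odd and full length
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def wrap_key(public, session_key: bytes) -> bytes:
    e, n = public
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key too large for this modulus")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def unwrap_key(private, wrapped: bytes, key_len: int = 32) -> bytes:
    d, n = private
    m = pow(int.from_bytes(wrapped, "big"), d, n)
    if m >= 1 << (8 * key_len):
        raise ValueError("wrapped key does not decrypt to a key of the expected size")
    return m.to_bytes(key_len, "big")

# Symmetric part: stand-in stream cipher plus an authentication tag.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def subkeys(session_key: bytes):
    """Separate encryption and authentication keys derived from the session key."""
    return (hmac.new(session_key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(session_key, b"authenticate", hashlib.sha256).digest())

def symmetric_seal(session_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = subkeys(session_key)
    nonce = secrets.token_bytes(16)                                   # fresh per message
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()    # encrypt-then-MAC
    return nonce + tag + ct

def symmetric_open(session_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = subkeys(session_key)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):                        # constant-time check
        raise ValueError("authentication failed: wrong key or altered message")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

# The envelope: wrapped session key and encrypted body shipped as one package.
def seal_message(public, plaintext: bytes) -> bytes:
    session_key = secrets.token_bytes(32)          # random, used for this one message
    wrapped = wrap_key(public, session_key)
    return len(wrapped).to_bytes(2, "big") + wrapped + symmetric_seal(session_key, plaintext)

def open_message(private, package: bytes) -> bytes:
    wlen = int.from_bytes(package[:2], "big")
    wrapped, body = package[2:2 + wlen], package[2 + wlen:]
    return symmetric_open(unwrap_key(private, wrapped), body)

if __name__ == "__main__":
    pub, priv = generate_rsa()
    pkg = seal_message(pub, b"Meet at the usual place, 21:00.")
    print(len(pkg), "byte package;", open_message(priv, pkg))
```

Two properties worth noticing when running it: sealing the same message twice yields different packages (new session key and nonce each time), and flipping a single bit anywhere in the package, wrapped key included, makes the recipient reject it rather than silently produce garbage.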
Steganography
There are few good steganographic tools available. A good one, free to noncommercial users, is S-Tools, which permits data to be encrypted using a variety of algorithms and then hidden in graphic files. Hiding alone is not encryption: if the hidden data is ever detected, only the encryption step protects its contents, so the encrypt-then-hide order matters.
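The hide-it-in-an-image technique that S-Tools implements, as an added example (not S-Tools' code and not from the article): least-significant-bit embedding in a constructed buffer of 8-bit samples that stands in for a bitmap's raw pixels. The constructed cover buffer, the four-byte length header and the function names are assumptions for the demonstration; a real tool would read and write an actual image file format.

```python
"""Least-significant-bit steganography over an 8-bit sample buffer.

Added example, not from the article. The 'image' is a constructed bytes
object standing in for a bitmap's raw pixel samples. Only the lowest bit of
each sample changes, which the eye cannot see but which is exactly what
statistical steganalysis looks for, so the payload should be encrypted
(indistinguishable from noise) before it is embedded."""

HEADER_BYTES = 4   # payload length prefix so the extractor knows where to stop

def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write the payload (with a length header) into the LSB of successive samples."""
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(framed)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit      # replace only the lowest bit
    return bytes(stego)

def _read_bytes(samples: bytes, offset_bits: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at sample `offset_bits`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[offset_bits + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload written by embed_lsb."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    if (HEADER_BYTES + length) * 8 > len(stego):
        raise ValueError("length header claims more data than the buffer holds")
    return _read_bytes(stego, HEADER_BYTES * 8, length)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any single sample; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def capacity_bytes(cover: bytes) -> int:
    """Payload bytes the cover can carry after the length header."""
    return len(cover) // 8 - HEADER_BYTES

if __name__ == "__main__":
    cover = bytes((i * 37 + 11) % 256 for i in range(4096))   # constructed 'pixels'
    stego = embed_lsb(cover, b"hidden message")
    print(extract_lsb(stego), "max sample change:", max_sample_change(cover, stego))
```

Running `extract_lsb` on a cover that carries nothing usually fails the length check, which is the point of the header: without it the extractor cannot tell noise from payload, and neither can an adversary, provided the payload was encrypted first.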