What Encryption Do People In The Know Use?

A reader writes "What do cypherpunks in the know recommend for the paranoid types. I'm wondering because of the rising amount of protests. I look and most of these people seem clueless when using the net. Paranoia runs rampant (try taping a protest), yet they use stuff like real, which has been known to violate privacy. So my question is, what would slashdot readers recommend for people who have privacy they actually wish to protect? Are there any good laymen level papers on this?"

Re:Depends on what you're protecting

Pegwit is a program. RSA is an algorithm. There IS a difference-- PGP implements RSA (among other algorithms). Pegwit implements ECC algorithms; it is not an algorithm by itself.

As for symmetric algorithms: take your pick.

A lot of programmers and cryptographers are familiar with Blowfish, and it's very popular. It's easy to understand and implement (the F-function is dirt simple, and the key schedule is only a little more complicated), so there are a lot of products using the algorithm. So far, there haven't been any successful attacks against the full, 16-round algorithm, and lots of cryptologists have tried.

Triple-DES is, of course, based on DES. DES has been analyzed thoroughly over the years, and has held up relatively well-- none of the attacks found were within practical ranges. Triple-DES hasn't been broken-- and likely won't be.

Rijndael is, of course, the AES. It's based on some very innovative concepts, and I'm comfortable with it. It's a little unconventional (most ciphers nowadays seem to be Feistel ciphers, or variants thereof-- Rijndael is a step in a different direction), but it's been analyzed extensively. Nothing too damning has been found. It's probably good enough to use right now without worry, but the ultra-paranoid will wait a few years to watch for new analysis.

Serpent was an AES candidate algorithm. It was based on VERY conservative design principles; this has led to a rock-solid cipher. Serpent doesn't do anything truly unconventional-- everything in the cipher spec is based on sound reasoning and is backed up by YEARS of analysis. A little slower than other algorithms, Serpent still has a lot going for it, and I'd recommend it as soon as any other algorithm.

As for public-key algorithms:

RSA and ElGamal. Old, trusted, and well-understood. RSA has been analyzed since the early 1980's, and has held up VERY well. ElGamal has received a boatload of analysis, as well-- it's not likely to crack soon.

ECC is a very open field, currently, and it holds a LOT of potential. But the comfort level isn't quite there, for me. I'd give it another year or two-- there's a lot of research because of the advantages ECC can bring to public-key cryptography.

Programs:

PGP/GPG. Take your pick. I like GPG, partially for the more intensive peer review, partially for the licensing. PGP has been around longer, however, so it may be more comfortable.

Well we could tell you...

[davidu]

...but then we'd have to kill you.

sorry,
davidu

Scheier recommends PGP

[offby1]

Last I checked, Bruce Schneier (in his book Applied Cryptography) recommended PGP.

If your're smart

[randombit]

you won't take the algorithms specified in other posts and toss them into a program, because it would almost certainly be insecure. Algorithms are fine, but strong block ciphers, public key encryption algorithms, and hash functions have been around for 10 years or more. OTOH, getting the key managemnet, random number generation, etc right is hard and takes a lot of experience and knowledge.

My call would be to use GnuPG. It uses strong algorithms, uses a well know and fairly intensivley studied format, open source, and the people who did it seem to know what they're doing pretty well. If you're feeling paranoid, use the TripleDES or Rijndael-256 options to encrypt, though personally I feel perfectly safe encrypting even very personal things with CAST5.

If you're actually interested in papers, etc, I would start it out with more practical-oriented things (for example, the specifications of Blowfish, MD5, SHA-1, and RSA - not what you find in Applied Crytography or whatever, but the original academic papers - with fairly minimal experience in programming you should be able to understand things like this fairly easily). From there, you can start to read the more involved papers, with complex algorithms and protocols, weird mathematical systems, etc.

Basicaly "in the know" people know that it's not encryption that breaks a secure system. It's the fact that your OS has a remote root hole (or equivalent), or the FBI put a keylogger in your keyboard, or there is a microphone planted in your room. It's much, much simpler to do any of those things than actually break modern encryption algorithms (consider that the FBI actually carried out my keylogging point in order to grab a PGP passphrase that some mob guy was using to encrypt his books). So unless you're sure that the FBI (or anyone else) can't do something like that, there is no point in using anything that might theoretically be more secure cryptographically speaking.

Depends on what you're protecting

[jd]

Rijndael, Blowfish and Twofish are pretty good, all-round algorithms, if you want to secure something you're storing, or sending between one trusted machine and another, over an untrusted connection. They -do- require that you can transfer the key securely, though.

RSA and Pegwit are excellent public key systems, where it is impossible to safely convey a secret key from one machine to another, or where a secret key could be stolen from a machine.

For ultra-solid security for archive material, 3DES and Serpent are probably the best. They're slow, but they're very very solid. Nobody is going to be breaking them in a hurry.

If you're ultra-paranoid, though, you can always take the Square algorithm out of Pegwit and replace it with Serpent, making other changes as needed. Elliptic Curve encryption is faster than classic Public Key encryption, but (so far) it's about as secure.

Depends a lot on your needs.

[rjh]

For public-key algorithms, I'm actually really fond of Rabin. RSA (and ElGamal) is built on three totally unproven conjectures:

• P != NP
• Factoring very large composites is an NP problem (El Gamal: calculating discrete logarithms is an NP problem)
• There is no other way to break RSA than by factoring large numbers (El Gamal: no other way to break it than by calculating discrete logarithms)

Rabin, on the other hand, is based on two totally unproven conjectures:

• P != NP
• Factoring very large composites is an NP problem

... Yes, Rabin has some problems--the ciphertext tends to be much larger than with RSA--but on the whole, it's on a much stronger mathematical foundation. There have been some interesting hints, throughout the years, that the third of RSA's assumptions is not valid--nothing to make any but the most out-there mathematicians drool, but hints nonetheless.

By dodging the third issue, Rabin manages to be (theoretically) safer than RSA for a given modulus size. The word `theoretical' is extremely important, though; putting algorithms into practice is a far different thing than analyzing them in theory!

For this reason, although I prefer Rabin in theory, in practice I really don't care much which algorithm you use--RSA, El Gamal or Rabin are all just fine.

For symmetric algorithms, there is one and only one option for the hardcore and paranoid cryptogeek. That option is TripleDES--either two or three subkeys doesn't matter all that much, but three is definitely preferred. No other symmetric algorithm in history has been cryptanalyzed as heavily as DES. No other symmetric algorithm in history has established as much trust as DES. While at 56 bits of key DES is too weak for anything serious, TripleDES (at somewhere between 112 and 168 bits of key, depending on who you believe) is solid as a rock.

Of course, it's slower than hell and rekeying takes forever. But hey. If you want only the best, most secure, most-trusted, nothing else even comes close.

Dangerous, ill-considered and wrong.

[rjh]

This is no different from running a cipher in OFB8 mode. Which also happens to generate a long stream of pseudorandom values. Which also happens to be susceptible to cryptanalysis.

The reason why? Collisions. If the numbers were totally random, you'd expect any given group to repeat itself after a random interval. You don't see that with the output of pseudorandom number generators, or ciphers running in OFB8.

That tells a cryptanalyst that you're not using random numbers, which means the data wasn't encrypted with a one-time pad.

And that, my friend, means it's 100% breakable encryption.

Using a good pseudorandom number generator like YARROW-160 will provide you with 160 bits of entropy. Using a bad pseudorandom number generator, like, say, a cipher in OFB8 mode, is tempting but wrong.

The reason why is that people naievely believe that "well, if I seed my Blowfish key with 448 bits of entropy--its maximum--then my output will have 448 bits of entropy." Which is true, as far as it goes... but it goes periodic after only 2^32 bits. Or about 512 Mb.

That means if you fill a CD-ROM with the random-seeming output of Blowfish in OFB8 mode, you'll wind up repeating your output for the last 140Mb or so. And at that point, it's trivial cryptanalysis to recover the original plaintext.

Short version: if you want to use a one-time pad, you ABSOLUTELY MUST USE REAL RANDOM VALUES, NOT GENERATED PSEUDORANDUM VALUES. If you don't do this, then it's not a one-time pad and it doesn't enjoy the unbreakable nature of a one-time pad.