What's Now State of the Art in Encryption Technology?

With the events of September 11, 2001 still vividly etched into our conscious minds, it was only a matter of time before the US Government would paint the crosshairs on their next target after Bin Laden: encryption. With Ashcroft's declaration of computers as tools of terrorism, and law-enforcement pushing for enhanced surveillance, it appears that one of the first victims of America's new war may be the privacy of her citizens. Of course, if you are concerned about privacy, you're probably wondering how to improve what protections you have in place, if any. So what are the leading-edge innovations on the encryption front right now, and how easily can such tech be adapted to everyday communications? C :In an interesting display of synchronicity, Timothy posted this article, earlier today, which notes that Steganography use isn't as wide-spread as previously thought. Deagol asks: "With the Feds pushing for encryption back-doors, and even more domestic surveillance, how can we resist this? I mean in a practical way, but at the same time taking a stand for our rights to privacy and assembly. What's the current state of the art in hard disk encryption? Email encryption? Steganography? There are many tools out there, as well as many link-farms, (I looked at many today), but many pages seem dated, and it's hard to tell who's using what in a useful implementation. So, who is using PGP or GPG? Who is using BestCrypt or Loopback Encryption, Freenet or Steganography? A privacy weenie wants to know what your daily-use setup is!"

One thing about encryption: the easier it is to do, the more people there will be using it. For the non-tech user, encrypting messages on a day-to-day should be no more complex than 3 steps.

JPMH asks:"First journalists and now even relatively clued-up politicians in the UK are talking about making it an offence to use strong encryption in email and web-pages. An obvious counter is that this won't work, because the messages can easily be hidden using Steganography (Slashdot Jan 2, May 8). But that assumes that the steganography itself is good enough not to be detected. Is this true? How good is the state of the art?

To be undetectable, the properties of the 'message' bits you are putting in must be statistically indistinguishable from the 'image' bits you are overwriting. According to a paper by Neils Provos and Peter Honeyman of U. Michigan (highlighted today in the Register) the simplest common programs, such as JSteg and JPHide, fail this test badly and are easily detected. But they failed to nail any confirmed steganographic content in 2 million images on EBay.

Other programs (eg Provos's Outguess 0.2) are more sophisticated at hiding the messages (and other media eg MP3s give a bigger haystack to hide them in); but on the other hand, more sophisticated statistical models of images (eg Slashdot 16 Aug) may be better at making the 'hidden' content stand out.

So, can messages reliably be hidden? Or will people trying to hide their messages in a reliable manner get caught?"

PGP, Privacy and Activism

[Paradox+!-)]

Well, the best stand you can make for your rights to privacy and assembly is probably two fold:

1. Exercise them, by encrypting everything you send until they either make it illegal or engage in the debate effectively and attending assemblies of like minded citizens lawfully petitioning their government for redress.

2. Write a check to the ACLU or your favorite civil-rights group (EFF, whatever). Face it folks, Dollars Vote . Nothing expresses your opinion like purchasing power. So I would recommend, in effect, "purchasing" more advocacy and voice in the system. This is not to say this system is right, it is to say this system is reality. We can complain that it shouldn't be this way all we want, but unless we show a force (read: $$) that those with power respect, we're pissing in the wind.

Personally, I use PGP and have been for a while now. (My Public Key) I probably don't use it as much as I should, but it's definitely used for some conversations at work I wouldn't otherwise want seen. So far, none of my employers have had an issue. I don't - yet - encrypt everything on my home computer, but I'll probably buy something to do that in the near future. (Recommendations welcome!)

My company actually mandated everyone get encryption (in our case, Entrust) on our laptops before we went on a project in Asia last year. Turns out, the clients we were doing the work for would attempt to hack into our computers while we we're using their network. They dove into some folks' laptops and read/copied email, files, etc. and then used the information when negotiating with us! We started encrypting everything related to the project before going on site and the client became a bit easier to deal with. (No comments on why they remained our client, please, I still don't know the answer to that one! Decision not in my hands.)

I mention this because I think there's a possibility to make privacy at an personal level a common cause between corporations and individuals. We just need to make the case loudly and effectively. (which brings me back to my support your local civil rights organization point :)

Steganography and Crypto

[DaveHowe]

Best application for StegCrypto I know of is Scramdisk - it only supports 16 bit WAV files (for now) but for ease of use it is unbeatable. the lower four bits of each sample are "formatted" to form a virtual disk drive (a bit like a floppy disk).
To open this virtual disk, you drag and drop the wav file on top of the scramdisk app (there are other ways, but that is the simplest) and type in your password. unless you know the password, the volume won't open, and if you examine the file you can't even prove the scramdisk is there (yes, the file's lower four bits will be statistically at random, but this is true of anything but a pure CD rip anyhow - sound cards just can't sample accurately enough to get a clean lower four bits) Scramdisk is free (with source) from www.scramdisk.clara.net

"State-of-the-art"?

There's always new stuff going on in cryptography, but the state-of-the-art is hard to define...

Best algorithm? Take your pick. AES/Rijndael, Serpent, Twofish, RC6, Blowfish, MARS, Triple-DES-- all of them are good algorithms.

Best implementation? OpenSSL has done a great job of implementing most of these algorithms (maybe a few have been left out due to patent considerations) into a simple-to-use library with both high-level and low-level interfaces to the encryption and decryption routines (i.e., you can simply encrypt blocks of memory, or you can have the library format and encrypt the data according to various standards, like SSL).

Best personal encryption tool? GPG/PGP. I like GPG more, mainly because the source is going to remain available-- NAI is closing up the PGP source. Either one, though, should offer adequate security for e-mail or personal file encryption.

Best hard-disk encryption system? I'm familiar with encrypted loop-back-- under Linux and OpenBSD. I think that it has some advantages-- it's simple and easy to understand, and it works with ANY filesystem supported by the operating system. However, lots of known header information in file allocation tables and such can give an attacker a lot of information to work with.

I haven't tried TCFS yet. The OpenBSD support for it is still very young, and is a developers-only sort of thing. I'm thinking that TCFS will be a VERY good choice, once the support for it is stable in most operating systems (I don't know what the status of tcfs is in Linux-- anybody care to let me know?)

What else? Oh, there's steganography. Still not a lot of stuff out there, but one choice DOES stick out above the rest: OutGuess. OutGuess isn't based simply on a half-baked implementation of a simplistic steganographic algorithm-- it's based on actual research by a respected scientist in the field. OutGuess has a lot of thought put into it, and if you really need steganography (which, I'll admit, is rare), that's the program to use.

Huh? please say something.

[Karmageddon]

you're getting all sorts of plaudits for what you wrote, but it's a piece of crap. you clearly support the majority opinion on slashdot, that's why the slashbots modded you up, but I'm not clear on what exactly is your point. Aircraft, plastic explosives, and several of the other "inanimate objects" on your list are currently heavily regulated, precisely because they are believed by legislative majorities to be unsafe if used improperly. What are you saying?

• Are you saying these things should have no regulation?
• or are you saying that encryption should be regulated the way these things are?
• or are you saying that everything is just fine the way it is with a mix of regulated and unregulated.

I ask because you didn't actually say anything at all as it applies to reality. "Starting down the road of outlawing inanimate objects that can be used for multiple purposes"... is exactly where we've been for hundreds of years, and I kind of like living here so I'm finding it a very satisfying experience. Sure, I don't agree with all regulations, but I can't figure out what you are proposing...

Very low tech "encryption" now in use by mobsters

[SysKoll]

Back in the '80s, a young police officer (with whom I used to play D&D when we were teens, and no, he wasn't a lawful good ranger) once told me he was facing a ring of drug traffickers. He was bitter about not able to keep up with them. These mobsters knew that they were under constant phonetap surveillance. This didn't stop them from using the (tapped) phone lines for setting up appointments and deliveries. And the law enforcement agencies never knew about these dug deals until way too late.

Their trick? The mobsters had imported a few natives from a remote North-African village, speaking a dialect that nobody else on Earth spoke. One of these guys on each end of a phone, and even tapped phones become secure! Of course, they used code words for street name and subway stations.

The Navajo code speakers used by the US transmissions during WWII also used the same principle. Not high-tech at all, but very efficient.

So I strongly suggest that all these laws against cryptography include an article mandating the use of a State-approved language on a phone line. Just like in the former Eastern European countries. Why, anything less stringent would put freedom itself at risk, right?

-- SysKoll