Silk Road forums
Discussion => Security => Topic started by: caesarshift on October 11, 2012, 07:07 pm
-
I know very little about electronic cryptography and online security... I understand the responsibility a free-thinking person has today to protect their identity and preserve anonymity online. I have been diligently reading posts in the security subsection, but I haven't seemed to find a solid footing or foundation that I can use to begin studying and gain some concrete understanding on the subject.
Basically I would like to understand electronic communications encryption, and hard-drive encryption better, but I don't know how to speak in the technical tongue of the programmer tribe. I would appreciate if someone might point me in the right direction and recommend some reading material or tutorials, not so much on umbrella subjects that require a wide range of understanding in different fields, but start me from the ground up so I can learn things that I can actually remember and utilize later.
I have read a bit about cryptography in general and I know how to create some ciphers, but the moment you take cryptography and put it in terms of a computer's methodology, I am in the dark. What learning suggestions can you provide me with, so hopefully in time, I might see the light?
-
<removed>
-
Ask more specific questions (but search for the answers first!). Your question is too broad to answer without writing a novel.
To use the SR safely you should understand how TOR works, and how PGP works. Keep reading.
-
Definitely. Here's a very quick and dirty introduction.
There are basically two types of encryption.
There is 'regular' symmetric encryption. You use this to encrypt a piece of data with a secret password. To get the data back, you have to use that password again.
A nice program to (symmetrically) encrypt files is TrueCrypt. You can download it for free from the truecrypt foundation website. There are a few good youtube tutorials out there on how to use it.
Then there also is asymmetric encryption. This is also called: public key cryptography. Asymmetric encryption is used in PGP to encrypt email. The sender encrypts a piece of text with the recipients public key, and then sends it to him. Then the recipient can decrypt the encrypted text with his private key.
This one might be a bit more complicated, but nothing overly complicated. There is good material out there.
So those will be your research assignments for today: TrueCrypt and PGP (Also called GPG). Learn to use those two pieces of software and you'll have a good start.
Good luck and if you have questions, do not hesitate to ask them.
-
<removed>
-
<removed>
-
caesarshift, I think I have exactly what you're looking for: Bruce Schneier's Applied Cryptography. Schneier is the cryptographer who designed Blowfish, which was one of five finalists in the AES competition (that is to say, his algorithm had a decent shot at becoming what we now call AES; Rijndael won instead). Blowfish is also one of three algorithms supported by the current version of Truecrypt. In the past decade or so, Schneier has focused on writing about security for a broader audience. He is one of the most vocal critics of the TSA and coined the wonderful term "security theater."
Applied Cryptography was written in 1996, but the concepts of course remain the same. It can be found here in neatly formatted HTML:
***CLEARNET***: Table of Contents: http://een.iust.ac.ir/profs/Falahati/Cryptography/CrytoBooks/B_Schneier%20-%20Applied%20Cryptography/ewtoc.html
One of the sexiest passages is found in Chapter 7 ("Key Length") in the section "Thermodynamic Limitations." Here are the last couple of paragraphs:
"[...] A typical supernova releases something like 1051 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."
***CLEARNET*** http://een.iust.ac.ir/profs/Falahati/Cryptography/CrytoBooks/B_Schneier%20-%20Applied%20Cryptography/ch07/07-04.html
Pretty reassuring, though as we all know, 256-bit keys won't keep you from forgetting to unmount your Truecrypt container. ;)
Another article that I consider essential reading is entitled "Can Intelligence Agencies Read Overwritten Data? A response to Gutmann." It's short, just check it out:
***CLEARNET*** http://www.nber.org/sys-admin/overwritten-data-gutmann.html
Hope this helps!
-
Definitely. Here's a very quick and dirty introduction.
There are basically two types of encryption.
There is 'regular' symmetric encryption. You use this to encrypt a piece of data with a secret password. To get the data back, you have to use that password again.
A nice program to (symmetrically) encrypt files is TrueCrypt. You can download it for free from the truecrypt foundation website. There are a few good youtube tutorials out there on how to use it.
Then there also is asymmetric encryption. This is also called: public key cryptography. Asymmetric encryption is used in PGP to encrypt email. The sender encrypts a piece of text with the recipients public key, and then sends it to him. Then the recipient can decrypt the encrypted text with his private key.
This one might be a bit more complicated, but nothing overly complicated. There is good material out there.
So those will be your research assignments for today: TrueCrypt and PGP (Also called GPG). Learn to use those two pieces of software and you'll have a good start.
Good luck and if you have questions, do not hesitate to ask them.
You don't actually encrypt or decrypt emails with asymmetric cryptography. You encrypt and decrypt session keys with asymmetric cryptography. The session keys are used to symmetrically decrypt the communication payload.
-
You don't actually encrypt or decrypt emails with asymmetric cryptography. You encrypt and decrypt session keys with asymmetric cryptography. The session keys are used to symmetrically decrypt the communication payload.
This is very true. When you send a message encrypted with GPG, it isn't actually encrypted with asymmetric encryption. It is symmetrically encrypted (default algorithm: AES) and the password is asymmetrically encrypted with the recipients public key.
The reason for this is that with RSA (the asymmetric algorithm), the ciphertext has a fixed length. I believe the ciphertext cannot be longer than the key length. So with a 2048bit key, your maximum message length is also 2048bit, which is roughly 250 characters.
If you'd only use that, GPG would be like twitter. That's why the message is symmetrically encrypted, and the password (session key) is encrypted with RSA. That is also the reason why no two GPG messages are ever the same, even if the content is identical; the session key is always different.
Also when you sign a message, not the text itself, but rather the messages cryptographic hash (default SHA-1) is encrypted with the signer's private key.
So again, yes you are completely right. But I didn't want to get too technical, because I wasn't sure how much background the OP had.