Page History
...
Consider the following two passwords: "yM&Lqg4?SzS" and "atone long pod wordy calve", we've been led to believe that the first one is the more secure password, in fact the second password would fail most "password strength" tests for not containing numbers or special characters, but in reality the first password is more difficult for us to memorize, and far easier for the computer to guess.
Choose a password that's easy to remember, sufficiently long, and introduce easy to remember typos or letter substitutions to make it more difficult for a computer to guess.
Info | ||
---|---|---|
| ||
There are two types attacks to break into a password protected system by attempting to guess the password, brute-force and dictionary; these attacks are effectively useless against online systems, even if not secured properly, the latency alone makes them impractical. However, these attacks are very effective against local encrypted files (like your password database, or any other file you encrypt for privacy). Let's compare the two attacks against our two passwords. Let's assume the attacker is using an array of modern processors that is capable of going through Brute Force This technique relies on trying every possible combination of characters until the correct one is guessguessed, hence the name brute force. If we consider |
Dual Factor Authentication
...
a typical brute force algorithm that attempts to guess the password with the 26 characters of the English alphabet in both upper and lower case, 10 numerical digits, and 33 special characters easily found on a qwerty keyboard, we find:
Dictionary Attack: A dictionary attack aims to address the slowness of a brute force attack by taking advantage of people's tendency to use simple words as their passwords, this relies on the password consisting of a word or two, or it becomes a brute force attack. We'll consider a typical diceware dictionary for this attack, which consists of 6^5 (7,776) unique words (note that the bigger the dictionary, the more likely it is to produce a successful guess, and the slower it is).
|
Dual Factor Authentication
...
Anti Virus
...
Encryption
We'll describe three types of encryption technologies/algorithms we recommend, and go into detail on how and when to utilize each.
AES | RSA/OpenPGP | Signal Protocol |
---|---|---|
Advantages:
Disadvantages:
Technology overview: Advanced Encryption Standard (AES) is a symmetric key algorithm ratified as a standard by the National Institute of Standards and Technology of the United States; AES-256 is currently labeled as sufficient to use in the US government for the transmission of TOP SECRET information. At present, there is no known practical attack that would allow someone without knowledge of the key to read data encrypted by AES when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it. A symmetric block cipher uses a single encryption key to encrypt and to decrypt a file, making it useful to encrypt personal documents but useless for sharing sensitive information with a third party. It's relatively easier to encrypt personal files with AES, and is recommended for encrypting your personal files, especially if uploading to cloud-storage providers (Google Drive, Dropbox, etc). | Advantages:
Disadvantages:
Technology overview: RSA is a public-key cryptosystem, which uses an asymmetric key algorithm. The most important concept to understand about asymmetric key encryption is that it uses a public-private key pair, the public key is used to encrypt data, and the private key is used to decrypt it. This allows you to share the public key freely, which a sender would use to enrypt their data before sending to you, and only you can decrypt the data with your private key. In contrast, when you want to send sensitive data to another person, you must use their public key to encrypt it. At present, there is no known practical attack that would allow someone without knowledge of the private key to read data encrypted by RSA when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it. | Advantages:
Disadvantages:
Technology Overview: Signal is similar to |
Simplified Example of symmetric cryptography in practice:
This is a story about Alice and Bob. Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail. Unfortunately, Alice is pretty sure that the postman is reading the mail she sends. That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them.
Alice decides to put the message inside a lockbox, then mail the box to Bob. She buys a lockbox and two identical keys to open it. But then she realizes she can’t send the key to open the box to Bob via mail, as the mailman might open that package and take a copy of the key. Instead, Alice arranges to meet Bob at a nearby bar to give him one of the keys. It’s inconvenient, but she only has to do it once. After Alice gets home she uses her key to lock her message into the lockbox. Then she sends the lockbox to Bob. The mailman could look at the outside, or even throw the box away so Bob doesn’t get the message – but there’s no way he can read the message, as he has no way of opening the lockbox. Bob can use his identical key to unlock the lockbox and read the message. This works well, and now that Alice and Bob have identical keys Bob can use the same method to securely reply. Meeting at a bar to exchange keys is inconvenient, though. It gets even more inconvenient when Alice and Bob are on opposite sides of an ocean. | Simplified Example of asymmetric cryptography in practice:
This is a story about Alice and Bob. Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail. Unfortunately, Alice is pretty sure that the postman is reading the mail she sends. That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them.
This time, Alice and Bob don’t ever need to meet. First Bob buys a padlock and matching key. Then Bob mails the (unlocked) padlock to Alice, keeping the key safe. Alice buys a simple lockbox that closes with a padlock, and puts her message in it. Then she locks it with Bob’s padlock, and mails it to Bob. She knows that the mailman can’t read the message, as he has no way of opening the padlock. When Bob receives the lockbox he can open it with his key, and read the message. This only works to send messages in one direction, but Alice could buy a blue padlock and key and mail the padlock to Bob so that he can reply. Or, instead of sending a message in the padlock-secured lockbox, Alice could send Bob one of a pair of identical keys. Then Alice and Bob can send messages back and forth in their symmetric-key lockbox, as they did in the first example. | |
When to use AES: To encrypt your whole computer, or to encrypt files on the computer, which you don't intend to share with anyone. | When to use RSA: To encrypt sensitive information for sharing with a third party, primarily through email. You can also use your own public key to encrypt your own files as you would with AES, but it adds a few steps to the process. |
A concise guide on using the recommended tools will be added soon, but a more detail tutorial for using each tool can be found on their respective websites.
AES
Once properly encrypted, the files can safely be duplicated for off-site backups or removal from local device.
The tool I recommend using for encrypting personal files is 7-zip (https://www.7-zip.org/). 7-Zip is a free and open source compression and packaging program with a strong implementation of AES-256 encryption.
For MacOS X, Keka (https://www.keka.io/en/) is a port of 7-zip that offers the same level of encryption. A guide for using Keka can be found here: https://github.com/aonez/Keka/wiki/Compressing-with-Keka
What's great about 7-zip is that it's a very popular archiving tool, and it doesn't scream "I'm encrypting files!", satisfying the Security-through-obscurity principal.
For a more convenient - but less obscure - experience, I recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html). It allows you to mount a logical drive (think a USB drive plugged into your computer), where everything you save to the drive is encrypted. You can then safely upload the whole volume (or "drive" file).
RSA
When sharing sensitive information, such as passwords or private encryption keys, always insure the data is encrypted end-to-end; that is, encrypted on the sender's local device, and encrypted on the receiver's local device. The use of public-key encryption is most commonly used not limited to