Welcome to Solomon!

Enter the Access Code below

Access code is invalid

Solomon Logo

For assistance, problems or questions, please email us.

solomon@reliant.org

Versions Compared

Old Version 4

changes.mady.by.user John Abassian

Saved on

compared with

New Version 5

changes.mady.by.user John Abassian

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Consider the following two passwords: "yM&Lqg4?SzS" and "atone long pod wordy calve", we've been led to believe that the first one is the more secure password, in fact the second password would fail most "password strength" tests for not containing numbers or special characters, but in reality the first password is more difficult for us to memorize, and far easier for the computer to guess. 

Choose a password that's easy to remember, sufficiently long, and introduce easy to remember typos or letter substitutions to make it more difficult for a computer to guess. 

Info
titleTechno-babel

There are two types attacks to break into a password protected system by attempting to guess the password, brute-force and dictionary; these attacks are effectively useless against online systems, even if not secured properly, the latency alone makes them impractical. However, these attacks are very effective against local encrypted files (like your password database, or any other file you encrypt for privacy).

Let's compare the two attacks against our two passwords. Let's assume the attacker is using an array of modern processors that is capable of going through

Brute Force

This technique relies on trying every possible combination of characters until the correct one is guessguessed, hence the name brute force. If we consider

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Dual Factor Authentication

...

a typical brute force algorithm that attempts to guess the password with the 26 characters of the English alphabet in both upper and lower case, 10 numerical digits, and 33 special characters easily found on a qwerty keyboard, we find:

  • For the password "yM&Lqg4?S": The program must guess every possible permutation starting with 1 characters and increasing until a match is found. That means it'll take a between between (6.3695419 x 10^17) + 1 and 6.0510648 x 10^19 guesses.

    Total search space: 95 + 95^2 + 95^3 + 95^4 + 95^5 + 95^6 + 95^7 + 95^8 + 95^9 = 636,954,190,679,126,495
    Assuming the attacker is using a large botnet capable of making one hundred trillion guesses per second, it would take less than 2 hours to guess this password.
    An attacker with relatively inexpensive off-the-shelf hardware could break it in approximately two and a half months.
  • For the password "atone long pod wordy calve", despite the fact that it contains no numbers, upper case letters, or special characters:

    Total search space: 95 + 95^2 + ... + 95^26 = 2,663,234,997,260,162,196,476,097,223,547,872,948,519,727,017,017,120 
    Assuming the same large botnet, it would take the attacker approximately 8.47 thousand trillion trillion centuries to guess this password.
    An attacker with relatively inexpensive off-the-shelf hardware would need 8.47 million trillion trillion centuries to guess it.


Dictionary Attack:

A dictionary attack aims to address the slowness of a brute force attack by taking advantage of people's tendency to use simple words as their passwords, this relies on the password consisting of a word or two, or it becomes a brute force attack. We'll consider a typical diceware dictionary for this attack, which consists of 6^5 (7,776) unique words (note that the bigger the dictionary, the more likely it is to produce a successful guess, and the slower it is).

  • The password "yM&Lqg4?S" is not susceptible to a dictionary attack, a dictionary attack will never be able to break it.
  • For the password "atone long pod wordy calve":
    Think of this password as a password 5 characters long, but being composed with an alphabet consisting of 7,777 characters (dicware dictionary + a space)
    Total search space = 7,777 + 7,777^2 + ... +7,777^5 = 2.8452232 x 10^19
    A large botnet attack that is lucky enough to be using the same dictionary set would be able to guess this password in just under 2 days, but it would take an attacker with off-the-shelf hardware just over 3.5 years.

    Now consider doing a miner change to our password: "at0ne l0ng p0d w0rdy calve!"
    Our password is still easy to remember, but it is now no longer susceptible to this dictionary attack (remember the larger the dictionary, the slower the attack is). Furthermore, by adding an additional character ('!'), we've increased the possible number of permutations by 2.5034409 x 10^53, bringing our estimated brute force crack time to 8.04 hundred million trillion trillion centuries.

 

Dual Factor Authentication

...

 

Anti Virus

 

...


Encryption

We'll describe three types of encryption technologies/algorithms we recommend, and go into detail on how and when to utilize each. 

AESRSA/OpenPGPSignal Protocol

Advantages:

  • Easy to use
  • Does not rely on trusting a third party
  • Suitable for encrypting data for secure storage

Disadvantages:

  • Not suitable for sharing sensitive information

Technology overview:

Advanced Encryption Standard (AES) is a symmetric key algorithm ratified as a standard by the National Institute of Standards and Technology of the United States; AES-256 is currently labeled as sufficient to use in the US government for the transmission of TOP SECRET information.

At present, there is no known practical attack that would allow someone without knowledge of the key to read data encrypted by AES when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it.

A symmetric block cipher uses a single encryption key to encrypt and to decrypt a file, making it useful to encrypt personal documents but useless for sharing sensitive information with a third party.

It's relatively easier to encrypt personal files with AES, and is recommended for encrypting your personal files, especially if uploading to cloud-storage providers (Google Drive, Dropbox, etc).

Advantages:

  • Suitable for sharing private information
  • Suitable for encrypting data for secure storage
  • Depending on implementation:
    • Does not rely on trusting a third party with decryption keys - with manual implementation (as described in this write-up)
    • Easy to use - with delegated implementation (with services like protonmail.com)

Disadvantages:

  • Depending on implementation:
    • Difficult to learn, tedious to use - with manual implementation (as described in this write-up)
    • Relies on trusting a third party - with delegated implementation (with services like protonmail.com)

 Technology overview:

RSA is a public-key cryptosystem, which uses an asymmetric key algorithm. The most important concept to understand about asymmetric key encryption is that it uses a public-private key pair, the public key is used to encrypt data, and the private key is used to decrypt it.

This allows you to share the public key freely, which a sender would use to enrypt their data before sending to you, and only you can decrypt the data with your private key. In contrast, when you want to send sensitive data to another person, you must use their public key to encrypt it.

At present, there is no known practical attack that would allow someone without knowledge of the private key to read data encrypted by RSA when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it.

Advantages:

  • Easy to use
  • Suitable for sharing private information
  • Does not rely on trusting a third party
  • For some implementations, can be used to easily send private messages without leaving any traces of them anywhere.

Disadvantages:

  • Not suitable for encrypting data for secure storage
  • Tied to phone number, phone line must be active and capable of receiving incoming messages to reinstall application
  • Does not keep encrypted backup, either relies on external unencrypted backup or loses all past communications.


Technology Overview:

Signal is similar to

Simplified Example of symmetric cryptography in practice:
Taken from https://wordtothewise.com/2014/09/cryptography-alice-bob/

 

 

This is a story about Alice and Bob.

Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail.

closedletterImage Modified

Unfortunately, Alice is pretty sure that the postman is reading the mail she sends.

openletterImage Modified

That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them.

 

Alice decides to put the message inside a lockbox, then mail the box to Bob. She buys a lockbox and two identical keys to open it. But then she realizes she can’t send the key to open the box to Bob via mail, as the mailman might open that package and take a copy of the key.

Instead, Alice arranges to meet Bob at a nearby bar to give him one of the keys. It’s inconvenient, but she only has to do it once.

lockstoreImage Modified

After Alice gets home she uses her key to lock her message into the lockbox.

shared1Image Modified

Then she sends the lockbox to Bob. The mailman could look at the outside, or even throw the box away so Bob doesn’t get the message – but there’s no way he can read the message, as he has no way of opening the lockbox.

shared2Image Modified

Bob can use his identical key to unlock the lockbox and read the message.

shared3Image Modified

This works well, and now that Alice and Bob have identical keys Bob can use the same method to securely reply.

Meeting at a bar to exchange keys is inconvenient, though. It gets even more inconvenient when Alice and Bob are on opposite sides of an ocean.


Simplified Example of asymmetric cryptography in practice:
Taken from https://wordtothewise.com/2014/09/cryptography-alice-bob/

 

 

This is a story about Alice and Bob.

Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail.

closedletterImage Modified

Unfortunately, Alice is pretty sure that the postman is reading the mail she sends.

openletterImage Modified

That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them.

 

This time, Alice and Bob don’t ever need to meet. First Bob buys a padlock and matching key.

public1Image Modified

Then Bob mails the (unlocked) padlock to Alice, keeping the key safe.

public2Image Modified

Alice buys a simple lockbox that closes with a padlock, and puts her message in it.

public3Image Modified

Then she locks it with Bob’s padlock, and mails it to Bob.

public4Image Modified

She knows that the mailman can’t read the message, as he has no way of opening the padlock. When Bob receives the lockbox he can open it with his key, and read the message.

public5Image Modified

This only works to send messages in one direction, but Alice could buy a blue padlock and key and mail the padlock to Bob so that he can reply.

Or, instead of sending a message in the padlock-secured lockbox, Alice could send Bob one of a pair of identical keys.

publicharedImage Modified

Then Alice and Bob can send messages back and forth in their symmetric-key lockbox, as they did in the first example.

shared2Image Modified

 

When to use AES:

To encrypt your whole computer, or to encrypt files on the computer, which you don't intend to share with anyone.

When to use RSA:

To encrypt sensitive information for sharing with a third party, primarily through email. You can also use your own public key to encrypt your own files as you would with AES, but it adds a few steps to the process.

 


A concise guide on using the recommended tools will be added soon, but a more detail tutorial for using each tool can be found on their respective websites. 

AES

Once properly encrypted, the files can safely be duplicated for off-site backups or removal from local device. 

The tool I recommend using for encrypting personal files is 7-zip (https://www.7-zip.org/). 7-Zip is a free and open source compression and packaging program with a strong implementation of AES-256 encryption.
For MacOS X, Keka (https://www.keka.io/en/) is a port of 7-zip that offers the same level of encryption. A guide for using Keka can be found here: https://github.com/aonez/Keka/wiki/Compressing-with-Keka

What's great about 7-zip is that it's a very popular archiving tool, and it doesn't scream "I'm encrypting files!", satisfying the Security-through-obscurity principal. 

For a more convenient - but less obscure - experience, I recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html). It allows you to mount a logical drive (think a USB drive plugged into your computer), where everything you save to the drive is encrypted. You can then safely upload the whole volume (or "drive" file). 

 

RSA

When sharing sensitive information, such as passwords or private encryption keys, always insure the data is encrypted end-to-end; that is, encrypted on the sender's local device, and encrypted on the receiver's local device. The use of public-key encryption is most commonly used  not limited to