LinuxQuestions.org


crashsystems 08-15-2006 11:07 AM

Can I trust GPG?
 
I work for an organization that has a need to communicate with our employees around the world securely via the internet. I have been reading up on gpg encryption for linux, and was wondering how difficult it is to crack. It looks like it would probably be rather hard for an individual to crack, but what about, for example, someone with the resources of a large communist government? Is GPG secure enough, and why or why not?

crashsystems

b0uncer 08-15-2006 11:23 AM

Quote:

It looks like it would probably be rather hard for an individual to crack, but what about, for example, someone with the resources of a large communist government? Is GPG secure enough, and why or why not?
Surely, anything can be cracked with enough effort. The only point is, how difficult it is, or rather, how long it takes (which depends on the resources again -- enough resources and anything is cracked).

If you're worried about governments, GPG is not for you. This is where you create your own enigma. And how valuable is the information you would be transferring, if you were scared of governments? Such information should not be transferred via cables nor on-air... use humans to transfer it. GPG is for normal people.

crashsystems 08-15-2006 12:03 PM

I understand that there is always some risk involved with any form of electronic communication, so I know better than to ask something like "how can I make my encryption un-crackable". Perhaps a better question would be what is the most secure encryption option, without spending a lot of money?

crashsystems

mrkawphy 08-21-2006 01:45 PM

I think it is safe to say that the best answer is: what you spend will determine the quality of what you get. As the above have stated, with enough time and resources it will be cracked. I am sure there are some high-end commercial encryptions available, but the higher the quality, the more expensive it WILL be. You have not really been overly specific as to who you think will be interested in stealing the information you are going to be sending, so it makes it hard to give a rough base of how strong you should go. But once again, if it is something like a gov't you are trying to protect it from, I seriously doubt any level of encryption can compete with the funding of a gov't if they really want your information. As stated, human-to-human transfer may be the best form of sending if you are that concerned about how sensitive it is. And of course, if it really comes down to being that sensitive, I would assume money would be no object if it is that important.

crashsystems 08-21-2006 02:24 PM

Ok, I guess I can be a little more specific about what I need the encryption for. My organization has a need to communicate with missionaries in various nations that are not too friendly with our line of work (such as communist/Islamic countries). The kind of stuff our field workers are doing is rather low-key, so though I do not believe that cracking encrypted email going to our people would be real high on a government's priority list in the grand scale of things, security is rather important to us. Also, in addition to giving your opinions on the security of gpg or other recommended solutions, if you could mention a good book or other related learning resources on cryptology, that would be quite helpful.


crashsystems

tuubaaku 08-21-2006 08:18 PM

I think gpg would be a very good option. Another option for you might be to use ssl for all in-house email (obviously doesn't help for email that goes through other servers, but I know of an organization that uses ssl on all email that goes through their own servers). You can always combine both options. At that point you might want to consider security in other parts of the process, because transferring the email may not be the weakest link anymore. :)

rickh 08-21-2006 09:22 PM

I always felt that if I had such a need, I'd study Steganography. Understand that if a large enough organization already has reason to suspect you of something, they'll decrypt your best efforts. Sending obviously encrypted mail is a good way to attract suspicion.

Emerson 08-21-2006 09:39 PM

Actually, encryption algorithms are better than you seem to think. A friend of mine was in the satellite cracking business; an 8-byte DES key is practically uncrackable, add two more bytes and even future supercomputers are toothless against it. The weakest link here is "the human factor"; if this information really is valuable they will find a way to leak it.

crashsystems 08-22-2006 09:31 AM

Thanks to everyone who has given input with this. As with quite a few things security related, I feel like I'm in a bit over my head when it comes to the finer details of encryption. Does anyone know of a good book I could purchase on the topic? Preferably something that is useful for beginners, but then goes on into the more detailed parts of the topic?

crashsystems

win32sux 08-22-2006 06:36 PM

Quote:

Originally Posted by crashsystems
Thanks to everyone who has given input with this. As with quite a few things security related, I feel like I'm in a bit over my head when it comes to the finer details of encryption. Does anyone know of a good book I could purchase on the topic? Preferably something that is useful for beginners, but then goes on into the more detailed parts of the topic?

crashsystems

Cryptography Demystified (by John Hershey) has gotten five stars at Amazon.com:

http://www.amazon.com/gp/product/007...lance&n=283155

ErrorBound 08-22-2006 06:54 PM

Quote:

Originally Posted by crashsystems
Thanks to everyone who has given input with this. As with quite a few things security related, I feel like I'm in a bit over my head when it comes to the finer details of encryption. Does anyone know of a good book I could purchase on the topic? Preferably something that is useful for beginners, but then goes on into the more detailed parts of the topic?

crashsystems

Try looking at Wikipedia if you're looking for some introduction to cryptography. You could start by looking up the Caesar cipher, which is the simplest, and then look at more and more involved (and secure) types like the Vigenère and autokey ciphers, and then stream ciphers for a good introduction. I find it's an interesting topic in itself. You will gain a much deeper understanding by implementing them yourself in code, and get a better idea of how their respective strengths and weaknesses work. I know because I did it myself! (broken link)
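
Added example, not part of the thread and not any poster's code: the three classical ciphers named in the last post, with a Kasiski-style repeat test showing why a cycling Vigenère key leaks its length while an autokey stream does not. The function names, `PLAIN` and `KEY` are assumptions made up for this illustration.

```python
from functools import reduce
from math import gcd

A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def letters(text):
    """Keep A-Z only, upper-cased (these ciphers ignore spacing)."""
    return [c for c in text.upper() if c in A]

def caesar(text, shift):
    """Every letter moves by the same shift, so only 25 useful keys exist."""
    return "".join(A[(A.index(c) + shift) % 26] for c in letters(text))

def vigenere(text, key, sign=1):
    """Caesar whose shift cycles through the key letters (sign=-1 decrypts)."""
    return "".join(A[(A.index(c) + sign * A.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(letters(text)))

def autokey_encrypt(text, primer):
    """Key stream is the primer followed by the plaintext, so it never cycles."""
    p = letters(text)
    return "".join(A[(A.index(c) + A.index(k)) % 26]
                   for c, k in zip(p, list(primer) + p))

def autokey_decrypt(ct, primer):
    """Each recovered plaintext letter becomes key material for a later one."""
    stream, out = list(primer), []
    for i, c in enumerate(ct):
        out.append(A[(A.index(c) - A.index(stream[i])) % 26])
        stream.append(out[-1])
    return "".join(out)

def repeat_gcd(ct, n=3):
    """Kasiski test: gcd of distances between repeated n-grams (0 if none)."""
    seen, dists = {}, []
    for i in range(len(ct) - n + 1):
        gram = ct[i:i + n]
        if gram in seen:
            dists.append(i - seen[gram])
        seen.setdefault(gram, i)
    return reduce(gcd, dists, 0)

# Constructed sample: "SEND THE" recurs 15 letters apart, a multiple of len(KEY).
PLAIN = "SEND THE KEY TODAY SEND THE DATA"
KEY = "LEMON"  # assumed key, chosen only for this demonstration

if __name__ == "__main__":
    print(repeat_gcd(vigenere(PLAIN, KEY)))        # multiple of the key length
    print(repeat_gcd(autokey_encrypt(PLAIN, KEY))) # no repeated trigrams
```

The Vigenère ciphertext repeats wherever the same plaintext meets the same key position, so the repeat distance is a multiple of the key length; a one-letter Vigenère key is just a Caesar shift.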

