Hello.
How GPG work and why security agencies can't crack it?
It is Open source and they can read the Source Code and find how it work and then...

Please tell me your ideas.

Tnx.

gpg works on the principals of pki where you have a public key and private key. which in a watered down explanation is what one key does it must be undone by the other

If something is open source, it doesn't mean it's insecure. Most of the time the other way round: think Telegram, ProtonMail, OpenBSD at the end of the day. Cryptography, randomisation and passwords are what makes things secure, apart from end user skills.

The reason why people can't crack strong GPGP is because of the way it is implemented, its not really a problem that can be solved quickly, RSA (at least) works because in order to factor a 4096+ bit key it would take more computering power then any one has and a very long time. The numbers it produces are just too big to factor. If you could factor a key that large then it would be easy to look at the source and do basic substitution. You could try to brute force it, but that would take somewhere around 20 lifetimes of the entire universe.

RSA and EC are great when you need the information to be hidden for a finite amount of time. These types of cyphers are not so great against theoretical quantum computers how ever AES might be (know one knows for sure because non exist yet)

It is highly(!) debatable whether "security agencies" can crack a system like GPG: they probably can ("your tax dollars at work™ ..."), but you won't know about it.

But, really, what you're interested in, is not "the NSA," but simply, "Eve." Your "eavesdropper," who wants to know what Alice is saying to Bob. Neither Alice nor Bob are criminals: they are honest people whose communications "are nobody's business but theirs."

GPG is a carefully thought-out suite of related cryptographic tools which provide three important services:

1. Concealment: (Of course.) Only Alice and Bob can read the message.
2. Provenance: The message did come from Alice or Bob.
3. Message Integrity: The message received is exactly the one that was sent.

What's really significant about these technologies is the way in which they accomplish their aims. There are no "secrets" as to how the entire system operates. (There is, specifically, no "security through obscurity.") You have the full source-code to everything. Many "white hat" experts (including, by the way, delegates from NSA and other National Security agencies throughout the world) participate in open discussions about the system and all of its components. (In some cases, we have even benefited from closed discussions. We now know that the original DES algorithm was equipped with safeguards against attacks that had not yet been publicly discovered.)

GPG, like various other systems such as OpenSSL and VPNs, is equipped to incorporate advances in crypto as they become available. We also know that some military cipher systems use portions of these same protocols, even though they use (of course) proprietary algorithms and certain other "enhancements."

It's important to remember that "the strongest point in any system is the weakest link," and that, "what you don't know can hurt you very badly." This is why these systems offer "soup-to-nuts" solutions to the total secure-communications problem: all three of the bullet-points listed above are extremely important, even when the text of the message is not concealed.

Knowing how the cryptography is implemented does not give you the key to decrypt anything. You really need to do a lot of reading on cryptography and learn more about it before anyone could even begin to explain it to you. It's not a simple subject. But the reality is that even though the source code is available to anyone, the cryptography is secure. Without the key that encrypted a file, no one, not even the person who wrote the source code, can break it.

What I am curious about is what kind of passwords is strong enough against a brute force attempts in the trillions?

http://news.nationalpost.com/news/ca...ypted-computer

I generate passwords that mix A-Z, a-z, 0-9 and symbols <>/,." ..etc

Don't care that the article is about child porn, it's just nerd curiousity about at what point do passwords become statistically impossible to find?

For example, for 96 possible characters (26 upper, 26 lower, 10 digits, 34 symbols) a password of 8 random characters = 96^8 = 7200 trillion passwords. However most people don't choose random characters in their passwords, so they are typically much easier to guess.

The last password I made for a website was 12 chars based on two random words. Not sure how well the crackers work on horse-battery-staple passwords. What's weird is that the website put a 15-character UPPER limit on password length. Why? They don't store the password (hopefully). They just store a hash, so they shouldn't care if it is 1000 characters.

1 members found this post helpful.

A cryptologist would probably say that any "password" is insufficient. Information should be protected by digital certificates. (These certificates, in turn, can be password-protected ... that is to say, encrypted.)

A password has very little actual "entropy," because it must be remembered and typed-in on a keyboard. Furthermore, anyone who possesses a password cannot be distinguished from anyone else who knows the same password.

A digital certificate, on the other hand, contains thousands of truly unpredictable bits. It is "one of a kind," and it can therefore be used to validate message sources (digital signing). If the certificate is lost or stolen, it can be immediately revoked, affecting only that certificate.

When a certificate is encrypted with a password, it only renders the certificate useless to anyone who doesn't know the word. It doesn't alter the random content of the (decrypted) certificate itself.

You'll want to look at the standard for OpenPGP, which is what GnuPG and the others use:

https://tools.ietf.org/html/rfc4880

Good cryptological systems work even if the entire process used to encrypt is known. Q.v., Kerckhoff's Principle -- i.e., "the enemy knows the system."