Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
GPG works on the principles of PKI, where you have a public key and a private key. In a watered-down explanation, what one key does must be undone by the other.
If something is open source, it doesn't mean it's insecure. Most of the time the other way round: think Telegram, ProtonMail, OpenBSD at the end of the day. Cryptography, randomisation and passwords are what makes things secure, apart from end user skills.
The reason why people can't crack strong GPG is because of the way it is implemented. It's not really a problem that can be solved quickly. RSA (at least) works because in order to factor a 4096+ bit key it would take more computing power than anyone has and a very long time. The numbers it produces are just too big to factor. If you could factor a key that large then it would be easy to look at the source and do basic substitution. You could try to brute force it, but that would take somewhere around 20 lifetimes of the entire universe.
RSA and EC are great when you need the information to be hidden for a finite amount of time. These types of ciphers are not so great against theoretical quantum computers; however, AES might be (no one knows for sure because none exist yet).
It is highly(!) debatable whether "security agencies" can crack a system like GPG: they probably can ("your tax dollars at work™ ..."), but you won't know about it.
But, really, what you're interested in, is not "the NSA," but simply, "Eve." Your "eavesdropper," who wants to know what Alice is saying to Bob. Neither Alice nor Bob are criminals: they are honest people whose communications "are nobody's business but theirs."
GPG is a carefully thought-out suite of related cryptographic tools which provide three important services:
Concealment: (Of course.) Only Alice and Bob can read the message.
Provenance: The message did come from Alice or Bob.
Message Integrity: The message received is exactly the one that was sent.
What's really significant about these technologies is the way in which they accomplish their aims. There are no "secrets" as to how the entire system operates. (There is, specifically, no "security through obscurity.") You have the full source-code to everything. Many "white hat" experts (including, by the way, delegates from NSA and other National Security agencies throughout the world) participate in open discussions about the system and all of its components. (In some cases, we have even benefited from closed discussions. We now know that the original DES algorithm was equipped with safeguards against attacks that had not yet been publicly discovered.)
GPG, like various other systems such as OpenSSL and VPNs, is equipped to incorporate advances in crypto as they become available. We also know that some military cipher systems use portions of these same protocols, even though they use (of course) proprietary algorithms and certain other "enhancements."
It's important to remember that "the strongest point in any system is the weakest link," and that, "what you don't know can hurt you very badly." This is why these systems offer "soup-to-nuts" solutions to the total secure-communications problem: all three of the bullet-points listed above are extremely important, even when the text of the message is not concealed.
Knowing how the cryptography is implemented does not give you the key to decrypt anything. You really need to do a lot of reading on cryptography and learn more about it before anyone could even begin to explain it to you. It's not a simple subject. But the reality is that even though the source code is available to anyone, the cryptography is secure. Without the key that encrypted a file, no one, not even the person who wrote the source code, can break it.
What I am curious about is what kind of password is strong enough against brute force attempts in the trillions?
When police tried to access his encrypted hard drives, they spent five days using a “brute force attack” of more than three trillion password attempts and were unsuccessful.
I generate passwords that mix A-Z, a-z, 0-9 and symbols <>/,." ..etc
Don't care that the article is about child porn, it's just nerd curiosity about at what point do passwords become statistically impossible to find?
For example, for 96 possible characters (26 upper, 26 lower, 10 digits, 34 symbols) a password of 8 random characters = 96^8 = 7200 trillion passwords. However most people don't choose random characters in their passwords, so they are typically much easier to guess.
The last password I made for a website was 12 chars based on two random words. Not sure how well the crackers work on horse-battery-staple passwords. What's weird is that the website put a 15-character UPPER limit on password length. Why? They don't store the password (hopefully). They just store a hash, so they shouldn't care if it is 1000 characters.
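The numbers discussed above, worked through as an added example (not code from any poster in this thread): it takes the guess rate implied by the quoted article (three trillion attempts in five days) and computes the search space, entropy and average search time for random-character passwords and random-word passphrases. It assumes every character or word is drawn uniformly at random; the 7776-word list size is an assumption (a Diceware-style list), and the function names are illustrative.

```python
import math

# Rate implied by the article quoted in the thread:
# "more than three trillion password attempts" over five days.
RATE = 3e12 / (5 * 24 * 3600)          # guesses per second (~6.9 million)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(symbols: int, length: int) -> int:
    """Number of equally likely secrets: symbols ** length."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a secret built from `length` uniform random picks."""
    return length * math.log2(symbols)


def years_to_search(space: int, rate: float = RATE, fraction: float = 0.5) -> float:
    """Years needed to cover `fraction` of the space (0.5 = average case)."""
    return space * fraction / rate / SECONDS_PER_YEAR


def min_length(symbols: int, target_years: float, rate: float = RATE) -> int:
    """Smallest length whose average-case search time reaches target_years."""
    length = 1
    while years_to_search(keyspace(symbols, length), rate) < target_years:
        length += 1
    return length


def report():
    # (label, alphabet or word-list size, number of random picks)
    schemes = [
        ("8 random chars from 96", 96, 8),
        ("12 random chars from 96", 96, 12),
        ("2 random words from 7776 (assumed list)", 7776, 2),
        ("4 random words from 7776 (assumed list)", 7776, 4),
    ]
    return [(label, entropy_bits(n, k), years_to_search(keyspace(n, k)))
            for label, n, k in schemes]


if __name__ == "__main__":
    for label, bits, years in report():
        print(f"{label:42s} {bits:5.1f} bits  {years:.3g} years on average")
    print("chars needed for 1e6 years at this rate:", min_length(96, 1e6))
```

These figures hold only for secrets chosen at random; a password a person made up has far less entropy than its length suggests, which is the point made in the post above.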
A cryptologist would probably say that any "password" is insufficient. Information should be protected by digital certificates. (These certificates, in turn, can be password-protected ... that is to say, encrypted.)
A password has very little actual "entropy," because it must be remembered and typed-in on a keyboard. Furthermore, anyone who possesses a password cannot be distinguished from anyone else who knows the same password.
A digital certificate, on the other hand, contains thousands of truly unpredictable bits. It is "one of a kind," and it can therefore be used to validate message sources (digital signing). If the certificate is lost or stolen, it can be immediately revoked, affecting only that certificate.
When a certificate is encrypted with a password, it only renders the certificate useless to anyone who doesn't know the word. It doesn't alter the random content of the (decrypted) certificate itself.
Last edited by sundialsvcs; 04-15-2016 at 07:36 PM.
Good cryptological systems work even if the entire process used to encrypt is known. Q.v., Kerckhoffs's Principle -- i.e., "the enemy knows the system."
Last edited by sneakyimp; 04-22-2016 at 05:59 PM.
Reason: typo