LinuxQuestions.org


rblampain 03-17-2017 10:37 PM

is encryption safe?
 
About ten years ago the general view was that encryption was safe and not easily "crackable" if at all (taking a very long processing time on "super computer"). The latest reported "attacks" by the Russians on the Democratic Party in the US seem to raise the proposition that these government agencies now have the "tools" necessary to easily decipher encrypted data like encrypted Emails.

Can anyone give an experienced view on the subject? I suspect the views will still be varied but if there is a majority for a particular view, that is the important thing since these agencies keep their ability or the lack of it secret.

Thank you for your help

lazydog 03-17-2017 11:12 PM

I think it's not so much if encryption is safe but what kind of encryption you use and how strong that encryption is. Cipher and length of the key are both important parts and if you use a strong cipher and large key. Most things that are broken are from weak ciphers and short/weak keys. For example most people use weak passwords thus making it easy for their encryption to be broken.

Mind you I'm not an expert but believe this is the reason why encryption is broken.

chrism01 03-24-2017 06:48 AM

Quote:

it's not so much if encryption is safe but what kind of encryption you use and how strong that encryption is. Cipher and length of the key are both important parts and if you use a strong cipher and large key

This is not a bad short summary.
There is a lot(!) of info on the web about this.
I would also highly recommend learning the difference between 'encryption' and 'hashing'.
Passwords are (usually) stored via hashing not encryption...

You may well come across refs to 'gpg'; the manual is here https://www.gnupg.org/documentation/manuals/gnupg/

This is a very readable book on the history of encryption http://simonsingh.net/books/the-code-book/the-book/

HTH

syg00 03-24-2017 07:01 AM

The spooks have always had the means. Now any dogsbody can spin up a 50,000 core image from amazon (or google, or M$oft, or IBM, or ...) and have at attacking.
Encryption is no longer a bank vault, but merely a locked gate.

ntubski 03-24-2017 08:43 AM

Quote:

Originally Posted by syg00 (Post 5687676)
Now any dogsbody can spin up a 50,000 core image from amazon (or google, or M$oft, or IBM, or ...) and have at attacking.
Encryption is no longer a bank vault, but merely a locked gate.

Unless you are talking about keys based on weak passwords, this is false. Brute forcing an AES 128 key requires more energy than boiling all the water on the planet. http://eprint.iacr.org/2013/635.pdf

273 03-24-2017 08:55 AM

I'm always confused by people wanting encryption that the government can't crack. In the UK there is now a law which effectively means life in prison if encryption keys, passwords or whatever are not handed over and the US government has this place they call "Gitmo" for people who do things like encrypting data and wearing Casio watches.
Then there's keeping things safe from corporations. Are your holiday snaps really worth $20K of computing time to a corporation?
Encryption, like locking one's front door, is a mix of symbolism, practicality and the backing of the rule of law. Movie studios, for example, use CSS because it allows them to have the government prosecute anybody breaking it and force them to pay millions in restitution yet CSS is barely encryption.

So, that out of the way, as above it depends upon key length -- the various prime-number based encryption algorithms still prove largely uncrackable with current technology and means but the devil is in the detail of how they're used.

sundialsvcs 03-24-2017 09:11 AM

The ciphers and digest-algorithms and related security infrastructures, such as OpenVPN, ipsec, TLS (formerly SSL), SSH, GPG/PGP, OpenSSL, and so on that we use are entirely open, public, and thoroughly understood. They are fairly-constantly being "peer reviewed" by experts – including the NSA – to understand precisely how secure they might be. It is a world-wide, international effort.

(The NSA contributed to the design of the original "DES" algorithm by supplying the "S-box" tables. They said it was important to use them but didn't say why. Some people suspected that it might be part of a "back door." But later civilian research "discovered" differential cryptography, and from this they understood the reason for NSA's design: it was a defense. Once the technique became public knowledge, the NSA acknowledged that this was the secret that they had been keeping, and they contributed some of what they knew and had known about the attack.)

Although we do not know everything that "spooks" know about crypto algorithms, it is understood that even the general public needs, and is entitled to have, "strong encryption." And the algorithms and infrastructures we use "are believed to be" very strong. (You'll never hear a cryptologist saying that any such thing is certain.)

I flatly recommend that you use a publicly available, well-known infrastructure, and be very careful to use it in the right way. These packages take care of the entire process: encryption, certificate/key management, pseudo-random number generation, message integrity, sender verification, and so on. "The whole shinola," and we know that they work. You won't get "better security" by rolling your own solution, much less by trying to create your own cipher algorithm. Encryption is only as strong as its weakest link, and these packages provide all the links.

Yes, "use GPG." The right way. For secure communication, "use OpenVPN." The right way. Trust these packages to take care of the technology side of it, while you focus on the human side of it.

syg00 03-24-2017 05:43 PM

most-common-passwords-of-2016
How much confidence does that give anyone re the general level of pass{word,phrase} strength ?.

ntubski 03-24-2017 06:42 PM

Quote:

Originally Posted by syg00 (Post 5687911)
most-common-passwords-of-2016
How much confidence does that give anyone re the general level of pass{word,phrase} strength ?.

Quote:

Nearly 17 percent of people are safeguarding their accounts with “123456.”

That confirms that humans are horrible at choosing passphrases. You don't need 50,000 cores to crack "123456". This is not really about encryption.

ondoho 03-25-2017 01:39 AM

Quote:

Originally Posted by syg00 (Post 5687911)

wow.
that list is really appalling.
i know that a large part of it is factory-preset, so the user never actually chose that password, but i never heard of a factory preset "qwerty" password.
people are 1D10Ts.
also nr. 21 - wtf?

but, how did nr.s 20 and 22 get in there?:scratch:

273 03-25-2017 02:27 AM

Quote:

Originally Posted by ondoho (Post 5688002)
but, how did nr.s 20 and 22 get in there?:scratch:

May I make a guess that you're not from a predominantly English speaking country?
They're from the qwerty keyboard layout so popular amongst English typing countries.

ondoho 03-25-2017 04:16 AM

Quote:

Originally Posted by 273 (Post 5688014)
May I make a guess that you're not from a predominantly English speaking country?
They're from the qwerty keyboard layout so popular amongst English typing countries.

my bad, i can reproduce nr. 22, but nr. 20:
Code:

3rjs1la7qe
where does that come from?

syg00 03-25-2017 04:37 AM

Read the notes at the beginning of the article.

GazL 03-25-2017 04:59 AM

Quote:

Originally Posted by ondoho (Post 5688029)
my bad, i can reproduce nr. 22, but nr. 20:
Code:

3rjs1la7qe
where does that come from?

This article speculates that they are from the accounts of automated forum spam-bots:
https://www.tripwire.com/state-of-se...ular-password/

Seems plausible.

sundialsvcs 03-25-2017 10:22 AM

Pragmatically speaking, if you [merely] encrypt your data with any sort of "password," that data is not adequately protected. There is simply not enough entropy in a password. We already have pre-computed rainbow tables for every word in the Oxford English Dictionary, and hundreds of other word-collections, 1nc1ud1ng 3v3ry "l33t-sp34k" v4r14t10n th3r30f.

You need to safeguard it with a truly random key, thousands of bits long. (4096 bits is the current suggestion.)

You can then, if you wish, encrypt the key to make it more difficult to use the key if stolen.

Remember that the German Enigma machine appeared to be impregnable, and, if you tried to roll through all possible combinations even today, it would take a very long time. But the system was broken – rapidly enough and regularly enough to provide timely operational intelligence – using no [known ...] computing equipment; only tabulators and Rube Goldberg devices. They cracked the indicator system, and exploited both operator error and human nature.

Hence, my recommendation to use a well-known encryption suite, taking care to use it in the "right" way. The source code has been studied to death; the algorithms and methods are well-studied and understood; there are no secrets. "We believe that" they are more-than secure enough for any civilian application (and, quite a few low-grade military ones) when used in the "right" way.

But ... you are the weak link ... you, and everyone else who rightfully touches that data and/or legitimately uses that system. And your perception that the system is secure – if that perception is unfounded – is the weakest link of all. Security is a process, of which strong encryption suites are only one small but vital part.
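The arithmetic behind the posts above on 50,000 cores, "123456" and truly random keys, as an added example that is not any poster's code: it estimates the guessing work for a secret and converts it to time. The guess rate, the five-word list, the sample passwords and the l33t variant model are assumptions made for illustration.

```python
import math
import secrets

# Assumed attacker budget (illustrative, not measured): the thread's 50,000
# cores, each generously credited with 1e9 guesses per second.
GUESSES_PER_SEC = 50_000 * 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample wordlist; real guessing lists hold millions of entries.
WORDLIST = {"123456", "password", "qwerty", "letmein", "dragon"}
# Common "l33t" substitutions mapped back to plain letters.
DELEET = str.maketrans("013457$@", "oieastsa")
# Character classes and their pool sizes (33 = ASCII punctuation plus space).
CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: not c.isalnum(), 33))


def charset_bits(secret: str) -> float:
    """Upper bound: length * log2(size of the character pool in use)."""
    pool = sum(n for test, n in CLASSES if any(test(c) for c in secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def effective_bits(secret: str) -> float:
    """Work factor against a guesser who tries the wordlist first."""
    plain = secret.lower()
    if {plain, plain.translate(DELEET)} & WORDLIST:
        # Assumed variant model: each character is either substituted or
        # not, so every dictionary word costs at most 2**len(word) guesses.
        return math.log2(len(WORDLIST)) + len(secret)
    return charset_bits(secret)


def years_to_exhaust(bits: float) -> float:
    """Years to try every value of a `bits`-bit space at GUESSES_PER_SEC."""
    return 2.0 ** bits / GUESSES_PER_SEC / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("123456", "p4ssw0rd", "k7qz2mfx9b"):  # constructed samples
        bits = effective_bits(pw)
        print(f"{pw!r:14} {bits:6.1f} bits  {years_to_exhaust(bits):.2e} years")
    key = secrets.token_bytes(16)  # truly random 128-bit key
    bits = 8 * len(key)
    print(f"{'random key':14} {bits:6.1f} bits  {years_to_exhaust(bits):.2e} years")
```

The model counts raw guesses only; a slow key-derivation function in front of the password lowers the guess rate but does not add entropy to the password itself.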


All times are GMT -5.