Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
About ten years ago the general view was that encryption was safe and not easily "crackable" if at all (taking a very long processing time on "super computer"). The latest reported "attacks" by the Russians on the Democratic Party in the US seems to raise the proposition that these government agencies now have the "tools" necessary to easily decipher encrypted data like encrypted Emails.
Can anyone give an experienced view on the subject? I suspect the views will still be varied but if there is a majority for a particular view, that is the important thing since these agencies keep their ability or the lack of it secret.
I think it's not so much if encryption is safe but what kind of encryption you use and how strong that encryption is. Cipher and length of the key are both important parts and if you use a strong cipher and large key. Most things that are broken are from week ciphers and short/week keys. For example most people use week passwords thus making it easy for their encryption to be broken.
Mind you I'm not an expert but believe this is the reason why encryption is broken.
it's not so much if encryption is safe but what kind of encryption you use and how strong that encryption is. Cipher and length of the key are both important parts and if you use a strong cipher and large key
This is not a bad short summary.
There is a lot(!) of info on the web about this.
I would also highly recommend learning the difference between 'encryption' and 'hashing'.
Passwords are (usually) stored via hashing not encryption...
The spooks have always had the means. Now any dogsbody can spin up a 50,000 core image from amazon (or google, or M$oft, or IBM, or ...) and have at attacking.
Encryption is no longer a bank vault, but merely a locked gate.
Now any dogsbody can spin up a 50,000 core image from amazon (or google, or M$oft, or IBM, or ...) and have at attacking.
Encryption is no longer a bank vault, but merely a locked gate.
Unless you are talking about keys based on weak passwords, this is false. Brute forcing an AES 128 key requires more energy than boiling all the water on the planet. http://eprint.iacr.org/2013/635.pdf
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
I'm always confused by people wanting encryption that the government can't crack. In the UK there is now a law which effectively means life in prison if encryption keys, passwords or whatever are not handed over and the US government has this place they call "Gitmo" for people who do things like encrypting data and wearing Casio watches.
Then there's keeping things safe from corporations. Are your holiday snaps really worth $20K of computing time to a corporation?
Encryption, like locking one's front door, is a mix of symbolism, practicality and the backing of the rule of law. Movie studios, for example, use CSS because it allows them to have the government prosecute anybody breaking it and force them to pay millions in restitution yet CSS is barely encryption.
So, that out of the way, as above it depends upon key length -- the various prime-number based encryption algorithms still prove largely uncrackable with current technology and means but the devil is in the detail of how they're used.
Last edited by 273; 03-24-2017 at 08:58 AM.
Reason: auto"correct" issues.
The ciphers and digest-algorithms and related security infrastructures, such as OpenVPN, ipsec, TLS (formerly SSL), SSH, GPG/PGP, OpenSSL, and so on that we use are entirely open, public, and thoroughly understood. They are fairly-constantly being "peer reviewed" by experts – including the NSA – to understand precisely how secure they might be. It is a world-wide, international effort.
(The NSA contributed to the design of the original "DES" algorithm by supplying the "S-box" tables. They said it was important to use them but didn't say why. Some people suspected that it might be part of a "back door." But later civilian research "discovered" differential cryptography, and from this they understood the reason for NSA's design: it was a defense. Once the technique became public knowledge, the NSA acknowledged that this was the secret that they had been keeping, and they contributed some of what they knew and had known about the attack.)
Although we do not know everything that "spooks" know about crypto algorithms, it is understood that even the general public needs, and is entitled to have, "strong encryption." And the algorithms and infrastructures we use "are believed to be" very strong. (You'll never hear a cryptologist saying that any such thing is certain.)
I flatly recommend that you use a publicly available, well-known infrastructure, and be very careful to use it in the right way. These packages take care of the entire process: encryption, certificate/key management, pseudo-random number generation, message integrity, sender verification, and so on. "The whole shinola," and we know that they work. You won't get "better security" by rolling your own solution, much less by trying to create your own cipher algorithm. Encryption is only as strong as its weakest link, and these packages provide all the links.
Yes, "use GPG." The right way. For secure communication, "use OpenVPN." The right way. Trust these packages to take care of the technology side of it, while you focus on the human side of it.
Last edited by sundialsvcs; 03-24-2017 at 09:17 AM.
wow.
that list is really appalling.
i know that a large part of it is factory-preset, so the user never actually chose that password, but i never heard of a factory preset "qwerty" password.
people are 1D10Ts.
also nr. 21 - wtf?
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by ondoho
but, how did nr.s 20 and 22 get in there?
May a make a guess that you're not from a predominantly English speaking country?
They're from the qwerty keyboard layout so popular amongst English typing countries.
May a make a guess that you're not from a predominantly English speaking country?
They're from the qwerty keyboard layout so popular amongst English typing countries.
Pragmatically speaking, if you [merely] encrypt your data with any sort of "password," that data is not adequately protected. There is simply not enough entropy in a password. We already have pre-computed rainbow tables for every word in the Oxford English Dictionary, and hundreds of other word-collections, 1nc1ud1ng 3v3ry "l33t-sp34k" v4r14t10n th3r30f.
You need to safeguard it with a truly random key, thousands of bits long. (4096 bits is the current suggestion.)
You can then, if you wish, encrypt the key to make it more difficult to use the key if stolen.
Remember that the German Enigma machine appeared to be impregnable, and, if you tried to roll through all possible combinations even today, it would take a very long time. But the system was broken – rapidly enough and regularly enough to provide timely operational intelligence – using no [known ...] computing equipment; only tabulators and Rube Goldberg devices. They cracked the indicator system, and exploited both operator error and human nature.
Hence, my recommendation to use a well-known encryption suite, taking care to use it in the "right" way. The source code has been studied to death; the algorithms and methods are well-studied and understood; there are no secrets. "We believe that" they are more-than secure enough for any civilian application (and, quite a few low-grade military ones) when used in the "right" way.
But ... you are the weak link ... you, and everyone else who rightfully touches that data and/or legitimately uses that system. And your perception that the system is secure – if that perception is unfounded – is the weakest link of all. Security is a process, of which strong encryption suites are only one small but vital part.
Last edited by sundialsvcs; 03-25-2017 at 10:28 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
