Uses of Encryption
There are two main uses for encryption:
- Encrypting your files to prevent snoops from looking at them. Snoops can look
at your files without knowing your login password by booting from an Ubuntu Linux CD (Compact Disc) or USB stick and examining the disk directly, bypassing Windows and its
passwords. Whole-disk encryption (e.g. BitLocker) closes this hole more completely than per-file encryption, because it also covers the swap, temp and hibernation files that per-file tools leave in the clear. Possible tools to encrypt (scramble) your files include:
  - Microsoft Encrypt (EFS), available in right click Properties.
  - Bundled encryption software such as Acer e-Protect.
  - Commercial file encryption software. There are dozens of choices. I have
no experience with them. Keep in mind none of them will stop the
IRS (Internal Revenue Service), FBI (Federal Bureau of Investigation),
CIA (Central Intelligence Agency), KGB (Komitet Gosudarstvennoy Bezopasnosti (Soviet CIA)),
Mossad etc. These are designed to stop
  Beware! If you lose your password, there is no way ever to get your files
- Encoding messages in ways so that people snooping on them won’t be able
to make sense of them. Depending on who the spies are that you are trying to
defeat, you use increasing strength of encryption. The
stronger the encryption the more onerous it is to use and the more computing power
it requires to encode and decode the messages. Ways of encrypting include:
  - XORing with a key phrase. This is relatively trivial to crack (a few bytes of
known or guessed plaintext XORed with the ciphertext give away the key phrase), but keeps
out casual prying eyes.
  - DES (Data Encryption Standard). This is fast, but its 56-bit key has been
brute-forced with purpose-built hardware since 1998 and can be cracked today by anyone
with modest resources, not just government agencies.
  - RSA (Rivest, Shamir and Adleman). Short keys are easily cracked: 512-bit moduli
have been factored publicly and 1024-bit keys are no longer recommended. Larger keys
would require special-purpose hardware that presumably the
has. The Transporter supports up to 4096-bit encryption, but is suitable only for short messages
because it is so slow at decrypting. In practice RSA is used only to encrypt a short symmetric key, never the message itself.
  - One time pad. This is in theory uncrackable, but has the problem of needing
to distribute one-use-only keys just as large as the messages ahead of time, and every
key must be truly random and never reused, or the security vanishes. I
have written a Pascal
implementation. If you are working at this level of security, you must
write your own program to be sure it contains no Trojans. See the One time pad uncrackable
encryption student project.
  - JCE (Java Cryptography Extension) supports a number
of different algorithms with key sizes from 40 bits up to several thousand bits. Within
one algorithm, the more bits the more secure (key sizes are not comparable across
algorithms: 256-bit AES is far stronger than 2048-bit RSA), but the more CPU (Central Processing Unit)
time needed to encrypt and decrypt. You use the generic javax.crypto.Cipher class both to encrypt and decrypt the
message. You use the javax.crypto.KeyGenerator
class to generate random secret keys for symmetric algorithms and java.security.KeyPairGenerator
for public/private key pairs. Both draw on java.security.SecureRandom; never build a key
from java.util.Random, whose output is predictable. Algorithms include:
    - AES (Advanced Encryption Standard): Advanced Encryption Standard as specified by
NIST (National Institute of Standards and Technology) in FIPS (Federal Information Processing Standard)
197, final since 2001. Based on the
Rijndael algorithm by Joan Daemen and Vincent Rijmen,
it is a 128-bit block cipher supporting keys of 128, 192 and 256 bits. This is the
symmetric cipher to use for new work.
    - Blowfish: 64-bit block, variable key from 32 to 448 bits. The block cipher designed by
    - DES: 56 bits. The Data
Encryption Standard as described in FIPS
    - DESede: 112 bits effective (168-bit key). Triple
    - PBE (Password Based Encryption): PBE
algorithm (defined as part of the PKCS (Public-Key Cryptography Standards)
#5 standard), defines how some other algorithm can get its key. It derives
the encryption key from a passphrase, a random salt and a large iteration count, the
last two to make guessing the passphrase slow. It is not an encryption algorithm on
    - RC2, RC4 and RC5: Variable-key-size encryption algorithms developed by Ron Rivest for
RSA Data Security, Inc. RC4 is a stream cipher and is now considered broken; all three are obsolete.
    - RSA: The RSA
encryption algorithm as defined in PKCS
#1. Public/private key. Use it with OAEP padding; the older PKCS1Padding (PKCS #1 v1.5) has known
padding-oracle attacks.
    - HMAC-MD5, HMAC-SHA1: message authentication codes, not ciphers, with 128- and
160-bit outputs respectively. They detect tampering; they do not hide anything. Prefer HmacSHA256 today.
    - Diffie-Hellman: 1024 bits. Key agreement, not encryption: two parties derive a shared
secret key over an insecure channel, then use it with a symmetric cipher.
  - HTTPS/SSL: a way of encrypting a binary TCP/IP (Transmission Control Protocol/Internet Protocol)
stream over the Internet (SSL has been superseded by TLS, Transport Layer Security, but the
name stuck). I have noticed that server after server is
converting from HTTP (Hypertext Transfer Protocol)
to HTTPS (Hypertext Transfer Protocol over SSL (Secure Socket Layer)).
It requires the server to have a certificate, which once had to be bought but is now
available free from public certificate authorities. Typically a 128- or 256-bit symmetric
session key, negotiated using the certificate's 2048-bit RSA (or elliptic curve) key.
Block ciphers work on fixed-size blocks: 64 bits for DES and Blowfish, 128 bits for AES. If your
message is not a multiple of that size, it must be padded before encryption and the padding
discarded after decryption. That is handled automatically when you select a JCE
padding algorithm such as ISO10126Padding, PKCS5Padding… PKCS1Padding and OAEP are RSA
paddings, a different thing: they randomize the short message before the public-key
operation, and RSA without them is insecure.
These techniques are often combined, e.g. public/private key (which is slow)
used to exchange a fast symmetric key such as DES (today AES), or HMAC-SHA1 for authentication combined with
For email signing and encryption, the two most common schemes are PGP, often used with Thunderbird, and S/MIME, often used with MS
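The combination just described, slow public-key cryptography used only to carry a fast symmetric session key, as an added example written for this page (it is not the Transporter's code, nor anything from the original page). It uses only the JDK's standard SunJCE/SunRsaSign providers: RSA with OAEP padding wraps a fresh 256-bit AES key, and AES in GCM mode encrypts the message and authenticates it, so any bit flipped in transit is detected before a single byte of plaintext is returned. The class and method names, the 3072-bit key size and the sample message are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hybrid encryption with the standard JCE providers: RSA-OAEP wraps a fresh
 *  AES session key, AES-GCM encrypts (and authenticates) the message itself. */
public class HybridEnvelope {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_TAG_BITS = 128;
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** One sealed message: the wrapped session key, the GCM nonce and ciphertext||tag. */
    static final class Envelope {
        final byte[] wrappedKey, nonce, ciphertext;
        Envelope(byte[] w, byte[] n, byte[] c) { wrappedKey = w; nonce = n; ciphertext = c; }
    }

    /** Sender: needs only the recipient's public key. */
    static Envelope seal(PublicKey recipient, byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                                 // fresh 256-bit session key per message
        SecretKey session = kg.generateKey();

        byte[] nonce = new byte[12];                  // 96-bit GCM nonce; must never repeat under one key
        RNG.nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ciphertext = aes.doFinal(plaintext);   // ciphertext followed by the 16-byte auth tag

        Cipher rsa = Cipher.getInstance(RSA_OAEP);    // the slow public-key step runs once, on 32 bytes
        rsa.init(Cipher.WRAP_MODE, recipient);
        return new Envelope(rsa.wrap(session), nonce, ciphertext);
    }

    /** Recipient: unwraps the session key with the private key, then decrypts.
     *  Throws AEADBadTagException if ciphertext, nonce or tag were altered. */
    static byte[] open(PrivateKey priv, Envelope env) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, priv);
        SecretKey session = (SecretKey) rsa.unwrap(env.wrappedKey, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, env.nonce));
        return aes.doFinal(env.ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);                         // 2048 is today's minimum; 3072 for longer-lived data
        KeyPair recipient = kpg.generateKeyPair();

        // Constructed sample message; long messages cost only AES time, the RSA cost is fixed.
        byte[] msg = "Meet at 09:00, bring the drawings.".getBytes(StandardCharsets.UTF_8);
        Envelope env = seal(recipient.getPublic(), msg);
        System.out.println("wrapped key " + env.wrappedKey.length + " bytes, ciphertext+tag "
                + env.ciphertext.length + " bytes");
        byte[] back = open(recipient.getPrivate(), env);
        System.out.println("round trip ok: " + Arrays.equals(msg, back));

        byte[] tampered = env.ciphertext.clone();
        tampered[0] ^= 0x01;                          // flip one bit of the ciphertext in transit
        try {
            open(recipient.getPrivate(), new Envelope(env.wrappedKey, env.nonce, tampered));
            System.out.println("BUG: tampering not detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, nothing decrypted");
        }
    }
}
```

The nonce and wrapped key travel in the clear alongside the ciphertext; neither is secret. What must never happen is reusing a nonce with the same AES key, which is why the example generates a new session key per message rather than caching one.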
The mode of operation handles applying the cipher to a message longer than one block,
chaining the blocks on encryption and unchaining them on decryption. JCE mode names include
ECB (Electronic Codebook, which encrypts each block independently, so identical plaintext blocks
give identical ciphertext blocks; avoid it), CBC (Cipher Block Chaining mode), PCBC,
CFB (Cipher Feedback mode), OFB… and, in current JDKs, GCM, which also authenticates the data.
CBC, CFB and OFB need a fresh random IV (initialization vector) for every message, sent along with
the ciphertext; GCM needs a nonce that is never repeated under the same key. Unless the mode
authenticates (GCM), compute a MAC over the IV and ciphertext too and check it before decrypting,
or an attacker can alter the ciphertext undetected and, with CBC padding, use the decryptor's
error messages as a padding oracle.
On key sizes for RSA and Diffie-Hellman: 1024 bits was once thought to suffice for data that only
had to be protected until 2010, but NIST disallowed 1024-bit RSA for new use after 2013. Use
2048 bits as the minimum and 3072 bits for data that must remain secret beyond 2030. For
symmetric ciphers 128-bit AES is adequate and 256-bit AES leaves a comfortable margin.
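An added example, written for this page rather than taken from it, of the padding, mode, IV and MAC points above in one place, using only the standard JDK providers: the key comes from a passphrase via PBKDF2 (the PKCS #5 PBE described above), the message is encrypted with AES/CBC/PKCS5Padding so a 17-byte plaintext visibly grows to 32 bytes of ciphertext, and an HMAC-SHA256 over salt, IV and ciphertext is checked in constant time before anything is decrypted (encrypt-then-MAC). The blob layout, the iteration count, the class and method names and the sample passphrase and message are this example's own assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Passphrase-based AES-CBC with PKCS#5 padding and an HMAC checked before decryption. */
public class PassphraseCbcHmac {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int BLOCK = 16;         // AES block size in bytes
    private static final int SALT_LEN = 16, TAG_LEN = 32;
    private static final int ITERATIONS = 600_000;   // slows down passphrase guessing

    /** PBKDF2 yields 512 bits; the first 256 become the AES key, the rest the HMAC key. */
    static SecretKey[] deriveKeys(char[] passphrase, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] material = f.generateSecret(new PBEKeySpec(passphrase, salt, ITERATIONS, 512)).getEncoded();
        SecretKey enc = new SecretKeySpec(material, 0, 32, "AES");
        SecretKey mac = new SecretKeySpec(material, 32, 32, "HmacSHA256");
        Arrays.fill(material, (byte) 0);          // do not leave key material lying around
        return new SecretKey[] { enc, mac };
    }

    static byte[] hmac(SecretKey key, byte[] salt, byte[] iv, byte[] ct) throws Exception {
        Mac h = Mac.getInstance("HmacSHA256");
        h.init(key);
        h.update(salt); h.update(iv); h.update(ct);   // MAC covers everything the receiver trusts
        return h.doFinal();
    }

    /** Output layout: salt(16) || iv(16) || ciphertext(multiple of 16) || tag(32). */
    static byte[] seal(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN]; RNG.nextBytes(salt);
        byte[] iv = new byte[BLOCK];      RNG.nextBytes(iv);   // fresh IV per message
        SecretKey[] k = deriveKeys(passphrase, salt);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k[0], new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);         // padding appended automatically
        byte[] tag = hmac(k[1], salt, iv, ct);
        return ByteBuffer.allocate(SALT_LEN + BLOCK + ct.length + TAG_LEN)
                .put(salt).put(iv).put(ct).put(tag).array();
    }

    static byte[] open(char[] passphrase, byte[] blob) throws Exception {
        if (blob.length < SALT_LEN + BLOCK + BLOCK + TAG_LEN || (blob.length - SALT_LEN - BLOCK - TAG_LEN) % BLOCK != 0) {
            throw new SecurityException("malformed blob");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + BLOCK);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + BLOCK, blob.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - TAG_LEN, blob.length);
        SecretKey[] k = deriveKeys(passphrase, salt);
        // Constant-time compare, and refuse before decrypting: no padding oracle to exploit.
        if (!MessageDigest.isEqual(tag, hmac(k[1], salt, iv, ct))) {
            throw new SecurityException("MAC mismatch: wrong passphrase or tampered data");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k[0], new IvParameterSpec(iv));
        return c.doFinal(ct);                     // padding stripped automatically
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();     // constructed sample
        byte[] msg = "Seventeen bytes!!".getBytes(StandardCharsets.UTF_8);   // 17 bytes
        byte[] blob = seal(pw, msg);
        int ctLen = blob.length - SALT_LEN - BLOCK - TAG_LEN;
        System.out.println("plaintext " + msg.length + " bytes -> ciphertext " + ctLen + " bytes (padded to 32)");
        System.out.println("decrypted: " + new String(open(pw, blob), StandardCharsets.UTF_8));

        blob[SALT_LEN + BLOCK + 8] ^= 0x01;       // flip one bit inside the ciphertext
        try {
            open(pw, blob);
            System.out.println("BUG: tampering not detected");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Splitting one PBKDF2 output into separate encryption and MAC keys avoids using the same key for two purposes; the salt is stored with the ciphertext because the receiver needs it to re-derive the keys, and it is covered by the MAC so it cannot be swapped either.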
The Downside of Any Encryption
A large enough quantum computer running Shor’s algorithm factors integers and takes discrete
logarithms efficiently, which would break RSA, Diffie-Hellman and elliptic-curve cryptography
outright. Against symmetric ciphers and hashes it only gets Grover’s algorithm, which halves the
effective key length, so AES-256 stays out of reach. I
suspect encryption, except one-time pads, will have to be revamped or abandoned to
stay ahead. This is going to create a massive social problem and open astounding
Using any sort of encryption flags to snoopers that you are
trying to hide something. They can then bring in their experts and computers to crack
the code. There is a whole field called steganography about how to hide information
in images, e.g. porn, which gets lost in the torrents of images flying over the net.
Even the tiniest error in the program, or in the way it is used, greatly simplifies their task. The
security of Windows is so weak that it is trivial for criminal or government agencies to
install a keystroke logger that looks at everything you type before you encrypt it.
Today, with massive wiretapping by the government, your only hope is in sending
messages that have perfectly innocuous meaning and don’t trip any filters.
You should be thinking of encryption as a way of deterring non-Fortune
500 competitors, wives, children and employees. You will
probably just give yourself a false sense of security and raise
he-might-be-a-terrorist flags with militaries and governments. The cleverer your
security, the bigger the alarm you set off.
Circa 1985, a company gave a presentation to our Apples
BC Computer club on some encryption software. They explained how it would take
hundreds of thousands of years to crack the lock. I broke it in a few minutes by
going around the lock and using the fact that deleted files on the
Apple ][ were not really deleted, something the programmers had inadvertently
overlooked. No matter how strong your lock is, clever people will find ways to bypass
it. There is not much point in building ever stronger locks without simultaneously
studying the devious ways to bypass them.
Techniques for cracking encryption include:
- Guessing passwords built from the victim’s passions, pets and relatives.
- Guessing from a popular password list.
- Looking for passwords on slips of paper in a desk or in books.
- Look for passwords in files.
- Look in the swap file or hibernate file. The OS (Operating System)
copies RAM (Random Access Memory)
to disk and does not erase it when an encryption program finishes.
- Rig the computer with a hardware or software keystroke logger.
- Analyse a video and sound of the user keying the password. People type
different letters at different speeds.
- Write a counterfeit encryption program that solicits the password then
crashes, hiding the password away for the cracker or
sending it to him over the net.
- Using a supercomputer or large bank of conscripted PCs (Personal Computers)
to crack the code.
- Don’t bother to crack the code. Use a hidden camera or digital logger to
record the sensitive data displayed on the screen.
- Use a Trojan to commandeer the webcam and spy.
Vernam one-time pads of true random numbers XORed with messages are provably
uncrackable, at least by examining the exchanged messages. I will be releasing an
implementation suitable for dummies soon, with source so you can check yourself for
Quantum techniques are coming for detecting eavesdroppers on optical
Nothing else is uncrackable, just difficult or time-consuming to crack. If you are
doing something you don’t want the FBI
Pentagon, NSA (National Security Agency)
etc. to see, you should not be using crackable encryption techniques such as
Even uncrackable software is vulnerable to hacking into either the sending or
receiving computer, or to snooping on the clear text version of the data.
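An added example, written for this page and not the author’s Pascal or forthcoming implementation, that puts the XOR-with-a-key-phrase item and the one-time pad item side by side. The same one-line XOR routine serves as both: with a short phrase cycled over the message it falls to a known-plaintext guess of a few bytes, with a SecureRandom pad as long as the message and used once it is the Vernam cipher, and the third part shows why "one-time" is not optional: encrypting a second message under the same pad cancels the pad out and exposes the second message to anyone who knows the first. The sample messages and key phrase are constructed for the example.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.SecureRandom;
import java.util.Arrays;

/** The same XOR primitive as a weak "key phrase" cipher and as a Vernam one-time pad. */
public class XorVersusOneTimePad {

    /** XOR data with key, cycling the key when it is shorter. Encrypts and decrypts alike. */
    static byte[] xor(byte[] data, byte[] key) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ key[i % key.length]);
        }
        return out;
    }

    /** Known-plaintext attack on a repeating key phrase: if the attacker knows or guesses
     *  the first keyLen plaintext bytes (a greeting, a file header), XORing them with the
     *  ciphertext yields the key phrase, and the whole message falls. */
    static byte[] recoverKey(byte[] ciphertext, byte[] knownPrefix, int keyLen) {
        byte[] key = new byte[keyLen];
        for (int i = 0; i < keyLen; i++) {
            key[i] = (byte) (ciphertext[i] ^ knownPrefix[i]);
        }
        return key;
    }

    /** A one-time pad: truly random, as long as the message, used exactly once. */
    static byte[] freshPad(int length) {
        byte[] pad = new byte[length];
        new SecureRandom().nextBytes(pad);   // never java.util.Random: its output is predictable
        return pad;
    }

    public static void main(String[] args) {
        // Constructed sample messages.
        byte[] m1 = "Dear Bob, the merger closes Friday.".getBytes(UTF_8);   // 35 bytes
        byte[] m2 = "Dear Eve, the merger is off, sell.".getBytes(UTF_8);    // 34 bytes

        // 1. Key phrase cycled over the message: looks scrambled, but the key is only 9 bytes.
        byte[] phrase = "swordfish".getBytes(UTF_8);
        byte[] c1 = xor(m1, phrase);
        // The attacker guesses the letter opens with "Dear Bob," and tries key length 9
        // (a real attacker simply tries every small key length in turn).
        byte[] guess = recoverKey(c1, "Dear Bob,".getBytes(UTF_8), 9);
        System.out.println("recovered key phrase: " + new String(guess, UTF_8));
        System.out.println("recovered message:    " + new String(xor(c1, guess), UTF_8));

        // 2. One-time pad: without the pad, every 35-byte plaintext is equally likely.
        byte[] pad = freshPad(m1.length);
        byte[] c2 = xor(m1, pad);
        System.out.println("pad round trip ok:    " + Arrays.equals(m1, xor(c2, pad)));

        // 3. Reuse the pad for m2 and the pads cancel: c3 XOR c2 = m2 XOR m1, so an
        //    attacker who knows m1 reads m2 with no key at all.
        byte[] c3 = xor(m2, pad);                 // WRONG: same pad used a second time
        byte[] leak = xor(c3, c2);                // = m2 XOR m1 (m2 is the shorter message)
        System.out.println("m2 from pad reuse:    " + new String(xor(leak, m1), UTF_8));
    }
}
```

Part 3 is the trap that turns a one-time pad into a weak cipher in practice, and it is the same flaw as reusing an IV or nonce with a stream mode such as OFB, CTR or GCM: the keystream cancels and the plaintexts leak against each other.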
It gets a bit annoying knowing that Obama, Harper and the CEO (Chief Executive Officer) of nearly every
corporation believe that it is completely proper for them to spy on ordinary citizens
who pose no security risk, mostly people who merely disagree with them.
What can you do to make life awkward for them, but not miserable enough for them
to torture or assassinate you?
- Encrypt all email, especially email that is not in the least secret. If they
must spy, make them work to find what they want.
- Use long encryption key lengths, or even better, one-time pad encryption.
- Avoid the most popular OSes, namely Windows and Ubuntu. Because they are so
well studied, these are easiest for spies to corrupt.
- Do anything that deserves to be kept secret on a machine without an Internet attachment,
without WiFi (Wireless Fidelity) and without any other sort of communications
- Put that computer with peripherals in a Faraday cage.
Oracle’s Technote Guide on AlgorithmParameterGenerator names
Oracle’s Technote Guide on CertificateFactory names
Oracle’s Technote Guide on CertPathBuilder Algorithm names
Oracle’s Technote Guide on CertPathEncodings names
Oracle’s Technote Guide on CertPathValidator names
Oracle’s Technote Guide on CertStore Type names
Oracle’s Technote Guide on Cipher Blocking Algorithm names
Oracle’s Technote Guide on Cipher Padding Algorithm names
Oracle’s Technote Guide on KeyAgreement Algorithm names
Oracle’s Technote Guide on KeyFactory Algorithm names
Oracle’s Technote Guide on KeyGenerator Algorithm names
Oracle’s Technote Guide on KeyPairGenerator Algorithm names
Oracle’s Technote Guide on KeyStore Type names
Oracle’s Technote Guide on Mac Algorithm names
Oracle’s Technote Guide on MessageDigest Algorithm names
Oracle’s Technote Guide on Signature Algorithm names
Oracle’s Technote Guide on XMLSignature Algorithm names
Oracle’s Technote Guide on Other JCE