There are two main uses for encryption:
- Encrypting your files to prevent snoops from looking at them. Snoops can look at your files without knowing
your login password by booting with an Ubuntu Linux CD (Compact Disk) and
examining your files, bypassing Windows and its passwords. Possible tools to encrypt (scramble) your files
include:
- Microsoft Encrypt available in right click properties.
- Bundled encryption software such as Acer e-Protect.
- Commercial file encryption software. There are dozens of choices. I have no experience with them.
Keep in mind none of them will stop the IRS (Internal Revenue Service), FBI (Federal Bureau of Investigation), CIA (Central Intelligence Agency), KGB (Komitet Gosudarstvennoy Bezopasnosti (Russian CIA)), Mosad etc. These are designed to stop
individual snoops.
Beware! If you lose your password, there is no way ever to get your files back.
- Encoding messages in ways so that people snooping on them won’t be able to make sense of them.
Depending on who the spies are that you are trying to defeat, you use increasing strength of encryption. The stronger the encryption the more onerous it is to use, and the more
computing power it requires to encode and decode the messages. Ways of encrypting include:
- XORing with a key phrase. This is relatively trivial to crack, but keeps out casual prying eyes.
- DES (Data Encryption Standard). This is fast, but can be easily cracked by all US government agencies.
- RSA (Rivest, Shamir and Adelman). 40-bit can be fairly easily cracked. 1024-bit or higher would require secret special-purpose
hardware that presumably the CIA has. The Transporter supports
up to 4096-bit enryption, but is suitable only for short messages because it
is so slow at decrypting.
- One time pad. This is in theory uncrackable, but has the problem of needing to distribute one-use-only
keys just as large as the messages ahead of time. I have written a Pascal implementation. If you are working at this level of security, you
must write your own program to be sure it contains no trojans.See the
One time pad uncrackable encryption student project.
- JCE (Java Cryptography Extension) supports a number of different algorithms from 40 to 2048 bits. The
more bits, the more secure, but the more CPU (Central Processing Unit) time needed to encryt and decrypt. You use the generic
javax.crypto.Cipher class both to encrypt and decrypt the message. You use the
javax.crypto.KeyGenerator class to generate random numbers to use as keys.
- AES (Advanced Encryption Standard) : Advanced Encryption Standard as specified by NIST (National Institute of Standards and Technology) in a draft FIPS (Federal Information Processing Standard). Based on the Rijndael algorithm
by Joan Daemen and Vincent Rijmen, AES is a 128-bit block cipher supporting keys of 128, 192, and
256 bits.
- Blowfish: 56 bits. The block cipher designed by Bruce Schneier.
- DES : 56 bits. The Digital Encryption Standard as described in FIPS PUB
46-2.
- DESede: 112 bits. Triple DES Encryption (DES-EDE).
- PBE (Password Based Encryption) : PBE algorithm (defined as part of the PKCS (Public-Key Cryptography Standards) #5 standard), defines how some other alogrithm can get its its key.
It derives the encryption key from a passphrase. It is not an enryption algorithm on its own.
- RC2, RC4, and RC5: Variable-key-size (32 .. 160-bit) encryption
algorithms developed by Ron Rivest for RSA Data Security, Inc.
- RSA: The RSA encryption algorithm as defined in PKCS #1. Public/private key.
- HMAC-MD5, HMAC-SHA1 : 64 bits.
- Diffie-Hellman : 1024 bits.
These techniques are often combined, e.g. public/private key (which is slow) used to exchange a fast DES, or
HMAC-SHA1 for authentication combined with AES for encryption.
For email signing and encryption, the two most common schemes are PGP often used
with Eudora, and smime often used with MS Outlook.
Encryption algorithm work on blocks, usually of some power of 2, e.g. 256 bits. If
your message is not a multiple of that size, you need to pad it, and when you decrypt it, discard the excess.
That is handled automatically when you select a JCE padding algorithm such as: ISO10126Padding, PKCS1Padding,
PKCS5Padding…
The blocking algorithm handles breaking the messages into fixed size pieces for encryption and joining the
pieces again on decryption such as: CBC (Cipher Block Chaining mode), PCBC, CFB (Cipher Feedback mode), OFB…
For data that only has to be protected until 2010, 1024 bits should suffice. For data that has to remain secret after that, you need 2048 bits.
The Downside of Any Encryption
Using any sort of encryption flags to the attention of snoopers that you
are trying to hide something. They can then bring in their experts and
computers to crack the code. There is a whole field called steganography
about how to hide information in images, e.g. porn, which gets lost in
the torrents of images flying over the net. Even the tiniest error in the
program or use of it greatly simplifies their task. The security of
Windows is so weak, it is trivial for criminal or government agencies to install a
keystroke logger than looks at everything you type before you encrypt it.
Today, with massive wiretapping by the government, your only hope is in sending messages that
have perfectly innocuous meaning that don’t trip any filters.
You should be thinking of encryption as a way of deterring non-Fortune 500 competitors, wives, children and
employees. You will probably just give yourself a false sense of security and raise he-might-be-a-terrorist flags with militaries and governments.
The cleverer your security, the bigger the alarm you set off.
Circa 1985, a company gave a presentation
to our Apples BC Computer club on some encryption software. They
explained how it would take hundreds of thousands of years to crack the
lock. I broke it in a few minutes by going around the lock and
using the fact that deleted files on the Apple ][ were not really deleted,
something the programmers had inadvertently overlooked. No matter how strong your lock
is, clever people will find ways to bypass it. There is not much point in
building ever stronger locks without simultaneously studying the devious
ways to bypass them.
Learning More
Oracle’s Technote Guide on
AlgorithmParameterGenerator names : available:
Oracle’s Technote Guide on
CertificateFactory names : available:
Oracle’s Technote Guide on
CertPathBuilder Algorithm names : available:
Oracle’s Technote Guide on
CertPathEncodings names : available:
Oracle’s Technote Guide on
CertPathValidator names : available:
Oracle’s Technote Guide on
CertStore Type names : available:
Oracle’s Technote Guide on
Cipher Blocking Algorithm names : available:
Oracle’s Technote Guide on
Cipher Padding Algorithm names : available:
Oracle’s Technote Guide on
KeyAgreement Algorithm names : available:
Oracle’s Technote Guide on
KeyFactory Algorithm names : available:
Oracle’s Technote Guide on
KeyGenerator Algorithm names : available:
Oracle’s Technote Guide on
KeyPairGenerator Algorithm names : available:
Oracle’s Technote Guide on
KeyStore Type names : available:
Oracle’s Technote Guide on
Mac Algorithm names : available:
Oracle’s Technote Guide on
MessageDigest Algorithm names : available:
Oracle’s Technote Guide on
Signature Algorithm names : available:
Oracle’s Technote Guide on
XMLSignature Algorithm names : available:
Oracle’s Technote Guide on
Other JCE : available: