Going overboard on data security

17 Replies - 1965 Views - Last Post: 24 February 2014 - 08:17 AM

#1 The_Programmer-

Posted 30 January 2014 - 01:44 PM

Does anyone tend to overdo it when it comes to securing your data? I have a 16GB flash drive and I made an encrypted file with a 50 character long password with random words and numbers. I won't tell you how it was encrypted, but it is encrypted with three algorithms. I then use 3 key files on top of that... I definitely went overboard...
Is This A Good Question/Topic? 0

Replies To: Going overboard on data security

#2 no2pencil

Posted 30 January 2014 - 01:45 PM

I don't. I use default passwords in production.
Was This Post Helpful? 5

#3 modi123_1

Posted 30 January 2014 - 01:47 PM

It depends on the data which, in turn, determines how lopsided the pyramid is.

Posted Image
Was This Post Helpful? 1

#4 supersloth

Posted 30 January 2014 - 04:47 PM

that's a lot of work to hide your hentai from mom.
Was This Post Helpful? 11

#5 The_Programmer-

Posted 30 January 2014 - 04:55 PM

Lol. I store my programming projects and random anime episodes on it :P
Was This Post Helpful? 0

#6 supersloth

Posted 30 January 2014 - 05:00 PM

"random anime episodes"
Was This Post Helpful? 11

#7 laytonsdad

Posted 30 January 2014 - 05:16 PM

Quote

I have a 16GB flash drive and I made an encrypted file with a 50 character long password with random words and numbers. I won't tell you how it was encrypted, but it is encrypted with three algorithms. I then use 3 key files on top of that

I expected some vital military coordinates with this one.
Was This Post Helpful? 0

#8 no2pencil

Posted 30 January 2014 - 05:29 PM

supersloth, on 30 January 2014 - 07:00 PM, said:

"random anime episodes"


Posted Image
Was This Post Helpful? 1

#9 jon.kiparsky

Posted 31 January 2014 - 04:16 PM

Quote

I won't tell you how it was encrypted, but it is encrypted with three algorithms


Word to the wise: if you're not comfortable revealing the mode(s) of encryption, you're probably doing it wrong.
Was This Post Helpful? 2

#10 The_Programmer-

Posted 31 January 2014 - 06:29 PM

jon.kiparsky, on 31 January 2014 - 03:16 PM, said:

Quote

I won't tell you how it was encrypted, but it is encrypted with three algorithms


Word to the wise: if you're not comfortable revealing the mode(s) of encryption, you're probably doing it wrong.

How is that so? If they know the algorithms I use, shouldn't it be easier to decrypt?
Was This Post Helpful? 0

#11 Ticon

Posted 31 January 2014 - 07:40 PM

Don't quote me on this because I'm not a security expert, but I believe AES is currently uncrackable. To brute force it is the only known way that I'm aware of, and that would take far too long.

I do remember something about a weakness found in AES that allowed brute forcing to go faster by about 30%, but the time it takes to brute force it is still way too long.
Was This Post Helpful? 0

#12 jon.kiparsky

Posted 31 January 2014 - 09:39 PM

The_Programmer-, on 31 January 2014 - 08:29 PM, said:

jon.kiparsky, on 31 January 2014 - 03:16 PM, said:

Quote

I won't tell you how it was encrypted, but it is encrypted with three algorithms


Word to the wise: if you're not comfortable revealing the mode(s) of encryption, you're probably doing it wrong.

How is that so? If they know the algorithms I use, shouldn't it be easier to decrypt?



No. The first and most fundamental rule of cryptography is, never rely on obscurity. You should assume that your attacker knows how the material was encrypted, and the only thing that you should rely on keeping secret is the key used to encrypt it (or, in a public-key system, the key that can be used to decrypt it). There are a few good reasons for this. The simplest one to get your head around is simply that it's very easy to discover what your encryption technique was. This is quite hard to hide - I suppose if you're in your room encrypting one thing one time (say, hiding your prons from your mum) then it's a little tricky, but most of the time you have to make the information public so that people can use your software.
Good encryption depends on strong math. If you use a credible algorithm, and you deploy it correctly, then breaking it depends on someone having a lot of computing resources to devote to the problem.

Interestingly, one of the issues in deploying an algorithm correctly is that it's possible for some combinations of algorithms to find that you actually make it easier to crack by applying encryption over encryption. This would come about if your encryption techniques created regularities that the cracker could detect.

The math here is beastly complicated, and I'm very much a novice at it myself, but it's actually something you can understand with a bit of work. A lot of it is number theory, which is itself wicked cool. There's an interesting book from Springer called Elementary Number Theory, Cryptography, and Codes. It'll probably be a little over your head, but that's cool: it'll show you which way is up, which is a start. The more fundamental elements of number theory are covered in any number of Discrete Math textbooks, and there are also a number of good introductory books on number theory out there, both in print and on line. If you're actually interested in the topic of crypto, follow some of these leads and then work through Dan Boneh's course on Coursera. It won't be easy, but you'll learn a lot, which is always fun.

Ticon, on 31 January 2014 - 09:40 PM, said:

Don't quote me on this because I'm not a security expert, but I believe AES is currently uncrackable. To brute force it is the only known way that I'm aware of, and that would take far too long.

I do remember something about a weakness found in AES that allowed brute forcing to go faster by about 30%, but the time it takes to brute force it is still way too long.


Nothing is uncrackable except an actual one-time pad, which is not used (for the simple reason that your key is as long as the text, so you need to be able to transmit the key securely to the other party - and if you can do that, you might as well just hand them your secret messages at the same time). The question is, how long does it take to crack it? The analogy to use is a bicycle lock: you want to make it more difficult than it's worth to crack your stuff. More than that is a waste of resources. It's also useful to park your bike near similarly valuable bikes with weaker locks on them. :)
Was This Post Helpful? 2
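
An added illustration of the layering point in post #12, not code from any poster: three layers of a toy affine byte cipher with independent keys turn out to equal one layer with one key, so the stack adds no key space. The cipher is an assumption chosen because it composes into itself (the thread never says which algorithms were used), and all names and sample values are constructed.

```python
# Added illustration, not code from the thread. Toy cipher only: NOT secure.
from itertools import product

M = 256  # operate on single bytes

def affine_encrypt(data, key):
    """One toy layer: c = (a*p + b) mod 256; a must be odd to be invertible."""
    a, b = key
    if a % 2 == 0:
        raise ValueError("a must be odd")
    return bytes((a * p + b) % M for p in data)

def affine_decrypt(data, key):
    a, b = key
    a_inv = pow(a, -1, M)  # modular inverse (Python 3.8+)
    return bytes((a_inv * (c - b)) % M for c in data)

def cascade_encrypt(data, keys):
    """Apply every layer in order, each with its own independent key."""
    for key in keys:
        data = affine_encrypt(data, key)
    return data

def collapse(keys):
    """Fold the whole stack into the one equivalent single-layer key."""
    a, b = 1, 0
    for a_i, b_i in keys:
        a, b = (a_i * a) % M, (a_i * b + b_i) % M
    return a, b

def single_layer_search(plain, cipher):
    """Try only the 128 * 256 keys of ONE layer against a known plaintext."""
    for key in product(range(1, M, 2), range(M)):
        if affine_encrypt(plain, key) == cipher:
            return key
    return None

# Constructed sample data: three independent keys, one short message.
KEYS = [(5, 17), (91, 200), (173, 3)]
MSG = b"project notes v1"

if __name__ == "__main__":
    ct = cascade_encrypt(MSG, KEYS)
    print("collapsed key:", collapse(KEYS))
    print("found by one-layer search:", single_layer_search(MSG, ct))
    print("decrypts with one key:", affine_decrypt(ct, collapse(KEYS)) == MSG)
```

The collapse happens because these toy layers form a group under composition; whether stacking helps always depends on how the specific ciphers interact.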

#13 macosxnerd101

Posted 31 January 2014 - 10:30 PM

Quote

Don't quote me on this because I'm not a security expert, but I believe AES is currently uncrackable. To brute force it is the only known way that I'm aware of, and that would take far too long.

AES is powerful, but still breakable. It's a symmetric key cryptosystem rather than a public-key cryptosystem. RSA is the current standard. Elliptic curve cryptosystems are stronger, but patents are one barrier preventing them from replacing RSA. Actually, RSA is patented, but the patent owners opened it up to the public.

Really, the creators of RSA patented Fermat's Little Theorem and the Euclidean Algorithm.

Quote

The math here is beastly complicated

RSA is actually quite simple. ECC on the other hand, is more complicated. And actually, AES is a lot more complicated than RSA. It's interesting that such a simple cryptosystem as RSA is so powerful.
Was This Post Helpful? 0

#14 Skydiver

Posted 02 February 2014 - 07:23 PM

jon.kiparsky, on 31 January 2014 - 11:39 PM, said:

Nothing is uncrackable except an actual one-time pad, which is not used (for the simple reason that your key is as long as the text, so you need to be able to transmit the key securely to the other party - and if you can do that, you might as well just hand them your secret messages at the same time). The question is, how long does it take to crack it? The analogy to use is a bicycle lock: you want to make it more difficult than it's worth to crack your stuff. More than that is a waste of resources. It's also useful to park your bike near similarly valuable bikes with weaker locks on them. :)


Off topic:

A pair of bolt cutters, or a thermos full of liquid nitrogen and a big hammer make great cracking tools because they attack the crypto system by thinking outside the box, and are a lot less suspicious than somebody standing around spending a lot of time fiddling with bike locks. Then, there is also rubber hose cryptanalysis... :)

Back on topic:
jon.kiparsky actually makes a good point, that you shouldn't rely on obscurity for the strength of your crypto system. What is strange, though, is that even though the security community accepts this truism, notice that most organizations still consider it a mistake to even give away that information to the enemy. You want the enemy to first waste time and resources figuring out which cryptosystem is being used before they spend time focusing on attacks on that system.
Was This Post Helpful? 0

#15 Skydiver

Posted 02 February 2014 - 07:37 PM

And on ECCs: Are the NIST Standard Elliptic Curves Back-doored?
Was This Post Helpful? 1