
verolom

join:2002-03-23
Reston, VA

reply to nixen

Re: Not a bad idea anyway

There is such a notion of security through obscurity. If it takes time to decrypt a bunch of files and only a few of them are of interest, it will be hard to find them and the entity looking might lose interest or not be able to look at that many files. Now, without encryption, it is very easy to find them.


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

said by verolom:

There is such a notion of security through obscurity.
Technically, not really "security through obscurity".

said by verolom:

If it takes time to decrypt a bunch of files and only a few of them are of interest, it will be hard to find them and the entity looking might lose interest or not be able to look at that many files. Now, without encryption, it is very easy to find them.
The computers at the disposal of those who have access to your records can make relatively short work of your encryption. This is particularly so if you don't use a unique encryption per file. That is, once they break your encryption key(s), busting the rest of your data is relatively trivial.

-tom
--
"Some people have morals, standards and ideals about quality, but I'm an American: I couldn't care less." --Tony Pierce (paraphrased)


vpoko
Premium
join:2003-07-03
Boston, MA

said by nixen:

said by verolom:

There is such a notion of security through obscurity.
Technically, not really "security through obscurity".

said by verolom:

If it takes time to decrypt a bunch of files and only a few of them are of interest, it will be hard to find them and the entity looking might lose interest or not be able to look at that many files. Now, without encryption, it is very easy to find them.
The computers at the disposal of those who have access to your records can make relatively short work of your encryption. This is particularly so if you don't use a unique encryption per file. That is, once they break your encryption key(s), busting the rest of your data is relatively trivial.

-tom
Are you saying that commercial, strong-key encryption is trivial to break? I'm not challenging you, I only have cursory knowledge of cryptology, but I thought we have algorithms that are (at least today) pretty secure.


firefox
Premium
join:2000-12-03
San Jose, CA

reply to verolom

said by verolom:

There is such a notion of security through obscurity....
I thought "security through obscurity" was one of the tenets of what not to follow. I'm sure I heard that from a seminar a few years back.


vpoko
Premium
join:2003-07-03
Boston, MA

said by firefox:

said by verolom:

There is such a notion of security through obscurity....
I thought "security through obscurity" was one of the tenets of what not to follow. I'm sure I heard that from a seminar a few years back.
I think it's the only security you can hope for against the government's ever-prying eyes.


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

reply to vpoko

said by vpoko:

Are you saying that commercial, strong-key encryption is trivial to break? I'm not challenging you, I only have cursory knowledge of cryptology, but I thought we have algorithms that are (at least today) pretty secure.
No, what I am saying is, if you use the same set of encryption keys/algorithms to protect all of your files, once that set of keys is broken, unlocking the rest of your files is relatively trivial (relative to breaking the original key).

As to the "pretty secure", you gotta realize just how much computing horsepower that the government lets the public know about (just look at the "top 500", some time, and see how many are .gov or .mil owned or sponsored sites). It's fairly safe to assume, given the huge black budgets there are, that more exists (and is kept secret for a reason).

-tom
--
"Some people have morals, standards and ideals about quality, but I'm an American: I couldn't care less." --Tony Pierce (paraphrased)
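
The key-reuse point in the post above, as an added example that is not part of the original thread: it compares how many files one leaked key opens when every file shares a key versus when each file gets its own key derived with HKDF. The function names, the sample files and the HMAC-based keystream (standing in for AES, which Python's standard library lacks) are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ZERO_SALT = b"\x00" * 32

def hkdf_sha256(key: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes):
    """Encrypt-then-MAC under `key` with a fresh nonce (illustrative cipher)."""
    nonce = os.urandom(16)
    stream = hkdf_sha256(key, nonce, b"enc", len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    mac_key = hkdf_sha256(key, nonce, b"mac", 32)
    return nonce, body, hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(key: bytes, record):
    """Return the plaintext, or None if `key` is not the key for this record."""
    nonce, body, tag = record
    mac_key = hkdf_sha256(key, nonce, b"mac", 32)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hkdf_sha256(key, nonce, b"enc", len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

# Constructed sample files, not data from the thread.
FILES = {"taxes.txt": b"sample A", "notes.txt": b"sample B", "letter.txt": b"sample C"}

def build_store(master: bytes, per_file: bool):
    """Encrypt FILES with one shared key, or with a key derived per file name."""
    store, keys = {}, {}
    for name, data in FILES.items():
        keys[name] = hkdf_sha256(master, ZERO_SALT, name.encode(), 32) if per_file else master
        store[name] = seal(keys[name], data)
    return store, keys

def exposed_by(leaked_key: bytes, store) -> list:
    """Names of the files that a single leaked key can open."""
    return sorted(n for n, rec in store.items() if unseal(leaked_key, rec) is not None)
```

Per-file keys limit what one recovered file key opens; because they are derived from the master secret here, recovering that master secret still opens everything.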

cbiggers

join:2000-08-10
San Luis Obispo, CA

said by nixen:

As to the "pretty secure", you gotta realize just how much computing horsepower that the government lets the public know about (just look at the "top 500", some time, and see how many are .gov or .mil owned or sponsored sites). It's fairly safe to assume, given the huge black budgets there are, that more exists (and is kept secret for a reason).

-tom
However, as long as you use a security model that is not flawed to begin with, not even the government can brute force it at this time. It's just not plausible. Here is a quote about AES, which is what the US Government currently uses for the most part:

Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks might be found and that, if so, the cipher could be broken. In this meaning, a cryptographic "break" is anything faster than an exhaustive search, so an attack against 128-bit key AES requiring 'only' 2^120 operations would be considered a break even though it would be, now, quite infeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For the moment, such concerns can be ignored. The largest publicly-known brute-force attack has been against a 64 bit RC5 key by distributed.net (finishing in 2002; Moore's Law implies that this is roughly equivalent to an attack on a 66-bit key today).

So yeah, I wouldn't worry about encryption being broken yet.
