Friday, August 11, 2006

A concise guide to getting started with encryption.

Find a word that rhymes with "Month"

Presenting the UJ guide to encryption.

Step 1: Why is encryption important?

Encryption has become increasingly important in society, yet very rarely implemented. I find this rather odd considering the high value attached to data today and also the advances in surveillance which make it easier to intercept information.

Head over to http://www.philzimmermann.com. He created PGP (a popular public/private key based encryption program) and fought a legal battle with the US government over it. I recommend reading the section on "Phil's Background" and "Why I wrote PGP" under "Writings on PGP". Unfortunately because his site uses frames it is rather less useful if I link directly to the pages so you'll have to navigate around, but that won't be to difficult for you if your reading this site now will it.

Back to the question, Encryption was created in response to threats of surveillance. It is the result of people not trusting each other (often with good reason) and wanting to keep their communications with specific individuals private.

Governments have great need for such measures and all security is checked very vigorously to prevent, for example, terrorists discovering defence plans. Companies have great need to prevent other corporations discovering their latest innovations. The British Royal Family have need for security, or nosy journalists might hack their phones. As for you and me, we're not terrorists, nor do I suppose your a big shot making millions as the Godfather of some crime syndicate. Yet you may still have a need for encryption.

What would happen if you came across a small email company on the web, created an account and sent a message to a friend with your address or phone number or any other personal details and the person running the site looked at it? Probably nothing, but do they have the right to look? Would you switch services if you knew it was happening? What about if you use spreadsheets or budgeting software and your computer is used by a friend or gets hacked into? What if you want to send an email about who you might vote for?

Encryption is about protecting any data you don't believe is for public eyes.
Here is a quote from Phil Zimmermann's site:

"Perhaps you think your email is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? If you hide your mail inside envelopes, does that mean you must be a subversive or a drug dealer, or maybe a paranoid nut? Do law-abiding citizens have any need to encrypt their email?"

One of the key problems with encryption is its limited usage and the difficulty involved in setting it up and educating others how to decrypt messages and files. But remember: 90% of the population still use IE because it comes with Windows. Democracy works best when people are well education and not apathetic.

The other side to the argument for encryption is that the (UK) government has the power to intercept emails, phone calls, all websites visited, letters and so on.
Encryption allows you to prevent the government from (easily) accessing your private data (which becomes particularly important if you are living under a tyrant or in a place with very few freedoms such as China.)

Step 2: How does encryption work?

Essentially it is the process of altering data to an unrecognisable form whilst allowing the information to be decrypted later.

An excellent explanation is offered here.

It may sound good in principle, but getting it working is slightly harder.

Step 3: What practical uses are there for encryption?

If you've been diligent and followed all the links you will already have some answers.

Here are a few ideas of mine but I'm sure there are others:

  • Email
  • IM security
  • Secure website connections (such as online banking or shopping)
  • Connecting wirelessly to a network
  • Storing confidential information
  • Preventing fraud/phising and so on


I will mostly focus on securing email, instant messaging and confidential information from this point forwards as these are the primary functions of encryption software and the mostly likely tasks for home users. The other uses often require additional hardware, custom built software and more expertise.

Step 4: What software is available for home users and what can it accomplish?

PGP and its non-commerical counterpart GNUPG are very popular and believed to be amongst the most secure encyrption available. This is because they both allow review of the source code and both use trusted alogorithms.

Most other encryption programs are closed source and whilst you may think this offers security, in reality because the code has not been exposed to as many threats, it is often less secure.

The freeware version of PGP (the trialware version reverts to freeware after 30 days)allows individual files, emails and text to be encrypted and is fine for regular usage.

http://www.freebyte.com/security/ has a large list of available alternatives for specific needs (file, disk or email encryption).

I have also found hushmail to be pretty good (however the free service is limited to just 2mb storage). It encrypts and decrpyts all messages using OPEN PGP keys without the user having to do anything.

It isn't only limited to other hushmail users either. Anyone with a (GNU)PGP key can communicate with others using different email services.

Additionally Hushmail has developed an IM client which also uses PGP keys, allowing people to communicate securely. The downside is that only people using Hush messenger can talk to each other.

However if you use GAIM (an open source IM program which supports the MSN, Yahoo, AIM, Jabber, IRC services and a few others), you can download a plugin to encrypt communications between only people who have that same plugin.

At one point there was a project called gaim-e, which was designed to allow OPEN PGP encryption. Sadly the site no longer appears to be maintained.

An alternative plugin is called Gaim Encryption(very original), but it is a solution.

Step 5: So when should I really bother with encryption

Go to any encryption website and they will invariably say "all the time" or "as often as possible". My view is that it is still very inaccessible to normal users and this makes it difficult to use frequently. Projects like Skype have tried to address this by building encryption into the program, however it is closed source.

My advice is to use it as often as you can, but as part of an overall security program. The strength of the encryption is rarely the weakness. Normally a machine is compromised by a keylogger or trojan of some kind, or in very severe cases the equipment is ceased and the hard drives analysed for data. Using a good browser, complex passwords written down somewhere safe, firewall and anti-virus program should keep you protected from most threats. Lastly remember to keep all software up to date and change any default passwords.

Answer: Impossible! No other words in the English language rhyme with it! Another example is "Orange".

Labels:


0 Comments:

Post a Comment

<< Home