Encryption/decryption

posted on Oct, 3 2011 @ 08:30 PM
Hello,
I had a bit of an argument with a friend of mine last night.

He claims that encryption doesn't really work since the one (or they) who came up with the specific encryption standard would know how to decipher it since they programmed it.

Now, this doesn't make a whole lot of sense to me since this would render the whole thing meaningless.
I also mentioned the private/public key system, but he kept saying that "it wasn't private because the one who invented the standard would know the key" which, to me, infers that he doesn't really understand how it works.

In specific we were arguing about a VPN solution. My question is:
How does in fact a VPN solution work? What is the key used? Is it the current date or time and if so, does this change for each request?

I suppose the actual IP address of the servers/routers you are going through wouldn't be encrypted because otherwise the client/server wouldn't know where to send the request?




posted on Oct, 3 2011 @ 08:37 PM
Let's just say, if they made it, they can break it. The normal person who doesn't know how to decrypt it, won't have a clue how to decrypt it. But, given to the right person can be cracked within minutes. That's the whole point of security. Oh, and they do have decryption software out there. Won't be that hard to decrypt.
edit on 3-10-2011 by Manhater because: (no reason given)



posted on Oct, 3 2011 @ 08:44 PM
Unless you have coded weak crypto or put some kind of intentional backdoor into an encryption scheme the creator shouldn't be able to magically crack anything encrypted with it, to think so is uninformed foolishness. That being said there is always the traditional brute force approach which is seriously time and resource intensive when dealing with bigtime encryption like AES, on the order of thousands of years to brute force.



posted on Oct, 3 2011 @ 08:53 PM

Originally posted by Helig
Unless you have coded weak crypto or put some kind of intentional backdoor into an encryption scheme the creator shouldn't be able to magically crack anything encrypted with it, to think so is uninformed foolishness. That being said there is always the traditional brute force approach which is seriously time and resource intensive when dealing with bigtime encryption like AES, on the order of thousands of years to brute force.



Even brute force techniques are far from being able to break modern encryption, 128-bit takes about one month to break a single key. By the time one key had been broken they would have used at least 28 different keys over the month (assuming the key is changed once per day), in most cases each transmission uses a unique key so the possibility of breaking the key for a series of encryptions (as in multiple E-mails) increases exponentially.



posted on Oct, 3 2011 @ 09:05 PM

I suppose the actual IP address of the servers/routers you are going through wouldn't be encrypted because otherwise the client/server wouldn't know where to send the request?




Somewhat correct, the header section of each packet is not encrypted but the data contained is. This allows the information to be passed along traditional means (ie not dedicated secure lines) the cloud aka the "internet". This is commonly referred to as "tunneling" as the receiver and sender use the common internet but the data contained is tunneled through the internet using the encrypted tunnel tech.

Even the military uses the tunneling tech on the regular internet for TOPSECRET/SCI information....it really is that secure. The military does not use public/private key although, they use 256-bit predetermined shared keys, only available to those who should be privy to the information being passed, known as cryptography keys, which are very carefully guarded and accounted for.

How do I know this...well I was an EKMS (electronic key management system) manager for the military, nothing I have said here however is classified.



posted on Oct, 3 2011 @ 09:18 PM
Let's not let bit-size get confused with overall strength because it would be a disservice to everyone to let that kind of myth be perpetuated. WEP (Wired Equivalent Privacy) even at 128 bit can be compromised with readily available tools in under 2.5 minutes provided a good enough signal to the target access point. The real strength of any encryption standard is in the math going on behind the scenes, not the number associated with it.



posted on Oct, 3 2011 @ 10:39 PM
reply to post by Taz2122
 


What your friend is talking about is a backdoor.

If encryption was programmed like your friend thinks it is, then yes, they would be right. The problem is, that's not how good encryption programs are made. That's only how bad ones are made, and your friend would be right about those and would be smart not to use them.

But how are the good ones made? The first thing to realize is they're not made by just one person. You typically have a couple thousand people working on it to make sure there's no flaw. If someone finds one, they'll toss the algorithm and make another one.

Hardly ever does a single person sit down and write a good encryption program. It just doesn't happen and it's just too hard for a single person to do well. You need many smart people to attack the problem different ways to make sure it's safe. Unless they're just copying what someone else has already done before.

Good encryption programs are based on well known math equations that are well understood years before anyone ever sits down and starts coding the encryption program itself. In other words, they usually don't even start coding it until they're sure it'll be safe as long as they code it a certain way.

Only then do they start coding the encryption program. This is called the implementation. But with that many people working on it, how do you keep the secret, secret?

It's actually easier than you think. They use a trick. They just leave the secret out of the program entirely. In other words, they basically never finish the program. They leave the most important part, undone. There is no secret.

The key is the secret, and the key fills in that blank spot in the program and modifies how the encryption program works. It isn't generated until after the program has been created. Then the user, once he has the program generates his key. This makes his program work differently than everyone else's version of the program.

So, you could say abstractly that everyone is actually using a different program. So the only one that knows the secret is you.

Once the program is finished you'll have thousands of people running billions or even trillions of tests against the "implementation" with different keys to see if there's a flaw. Basically what they're looking for is a flaw that could give away the secret somehow. Sometimes there is a flaw and they have to fix it or start over.

But encryption has been around a long time and that means there's lots of implementations out there that have been fixed and heavily stress tested and held up against attacks for years and years and years. So, you can generally trust those to a high degree.

But remember, basically the trick is, the program was never really finished. The program doesn't have the last piece it needs to work. You, the user, generate a random key and then finish the program yourself. You do this by plugging the key in and the rest of the program is generated from that. Then yours will work different than everyone else's does.

That's why the guy that made it can't guess your secret. Because he leaves it up to you to finish how the program works and he has no idea what key you used to finish it.

Each VPN has its own key that's generated randomly by whoever owns the VPN.
edit on 3-10-2011 by tinfoilman because: (no reason given)
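
The "key is the secret" point above, together with the earlier remarks in this thread that packet headers stay readable and that encrypting the same data twice gives different output, can be shown in a short added example (not code from any poster). The SHA-256 counter-mode keystream is a stand-in assumption for a vetted cipher such as AES, and the addresses, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and authentication keys from the one secret.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (assumption): SHA-256 in counter mode, published in full here.
    blocks = [hashlib.sha256(enc_key + nonce + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Return header (cleartext) + fresh nonce + encrypted payload + tag."""
    nonce = os.urandom(NONCE_LEN)  # new for every packet
    stream = _keystream(_subkey(key, b"enc"), nonce, len(payload))
    body = bytes(p ^ s for p, s in zip(payload, stream))
    tag = hmac.new(_subkey(key, b"mac"), header + nonce + body,
                   hashlib.sha256).digest()
    return header + nonce + body + tag

def open_packet(key: bytes, packet: bytes, header_len: int):
    """Return the payload, or None if the key is wrong or the packet was altered."""
    if len(packet) < header_len + NONCE_LEN + TAG_LEN:
        return None
    header = packet[:header_len]
    nonce = packet[header_len:header_len + NONCE_LEN]
    body = packet[header_len + NONCE_LEN:-TAG_LEN]
    expected = hmac.new(_subkey(key, b"mac"), header + nonce + body,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(packet[-TAG_LEN:], expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def demo() -> dict:
    header = b"SRC=192.0.2.10 DST=198.51.100.7 "  # constructed routing header
    payload = b"GET /payroll.xls"                  # constructed tunnel data
    owner_key = os.urandom(32)    # generated by whoever runs the VPN
    author_key = os.urandom(32)   # the algorithm's author has only a guess
    first = seal(owner_key, header, payload)
    second = seal(owner_key, header, payload)
    tampered = b"SRC=192.0.2.99" + first[14:]      # header changed in transit
    n = len(header)
    return {
        "header_readable": first.startswith(header),
        "payload_hidden": payload not in first,
        "same_input_differs": first != second,
        "owner_reads": open_packet(owner_key, first, n) == payload,
        "author_reads": open_packet(author_key, first, n) is not None,
        "tamper_accepted": open_packet(owner_key, tampered, n) is not None,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Everything except `owner_key` is public in this example, including the full source of the algorithm; the author's guess at the key and the altered header are both rejected.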




posted on Oct, 4 2011 @ 12:05 AM

He claims that encryption doesn't really work since the one (or they) who came up with the specific encryption standard would know how to decipher it since they programmed it.


True, in a sense. If the algorithm is closed-source.. meaning only the creator has the source code available to view, then who knows what kind of automagic decryption backdoor has been added.

On the other hand, most of the best encryption/hashing implementations are in fact open-source, which means the code is published under a public license (most likely BSD or GPL).

When a program is open-source, anyone can view and inspect the source code. While it is possible to add backdoors into plain sight code. It's a very complex one to achieve. And almost got pulled off in the OpenBSD project by supposed ex/fbi employee: www.theregister.co.uk...

Just think how small of a community OpenBSD (you might not even have heard of it before :lol:) is when compared to operating systems such as GNU/Linux, FreeBSD, Windows, OS X... you'd wonder why they would target one of the smallest distros out there?

However, OpenBSD is still very much more secure than popular OS such as Windows or Mac OS X will ever be. God knows what Windows contains in terms of hidden backdoors.

It goes the same for all software, whether it's an encryption tool or not. If there is no public source code available, it is very hard to understand if the program is actually doing what it says. This is the general rule.

But as far as encryption goes, if it's possible to smuggle complex/obfuscated code in plain sight, IN AN OPEN SOURCE PROJECT! in order to create a backdoor... who's to say it can't be done in something as strong/popular as the AES algorithm.

Personally when it comes to disk/file encryption, if you want to play it safe... then crypt your disks with '512-bit aes-cbc-essiv' which is basically military grade encryption, and use blowfish passwords for user accounts. I can guarantee nobody will crack it within your lifetime unless of course, AES has a weakness built into it (hint hint, NSA).



posted on Oct, 4 2011 @ 12:09 AM
I have come to like using JPEGs with a pixel or two with encrypted data within them....

on the surface nobody can tell there is anything else but the picture...



posted on Oct, 4 2011 @ 12:54 AM

Originally posted by Taz2122

In specific we were arguing about a VPN solution. My question is:
How does in fact a VPN solution work? What is the key used? Is it the current date or time and if so, does this change for each request?

I suppose the actual IP address of the servers/routers you are going through wouldn't be encrypted because otherwise the client/server wouldn't know where to send the request?




Have a look at this: en.wikipedia.org...

I'll admit I don't know the full process of securing a VPN tunnel, but it does involve authentication via password/username (most of the time), followed by some form of handshake in which only you can connect to the VPN, rather than your ISP also connect, and monitor/decrypt your traffic.

Traffic is encrypted, before being sent to your ISP, in turn it creates a tunnel between the VPN server, and your computer (which your ISP cannot know what data is being sent/received). Thus the VPN relays data between you, and a web server.

The only data your ISP could see is a garbled (encrypted) spam of random text with a destination being your VPN.



posted on Oct, 4 2011 @ 01:08 AM
Google can help you a lot you know.

MD5 Encryption Wiki Link

Read the link and you will know more, your friend thinks every letter will get their own unique string? That would be hacked within a week!

Test, encrypt the same file (copy) twice and compare the strings, they're not even the same.



posted on Oct, 4 2011 @ 03:18 PM
reply to post by Chamberf=6
 


what does that accomplish?

how would you use something like this?



posted on Oct, 4 2011 @ 11:31 PM
About 20 years back, law enforcement people and all those 3 letter agencies were starting to have major problems intercepting and monitoring web-based communications between 'persons of interest' like drug & weapons traffickers, terrorist cells and the like due to the evolution of publicly available encryption software (eg PGP, Blowfish etc) which could be freely and anonymously downloaded by anyone on the planet. It led to a campaign at the highest levels of those agencies and government for all such software schemes to be legally required to build in a 'law enforcement backdoor' to free up resources that were being employed to brute-force those ever stronger cyphers.

I've never seen any public announcement indicating that they got what they wanted but their silence on the subject and abrupt change of posture suggests they did ultimately get what they campaigned for IE a backdoor into any downloadable scheme plus a restriction on the 'export' of encryption software beyond nominated cypher strengths. Maybe ensuring they could use Crays or whatever to brute-force their way into communications of interest to them in the absence of backdoors which would be the case with weaker versions of encryption software released prior to the campaign for easy access.

I'm not really into conspiracies but my view is 'if it can be made, it can be broken' so it's just a matter of resources and determination to circumvent any encryption. Not that I have any communications worthy of encryption which is the main reason I don't use any.



posted on Oct, 4 2011 @ 11:45 PM
reply to post by Spiramirabilis
 


Embedding data or text into digital picture files has been around for quite some time and it's called 'Steganography', done by 'modulating' pixels of an existing picture file to store a binary representation of the 'secret' data which can be encrypted before embedding to make it even more secure. If done right the embedded data can be made to look like random noise making it virtually undetectable to all but the most determined investigator but the major give-away can be the size of the picture file vs the resolution if too much is hidden in there.

A good example of 'hidden in plain sight'
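
The pixel "modulation" described above, as an added example that is not part of the original post: it stores a message in the least significant bit of each sample and shows that no sample changes by more than 1. It assumes raw 8-bit grayscale samples (a constructed 64x64 gradient, not a real JPEG) and a hypothetical 4-byte length prefix so the reader knows where the message ends.

```python
LEN_PREFIX = 4  # bytes; hypothetical framing chosen for this example

def capacity_bytes(cover: bytes) -> int:
    """Largest message that fits at one bit per sample, after the length prefix."""
    return max(len(cover) // 8 - LEN_PREFIX, 0)

def embed(cover: bytes, message: bytes) -> bytes:
    """Overwrite the lowest bit of successive samples with the framed message."""
    if len(message) > capacity_bytes(cover):
        raise ValueError("message does not fit in this cover")
    framed = len(message).to_bytes(LEN_PREFIX, "big") + message
    out = bytearray(cover)
    pos = 0
    for byte in framed:
        for shift in range(7, -1, -1):          # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)

def _read(samples: bytes, start_bit: int, nbytes: int) -> bytes:
    """Rebuild nbytes from the lowest bits, starting at sample start_bit."""
    data = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[start_bit + 8 * b + i] & 1)
        data.append(value)
    return bytes(data)

def extract(stego: bytes) -> bytes:
    """Recover the message; reject a length prefix that cannot be real."""
    if len(stego) < 8 * LEN_PREFIX:
        raise ValueError("too short to hold a length prefix")
    length = int.from_bytes(_read(stego, 0, LEN_PREFIX), "big")
    if length > capacity_bytes(stego):
        raise ValueError("no plausible embedded message")
    return _read(stego, 8 * LEN_PREFIX, length)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference: what a viewer would have to notice."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def demo() -> dict:
    # Constructed cover: 64x64 grayscale gradient, one byte per pixel.
    cover = bytes((x + y) % 256 for y in range(64) for x in range(64))
    message = b"constructed test message"
    stego = embed(cover, message)
    return {
        "recovered": extract(stego),
        "same_size": len(stego) == len(cover),
        "max_change": max_sample_change(cover, stego),
        "capacity": capacity_bytes(cover),
    }

if __name__ == "__main__":
    print(demo())
```

This works only on uncompressed samples; lossy re-encoding such as saving as JPEG rewrites the low bits and destroys the message.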



posted on Oct, 5 2011 @ 12:00 AM

Originally posted by Pilgrum
About 20 years back, law enforcement people and all those 3 letter agencies were starting to have major problems intercepting and monitoring web-based communications between 'persons of interest' like drug & weapons traffickers, terrorist cells and the like due to the evolution of publicly available encryption software (eg PGP, Blowfish etc) which could be freely and anonymously downloaded by anyone on the planet. It led to a campaign at the highest levels of those agencies and government for all such software schemes to be legally required to build in a 'law enforcement backdoor' to free up resources that were being employed to brute-force those ever stronger cyphers.

I've never seen any public announcement indicating that they got what they wanted but their silence on the subject and abrupt change of posture suggests they did ultimately get what they campaigned for IE a backdoor into any downloadable scheme plus a restriction on the 'export' of encryption software beyond nominated cypher strengths. Maybe ensuring they could use Crays or whatever to brute-force their way into communications of interest to them in the absence of backdoors which would be the case with weaker versions of encryption software released prior to the campaign for easy access.

I'm not really into conspiracies but my view is 'if it can be made, it can be broken' so it's just a matter of resources and determination to circumvent any encryption. Not that I have any communications worthy of encryption which is the main reason I don't use any.


They never really got what they wanted because the coders just said, nope not doing it. And anyone that did add it, everyone stopped using it and started using ones that didn't have a backdoor. If you're really worried about it, I can recode another AES implementation or whatever just for you if you want, with no backdoor in it.

If you're even more paranoid than that, you could eventually learn how to do it yourself. That's why it never worked. These encryption methods are standardized. Anyone can turn around and just make their own based on the standard and that doesn't have the backdoor in it.

I'll give you an analogy to cars. It's like if they added a tracking GPS to every single car at the factory. So, I said, well screw that, I'll just build my own car then, the way I want it. That's what the programmers did. They just said F it, we'll write our own versions then with no back doors. You can do that with software. It's harder to build your own car, and even if you did, would they let you drive it?

But they're trying to stop that too. That's why all the new devices like tablets have #ty keyboards so you can't easily learn to code on em and what they call "app" stores. Instead of getting software from wherever you want or making it yourself, you have to buy their software from their "app store" and companies like Apple say what's allowed in their store and then they can mandate that everything has a backdoor.

Same thing with this cloud storage service. Basically what a "cloud" is, is just someone else's hard drive. Instead of storing stuff on your computer, you store it on theirs on the network. Now you can access your files anywhere? Great right? Just one problem, it's not your drive. It's theirs. That means they have control now.

They can censor you by saying what you can and can't upload to your cloud if they want, spy on everything you upload, and who knows what. My advice is just get your own hard drive.




edit on 5-10-2011 by tinfoilman because: (no reason given)




posted on Oct, 5 2011 @ 12:07 AM
reply to post by Pilgrum
 


:-)

Pilgrum - thank you much

that was a perfect explanation

I have questions - but it's late and I'm too stupid to ask them correctly

so I'll be back

thanks again - and goodnight



posted on Oct, 5 2011 @ 05:08 AM


But they're trying to stop that too. That's why all the new devices like tablets have #ty keyboards so you can't easily learn to code on em and what they call "app" stores. Instead of getting software from wherever you want or making it yourself, you have to buy their software from their "app store" and companies like Apple say what's allowed in their store and then they can mandate that everything has a backdoor.

That is the most bizarre conspiracy theory I've read on here. Crab keyboards to stop people programming? AppStore conspiracies? What the hell?



posted on Oct, 5 2011 @ 06:36 AM
For every encryption system out there there is a team at NSA working to break it. (Signals Intelligence Directorate (SID))

The NSA even has teams working to break US government encryption codes to make sure no one else can break them. (Information Assurance Directorate (IAD))

en.wikipedia.org...

NSA by law cannot spy on Americans in the US BUT if the Americans are outside the US or communicating with someone outside the US they can and do spy on them.

The NSA also by law can do code decryption on Americans for other agencies like the FBI or homeland security.

If you try to bring into or take out of the US a computer with encrypted data homeland security can seize the computer and turn the encrypted data over to the NSA to break.
If the FBI seizes a computer during an arrest or investigation and it has encrypted data they also can turn the data over to NSA for breaking.

The DEA can turn any encrypted data found during an investigation over to the NSA no matter if it's found in or outside the US. The NSA routinely does taps and ELINT on the Mexican drug cartels in and outside of Mexico (US???). You will never hear about most of this in any US court as coming from the NSA, but some DEA agent will in court claim he got the information by other means. (The Mexican cartels likely have shot more than a few of their own as informers not knowing that it was NSA ELINT that was the source.)
In some cases just using an encryption system from an unusual place in Mexico may trigger a look by the DEA.
edit on 5-10-2011 by ANNED because: (no reason given)



posted on Oct, 5 2011 @ 07:12 AM
Thanks guys/gals fer clearing up this issue for me.

Incidentally, I checked out TrueCrypt mentioned in this thread. Marvellous piece of software, highly recommended.

*back to the lab*



posted on Oct, 5 2011 @ 09:09 PM
reply to post by Pilgrum
 



Embedding data or text into digital picture files has been around for quite some time and it's called 'Steganography...


wonderful - I love this - I have an almost unnatural love of Photoshop. I'm an artist - and the idea of art and messages being hidden inside art and messages is almost enough to give me a creative seizure

what I was initially wondering was - is this something that can be used for more nefarious purposes? Trojan horses - key-loggers? Having been on the receiving end of this sort of thing - and not really understanding how all this works - I was reading through the thread and several people mentioned creating backdoors - kinda got me thinking


