We're used to getting a hundred or so responses from the mini-polls we run, but the 383 responses to our recent encryption survey were indicative of just how important this area is to people. In it, we wanted to gauge the gap between aspiration and reality when it comes to encryption – what you think is necessary, versus what …
Perhaps a bit optimistic
In terms of 'Encryption of Data stored on Removable Media' - I'm sure there are policies to do so but I'm equally sure that policing of those policies isn't thorough.
From BBS days to now my thoughts.
I remember back in the days when pgp and encryption seemed to be actively developed and everyone had bluewave and pgp gorilla or the CKT (cyber knight templars) version of pgp. Able to generate 16k RSA/idea keys. Then folks poo pooed the key size. But I am not convinced.
Along comes Y2K And bbs's became scary to operate. Lots of software was laid to waste, and development of encryption was kind of depressed I'd have to say.
Then along comes 911 and now it's clear strong encryption is on the run, from decrypting dvd's to military, to whatever, it's clear the old crap we are using is CRAP.
Where's the 16K AES keys? Moors law on hold thanks to unconstitutional BS targeting American citizens, tapping their comm shops, banks and other private data.
the world has gone to hell in a hand basket, and the even more egregious laws are the final nails in the coffin.
It's long overdue for encryption to be back in the devel target window.
It seems like not even unclassified financial data can't be protected.
There's too may fucking snoops thanks to the oath breakers.
Don't compare Symmetric and Asymmetric Key Lengths
RSA is an asymmetric cipher, AES is symmetric. The keylengths are therefore not directly comparable. NIST guidelines indicate that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.
Mobile crypto a must
I've always been pretty paranoid on the matter of strong crypto, and have used PGP to encrypt anything slightly sensitive since 2002, and every single Blackberry I've owned since 2008 has had the Content Protection and SD card crypto enabled. Lots of my IT colleagues have called me as a very paranoid person, and some other people point out that "everything can be cracked" so that it's useless to encrypt stuff at all. Of course, most of the latter have no idea about real crypto, and wouldn't understand why my AES-256 and RSA-4096 keys are not as vulnerable as the standard DVD CSS key, or the "secure" Excel passwords.
However, in the last year and a half, I've been vindicated twice because of serious breaches outside of my control. The first one was a snooping lady who was unable to open my private files, as they were all encrypted. The second one could've been worse had I not used crypto: my Blackberry was stolen. I had a zillion personal files inside it, my whole contact list, and a good load of, er ... "private" pictures I would not want to be floating around the net. Most of that stuff was encrypted, so my stuff is safe.
Same thing has applied to my laptop, which hasn't been stolen yet. But I know that if someone snags it, they won't get anything useful. Keep on the crypto!
...or is it the same one?
1.) The ( portable) encryption programmes I've tried can't be used on the computers with the data to be transferred. because those machines' owners/IT dept have set policies that prevent software running.
2.) Different programmes can't open each other's encrypted files.
But it's the same problem really. If there was portability and/or encryption software as standard I could encrypt with software installed on one computer and decrypt on another.
But I can't so I don't
Not sure they are the same problems
... but both of them are very real. A lot of IT departments do think that 'security' means "don't allow any other programs" and so prevent the user from installing encryption. Especially (shock horror) Free Software like GPG, they seem to be terrified that having any GPL software will cause all of their own data to be made Open Source and worthless. Or something like that.
Portability: GPG and PGP and products based on them are compatible, at least at some levels. I don't know of any standard which is implemented at the disk or memory stick level though, except for TrueCrypt which is a de facto standard (Open Source, although several Linux distributions regard it as non-free due to the licence conditions). But in general it is true that there is a lot of non-compatibility in such products.
I'm with pengwyn
Larger keys are a must. My preference is TrulyMail Portable (for email) which uses 4096 bit one-time symmetric key wrapped in an asymmetric key. I don't understand why PGP limits users to 1024 bits in their keys? Are they trying to make it easier for the snoops?
- Crawling from the Wreckage Want a more fuel efficient car? Then redesign it – here's how
- TV Review Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
- Downrange Are you a gun owner? Let us in OR ELSE, say Blighty's top cops
- Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
- Human spaceships dodge ALIEN BODY skimming Mars