
Topic: Sending REALLY sensitive information (Read 3403 times)

legendary
Activity: 1400
Merit: 1005
April 11, 2013, 03:16:57 PM
#48
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
you do not want to use a closed format for encryption.

gpg can be used to encrypt files too.
Thanks, and good point.

I suppose the big difference I see between the two is that GPG requires a public key to encrypt with, whereas a .rar can be encrypted with anything of my choosing, provided I give the password to the party through an alternate channel.  Is there something .rar style that uses an open format?

gpg can do symmetric encryption only, if you ask it to.
see the "-c" switch in man gpg
Oh, that's good to know!  I am looking for GUI options, but perhaps one of the GUIs available for general GPG encryption would also support symmetric encryption.  Thanks!
legendary
Activity: 1050
Merit: 1000
You are WRONG!
April 11, 2013, 03:10:15 PM
#47
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
you do not want to use a closed format for encryption.

gpg can be used to encrypt files too.
Thanks, and good point.

I suppose the big difference I see between the two is that GPG requires a public key to encrypt with, whereas a .rar can be encrypted with anything of my choosing, provided I give the password to the party through an alternate channel.  Is there something .rar style that uses an open format?

gpg can do symmetric encryption only, if you ask it to.
see the "-c" switch in man gpg
legendary
Activity: 1400
Merit: 1005
April 11, 2013, 03:07:48 PM
#46
Quote
Is there something .rar style that uses an open format?
7-zip can do that. 10-char password is not enough. I will go with 20+ random password.

Almost everything requires the computer to be online. Being online is what the internet is all about. Next time search for possible ways to encrypt and send information when computer is both offline and turned off Wink
Thanks, I'll check out 7-zip.  And yes, I was thinking 20-char.  Maybe 25 or 30 char would be even safer, but that might be overkill.

I understand that almost everything requires the computer to be online.  But I'd like multiple methods that do not involve putting the private information on a computer that could potentially be compromised unless that information is otherwise secured (i.e. encrypted).  It seems the only real way to do this is to encrypt the information on the offline machine prior to bringing it to the online machine.  Or, potentially, physical delivery (via postal service).  I guess that gives me 3 options.  I am satisfied with these results then.  Thanks to all who have participated in this thread!
legendary
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
April 11, 2013, 02:47:52 PM
#45
Quote
Is there something .rar style that uses an open format?
7-zip can do that. 10-char password is not enough. I will go with 20+ random password.

Almost everything requires the computer to be online. Being online is what the internet is all about. Next time search for possible ways to encrypt and send information when computer is both offline and turned off Wink
legendary
Activity: 1400
Merit: 1005
April 11, 2013, 02:25:22 PM
#44
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
you do not want to use a closed format for encryption.

gpg can be used to encrypt files too.
Thanks, and good point.

I suppose the big difference I see between the two is that GPG requires a public key to encrypt with, whereas a .rar can be encrypted with anything of my choosing, provided I give the password to the party through an alternate channel.  Is there something .rar style that uses an open format?
legendary
Activity: 1050
Merit: 1000
You are WRONG!
April 11, 2013, 02:21:41 PM
#43
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
you do not want to use a closed format for encryption.

gpg can be used to encrypt files too.
legendary
Activity: 1400
Merit: 1005
April 11, 2013, 02:10:34 PM
#42
Reviving this thread...

I got to thinking about it more, and most of these solutions rely on the machine in question being online at some point in time.

Bitmessage requires a connection to send out (Unless there is a way to create a transaction on an offline computer, then transfer the tx to an online computer to be broadcast? That would be awesome!)

GPG mail seems to require an online connection as well (connect to your email host).  I wish there was an easy method to use someone's PGP key and encrypt a message offline, but the only solution I can find for that is via command line.  It's an option, I suppose, but I don't like it much.

OTR IM Chat/Tor Chat - obviously requires the machine to be online.

readthenburn - again, obviously requires the machine to be online.

.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.

Let's leave the MITM argument alone for the time being.

EDIT:  Just found a plethora of GUIs for GPG though - nice!  http://www.gnupg.org/related_software/frontends.en.html
full member
Activity: 140
Merit: 100
March 30, 2013, 08:37:34 AM
#41
Obligatory: http://xkcd.com/538/
legendary
Activity: 966
Merit: 1004
CryptoTalk.Org - Get Paid for every Post!
March 30, 2013, 07:59:54 AM
#40
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/

Can you hear me now? How about now? A lil louder .. Ok good..





Dad said to go ahead and give him a ...
https://www.youtube.com/watch?v=w-tr0pVynJs

The look on his face at the end of the video is what happens after you send whatever you're thinking about sending!

lolz





The US said go ahead and send the dam 5 BTC just stop talking about it.. in fact they will give you 5 BTC just to stfu..

(  ok so i got jokes.. thought i would try to lighten the mood )
Cheers Smiley
legendary
Activity: 1050
Merit: 1000
You are WRONG!
March 29, 2013, 09:33:51 PM
#39
the attacker in a man in the middle attack can also be a passive observer. He is not required to modify the plaintext messages, just decrypt, store and resend encrypted with his own key. The security question will go through as without a MITM attack.

Now we are talking about authentication rather than encrypted channel security. They are different animals.
they are different, but if you can't authenticate, encryption does not really matter.
legendary
Activity: 1470
Merit: 1029
Show middle finger to system and then destroy it!
March 29, 2013, 02:53:53 PM
#38
the attacker in a man in the middle attack can also be a passive observer. He is not required to modify the plaintext messages, just decrypt, store and resend encrypted with his own key. The security question will go through as without a MITM attack.

Now we are talking about authentication rather than encrypted channel security. They are different animals.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
March 29, 2013, 01:59:41 PM
#37
Even if all your computers are so virus infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communications lines are ridiculously low.
NSA, go look it up you don't know what it is.

no one is talking about vira, you should really go read some more about basic cryptography, as you clearly don't understand.
Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  Roll Eyes
if the information is sensitive enough, then Yeah! tap all the stuff.

but the only hard thing to do here is the phone, the rest is text based and can easily be faked.

the only impossible thing is pre-distributed public keys (gpg or similar), but that would require the two parties of the communication to meet at least once.

Text based communication is not easily faked if you ask a question that very few people would know.
simple example:
Alice to Attacker: answer this question _, and i will believe you are bob.
Attacker to Bob:  answer this question _, and i will believe you are bob.
Bob to Attacker: this is the answer to the question: _.
Attacker to Alice: this is the answer to the question: _.
Alice to Attacker: hello, bob!
Attacker to Bob: kthxbye.

and the Attacker and Alice continue the conversation. It is really that simple, and security would not be any better even with public-key cryptography (unless they were pre-distributed).

now, please STFU and go learn some basic cryptography.

Delay, idiot. I don't ask the question then go get something to eat. If it takes them too long, it becomes suspicious.
have you heard about computers?

(btw. you are ignored now, have a nice and ignorant life)
legendary
Activity: 1050
Merit: 1000
You are WRONG!
March 29, 2013, 12:00:33 PM
#36
Even if all your computers are so virus infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communications lines are ridiculously low.
NSA, go look it up you don't know what it is.

no one is talking about vira, you should really go read some more about basic cryptography, as you clearly don't understand.
Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  Roll Eyes
if the information is sensitive enough, then Yeah! tap all the stuff.

but the only hard thing to do here is the phone, the rest is text based and can easily be faked.

the only impossible thing is pre-distributed public keys (gpg or similar), but that would require the two parties of the communication to meet at least once.

Text based communication is not easily faked if you ask a question that very few people would know.
simple example:
Alice to Attacker: answer this question _, and i will believe you are bob.
Attacker to Bob:  answer this question _, and i will believe you are bob.
Bob to Attacker: this is the answer to the question: _.
Attacker to Alice: this is the answer to the question: _.
Alice to Attacker: hello, bob!
Attacker to Bob: kthxbye.

and the Attacker and Alice continue the conversation. It is really that simple, and security would not be any better even with public-key cryptography (unless they were pre-distributed).

now, please STFU and go learn some basic cryptography.
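
The relay in the post above, next to a check that binds authentication to the session keys, as an added example that is not part of the original thread. The question and answer, the function names, and the random byte strings standing in for session public keys are assumptions; a pre-shared HMAC key stands in for the pre-distributed gpg keys the post mentions.

```python
import hashlib
import hmac
import secrets

QUESTION = "name of our first server?"  # constructed sample question


def bob_answers(question: str) -> str:
    # Only the real Bob knows the answer (constructed sample secret).
    return "gopher" if question == QUESTION else "?"


def attacker_relays(question: str) -> str:
    # The relay needs no knowledge: it forwards the question and the reply.
    return bob_answers(question)


def alice_question_check(peer) -> bool:
    # Alice accepts whoever returns the right answer on this channel.
    return peer(QUESTION) == "gopher"


def transcript_tag(psk: bytes, nonce: bytes, key_a: bytes, key_b: bytes) -> bytes:
    # MAC over the nonce AND both session keys as this party saw them.
    return hmac.new(psk, nonce + key_a + key_b, hashlib.sha256).digest()


def alice_bound_check(psk: bytes, relay_swaps_keys: bool) -> bool:
    # Random bytes stand in for each party's session public key.
    alice_key, bob_key, attacker_key = (secrets.token_bytes(32) for _ in range(3))
    nonce = secrets.token_bytes(16)
    # To read traffic, the relay must hand each side its own key instead.
    seen_by_bob = attacker_key if relay_swaps_keys else alice_key
    seen_by_alice = attacker_key if relay_swaps_keys else bob_key
    # Bob tags his view; the relay can forward the tag but not forge one.
    tag = transcript_tag(psk, nonce, seen_by_bob, bob_key)
    expected = transcript_tag(psk, nonce, alice_key, seen_by_alice)
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    psk = secrets.token_bytes(32)  # exchanged in person beforehand
    print("question check, direct :", alice_question_check(bob_answers))
    print("question check, relayed:", alice_question_check(attacker_relays))
    print("bound check, no swap   :", alice_bound_check(psk, False))
    print("bound check, key swap  :", alice_bound_check(psk, True))
```

The question check passes in both cases because the answer says nothing about which keys protect the channel; the bound check fails as soon as the keys Alice and Bob see differ.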
legendary
Activity: 2436
Merit: 2119
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
March 29, 2013, 11:59:27 AM
#35

Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  Roll Eyes

I hear there's a thing called computers which can replace many people for a lot of repetitive tasks. Could be just a fad though.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
March 29, 2013, 05:42:32 AM
#34
Even if all your computers are so virus infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communications lines are ridiculously low.
NSA, go look it up you don't know what it is.

no one is talking about vira, you should really go read some more about basic cryptography, as you clearly don't understand.
Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  Roll Eyes
if the information is sensitive enough, then Yeah! tap all the stuff.

but the only hard thing to do here is the phone, the rest is text based and can easily be faked.

the only impossible thing is pre-distributed public keys (gpg or similar), but that would require the two parties of the communication to meet at least once.
legendary
Activity: 3318
Merit: 1958
First Exclusion Ever
legendary
Activity: 896
Merit: 1000
March 28, 2013, 05:53:33 AM
#32
whatever you do, NOT privnote
legendary
Activity: 1050
Merit: 1000
You are WRONG!
March 28, 2013, 04:37:56 AM
#31
Even if all your computers are so virus infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communications lines are ridiculously low.
NSA, go look it up you don't know what it is.

no one is talking about vira, you should really go read some more about basic cryptography, as you clearly don't understand.

sr. member
Activity: 374
Merit: 250
Tune in to Neocash Radio
March 27, 2013, 09:34:06 PM
#30

Send the person a picture of a cat to use as a one time pad.   Grin

Mail them a CD with the picture of the cat that you take yourself.  Email the OTP encrypted file.  

I'm being a little silly this is probably overkill.  
LOL.

What about just mailing a password (plaintext), and then emailing a .rar encrypted file?  I don't know what OTP is or how a cat picture could be used as a pad, and yes, that might be overkill for my purposes anyway.  Tongue

In case you're interested.  This is an encryption technique that is very secure as long as the pad is secret.  Even if your picture of a cat was your pad and public I still feel that no one is going to  XOR your message with that picture of a cat. 

http://en.wikipedia.org/wiki/One-time_pad
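
How the XOR pad from the post above behaves, as an added example that is not part of the original thread: a round trip with a random pad, what two ciphertexts made with the same pad reveal, and what the fixed header of a JPEG file used as a pad reveals. The messages, function names and the stand-in "photo" bytes are constructed for illustration.

```python
import secrets

# First 11 bytes of every JFIF-format JPEG: SOI, APP0 marker, length, "JFIF\0".
JFIF_HEADER = bytes.fromhex("ffd8ffe000104a46494600")

# Constructed sample data.
MESSAGE = b"wallet seed: alpha bravo charlie"
RANDOM_PAD = secrets.token_bytes(len(MESSAGE))
# Stand-in for a photo file: real JFIF header followed by filler bytes.
CAT_JPEG_PAD = JFIF_HEADER + secrets.token_bytes(64)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """What an observer holds after seeing two ciphertexts made with one pad."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def known_prefix(ciphertext: bytes, guessed_pad_prefix: bytes) -> bytes:
    """Plaintext bytes exposed when the start of the pad is predictable."""
    n = min(len(ciphertext), len(guessed_pad_prefix))
    return otp_xor(ciphertext[:n], guessed_pad_prefix[:n])


if __name__ == "__main__":
    ct = otp_xor(MESSAGE, RANDOM_PAD)
    print("round trip ok:", otp_xor(ct, RANDOM_PAD) == MESSAGE)

    # Reusing the pad cancels it out: c1 XOR c2 equals p1 XOR p2.
    second = b"meet at noon"
    leak = xor_of_plaintexts(ct, otp_xor(second, RANDOM_PAD))
    print("pad cancelled:", leak == xor_of_plaintexts(MESSAGE, second))

    # A file with a fixed header is not a random pad.
    print("exposed:", known_prefix(otp_xor(MESSAGE, CAT_JPEG_PAD), JFIF_HEADER))
```

The pad has to be random over its whole length, at least as long as the message, and used once; an image file meets none of these by default.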
legendary
Activity: 1610
Merit: 1004
March 27, 2013, 12:49:35 PM
#29
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 
And who prevents the page from storing the message forever? Promise not to do so? I call it a trap! Set up such page, then wait for all sorts of secret and confidential information + IP addresses come in such as passwords and login data, links to child porn and so on.

I am skeptical as well but they say that your message is encrypted client-side using a random 256 bit AES key stored in the URL and the cleartext message and secret key are never sent to them.  Source code is available but I am still learning to analyse crypto primitives so I can't confidently say this is safe.