Film-Tech Cinema Systems
Film-Tech Forum


Topic: Is Encryption this Difficult to Break? (Page 1 of 2)
Bill Enos
Film God

Posts: 2081
From: Richmond, Virginia, USA
Registered: Apr 2000


 - posted 06-23-2005 08:42 AM
I have a friend who runs Linux as well as XP on his Toshiba laptop. He keeps his personal financial info under Linux and uses an encryption that he downloaded for free. He only, or so he believes, has the key to opening the system. He says that it would take several computers running very sophisticated, expensive and difficult to obtain software thousands of hours to crack his system. Though I have little knowledge on this subject, I tend to think he is deluding himself. Any thoughts from those who would know??

Dave Williams
Wet nipple scene

Posts: 1836
From: Salt Lake City, UT, USA
Registered: Jan 2000


 - posted 06-23-2005 09:59 AM
It all depends on the encryption algorithms used. Most really good encryption takes about three weeks to bust. Most of the standard stuff is already broken by hackers, so even if you change the encryption keys, chances are you are open to attack through the back door and won't even know when it happens.

I tend to use the 128 bit encryption that is out there now for financial transactions on the net, and to cover my own stuff here at home, and I rotate the encryption key randomly to keep it fresh. However it is not perfect and is breakable. Luckily no one cares about little ol' me.

At work however, we use a proprietary encryption algorithm that is stronger than any government database. No one has ever been able to break it, and they have people constantly monitoring the incoming end, and others actually trying to break it, just to keep them on their toes.

So as for your friend's encryption, hard to say. Depends on what it is and if it has been beaten in the past in any significant way.

Ciao

Randy Stankey
Film God

Posts: 6440
From: Erie, Pennsylvania
Registered: Jun 99


 - posted 06-23-2005 12:09 PM
All depends on what encryption algorithm he used, how secure the passphrase is and how well he guards the passphrase.

1) Some algorithms are simple to crack, even with a laptop. Others (DES3 with a long key) can take weeks and weeks to crack even with a supercomputer even if they can be cracked at all.

2) Do you use a passphrase that anybody who knows you could guess? I use nonsense words for the passwords like "googoodoggy" that I don't want anybody to guess. (No, that's not one of my real passwords.) I think most people know the rules for making good passwords by now.

3) You could have the most secure password in the world but, if you write it down where anybody else could see it, you might as well just shout it from the rooftops.

If he really wants to keep his financial data secure the best way is to make sure nobody can even get access to the data in the first place, let alone decrypt it.

Go get an external hard drive and store all your sensitive data on there and nowhere else. At night when you finish your work shut the computer down, disconnect the drive and lock it up in a safe place like a fireproof safe.

Cripes! You can get a 1/2 decent external drive at Circuit City, et al., for $100 - $200.

Wanna' know the best way to keep people from finding out your secrets? Don't even admit that you HAVE secrets! [Wink] If you tell people that you have sensitive information somebody's BOUND to get nosy and try to find out what you're hiding just for the principle of it! (Like putting up a "Wet Paint" sign, doncha' know! [Big Grin] )

So, the best way to keep your data safe is to encrypt it with a good algorithm, use a good key, store it in a physically secure location and then shut up about it! [Smile]


Dieter Depypere
Master Film Handler

Posts: 343
From: Deutsch-Wagram, Lower Austria, Austria
Registered: May 2005


 - posted 06-23-2005 12:22 PM
Ahhh, the file encryption systems... I think every algorithm is crackable, it is only a matter of time. Of course the better the encryption, the longer it takes to crack it. Though, I would never rely absolutely totally 100% on that. Maybe 99.9% (if it is really bitchin' good) or something like that...

Mark J. Marshall
Film God

Posts: 3184
From: New Castle, DE, USA
Registered: Aug 2002


 - posted 06-23-2005 12:34 PM
No encryption system is absolutely "unbreakable" (except for a one way hash - which by definition is... well... one way). To break any encryption requires you to solve very complicated math problems to obtain the "key" to unlock the encrypted data.

The idea is to make the math problem itself (meaning the encryption "algorithm") more and more complicated and make the problem harder to work with by making the solution to the problem (the encryption key) a larger and larger number.

When they say that a particular type of encryption is "broken", it means that either a) computer work horse power has sufficiently caught up to allow a brute force attack on the math problem to not take as long as it used to, or b) someone has discovered a shortcut to the math problem that didn't exist before.

Technology is always changing though, both in the computer field and the math & science field. It's possible that whatever is secure today may very well not be secure tomorrow. Hope that helps.

 |  IP: Logged
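
Added example (not part of any post in this thread): a Python sketch tying together the passphrase point from Randy Stankey's post and the key-size point in the post above. It treats the effective strength of passphrase-protected encryption as the smaller of the key size and an upper-bound estimate of the passphrase's entropy. The guess rate, the character-class entropy estimate and the function names are assumptions made for illustration; 56 bits is the single-DES key size.

```python
import math
import string
from typing import Optional

# Assumed attacker speed in guesses per second. A constructed figure for
# illustration only, not a measurement of any real hardware.
ASSUMED_GUESSES_PER_SEC = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes and their sizes; anything else is lumped into an
# assumed pool of 128 further symbols.
_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]
_KNOWN = "".join(chars for chars, _ in _CLASSES)


def passphrase_bits(passphrase: str) -> float:
    """Upper bound on passphrase entropy, in bits.

    Assumes each character was picked at random from the classes that
    appear in the phrase. Human-chosen phrases fall below this bound.
    """
    pool = sum(size for chars, size in _CLASSES
               if any(c in chars for c in passphrase))
    if any(c not in _KNOWN for c in passphrase):
        pool += 128
    return len(passphrase) * math.log2(pool) if pool else 0.0


def effective_bits(key_bits: int, passphrase: Optional[str] = None) -> float:
    """Work factor of the cheaper attack: search keys or guess passphrases.

    passphrase=None models a key drawn at random with no passphrase behind it.
    """
    if passphrase is None:
        return float(key_bits)
    return min(float(key_bits), passphrase_bits(passphrase))


def expected_years(bits: float, rate: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Average exhaustive search tries half the space: 2**(bits - 1) guesses."""
    return 2.0 ** (bits - 1) / rate / SECONDS_PER_YEAR


def compare(cases):
    """Return (label, effective bits, expected years) for each case."""
    rows = []
    for label, key_bits, passphrase in cases:
        bits = effective_bits(key_bits, passphrase)
        rows.append((label, round(bits, 1), expected_years(bits)))
    return rows


if __name__ == "__main__":
    # Constructed cases; "googoodoggy" is the sample phrase from the thread.
    cases = [
        ("56-bit key (single DES), random key", 56, None),
        ("128-bit key, random key", 128, None),
        ("128-bit key behind 'googoodoggy'", 128, "googoodoggy"),
        ("128-bit key behind 8 lowercase letters", 128, "qhzmtkwe"),
    ]
    for label, bits, years in compare(cases):
        print(f"{label:42s} {bits:6.1f} bits  ~{years:.3g} years")
```

At the assumed rate, a 128-bit cipher unlocked by an 11-letter lowercase phrase offers at most about 52 bits of work, less than a randomly keyed 56-bit cipher.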

Monte L Fullmer
Film God

Posts: 8353
From: Nampa, Idaho, USA
Registered: Nov 2004


 - posted 06-23-2005 12:37 PM
I go out to a wrecking yard and write down a few VIN numbers from old cars, then change the alpha/numeric order around some to really scramble things up.

One can use their current vehicles and scramble those characters around some as well.

-Monte

Dave Macaulay
Film God

Posts: 2168
From: Toronto, Canada
Registered: Apr 2001


 - posted 06-23-2005 03:31 PM
quote: Dave Williams
a proprietary encryption algorithm that is stronger than any government database
These are the unmistakeable words of a snake-oil salesman.

"Proprietary" commercial encryption algorithms are universally regarded by cryptographers as total bunkum.

Government cryptography methods are secret, true, but in the US the NSA has a large staff of reputable scientists designing and testing their systems and they should be excused for the "proprietary" nature. Note that US government crypto is almost universally secret; no commercial entity can claim their product is more secure than a secret algorithm from Virginia because they cannot know how secure the NSA stuff is.

Public crypto algorithms are not less secure from being well known, they're much more trustworthy and secure. The algorithms are studied and tested for weakness by the "good guys" as well as "hackers", and there are cash prize contests for breaking several public algorithms. The security is not from obscurity, it's from the cryptographic design - essentially how random and rare the code's internal factors are. Several accepted public codes have been disused because the factors could be found by non-random approaches or because their rare and random key factors could be brute-force searched in a reasonably short time by computers faster than was imagined when the code was developed.

There are dozens (if not more) shady companies selling "super" crypto using "proprietary" algorithms. Don't buy their bullsh*t. They're hiding how their product works because it's crap.


Louis Bornwasser
Film God

Posts: 4435
From: prospect ky usa
Registered: Mar 2005


 - posted 06-23-2005 08:55 PM
Encryption is like a "lock." Bigger lock needs bigger key. Fancier encryption needs fancier Cray Supercomputer. No problem, just time.

Louis

John Walsh
Film God

Posts: 2490
From: Connecticut, USA, Earth, Milky Way
Registered: Oct 1999


 - posted 06-24-2005 07:52 AM
My experience generally agrees with others here ... Louis' comment about time=security. There are a few free encryption programs, such as PGP (Pretty Good Privacy) from the famous RSA guys. As far as securing a regular person's personal financial data, almost anything would be good enough. I especially agree with Dave about publishing encryption algorithms. Everyone, from math professors to bored teenagers will beat on that algorithm. You couldn't buy that kind of testing.

Most entities dealing with US federal government, like banks, are required to use the DES encryption algorithm. There are many people (myself included) that feel there is a 'back door' in the DES algorithm. Of course, I don't have access to the algorithm, and my math sucks, but when I worked on an encryption system years ago I just got 'a feeling' about it.


Dave Williams
Wet nipple scene

Posts: 1836
From: Salt Lake City, UT, USA
Registered: Jan 2000


 - posted 06-24-2005 06:29 PM
quote: Dave Macaulay
These are the unmistakeable words of a snake-oil salesman.

Well I never did say that we SELL encryption. In fact we don't sell anything that has much to do with computers at all, unless you use one of our products to purchase a computer.

Our "proprietary" only means that it was designed "IN HOUSE" and not by anyone else, and is constantly changed and rotated and updated, much like any government database, however we have not ever been broken into.

Yes the possibility exists that it could happen, but not likely. We have a very expert staff that handles that area 24 hours a day and is always looking for that.

Our database has been secure since the dawn of the database, and it is our most guarded precious item. No one has access to it from outside sources, we do not sell or transfer it to anyone, and only those with thorough background checks can access it. We are audited on EVERY KEYSTROKE we do, including this one, which is why I cannot speak officially for my firm, nor can I even state who I work for.

So as for the BS and Snake Oil, we don't sell either of that. We sell quality, convenience, success, and overall, um.... lots of goodies and things....

Ciao


Dave Macaulay
Film God

Posts: 2168
From: Toronto, Canada
Registered: Apr 2001


 - posted 06-24-2005 07:38 PM
I didn't think you were selling this, I figured you were repeating someone else's marketing nonsense.
Security for a private database is not really a cryptography problem; it's a security matter. Everything you describe is good security practice.
However, should that database get out in the wild, I would trust an established public cryptographic system way more than any in-house "secret" code.
Regardless of the code used you have to assume it can be broken, and if it's worthwhile for someone with the time and resources to break it... it will be.


Tao Yue
Expert Film Handler

Posts: 209
From: Princeton, NJ
Registered: Apr 2001


 - posted 06-24-2005 09:27 PM
quote: John Walsh

Most entities dealing with US federal government, like banks, are required to use the DES encryption algorithm. There are many people (myself included) that feel there is a 'back door' in the DES algorithm. Of course, I don't have access to the algorithm, and my math sucks, but when I worked on an encryption system years ago I just got 'a feeling' about it.

Actually, DES is so simple to break with the computing power available nowadays that anybody using a DES variant uses triple-DES.

There's a fun story in Bruce Schneier's book Applied Cryptography about DES. Back in the 1970s IBM was working on a proposed national standard for encryption called Lucifer, and sent it to the NSA for review. When it came back, they found that NSA actually approved a slightly different system. IBM ran their tests on modified-Lucifer and it was OK, so that was what became DES. The conspiracy theory is that the NSA took this opportunity to insert a back door.

DES is weak because computing power has caught up with it. The back door story is generally considered to be just a rumor, albeit more likely than most conspiracy theories due to NSA's secrecy.


Bobby Henderson
"Ask me about Trajan."

Posts: 10727
From: Lawton, OK, USA
Registered: Apr 2001


 - posted 06-24-2005 10:25 PM
I'm currently a bit disillusioned by encryption systems. Considering how so many millions of credit card numbers and bank accounts have been compromised either by outside hackers or thieves working on the inside, I feel our entire financial industry is highly vulnerable. It almost feels like a "Fight Club" style climax is due to hit.

Aside from broad sweeping feelings, I'm a little pissed about data encryption in regards to my day job, designing signs (as well as my freelance graphics work). I use the PDF format to allow customers to proof designs without the need of having an expensive graphics program installed on their machine.

In the past, I have taken a number of manual steps to protect the artwork. That involves converting vector-based logos into low-rez bitmaps and then pockmarking the bitmaps with repeating patterns and such. The method is effective at giving a big FU to any thieves looking to extract or autotrace any good artwork. But the process takes time. If you have a bunch of PDFs to make, then you can wind up spending a bunch of time creating anti-theft PDFs.

I recently purchased the new Adobe Creative Suite 2 Premium upgrade, which includes Acrobat 7 Professional. I figured this app and its security features would eliminate the need for all those steps to protect artwork I just described. Not really.

There's a couple utilities you can buy online for as little as $30 that will defeat the 40-bit and 128-bit encryption methods and password blocks used by Acrobat 7 Professional and Acrobat Distiller 7. The only security feature in Acrobat that stands up to these utilities is optional password block on opening the file. But if the user has the open file password, then all the other permissions topple like dominoes.

The situation pisses me off from the standpoint that customers, particularly sign customers in my day job, don't like overt security stuff hammering them in the face. It would seem easier to just have password blocks on being able to open the PDF in Illustrator or copy stuff to the clipboard.

In the end, I'm stuck with doing all my manual rasterizing crap to protect my vector art. But I'll still apply password permissions to those PDFs anyway. That way when some bastard runs the PDF through his crack utility to get the password, he'll think he will have accomplished something. Then he'll load the PDF into his stolen copy of Illustrator and get SHIT quality bitmaps instead of art he can take directly to a vinyl cutter.
[fu]


Mark J. Marshall
Film God

Posts: 3184
From: New Castle, DE, USA
Registered: Aug 2002


 - posted 06-25-2005 05:05 PM
quote: Dave Williams
"proprietary" only means that it was designed "IN HOUSE" and not by anyone else, and is constantly changed and rotated and updated
quote: Dave Macaulay
Security for a private database is not really a cryptography problem; it's a security matter. ... I would trust an established public cryptographic system way more than any in-house "secret" code.
Agreed 100%. If the algorithm is good enough, there's no need to keep changing it. Unless you're talking about rotating the keys to the encrypted database - which is actually not always a good idea. One of the ways to attack an encryption system is to start with multiple copies of the same data encrypted with different keys. Of course I'm guessing based on what you've said, and I know you can't say much more, so I'll just leave it as a guess.

quote: Paraphrasing from Applied Cryptography:
If I lock a document in a safe, hide the safe in New York, and tell you to go find it, that's not security, that's obscurity. On the other hand, if I lock a document in a safe, then give you the safe, along with the schematics of the safe, and a hundred other identical safes along with their combinations so that you and the best lock smiths in the world can study the locking mechanism, and you still can't get to the document, THAT is security.
When choosing a reliable encryption system, one that uses published algorithms, which is also open source (like PGP) is the way to go. History has shown over and over again that "proprietary" closed source encryption systems generally end up being very weak. CSS comes to mind.

Dave Williams
Wet nipple scene

Posts: 1836
From: Salt Lake City, UT, USA
Registered: Jan 2000


 - posted 06-26-2005 02:27 AM
I think I should just use a new term here instead of proprietary..

Keep in mind I am sure that no one here is trying to insinuate that I am full of crap or something, but the mere fact I brought it up leads me to believe that I need to clarify this word...

REPHRASE...

Yep... maybe a rephrase is in order. I should have used a different word or phrase.

We don't sell or offer encryption, so since proprietary is often used by people selling something, it was inappropriate to use it in this instance.

What we do have is a massive database that is protected by extraordinary means. We do not use commercially available means to secure this database.

Imagine 52 decks of cards. You place them all face down. Somewhere in there are the 52 cards you need to win the prize. All the while you are trying to figure out the right combination without actually being able to see the combination, someone else keeps changing the combination for each right card you choose. No matter how far you think you get, you always end up back in square one.

Keep in mind that we don't just sit on it and hope for the best either. Our data is our most prized and protected possession. Other firms may not keep their data as secure, but it is who we are and our reputation is all we sell. Whatever the exercise may be, it is undertaken to ensure complete protection.

We also do not sell anything from our database. It is not up for public access in any way, shape or form. The only people who have access to it are authorized employees who are audited on every key stroke and computer event, and government auditors to check for legal compliances on a very rather frequent basis.

Unlike many firms you see lately that have lost information to hackers and other people unauthorized, we do not do any business that would give anyone access at any time to our information. It is just not an avenue that we go down.

While it is true that some of our clients' information has been compromised, it was done by outside sources who did not gain access to our systems, but rather to other entities who collected on many occasions identical information files for their own use, but did so on their own volition and without access to our database.

We are secure, and will continue to be secure. If there is ever an attempted breach that cannot be shut down or steered out, the systems will be shut down without warning to protect the data, and the lines cleared and the security measures changed.

The number of times our systems have gone down for this reason... none.

So I apologize for even bringing up proprietary. I just wanted to make sure and very clear that where I work and the company I work for takes very careful precautions to secure our data, and that we work very hard to not be a victim, but instead be the leader when it comes to data protection, even though that is not our business.

Ciao




All times are Central (GMT -6:00)

© 1999-2018 Film-Tech Cinema Systems, LLC. All rights reserved.