This article deals with dangers the software programs ensuring your security are exposed to. These are your media encryption programs.
Let’s assume you have purchased media encryption software, encrypted all your files and having an easy quiet night sleep since the idea of yours is that the information on your PC is safe. Actually that’s not entirely true. There are plenty of ways to decrypt that information and get an access to it. There is no software ensuring 100 percent of security.
Options for data encryption software choice are enormous: they are of various types, designed for different operational systems, created by various programmers having different skills. Is your chosen software good? Are you using it properly? Has it been created by a professional using well known encryption algorithms? Haven’t you been leaving any security “holes”? Differently from food, clothing or car manufacturing, quality of software design is not governed by any kind of regulatory authorities, it is you who has to make a decision on purchasing a good, reliable program. It definitely won’t be enough crossing your fingers and hoping for the best. In case of you being some company’s administrator – security of the entire company lies in your hands.
There are hundreds of programs on the market. How do you choose the right one?
First of all you should get rid of all garbage. All programs claiming 100 percent security in most cases have been created by the people that are completely unaware of what security is all about. We might be repeating ourselves, but yet we would like to state that there is no 100 percent sure security. Why? You’ll find details further in the article.
Make sure that the program you are about to use is based on well-known time proven algorithm, though one should have in mind that there is no sure way to try out reliability of the encryption algorithm. Performance of such kind of testing in a laboratory over the short time period is impossible. Just the plain fact that nobody before tried to break down the algorithm doesn’t mean that it is safe. It might take years to do so. Some of the acknowledged safe encryption algorithms include Triple DES, AES, RSA, IDEA, Twofish, Blowfish, but even they cannot grant you absolute security. Basically, a hacker doesn’t necessarily need to break down the algorithm in order to break down the encryption software.
Here we go, we have excluded from the list evidently unreliable programs, but still there are plenty of secure programs using strong encryption algorithms left. Which one of them to choose?
As we have mentioned earlier it might be very difficult testing security of these programs. A programmer might create encryption software and present it for testing to hundreds of people. Does this indicate the program being safe? Definitely not. Most likely all of the 100 program testers won’t find any mistakes in it. Firstly, due to the fact that none of these 100 people doesn’t have sufficient knowledge of a solid hacker. That is why our suggestion would be to go for a known popular software. It won’t grant you absolute security, just a greater probability of your information being kept safe.
Once we have chosen a known, popular and using good encryption algorithm software designed by skilled programmers, can we opt now for calm and sweet dreams? Not yet. Even the best software providing security has its weak spots. Further on we are going to present a few most often used ways of attacking.
Brute force. By using this type of attack the only thing done is basically trying out every possible key till there is the exact one defined. This is an easy method to use and it can be operating with any kind of algorithm. Computer is capable of checking thousands of options per second and could be defining the right key for data decryption pretty quickly. The only effective way of protecting yourselves from this kind of attack is using a 128 bit key. That doesn’t mean that the key cannot be found, simply the number of potential key options increases that much that even for a computer it would take TOO long to decrypt this. Some of the encryption algorithms supporting 128 bit keys are: Triple DES, Blowfish, Twofish, RSA. In case of public algorithms such as RSA there is a need of using even longer keys. There are programs allowing the use of 2048 bit key (for example PGP).
Properly used 128 bit encryption should be enough protecting the system from Brute force. For that you just need to make sure that the key you are using is not shorter than 16 characters (i.e. 128 bit), thus if one uses a short key there is no need in applying a strong encryption algorithm.
Dictionary attack. This type of attack is similar to the use of brute force but instead of trying out all possible options the program tries out only words from the dictionary suggested. This method may be successfully applied unless you are using not only 128 bit long key, but also words that are not listed in the dictionary, i.e. non standard ones by using not only words and numbers but special characters as well (such as !@#$^&*()_+|). Some of the encryption programs when trying to protect themselves from attacks include random bit into the key. That does not protect from the attacks but slows down their work. Such programs that are not including random bit should be avoided. Of course the best way of protection is a use of complex key/password. For example: “hello_my_name_is_john” isn’t the best password, it would be better using HeLLo45_m47y_nA678me_is_jOHn69. Here one faces a challenge of remembering such long and complex password. For easing your own life you could be deploying software for storage of complex keys/passwords (Password/Key Manager). That means all of your passwords/keys would be stored in one encrypted file and the only thing you would be needing is remembering one password for that program. The only disadvantage of such programs is – in case of somebody should “break down” into the file, guess or some other way find out that only password he would get the access to all of your passwords/keys.
Finally, let’s assume that we have protected ourselves with the help of a complex encryption algorithm, have been using long at first sight having “no sense” password, may we state at that point that we are safe yet? No, not quite.
Let’s not forget Trojans with the help of which one can find your passwords at the moment you’re actually typing them into the system. As well as viruses that are capable of altering, deleting or in any other way corrupting important information of yours.
Programming weaknesses. According to Carnegie Mellon University research there are from 5 to 15 mistakes in the key of 1000 lines and that is already after the program had been tested. One can get paranoia finding out that Windows system has a million line code. A persistent hacker sooner or later will find a weak spot in the system, although most people use already well known programs, thus make sure you have downloaded lopes and updated your system. Based on the statistic figures 90 percent of the breaks into the system could have been avoided if responsible people had updated their software.
Physical attacks. It’s clear that in such cases there is no use of the software you have but such possibility always exists. Most of the people do not take measures of securing their own work place. It might be that everything you’re typing onto your computer is being recorder with secret camera. It might also happen that it is not actually your keyboard you are using but a changed one in order to record every push of the button. There are thousands of such options.
Other attacks. This sounds like something from the fantasy series, but maybe somebody is trying to record radiation changes your PC or/and display emits. Such technology actually exists but as long as you’re not trying to hide anything from the government there is no need for worrying.