Encryption

For this reason, governments often tried to limit or otherwise weaken encryption available to the public (in pre-2000 era, encryption algorithms were legally considered as military weapons, now most of these legal limitations have been removed but there are still ongoing off-the-records efforts like shown in the Dual_EC_DRBG case).

An interesting reading on the subject is the RFC 1984 (strange number, isn’t it?) which milits in favor of a widespread availability of strong cryptography and explains why weakening security tools is counter-productive.

However, without even mentioning the prerequisites that it must be properly implemented and that the endpoints must be secured, I encourage you to stay on earth and keep in mind what real threats are.

You may encrypt your disk, data and communication, you may use highly technologic deniable, obfuscated and anti-forensic encryption methods, but never forget it may require no more than a $5 wrench to access your data:

Always define what threats you are protecting from and use appropriate measures. Don’t roll your own cryptography. Do not forget that security first goal is to ensure safety: using inapropriate measures may be counter-productive (this is particularly true for deniable encryption).

At last, encryption usually plays tightly with privacy: encryption mean nothing if the software which encrypts the data or manipulate the data in clear form cannot be trusted. You may therefore want to also check the privacy part of this website.

RSA key lengths, elliptic curve cryptography and quantum computing

Some tools, like PGP, are still stuck¹ to legacy cryptography, mainly the RSA algorithm. For such tools, RSA-2048 is often described as strong enough for any foreseeable future, anything above being overkill The GnuPG official documentation in particular even goes this far as considering that using RSA-3027 or RSA-4096 constitutes “an improvement so marginal that it’s really not worth mentioning”, adding that “the way to go would be to switch to elliptical curve cryptography”.

The assertion that this improvement is “marginal” is debatable, as is the trust in the elliptical curves to protect us in the future.

Longer RSA keys

While the NIST considers RSA-2048 to be safe for commercial use up to 2030, it still advises the use of at least a RSA-3072 key for beyond (see BlueKrypt’s Keylength website to get an overview of various recommendations).

Read quickly, such recommendation …

Continue

What is the difference between HTTP and HTTPS with a self-signed certificate?

Security difference

First, let’s talk about SSL (now called TLS by the way), which adds the ‘S’ at the end of HTTPS and is in charge of “securing the communication“. The clue to answer this question is indeed to fully understand what we mean by “securing the communication”.

SSL, no matter if it is a self-signed certificate which is being used or one signed by a trusted CA, will ensure that the communication between you and the remote host remains confidential and that no one can tamper with any data exchanged.

The warning message shown by browser about self-signed certificates is therefore not about that.

But, how can you be sure that the remote host answering to your requests is really the one you expect? With public websites, for which you have no direct way to authenticate the certificate by yourself, this is just impossible. Here comes external …

Continue

Popular tags ^{see all}

WhiteWinterWolf Practical IT security, *nix systems & networking

Latest articles in ‘Encryption’

RSA key lengths, elliptic curve cryptography and quantum computing

Longer RSA keys

What is the difference between HTTP and HTTPS with a self-signed certificate?

Security difference

Popular tags ^{see all}

Website

Author

Follow

Latest articles in ‘Encryption’

Longer RSA keys

Security difference

Popular tags see all

Website

Author

Follow

Popular tags ^{see all}