Silk Road forums

Discussion => Newbie discussion => Topic started by: Copycats on January 23, 2013, 03:02 am

Title: Cryptography question
Post by: Copycats on January 23, 2013, 03:02 am
Now onto a serious question, I understand that 512 to 1024 encryption is easily cracked now and not full proof while 2048 should be more easily broken into in the next few years. All of that is conjecture because i don't know enough about cryptography yet. Can someone come in and confirm this for me. For the new people learning PGP this might be useful. Any explanations about the different encryption protocols would also be appreciated, since I have no idea what RSA or triple cascading or any of that is. Again I can do my own research and I am constantly brushing up my IT knowledge but I thought this would be a good post instead of spam.
Title: Re: Cryptography question
Post by: trippylizard on January 23, 2013, 03:30 am
Oooh, cryptography is a fascinating topic. Very heavy on maths, which I can't even pretend to understand. But the basics are easy enough to grasp.

The first rule of any encryption algorithm is that the security of it should be entirely based on the secrecy of the key, and that knowledge of the algorithm itself shouldn't aid an attacker in any way. All the most widely-used algorithms have been published - that's the best way of ensuring they're secure, by letting anyone who wants to have a crack at breaking them (by which I mean exposing a flaw in the way they work would that would allow an attacker to determine the message or key in a less than exhaustive search of all possible keys).

There's two main classes of encryption algorithms - symmetric, and public/private key. The first uses the same key to encrypt and decrypt a message, which means the key needs to be exchanged securely in the first place. DES (the earlier one) used a key length that was way too short, and the triple-chaining was a bodge to try to make it better. But modern algorithms like AES with 256 bit key lengths are as reliable as anything can be said to be, and really fast.

Public/private ones do something different. By using clever (but very time-consuming) maths, they generate a pair of keys - the public one can be used to encrypt a message, which can be shared freely, but that message can only be decrypted by the private key, which should be kept secure. They use a much longer key than symmetric encryption, which is where the 2048 and 4096 bit key lengths of RSA and DH comes in. They're also very slow compared to symmetric ones. What usually happens is a random key will be generated to use with AES, but that'll itself be encrypted with the recipients public key, making the best of both worlds.

As it stands right now, with just the encrypted message and no-other information, it's infeasible for an attacker to decrypt a message before the universe ends. The way encryption usually fails is because the secrecy of the key is compromised (your computer is seized, or secretly bugged when you type in a passphrase, or it's coerced out of you, or you use the same passphrase in multiple places, or it's too weak to protect your key from a dictionary attack) or someone leaves a decrypted version of the message laying around.

There are more complicated ways to attack encryption algorithms, that rely on tricking a person into encrypting something different twice with the same key, or encrypting something the attacker can choose for them, which allows the attacker to short-cut the exhaustive search through all possible keys, but it's really unlikely anyone would go to the effort for anything short of international espionage type stuff.
Title: Re: Cryptography question
Post by: Copycats on January 23, 2013, 03:48 am
that was an excellent fucking post will someone please  +1 this helpful man. Anyway an SR vet just told me  4096 bit encryption is the way to go, and i am naturally paranoid so i am going to agree that it is not overkill, again better to be safe even if it the chances of cracking a 2046 bit encryption are slim. but thanks again trippylizard for elaborating vulnerabilities and ways to help attain someones private key, hopes this helps everyone, stay safe.
Title: Re: Cryptography question
Post by: Kupla420 on January 23, 2013, 04:13 am
This whole thing I'm just lost on. I downloaded it and it gave me a private key but I can't figure out how to get the public one. Then I tried decrypting someone's message they posted for practice and it just gave me an error message. I have a feeling I'm going to be making these orders not fully protected...
Title: Re: Cryptography question
Post by: raynardine on January 23, 2013, 04:15 am
Now onto a serious question, I understand that 512 to 1024 encryption is easily cracked now and not full proof while 2048 should be more easily broken into in the next few years.
What you are referring to is RSA key strength.

While it is true that short RSA keys below 2048 bits in length are vulnerable to cryptanalysis, please keep in mind that not all cryptography is the same. RSA is getting a bit long in the tooth, and the new hotness is called ECC, which stands for Elliptic Curve Cryptography.

Most of the latest and greatest cryptography is based on elliptic curves, rather than prime numbers, like RSA is.

Though powerful quantum computers will make all of this cryptography obsolete, at least in theory, quantum computers wont be coming out very soon, as it is a very experimental technology.

All of that is conjecture because i don't know enough about cryptography yet.

Wikipedia can be a great starter course, and you can, of course, PM me for free lessons, I don't mind.

Can someone come in and confirm this for me. For the new people learning PGP this might be useful.


Easiest way to practice PGP (and cryptography in general) is to practice sending PGP email to each other. Use Tormail.org to do this. If you need assistance setting any of this up, you are free to PM me.

Any explanations about the different encryption protocols would also be appreciated, since I have no idea what RSA or triple cascading or any of that is. Again I can do my own research and I am constantly brushing up my IT knowledge but I thought this would be a good post instead of spam.

Well, the very first thing you need to know about cryptography is the difference between public key cryptography such as PGP, and symmetric (aka shared key) cryptography, such as SSL/TLS.

PGP is based on the idea of the secret key being composed of two parts, two halves.

One half is the half you give to friends in order to contact you, also called a certificate. It acts as your online identity.

The other half is the secret key, which is the certificate's twin. That is as precious as the key to your house or car. you must keep is safe, keep it hidden.

When people use the public half, which you give out freely, to encrypt it, only the secret twin key can decrypt it.

When you use your private key half to encrypt it, it's the same as writing your signature on something, and can be decrypted with your public half, the twin of the private key.

If you understand and follow so far, you're very bright.

The second thing you need to understand, is that public key cryptography, where there are two twinned halves to a key pair are actually used in most forms of modern cryptography to exchange the other form, sometimes called "pre-shared key cryptography" where there is only one key, which all parties to a conversation can be used to decrypt messages.

Also called symmetric key cryptography, "pre-shared key" does not involve a twinned key pair, just one key for both encrypting and decrypting. SSL relies heavily on this, and the protocol is called AES - "advanced encryption standard."

public key ("asymmetric") key cryptography is often used in combination with symmetric ("pre-shared key") because one provides authenticity, while the other is cheaper and faster.

public key cryptography, which uses the twinned key pair, is slightly slower and more expensive, in terms of memory space and cpu difficulty to calculate. symmetric shared key cryptography is faster and cheaper, so the slower algorithm is often used to establish a connection in order to share a secret key between just the immediately participating parties, then you switch to the faster and cheaper algorithm.

If this makes sense so far, you're probably smarter than I am. Congratulations.
Title: Re: Cryptography question
Post by: Copycats on January 23, 2013, 04:33 am
Excellent posts you guys I've been wanting these answers for a long time know. Ok for everyone else completely stumped by the Egyptian that just took place I HIGHLY SUGGEST STARTING HERE

GPG (Step-by-Step: Windows Pictorial)
http://dkn255hz262ypmii.onion/index.php?topic=131.0

this is where i began my first lessons on encryption before I switched to a linux OS. Hope this helps those who are dumbfounded by PGP, the pictorial was a life saver for me START THERE
Title: Re: Cryptography question
Post by: vorvon on January 23, 2013, 04:56 am
This is very helpful.  PGP finally clicked for me when I had to figure it out for SR, but I knew barely grasping it wasn't enough for things I wanted to keep truly secret.
Title: Re: Cryptography question
Post by: surmer on March 29, 2013, 03:38 pm
Bump.

Take national security, for instance. It is a dynamic evolution of security protocol. If you use a static key, then it with CERTAINLY be n-secure.