Jump to content

Which encryption is best?


Recommended Posts

I've been reading up on encryption a bit. I'm probably still not on the level to have an educated conversation on the subject. But I wanted to ask a question about encryption programs.

What is the a recommended program for encrypting a file or folder for secure storage?

It's been mentioned that truecrypt is no longer secure. People are recommending using veracrypt? There's another program I've seen called zulucrypt but that also looks a lot like truecrypt?

In your opinion what is the best encryption program? Why?

Also was curious about which block ciphers are the hardest to crack? Have you cracked a truecrypt file? How long did it take? What cracker did you use?

Link to comment
Share on other sites

Truecrypt is still for the most part secure. It's just no longer maintained.


No one has ever cracked a truecrypt container that I know of. Yes, there are memory exploits, but that will work with any encryption scheme.

Personally I use dm-crypt luks full disk containers. It only works in linux at the moment, but that's okay with me.

Edited by barry99705
Link to comment
Share on other sites

Here is an excerpt from "Java Network Programming" by Elliotte Rusty Harold;

"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is believed to be reasonably secure against all known attacks. TLS_ECDHE_ECD-SA_WITH_AES_256_CBC_SHA256 is even better if you've enabled it. In general, any suite that begins with TLS_ECDHE and ends with SHA256 or SHA384 is the strongest possible encryption widely available today. Most others are subject to attacks of varying levels of severity. "

Apparently when he says this, he is referring to socket communications, which would be using symmetric encryption to transfer data, and some sort of signing so that you know the message has not been influenced by malicious Mallory. Java cypher suites are separated into several parts, protocol, key exchange algorithm, encryption algorithim, and check sum, in that order I believe. So since you are not doing any handshakes with another computer you only need the Symmetric algorithm part, ex... AES 128 with CBC, and AES 256 with CBC. CBC stands for cypher block chaining (probably only need cypher block chaining for text files), so for example if you are encrypting a bunch of textual data, you don't want people to be able to crack your encryption based on the number of spaces, or any repeating text in the crypto file (if I am not mistaken this is how we finally got the first Turing machine to work, repeat/predictable messages). Cypher block chaining alters the next block of cypher text based on the last one. Apparently AES 256 will be more secure than AES 128. You also need to figure out a baseline number of characters your pass phrase needs to be, The longer it is the better (within reason). None of this describes an encryption program, but it does describe encryption algorithms. From some of the sources I have read, Truecrypt has been broken for a while, and is basically completely open to being unlocked by the government via some sort of flaw in the program implementation. I am unaware of any faults in the AES algorithms, but by all means if you all can find articles concerning any feel free to share, it can sometimes be hard to determine which algorithms to use, because the majority are influenced by the NSA (and we have seen the NSA intentionally put faults in the encryption algorithms), and open source isn't necessarily better due to the fact that they do not have all the cryptologists who are paid the big bucks to implement an algorithm. There is something to be said for having enough resources to devote to implementing good crypto algorithims, and the NSA does by far have the majority of the history to know how to build something (getting them not to shaft you when they help you is another story). As soon as something is found to have faults in it's implementation people usually move on from that algorithm to newer, and therefore less tried and true methods of encryption.

On another note, by god do not wrap encryption algorithms, ex send output from one algorithm to another, this is terrible according to "C# Data Security Practical .NET Cryptography Handbook" by Matthew MacDonald, and Erik Johansson, and can in fact make it easier to crack the cypher text. I have also heard in some of my college classes that this type of operation can have a "deflationary" effect on the cypher text.

Edited by overwraith
Link to comment
Share on other sites

Okay, I'm going to fuck this up but Jim Manico did a talk at AppSecEU this year about HTTPS and he had a nice slide in his (as yet unpublished) deck that identifies each part. Bottom line: If I say A and he says B, it's B.


TLS - It's part of this. If your thing isn't in TLS 1.2 it's officially crap.

ECDHE - The key exchange algorithm used, in this case Elliptic Curve Diffie Hellman and specifically the Ephemeral version of it. You should prefer the ephemeral version since that is what provides "perfect forward security". PFE is good because if you operate a secure server and it somehow gets popped, someone could wiretap the connection. That same someone could go to work or may even have already succeeded in gaining access to your private key. Once your private key is known to the attacker, he or she can now decrypt ALL the previously logged traffic unless you were using PFE because it doesn't communicate the session key in a way that can be recovered from the communicated data.

ECDSA_WITH_AES_128 - Elliptic Curve Digital Signature Algorithm along with AES cryptography with the given key length. The DSA part is throwing me off a bit here, but this is the actual encryption algorithm.

CBC - Cipher Block Chaining which is a block cipher mode of operation that requires you to have successfully decrypted the preceding block of the message to be able to decrypt the current block of the message. As a result, you don't gain an advantage by starting your attack in the middle of the message, where you, say, know a lot of whitespace exists.

SHA256 - The hash to use, and its bitlength.

You can pretty much replace each chunk with something else which is kind of the point - if someone breaks ECDHE you can use regular DHE. If AES_128 is deemed insufficient you can use AES_256, or something other than AES that I'm too lazy to look up.

Also note that you can't reference a quote like above without defining when "today" is. There was a time when people would write that MD5 was the most secure thing known to man. We (should) all know better by now.

Edited by Cooper
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...