log in | register | forums
Show:
Go:
Forums
Username:

Password:

User accounts
Register new account
Forgot password
Forum stats
List of members
Search the forums

Advanced search
Recent discussions
- Updated RISC OS Git client sent to beta testers (News:9)
- Rougol September 2023 meeting is an informal chat (News:)
- Elesar releases an Econet adapter for RiscPC (News:3)
- London Show 2023 cancelled (News:)
- WROCC September 2023 meeting - Mark Moxon on Elite (News:3)
- WROCC September meeting is very Elite (News:)
- August 2023 News Summary (News:)
- WROCC August Newsletter Volume 41:5 reviewed (News:)
- Rougol August 2023 meeting is an informal chat (News:1)
- New Rogue game from Jereon Vermeulen (News:)
Related articles
- An arbitrary number of possibly influential RISC OS things
- FFS.
- RISC OS - the week in comments; episode 2
- The Vigay will never abandon RISC OS [Updated]
- It's Acorn, but not as we know them...
- RISC OS - 24 bits
- Rounding Up February
- Your Early February Catch-up Linkfest
- VigayWatch (tm)
- Happy New Year!
Latest postings RSS Feeds
RSS 2.0 | 1.0 | 0.9
Atom 0.3
Misc RDF | CDF
Site Search
 
Article archives
The Icon Bar: News and features: Beware the friendly stranger
 

Beware the friendly stranger

Posted by Phil Mellor on 01:25, 4/1/2004 | ,
 
Security eh? Easy, just fiddle with your bits to encrypt them and you'll be safe. Unfortunately it's not that easy. Nat Queen has published his latest article aimed at RISC OS users discussing the general principles of modern cryptography and describing some of the warning signs for snake oil... Encryption? Snake oil? Huh?

You might consider encryption unnecessary for your basic needs. If you worry that the US government will be reading every e-mail, you'll want to use encryption. You might find it embarrassing if your e-mail is read by your system administrator or employer, or even an unknown hacker. If you use e-mail to transmit confidential information, it also might be worth taking an interest. It's not just about protecting yourself: you can also use cryptography techniques to guarantee the authenticity of an email or file, so that the receiver can be confident it's from the true source. Perhaps even the RISC OS package management system will use some form of digital certificate.

If you deal with encrypted data, you need a secure algorithm and security policy. Otherwise how do you know your private messages remain so or that the data you trust has not been tampered with? One method, PGP, provides pretty good privacy (that's what its name stands for) and you can use it on RISC OS. But how can you be sure the encryption is safe? Snake oil, a term also used to refer to hoax medicine, describes dodgy or flawed cryptography products - and Nat's latest article discusses this. It's also benefical to read his earlier articles if this topic interests you.

Links:
Modern cryptography
Nat's older articles:
PGP for secure e-mail, Beginner's guide to PGP..., ...and GnuPG, A GnuPG tutorial
 

  Beware the friendly stranger
  SparkY (01:35 4/1/2004)
  monkeyson2 (01:46 4/1/2004)
    SparkY (01:54 4/1/2004)
      Indi (11:46 4/1/2004)
        andrew (13:41 4/1/2004)
          monkeyson2 (13:46 4/1/2004)
            mavhc (14:08 4/1/2004)
              AW (14:28 4/1/2004)
                illudium (14:38 4/1/2004)
                  monkeyson2 (14:40 4/1/2004)
                    jmb (14:47 4/1/2004)
                      rich (09:37 5/1/2004)
                        AJW (13:00 6/1/2004)
                          monkeyson2 (14:11 6/1/2004)
                            AJW (13:35 7/1/2004)
                              monkeyson2 (14:03 7/1/2004)
                                andrew (12:25 8/1/2004)
 
Gavin Smith Message #92657, posted by SparkY at 01:35, 4/1/2004
Danger! Danger! High Voltage!
Posts: 696 		Are all these updates to try and undermine my reasons for starting AE? :)
  ^[ Log in to reply ]
 
Phil Mellor Message #92658, posted by monkeyson2 at 01:46, 4/1/2004, in reply to message #92657
monkeyson2Please don't let them make me be a monkey butler

Posts: 12380 		It's my new year's resolution. Don't worry, I go back to work on Monday so I'll be too busy to carry on ;)

Free champagne and chocolates* to anyone who knows where the headline comes from

*not really
  ^[ Log in to reply ]
 
Gavin Smith Message #92659, posted by SparkY at 01:54, 4/1/2004, in reply to message #92658
Danger! Danger! High Voltage!
Posts: 696 		Ah, it's good to see really :)
  ^[ Log in to reply ]
 
Indi Message #92660, posted at 11:46, 4/1/2004, in reply to message #92659
Unregistered user Unfortunately, the author is quite clearly mad and paranoid. He links to a site which claims that: "The United States Government
Committed the September 11 Attacks"
  ^[ Log in to reply ]
 
Andrew Message #92661, posted by andrew at 13:41, 4/1/2004, in reply to message #92660
HandbagHandbag Boi
Posts: 3439 		I've looked into PGP and the problem is tha it seems to depend on the other person not distributing the public key irresponsibly. Also you can't use PGP routinely of course only if somebody else is known to use it. Thus you can'thave privacy all the time.
I wonder if the monitoring systems routinely look for squashed draw files for example. This seems a lot simpler for RISC OS users at least.
  ^[ Log in to reply ]
 
Phil Mellor Message #92662, posted by monkeyson2 at 13:46, 4/1/2004, in reply to message #92661
monkeyson2Please don't let them make me be a monkey butler

Posts: 12380 		The US gov. link is to a site created by good old Paul Vigay. He's an expert on UFOs and Fresco too, you know. ;)
  ^[ Log in to reply ]
 
Mark Scholes Message #92663, posted by mavhc at 14:08, 4/1/2004, in reply to message #92662
Member
Posts: 660 		> I've looked into PGP and the problem is tha it seems to depend on the other person not distributing the public key irresponsibly.

Why would that matter?, it's a public key, anyone can have it.
  ^[ Log in to reply ]
 
AW Message #92664, posted at 14:28, 4/1/2004, in reply to message #92663
Unregistered user I thought that was the key with which you encrypted the message. If the other person spreads it around then what is the point as anybody could decrypt it?
  ^[ Log in to reply ]
 
David Marston Message #92665, posted by illudium at 14:38, 4/1/2004, in reply to message #92664
Member
Posts: 19 		You encrypt it to a specific person using their public key (which can be freely distributed). Only that person can decrypt it, using their private key (which has to be kept secure).
  ^[ Log in to reply ]
 
Phil Mellor Message #92666, posted by monkeyson2 at 14:40, 4/1/2004, in reply to message #92665
monkeyson2Please don't let them make me be a monkey butler

Posts: 12380 		You misunderstand the nature of public/private key encryption. Public</i> keys decrypt data that has been encrypted with a <i>private key, and vice versa.

You encrypt with your private key; the recipient decrypts with your public key. Of course, so can anyone else.

If they have a message they want only you to read, they can encrypt it with your public key, and only you with your private key will be able decrypt it.

To transfer data securely between two people, you encrypt things twice: you encrypt the data to send with your private key (to prove it's from you), and their public key (to ensure it's for them); at the other end they can decrypt with their private key (proving they're entitled to have it) and your public key (verifying it came from you). Nobody else can interefere with the process without being noticed, nor can they completely decrypt the data because they lack one or both of the private keys.
  ^[ Log in to reply ]
 
JMB Message #92667, posted by jmb at 14:47, 4/1/2004, in reply to message #92666
Member
Posts: 467 		or not, as the case may be ;)

The public key is just that, anyone can have access to it. They encrypt the data with the public key and send it to you. You then decrypt the data with your private key.

Simple example:

You generate a public key (which is the product of two large primes)

Your private key is one of the two prime factors of the public key.

ie:

k = n * m

where k is the public key and n or m are the private key.

It works due to the fact that, it takes a long (ie years) time to find the prime factors of the public key.

Obviously, most cryptosystems are more involved than that and require much more maths to explain.
  ^[ Log in to reply ]
 
Richard Goodwin Message #92668, posted by rich at 09:37, 5/1/2004, in reply to message #92667
Rich
Dictator for life
Posts: 6821
Free champagne and chocolates* to anyone who knows where the headline comes from
Sounds like a drugs reference to me
  ^[ Log in to reply ]
 
AJW Message #92669, posted at 13:00, 6/1/2004, in reply to message #92668
Unregistered user Monkeyson - I checked, it definitely said the other way around.
How does the recipient know what one of the factors is unless the sender gives it to him/her?
  ^[ Log in to reply ]
 
Phil Mellor Message #92670, posted by monkeyson2 at 14:11, 6/1/2004, in reply to message #92669
monkeyson2Please don't let them make me be a monkey butler

Posts: 12380 		Can you give a reference?

From http://www.andrebacard.com/pgp.html :

How does PGP work?
PGP is a type of "public key cryptography." When you start using PGP, the program generates two "keys" that belong uniquely to you. Think of these keys as computer counterparts of the keys in your pocket. One PGP key is SECRET and stays in your computer. The other key is PUBLIC. You give this second key to your correspondents. Here is a sample PUBLIC KEY:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 5.0

mQCNAi44C30AAAEEAL1r6ByIvuSAvOKIk9ze9yCK+ZPPbRZrpXIRFBbe+U8dGPMb
9XdJS4L/cy1fXr9R9j4EfFsK/rgHV6i2rE83LjOrmsDPRPSaizz+EQTIZi4AN99j
iBomfLLZyUzmHMoUoE4shrYgOnkc0u101ikhieAFje77j/F3596pT6nCx/9/AAUR
tCRBbmRyZSBCYWNhcmQgPGFiYWNhcmRAd2VsbC5zZi5jYS51cz6JAFUCBRAuOA6O
7zYZz1mqos8BAXr9AgCxCu8CwGZRdpfSs65r6mb4MccXvvfxO4TmPi1DKQj2FYHY
jwYONk8vzA7XnE5aJmk5J/dChdvfIU7NvVifV6AF
=GQv9
-----END PGP PUBLIC KEY BLOCK-----

Suppose the PUBLIC KEY listed above belongs to you and that you e-mail it to me. I can store your PUBLIC KEY in my PGP program and use your PUBLIC KEY to encrypt a message that only you can read. One beauty of PGP is that you can advertise your PUBLIC KEY the same way that you can give out your telephone number. If I have your telephone number, I can call your telephone; however, I cannot answer your telephone. Similarly, if I have your PUBLIC KEY, I can send you mail; however, I cannot read your mail. This PUBLIC KEY concept might sound a bit mysterious at first. However, it becomes very clear when you play with PGP for a while.
  ^[ Log in to reply ]
 
AJW Message #92671, posted at 13:35, 7/1/2004, in reply to message #92670
Unregistered user I get it, I come up with the public key but you use it to encrypt it for me. That way I can decrypt it as my private key is based on it.
However if I want to send you one encrpyted you must send me your private key first.

I wish it had said this more clearly in the GnuPGP documentation (the reference). Programmers don't always make great documenters I suppose.
  ^[ Log in to reply ]
 
Phil Mellor Message #92672, posted by monkeyson2 at 14:03, 7/1/2004, in reply to message #92671
monkeyson2Please don't let them make me be a monkey butler

Posts: 12380 		Nearly!

AW > "However if I want to send you one encrpyted you must send me your private key first."

I think you mean "your public key". Private keys are just that - private.
  ^[ Log in to reply ]
 
Andrew Message #92673, posted by andrew at 12:25, 8/1/2004, in reply to message #92672
HandbagHandbag Boi
Posts: 3439 		Yep.
  ^[ Log in to reply ]
 

The Icon Bar: News and features: Beware the friendly stranger