144. Encryption on the go
By Andrew D. Wright
The idea of scrambling a message so it can't be read by strangers is as
old as writing itself. Everyone's got secrets and these days there are so
many ways for them to slip out.
Encryption is privacy's best friend.
Most modern encryption schemes use numerical keys, large randomly
generated numbers, to scramble data. Without knowing this secret key, the
only way to break into the encrypted data is to try every possible key.
When you visit a secure web site with a web browser, either 128 or 256 bit
keys are used to scramble the connection. With a 128 bit key, there are
2 to the power of 128, also written as 2128,
possible keys (a 39 digit number) to try for a
force attack to succeed, well outside of the abilities of any known
computer technology. A 256 bit key means there are 2256
possible keys to try, a 78 digit number.
It's a very, very good idea to use encryption wherever possible to protect
your login passwords and other personal information. Both POP3 and IMAP
email access support SSL and TLS encryption; it's included with every
modern email program, though not necessarily in use at all Internet
Service Providers. If you use a webmail service, check if it uses secure
logins and secure mailbox access. Some will securely log you in then send
everything else to you unsecurely.
If you regularly carry around sensitive information on a USB flash drive
or laptop computer, you should seriously look at reducing possible
liability from information being leaked or stolen by using some kind of
Open Source encryption software is the best choice. Since the source code,
the basic instructions, are open for all to read and inspect, it's
unlikely there are hidden back doors or other sneakiness that may be
present in closed, proprietary software.
The grand-daddy of all Open Source encryption software is GnuPG or GPG for
short. With GPG you can create your own personal public and secret key for
encrypting and signing files. You can post your public key to online
key-servers so others can use it to encrypt information for you alone.
Unfortunately for many users, GPG is primarily a command line program.
Powerful, but sometimes cryptic to use. There are graphical shell programs
available that make it much easier to use but the initial setup can be
intimidating for some. There are step by step instructions in a previous
Mousepad, below, on setting up GPG.
An easier encryption solution for many is TrueCrypt, a popular Open Source
program that can encrypt individual files or whole hard drives. TrueCrypt
can encrypt USB flash drives, setting them as encrypted volumes openable
by TrueCrypt on any computer or as self-contained traveller's keys with
everything needed to open the drive pass-phrase protected on the USB drive
itself. TrueCrypt can even create hidden volumes on a hard drive that
cannot be detected, hosting an invisible bootable operating system and
files. TrueCrypt has an extensive tutorial telling how to use its many
features and is available for Windows, Macintosh OS X and Linux.
Of course, as with any security measure, encryption is only as powerful as
its weakest link, which is usually the pass-phrase protecting the secret
key. You want to have something that mixes up lower and upper case letters
and punctuation marks and runs to 20 characters or so. Pick a few verses
from a song you know and mess them up in some particular way you'll
remember for example. You do not want to have a written record of this
particular pass-phrase however you do want it to be something you'll
remember or you'll forever lock yourself out of your own files.
GnuPG Shell (graphical interface for GnuPG)(free):
Mousepad column on GPG setup:
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email firstname.lastname@example.org or
click here. If we use your question
in a column, we'll send you a free mousepad.
Originally published 5 December 2008