abc123, encryption your worst nightmare
Updated: Aug 8, 2019
Encryption, the word indicates security, assurance, and trust. But encryption really means making information unavailable, so why are we so gullable on using encryption? In the light of the new data legislation, GDPR, encryption is the silver bullet for sending sensitive information around. There are tools to download that will help you to encrypt a file before sending it over e-mail or whatever. Many of these tools use password-based encryption, i.e. you provide the tool with a password and then press "encrypt". To be technical, this is PKCS #5/RFC 8018, password-based cryptography. In the specifications, you are instructed on how to program the tools to actually provide security. But the security of a file protected with password-based cryptography is never more secure than the security of the password. Consider a file encrypted with state-of-the-art cryptography with 512-bit encryption key...generated by the password "abc123". How secure is that? So if you get the file you can create a small piece of software generating passwords to decrypt the file. Regardless of the choice of encryption algorithm or length of the encryption key, this file is not secure. But using the tool will provide the user with a false sense of security. On the other hand, if you provide the tool with a 60 characters long string of ASCII characters the encryption will be more secure. But how could you ever remember such a password? Encryption in this sense is too secure, you have essentially lost the file.
So either a false sense of security or too much security resulting in lost information. This is a set of tips to chose good habits when you use password-based encryption:
1. Check the tool you use. Be sure that it is really doing what it should, it might be a Trojan.
2. Use a good-enough password. Consider the time the file must be protected, is it 20 days, 20 months or 20 years? The password should match these requirements.
2.1. Low requirements of confidentiality (but high enough for using encryption!): use at least 20 characters
2.2 Medium requirements on confidentiality: use at least 30 characters
2.3 High requirements on confidentiality: use at least 40 characters
3. Always distribute the password to the receiver in a secure manner, this should also reflect the above gradings; high requirements on confidentiality results in high requirements for distributing the password etc.
4. Consider the Key Escrow problem; how should you behave in case of a lost password? Maybe you have a clear text copy of the file, or you store the password in a safe?
5. If your requirements are high enough, consider implementing a more reliable and secure cryptographic solution.
6. Ask the experts!
So, go ahead and secure your files with cryptography, but do it in a safe and sound way!
-- Anders Fristedt, Innovate Security