Password Protecting files

Password Protecting files

[zzapper]

Hi,
I would like to password protect a few of my files, and realise I know very 
little about security.
From man zip I learn

Encrypt  the  contents of the zip archive using a password which
is entered on the terminal in response to a  prompt  (this  will
not  be  echoed;  if  standard error is not a tty, zip will exit
with an error).  The password prompt is  repeated  to  save  the
user  from typing errors.  Note that this encrypts with standard
pkzip encryption which is considered weak.

I am not trying to protect state secrets so is pkzip encryption adequate?
What other choices do I have?

-- 
zzapper
http://www.rayninfo.co.uk/vimtips.html

RE: Password Protecting files

[Dave Korn]

On 19 August 2007 11:09, zzapper wrote:

> Hi,
> I would like to password protect a few of my files, and realise I know very
> little about security.
> From man zip I learn
> 
> Encrypt  the  contents of the zip archive using a password which
> is entered on the terminal in response to a  prompt  (this  will
> not  be  echoed;  if  standard error is not a tty, zip will exit
> with an error).  The password prompt is  repeated  to  save  the
> user  from typing errors.  Note that this encrypts with standard
> pkzip encryption which is considered weak.
> 
> I am not trying to protect state secrets so is pkzip encryption adequate?

  Well, it's trivially defeated by lots of easily downloadable software, so
it's the kind of level of protection that would stop anyone casually browsing
through your file but wouldn't stop anyone who actually wanted to read it.

> What other choices do I have?

  gpg seems like a good choice, since it's open source and there's a cygwin
port.  Proper crypto done right.  Choose a nice long high-entropy passphrase
for your keyfiles and it's as close to unbreakable as makes no odds.


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

Re: Password Protecting files

[Brian Dessent]

zzapper wrote:

> I am not trying to protect state secrets so is pkzip encryption adequate?
> What other choices do I have?

Firstly, don't confuse the file format with a particular implementation
of software to manipulate it.  While Phil Katz may have invented the
original file format, the PKzip program is only one of probably hundreds
that exist to read and write the format.  And PKzip is not Free
software, so it is not distributed by Cygwin or by any *nix distro, as
far as I know.  So if you are talking about the zip program that is part
of Cygwin, you aren't talking about PKzip, you're talking about
Info-Zip.

The original encryption that the zip format supported was very weak.  It
used a key that was only 96 bits and suffered from such weakness that
even in 1994 could be broken in only a few hours of PC time if a few
hundred bytes of plaintext was known:
<http://www.svn.net/mycal/junk/attack.htm>. 

Various vendors have implemented extensions to the zip format to support
stronger encryption, such as WinZip and PKware's SecureZIP.  However
these remain ad-hoc vendor extensions, AFAIK, and Info-Zip still only
supports the original weak zip encryption.  This means if you want to
use strong encryption with Zip you are potentially locked into a vendor
of non-Free software, and you produce zip files that can't be read from
standard command line tools on *nix and Cygwin systems that have
Info-Zip installed.

If you just have a file and you want to encrypt its contents there is no
need to use any particular container file format such as zip; you can
simply encrypt it directly.  gpg works well for this, you can just run
"gpg -c <infile >outfile" to encrypt and similarly with -d to decrypt. 
Note that when invoked this way gpg uses a symmetric cipher, as opposed
to the more complicated asymmetric kind which involes public and private
keypairs, webs of trust, etc.  Symmetric is much simpler: input plus
passphrase equals output, and vice versa.  Openssl also has a command
line utility that works in a similar way, see man enc.

The only real question is what cipher (algorithm) to use.  There are a
number to choose from.  When dealing with cryptography one of the main
guiding principles is that you should only use well-known and
well-studied algorithms.  If a program uses "secret sauce" or isn't
up-front about exactly what cipher is used, it should be avoided, as it
is very easy to implement a cipher that seems secure to the amateur but
is in fact weaker than a wet noodle.  Fortunately there are a number of
publicly scrutinized ciphers with multiple free implementations.

For symmetric ciphers, a very safe choice is AES although there are many
secure alternatives such as Blowfish and IDEA.  Most of these modern
ciphers were designed as replacements for the old DES, which you should
avoid.  You probably want to avoid RC2 and RC4 as well.  But most all of
these ciphers can be modulated by their key size and/or number of
rounds, so it is hard to make an absolute list of what's secure and not
secure.

Brian

Re: Password Protecting files

[zzapper]

zzapper <david@tvis.co.uk> wrote in
news:Xns99917147CB10Czzappergmailcom@80.91.229.5: 

 on cygwin you need to download the package gnupg to get gpg


-- 
zzapper
http://www.rayninfo.co.uk/vimtips.html

Re: Password Protecting files

[zzapper]

zzapper <david@tvis.co.uk> wrote in
news:Xns99917147CB10Czzappergmailcom@80.91.229.5: 

> use gpg

Hey that was not very painful at all

download gnupg from cygwin setup
start with
>gpg --gen-key

then encrypt

>gpg -e test.txt

then decrypt
>gpg -d test.txt.gpg > out.txt


Thanks

-- 
zzapper
http://www.rayninfo.co.uk/vimtips.html

Re: Password Protecting files

[Igor Peshansky]

On Sun, 19 Aug 2007, zzapper wrote:

> zzapper <david@XXXX.XX.XX> wrote in
> news:Xns99917147CB10Czzappergmailcom@80.91.229.5:
>
> > use gpg
>
> Hey that was not very painful at all
>
> download gnupg from cygwin setup
> start with
> >gpg --gen-key
>
> then encrypt
>
> >gpg -e test.txt
>
> then decrypt
> >gpg -d test.txt.gpg > out.txt

Of course, for a thoroughly secure way of protecting your data you could
run it through a hippo (i.e., let the hippo chomp down on your data, and
use the output).  This is so secure that nobody will ever be able to make
heads or tails of your data again.  Be aware, however, that the cipher is
completely asymmetric -- even knowing the passphrase you used to convince
the hippo to chomp down on your data will not allow the adversary to
decrypt the result.
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Belief can be manipulated.  Only knowledge is dangerous.  -- Frank Herbert

RE: Password Protecting files

[Dave Korn]

On 20 August 2007 16:38, Igor Peshansky wrote:

> On Sun, 19 Aug 2007, zzapper wrote:
> 
>> zzapper <david@XXXX.XX.XX> wrote in
>> news:Xns99917147CB10Czzappergmailcom@80.91.229.5:
>> 
>>> use gpg
>> 
>> Hey that was not very painful at all
>> 
>> download gnupg from cygwin setup
>> start with
>>> gpg --gen-key
>> 
>> then encrypt
>> 
>>> gpg -e test.txt
>> 
>> then decrypt
>>> gpg -d test.txt.gpg > out.txt
> 
> Of course, for a thoroughly secure way of protecting your data you could
> run it through a hippo (i.e., let the hippo chomp down on your data, and
> use the output).  This is so secure that nobody will ever be able to make
> heads or tails of your data again.  Be aware, however, that the cipher is
> completely asymmetric -- even knowing the passphrase you used to convince
> the hippo to chomp down on your data will not allow the adversary to
> decrypt the result.
> 	Igor

  But they *will* be able to /shovel/ it.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

RE: Password Protecting files

[Igor Peshansky]

On Mon, 20 Aug 2007, Dave Korn wrote:

> On 20 August 2007 16:38, Igor Peshansky wrote:
>
> > On Sun, 19 Aug 2007, zzapper wrote:
> >
> >> zzapper <david@XXXX.XX.XX> wrote in
> >> news:Xns99917147CB10Czzappergmailcom@80.91.229.5:
> >>
> >>> use gpg
> >>
> >> Hey that was not very painful at all
> >>
> >> download gnupg from cygwin setup
> >> start with
> >>> gpg --gen-key
> >>
> >> then encrypt
> >>
> >>> gpg -e test.txt
> >>
> >> then decrypt
> >>> gpg -d test.txt.gpg > out.txt
> >
> > Of course, for a thoroughly secure way of protecting your data you could
> > run it through a hippo (i.e., let the hippo chomp down on your data, and
> > use the output).  This is so secure that nobody will ever be able to make
> > heads or tails of your data again.  Be aware, however, that the cipher is
> > completely asymmetric -- even knowing the passphrase you used to convince
> > the hippo to chomp down on your data will not allow the adversary to
> > decrypt the result.
> > 	Igor
>
>   But they *will* be able to /shovel/ it.

Sure, but transmission has never been a problem... ;-)
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Belief can be manipulated.  Only knowledge is dangerous.  -- Frank Herbert

RE: Password Protecting files

[Dave Korn]

On 20 August 2007 17:09, Igor Peshansky wrote:

> On Mon, 20 Aug 2007, Dave Korn wrote:
> 
>> On 20 August 2007 16:38, Igor Peshansky wrote:
>> 
>>> On Sun, 19 Aug 2007, zzapper wrote:
>>> 
>>>> zzapper <david@XXXX.XX.XX> wrote in
>>>> news:Xns99917147CB10Czzappergmailcom@80.91.229.5:
>>>> 
>>>>> use gpg
>>>> 
>>>> Hey that was not very painful at all
>>>> 
>>>> download gnupg from cygwin setup
>>>> start with
>>>>> gpg --gen-key
>>>> 
>>>> then encrypt
>>>> 
>>>>> gpg -e test.txt
>>>> 
>>>> then decrypt
>>>>> gpg -d test.txt.gpg > out.txt
>>> 
>>> Of course, for a thoroughly secure way of protecting your data you could
>>> run it through a hippo (i.e., let the hippo chomp down on your data, and
>>> use the output).  This is so secure that nobody will ever be able to make
>>> heads or tails of your data again.  Be aware, however, that the cipher is
>>> completely asymmetric -- even knowing the passphrase you used to convince
>>> the hippo to chomp down on your data will not allow the adversary to
>>> 	decrypt the result. Igor
>> 
>>   But they *will* be able to /shovel/ it.
> 
> Sure, but transmission has never been a problem... ;-)
> 	Igor


  Never underestimate the bandwidth of a bucket full of hippo-dung being flung
across a river!


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

RE: Password Protecting files

[Igor Peshansky]

On Mon, 20 Aug 2007, Dave Korn wrote:

> On 20 August 2007 17:09, Igor Peshansky wrote:
>
> > On Mon, 20 Aug 2007, Dave Korn wrote:
> >
> >> On 20 August 2007 16:38, Igor Peshansky wrote:
> >>
> >>> On Sun, 19 Aug 2007, zzapper wrote:
> >>>
> >>>> zzapper <david@XXXX.XX.XX> wrote in
> >>>> news:Xns99917147CB10Czzappergmailcom@80.91.229.5:
> >>>>
> >>>>> use gpg
> >>>>
> >>>> Hey that was not very painful at all
> >>>>
> >>>> download gnupg from cygwin setup
> >>>> start with
> >>>>> gpg --gen-key
> >>>>
> >>>> then encrypt
> >>>>
> >>>>> gpg -e test.txt
> >>>>
> >>>> then decrypt
> >>>>> gpg -d test.txt.gpg > out.txt
> >>>
> >>> Of course, for a thoroughly secure way of protecting your data you could
> >>> run it through a hippo (i.e., let the hippo chomp down on your data, and
> >>> use the output).  This is so secure that nobody will ever be able to make
> >>> heads or tails of your data again.  Be aware, however, that the cipher is
> >>> completely asymmetric -- even knowing the passphrase you used to convince
> >>> the hippo to chomp down on your data will not allow the adversary to
> >>> 	decrypt the result. Igor
> >>
> >>   But they *will* be able to /shovel/ it.
> >
> > Sure, but transmission has never been a problem... ;-)
> > 	Igor
>
>   Never underestimate the bandwidth of a bucket full of hippo-dung being
> flung across a river!

Well, I suppose flooding the router *could* be a problem of sorts...
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Belief can be manipulated.  Only knowledge is dangerous.  -- Frank Herbert

RE: Password Protecting files

[Dave Korn]

On 20 August 2007 17:25, Igor Peshansky wrote:

> On Mon, 20 Aug 2007, Dave Korn wrote:
> 
>> On 20 August 2007 17:09, Igor Peshansky wrote:
>> 
>>> On Mon, 20 Aug 2007, Dave Korn wrote:
>>> 
>>>> On 20 August 2007 16:38, Igor Peshansky wrote:
>>>> 
>>>>> On Sun, 19 Aug 2007, zzapper wrote:
>>>>> 
>>>>>> zzapper <david@XXXX.XX.XX> wrote in
>>>>>> news:Xns99917147CB10Czzappergmailcom@80.91.229.5:
>>>>>> 
>>>>>>> use gpg
>>>>>> 
>>>>>> Hey that was not very painful at all
>>>>>> 
>>>>>> download gnupg from cygwin setup
>>>>>> start with
>>>>>>> gpg --gen-key
>>>>>> 
>>>>>> then encrypt
>>>>>> 
>>>>>>> gpg -e test.txt
>>>>>> 
>>>>>> then decrypt
>>>>>>> gpg -d test.txt.gpg > out.txt
>>>>> 
>>>>> Of course, for a thoroughly secure way of protecting your data you could
>>>>> run it through a hippo (i.e., let the hippo chomp down on your data, and
>>>>> use the output).  This is so secure that nobody will ever be able to
>>>>> make heads or tails of your data again.  Be aware, however, that the
>>>>> cipher is completely asymmetric -- even knowing the passphrase you used
>>>>> to convince the hippo to chomp down on your data will not allow the
>>>>> 	adversary to decrypt the result. Igor
>>>> 
>>>>   But they *will* be able to /shovel/ it.
>>> 
>>> Sure, but transmission has never been a problem... ;-)
>>> 	Igor
>> 
>>   Never underestimate the bandwidth of a bucket full of hippo-dung being
>> flung across a river!
> 
> Well, I suppose flooding the router *could* be a problem of sorts...
> 	Igor


  No, sorry, slight typo there.  What I mean is, never underestimate *how far
back to stand from* ....

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

RE: Password Protecting files

[Igor Peshansky]

On Mon, 20 Aug 2007, Dave Korn wrote:

> On 20 August 2007 17:25, Igor Peshansky wrote:
>
> > On Mon, 20 Aug 2007, Dave Korn wrote:
> >
> >> On 20 August 2007 17:09, Igor Peshansky wrote:
> >>
> >>> On Mon, 20 Aug 2007, Dave Korn wrote:
> >>>
> >>>> On 20 August 2007 16:38, Igor Peshansky wrote:
> >>>>
> >>>>> On Sun, 19 Aug 2007, zzapper wrote:
> >>>>>
> >>>>>> zzapper <david@XXXX.XX.XX> wrote in
> >>>>>> news:Xns99917147CB10Czzappergmailcom@80.91.229.5:
> >>>>>>
> >>>>>>> use gpg
> >>>>>>
> >>>>>> Hey that was not very painful at all
> >>>>>>
> >>>>>> download gnupg from cygwin setup
> >>>>>> start with
> >>>>>>> gpg --gen-key
> >>>>>>
> >>>>>> then encrypt
> >>>>>>
> >>>>>>> gpg -e test.txt
> >>>>>>
> >>>>>> then decrypt
> >>>>>>> gpg -d test.txt.gpg > out.txt
> >>>>>
> >>>>> Of course, for a thoroughly secure way of protecting your data you
> >>>>> could run it through a hippo (i.e., let the hippo chomp down on
> >>>>> your data, and use the output).  This is so secure that nobody
> >>>>> will ever be able to make heads or tails of your data again.  Be
> >>>>> aware, however, that the cipher is completely asymmetric -- even
> >>>>> knowing the passphrase you used to convince the hippo to chomp
> >>>>> down on your data will not allow the adversary to decrypt the
> >>>>> result. Igor
> >>>>
> >>>>   But they *will* be able to /shovel/ it.
> >>>
> >>> Sure, but transmission has never been a problem... ;-)
> >>> 	Igor
> >>
> >>   Never underestimate the bandwidth of a bucket full of hippo-dung
> >> being flung across a river!
> >
> > Well, I suppose flooding the router *could* be a problem of sorts...
> > 	Igor
>
>   No, sorry, slight typo there.  What I mean is, never underestimate
> *how far back to stand from* ....

That depends entirely on the gesture.  There are issues of coverage,
recoil, etc.  I'm sure some network theorist properly itches for applying
his hypotheses and theorems to this case...

A full-scale physics simulation of the phenomenon would probably be
cleaner, though...
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Belief can be manipulated.  Only knowledge is dangerous.  -- Frank Herbert

Re: Password Protecting files

[Warren Young]

Igor Peshansky wrote:
> 
> Of course, for a thoroughly secure way of protecting your data you could
> run it through a hippo 

Hippo is a *hash* algorithm, you twit, not an encryption algorithm. 
It's obvious to anyone who looks at it that it's a one-way function.

Re: Password Protecting files

[Michael Schaap]

On 20-Aug-2007 21:25, Warren Young wrote:
> Igor Peshansky wrote:
>>
>> Of course, for a thoroughly secure way of protecting your data you could
>> run it through a hippo 
>
> Hippo is a *hash* algorithm, you twit, not an encryption algorithm. 
> It's obvious to anyone who looks at it that it's a one-way function.
>
You mean, all that time I've spent trying to decrypt Hippo dung has been 
wasted?  Sheesh, you could've mentioned that a bit earlier...

 - Michael

Re: Password Protecting files

[Warren Young]

Warren Young wrote:
> 
> it's a one-way function.

Specifically a message *digest* function.






























Thanks folks, I'll be here all week.  Try the crocodile.

Re: Password Protecting files

[One Angry User]

On a drizzly Monday, the 20th day of August, 2007, Warren Young's computer deigned to emit the following stream of bytes:

> Warren Young wrote:
>
> > it's a one-way function.
>
> Specifically a message *digest* function.

EPIPHANY: So *that*'s where all the messages from this list go?!

OAU

RE: Password Protecting files

[Dave Korn]

On 20 August 2007 20:36, Michael Schaap wrote:

> On 20-Aug-2007 21:25, Warren Young wrote:
>> Igor Peshansky wrote:
>>> 
>>> Of course, for a thoroughly secure way of protecting your data you could
>>> run it through a hippo
>> 
>> Hippo is a *hash* algorithm, you twit, not an encryption algorithm.
>> It's obvious to anyone who looks at it that it's a one-way function.
>> 
> You mean, all that time I've spent trying to decrypt Hippo dung has been
> wasted?  Sheesh, you could've mentioned that a bit earlier...
> 
>  - Michael


  <looks up, arms up to elbows in pile of hippo dung>

  You mean we were meant to be decrypting this?  I thought we were just playing
in the dirt for fun!



    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

RE: Password Protecting files

[One Angry User]

On a rainy Tuesday, the 21st day of August, 2007, Dave Korn's computer deigned to emit the following stream of bytes:

> On 20 August 2007 20:36, Michael Schaap wrote:
>
> > On 20-Aug-2007 21:25, Warren Young wrote:
> >> Igor Peshansky wrote:
> >>>
> >>> Of course, for a thoroughly secure way of protecting your data you could
> >>> run it through a hippo
> >>
> >> Hippo is a *hash* algorithm, you twit, not an encryption algorithm.
> >> It's obvious to anyone who looks at it that it's a one-way function.
> >>
> > You mean, all that time I've spent trying to decrypt Hippo dung has been
> > wasted?  Sheesh, you could've mentioned that a bit earlier...
> >
> >  - Michael
>
>   <looks up, arms up to elbows in pile of hippo dung>
>
>   You mean we were meant to be decrypting this?  I thought we were just
> playing in the dirt for fun!

And that, folks, is the sorry state of the cryptography industry today.

OAU