Re: Security
- From: Daniel James <wastebasket@xxxxxxxxxxxxxxxx>
- Date: Sat, 20 Aug 2005 15:10:41 +0100

In article news:<11g6qe712kfpf10@xxxxxxxxxxxxxxxxxx>, Roy Lewallen wrote:
> There are a number of encryption products out there -- does anyone
> have any feeling for how secure or insecure they might be ...

This question keeps coming up ... and it's very difficult to answer without
carrying out a fairly rigorous examination of the packages available (and
there are a lot of them ...).

A lot depends on *what* you want to encrypt, and how you want to use the
data. Some people (like you) just want to encrypt a few short pieces of
text data, while others want to encrypt whole databases or (say)
spreadsheets. There's a big difference in ease of programming between
writing a little application that manages an encrypted text file and
decrypts it on the fly for display and/or editing, and something that
allows encryption to be used with other apps -- the former is much easier
to do, and so much easier to do well.

> For really sensitive data, I'd want something that would be pretty
> resistant to even a skilled, determined, and patient hacker.

It's really difficult to make a meaningful assessment of the strength of
applications of this type, as the risk depends so much on what the
application does and the way in which it is used ... and there are so many
applications, many of which don't advertise exactly how they work.

If you lose your Palm and someone else gets hold of it they can attack it
in several different ways.

They can try to use the security app itself to read your data. The app
probably protects the data with a key derived from some password, which an
attacker would have to guess. The problem here is to choose a password that
is not easy to guess. Entering a password with Graffiti is hard enough that
an attacker will probably not have the patience to try very many passwords
before giving up -- but you should choose as long and as complicated a
password as you can bear the thought of entering each time you want to
access your data.

If the attacker knows the security app you use, and has been able to
determine what sort of encryption it uses and in what format the encrypted
data are stored, then he can try to guess the key. This generally means
trying keys in turn until decryption of the data produces a result that
"looks right". This sort of key-search attack may just try all possible key
values, or may try all possible passwords and derive keys from them (unless
the password is very long there will be fewer passwords than possible keys,
so the password-based search may be much quicker).

This sort of attack could be carried out on the Palm itself (by loading a
key-cracker program onto the Palm) or on a PC. Modern PCs are fast enough
that password-cracking programs can find a result quite quickly (from a few
minutes to a few weeks, depending on the speed of the PC and the complexity
of the password) ... but someone would have to have written a cracker
program specifically to crack keys or passwords for the security app you
were using in order to carry out this sort of attack.

Have a look at the GNU Keyring app for Palm - the comments there about
security and crypto are quite informative. I haven't used the app itself,
so I can't recommend it, but it seems to be the sort of thing you're
looking for -- and the website has some interesting discussion of its
weaknesses, and the weaknesses of this sort of app in general.

http://gnukeyring.sourceforge.net/index.html

Cheers,
Daniel.
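
The comparison between searching keys and searching passwords described in the post above, as an added example that is not part of the original message: it counts the passwords available for a given alphabet and length, compares that with the key space, and finds how long a password must be before the password search stops being the shortcut. The 128-bit key size, the alphabets and the guess rate are assumptions chosen for illustration, not properties of any particular Palm app.

```python
import math

def password_space(alphabet_size, max_length):
    """Number of distinct passwords of length 1..max_length."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))

def effective_bits(alphabet_size, max_length, key_bits):
    """Work factor, in bits, of the cheaper of the two exhaustive searches."""
    pw_bits = math.log2(password_space(alphabet_size, max_length))
    return min(pw_bits, float(key_bits))

def min_length_to_match_key(alphabet_size, key_bits):
    """Shortest maximum length at which passwords are as numerous as keys."""
    length = 1
    while password_space(alphabet_size, length) < 2 ** key_bits:
        length += 1
    return length

def worst_case_seconds(alphabet_size, max_length, key_bits, guesses_per_second):
    """Time to try every candidate in the smaller search space."""
    space = min(password_space(alphabet_size, max_length), 2 ** key_bits)
    return space / guesses_per_second

if __name__ == "__main__":
    KEY_BITS = 128          # assumed key size
    RATE = 1_000_000        # assumed guesses per second on a PC
    ALPHABETS = {           # assumed character sets
        "lowercase letters": 26,
        "letters and digits": 62,
        "printable ASCII": 95,
    }
    for name, size in ALPHABETS.items():
        for length in (6, 8, 12):
            bits = effective_bits(size, length, KEY_BITS)
            days = worst_case_seconds(size, length, KEY_BITS, RATE) / 86400
            print(f"{name:18s} up to {length:2d} chars: "
                  f"{bits:5.1f} bits, worst case {days:.3g} days")
        need = min_length_to_match_key(size, KEY_BITS)
        print(f"{name:18s} needs {need} chars to match a {KEY_BITS}-bit key")
```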