Encryption


Joe John

Andrew DeFaria said:
Any encryption scheme is crackable given enough resources. I've heard
that if you lost your keys then you might as well kiss your data
goodbye because decrypting it is very difficult. Hell even you seem to
contradict yourself in your next post:
Hi:

Contradiction? QED as above.

The importance of the passphrase or key is fundamental to cryptography.
There are guidelines to ensure a password is secure, and TrueCrypt docs
describe the process.

Quicken filenames, locations etc., are well known and thus, easily
located [thus copied] even by ActiveX scripts in websites or worse,
trojans.

Quicken files can be located in different places. For example, mine
are not in the standard place. Still this provides little to no
security.

As you write below, locating the files requires additional code, and thus
increases the trojan's payload. It's a simple security maneuver rather
than using default locations but it's not secure like using a lock. If
you can't find me you can't get me, and moving it does not make it easy.

What?!? It does no such thing! I wrote and posted a simple Perl script
to not only find where Firefox or Mozilla store their directory
structure (AKA profile) and grep through the address book extracting
email addresses. Having a slt component of the path to the profile
does nothing, one can easily traverse the user's file system once they
are code running on the user's machine. It's the file system itself
that tells you where things are and supplies any missing directory
names. Trivial to do and not secure at all!

How Mozilla uses directory structures is open software yet, like moving
your Quicken files from default locations, an increased level of security
over IE or default. If your script as you say has located _all_ Mozilla
files with you as superuser, it's possible but it's not complete. I won't
detail where all files are or what they are called or how they are
structured, suffice to say that secure files are assembled only in memory
at runtime so individually the files are not useful.
 
Andrew DeFaria

Joe said:
Quicken filenames, locations etc., are well known and thus, easily
located [thus copied] even by ActiveX scripts in websites or worse,
trojans.

Quicken files can be located in different places. For example, mine
are not in the standard place. Still this provides little to no security.

As you write below, locating the files requires additional code, and
thus increases the trojan's payload.

So what? It provides little security and is easily defeated. Instead of
finding it in the default spot you have to look around a little bit. Big
deal.

It's a simple security maneuver rather than using default locations but
it's not secure like using a lock. If you can't find me you can't get
me, and moving it does not make it easy.

Exactly, it's really no security.

How Mozilla uses directory structures is open software yet, like
moving your Quicken files from default locations, an increased level
of security over IE or default. If your script as you say has located
_all_ Mozilla files with you as superuser, it's possible but it's not
complete. I won't detail where all files are or what they are called
or how they are structured, suffice to say that secure files are
assembled only in memory at runtime so individually the files are not
useful.

The point is inserting a slt folder in the path to the profile does
nothing to keep things secure as any programmer with 1/2 a brain can
simply scan for the files. The slt folder does nothing. It's akin to
saying "I left my car keys on my desk instead of hanging up on the key
rack therefore my car is secure".
 
Mark Hood

bjn said:
One thing about Windows NTFS encryption - only the exact user account that
created the files can access them. If you delete your user account, and
recreate the account with the exactly same username, you will not be able
to see your encrypted files because your new account was not the exact
account that created them.

I don't think that's true (I haven't tested it however).

EFS creates a personal security certificate based on the user account.
You can copy this certificate onto removable media (mine is on a thumb
drive, protected with a password), remove it from Windows, and then
nobody can read the encrypted files (including yourself) until you
import the certificate again and supply the password.

Presumably, if you have the certificate and password, you can import
it into another account and read the encrypted files (I'll try this
tonight).

To get access to your encryption certificate, enable EFS, go to
Internet Options in the Control Panel, select the Content tab, and
then select Certificates -- you should then see your personal
certificate in the next pane. From there you can export it to
anywhere you want, and remove it if you like. To re-import it, double
click on its icon from wherever you copied it.

I use EFS because it's convenient and transparent, but it probably
isn't as strong as I would like.

-- Mark
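
Added example (not part of Mark's post): the same backup done from PowerShell instead of the Certificates dialog, exporting the current user's EFS certificate with its private key to a password-protected PFX and checking the file before the key is removed from Windows. The output folder `E:\efs-backup` is an assumed path; the cmdlets are the built-in PKI ones.

```powershell
# Added example, not from the thread. Run as the user who owns the encrypted files.
$BackupDir = 'E:\efs-backup'            # assumed path: the removable drive
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

$password = Read-Host -AsSecureString -Prompt 'Password for the PFX'

# Personal-store certificates whose enhanced key usage includes EFS.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $oids = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    $oids -contains $EfsOid
}
if (-not $efsCerts) {
    Write-Warning 'No EFS certificate found in Cert:\CurrentUser\My.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $efsCerts) {
    # Without the private key a copy of the certificate cannot decrypt anything.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key in this profile, skipped."
        continue
    }
    $pfx = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    # Stops here if the key was created as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password -ErrorAction Stop | Out-Null

    # Read the PFX back and confirm it holds the same certificate before
    # anyone deletes the original from the store.
    $readBack = (Get-PfxData -FilePath $pfx -Password $password).EndEntityCertificates
    if ($readBack.Thumbprint -contains $cert.Thumbprint) {
        Write-Output "Verified backup: $pfx"
    } else {
        Write-Warning "Backup $pfx did not verify; keep the certificate in the store."
    }
}
```

Restoring is the PowerShell counterpart of double-clicking the file: `Import-PfxCertificate` with `-CertStoreLocation Cert:\CurrentUser\My` and the same password.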
 
Andrew DeFaria

Mark said:
I don't think that's true (I haven't tested it however).

EFS creates a personal security certificate based on the user account.
You can copy this certificate onto removable media (mine is on a thumb
drive, protected with a password), remove it from Windows, and then
nobody can read the encrypted files (including yourself) until you
import the certificate again and supply the password.

Presumably, if you have the certificate and password, you can import
it into another account and read the encrypted files (I'll try this
tonight).

To get access to your encryption certificate, enable EFS, go to
Internet Options in the Control Panel, select the Content tab, and
then select Certificates -- you should then see your personal
certificate in the next pane. From there you can export it to anywhere
you want, and remove it if you like. To re-import it, double click on
its icon from wherever you copied it.

I use EFS because it's convenient and transparent, but it probably
isn't as strong as I would like.

IIRC in a domain environment, domain admins also have the ability to
unlock your EFS files for you. This is probably a last resort if users
of a domain lose their certs. Then again, I think it's probably very rare
the number of home users who have bothered to set up a domain! I know I
haven't.

So that adds a vulnerability as well as a method of recovery...
 
Mark Hood

Mark Hood said:
Presumably, if you have the certificate and password, you can import
it into another account and read the encrypted files (I'll try this
tonight).

Yep, it works as expected.

-- Mark
 
