How to use encryption

Another short blog-entry which isn’t really for software producers, but aimed at everyday software users:  I found it more difficult then necessary to setup encryption.  Here is what I did, maybe this can help somebody.

Encryption is a really big deal.  If you already do this and worry about real classified stuff, don’t read on.  You already know how to handle encryption and these simple instructions may be useless for you.Data-Encryption-300x225

If you simply load your security certificates into your browser and are happy, you can also stop wasting your time reading this blog.  That is probably good enough for many users.

People inbetween (like me) just think the standard processes to use encryption are too complex.  The system may be foolproof, but it for sure fails to convince me that the stuff I’m sending around doesn’t contain my private keys. I may have an ultra secure certificate, but why should I think my computer keeps it really secret?  Some unknown code in my browser somehow uses a certificate, paints nicely closed locks on the monitor and what not.  But I know my normal desktop computer is not safe.   I know my virus checking program does safely catch about 60% of the simpler viruses (and secretly deletes binaries of tamper-proofed test program which it usually assumes to be malicious.)

Getting concrete:  a few programs which are really simple to use, so simple you might avoid making mistakes of your own.  So simple that their code is self contained and far away from most malware already having attacked your computer.

1) Encrypting or decrypting any file.   That program creates a window.  You give it the password and simply drag and drop files into it.
http://spi.dod.mil/ewizard.htm  In the middle of the page it says “Download EW-Public”.  Unzip the file you download and create a directory.  No installation is required.  The directory contains simple instructions.

2) To encrypt or decrypt just lines of text, e.g. within an email message.  The recommended program creates a window with a form-field for the password.  To use that program, use drag and drop as with the other program, only this time use lines of text, instead of complete files.
http://www.fourmilab.ch/javascrypt/  Use what they call the “Lean” version. The simpler a program is, the less chances you have of making errors.  You can make a local copy.  No installation is required.  The directory contains the full program and simple instructions.

3) When security really matters, there exists a program which can be used to make an otherwise unsafe computer safe.  How?  Use is simple: you reboot your computer into that program.  You get a “desktop” which is safe and completely separated from your file system.  Among other security tools, this program already contains both encryption applications mentioned above.
http://spi.dod.mil/lipose.htm  Get one of the “LPS-Public ISO Images”.

lock

 

And now for the grand finale:  Watch the short movie:  “Signs that your software needs better protection.”
http://spi.dod.mil/docs/Top_Ten_640x360.wmv

Should the user add decoys for tamper-proofing ?

Just because users use White Hawk Software tools does not prevent them from adding some protection code of their own.

Decoys are among the best defenses. However, use of decoys can become dangerous and may be tricky.45-OIMP28-M

Consider a decoy having been introduced. What are the possibilities?

  • The decoy is not detected.
    Nothing happens; no good, no bad. It still is there for possible later detection.
  • The decoy is detected, but confused with the real thing.
    The best possible outcome. Attacker stops searching because he thought he got the result.
  • The decoy is detected and recognized to be a decoy.
    The worst possible outcome. Any attacker is reinforced that there must be something worth hiding. Attacker will multiply efforts to search for the real thing.

Use of decoys is a strategic decision which can be made only after evaluating the possible outcomes and their consequences.

Should decoys be protected?  Of course. If a decoy is not protected doesn’t that just scream this code is intended for viewing?  On the other side: don’t protect it too well, or an attacker has no clue of the decoy and won’t waste his time.
So, how well should decoys be protected?  That is a difficult question; maybe protect it just a tiny bit less then the real code. Or, have several decoys and protect them at different levels.

When time permits I plan on blogging how NestX86 itself takes advantage of decoys at different levels.    …Here it is