Software Encryption Validation

By pkiefer
I was recently asked by the VP of Finance to evaluate file encryption software for sending confidential documents via public internet e-mail. After testing several options with him, we found a software package that meets all of his needs.

The problem is that he is looking for some validation or guarantee that the software is actually encrypting the file as specified.

I spoke with the manufacturer who could only give me verbal reassurances that the software worked in accordance with the prescribed encryption algorithms. This isn't enough proof, however. I asked the manufacturer if their software was ever validated by an outside lab and the answer was no.

Does anybody have any ideas on how I can go about "proving" that this or any other encryption software is actually working?

Thanks.

11 total posts (Page 1 of 2)

by mrafrohead In reply to Software Encryption Valid ...

I'm not a cryptographer, but I work with encrypted files a little bit. The best example to show the person is to take a file and leave it normal. Open it and show the person how it looks/works. Then encrypt it and do the same thing. IF you can open the file, it should all just be complete gibberish. That should be proof enough. Just use a text file and open it in a few different programs to show the person the end results each time. I would assume that should be convincing enough :)

Mrafrohead

Good Encryption

by LordInfidel In reply to

Should not even let you get to that point of opening it up.

His best bet in this area would be to go with PGP.

Once you encrypt with PGP, you need the key pair and the password to decrypt it.

And if you do not have PGP installed on your system, the file will not even open. You can try to open it in Notepad, but it will be gibberish as mrafrohead suggested.

Gibberish Test

by pkiefer In reply to

Unfortunately, proving that a file is encrypted by demonstrating that it appears as gibberish with various programs isn't a convincing test. For example, a PDF file opened in Notepad appears as gibberish.

I'm afraid that I need more convincing evidence.
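The posts above disagree about whether "gibberish" proves anything. The following is an added example, not from this thread, of the checks a defender can actually script against a vendor tool's output: a known-plaintext search and an entropy measurement can only REJECT a tool (a weak repeating-XOR stand-in fails), while a pass is inconclusive, since compressed data is equally unreadable in Notepad yet needs no key at all. Only a known-answer test against the algorithm's published test vectors, or the outside-lab validation the original post asks about, can confirm the algorithm is implemented as claimed. The two encryptors, the key and the sample memo are constructed for the demo and are not any real product's code.

```python
import hashlib
import math
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random bytes approach 8.0 as the sample grows."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def rejection_check(plaintext: bytes, ciphertext: bytes, probe: bytes) -> dict:
    """Evidence that can REJECT an encryptor; passing is inconclusive, not proof."""
    return {
        "entropy": round(shannon_entropy(ciphertext), 3),
        "probe_visible": probe in ciphertext,
        "prefix_visible": plaintext[:16] in ciphertext,
    }

def verdict(result: dict) -> str:
    if result["probe_visible"] or result["prefix_visible"] or result["entropy"] < 7.5:
        return "REJECT"
    return "NOT REJECTED (inconclusive without a known-answer test)"

def repeating_xor(data: bytes, key: bytes) -> bytes:
    """Constructed weak 'encryptor' (not a real product); plaintext structure survives."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def hash_ctr(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a sound cipher: SHA-256(key || counter) keystream."""
    stream, i = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(b ^ k for b, k in zip(data, stream))

# Constructed sample document: mildly repetitive, like a real finance memo.
SAMPLE = b"".join(
    f"Row {i}: amount {i * i % 977} due day {i * 7 % 28 + 1}\n".encode()
    for i in range(120))
PROBE = b"amount"

def demo() -> dict:
    """Run the checks over a weak encryptor, a sound one, and mere compression."""
    weak = rejection_check(SAMPLE, repeating_xor(SAMPLE, b"k3y!"), PROBE)
    sound = rejection_check(SAMPLE, hash_ctr(SAMPLE, b"constructed-demo-key"), PROBE)
    packed = zlib.compress(SAMPLE)
    # Compressed data is also "gibberish" in Notepad, yet needs no key to recover.
    compressed = rejection_check(SAMPLE, packed, PROBE)
    compressed["recoverable_without_key"] = zlib.decompress(packed) == SAMPLE
    return {"weak": verdict(weak), "sound": verdict(sound), "compressed": compressed}
```

Point the same checks at the vendor tool by replacing the stand-ins with its real output files; a REJECT settles the question, a pass does not.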

by mrafrohead In reply to Gibberish Test

How about this...

What exactly are you looking to accomplish and maybe I can help to recommend some software for you. If you are looking to strictly encrypt files ONLY, then yes, PGP hands down!

If you are looking for an encrypted Container, use SafeHouse.

If you want a completely encrypted drive: SecureDOC.

I know of no utility that will disassemble an encrypted file and be able to tell you IF it's encrypted and with what method.

Pretty much, if you look at the file with any method possible, if it's encrypted you will not be able to read it at all. You won't know the size of the file, or even what the file is. Whether it be a file, folder, executable, etc...

Best thing you can do to show the person the file is encrypted, is run the program and then give them the encrypted file and tell them to open it. When they are unable to do that, that should be proof enough.

Unfortunately, I think that you're thinking a little more along the same lines as I do about things and you want hard facts to do it, but other than the fact that you can't access the file, I don't know what else to tell you.

Hope that this helps you out a little bit more.

Mrafrohead

A sure fire way

by LordInfidel In reply to Gibberish Test

Take an unencrypted text document from your local machine and copy it to the file server.

While you are doing that, have a packet sniffer running. You will be able to see and read the contents of the txt document.

Take that same file, encrypt it and do the same thing.

You will be unable to read it.

Other than that, there is no "magic encryption reader" that will tell you if a file is encrypted or not.

If there was, it would defeat the purpose of encryption, because the reader would have the ability to read into the file's encryption properties.

In short, you need an appropriate decrypter to strip the encryption off a file before you can read it.

Get PGPFreeware and you will soon realize what I am talking about.

Question...

by LordInfidel In reply to Software Encryption Valid ...

<snip>I asked the manufacturer if their software was ever validated by an outside lab and the answer was no. </snip>

What software was this?

The tried and true encryption is PGP.
You can encrypt files, disks, e-mail.

PGP is how people digitally sign their e-mail.

It usually will look like
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8

iQA/AwUBPdugInDFo+eSdQxNEQKwdACeJyIQPVLT7WdpqfXtGWxaVEB0HdYAoPLn
CO9l3RYO4B0qQI2juuinCuSg
=CKTo
-----END PGP SIGNATURE-----

Disk encryption???

by mrafrohead In reply to Question...

Other than floppy disk, I thought that PGP will only encrypt files, e-mail or use Container cryptography.

When I read disk encryption, I am thinking sector 0 - XXXXXXXXX sector.

If you would, please clarify so I understand fully what you are saying LordInfidel.

I just didn't think that PGP did full disk encryption. At least when I checked into it in the past they did not. Unless I was sloppy about it, though I believe I was quite thorough.

But I do have to agree. All reports that I have ever read about PGP have been outstanding. It is an extremely secure and effective type of encryption and I would recommend it to anyone.

Another thing though to keep in mind about making these files secure. In a digital world, there is NOTHING and I mean NOTHING at all that is truly secure. Remember, if there's a way to make it, there's a way to break it. I am willing to point out a bunch of examples if you need it. But if you need something truly secure, meet in the middle of the woods and talk face to face.

Encryption only makes it to where script kiddies and petty thieves will not attempt to break it. It's just a deterrent as cracking it is more difficult. But it is NEVER impossible.

Mrafrohead

PGP-Disk

by LordInfidel In reply to Disk encryption???

With the commercial version of PGP from NAI.

You can actually take a segment of a disk, let's say 100 megs, and encrypt it. Then in order to store files in that area you have to first mount the disk as a drive by supplying a valid passphrase.

Another approach is to use 2K's native encryption, which is very secure. I actually use this for my sensitive files.

Make a folder, right click, properties, advanced and encrypt the folder.

This is important, never copy files into the secure area. To preserve the encryption, the files *must* be created in the secure area. If you move them into it or copy the file in there, they are no longer as secure.

Container

by mrafrohead In reply to PGP-Disk

Alright... I'm trying to figure out where to start.

The 100 meg example above is the container software I was speaking of earlier. It makes an encrypted container for you. The container itself is very secure, but ANYTIME you create/modify/access a file, a second insecure copy is created in your swapfile. So if you ARE using container software, you HAVE to make sure that you are securely wiping your swapfile on shutdown EVERYTIME! Or else your precautions are being defeated.

EFS is the same thing. I actually like EFS and it does work very well, but there are some hacks that will port it out and bypass security. I'm still grasping the technical data about it, but Bugtraq has the postings for further reference on EFS. Please remember though: just because you are creating the file in the container, it also creates another copy outside of the container, so you HAVE to make sure the copy outside of the container is wiped. Also you want a memory scrubber.

As to your profile, what's BOFH??? I see it all the time, and can't figure it out.

Mrafrohead

The BOFH!

by LordInfidel In reply to Container

I am not going to tell you what it is per se.

So I will just send you here:

http://bofh.ntk.net/*******.html

I expect you to read the entire site in one sitting. Do not stop reading it for anything, especially to help users.
