Tech Sense: Encryption Tools by John Bell
Updated: Aug 28, 2020
Last month’s column discussed encryption. This month, the column looks at tools used to encrypt data for everyday use. For example; the HTTPS Anywhere is a plug-in that be added to most web browsers to make certain the secure, encrypted HTTPS protocol is used when viewing a website. The HTTPS protocol uses public encryption keys exchanged between the website and the browser. These keys and their private key counterparts allow a secret synchronous key to be exchanged and used to encrypt the data exchanged between the browser and web server. When a secure HTTPS connection has been made, the browser normally shows a lock or other symbol on the left of the address bar so the user knows the connection is secure.
Sometimes it is important to protect an individual file. The free compression program 7-Zip can be used to create a zip archive where the files inside are encrypted and can only be decrypted if someone knows the password. This allows the file to be stored securely on your disk or sent to another person. Imagine the file is a spreadsheet with Alice’s financial data that she needs to share with Bob, her accountant. Alice can send the file to Bob using email and then call Bob on the phone and give him the password to decrypt the file. WinZip is a commercial product that supports the same encryption feature.
Email is in general not secure. Modern email protocols provide a secure means to send messages between email servers and clients like Outlook. However, when email messages are stored on email servers the messages are frequently stored insecurely. The goal of secure email is to provide an envelope that can be read to know how to deliver the mail while protecting the contents of the email message itself. This is where the Open PGP (“PGP” means pretty good privacy) standards come in. The Open PGP specifications allow a combination of asymmetric and symmetric keys to be used to encrypt email messages and files and send them securely through an insecure email system. The Gnu project has created the free GPG (Gnu Privacy Guard) implementation of the Open PGP specifications for Linux and Windows including plug-ins for Outlook, Firebird, and several other email clients.
Sometimes you need to encrypt an entire disk drive. Windows 10 Pro provides BitLocker, but this isn’t available for Windows 10 Home. The free and open source program VeraCrypt regularly audits its software to make certain there are no known and undocumented vulnerabilities. VeraCrypt encrypts data as it is written to the hard drive and dynamically decrypts the data as the drive is read. The drive can even be a bootable drive, a hidden volume, or a file container (like a zip file). Accessing the file system requires entry of the password. On a bootable disk the password is prompted during the boot process. If the drive is removed from the system, the data can’t be recovered without providing the password.
The following URLs are for the free and open source products discussed in this month’s column;
Attacking our Right to Protect our Data
There are well established principals in the US Constitution for us to be able to “secure our personal papers and effects.”¬ Encryption is the technology used to protect our data as we store it on disks and in files and when we transmit it over the Internet. Encryption technology is currently being attacked by those in our government.
The US Attorney General’s office is trying to get vendors of secure applications that use encryption to weaken the encryption and provide back-doors so government organizations can access our private documents and communications. The EARN-IT bill currently winding its way through Congress is attempting to force companies to weaken encryption technologies under the guise of protection against child pornography.
The newly proposed “Lawful Access to Encrypted Data Act,” if enacted, would openly force manufacturers to compromise the security of the devices they manufacture and sell like phones, tablets, and personal computers by including back-doors into the security of the devices. These lawmakers do not seem to understand that if you provide a back-door for the government, it won’t be long until that back-door is open to everyone. It has been clearly shown by the overwhelming majority of security researchers that providing back-doors will severely reduce our ability to protect our personal information and privacy. Please reach out to your representatives and ask them to protect our privacy.