Many problems exist with Internet and computer technology regarding trust and security. Given all the details that have come out in 2013 about security breaches with the Internet, Web, E-mail, and Cloud technologies, there is a question that might be on the minds on a good number of people. How can we trust this stuff? Today, we will talk about some solutions.
A Multitude of Security, Privacy, and Trust Problems
Hundreds of articles in the year 2013 litter the Web about core trust issues with cloud and Web services. A flaw called a Zero-Day vulnerability has some part to play in much of this. I took a quick look at Zero-Day issues in an earlier post with links to a few other security concerns. The bottom line is that many of the default setups of computer services and systems are not designed well for trust, privacy, and security. What can be done?
Password Security in a Few Words
On your computer or web browser, you see a data entry form that asks for a password. All the security form has done is ask you for code words. Based on the logic in the security form, you are shown information you are authorized to see.
That authorization only exists in software program or connected programs that use the same security decision processes and user account data. There is an entire world that exists outside those programs in which those same data files and database records are fully independent of the software programs.
The software programs are just one way to access the data. If you have access to the computer itself where the files or database resides, you can access those data items independent of the software program. You will not get a password pop-up in most cases in that other world called file systems and database tables. That is the limitations of password security.
Locked Into Passwords
We instinctively trust passwords. When you can keep people off the computer itself and just limit them to a predefined software program with a security form, then passwords seem to work well. Problem is, there are persons who may not limit themselves to the security form and will go for direct access to the system. In that case, if they succeed in getting into that part of the system where files and data are actually stored, then all that password security effort will be completely useless.
Passwords are short sequences of letters, numbers and special symbols that can be as small as 1 character or may be as much as 30 characters or more. Thirty characters might sound like a lot, but when put up against the calculation power of the computer itself, it is trivial. Passwords are good when you have nothing else, but there are many other alternatives.
There is a better way than passwords.
Your Public Key
The better way is through public keys. A system that uses public keys is termed is abbreviated PKI, short for Public Key Cryptography. PKI is the answer. Properly used, you gain universal encryption of data using a public key. Universally, anyone can encrypt data they will send to you.
When I say public key, I mean a very public key. Just like you have public web addresses like http://michaelgautier.wordpress.com, and you have public email addresses like email@example.com you also would have your public key. Just like a free email service hosts email today, a free public key hosting service could be used.
PKI In General Use
People would use your public key to encrypt data intended for you. When you receive the information, you decrypt it using your private key. It is that simple. At least in concept. To keep the concept simple, the notice accompanying the public key should refer to the encryption algorithm preferred when using the public key so that the recipient of messages can make proper assumptions regarding the decryption of the message.
This is better than passwords because only the true owner has the private key. The private key is just a piece of data and it can be stored in a file. It can be a small file that stays on a hard drive, though I don’t recommend that, or it can be a really large file that sits on a CD-ROM or DVD that you pop into a computer when you need to decrypt something. Or it can be a code on a credit card that you swipe on a card reader to decrypt. The Square card reader might prove useful for such a purpose if they got into the public key/private key processing arena.
PKI is well established and is a well established process in certain areas of business. However, it is generally used in specific areas and not as broadly as I am suggesting here. The next step is to use PKI on hard drives, data files, database records, and to such a level that nearly every level of the computer is locked with a PKI key mechanism.
Applying PKI Extensively
When you transmit e-mail, it is encoded with the receiving party’s public key. Only they can decode it. When you store a file in the cloud, it is automatically encoded with your public key before it is transmitted. Only you can decode the information.
When you install Windows, MacOs X, Linux, or Android, the entire hard drive is default encoded with your public key with a one-way irreversible hash of your private key so you can use your master private key to reset the substitute public-private keys based on your master versions.
Computer operating systems would then only log you in based on your private key but would use substitute keys so you don’t have to keep the real private key connected longer than necessary. This setup would be used to show you files and folders and enable the system to function from an overall encrypted environment perhaps using IBM’s technology released earlier in 2013.
Extensive PKI Can Be Problematic
First, despite their protections, encrypted systems runs much slower and sometimes, this slowdown is unacceptable. Data traffic on the Internet would swell up maybe back to dial up levels. Perhaps bandwidth and equipment on the Internet will improve enough to maintain acceptable transmit times. Common computer systems themselves would have to be more capable than they are today in terms of computer processors, motherboards, memory and hard drive capacities. Persons favoring security, privacy, and trust over higher run-time efficiency may still find the benefits worth any trade off.
Second, such a solution would make computer systems far more difficult to troubleshoot, build, and support. If you tied together today’s PKI solutions, even the simpler ones, the boundaries between different parts of a system would be come sharper and more difficult to cross. The flow of data within a system would be far, far less smooth.
Third, if you lose your key, you lose everything. The data is still there, but if the encryption is super solid, you can never access it again. It would be the same as if someone deleted all your information. Except, in this case, the information is still there but you can never hope to decode it in your lifetime. You would have to make sure to properly backup your private key. That is the easy part. The difficult part is making sure the backups are secure enough for you to be sure that no one else has a copy of the private key.
Fourth, and most obviously, a public key registry does not exist similar to an email address. It has to be easy enough to use that it works as obviously as email and web addresses work today. The concept of PKI has to be more easily explained and a simple and streamlined method for using it across the board has to be developed. There is a huge opportunity for this to occur.
Fifth, you simply cannot check for viruses and malware with this approach. On one side, you might end up getting fewer infections as the file would have to be decrypted in order to infect it in the first place. Except, in some cases, you may receive what looks like a trusted, encrypted file, but it contained malware and the encrypted nature of the file blocks inspection by Internet security software. The good news is that once the file is decrypted, if the Internet security software is worth it’s salt, it will catch any infections anyway. As long as Internet security can keep pace, this might be okay.
Sixth, this approach can take things to a dark place. While today’s tech might under serve people in terms of security, privacy, and trust, the complete opposite situation could be just a bad. The burden of tech development may increase substantially and engender stagnation to a higher level. Information that could be open and benefit the many could enter into a permanently locked condition. You would end up with networks of exclusive information might undermine truth. That may be a cost to bear.
A Step Towards Privacy, Security, and Trust
As mentioned before, the idea of PKI is well established, but the extent of its application may be what is new here. The overall solution has not been sufficiently packaged up yet. Some people, like Silent Circle, are working on things near this area of application. A more wide reaching solution though may be the right approach.
Intentionally Applying Encryption In Your Own Life
Rather than wait for the arrival of such a seamless service, there are things that anyone can do now.
Allow me to warn you before you read any further.
If you do these things you will need discipline and you will have to accept that if something goes wrong, you could lose everything.
If your philosophy is that it is better for sensitive information to be inaccessible to everyone including yourself than to have it prematurely disclosed, then the following approach is for you.
A General Tool for Secure Messages
- Learn how to use PGP.
- Post your public key on the web somewhere like Google Drive.
- Use it and have your friends use it.
Secure E-mail Technique
- Works with almost any email service, including the un-secure ones.
- Rather than write the body of your e-mail, all your e-mail contents exist in attachments.
- The attachments are secure versions of documents you send for secure delivery.
- Always write you secure emails in Microsoft Word or LibreOffice.
- Save the document to a file.
- Encrypt the document file using your recipient’s public key.
- Attached the encrypted file to an email and send.
- The recipient will decode the attachments using their private key.
- If you are the recipient, you will do the same.
- One caveat, be sure to read; Why can’t email be secure by Louis Kowolowski
Secure Cloud Storage Technique
- Don’t just upload to the cloud.
- Encrypt everything first using your public key.
- Now you can upload.
- If you need to download those files later, you can decrypt them with your private key.
- Learn about a program by the name of Truecrypt.
- It provides a convenient way to store files privately in an encrypted format.
- You can use it to automate the storage and retrieval of encrypted files.
Whole Disk Encryption
- Learn about whole disk encryption.
- Microsoft Windows has BitLocker.
- Mac OS X has FileVault.
- There is also PGP whole disk encryption and Truecrypt has a version as well.
- A few Linux distributions apply whole disk using LUKS and directory encryption at multiple levels.
- Wikipedia lists all the known disk encryption processes.
Do I Use This Stuff?
No I don’t. I don’t have secrets and I found security like this to be too high maintenance. Certain things I have like photos are not sensitive and by keeping them in standard formats, backed up, I probably won’t loose them. Though I found out recently that some of the photos and graphics I created 10 and 15 years ago are unreadable now. I may have a data recovery do it yourself project sometime in the future. Anyway, due to life circumstances, I have grown much more accepting of transparency and a lack of privacy.
Others however may have a legitimate need to achieve greater privacy, security, and trust. A time might come when something must be created on a computer and then secured as well as possible. The solutions presented here describe the general processes that may benefit those that require them.
Codes are the Truth for Digital Security
Codes as in encryption codes are a substantial starting point for digital data protection. Imagine a new way of doing systems in which you move away from user accounts based on passwords and simply have a universal account based on a public key. It is actually the same thing but you end up upgrading from simple passwords to much more powerful key sequences based on much better encoding and decoding principles.
Systems of cryptography can be broken, have been broken, and are showing weaknesses in some areas. A positive aspect of cryptography is that it is a system far more advanced than passwords. It can be tuned into a much better profile for more highly secure use. Real secrets are either stored on a private hard drive, private optical disk, or flash media, fully encrypted, and kept in a locked box like paper secrets. You would never really store a true secret on the cloud or send by email. Except maybe in emergencies or under somewhat critical circumstances. Whatever the reasons, you might find encryption as the first best method to preserve privacy, security, and trust.
- Simple solutions for message encryption (1riskmanager.wordpress.com)
- How HTTPS Stops Attackers: What Every Web Dev Should Know (hartleybrody.com)
- Encrypt Your Emails on OS X (timothyandrew.net)
- Encryption is easy – sharing is hard (nospiesallowed.wordpress.com)
- How to change an encrypted volume’s password in OS X (reviews.cnet.com)
- FileVault 2 easily decrypted, warns Passware (reviews.cnet.com)
- Encrypt Email On Android (uf82.wordpress.com)
- Mailvelope: use OpenPGP encryption on Gmail, Yahoo, Hotmail and other webmail services (ghacks.net)
- PKI for Authenticating Remote Access VPNs: How Government Agencies Ensure Secure Communications (vpnhaus.ncp-e.com)