Security - Encryption vs Password Protection

spyderccp · June 10th, 2010, 04:08 AM

Hi,

I'm just curious if any of you have any thoughts about file security using encryption, e.g. PGP, versus Password Protected RAR files.

For example, is a file encrypted using say a 64 character string in PGP
any more (or less) secure than a RAR file with a 64 character password.

**the real McCoy** · June 10th, 2010, 10:58 PM

Howdy,

There are probably hundreds of versions of PGP, with different levels of security.

As I understand RAR uses AES for encryption algorithm.

Personally I prefer to keep the archieving program (RAR, ZIP, tar) separate from the encryption program. The simpler or weaker a program is the harder it is to break or manipulate.

In the end it also matters who you are protecting the files from.

/trm

**groovesection** · June 11th, 2010, 12:07 AM

Both are susceptible to brute force hacks, but to be honest cracking a 64 character password Rar is easier than decrypting an 64bit encrypted file

**the real McCoy** · June 23rd, 2010, 09:10 PM

Quote:

For example, is a file encrypted using say a 64 character string in PGP
any more (or less) secure than a RAR file with a 64 character password.

Hmmm..maybe there is some confusion here, that needs to be addressed.

The length of the password is not the same as the length of the encryption key. Maybe you already know this. Apologies, all around.

As far as I know, a 64 character string is going to be equally hard to guess. It's just a 64 character string, whether you use PGP or some other program. The numbers of possible passwords are the same.

If we are talking encryption key length, I don't think that any PGP version ships with a 64 bit key length. That's very short.
As I remember there were a 512, 1024 and a 2048 bit encryption key length available in my Open Source version of PGP.

The algorithm in AES doesn't need as long encryption keys as PGP. Thus a 64 bit AES key would be harder to crack then a 64 bit PGP key. However, neither AES does ship with such short keys. As far as I know the shortest encryption key length is 128 bit in AES. (Ok, I had to Google that one).

/trm

**svga** · June 24th, 2010, 09:55 PM

Your are comparing apples with oranges and here is my complicated answer:

1. RAR encryption is used to encrypt data for all users which share a secret (i.e. the password). The password is used to generate an encryption key which in turn is used to encrypt the data. This is called symmetric cryptology because the sender and the recipient share the same secret.

2. PGP (or its free GNU pedant GPG) is mainly intended for encrypting data for certain recipient(s). The sender uses the public key(s) of the recipient(s) to encrypt the data. For this the recipients must have communicated their public key(s) to the sender. The recipient uses the matching private key (which is his personal secret which he doesn't share with anyone) to decrypt the data. Nobody who doesn't knows the private key of one of the recipient(s) should be able to decrypt the data (even not the sender if he doesn't is also one of the recipients himself). This is called asymmetric cryptography because sender and recipient don't share a secret. PGP usually protects the private key with a passphrase. Nobody who doesn't knows the passphrase should be able to use the private key to decrypt data which was encrypted for the recipient. I assume you meant the passphrase when you talked about the 64 character string in PGP. And here are you comparing apples with oranges again, the passphrase is not used to encrypt the data (or to derive a key for encryption), it only protects your private key

But to make it more complicated PGP has also a symmetric mode (for GPG the command line option is `-c' or `--symmetric'). In this case a password is requested which in turn is used to generate a key that is used to encrypt the data by using a certain algorithm, e.g. AES. The length of the generated key depends on the algorithm. And this is more or less the same what RAR makes, both programs use different (default) algorithms (DES, AES CAST5, whatever) in different program versions.

And here is a more practical answer under the assumption that you want to use symmetrical cryptography (i.e. share your data with all of us ):

Recent versions of RAR use AES for encryption, my actual version of GPG use CAST5 by default. Which algorithm is better is beyond my knowledge.

But a practical approach: The key which is used is derived from your password. Using common, short passwords like "qwerty" makes it easy to guess the password (dictionary attack). The attacker may also assume short passwords (e.g. up to 8 characters) which make it easier to guess the password by trying all possibilities (brute-force attack) in a reasonable time.

There may also still be some programs which uses "weak" algorithms for encryption which make it easy to decrypt data. But as far as I know neither PGP nor (recent versions of) RAR do this.

June 10th, 2010, 04:08 AM	#1
spyderccp Senior Member Join Date: Feb 2009 Posts: 241 Thanks: 973 Thanked 2,813 Times in 233 Posts	Security - Encryption vs Password Protection Hi, I'm just curious if any of you have any thoughts about file security using encryption, e.g. PGP, versus Password Protected RAR files. For example, is a file encrypted using say a 64 character string in PGP any more (or less) secure than a RAR file with a 64 character password. __________________ Dear Aunt Em, Hate you, hate Kansas, taking the dog. Dot.

June 11th, 2010, 12:07 AM	#3
groovesection Vintage Member Join Date: Jun 2008 Location: Behind the Decks Posts: 1,902 Thanks: 5,342 Thanked 45,319 Times in 1,892 Posts	Both are susceptible to brute force hacks, but to be honest cracking a 64 character password Rar is easier than decrypting an 64bit encrypted file __________________ Please read the Forum To view links or images in signatures your post count must be 0 or greater. You currently have 0 posts.

June 24th, 2010, 09:55 PM	#5
svga Former Staff Join Date: Aug 2008 Location: Germany - Tripping the Rift Posts: 1,427 Thanks: 16,756 Thanked 39,593 Times in 1,329 Posts	Your are comparing apples with oranges and here is my complicated answer: 1. RAR encryption is used to encrypt data for all users which share a secret (i.e. the password). The password is used to generate an encryption key which in turn is used to encrypt the data. This is called symmetric cryptology because the sender and the recipient share the same secret. 2. PGP (or its free GNU pedant GPG) is mainly intended for encrypting data for certain recipient(s). The sender uses the public key(s) of the recipient(s) to encrypt the data. For this the recipients must have communicated their public key(s) to the sender. The recipient uses the matching private key (which is his personal secret which he doesn't share with anyone) to decrypt the data. Nobody who doesn't knows the private key of one of the recipient(s) should be able to decrypt the data (even not the sender if he doesn't is also one of the recipients himself). This is called asymmetric cryptography because sender and recipient don't share a secret. PGP usually protects the private key with a passphrase. Nobody who doesn't knows the passphrase should be able to use the private key to decrypt data which was encrypted for the recipient. I assume you meant the passphrase when you talked about the 64 character string in PGP. And here are you comparing apples with oranges again, the passphrase is not used to encrypt the data (or to derive a key for encryption), it only protects your private key But to make it more complicated PGP has also a symmetric mode (for GPG the command line option is `-c' or `--symmetric'). In this case a password is requested which in turn is used to generate a key that is used to encrypt the data by using a certain algorithm, e.g. AES. The length of the generated key depends on the algorithm. And this is more or less the same what RAR makes, both programs use different (default) algorithms (DES, AES CAST5, whatever) in different program versions. And here is a more practical answer under the assumption that you want to use symmetrical cryptography (i.e. share your data with all of us ): Recent versions of RAR use AES for encryption, my actual version of GPG use CAST5 by default. Which algorithm is better is beyond my knowledge. But a practical approach: The key which is used is derived from your password. Using common, short passwords like "qwerty" makes it easy to guess the password (dictionary attack). The attacker may also assume short passwords (e.g. up to 8 characters) which make it easier to guess the password by trying all possibilities (brute-force attack) in a reasonable time. There may also still be some programs which uses "weak" algorithms for encryption which make it easy to decrypt data. But as far as I know neither PGP nor (recent versions of) RAR do this. __________________ PM me if my uploads are no longer available, I will re-upload them Last edited by svga; June 24th, 2010 at 10:29 PM.. Reason: additional info

June 10th, 2010, 10:58 PM	#2
the real McCoy Vintage Member Join Date: Jul 2007 Posts: 443 Thanks: 2,727 Thanked 21,496 Times in 536 Posts	Howdy, There are probably hundreds of versions of PGP, with different levels of security. As I understand RAR uses AES for encryption algorithm. Personally I prefer to keep the archieving program (RAR, ZIP, tar) separate from the encryption program. The simpler or weaker a program is the harder it is to break or manipulate. In the end it also matters who you are protecting the files from. /trm