23

I know nothing about cryptography. How does one encrypt a file in the strongest possible way, such that it can be accessed some years later? I would prefer that it be fairly resistant to brute force and other possible attacks.

I need some direction only.

Vikki
dave09963
  • This could be better answered on the Cryptography SE site. – mentallurg Jun 19 '20 at 08:28
  • (+6) Also recommend moving to Cryptography SE. I feel OP also needs to further explain his threat model. If he just does AES-GCM with a single key, the contents of files can be swapped with each other without it being detectable... and without such a model from OP, it's impossible to actually answer this question. – karimkorun Jun 19 '20 at 16:34
  • (+39) The strongest encryption is to have the fastest computer you can find continuing to encrypt the data until about half the time before you require the data has elapsed. You would then use the same computer and begin decryption - if it took six months of computer time to encrypt, it will then take six months to decrypt - even with the key. Clearly this is foolish, so the answer is that, whatever your threat model is, the "strongest" achievable encryption is not going to be either sensible or practical. You need to first define your threat model and then design the encryption strategy to match. – J... Jun 19 '20 at 18:17
  • (+5) @J... Clearly you're joking, but I'll take you seriously just to say: Remember that if the lights go off while your super-fast computer is encrypting the only copy of your data... you had better have a recovery plan. – Michael Jun 19 '20 at 20:17
  • (+14) Technically a "one time pad" is unbeatable (and that's the strongest you're going to get!), but if OP can store a key as long as the file securely, then why not store the file there instead? As has been said before, we need a threat model to answer the question. – Cyclic3 Jun 19 '20 at 20:27
  • (+1) The encryption is probably not gonna be the weak link in any system. Your handling of the key material will be the weak link. Don't focus on strongest, focus on what suits your needs best. – vidarlo Jun 19 '20 at 20:58
  • If there was a strongest, why would weaker cryptos be used? – pipe Jun 20 '20 at 06:34
  • (+1) @pipe time and processing power. The stronger the encryption, the longer it takes to encrypt and decrypt, and the time needed for brute-force attacks increases exponentially. – Nelson Jun 20 '20 at 16:18
  • @Nelson And since the time needed for brute-force increases exponentially, the number of bits we've used the last decade(s) has been more than enough to outlast the life of the solar system in the time it takes to brute force. Even small microcontrollers can do this. So again, why would you use a weaker crypto? To make sure it _can_ be bruteforced if you forget the key? – pipe Jun 20 '20 at 18:44
  • @pipe to be honest I can't tell you why people make illogical and bad decisions. Why did Microsoft use MD5 crypto up to 2012 when it was advised against in 1996, a full SIXTEEN years earlier? I have no idea. Why do people think they can beat an entire world of scientists, researchers, and engineers with their own crypto engine? Probably pride and ignorance, but I really don't know either. The reasons for stupid decisions are generally stupid, and are highly unsatisfying when the answer is discovered, so there's really no point. – Nelson Jun 20 '20 at 19:16
  • @Cyclic3 You're definitely right about the one time pad, but it does at least have the benefit that an attacker needs two separate pieces of information to recover the original content. One might imagine using a hundred one-time pads, stored in a variety of different ways (different technologies, locations, and caretakers), to harden the system against compromise of any one piece of secure storage. – David Z Jun 21 '20 at 04:51
  • @DavidZ That scheme is better known as "Secret sharing", and the information theoretically secure nature can actually be extended to systems where you only need some k out of the n parties to share their part: https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing. If security is merely a question of needing all the data, then an All-or-nothing transform, combined with a randomised padding scheme, is your best bet: https://en.wikipedia.org/wiki/All-or-nothing_transform – Cyclic3 Jun 21 '20 at 09:59
  • @Cyclic3 Yes, I'm familiar with secret sharing. I thought I could make my point without having to use the term, but maybe I was wrong... anyway, the point was that even though the one-time pad is unbeatable when the attacker has the ciphertext but not the key, in practice you have to consider weaknesses in the key storage. That's a reason why a person might want to use a one-time pad (combined with a secret-sharing scheme, of course) even if they think they have a secure way to store something the size of the original file. – David Z Jun 21 '20 at 10:23
  • Preventing physical access is also a very strong form of encryption. – Avin Kavish Jun 21 '20 at 10:44
  • @DavidZ sorry for my rather condescending comment! You and Avin are absolutely right, physical security is an integral part of securing data, and one I overlooked. – Cyclic3 Jun 21 '20 at 11:10
  • @Michael-Where'sClayShirky Indeed, but if you're going for the Guinness book nobody said it would be easy. ;) – J... Jun 21 '20 at 11:49
  • @Cyclic3 Thanks, but I should apologize as well: I overreacted and posted a comment that was harsher than appropriate. I was a bit frustrated at the time, but looking back on it, your comment was very sensible given the context. – David Z Jun 22 '20 at 02:39
  • @AvinKavish I also thought about launching the file to space into orbit so that it could be picked up later. – Askar Kalykov Jun 23 '20 at 15:35

6 Answers

52

The strongest possible way to encrypt data is to start with a threat model. What sort of adversary are you trying to protect your data from? What are they willing to do to get it? All reasonable approaches to cryptography start with one. If you start with one, you stand a chance of finding "the strongest" for your particular situation.

I recommend this approach because, as you start thinking about threat models and researching them, you'll start to realize that security is far more about the human element. Then you can worry about things like how you will secure your key.

(XKCD comic on security; source: https://xkcd.com/538/)

Once you have decided whether you are trying to outwit a state actor while committing treason, or just merely trying to protect your diary from the prying eyes of your little sister, you can decide what the best algorithm is.

Failing that, go with the flow. Rather than finding out what is the "strongest" encryption, look for what is "recommended" by the security experts for someone who knows nothing of cryptography. Currently AES comes highly recommended. We're quite confident that nobody short of a state actor can break it, and we are reasonably confident that no state actor can break it either.

But better yet, don't look for encryption algorithms, look for tried and true packages which are recommended. The application of an algorithm is as important as the algorithm itself. Highly reputable implementations are worth their weight in gold.

ThoriumBR
Cort Ammon
32

If you want the strongest, I’d suggest a one-time pad to encrypt the file.

If you want realistic, I suggest you rather expand on what your threat model is and take advice as to the actual level of encryption that you need.

Gwyn Evans
  • And then put the one-time-pad in a tiny titanium capsule and embed it subcutaneously in your hip. – Michael Jun 19 '20 at 20:20
  • (+8) That could easily be detected and extracted. Keep the entire thing in your head. – bytepusher Jun 20 '20 at 13:31
  • (+3) @bytepusher you could be tricked into revealing it. Burn it. – PyRulez Jun 20 '20 at 14:54
  • (+5) Or they might extract it [with a wrench](https://xkcd.com/538/). – Jacob Bundgaard Jun 20 '20 at 16:25
  • (+5) If you already have the data, then the utility of a one time pad becomes *negative*: you now have to secure *twice* the amount of data. OTPs are __only__ useful when you know you will need some secure channel in the future **and** have access to a secure channel that you will not have access to later (hence their history in espionage). – Cyclic3 Jun 21 '20 at 09:56
  • (+3) @Cyclic3: I disagree: The OTP adds a second factor. Neither the encrypted data alone nor the OTP key alone will yield useful information to an attacker. If one of them is on a USB stick in your bank vault and the other one on your PC, the attacker will have to break into your PC *and* into your vault. – Heinzi Jun 21 '20 at 10:18
  • (+1) @Heinzi that is a very good point! However, there is a flipside to that: now everyone who has access to the vault AND everyone who has access to your PC can flip arbitrary bits in your data, doubling the risk. This all falls back to what everyone is saying: what is the threat model? – Cyclic3 Jun 21 '20 at 10:25
  • (+1) Not a good idea. The problem with the OTP is securely storing the key. That carries the same problem into another name. – kelalaka Jun 21 '20 at 18:23
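The one-time pad this answer proposes, together with the two failure modes the comments raise (Cyclic3's bit flipping, and the "one-time" requirement that is the reason the key is as large as the data), as an added example in Go. This is not code from the original post; the function names, the 12-byte sample message and the "dawn" to "dusk" mask are constructed for illustration. The pad-reuse function goes slightly beyond the text: it shows that two ciphertexts under the same pad XOR to the XOR of the plaintexts, which is why the pad must never be used twice.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrPadTooShort: a one-time pad must be at least as long as the data.
var ErrPadTooShort = errors.New("otp: pad shorter than data")

// newPad draws n bytes from the OS CSPRNG. The pad must be uniformly
// random, kept secret, and used exactly once; that is the whole scheme.
func newPad(n int) ([]byte, error) {
	pad := make([]byte, n)
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	return pad, nil
}

// otpXOR applies the pad to data. The same call encrypts and decrypts,
// because XOR is its own inverse: (p XOR k) XOR k == p.
func otpXOR(data, pad []byte) ([]byte, error) {
	if len(pad) < len(data) {
		return nil, ErrPadTooShort
	}
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ pad[i]
	}
	return out, nil
}

// flipBits is the attack Cyclic3 describes: whoever can modify the stored
// ciphertext XORs a mask into it, and the same mask lands in the recovered
// plaintext. No key is needed, and a bare OTP has no integrity check.
func flipBits(ciphertext, mask []byte) []byte {
	out := append([]byte(nil), ciphertext...)
	for i := range mask {
		if i < len(out) {
			out[i] ^= mask[i]
		}
	}
	return out
}

// padReuseLeak shows why the pad is "one-time": two ciphertexts under the
// same pad XOR to p1 XOR p2, which reveals how the plaintexts differ
// without any key material at all.
func padReuseLeak(c1, c2 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

func main() {
	// Constructed sample message, not from the original post.
	plain := []byte("meet at dawn")
	pad, err := newPad(len(plain))
	if err != nil {
		panic(err)
	}
	ct, _ := otpXOR(plain, pad)
	back, _ := otpXOR(ct, pad)
	fmt.Printf("round trip ok: %v\n", bytes.Equal(plain, back))

	// An attacker who guesses the last word XORs "dawn" XOR "dusk" into the
	// ciphertext; the legitimate owner then decrypts the altered message.
	mask := make([]byte, len(plain))
	copy(mask[8:], []byte{'d' ^ 'd', 'a' ^ 'u', 'w' ^ 's', 'n' ^ 'k'})
	tampered, _ := otpXOR(flipBits(ct, mask), pad)
	fmt.Printf("after bit flips: %q\n", tampered)
}
```

The message is exactly as long as the pad, so the storage problem the comments discuss is visible in the code: `pad` has to be kept as secret, and as intact, as `plain` itself, and the scheme offers nothing to detect that `tampered` is not what was stored.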
16

I know nothing about cryptography. How do we encrypt a file in *strongest* (emphasis added) possible way such that we can access them some years later. I prefer that it should be fairly resistant from brute force and other possible ways attacks. I need some direction only.

Use AES-256 in GCM mode.

hft
  • (+3) This. Yes, the many other comments are right, about threat models and OTPs, but this simple answer will cover at least 99.99% of cases quite well. – Tom Jun 21 '20 at 20:06
10

This isn't a problem with an obvious solution. You need to plan in advance how you are going to handle and safely store your key material as well as your encrypted material. The strength and type of encryption is also part of that plan. If you lose your key, you can't decrypt your data. If someone grabs a copy of your key, they can decrypt the data. If you lose the encrypted data, you can't recover it. And so on...

I suggest you take a look at GnuPG which implements a hybrid encryption scheme, whereby data is encrypted with a one-time session key (symmetric crypto) protected by the recipient's public keys. There are userland tools ready to be used to generate and handle key pairs and to encrypt/decrypt using this mechanism.

I'm not aware, off the top of my head, of which tools can do symmetric encryption using AES-256/GCM, although it is likely that openssl and libressl can. You need to be careful with generating properly random encryption keys, since at this level you may not have the support of a userland tool to ensure your keys have enough entropy.

Pedro
  • The Windows API will do AES/GCM for you – hft Jun 19 '20 at 20:51
  • (+8) I doubt any tool encrypts files with an asymmetric cipher directly; that's too computationally expensive. Instead they just encrypt a random key and encrypt the actual data with a symmetric cipher. It is also possible to create the symmetric key using a key derivation function (pbkdf2) from a passphrase. Openssl (1.1.1g) does not support GCM in `enc` though. – Jan Hudec Jun 19 '20 at 21:48
  • (+2) What would be the advantage of using asymmetric encryption in this scenario, where we have just a single user? – Paŭlo Ebermann Jun 20 '20 at 08:42
  • @JanHudec gnupg does exactly that, asymmetric cryptography. Being computationally expensive is not necessarily a problem if the solution does not need to scale. – Pedro Jun 20 '20 at 22:37
  • (+3) @Pedro GnuPG uses symmetric encryption for its data just like all other tools do. The public key encryption just encrypts the key for the symmetric encryption. It's not just computationally expensive to use public key cryptography, it mathematically doesn't work. Public key encryption can't encrypt arbitrarily-sized data on its own, only something smaller than the key size. – penguin359 Jun 22 '20 at 00:12
  • @penguin359 there's nothing broken about encrypting files with asymmetric crypto; padding is used everywhere, including in symmetric crypto. But I'll give you the benefit of the doubt and will look deeper into gnupg before debating further about what it is actually capable of doing. – Pedro Jun 22 '20 at 09:00
  • @penguin359 you are right, gnupg uses a hybrid encryption scheme which encrypts data using a one-time session key that is then protected with the recipient's public key. Therefore the asymmetric element is just a way to handle encryption keys - an added layer. I'll tweak my answer too. – Pedro Jun 22 '20 at 09:12
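The hybrid structure this answer and its comments settle on (a random session key encrypts the file symmetrically; only that key goes through the public-key operation), as an added example in Go using the standard library's RSA-OAEP and AES-GCM. This is not GnuPG's code and not from the original post: the `hybridBlob` layout, the function names and the 4 KiB sample body are constructed for illustration, and RSA-OAEP stands in for whatever asymmetric algorithm a real OpenPGP key uses. `directRSAEncrypt` is included to show penguin359's point in practice: RSA-OAEP refuses anything larger than the modulus minus padding overhead, so the file body cannot go through it at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// hybridBlob is what would be written next to the file: the session key
// wrapped under the recipient's public key, plus the AES-GCM nonce and the
// ciphertext (authentication tag included) of the file body.
type hybridBlob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// generateRecipientKey stands in for the key pair a tool such as gpg would
// generate for the recipient.
func generateRecipientKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// directRSAEncrypt is the thing the comments say does not work for files:
// RSA-OAEP accepts at most (modulus size - 2*hash size - 2) bytes, which is
// 190 bytes for a 2048-bit key with SHA-256, and errors beyond that.
func directRSAEncrypt(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

// hybridEncrypt: a fresh random 256-bit session key encrypts the body with
// AES-256-GCM, and only that 32-byte key goes through the public key.
func hybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*hybridBlob, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := directRSAEncrypt(pub, sessionKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// The session key is single-use, so a random nonce can never repeat
	// under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &hybridBlob{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// hybridDecrypt unwraps the session key with the private key and opens the
// body; the GCM tag rejects any modified ciphertext.
func hybridDecrypt(priv *rsa.PrivateKey, b *hybridBlob) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	priv, err := generateRecipientKey(2048)
	if err != nil {
		panic(err)
	}
	// Constructed 4 KiB file body, not from the original post.
	body := bytes.Repeat([]byte("diary entry\n"), 341)
	_, err = directRSAEncrypt(&priv.PublicKey, body)
	fmt.Println("RSA-OAEP on the whole body:", err)
	blob, err := hybridEncrypt(&priv.PublicKey, body)
	if err != nil {
		panic(err)
	}
	back, err := hybridDecrypt(priv, blob)
	fmt.Printf("hybrid round trip ok=%v err=%v (wrapped key %d bytes, body %d bytes)\n",
		bytes.Equal(back, body), err, len(blob.WrappedKey), len(blob.Ciphertext))
}
```

For the single-user case Paŭlo Ebermann asks about, the asymmetric layer buys only key handling: the private key is the thing to protect, and it has to survive as long as the file does.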
0

There are issues with the stored data: it may be corrupted or altered. That can be detected with integrity and authentication and solved with data protection methods.

Another issue is how one stores a cryptographic key. This can be solved with a good, memorable, high-entropy password and a Key Derivation Function.

  1. Choose a good password with diceware so that it has entropy equal to the desired key size, such as 128, 192 or 256 bits.
  2. Use a password-based key derivation function such as PBKDF2, scrypt or Argon2id to derive a cryptographic key, for example 128 bits for AES-128 or 256 bits for AES-256. In the case of multiple files, additional data can be used to derive different keys for each file.
  3. Encrypt the file with AES-GCM or ChaCha20-Poly1305; both are authenticated encryption modes that provide confidentiality, integrity, and authentication.

Notes:

  1. You may need to keep multiple copies of the file, since integrity protection only detects errors. It is not an error correction code.
  2. The key size is up to you. If you fear multi-target attacks and possible quantum computers, use a 256-bit key.
  3. The IV of GCM or ChaCha20 should not be repeated. A counter combined with a random value is advised.
kelalaka
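The three steps above, and hft's one-line answer "Use AES-256 in GCM mode", carried through in Go as an added example that is not part of either answer: a passphrase goes through PBKDF2-HMAC-SHA256 with a random per-file salt (the "additional data" of step 2, so every file gets its own key), the file is sealed with AES-256-GCM under a random nonce (note 3: because the key is fresh per file, a random 96-bit nonce never repeats under the same key), and the header plus the file name are bound in as associated data, which also closes the file-swapping gap karimkorun raised in the question comments. PBKDF2 is written out by hand so the example depends only on the standard library; the blob layout, function names, the 600000 work factor and the sample passphrase are assumptions made for this example, and Argon2id or scrypt would be a stronger choice where a library provides them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Blob layout: salt(16) || iterations(4, big-endian) || nonce(12) || AES-256-GCM ciphertext+tag.
const (
	saltLen  = 16
	nonceLen = 12
	keyLen   = 32 // AES-256
	hdrLen   = saltLen + 4 + nonceLen
	maxIter  = 10_000_000 // bound so a crafted header cannot stall decryption
)

var errBadBlob = errors.New("blob is truncated or its header is invalid")

// pbkdf2HMACSHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256. Output block T_i is
// the XOR of iter chained HMAC outputs starting from HMAC(pw, salt || INT(i)).
func pbkdf2HMACSHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, dkLen+prf.Size())
	idx := make([]byte, 4)
	for i := 1; len(out) < dkLen; i++ {
		binary.BigEndian.PutUint32(idx, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for c := 1; c < iter; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithPassphrase derives a fresh key per file (random salt) and a fresh
// random nonce. Header and file name are associated data, so a blob moved
// under another name fails authentication instead of decrypting silently.
func sealWithPassphrase(passphrase, plaintext []byte, filename string, iter uint32) ([]byte, error) {
	if iter < 1 || iter > maxIter {
		return nil, errBadBlob
	}
	hdr := make([]byte, hdrLen)
	if _, err := rand.Read(hdr[:saltLen]); err != nil {
		return nil, err
	}
	binary.BigEndian.PutUint32(hdr[saltLen:saltLen+4], iter)
	if _, err := rand.Read(hdr[saltLen+4:]); err != nil {
		return nil, err
	}
	gcm, err := newGCM(pbkdf2HMACSHA256(passphrase, hdr[:saltLen], int(iter), keyLen))
	if err != nil {
		return nil, err
	}
	nonce := append([]byte(nil), hdr[saltLen+4:]...)
	aad := append(append([]byte(nil), hdr...), filename...)
	return gcm.Seal(hdr, nonce, plaintext, aad), nil
}

// openWithPassphrase re-derives the key from the stored salt and work factor
// and verifies the tag before returning any plaintext: a wrong passphrase,
// a wrong file name or any flipped bit surfaces as an error, not as garbage.
func openWithPassphrase(passphrase, blob []byte, filename string) ([]byte, error) {
	if len(blob) < hdrLen {
		return nil, errBadBlob
	}
	hdr, ct := blob[:hdrLen], blob[hdrLen:]
	iter := binary.BigEndian.Uint32(hdr[saltLen : saltLen+4])
	if iter < 1 || iter > maxIter {
		return nil, errBadBlob
	}
	gcm, err := newGCM(pbkdf2HMACSHA256(passphrase, hdr[:saltLen], int(iter), keyLen))
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte(nil), hdr...), filename...)
	return gcm.Open(nil, hdr[saltLen+4:], ct, aad)
}

func main() {
	// Constructed inputs, not from the original post; a real passphrase would
	// come from diceware as the answer suggests.
	pass := []byte("correct horse battery staple")
	blob, err := sealWithPassphrase(pass, []byte("my diary"), "diary.txt", 600_000)
	if err != nil {
		panic(err)
	}
	plain, err := openWithPassphrase(pass, blob, "diary.txt")
	fmt.Printf("diary.txt: %q err=%v\n", plain, err)
	_, err = openWithPassphrase(pass, blob, "notes.txt")
	fmt.Printf("same blob opened as notes.txt: err=%v\n", err)
}
```

Note 1 still applies: GCM tells you the blob was damaged, it does not repair it, so keep more than one copy of the blob and of the passphrase.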
-10

I'd say to use 4096-bit encryption. I use this when generating SSH keys. I've read that even quantum computers are a good 30 years away from cracking current encryption techniques, and I don't think that the NSA can crack it, because the articles I've read from sources such as the ACLU blog indicate that the government is using malware to spy because they can't crack current encryption standards, although SHA-1 was recently cracked. Congress has been trying to rush through legislation to require back doors in encryption, but I believe this is ill advised. The mathematical formulas behind the encryption algorithms used today are ubiquitous and cannot be wiped from the public domain. They tried outlawing the export of encryption in the 90s when PGP was developed, and it proved unenforceable because the internet is global.

  • (+30) Your expression "4096 bit encryption" is meaningless in this context. It only describes the size of the key. It is the encryption *technique* or algorithm that matters. A crude encryption with a 4096 bit key could be cracked with a pencil and paper in a few hours. – Chenmunka Jun 19 '20 at 17:00
  • (+4) Note that because far from any number is a valid RSA key, a 3072-bit RSA key is only about as good as a 256-bit key of a suitable elliptic-curve DSA. – Jan Hudec Jun 19 '20 at 21:59
  • (+1) @JanHudec Is that really the reason? (I thought the reason is good factoring algorithms) As far as google answers, there are around $\frac{n \log \log n}{\log n}$ semiprimes (and I don't think so many of them are invalid), and also with that logic generating valid RSA keys should be 2^2816 times as hard as generating keys for other algorithms, but all programs somehow do that quickly. – the default. Jun 20 '20 at 14:04