Another thread addresses the question of what can count as "military-grade encryption." In this case, I see that CyberLink Power2Go software boasts "advanced military-grade 256-bit encryption." TechRadar clarifies that Power2Go uses AES-256.

The Power2Go webpage says that the software is useful for "movie disc authoring" and for burning data discs. The page refers to encryption only in connection with data discs, not movie discs.

I am interested in burning data files to Blu-ray disc. My question is whether I would achieve comparable practical security by encrypting data files via Power2Go instead of encrypting them before burning, using something like 7-Zip or WinRAR.

The latter have some advantages. They seem more dedicated to security. In the case of 7-Zip, I could include a working portable copy on the disc, as a precaution against the day when relevant software is no longer available. I haven't used Power2Go, but I assume 7-Zip and WinRAR would offer more compression options. The files would be encrypted even when they weren't on the Blu-ray disc. I wouldn't have to bring the unfamiliar Power2Go software into the mix. I'm not sure whether I could retrieve the files from the disc if, say, Power2Go failed to work on some hardware, or in some future version of Windows.

My primary concern is whether encryption in disc-burning software can be legitimate. The Power2Go webpage seems to say that data on a BD-R can be protected, when movies on a BD-R are vulnerable to ripping. I don't believe the disc-burning software I've used offers encryption - which leads me to wonder whether this is something of a gimmick. Certainly it could be convenient to use a one-step Power2Go solution when burning a stack of BD-Rs, so as to eliminate a separate (7-Zip or WinRAR) encryption phase.

Ray Woodcock
  • What exactly is the use-case and threat model here? –  May 14 '22 at 19:04
  • Also unrelated, but some of the claims the software makes are just laughable, such as "utilizing unused space by increasing bit rate". This makes no sense, as the software can't just create information that wasn't there before. And while that doesn't in itself invalidate other claims, a *general* rule-of-thumb is that reputable software doesn't need to resort to nonsensical claims to woo their customers - the actual software should be able to do that just fine. –  May 14 '22 at 19:08
  • Usually military-grade encryption is a marketing term assigned to products that are developed by people that don't really understand what they are doing. In my experience this marketing term is a big warning sign to avoid the product unless you are a hacker who wants to have some fun reversing software that leaves you ROTFL. – Robert May 14 '22 at 20:54
  • Are you planning to create a reader that plays encrypted videos? – kelalaka May 15 '22 at 18:51
  • The purpose is to store data securely on BD-Rs. The discs will sit on a shelf. Since they have a lifespan of some years, I'm not sure who might have access to them at one time or another. – Ray Woodcock May 15 '22 at 20:43

1 Answer

BD-Rs do not natively support strong password-based encryption. They are merely a medium that data can be stored on. DRM in video is the closest you'd get to encryption, and it is designed simply to make it more difficult to play licensed videos on a device that doesn't support DRM.

Treat recordable optical discs the same way you would treat a flash drive. If you want the data on it to only be recoverable by someone with a password, you need to encrypt it first. I would very strongly recommend you avoid "Power2Go". Even if they do use strong algorithms, it's unlikely that they've implemented everything correctly. It would be much better to use a dedicated encryption utility like VeraCrypt, or a utility with known-good encryption, such as 7-Zip.

There's a lot more to encryption than picking a strong cipher alone. You need to use a good mode of operation. You need to use key stretching, ideally with a memory-hard algorithm. You should use authentication if possible. Because Power2Go doesn't report what it uses besides the fact that it uses AES-256, you should assume that the authors don't know how to implement strong cryptography.

Here is an example of a digital image encrypted with "military-grade AES-256":

[Image: ecb tux]

Can you tell what that's an image of? Yes, it's a cartoon penguin, and yes, it is encrypted, but it is encrypted using a mode of operation called ECB, which is not safe for this purpose. This is a famous way of illustrating that much more goes into designing secure encryption than the algorithm choice.

forest
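
The ECB leak the answer describes can be checked for in any tool's output by counting repeated 16-byte ciphertext blocks. The sketch below is an added example, not part of the answer or of any product mentioned; so that it runs with the Python standard library alone, it assumes an HMAC-SHA256 stand-in for AES (not decryptable, used only to reproduce each mode's block behaviour) and a constructed sample image.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes, whatever the key length

def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of whole 16-byte blocks that repeat an earlier block."""
    n = len(ciphertext) // BLOCK
    if n == 0:
        return 0.0
    blocks = {ciphertext[i * BLOCK:(i + 1) * BLOCK] for i in range(n)}
    return 1 - len(blocks) / n

def looks_like_ecb(ciphertext: bytes, threshold: float = 0.01) -> bool:
    """Random-looking output of this size should have no repeated blocks."""
    return repeated_block_ratio(ciphertext) > threshold

# --- Stand-ins for AES (assumption: HMAC-SHA256 truncated to one block) ---
def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def standin_ecb(key: bytes, plaintext: bytes) -> bytes:
    # ECB property: each block is transformed independently with the same key,
    # so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(_prf(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def standin_ctr(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # CTR property: every block is XORed with a fresh keystream block.
    out = bytearray()
    for n, i in enumerate(range(0, len(plaintext), BLOCK)):
        stream = _prf(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], stream))
    return bytes(out)

def constructed_image(rows: int = 64, width: int = 256) -> bytes:
    # Constructed sample: white background with one dark band, i.e. large
    # single-colour areas like those in the penguin picture.
    return b"".join((b"\x00" if 20 <= r < 40 else b"\xff") * width
                    for r in range(rows))

if __name__ == "__main__":
    key, nonce, img = os.urandom(32), os.urandom(8), constructed_image()
    for name, ct in (("ECB", standin_ecb(key, img)),
                     ("CTR", standin_ctr(key, nonce, img))):
        print(name, f"{repeated_block_ratio(ct):.4f}", looks_like_ecb(ct))
```

A ratio of zero only rules out ECB; it says nothing about key stretching or authentication, the other requirements the answer lists.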