Security You're Still Doing It Wrong


With all the hype and hoopla surrounding the US government's tapping of everything under the sun, I have seen an influx of articles related to security. "This is how you encrypt!", "this is how you secure!", "this is how... You're doing it wrong." Having been around security for much longer than I care to admit nowadays, I often see many confuse the "concept of security" with the technological capabilities and application of security. Meaning: actually securing communications. Be it by way of system-level encryption (disk based) or network-based encryption (SSL, TLS, VPNs), many in the industry are missing the fundamentals. Horribly at that. This confusion is beginning to worry me, because I have been seeing some well-known and respected security professionals, evangelists, and "experts" making the same mistakes repeatedly. Not only by way of the processes involved with security, but by pounding the pulpit with "this is how you secure your data/network/traffic."

While I don't want this to be a technical write-up filled with Visio diagrams and RFC references, I need to add some to clarify my statement - "You're doing it wrong... still!" Let's begin with the fundamentals of disk based encryption, which WILL include message encryption. Message encryption could be anything you choose: PGP, steganography, it could be Pig Latin. The gist is encrypting (scrambling) data before it leaves your computer, or is stored on your computer, so that the message cannot be understood by anyone else who doesn't have a "key", "password", or any other means to decrypt the message. Forget the Alice and Bob nonsense, it's ancient.

Encryption caveman style: You create a "key" and encrypt a message using someone else's "key"; only they can read it.

Five Deadly Venoms of Encryption

1) You chose / recipient chose a weak password (PGP, SSL, TLS, Truecrypt, etc)
2) Your key is compromised (PGP, SSL, TLS, Truecrypt, etc)
3) The recipient's key is compromised (PGP, SSL, TLS, Truecrypt, etc)
4) Your operating system is compromised
5) Recipient's operating system is compromised

"You chose / recipient chose a weak password" and now with the influx of millions of passwords that were stolen [1], attackers have created wordlists which can crack your password in seconds. PEBKAC fail.

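The first venom can be screened for before a passphrase ever protects a key or volume. The following is an added example, not code from the original article: it rejects passphrases that reduce to a wordlist entry once common mangling (case, padded digits and symbols, character substitutions) is undone. The names `LEAKED_SAMPLE`, `MIN_LENGTH`, `normalized_forms` and `screen_passphrase` are hypothetical, and the wordlist is a constructed stand-in for a real leaked-password corpus.

```python
import re

# Constructed stand-in for a leaked-password wordlist; a real check would load
# a breach corpus from disk (assumption, no such file is named on the page).
LEAKED_SAMPLE = {"password", "letmein", "dragon", "qwerty", "sunshine"}

# Substitutions people use to "harden" a dictionary word; cracking rules undo them.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 16  # assumed policy floor for a key or volume passphrase


def normalized_forms(passphrase):
    """Return the base words this passphrase reduces to under simple mangling."""
    lowered = passphrase.lower()
    # Strip digits and symbols padded on either end, e.g. "Dragon2013!".
    trimmed = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    return {lowered, trimmed, lowered.translate(LEET), trimmed.translate(LEET)}


def screen_passphrase(passphrase, wordlist=LEAKED_SAMPLE, min_length=MIN_LENGTH):
    """Return a list of rejection reasons; an empty list means it passed."""
    reasons = []
    if len(passphrase) < min_length:
        reasons.append("too_short")
    if normalized_forms(passphrase) & set(wordlist):
        reasons.append("in_wordlist")
    return reasons


if __name__ == "__main__":
    # Constructed sample passphrases.
    for sample in ("P@ssw0rd123!", "Dragon2013!", "violet kettle drums at midnight"):
        print(f"{sample!r}: {screen_passphrase(sample) or 'ok'}")
```
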
"Your key is compromised." With the current state of malware, viruses, and worms, do not think for a second, an adversary is not capable of obtaining your private key. As someone who has reverse engineered malware professionally, and as a hobby, I cannot tell you how many keys and certificates I have come across.

"The recipient's key is compromised." So you jumped through hoops and hurdles to ensure your key was secure. Doesn't mean the recipient did the same. It is as simple as day and night.

"Your operating system is compromised." This statement is a loaded gun. From the onset, you would likely assume I meant: "a hacker got on your system somehow..." and you would be wrong. History has shown that...

