[X4U] Macintosh security (How to protect files and Applications for stolen computers)

David Ledger dledger at ivdcs.demon.co.uk
Tue Nov 22 14:44:26 PST 2005 

>From: Richard Gilmore <rgilmor at uwo.ca>
>On 20/11/05 10:28 AM, "David Ledger" <dledger at ivdcs.demon.co.uk> wrote:
>
>>  With public/private there are two keys.......The potential weakness of
>>  public/private keys is that if anyone ever discoverers a way to
>>  generate the private key from the public one, it will be dead.

>  Is this likely?

No-one knows. It's thought, but not proven, that the only way to do 
this is to work out which two large prime numbers have their product 
in the key. There may be a way to do this other than brute force, but 
there may not.

>So this kind of encryption is for all practical reasons unbreakable? Even
>though it's theoretically breakable?

Yes

>  Do websites that you enter credit card
>info use this kind of encryption?

The lock icon on your browser shows that SSL (Secure Socket Layer) 
security is being used. This is an encrypted authenticated link using 
public/private keys. * The padlock tells you that you have a safe 
secure session with whoever owns the certificate that the browser has 
set up the session with. Unless you manually check, _you_ cannot be 
sure that that really is the bank/shop/website that you believe it to 
be. If you start the session by typing in the URL of you bank, you 
can be pretty sure that the certificate belongs to the bank. If you 
follow some link in some email it probably won't be. Your session 
with the crook will be safe and secure :-)

* - information from Secrets & Lies.

>How are Visa numbers etc...protected?

Different merchants will use different methods. Some better than others.

>Not that I'll ever need one but are there Mac/PC encryption programs out
>there that encrypt this way that average people can use?

The main use would be for encrypted and/or digitally signed emails. 
The compexity of what these terms mean and the possible combinations 
make it non-trivial for the average user. If you can get your mind 
round what you actually want to do there's :-

PGP - Pretty Good Privacy. Complex legalese means that this now 
commercial product can only be used in the US.

GPG - Gnu Privacy Guard. Free work-alike of PGP. Not developed in the 
US and so is available anywhere. (The US government considers 
encryption technology to be a munition). I've only used the command 
line version, but some GUI assist is available.. The number of 
command line options is enormous and you need to understand what it's 
doing in order to drive it. I think there are GPG plugins for some 
emailers to help send/receive encrypted email.

Encrypting a file that's just going to stay on your drive is a minor 
option to these two.

There are free to use key servers out there, which will give out any 
public key registered with them.

>I wonder if we have something like a quantum computer if they will ever
>become powerful enough to crack ciphers with brute force?

Then we will also have quantum encryption which is provably unbreakable.

>I find this subject totally fascinating.

Ditto.

Check out:
<http://www.gnupg.org/>
<http://macgpg.sourceforge.net/>

Secrets & Lies - Bruce Schneier - Wiley (very readable)

Applied Cryptography - Bruce Schneier - Wiley (more academic, but not 
dry. Interesting scenarios explained in words (easily followable) and 
in maths (sometimes less so)).

The Code Book - Simon Singh - Fourth Estate (London) (popular writer 
- also wrote Fermat's last Theorem)

In Code - Sarah Flannery - Profile Books (insight into the world of 
cryptography by a newcomer)

David


-- 
David Ledger - Freelance Unix Sysadmin in the UK.
Chair of HPUX SysAdmin SIG of hpUG technical user group (www.hpug.org.uk)
david.ledger at ivdcs.co.uk
www.ivdcs.co.uk

More information about the X4U mailing list