On Tuesday 18 February 2003 12:46, Tom Eastman wrote: > Hey all, > > This is not a gentoo-specific question, but I figure there's probably > people knowledgeable enough in the subject for me to ask the question here. > > Here's the situation: I have a lot of private, important information (i.e. > CVS repositories for projects, documents etc) which are sitting on my > computer. I want to back these up securely to another location where I > don't want them to be readable. I figure the best way would be to put it > all into a tarball and then use GPG to encrypt the tarball. > > Well, If I were to say, encrypt it to myself, then only I could decrypt it > later on if the need arose (i.e. I lose the hard drive in my server or > something). However, then I run the risk of losing my private key along > with my hard drive, or have to keep it on a floppy. > > GPG allows you to have symmetrical encryption (not public key, but > encrypted to a passphrase). It seems to me that using this would probably > be better, because I wouldn't need to take special precautions to protect > the key because it would be in my head (losing my head would probably make > the information less relevant anyway). > > But would it be less secure? I don't think so, because my understanding is > that the assymetrical encryption is only used for key distribution anyway. > Since I have no need to distribute the key, it's not necessary. > > I'm sure there's people out here who know a lot more about this stuff than > I do. Any thoughts? Suggestions?
Symetric encryption is in general better than asymetric encryption in
encrypting large amounts of data. It also is faster. It has as a disadvantage
that the person encrypting data needs to know the same key as the decrypting
person. This means electronic signatures are not possible as anyone able to
verify them can also forge them. Also asymetric encryption can not run in
chaining modes. This means that equal plaintext blocks result in equal cipher
blocks. Symetric encryption algorithms can use such methods.
Tools like ssh which provides secure shell basically work as follows (note
that ssh can be used with encryption to make it hard to determine wether the
tested key is the right one):
client: send public key to the server
server: send public key to client encrypted by
clients public key
client: verify that the public key equals
the stored public key for that
server
client: generate a "session key"
encrypt the session key with the
server's public key, encrypt this
with client's private key, and
send this to the server
server: decrypt the session key, and do whatever
would be done unencrypted over the
compressed and encrypted channel
eiter: once in a while create a new session key and send it to the other
Basically you use asymetric encryption to encrypt the key for the symetric
encryption. With pgp the asymetric key is then encrypted with a symetric
cypher using the passphrase as key (indirectly, actually a hash of the
passphrase is used)
Paul
--
Paul de Vrieze
Researcher
Mail: [EMAIL PROTECTED]
Homepage: http://www.cs.kun.nl/~pauldv
msg01666/pgp00000.pgp
Description: signature
