Re: Encryption protection

2001-03-02 Thread Kevin M. Myer

On Wed, 28 Feb 2001, Todd Reed wrote:

> I understand from the replies here that SimpleCrypt isn't secure, at
> least in the sense that with enough time the encryption scheme can be
> defeated. That's true for any scheme if you have infinite amounts of
> time and computers.
>
> What I'd like to know is a realistic assessment of its insecurity.
> Dantz is saying it is secure enough for the majority of commercial
> uses. Is the average script kiddie going to find SimpleCrypt easy t

I wouldn't believe that claim unless I saw the source for their algorithm
(not that I could review it but a thorough peer review would be necessary
to say the least to backup the claim - no pun intended).  Since 56-bit DES
is pretty easy to crack (it took all of three days on distributed.net a
few years ago and dedicated hardware is now available for that job), and
SimpleCrypt is an unpublished proprietary algorithm, it logically follows
that SimpleCrypt is also simpler to crack.

I'm curious about the DES encryption actually - it doesn't seem to matter
if I have encryption turned on or off - backups seem to take approximately
the same amount of time.  What exactly is being backed up:  the data
stream between client and server, the contents on the tape, the catalog
(on disk) or the header on the tape (or any combination thereof)?

> >>>  Basically, Retrospect's SimpleCrypt encryption method is faster than DES,
> >>>  but the tradeoff for speed yields a less robust encryption scheme.

Which basically says, to me, that it's not very strong at all :)

Kevin
-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140



--
--
To subscribe:[EMAIL PROTECTED]
To unsubscribe:  [EMAIL PROTECTED]
Archives:
Search:  

For urgent issues, please contact Dantz technical support directly at
[EMAIL PROTECTED] or 925.253.3050.



Re: Encryption protection

2001-02-28 Thread Jon Stevens

on 2/28/01 11:30 AM, "Todd Reed" <[EMAIL PROTECTED]> wrote:

> I understand from the replies here that SimpleCrypt isn't secure, at least in
> the sense that with enough time the encryption scheme can be defeated. That's
> true for any scheme if you have infinite amounts of time and computers.
> 
> What I'd like to know is a realistic assessment of its insecurity. Dantz is
> saying it is secure enough for the majority of commercial uses. Is the average
> script kiddie going to find SimpleCrypt easy to crack? Really I'm trying to
> make a risk assessment. Of course I restrict access to my tapes, but in one
> location I run backups, that's impractical.
> 
> If SimpleCrypt's encryption is defeatable by an expert in 24 hours, I'm
> definitely going to alter my security practices. That's the kind of risk
> assessment I'd like to find out. How easy is it to beat SimpleCrypt and/or
> DES?
> 
> Todd

#1. Turn off sending HTML email. It sucks.

#2. I would say that both DES and SimpleCrypt can be broken in less than 24
hours. Don't assume that some methodology that Dantz came up (when did they
get into the encryption business?) with is unbreakable in anything more than
that. I would guess that SimpleCrypt is just some weak XOR or something.

Also, security through obscurity is a terrible thing.

The right thing to do here is to have pluggable security. End of story.

-jon
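
Added example, not part of Jon's post and not Dantz's code: SimpleCrypt's algorithm is unpublished, so this assumes the "weak XOR" guessed at above, a Vernam-style cipher whose key repeats, and shows why such a scheme protects a backup poorly when its leading bytes are predictable. The header, key and data are constructed sample values; `xor_stream`, `smallest_period` and `recover_key` are names chosen for this sketch.

```python
from itertools import cycle


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with the key, repeating the key as often as needed.

    The same call encrypts and decrypts, as in any Vernam-style cipher.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def smallest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i - p] for every i >= p."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Return the repeating key, given plaintext bytes known to start the data.

    ciphertext XOR plaintext is the keystream; with a repeating key the
    keystream is just the key over and over, so its period is the key.
    If the known prefix is shorter than the key, only that many key bytes
    come back.
    """
    n = min(len(ciphertext), len(known_prefix))
    keystream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix[:n]))
    return keystream[:smallest_period(keystream)]


# Constructed sample values (assumptions, not Retrospect's tape format):
# a fixed format header padded with zero bytes, followed by the file data.
HEADER = b"BACKUPSET\x00v1\x00" + bytes(16)
KEY = b"s3cret-pw"
PLAINTEXT = HEADER + b"payroll: alice 52000; bob 48000\n"
CIPHERTEXT = xor_stream(PLAINTEXT, KEY)

if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, HEADER)
    print("recovered key:", key)
    print("decrypted data:", xor_stream(CIPHERTEXT, key)[len(HEADER):])
    # Zero padding XORed with the key is the key itself, so the key
    # also sits in the ciphertext in the clear.
    print("key visible in ciphertext:", KEY in CIPHERTEXT)
```

No key search is involved, which is the difference from DES: there the practical weakness raised in this thread is the 56-bit key size, while a repeating XOR key falls to one known header regardless of key length.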



Re: Encryption protection

2001-02-28 Thread Todd Reed


I understand from the replies here that SimpleCrypt isn't secure,
at least in the sense that with enough time the encryption scheme can
be defeated. That's true for any scheme if you have infinite amounts
of time and computers.

What I'd like to know is a realistic assessment of its
insecurity. Dantz is saying it is secure enough for the majority of
commercial uses. Is the average script kiddie going to find
SimpleCrypt easy to crack? Really I'm trying to make a risk
assessment. Of course I restrict access to my tapes, but in one
location I run backups, that's impractical.

If SimpleCrypt's encryption is defeatable by an expert in 24
hours, I'm definitely going to alter my security practices. That's the
kind of risk assessment I'd like to find out. How easy is it to beat
SimpleCrypt and/or DES?

Todd


On 2/27/01, Douglas K Wyman emailed about "Re: Encryption protection":

You're kidding, aren't you...? Better to think about moving away
from the canal and up to some high ground...or to a state that isn't
sliding into the ocean so soon...

Seriously, physical security should always be your first priority.
Suppose someone decides they don't like you, or gets curious, or
notices what a raging success you are and takes the tapes hostage
etc, etc, etc. Belt and braces, that's my policy.

Regards,
Doug.

Eric,

Thanks for your reply. What I would like to know is what kind of computing
horsepower is necessary to crack SimpleCrypt's encryption protection?

If someone acquired a tape from me that was encrypted, what kind of
resources would it take to get into the data? What about DES?

Everyone on this list is probably familiar with some of the distributed
computing attempts to crack advanced encryption algorithms. What would it
take to crack SimpleCrypt?

If it turns out that the data is fairly easily accessible to someone with
advanced hacking skills, I'll start locking my tapes up and taking other
security measures.

Todd Reed



> From: Eric Ullman <[EMAIL PROTECTED]>
> Reply-To: "retro-talk" <[EMAIL PROTECTED]>
> Date: Mon, 26 Feb 2001 07:51:00 -0800
> To: retro-talk <[EMAIL PROTECTED]>
> Subject: Re: Encryption protection
>
> Good question, Todd.
>
> Basically, Retrospect's SimpleCrypt encryption method is faster than DES,
> but the tradeoff for speed yields a less robust encryption scheme.
> Conceivably, it would take less time to decipher data that had been encoded
> with SimpleCrypt than with DES (or some other strong encryption method).
>
> Encryption should never be relied on as the sole means of keeping your data
> from unwanted access. It should always be used in conjunction with physical
> security measures. Any data important enough to worry about someone cracking
> its encryption method is important enough to restrict access to.
>
> One benefit of backing up computer data to compact, removable media is that
> it is relatively easy to collect and store in a secure location. Don't
> dismiss this advantage.
>
> I hope this helps.
>
> Eric Ullman
> Dantz Development
>
>
> Todd Reed <[EMAIL PROTECTED]> wrote:
>
>> On a mailing list I inhabit, the quality of Retrospect's encryption
>> was challenged as being inadequate. The comment was that neither DES
>> or Dantz' proprietary Vernam cipher would be secure from a serious
>> attempt to retrieve stolen backup data.
>>
>> What's the scoop here? I've been running on the assumption that if I
>> lost a tape under mysterious circumstances that the information would
>> be unrecoverable.
>>
>> How does SimpleCrypt compare to DES and how hard would someone have
>> to try to break the encryption?



[Fwd: Re: Encryption protection]

2001-02-28 Thread ilyes

ditto!  USERS RULE! plug-in encryption modules, hiphip!

  - ilyes


-------- Original Message --------
From: Eric Ullman <[EMAIL PROTECTED]>
Subject: Re: Encryption protection
To: retro-talk <[EMAIL PROTECTED]>

Jon Stevens <[EMAIL PROTECTED]> wrote:

> The *right* way to implement this is to let the USERS choose which
> encryption scheme THEY want to use. Dantz shouldn't be the one who chooses
> this. It could be as simple as a popup menu on the server that would decide
> which scheme to use. If I want DES, Blowfish, SSL, AES or whatever, then I
> should be able to use it. In fact, I could see this as a marketing
> opportunity for Dantz and/or third parties to provide "plugins" that provide
> different encryption schemes as extra products. If someone wants more
> security, buy this product and put this plugin in the plugins directory.

Very good ideas, Jon. You're not alone in your thinking, either.

Eric Ullman
Dantz Development







Re: Encryption protection

2001-02-27 Thread Jon Stevens

on 2/27/01 10:31 PM, "Eric Ullman" <[EMAIL PROTECTED]> wrote:

> This is definitely an issue with encryption. Cracking various encryption
> methods is really only a question of time, computing power, and some luck.
> Heck, I thought DES was cracked in 1998!

I'm not sure the exact date it was cracked, but the AES (next generation
replacement for DES) proposals have already been decided.

http://csrc.nist.gov/encryption/aes/

RIJNDAEL won.

thanks,

-jon



Re: Encryption protection

2001-02-27 Thread Eric Ullman

Todd Reed <[EMAIL PROTECTED]> wrote:

> Thanks for your reply. What I would like to know is what kind of computing
> horsepower is necessary to crack SimpleCrypt's encryption protection?
> 
> If someone acquired a tape from me that was encrypted, what kind of
> resources would it take to get into the data? What about DES?
> 
> Everyone on this list is probably familiar with some of the distributed
> computing attempts to crack advanced encryption algorithms. What would it
> take to crack SimpleCrypt?

This is definitely an issue with encryption. Cracking various encryption
methods is really only a question of time, computing power, and some luck.
Heck, I thought DES was cracked in 1998!

So, yes, Dantz is investigating other encryption options, but, in the
meantime, definitely restrict access to your data!

Eric Ullman
Dantz Development



Re: Encryption protection

2001-02-27 Thread Eric Ullman

Jon Stevens <[EMAIL PROTECTED]> wrote:

> The *right* way to implement this is to let the USERS choose which
> encryption scheme THEY want to use. Dantz shouldn't be the one who chooses
> this. It could be as simple as a popup menu on the server that would decide
> which scheme to use. If I want DES, Blowfish, SSL, AES or whatever, then I
> should be able to use it. In fact, I could see this as a marketing
> opportunity for Dantz and/or third parties to provide "plugins" that provide
> different encryption schemes as extra products. If someone wants more
> security, buy this product and put this plugin in the plugins directory.

Very good ideas, Jon. You're not alone in your thinking, either.

Eric Ullman
Dantz Development




Re: Encryption protection

2001-02-27 Thread Douglas K Wyman


You're kidding, aren't you...? Better to think about moving away
from the canal and up to some high ground...or to a state that isn't
sliding into the ocean so soon...

Seriously, physical security should always be your first priority.
Suppose someone decides they don't like you, or gets curious, or
notices what a raging success you are and takes the tapes hostage
etc, etc, etc. Belt and braces, that's my policy.

Regards,
Doug.

Eric,

Thanks for your reply. What I would like to know is what kind of computing
horsepower is necessary to crack SimpleCrypt's encryption protection?

If someone acquired a tape from me that was encrypted, what kind of
resources would it take to get into the data? What about DES?

Everyone on this list is probably familiar with some of the distributed
computing attempts to crack advanced encryption algorithms. What would it
take to crack SimpleCrypt?

If it turns out that the data is fairly easily accessible to someone with
advanced hacking skills, I'll start locking my tapes up and taking other
security measures.

Todd Reed



> From: Eric Ullman <[EMAIL PROTECTED]>
> Reply-To: "retro-talk" <[EMAIL PROTECTED]>
> Date: Mon, 26 Feb 2001 07:51:00 -0800
> To: retro-talk <[EMAIL PROTECTED]>
> Subject: Re: Encryption protection
>
> Good question, Todd.
>
> Basically, Retrospect's SimpleCrypt encryption method is faster than DES,
> but the tradeoff for speed yields a less robust encryption scheme.
> Conceivably, it would take less time to decipher data that had been encoded
> with SimpleCrypt than with DES (or some other strong encryption method).
>
> Encryption should never be relied on as the sole means of keeping your data
> from unwanted access. It should always be used in conjunction with physical
> security measures. Any data important enough to worry about someone cracking
> its encryption method is important enough to restrict access to.
>
> One benefit of backing up computer data to compact, removable media is that
> it is relatively easy to collect and store in a secure location. Don't
> dismiss this advantage.
>
> I hope this helps.
>
> Eric Ullman
> Dantz Development
>
>
> Todd Reed <[EMAIL PROTECTED]> wrote:
>
>> On a mailing list I inhabit, the quality of Retrospect's encryption
>> was challenged as being inadequate. The comment was that neither DES
>> or Dantz' proprietary Vernam cipher would be secure from a serious
>> attempt to retrieve stolen backup data.
>>
>> What's the scoop here? I've been running on the assumption that if I
>> lost a tape under mysterious circumstances that the information would
>> be unrecoverable.
>>
>> How does SimpleCrypt compare to DES and how hard would someone have
>> to try to break the encryption?




Re: Encryption protection

2001-02-27 Thread Jon Stevens

on 2/27/01 7:11 AM, "Todd Reed" <[EMAIL PROTECTED]> wrote:

> Eric,
> 
> Thanks for your reply. What I would like to know is what kind of computing
> horsepower is necessary to crack SimpleCrypt's encryption protection?
> 
> If someone acquired a tape from me that was encrypted, what kind of
> resources would it take to get into the data? What about DES?
> 
> Everyone on this list is probably familiar with some of the distributed
> computing attempts to crack advanced encryption algorithms. What would it
> take to crack SimpleCrypt?
> 
> If it turns out that the data is fairly easily accessible to someone with
> advanced hacking skills, I'll start locking my tapes up and taking other
> security measures.
> 
> Todd Reed

The *right* way to implement this is to let the USERS choose which
encryption scheme THEY want to use. Dantz shouldn't be the one who chooses
this. It could be as simple as a popup menu on the server that would decide
which scheme to use. If I want DES, Blowfish, SSL, AES or whatever, then I
should be able to use it. In fact, I could see this as a marketing
opportunity for Dantz and/or third parties to provide "plugins" that provide
different encryption schemes as extra products. If someone wants more
security, buy this product and put this plugin in the plugins directory.

This isn't rocket science.

-jon



Re: Encryption protection

2001-02-27 Thread Todd Reed

Eric,

Thanks for your reply. What I would like to know is what kind of computing
horsepower is necessary to crack SimpleCrypt's encryption protection?

If someone acquired a tape from me that was encrypted, what kind of
resources would it take to get into the data? What about DES?

Everyone on this list is probably familiar with some of the distributed
computing attempts to crack advanced encryption algorithms. What would it
take to crack SimpleCrypt?

If it turns out that the data is fairly easily accessible to someone with
advanced hacking skills, I'll start locking my tapes up and taking other
security measures.

Todd Reed



> From: Eric Ullman <[EMAIL PROTECTED]>
> Reply-To: "retro-talk" <[EMAIL PROTECTED]>
> Date: Mon, 26 Feb 2001 07:51:00 -0800
> To: retro-talk <[EMAIL PROTECTED]>
> Subject: Re: Encryption protection
> 
> Good question, Todd.
> 
> Basically, Retrospect's SimpleCrypt encryption method is faster than DES,
> but the tradeoff for speed yields a less robust encryption scheme.
> Conceivably, it would take less time to decipher data that had been encoded
> with SimpleCrypt than with DES (or some other strong encryption method).
> 
> Encryption should never be relied on as the sole means of keeping your data
> from unwanted access. It should always be used in conjunction with physical
> security measures. Any data important enough to worry about someone cracking
> its encryption method is important enough to restrict access to.
> 
> One benefit of backing up computer data to compact, removable media is that
> it is relatively easy to collect and store in a secure location. Don't
> dismiss this advantage.
> 
> I hope this helps.
> 
> Eric Ullman
> Dantz Development
> 
> 
> Todd Reed <[EMAIL PROTECTED]> wrote:
> 
>> On a mailing list I inhabit, the quality of Retrospect's encryption
>> was challenged as being inadequate.  The comment was that neither DES
>> or Dantz' proprietary  Vernam cipher would be secure from a serious
>> attempt to retrieve stolen backup data.
>> 
>> What's the scoop here? I've been running on the assumption that if I
>> lost a tape under mysterious circumstances that the information would
>> be unrecoverable.
>> 
>> How does SimpleCrypt compare to DES and how hard would someone have
>> to try to break the encryption?



Re: Encryption protection

2001-02-26 Thread Eric Ullman

Good question, Todd.

Basically, Retrospect's SimpleCrypt encryption method is faster than DES,
but the tradeoff for speed yields a less robust encryption scheme.
Conceivably, it would take less time to decipher data that had been encoded
with SimpleCrypt than with DES (or some other strong encryption method).

Encryption should never be relied on as the sole means of keeping your data
from unwanted access. It should always be used in conjunction with physical
security measures. Any data important enough to worry about someone cracking
its encryption method is important enough to restrict access to.

One benefit of backing up computer data to compact, removable media is that
it is relatively easy to collect and store in a secure location. Don't
dismiss this advantage.

I hope this helps.

Eric Ullman
Dantz Development


Todd Reed <[EMAIL PROTECTED]> wrote:

> On a mailing list I inhabit, the quality of Retrospect's encryption
> was challenged as being inadequate.  The comment was that neither DES
> or Dantz' proprietary  Vernam cipher would be secure from a serious
> attempt to retrieve stolen backup data.
> 
> What's the scoop here? I've been running on the assumption that if I
> lost a tape under mysterious circumstances that the information would
> be unrecoverable.
> 
> How does SimpleCrypt compare to DES and how hard would someone have
> to try to break the encryption?



Re: Encryption protection

2001-02-24 Thread Todd Reed

That's what I'd like to know. How tough is SimpleCrypt's encryption 
scheme compared to the amount of resources it would take to crack it?

Todd Reed




On 2/23/01, David Ross emailed about "Re: Encryption protection":
>> What's the scoop here? I've been running on the assumption that if I
>> lost a tape under mysterious circumstances that the information would
>> be unrecoverable.
>
> Nothing is unrecoverable if you have enough time. So the real question
> is how long would the various choices take to crack.



Re: Encryption protection

2001-02-23 Thread David Ross

> What's the scoop here? I've been running on the assumption that if I
> lost a tape under mysterious circumstances that the information would
> be unrecoverable.

Nothing is unrecoverable if you have enough time. So the real question
is how long would the various choices take to crack.

