A field guide to crypto

I'll huff, and I'll puff, and I'll Blowfish your house down

Now that we've gone over some of the basics of how encryption works, it's time to look at a few of the specific types, or algorithms. Rather than go into tremendous detail on each of these, I'll just give a short summary of how old, who uses it, and its relative safety level. The rest you can look up on your own - but I'll throw out a Mythbusters-like "Science warning" for good measure. Don't say I didn't warn you.

• AES 256 - AES stands for "Advanced Encryption Standard", and is actually more of an award than a proper name - the algorithm is actually Rijndael. AES is not only easier to say, it's also very accurate. It's been approved for use in top-level classified info for both the NSA and MI6 at 192-bit level, though it's now up to 256-bit (a bit superfluous, but hey...). It is the most common "strong" encryption available, mostly because of a balance between speed and security. It was created in 1998, along with its two competitors, Serpent and Twofish.
  
  
• Serpent - Serpent was in the running to be what we call AES now, and in some respects it's more secure. It uses a key that's double the size of the blocks it protects, creating a rolling key that is effectively impossible without knowing the algorithm intricately. It's a bit slower than AES "on the fly," but considerably less used and takes more than twice as long to break.
  
  
• Twofish - Twofish was the other AES finalist, and also uses a double-sized key. However, unlike Serpent, it creates a predictable pattern for how it unravels the blocks. Though this does little to help obtain the key in the first place, once done it is considerably easier to determine the original contents. Therefore, it's the weakest of the three "strong" standards.
  
  
• Blowfish - Blowfish is a bit of an old standard - it's been kicking since 1993. Modern computing power has made it crackable, though someone would certainly have to work at it. It uses up to 448-bit keys, but the encryption itself is a little weak, particularly compared to AES or Serpent. What it lacks in strength, though, it makes up in speed - Blowfish easily decrypts "on the fly," making it excellent for less-sensitive data that you use often.
  
  
• RSA - RSA is a very commonly used but very old (1977) public-key encryption. It's not something you'd trust your more sensitive documents to, but it is the commercial standard for internet-business. Most E-commerce sites make use of it, despite its lower security.
  
  
• RC4 - RC4, much like RSA, is old but still usable. For the most part, it's used for its incredible speed compared to "stronger" methods. It forms the base for streaming data like SSL protocol in web use or TKIP for wireless internet use where any one packet most likely won't be around long enough to analyze with its brethren enough to make sense. We'll cover TKIP in more detail in a minute.

A Legal Matter...

Before we get into the specific tools for encrypting your data, there's a bit of a legal concern. First of all, not all software featured on this list is legal or even available in all countries. France had outlawed the use of personal encryption up until as recently as 1999, and China still requires a government license for its use.

Both the US and the UK (home to many of the engineers of this software) have extremely strong export restrictions on them. That's because these (very) powerful encryption algorithms also happen to be the same ones our governments use. The time needed to decrypt AES or Serpent encryptions can be years, and that's with government-scale computing (not our little boxes). In the US, laws relaxed greatly by around the year 2000 (allowing the distribution of products that can use SSL and MIME), but the situation is still far from ideal.

As well, some of the suggestions I'm about to offer may be in violation of your local laws or corporate employment guidelines. The tools, tips and tricks in the pages that follow are designed to enlighten you as to some of the methods of retaining your privacy no matter where you are, but that isn't always appreciated. In fact, often times it really isn't, particularly in a work environment. So, if you get caught and fired, please don't say that I told you that since your boss can't see what you're doing, you should be safe.

Remember, crypto is about protecting the privacy of information, not denying its existence. For that, you need four or more years at a prestigious college for Political Science.