I am writing this guide to provide a basic understanding of encryption, its uses, and why you should implement encryption if you have not already done so. I hope this guide helps militia members to communicate securely and helps in protecting confidential information.
What is encryption?
Encryption is the process of passing data through a mathematical algorithm in order to obfuscate it. Data can be encrypted both at REST (stored on a hard drive, USB drive, CD, etc.) and in TRANSIT (being sent over a potentially compromised medium, e.g. the internet, radio, a cellular network, etc.). Furthermore, two types of encryption exist: symmetric encryption and asymmetric encryption.
Symmetric encryption involves a pre-shared key that is used to encrypt and decrypt the data. Both parties must agree on a key before communicating. This proves a fatal flaw in secure communications because, if the key is intercepted during transit, the spying party can then decrypt any communications that use that exact key. Symmetric encryption is still very useful if extra precautions are taken during the key transfer, both technological (SSH, SCP, HTTPS, PKI, etc.) and human (couriers, physical messages).
Asymmetric encryption involves the use of a "virtual mailbox", if you will. Two keys are generated: a private key and a public key. The two keys of a pair will only work with each other! First, the private key must be kept SECURE. NEVER DISCLOSE THE PRIVATE KEY!!! Next, the public key is disclosed to the public. What I mean by this is that your public key should be placed on whichever medium you are using for communicating. A message is then encrypted with the recipient's public key and sent to the recipient, who uses the matching private key to decrypt and read the message. This solves the issue of key sharing and allows for a secure communication system. NOTE: A spying party can still use time correlation to show when two parties are communicating. They may not be able to see what the message says, but they can still determine who is in contact with each other and how often.
You can generate a key pair for free using PGP. Here is a link - https://wp2pgpmail.com/pgp-key-generator/
Understanding Key Size.
Many different encryption methods and key sizes exist. A key size is expressed in bits and usually takes values like 128, 256, 512, etc. The higher the key or "bit" size, the more data is added to scramble the message. You should only use 256-bit encryption and above. It is also important to note that the higher the key size, the longer it can take to encrypt/decrypt the data.
Different ways of scrambling data exist: block ciphers, such as DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), and the most secure, AES (Advanced Encryption Standard), and stream ciphers, such as RC4. I will not bore you with the differences: one encrypts data a block at a time and the other encrypts one bit after another like a “stream”. Just know that AES 256 and above should be used.
Data Encryption Programs.
Many different data encryption programs are available to you. The most common of these are:
BitLocker - https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
VeraCrypt, which you can use to encrypt a USB drive - https://www.esecurityplanet.com/open-source-security/how-to-encrypt-flash-drive-using-veracrypt.html
Understanding Proper Password Policy.
I know…passwords…. really. If you made it this far I applaud you. I know that this is a lot of information to take in and please realize that these concepts take time. However, we must discuss good password policy. It would be a shame for a very secure, very expensive and well thought out system to be compromised by a poor password. Unfortunately, this happens ALL THE TIME! I will provide you with some basic rules to follow when making and managing passwords.
First, a password must be 12 characters or longer. A password that is only about 7 characters, for instance, can be cracked within about 1 second. Yes…One second! A password that is 12 characters, however, will take over a hundred years! This is because, as you add more characters to a password, the number of possible combinations grows exponentially.
Second, never include the word "password", your name, the name of your organization, your date of birth, the names of your kids or wife, etc. These can easily be guessed or exploited with social engineering.
The most common passwords believe it or not are
You see the trend…avoid this.
Third, passwords should include a special character and not be allowed to persist past a specific period of time. Do not use the same password for a long period of time!
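The three rules above can be checked mechanically. The following is an added example, not part of the original guide; the function names, the 94-character alphabet, and the 90-day rotation period are assumptions (the guide names no specific period).

```python
import string

MIN_LENGTH = 12            # rule 1: 12 characters and above
MAX_AGE_DAYS = 90          # ASSUMPTION: placeholder, the guide gives no period
BANNED_WORDS = {"password"}  # rule 2: always-banned word; personal terms are passed in


def check_password(password, personal_terms=(), age_days=0):
    """Return a list of rule violations; an empty list means all rules pass."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    lowered = password.lower()
    # Personal terms: own name, organization, birth year, family names, etc.
    terms = BANNED_WORDS | {t.lower() for t in personal_terms if t}
    for term in sorted(terms):
        if term in lowered:
            problems.append(f"contains guessable term: {term}")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")
    if age_days > MAX_AGE_DAYS:
        problems.append("older than the rotation period")
    return problems


def keyspace(length, alphabet_size=94):
    """Possible passwords of this length over 94 printable ASCII characters."""
    return alphabet_size ** length


if __name__ == "__main__":
    personal = ("Alex", "Acme", "1985")  # constructed sample terms
    for pw, age in (("alex1985", 10), ("MyPassword!2024", 10),
                    ("Tr1cky-Harbor-Lamp", 200), ("Tr1cky-Harbor-Lamp", 10)):
        print(pw, "->", check_password(pw, personal, age) or "ok")
    # Each extra character multiplies the search space by the alphabet size.
    print("12 vs 7 characters:", keyspace(12) // keyspace(7), "times more candidates")
```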
Hashing and Integrity.
The last portion of this guide will explain hashing and its uses. Hashing is very valuable as it provides the ability to tell if something has been modified and, when combined with encryption, provides true communication confidentiality and integrity. A hash is a mathematical computation that returns a unique string of numbers and letters. If any information is changed, the hash will produce a different string of numbers and letters. For example, the message “Hello World” would return a hash of f57dr98ekj3qn. If I were to change any portion of the message to, let’s say, “Hello Worlds”, the hash would produce a completely separate string like jdu73npejd90. Even though only one letter was added, the entire hash changed. Use hashes to prove that a message has not been modified in transit. Also, use hashing to prove that data at rest has not been modified. Create a hash of the data, store it, and later generate a new hash of the data and compare it to the stored one to determine if the data has been changed.
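The hashing uses described above, as an added example that is not part of the original guide: real SHA-256 digests of the two sample messages, a stored-baseline check for data at rest, and a keyed hash (HMAC) for messages in transit. The HMAC step goes beyond the text and is included because a bare hash sent alongside a message can be recomputed by whoever alters the message. All names, sample data, and the key are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of data as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 256 digest bits differ between two inputs."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def record_baseline(items: dict) -> dict:
    """Data at rest: compute one digest per item (name -> bytes) to store."""
    return {name: sha256_hex(content) for name, content in items.items()}


def modified_items(items: dict, baseline: dict) -> list:
    """Names whose current digest no longer matches the stored digest."""
    return sorted(
        name for name, content in items.items()
        if not hmac.compare_digest(sha256_hex(content), baseline.get(name, ""))
    )


def tag_message(key: bytes, message: bytes) -> str:
    """Data in transit: keyed hash (HMAC-SHA256) under a pre-shared key.
    Without the key, a modified message cannot be given a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison of the received tag with a fresh one."""
    return hmac.compare_digest(tag_message(key, message), tag)


if __name__ == "__main__":
    print(sha256_hex(b"Hello World"))
    print(sha256_hex(b"Hello Worlds"))
    print(differing_bits(b"Hello World", b"Hello Worlds"), "of 256 bits differ")
    stored = {"notes.txt": b"constructed sample contents"}   # constructed data
    baseline = record_baseline(stored)
    stored["notes.txt"] = b"constructed sample contents!"    # simulated change
    print("modified:", modified_items(stored, baseline))
    key = b"constructed-demo-key-not-for-real-use"
    tag = tag_message(key, b"Hello World")
    print(verify_message(key, b"Hello World", tag), verify_message(key, b"Hello Worlds", tag))
```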
Alright, you made it to the end. I know that this was a lot of info and please realize that this is just the basics. Much more documentation exists on encryption, its uses, and hashing. I recommend you also explore social engineering, its uses, and how to combat it. Many “secure” systems are compromised by a single person who voluntarily gives up sensitive information. Be aware that a smooth talker is just as dangerous as your basement-dwelling hacker…god I hate that Hollywood image.
Thank you for reading this basic guide to encryption.
Stay safe, stay anonymous.