future proof file encryption

Robert J. Hansen rjh at sixdemonbag.org
Sat Feb 28 01:22:56 CET 2009


Christopher J. Walters wrote:
> I did, later in my message.

I didn't see it.  Looking over it, I still don't.

> I come from the early days of Fidonet, and BBS's.  It is possible for
> a CRC32c checksum to show "OK" when there have been changes.  Has
> always been this way. If you use an archiver to "archive" 200 files
> around 2 mb in length, then encrypt the archive, you could easily
> lose all 200 files, if the session key is lost.  Keeping the files
> separate and hashing them, would be a way to tell if there are any
> problems.

There are a lot of different kinds of CRC32 -- some designed in an ad
hoc manner and others designed to the standards of engineering.  You're
using one right now, probably: Ethernet frames incorporate a CRC32.  If
it's good enough for Ethernet, it's good enough for me.

You're also missing the part about how GnuPG includes a hash of the data
in its symmetric encryption.  You don't need public key encryption to
get a hash on the data.

> The F.B.I. could recover data from your hard drive, as well - even if
> it crashes.  Hard drive can crash within 1 or 2 years, especially if
> they get too hot.

Hard drives tend not to crash or overheat when they're powered down,
properly mothballed, and put in long-term storage.

> And just why is it overkill?  With the costs of hard drives coming
> down, as they are, you can call it an upgrade.

If you're seriously advocating spending $300 for hard drives alone to
back up your data, then you've just priced your scheme beyond the reach
of most people.  I make good money at my day job and let me tell you, I
wouldn't /think/ of spending $300 on backups.  What happens in two
years?  You think I should be out another $300 in backups alone?  An
amortized cost of $150/year for backups is probably about 150 times too
much.

My suggestion is, IMO, at the edge of practicability -- and it costs
under $100 of outlay for enough equipment to do about 100 long-term
nitrogen-purged backups.  ($50 for a 10 cu. ft. cylinder of argon, $20
for 100 antistat heat-sealable bags, $20 for a big stack of DVD-Rs.)

As a rule of thumb, the more complex and expensive your backup system
becomes, the less likely it is that anyone will actually follow the
protocol.

> Actually JPEG is older than 10 years, IIRC

I said 'about'.  JPEG was standardized in 1994; PNG in 1996; SVG in 2001.

> So tell me, what compression software are *you* talking about?

Wavelets.  Fractals.  Arithmetic coding.  The data compression field is
alive and well and constantly getting better.  Check out the literature.

Some of these have already been incorporated into newer graphics
standards.  E.g., JPEG has no support for wavelet encoding, but JPEG2000
does.
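An added example, not part of the original message: the two integrity checks discussed above, run over constructed data. It uses zlib's CRC-32 (the Ethernet polynomial, not CRC32c) and SHA-256 as a stand-in cryptographic hash; it does not reproduce GnuPG's own integrity mechanism, and the function names and sample inputs are assumptions made for illustration.

```python
import hashlib
import zlib


def find_crc32_collision(limit=2_000_000):
    """Birthday-search constructed 32-byte inputs for two that share a CRC-32.

    With a 32-bit checksum a collision is expected after roughly 2**16
    random inputs, so the limit is a generous safety bound.
    """
    seen = {}  # CRC-32 value -> first input that produced it
    for i in range(limit):
        # Constructed sample data: SHA-256 of a counter gives pseudo-random bytes.
        data = hashlib.sha256(b"constructed-sample-%d" % i).digest()
        crc = zlib.crc32(data)
        if crc in seen and seen[crc] != data:
            return seen[crc], data, i + 1
        seen[crc] = data
    raise RuntimeError("no collision found within limit")


def compare_checks(original, changed):
    """Say whether each check notices that `changed` differs from `original`."""
    return {
        "crc32_detects": zlib.crc32(original) != zlib.crc32(changed),
        "sha256_detects": hashlib.sha256(original).digest()
        != hashlib.sha256(changed).digest(),
    }


def flip_lowest_bit(data):
    """Simulate a single-bit media error in the first byte."""
    return bytes([data[0] ^ 0x01]) + data[1:]


if __name__ == "__main__":
    a, b, tried = find_crc32_collision()
    print("inputs tried before two shared a CRC-32:", tried)
    print("CRC-32 of both: %08x" % zlib.crc32(a))
    print("different content, same CRC-32:", compare_checks(a, b))
    print("single flipped bit:", compare_checks(a, flip_lowest_bit(a)))
```

A single flipped bit is always caught by both checks; the colliding pair is the case where the CRC reports "OK" for different content while the hash still tells the two apart.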




