Hacker News new | ask | show | jobs
by CarolineW 3342 days ago
It depends. Here are the questions that came to my mind in under 30 seconds:

* For how long must it be secure?

* Against whom must it be secured?

* What are your potential losses if it's broken?

* How can you be sure you've used a secure implementation?

* What do you think the "strongest available crypto" currently is?

* Can you be sure that the key will never be compromised?

* Where will you store the key?

* Do you need to send the key to someone else?

* Where will the encryption happen?

... and there's more.
1 comments
vrypan 3341 days ago
* For how long must it be secure? let's say for 10 years

* Against whom must it be secured? Everyone, including national agencies and organised crime.

* What are your potential losses if it's broken? A lot of money.

* How can you be sure you've used a secure implementation? No idea

* What do you think the "strongest available crypto" currently is? No idea, but I would guess someone has this answer

* Can you be sure that the key will never be compromised? No, but this is a separate problem, I assume here that the key is not compromised.

* Where will you store the key? Off-line

* Do you need to send the key to someone else? No.

* Where will the encryption happen? Locally.

link
tallship 3341 days ago
Considering that you don't know whether you can be sure that you've used a secure implementation, then the answer is a resounding, NO! It is not, by your own admission, 'safe' to publish any data that needs to remain secure in a publicly available setting.

Once you can answer yes to:

<snip> How can you be sure you've used a secure implementation? No idea </snip>

Then you will be able to ascertain for yourself whether your encrypted data, placed in a publicly available location, is "Safe Enough", "Secure Enough" for your needs.

It would be naive to assume that any data placed somewhere, encrypted or not, is stored with a completely invulnerable method.

That having been said, one must rise to the occasion of determining how secure something needs to be, and then availing oneself of the means to achieve that level of security.

I hope that helps, but in reality, there really isn't a cut and dried YES|NO answer - only relative levels of reasonable assurance in securing your data and communications.

link
CarolineW 3341 days ago
>> What are your potential losses if it's broken?

> A lot of money.

What is the potential gain to your adversaries?

The other question is: Why would you do this?

The answer is: You can publish things that are encrypted, but the level of confidence is tied up with knowing that the encryption is secure against all attack vectors as applied by your most determined and well-resourced adversary for ten years, during which time advances in attacks will be made.

If you think no one will really care, if your adversaries have little or nothing to gain, then you're probably fine.

If they stand to gain a lot, you're probably not.

But I'm not an expert, I'm just trying to highlight some of the issues for you.

link
sova 3341 days ago
Elliptic Curve Cryptography
link
CarolineW 3341 days ago
One Time Pad!
link