|
First of all, I would avoid PGP, as in the commercial product. My concerns with it are based on suspicion, not fact, so you can take it for what it's worth. Years ago, when PGP was basically free, there was a big hoo-ha about it being "exported" to foreign countries because this interfered with the US's ability to gather information that had been encrypted. The public argument about it was, imo, essentially bogus. The exporting wasn't the problem really because that assumes that no one outside the US could ever create the same kind of program or the cyphers used, which is stupid. It's even more stupid when one realizes the code had *already* been exported, and the cyphers are used all over the world. But what happened to PGP afterward hints at the possibility a "back door" was installed that authorities can use to break any key easily. The people who own PGP deny this, but the code is closed, so no one can examine it to make sure.
The open source version, GPG, is trustworthy, but how secure it is depends on several factors, including, but not limited to, the cypher you use and the strength of your pass-phrase. Some old cyphers are easy to crack with the appropriate computing power. Also, a proof-of-concept has been published showing that some of the more common cyphers, notably SHA1, can be cracked within a semi-reasonable amount of time -- still a long time, but not the billion years once advertised. At this point, the only thing you have to worry about in the latter case, though, is if you are a high priority target for which authorities are willing to spend a lot of time and money to track.
OTOH, the strength of your pass-phrase is often a big issue and the one most easily exploited. If such a thing existed, you could use a cypher that is literally impossible to break within the lifetime of the planet, but if your pass-phrase sucks, it means nothing. The first thing people trying to break encryption do is run a dictionary based "brute force" attack on it. If your pass-phrase is something like "This one is my pass phrase," that will be broken easily because it uses real words in a logical pattern. A better phrase would be something like "dis(1)!IZ.mI,paSss-fraZe." All the words are mis-spelled, it contains both capital and lower-case letters, it has numbers, and it has "special" characters, i.e. the punctuation. Adding length is good as well. My personal GPG pass-phrase is a nonsense phrase over 200 characters long that contains numerous special characters, numbers, massive mis-spelling, and has the real words that inspired it rearranged in non-logical ways. The trick was memorizing the damn thing.
If you go to these lengths, no one is going to crack your encryption in any reasonable amount of time unless you are, perhaps, the bearded one himself, and authorities decide to turn every bit of processing power they can muster loose on your encryption.
Now, having said all that, the mere fact of having an encrypted file on a computer has been used as "probable cause" to get a search warrant. One current case of which I am aware is also using the fact a person did a DOD-strength wipe of his hard drive as evidence that he had illegal materials on it at one time -- after all, why would an innocent person want to go to such lengths to clean data? :sarcasm: The guy is most likely guilty of what he is accused of having, based on other material found in his home after a search warrant was granted under the probable cause terms mentioned previously, but the use of the *lack* of evidence *as* evidence is appalling because that can be used to detain or just harass perfectly innocent individuals.
The real key here is convincing as many as people as possible to start using encryption. Most of my e-mails to people I know are encrypted, and if they aren't, the contents of the e-mail contain no personal information other than my name. I tell people up front if they want to receive e-mail from me beyond the first initial exchanges, they must install and use encryption. The more people using it, the harder it is to mess with any single individual, sort of the same theory behind mass protest. You need large crowds to protect yourself.
|