# What is encrypting?

What is encrypting in networking? What does it mean if unencrypted information is sent across the net? What are the implications if this happens?

dduardo
Staff Emeritus
Encrypting in networking is a difficult goal in comparison local encrypting! There are two parties that may not know each other and need to communicate in the presence of hackers that pose man-in-the middle attacks. That's why public key cryptography is essential in networks, but combined with authentication services from Key Distribution Centers like Kerberos to protect from man-in-the-middle attacks.

basically encrypting is taking a set of data and changing it, then forming an algorythm that can change it back, giving said algorythm to the reciever so that the reciever can then decrypt the algorythm and view the data - a message M, is transfered into a ciphertext C by an encryption E, which is then sent to the user and then decrypted D - thus $$M:M->E=C$$ so that then when sent to the user $$C:C->D=M$$

if you want more information on cryptography(encryption/decryption and algorythm developement for security purposes) PM me

Hi TsunamiJoe

I use Mozilla Firefox as my browser. What happens is, whenever I type in my login ID and password and register I get a message box saying "The information you are sending is unencrypted and could be viewed by a third party". I usually click on 'OK'. But my fear is, is there a possibility my account could be hacked if I sent unencrypted information?
P.S. I get the same message box whenever I post a thread.

chroot
Staff Emeritus
Gold Member
This site does not use encryption; it is therefore possible for someone experienced to get your password if they monitor the initial traffic between the site and your computer. It's really not worth worrying about.

- Warren

Thanks. Problem solved!

chroot said:
This site does not use encryption; it is therefore possible for someone experienced to get your password if they monitor the initial traffic between the site and your computer. It's really not worth worrying about.

- Warren

If I am not wrong it is the case that this site would need a certificate from a trusted Certification Authority in order to get a public key to be used for encrypting the information.
Encryption in a network is like a nightmare, because it is vulnerable to attacks.

dduardo
Staff Emeritus
You don't need to buy a certificate from an authority, you can create your own. The user will be prompted to accept the certificate since the it is not signed by an authority supported by the browser. Data will still be encrypted.

yep he is completely correct (^_^) but yah there are alot of sites that arent encrypted, and most often its nothing to worry about, unless your somewhere you know you shouldnt be (^_-) - but if your worried about hacks and viruses just read articles from symantec(i love the company hate the software) about security, the most important thing to protecting yourself is personal know-how

chroot
Staff Emeritus
Gold Member
TsunamiJoe,

This topic (encryption) has nothing to do with malware like viruses. As far as I'm aware, Symantec is not involved in cryptography. Encryption just keeps your information private.

- Warren

his reason for worrying about encryption was a fear of a third party stealing his information, which is something symantec does deal with, most often a third party breaks your encryption with a hack and/or a virus to bypass it, thus needing more/better encryption and additional protection against said dangers of viewing already unencrypted data. As of late alot of the viruses being massively spread are ones that are not downloaded on there own, but ones that find unencrypted sources and put there coding into that source so that when it is viewed the user without protection catches the virus, thus showing why you can merely view a website and recieve a virus due to a lack of encryption on pages and a lack of encryption between the user and the server

chroot
Staff Emeritus
Gold Member
TsunamiJoe,

That might as well have been word salad; you seem to have a very poor understanding of how computers work. The simple fact is that encryption and malware are two very different things, and they are only rarely related. You can't break encryption with a hack, though you can break programs which use encryption. Futhermore, an encrypted page (say, via SSL) can certainly still be used to transfer a virus. SSL encryption just encrypts the contents of HTTP traffic as it moves across the 'net; it has nothing to do with what's contained in that HTTP traffic.

- Warren

So what is the best way to maintain security of your account in an unencrypted site?

TsunamiJoe said:
his reason for worrying about encryption was a fear of a third party stealing his information,

BTW, it is her :grumpy:

Reshma said:
So what is the best way to maintain security of your account in an unencrypted site?

You can't. If the website isn't particularly interested in security, there isn't really anything you can do on your end to compensate for that. Just don't entrust private information to such a site.

That might as well have been word salad; you seem to have a very poor understanding of how computers work.

how dare you assume you know my extent of computer knowlage,

In order to break encryption you need a hacking program to do so, I have created and tested algorythms by using hacks to brute force them, the ONLY way to break encryption is to have another program run a series of tests(not neccisarely brute forcing, occasionaly your lucky enough to know the type of algorythm being tested so that you can narrow your testing down to fewer methods) on the encryption in order to find the key to it in order to decrypt the file and read it/edit it or stop it. Secondly NOONE manualy breaks encryptions and most often never manualy hack through a security program, encryption and malware are polar opposites, yes, but they are always related in the fact you cant sent anyone malware without either a) breaking encryption or b) bypassing it, of which we are daily developing new methods to not allow said programs to merely bypass our encryption protocols

also to help prevent being hijacked by unsecure sites dont ever say yes to those boxes that pop up asking if so and so's company can be trusted - unless your on microsoft.com and similiar sites and the company of which is asking permission is microsoft

graphic7
Gold Member
TsunamiJoe said:
also to help prevent being hijacked by unsecure sites dont ever say yes to those boxes that pop up asking if so and so's company can be trusted - unless your on microsoft.com and similiar sites and the company of which is asking permission is microsoft

I never get those boxes.

chroot
Staff Emeritus
Gold Member
TsunamiJoe said:
how dare you assume you know my extent of computer knowlage,
I'm not assuming it. You're making it obvious.
In order to break encryption you need a hacking program to do so, I have created and tested algorythms by using hacks to brute force them, the ONLY way to break encryption is to have another program run a series of tests(not neccisarely brute forcing, occasionaly your lucky enough to know the type of algorythm being tested so that you can narrow your testing down to fewer methods) on the encryption in order to find the key to it in order to decrypt the file and read it/edit it or stop it.
I'm aware of breaking a cryptosystem via brute force, and by making use of weaknesses in the algorithm to narrow the keyspace. This is not my concern.

My concern is that you claim people break encryption with viruses and malware -- something that, to my knowledge, has never been done. I have yet to learn of a virus that contains within it cracking code.

The simple fact is that it's easier to break a program and read the message out of a memory buffer before encryption than it is to mount an attack on the cipertext itself. It's also easier to drive over to the person's house and confiscate their computer equipment. No one is writing viruses or other malware which break cryptosystems. If you believe such things exist, please provide a reference. Otherwise, please stop making such silly claims.
the fact you cant sent anyone malware without either a) breaking encryption or b) bypassing it, of which we are daily developing new methods to not allow said programs to merely bypass our encryption protocols
I can send someone malware over plaintext email. Most malware programs are downloaded unwittingly through unsecure browsers by people who thoughtlessly press the "OK" button. The vast majority of websites don't use any encryption, and the vast majority of malware delivery doesn't involve any kind of encryption. I have no idea why you keep repeating yourself, but you're wrong.

- Warren

I've suddenly come to the conclusion that we're argueing the same side of a story, but with a misunderstanding between us.

My concern is that you claim people break encryption with viruses and malware -- something that, to my knowledge, has never been done. I have yet to learn of a virus that contains within it cracking code.

It appears as though my interpretation of malware is much broader than your own, which is causing the confusion, I interpret malware as anything that tampers with another program. So that anything to break encryption classifies to me as malware

I can send someone malware over plaintext email. Most malware programs are downloaded unwittingly through unsecure browsers by people who thoughtlessly press the "OK" button.
That would be called bypassing the security by convincing an unsuspecting user to click on something so that you dont have to deal with the security measures otherwise, its as if you walk up to a door, and instead of burning it down, you knock on it to get the other person to open it.

Most virus' such as trojan horses and less powerfull tracking codes more often bypass security by hiding itself within the code of another file, which is one of the major security issues of alot of todays filesharing programs, that when you download a file, say a calculator, somewhere along the line a virus has essentialy broken the encryption using the computers decrypting devices and hides itself in the file.

So no I'm not saying a file itself has a full encryption breaking program in itself, but most often has simple lines of code that access your own computers decryption certificates.

chroot
Staff Emeritus
Gold Member
TsunamiJoe,

Yes, it appears to be a disagreement on terminology. I can accept that you consider the word "malware" to include programs which can break cryptosystems. That isn't my definition, but that's okay. As far as I know, there have never been any self-replicating viruses, trojans, worms, or other programs that actually do cryptanalysis, however.

I also think we're in disagreement about the scope of the words "encryption" and "decryption." You said:
that when you download a file, say a calculator, somewhere along the line a virus has essentialy broken the encryption using the computers decrypting devices and hides itself in the file.
Neither the filesharing program nor the calculator program uses any kind of cryptography. A cryptosystem is defined by an algorithm (DES, IDEA, RSA, TwoFish, etc.), and a set of (usually rigid) protocols by which two parties communicate securely. A cryptanalysis program examines a piece ciphertext and tries to recover the corresponding plaintext. That's breaking encryption.

When a virus infects an executable, that's not "breaking encryption." When a trojan horse installs something in the Windows registry, that's not "breaking encryption."

- Warren

When a virus infects an executable, that's not "breaking encryption." When a trojan horse installs something in the Windows registry, that's not "breaking encryption."

I am in complete agreement with that statement. But what I was trying to express was, when you code something then make it an executable it is essentialy encrypted into a certain format(hexidecimal etc etc) which, personaly, I don't believe either of us can read, nor translate in efficient time.

There are programs which are encrypted and need to be decrypted before executing, same goes for messages(which are most common, the only programs I know that are encrypted are programs made by a single person whom is also trying to test algorythms or a certification program), also most filesharing programs will essential "encrypt the stream" of data, so that while in progress of being recieved, the data persay isnt being encrypted, but the stream is, for instance cars drive through a tunnel, the cars are the data, being completely unchanged, yet theres the tunnel which protects the cars from something falling on top of them to destroy them, malware. Now granted these streams are very rarely secure enough to prevent third party breakage when a person is trying to attain the information, but they are most often secure enough to prevent any computerised automatic viruses from infecting said files before they reach you.

chroot
Staff Emeritus
Gold Member
TsunamiJoe said:
I am in complete agreement with that statement. But what I was trying to express was, when you code something then make it an executable it is essentialy encrypted into a certain format(hexidecimal etc etc) which, personaly, I don't believe either of us can read, nor translate in efficient time.
That is not encryption! Machine code is definitely readable -- all you need is a table of the opcodes!
also most filesharing programs will essential "encrypt the stream" of data
I don't believe this is true. Please provide a reference.
so that while in progress of being recieved, the data persay isnt being encrypted, but the stream is, for instance cars drive through a tunnel, the cars are the data, being completely unchanged, yet theres the tunnel which protects the cars from something falling on top of them to destroy them, malware.
This is a very poor analogy. How can you encrypt a stream of data without encrypting the data? That doesn't even make any sense.
Now granted these streams are very rarely secure enough to prevent third party breakage when a person is trying to attain the information, but they are most often secure enough to prevent any computerised automatic viruses from infecting said files before they reach you.
How is a virus going to infect a stream of bytes going across the network? That would involve a very sophisticated attack on the TCP/IP protocol itself, which, again, I don't think has ever been done. If you think it has been done, please provide a reference.

- Warren

That is not encryption! Machine code is definitely readable -- all you need is a table of the opcodes!
as i said you cannot translate it efficiently, and secondly you can form a cryptographic algorithym to translate them into machine code, which is what the machine does

This is a very poor analogy. How can you encrypt a stream of data without encrypting the data? That doesn't even make any sense.
for instance when sending data through the ports, you can protect the port by not allowing access into it, which is done often through authorization strictly between machines without users knowing it
How is a virus going to infect a stream of bytes going across the network?
Could you perhaps reiterate this? But if your saying what I think you are, then its the same way that someone would intercept an encrypted message before it gets to one of the users, just its done by more or less random from a person's computer which he has initiated a program in to spread a virus. But again I could just be reading that wrong, and just to declare a network to me is a connection between any 2 or more machines whether it be person to server, person to person, or sever to person.

TsunamiJoe said:
as i said you cannot translate it efficiently, and secondly you can form a cryptographic algorithym to translate them into machine code, which is what the machine does

for instance when sending data through the ports, you can protect the port by not allowing access into it, which is done often through authorization strictly between machines without users knowing it

You seem to be using an extremely overgeneralized meaning of encryption. In general, just translating data between two different encodings is not considered to be encryption. And I've certainly never heard anyone claim that port blocking is a form of encryption.