Advanced Encryption Chapter
I know, I have already discussed different areas of encryption in varying levels of detail. But I think an aspect that needs to be highlighted even further is a point I made shortly above. “When you are literally fighting for your life online, NEVER put all your trust into one company or service”. This applies to encryption on every level as well. Say you have a folder with 6-7 top-secret files in it and you need to make sure this folder is secure from all forms of compromise. You would want to make sure this folder was stored on a system that was completely encrypted and away from prying eyes. I personally would FDE a USB with VeraCrypt and a 45-50-character password. I would make sure the encryption algorithm was cascading like AES(Serpent). I would then mount the encrypted USB and place say 400 random files (pictures, random .txt files, etc) on the root directory. Then VeraCrypt (or MacOS with encrypted .dmg) would be used to create an encrypted container on the same USB using a different 50-character password and 3 keyfiles selected from the 300 images.
The folder container sensitive information would then be stored within the VeraCrypt container on the encrypted USB. To attack this setup, one would first need to break into the USB by attacking VeraCrypt; either by bruteforcing the password (not easily done with length of password), or attacking the encryption itself (which is also not happening due to cascading mode used). To put things bluntly, the FDE on the USB isn’t getting broken into unless they can steal your password. Furthermore, this adversary would also need to then successfully break into the VeraCrypt container being stored on said USB. Another feat that is pretty much impossible due to the 50-character password and added security of using 3 keyfiles from a 400 choice lot. 'apt-get install overkill --fix-missing'
When we take this same sort of thinking and apply it to securely communicating with someone, we should find ourselves looking for a method that would allow us to employ our own encryption over top of the encryption provided by the service we are using to communicate. Ideally, something like XMPP (using OTR and your own server of course) using Tor Messenger to keep things anonymous would be a good and secure method to communicate. On top of this, we could write our messages locally in a .txt document and then encrypt the text with the other person’s PGP key before sending it to them. An adversary would first have to break OTR (Off-The-Record) or attack the client we are using AND crack the PGP encrypted messages. The OTR protocol should make use of perfect forward secrecy to assure that even if you lose your private key, no previous messages can be compromised. No matter what form of communication you use, I would make sure it employs strong PFS, and has an easy way to add a form of encryption on top of it (like PGP). I am with Snowden when he says that Signal is a very secure way to communicate with someone. BUT, one would ideally need a true burner phone that doesn’t link to their identity or they have to give out their personal phone number to the other party. AND they need to be able to verify the source code on the device they are installing it on; a feature that is not yet available for iOS.
Another big issue we run into when we look at communicating securely with someone is how we chose and deploy this “method” of communication. If the FBI, CIA, GCHQ, or another big name organization knows we are using [email protected] over XMPP to initiate our secret communications with someone, they know what to attack. However, if we meet someone in a random TeamSpeak server, private message them the details for an encrypted IRC server employing good SSL and not logging connections, then initiate an OTR chat with the person on that IRC server to exchange XMPP usernames, OTR fingerprints, and PGP key information, we would be seriously decreasing the chance of those government organizations being able to attack us. Since they are unable to actively determine how we are communicating (if we are routing all connections through Tor and VPNs), we have used some obscurity to our advantage.