a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by user-inactivated
user-inactivated  ·  3289 days ago  ·  link  ·    ·  parent  ·  post: To Encrypt or Not?

n=p*q has nothing to do with p=np. p and q are random primes that when generated and multiplied together equal a number n which is the modulus for RSA encryption.

P=NP refers to two sets of problems P and NP referring to how solvable the problem is in polynomial time. The problem's solvability in polynomial time is not actually an assumption used for any cryptographic system in use at the moment, and these are not numbers, they are sets.

So when a problem is considered NP-hard or NP-complete, it is considered "Not solvable in Polynomial time". RSA factoring is already solvable in polynomial time. The most efficient algorithm known is the Number Field Sieve, which is a polynomial equation. RSA's security actually relies on much harder assumptions than that, and makes those polynomial equations take a long time to solve.

To my knowledge, 512-bit RSA is reasonable to break using NFS on modern computers (msieve, for instance, can crack up to 110-digit modulus numbers or ~365-bit primes in about 2 days or so on a 3.3 Ghz processor). It's conceivable now that certain 1024-bit primes are solvable on NSA's machines, but not necessarily all. It's still possible, though, who knows.

I just checked Google's certificate and they are using 2048-bit encryption for their RSA portion of TLS. Keep in mind, this is not actually encrypting your data, a different algorithm is. TLS uses hybrid encryption, asymmetric (RSA/DSA/EC) or public key cryptography for the encryption and communication of a shared key for each session, then each session is encrypted with a symmetric algorithm (AES and Triple-DES most commonly used, but RC4 is still in use places and is weak). This is because public key cryptography on long messages is slow, while symmetric key cryptography is fast. Unfortunately, symmetric key cryptography relies on a pre-shared key, so basically we use public key crypto for the communication of a key for use in the symmetric algorithms.

Also to note, many VPN providers are audited by third parties on collection of data to make sure they are not logging anything. Despite what people believe about the NSA or FBI's legal powers, there is NO data retention requirement in the united states. Period. So many VPN providers can actually operate just fine without logging your connections. In theory the NSA can tap the line coming out assuming the VPN provider's servers are located in the US, but this just provides them with the plain-text of any non-HTTPS connection EVERYONE is using at that VPN provider, and is still anonymous.

Also, most VPNs set their servers up outside US jurisdiction, so that doesn't even really matter. Safe-Harbor laws are starting to get challenged, however, but even Microsoft has been fighting this (I can't remember if that case with Ireland was resolved yet or not). This also doesn't matter if they don't retain any logs.

Full disk encryption, also, is something that is way more important than you led on. If your phone is lost or stolen, if your laptop is lost or stolen, the entire disk, regardless of if you use some lock screen, is accessible to them if the disk is not encrypted. This means that you can grab credit card numbers, passwords, etc from cache files you had no idea existed, access to every file you have on your phone/laptop, etc. It is no protection against network attacks, you are correct, but when you have a mobile device it is still possible you can leave it somewhere or get robbed.

For phone encryption, there is really no reason not to encrypt. The only thing this means is if you forget your password/PIN/pattern, you can't recover your data, which you probably already have memorized just fine. Remote wiping a phone is not as good as one would think, since you can simply access the drive as well without connecting to any network, so the remote wipe signal will not be sent out if the person who stole your phone is savvy enough.