What is Symmetric Cryptography?

“In symmetric cryptography, the sender and the receiver use the same secret key and the same cryptographic algorithm to encrypt and decrypt data. For example, Alice can encrypt a plaintext message using her shared secret key and Bob can decrypt the message using the same cryptographic algorithm Alice used and the same shared secret key.”
That is, symmetric cryptography is what most people think of when they imagine codes and code breaking.  It is also old-school cryptography, including one-time pads and the like.

plain text    78617 78377 50528 37726 48357 57578 31118 36868 6883
key           13698 93797 05536 49550 66877 17941 11148 70355 7593
cipher text   81205 61064 55054 76276 04124 64419 42256 06113 3376

“The key needs to be kept secret, meaning that only Alice and Bob should know it; therefore, an efficient way for exchanging secret keys over public networks is demanded. Asymmetric cryptography was introduced to solve the problem of key distribution in symmetric cryptography. Popular symmetric algorithms include the advanced encryption standard (AES) and the data encryption standard (3DES).”
From: The Impact of Quantum Computing on Present Cryptography.
(The example is ours: each cipher text digit is the plain text digit plus the key digit, modulo 10, with no carries.)
How do we manage symmetric keys?
[screenshot: How is the key shared in symmetric key cryptography]

This part about key exchange is from:


Let’s use PGP and TAILS: A Beginner’s Guide

Let’s Use TAILS

(The Amnesic Incognito Live System)

TAILS is an operating system designed for security. PGP is a specific encryption program, invented in 1991 by Phil Zimmermann, whose many versions became interoperable under a standard called OpenPGP. GnuPG, also known as GPG, is an implementation of that OpenPGP standard.  If you are using GPG on TAILS, you are using PGP.

In order to ensure the confidentiality of data during transmission, to ensure its integrity, to prove that a message is authentic, and to decrypt confidential data sent to you:

(1) Choose a USB

You are going to use TAILS as a live system on a USB.  Live system means that the operating system is on your USB and it will only run in the RAM of your computer.  You want to make your computer boot from your live USB and not from your computer’s hard drive.

Note that some USBs are not compatible with TAILS:

  • SanDisk Cruzer Edge 8GB
  • SanDisk Cruzer Extreme USB 3.0 16GB, 32GB and 64GB
  • SanDisk Cruzer Fit USB 2.0 8GB, 16GB, and 32GB
  • SanDisk Cruzer Force 8GB
  • SanDisk Cruzer Glide 4GB, 8GB and 16GB
  • SanDisk Cruzer Switch USB 2.0 8GB and 32GB
  • SanDisk Cruzer USB 3.0 64GB
  • SanDisk Cruzer Blade 4GB, 8GB, and 32GB
  • SanDisk Cruzer Facet
  • SanDisk Cruzer Orbiter 32GB (hangs at installation time but boots fine afterwards)
  • SanDisk Ultra 16GB, 32GB

(2) Download TAILS 

You can use any computer to do this.  Firefox will allow you to verify your download using an add-on, which is very convenient.

If you are not familiar with TAILS, watch this outstanding video by the Center for Investigative Journalism in London:

They offer the best instruction available anywhere about how to set up TAILS and use GnuPG.


(3) Verify your download.  This must be done.

Here is a video that will tell you exactly how to do it:

(4) Choose a computer on which to use TAILS

Start with a computer to hand and make sure to set your copy of TAILS to “disable all networking” whenever you create files or perform encryption/decryption.  This is the standard way to use TAILS.

If you wish to go to an extremely high level of security, dedicate one computer that never gets online, has never been online, cannot get online–ideally with no wireless antenna, no network interface card, no hard drive, no audio/microphone ports–that you will use to run your live USB with “disable all networking” checked every time. As with the standard setup, you will store your keys on an encrypted partition using a passphrase. You will also use the encrypted partition to store revocation certificates.  A netbook will do nicely as this sort of base computer.  Flashing its CMOS is not a bad idea before you start.

(5) Learn the difference between symmetric and asymmetric encryption



(6) Create keys

In PGP, the certification key is used to sign sub-keys and to sign the keys of other people.  You want to create a (C) certification key first, and then move on to an (E) encryption key and (S) signing key.  You can also create an authentication key (A), which has special purposes.  The C key is often called the master key.

You will have some decisions to make about public key algorithms, symmetric algorithms, hashes, key sizes, and compression, but those are easy.

Generally, you do not want to use one key for everything:  CSEA.  This may open you up to attack.  Think of that certification key as your identity and protect it as such.  It can stay valid forever.  Your encryption and signing keys are recommended to have a lifetime of 2 years or so.  You can change them out.  You can save your old keys if you need to. If you have files that were encrypted with an E key, then you will need that particular key.

That certification key (C) binds itself to your E and S keys.  You only need one E and one S in most cases.  If you start to use multiple E and S keys, that can cause problems.  Gpg will usually default to the latest key you created.

(7)  Generate revocation certificates. 

You want to escrow that certificate, probably on a piece of paper, and store it away from your device in a secure place such as a safe.  If you lose your confidential device, you can revoke your keys–no one can assume your identity.

(8) Set the preferences for how your keys will function.

That is done in the configuration file.
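As an added illustration of what such a configuration file looks like (this is not from the original guide, and the option values are our own choices), the following gpg.conf fixes the algorithm decisions mentioned in step (6) and the key preferences of step (8). All options shown are real GnuPG options; the file normally lives at ~/.gnupg/gpg.conf, which on TAILS should sit on the encrypted persistent volume if you want it to survive a reboot.

```conf
# ~/.gnupg/gpg.conf  (added example; adjust algorithm lists to your needs)

# Algorithms advertised on your key: people encrypting TO you pick from these,
# in this order. Strong hashes first, then ciphers, then compression.
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES CAMELLIA256 ZLIB BZIP2 ZIP Uncompressed

# Algorithms YOU use when encrypting, signing and compressing, by preference.
personal-cipher-preferences AES256 AES192 AES CAMELLIA256
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed

# Hash used when your certification (C) key signs other people's keys.
cert-digest-algo SHA512

# Passphrase-to-key settings: used for --symmetric files and for protecting
# your secret keys on disk. Mode 3 is iterated+salted; the count is the
# maximum GnuPG accepts and makes passphrase guessing slower.
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712

# Display settings that make key verification less error-prone:
# long key IDs plus full fingerprints instead of short, collidable IDs.
keyid-format 0xlong
with-fingerprint

# Leave no version banner or comment lines in armored output.
no-emit-version
no-comments
```

The preference lists are the part that actually changes how your keys "function": default-preference-list is baked into your public key when it is generated or when you run setpref in gpg --edit-key, so set it before step (6) if you want the new key to carry it.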

That’s It!  You are ready to use PGP.






Cryptogeddon: Will Quantum Computing Kill Public Key Cryptography?

This is a very interesting article on a salient point in information security.  It is even readable.  Bruce Schneier insists that one-time pads are not the future of cryptography.  Sometimes one wonders.

The Impact of Quantum Computing on Present Cryptography



Here is an interesting quote from the conclusion:

“The consequence of this technological advancement is the absolute collapse of the present public key algorithms that are considered secure, such as RSA and Elliptic Curve Cryptosystems. The answer on that threat is the introduction of cryptographic schemes resistant to quantum computing, such as quantum key distribution methods like the BB84 protocol, and mathematical-based solutions like lattice-based cryptography, hash-based signatures, and code-based cryptography.”

If You Are Not Sure How to Set Up a Computer That Has Good Security: Mozilla Add-ons + a Good PC Setup

You only have normal information security needs, you are not an IT professional, and you want to cut through the verbiage and have a safe computer.

(1) The unpleasant fact is that you cannot absolutely secure any computer that touches the internet. But you can improve your security greatly.  A first step is to get yourself away from Windows, the most attacked operating system in the world, and one that spies on you like a professional.  Some people say this is arguable, especially when they simply like Windows, but it is better to say goodbye. Go with Fedora as your operating system.  It is easy to use and it is free.  Keep in mind that Linux-based operating systems like Fedora are attacked in the same ways as Windows, but there is real benefit to cutting the cord to Microsoft.  All operating systems are somewhat mediocre.  There is nothing we can do about it at the moment.

However, if it has the name of a big American company on it, then don’t use it.  This really helps. You want to get away from Google, Microsoft, etc., as much as you can.  Let me emphasize this:  you especially must get away from Windows, Apple, and Google.  Other flavors of Linux are also good such as Ubuntu, Puppy, Mint, OpenSUSE, etc.  Puppy is easy to run in memory only.

Once you install Fedora you can use GnuPG, manage keys, install rkhunter, unhide, chkrootkit, clamav, and lynis.  It is all free.

(2) Use Mozilla as your browser and only Duckduckgo as your search engine.  Use the following Mozilla add-ons, and make sure to avoid Ghostery, which is a fraud.

This first add-on is your friend.  It stops tracking across tabs.  You can reduce much of what a company has to collect and sell about you.

[screenshot of the add-on]

This one is highly recommended for blocking trackers.

[screenshot of the add-on]

This one is dreaded by the people who track you.

[screenshot of the add-on]

Obfuscate the trail of your internet life.

[screenshot of the add-on]

Make it harder for hackers.

[screenshot of the add-on]

Those add-ons have been tested to see if they work together.  They do.

(3)  Use ProtonVPN to encrypt your traffic through your ISP.  Also use Protonmail as your email provider.  It is really worth it.  End-to-end encryption is the way to go.  We have analyzed their PGP keys, and it all looks good. They do a superior job in email and as a VPN.

[screenshot: ProtonVPN, Secure and Free VPN service for protecting your privacy]

There are many other add-ons which are very good to use.  HTTPS Everywhere comes to mind.

(4) You must use strong passwords. Use Diceware to generate a password/passphrase that you can depend on.

Diceware is a good way to generate a dependable passphrase.  You can also measure its strength.  The Electronic Frontier Foundation also has a list of words to use.  Here is an example of a diceware password:

rice immorally worrisome shopping traverse recharger

Notice that one should keep the spaces between words.

Diceware + 

So let’s now do three things:

(1) capitalize one word   (2) insert one group of symbols  (3) insert a number

rice immorally WORRISOME shopping traverse $**))1848 recharger

It is very important to note that a truly powerful password is generated randomly, but this method of Diceware or Diceware + does create demonstrably strong passwords.
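To put a number on "measure its strength": a Diceware word is chosen by five dice from a list of 6^5 = 7776 words, so each word contributes log2(7776), about 12.9 bits, and the six-word example above carries about 77.5 bits. The following Python is an added example, not part of the original post or of the Diceware or EFF projects. It uses the operating system's cryptographic random source in place of physical dice, shows how a five-dice roll indexes a list, and computes the entropy of a passphrase; the six-entry word list is a constructed stand-in for the real 7776-word list and is far too small to use for a real passphrase.

```python
import math
import secrets

# A real Diceware list (e.g. the EFF long list) has 6**5 = 7776 entries, one
# per five-dice roll from 11111 to 66666. SAMPLE_WORDS is a constructed
# stand-in holding only the six words from the post's own example, so that the
# code runs offline; entropy figures are computed for the real list size.
DICEWARE_LIST_SIZE = 6 ** 5
SAMPLE_WORDS = ["rice", "immorally", "worrisome", "shopping", "traverse", "recharger"]


def roll_dice(count=5):
    """`count` fair dice rolls from the OS CSPRNG, each in 1..6 (stands in
    for physical dice; never use the non-cryptographic `random` module)."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def rolls_to_index(rolls):
    """Map a dice roll such as [1, 1, 1, 1, 2] to a 0-based list index.

    Reading the dice as a base-6 number is exactly how a printed Diceware
    list is indexed: 11111 -> 0, 11112 -> 1, ..., 66666 -> 7775.
    """
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"bad die value {r}")
        index = index * 6 + (r - 1)
    return index


def lookup_word(wordlist, rolls):
    """Look a roll up in a full-size list: five dice need all 7776 entries,
    otherwise some rolls would have no word (or words would be reused)."""
    if len(wordlist) != 6 ** len(rolls):
        raise ValueError(f"need a list of exactly {6 ** len(rolls)} words")
    return wordlist[rolls_to_index(rolls)]


def diceware_passphrase(wordlist, num_words=6):
    """Choose `num_words` words uniformly at random and join them with single
    spaces. Keep the spaces: they are part of the passphrase."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of `num_words` words drawn uniformly from `list_size` words:
    num_words * log2(list_size). Six words from 7776 give about 77.5 bits."""
    return num_words * math.log2(list_size)


def strength_of(passphrase, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a space-separated Diceware passphrase, assuming every word
    came from the dice. Hand-made 'Diceware +' additions (a capital, some
    symbols, a number) are deliberately not counted: a human choice is not a
    uniform random draw, so its contribution cannot be stated exactly."""
    return entropy_bits(len(passphrase.split()), list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDS))          # toy list, demo only
    print(round(strength_of("rice immorally worrisome shopping traverse recharger"), 1))
    print(words_needed(80), words_needed(128))          # 7 and 10 words
```

The only way to raise the number strength_of reports is to add dice-chosen words: seven words pass 80 bits, ten words pass 128. That is the point the post makes about randomness; the Diceware + additions make the passphrase longer and harder to guess, but they do not give a figure you can defend.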



How to Delete Facebook: to Not Have and to Not Hold and Forever Do Us Part

So, you finally got tired of bambi-eyed Zuckerberg and his hyper-aggressive machine of lies and tricks whose one goal of existence is to grab your data?  Good for you.

1.  Get rid of what devices you can and wipe the ones you cannot.

2.  Delete your Facebook account–after you stick some fake information on there. Facebook does not make it easy and fast to delete your account.  They would prefer that you deactivate it.  It is not obvious at all how to delete your account.  You actually have to go through several menus such as “learn more” and one in which you request to be deleted.  They give you 14 days to decide if you really want to go.  Aw, shucks…  they love you.  Well, not really.  They love selling you as if you were a product.  Bambi/Zuckerberg is not the most honest guy on the planet, and saying adios to his deception feels good.

3.  Start with a new or wiped desktop/tower computer/laptop/notebook.  This device is going to be the one you connect to the internet.  Wipe it again.  Download the latest version of Fedora or TAILS.  Fedora is very intuitive, and you can put it on your hard drive.  Or you could start using TAILS as a live USB and leave the hard drive empty.  The point here is to use a linux-based OS that does not collect on you or otherwise link to a big company.  Puppy Slacko is also a very good option.  What is not a good option is anything with Microsoft or Google written on it.

4.  This computer is not going to be used for any social media whatsoever, except perhaps Keybase.

5.  Verify your Fedora download.  Put it on your HDD.  Purchase ProtonVPN and a Protonmail account for your email.  Their servers in Switzerland are recommended.  Use Mozilla as your browser, with the following add-ons:  TrackMeNot, uBlock Origin, Privacy Badger, HTTPS Everywhere, and User-Agent Switcher.  All of these are fun to play with.  You can also use NoScript, which is actually a very good idea, but it does require some attention.  It will give you a very clear picture of how web pages are tracked, and how you can stop it.

Most importantly, you want to use the add-on for Mozilla called “Multi-account Containers”–this is easy to use, and it effectively stops tracking from website to website.

6.  In Fedora, under software, you can download and use BleachBit, to delete cookies, empty the Firefox Cache, and clean up disc space.

7.  That’s it.  From then on, avoid Facebook, avoid liking stuff on other websites, use the containers, use your VPN, and you just got your privacy back.  Spend some time to learn the details of using the add-on NoScript, a powerful tool for your browser. Again, use the containers, and make it a habit.  Congratulations!

Speaking of Security: How Can the USA Better Protect its Classified Information?

Strictly speaking, putting a label on classified information does not protect it. In fact, the appearance of protection may be one part of the problem–unless the label and the efficacious protection were to go together. As a theoretical construct, such a system looks doable.

Make the container match the level of classification.  Labels with different colors do not actually protect anything.  The strength of the container should be consonant with the level of classification of the information inside, and it could have other important features such as tracking who saw it, where it was, when it was viewed, etc.

In the case of paper, instead of merely having a file on a desk, one could have a file that is a container which offers different levels of protection and also records metadata.  It might look like a file, but it would be more secure:  papers won’t fall out, the location of the file could be tracked very easily.

Electronic files with varying levels of encryption, physical security, and information collection capabilities, might be better than having loose papers and terabytes of downloadable information floating about.

Security is Relative, not Absolute

Many security products promise the moon and stars with ridiculous statements such as “stop hackers” and “100% safe”–which are misleading at best and dirty lies at worst. No one likes to be uncomfortable about security, but the truth is very uncomfy indeed:  there is no such thing as absolute security in information security, especially on the leakiest of untight and unwieldy ships, the U.S.S. Internet.

Kleptography is the new reality, and kleptotrojans in random number generators/compilers/key generators are a lethal threat.  What is kleptography, you ask?  Kleptography is using encryption to steal everything on your computer without your knowledge.

Getting on the internet means being open to the delivery of kleptographic tools.  Almost as bad, we now have the internet of things (IoT), another series of threats.  What is the solution?  For the information that you want to keep private, you must go off-line.  If your life depends on it, air gapping is the only solution.  If you are using a computer, as you probably are at this moment, everything on that computer is up for grabs.  That is fine, as long as you know it and you don’t mind that what is on there can be lifted very easily.

But there is strong security and near-absolute security for all levels of information.  We can have a high expectation of privacy, anonymity, or both, with good products and best practices.

Using a product such as Protonmail for your email provider is an instance of employing strong security to ensure privacy.  Encrypting a file off-line with a symmetric cipher such as CAMELLIA256 and hashing it with SHA512, and sending that over Protonmail would be even better.  Using a one-time pad, encrypting it with an appropriate public key or a symmetric cipher, and sending that over an end-to-end encrypted provider like Protonmail is near-absolute security (NAS).  NAS is as good as it gets. Done properly, such a message will remain unter vier Augen (strictly between the two parties), and will have never really existed once the key to the one-time pad is destroyed.

That said, one must be aware of, and follow, the laws that apply to cryptography in your area.  For example, in Thailand it is illegal to destroy keys.  In Thailand, you can use symmetric keys, but you must keep a copy because that is the law.  Find out what the laws are for cryptography in your jurisdiction.

Can One Use Numbers as a One-Time-Pad Key? (a question at Cryptography Stack Exchange)

Yes, you can use numbers as a one-time-pad key. In fact, the CIA used to do it all the time, as did many others.

When you use numbers, the plaintext letters are first turned into digits by referring to a conversion table such as the venerable “Tapir” table used by the Stasi.

[image of the Tapir conversion table]

Here the addition will be modulo 10. Vernam Cipher, or the one-time pad (OTP), can also be done modulo 2:


message: 0 0 1 0 1 1 0 1 0 1 1 1 …
pad:     1 0 0 1 1 1 0 0 1 0 1 1 …
         XOR
cipher:  1 0 1 1 0 0 0 1 1 1 0 0 …

cipher:  1 0 1 1 0 0 0 1 1 1 0 0 …
pad:     1 0 0 1 1 1 0 0 1 0 1 1 …
         XOR
message: 0 0 1 0 1 1 0 1 0 1 1 1 …

Or it can be done modulo 26 (with English letters, for example):
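The numeric groups in the first post above (plain text 78617 …, key 13698 …, cipher text 81205 …), the XOR form just shown, and the letter form are all one operation: add the pad to the message, position by position, modulo the size of the alphabet (10, 2 or 26), and subtract it to decrypt. The Python below is an added example, not part of the original post or of the Stack Exchange answer. It implements all three variants with one shared helper, draws fresh pads from the operating system's cryptographic random source, and checks itself against the page's own digit groups and bit strings; the letter example HELLO / XMCKL is a constructed input.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # A=0 ... Z=25 for the modulo-26 variant


def otp_combine(message, pad, modulus, decrypt=False):
    """Combine two sequences of residues element by element.

    Encryption adds the pad value (mod `modulus`); decryption subtracts it.
    The pad must be at least as long as the message, and for real one-time
    pad security it must be uniformly random and never reused: only then is
    the ciphertext statistically independent of the plaintext.
    """
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    sign = -1 if decrypt else 1
    return [(m + sign * p) % modulus for m, p in zip(message, pad)]


def generate_pad(length, modulus):
    """Fresh pad from the OS CSPRNG. Never use random.random() for this."""
    return [secrets.randbelow(modulus) for _ in range(length)]


# --- modulo 10: numeric groups, as in the numbers-as-key example ---
def digits_otp(text, key, decrypt=False):
    """Apply a numeric one-time pad group by group, keeping the group layout.

    `text` and `key` are strings of digit groups separated by spaces, e.g.
    "78617 78377" and "13698 93797". Each key group must be at least as long
    as the matching text group; a shorter pad would force key reuse.
    """
    text_groups, key_groups = text.split(), key.split()
    if len(key_groups) < len(text_groups):
        raise ValueError("key has fewer groups than the text")
    out = []
    for tg, kg in zip(text_groups, key_groups):
        if len(kg) < len(tg):
            raise ValueError(f"key group {kg!r} shorter than text group {tg!r}")
        digits = otp_combine([int(c) for c in tg], [int(c) for c in kg], 10, decrypt)
        out.append("".join(str(d) for d in digits))
    return " ".join(out)


# --- modulo 2: the XOR form shown in the bit example ---
def bits_otp(bits, pad):
    """XOR is addition mod 2 and is its own inverse, so one function serves
    both encryption and decryption."""
    return otp_combine(bits, pad, 2)


# --- modulo 26: English letters, A=0 ... Z=25 ---
def letters_otp(text, pad, decrypt=False):
    """Letter one-time pad. Input is upper-cased; non-letters are rejected
    rather than silently skipped, which would desynchronise text and pad."""
    text, pad = text.upper(), pad.upper()
    for ch in text + pad:
        if ch not in ALPHABET:
            raise ValueError(f"non-letter character {ch!r}")
    vals = otp_combine([ALPHABET.index(c) for c in text],
                       [ALPHABET.index(c) for c in pad], 26, decrypt)
    return "".join(ALPHABET[v] for v in vals)


def letters_pad(length):
    """Random letter pad of the given length, for the modulo-26 variant."""
    return "".join(ALPHABET[v] for v in generate_pad(length, 26))


if __name__ == "__main__":
    plain = "78617 78377 50528 37726 48357 57578 31118 36868 6883"
    key = "13698 93797 05536 49550 66877 17941 11148 70355 7593"
    cipher = digits_otp(plain, key)
    print(cipher)                                   # 81205 61064 ... 3376
    print(digits_otp(cipher, key, decrypt=True) == plain)
    pad = letters_pad(5)
    print(letters_otp(letters_otp("HELLO", pad), pad, decrypt=True))  # HELLO
```

The group-by-group check in digits_otp is the part worth keeping in mind: the last group in the page's example is only four digits long, and the only safe response to a pad that runs out is to refuse, not to wrap around and reuse pad digits.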




Here is one example of what a CIA one-time-pad key looked like during the Cold War:

[image of a Cold War CIA one-time-pad key]
