[the Thing]

(02-04-2016 04:45 PM)DaveR Wrote:  

...

Hey man, thanks.

I didn't want to go into too much detail because in retrospect, a couple of books could be written from these concepts. For example I called PGP straight up an asymmetric cipher, but it actually is a hybrid system which uses both symmetric and asymmetric cryptography concepts. When PGP will encrypt a message an AES symmetric stream cipher is generated on the fly and this symmetric key is then encrypted with RSA public keys of all recipients. On the recipient side, the RSA private key is used to get the AES symmetric key which is then used to decrypt the message. Also, AES runs much faster than RSA, and new generation Intel processors contain special hardware that further accelerate it. RSA also increases file size, for example a 1,024 bit RSA key by design can only encrypt 117 bytes of plaintext in 128 bytes of ciphertext, therefore message sizes increase by ~10% and this matters when encrypting large files. Lastly it is much more feasible in terms of processing power and file sizes to encrypt only the AES key for each recipient instead of encrypting the entire file in case of multiple recipients. However the AES cipher is generated on the fly for each encrypted message and it's used only once so in retrospect, even though PGP is a hybrid system, it has all the benefits of an asymmetric cipher (in which a user can send an encrypted message to another user whom he has never met before, provided that the receiving user has advertised his public key somewhere) so it's not entirely wrong to call it an asymmetric system.

Though you're very right about metadata being important. It's important to remember that when sending PGP email, your name and the subject line goes unencrypted, as well as that the email client will leak your IP address all the way to the recipient, and all third parties in between can sniff on this information. There was a guy in Sweden who got caught selling steroids. His computer was subpoenaed and even though he only communicated with PGP email, the subject lines of emails had information about his practice and this was used against him in court.

I don't really trust any 3rd party hosted service, be it an email provider or messaging app. I believe as long as something is hosted in the U.S. a 3-letter agency can get their hands on it if they want it badly enough. I had a ruggedinbox.com email account that I used on the Deep Web, they say they clean the headers off IPs and other identifying information but I still made sure I only accessed it through the Tor network and only when I needed to.

I have an upcoming datasheet about how to set up your own Fuck Phone. My fuck phone is an Android phone, running a modified version of the Android operating system, has features such as automated call recording, location tracking, encrypted voice and video calls, and is properly hardened with full disk encryption and the option to route all outgoing connections through the Tor network. I mentioned it in some thread and I remember someone asking about it, but first I need to package all installation files together to make an easy install because I configured it custom and the datasheet will be a mess if I write it that way.