Quote: Originally Posted by Corona688
It's secure enough for some governments, so I'd say so.
Haha.. not the best metric to measure crypt security these days...
In case you missed the news, the US NSA paid RSA $10M USD to make a known weak cipher the default crypto in the RSA crypto toolkit used by many products and companies. This was done to create a back door so NSA could easily break the encryption.
On another note, the Rijndael cipher used in AES ccrypt has been the subject of a variety of successful attacks, for example (from the reference above):
Quote:
The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011. The attack is based on bicliques and is faster than brute force by a factor of about four. It requires 2^126.1 operations to recover an AES-128 key. For AES-192 and AES-256, 2^189.7 and 2^254.4 operations are needed, respectively.
So, it's not straightforward to answer questions like "Is ccrypt AES 256bit secure enough?" because the answer depends on what data you are trying to secure.
For the original poster, he says he wants to secure a ".TXT file with my passwords on cloud storage like Google Drive?" ... so that begs a number of security related questions:
Why store them on Google Drive? Why not store the encrypted data on a USB stick or burn it to a CD and keep it in a safe place off the net?
If the passwords are used to encrypt "casual" data and you are not concerned about governments or sophisticated criminals breaking your crypto, then perhaps it is OK to store your encrypted file on the net.
You should know that Google will make your files available to authorities without your knowledge under certain situations - so if you are doing things that make you a suspect to a government (like criminal activity, terrorism, etc.) then your AES crypto file on Google's cloud is certainly not secure and it can be accessed (by governments under certain conditions) and broken if required.
However, if you are just a normal person without a need for super secrecy and not a national security threat or criminal, you still need to realize that when you store on a cloud, it is really "not very secure" by definition. So you will be relying mostly on the strength of the crypto.
Now, if you have passwords protecting $100M USD of assets, then I don't think it's very secure to store these passwords on a cloud with ccrypt AES 256; and you should consider strong crypt with key length of 1024 or greater.
Risk is the intersection of many things (actually three things) - vulnerability, threat, and criticality.
Rijndael 256 has known vulnerabilities, so the rest of your risk management decision is based on threat and criticality. If you are not threatened by governments, criminals, or your ex-wife trying to get into your bank accounts (LOL) and you don't have anything so critical, then maybe you are "OK" using Rijndael 256 on a cloud.
However, I would not recommend it.
I would not recommend you store your encrypted password file on any cloud storage, and instead keep it on a USB stick or similar "local" media that is easy for you to use, but very difficult for others to access.
And, if your data is very critical, then perhaps consider a 1024 bit key length versus 256.. or longer.
Hope this helps.