Ask HN: Is it safe to publish sensitive data in public if encrypted?

4 points by vrypan 9 years ago | 8 comments

Suppose you encrypt very sensitive and valuable data with the strongest available crypto. Would it be safe to store the encrypted data in public, for example in a blog post or a public github repo?

CarolineW 9 years ago |

It depends. Here are the questions that came to my mind in under 30 seconds:

* For how long must it be secure?

* Against whom must it be secured?

* What are your potential losses if it's broken?

* How can you be sure you've used a secure implementation?

* What do you think the "strongest available crypto" currently is?

* Can you be sure that the key will never be compromised?

* Where will you store the key?

* Do you need to send the key to someone else?

* Where will the encryption happen?

... and there's more.

vrypan 9 years ago | |

* For how long must it be secure? let's say for 10 years

* Against whom must it be secured? Everyone, including national agencies and organised crime.

* What are your potential losses if it's broken? A lot of money.

* How can you be sure you've used a secure implementation? No idea

* What do you think the "strongest available crypto" currently is? No idea, but I would guess someone has this answer

* Can you be sure that the key will never be compromised? No, but this is a separate problem, I assume here that the key is not compromised.

* Where will you store the key? Off-line

* Do you need to send the key to someone else? No.

* Where will the encryption happen? Locally.

tallship 9 years ago | | |

Considering that you don't know whether you can be sure that you've used a secure implementation, then the answer is a resounding, NO! It is not, by your own admission, 'safe' to publish any data that needs to remain secure in a publicly available setting.

Once you can answer yes to:

<snip> How can you be sure you've used a secure implementation? No idea </snip>

Then you will be able to ascertain for yourself whether your encrypted data, placed in a publicly available location, is "Safe Enough", "Secure Enough" for your needs.

It would be naive to assume that any data placed somewhere, encrypted or not, is stored with a completely invulnerable method.

That having been said, one must rise to the occasion of determining how secure something needs to be, and then availing oneself of the means to achieve that level of security.

I hope that helps, but in reality, there really isn't a cut and dried YES|NO answer - only relative levels of reasonable assurance in securing your data and communications.

CarolineW 9 years ago | | |

>> What are your potential losses if it's broken?

> A lot of money.

What is the potential gain to your adversaries?

The other question is: Why would you do this?

The answer is: You can publish things that are encrypted, but the level of confidence is tied up with knowing that the encryption is secure against all attack vectors as applied by your most determined and well-resourced adversary for ten years, during which time advances in attacks will be made.

If you think no one will really care, if your adversaries have little or nothing to gain, then you're probably fine.

If they stand to gain a lot, you're probably not.

But I'm not an expert, I'm just trying to highlight some of the issues for you.

sova 9 years ago | | |

Elliptic Curve Cryptography

fergbrain 9 years ago |

My understanding is that NSA considers classified data that has been encrypted using a suitable cipher/key to be unclassified and suitable for transmission on unsecure systems/networks.

SXX 9 years ago |

Vernam cipher will come to rescue.