Faust, this one's for you

Started by Mesozoic Mister Nigel, May 30, 2015, 07:24:14 PM

Pæs

#45
There's a whole bunch of stuff to respond to in this thread, but the thing I hit reply for was to say that AES is still considered viable by most people. It's at least considered as secure as it was pre-Snowden. For context, I've been working in security for telcos, financial institutions and government agencies for the last ten months (consulting and offensive testing, part of the reason why I haven't had many updates on what I'm doing) and frequently use AES-256. That's not to say that it's impossible for data encrypted using AES-256 to be read by an actor with the resources of a nation-state, but that I think they would be exploiting as-yet-undetected errors in implementation, rather than deliberate weaknesses in the algorithm.

AES and PGP are typically used for different purposes. AES is a symmetric-key algorithm, which means that the encryption and decryption functions use the same key. If you want to share AES-encrypted data, you need to provide the recipient your key. Anyone in possession of this key can read and write to the conversation between you and this other party.

PGP is slower but uses asymmetric-key crypto as well as symmetric. The result of which is that someone can encrypt a message using one key (your public key) and even if everyone else knows this key as well, they cannot use it to decrypt the message. Only your private key can do that. Because of this, it's often better for communications as it ensures that only the intended recipient can read the message and lends itself better to being used to verify the identity of a party in the conversation.

PGP requires both parties to have generated keys and while not super technical, this is not a user-friendly process, resulting in it not being very well adopted by non-tech-folk. To communicate securely with people who do not have a PGP key, I would tend to encrypt it using AES and provide them with the single-use key out-of-band, preferably in person or over the phone/SMS if you're willing to add those networks to the risk register.
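
The two models described in the post above, as an added example that is not part of the original thread: AES-256-GCM with a single-use shared key, next to a hybrid scheme of the kind PGP uses (a random AES session key wrapped with the recipient's public key). It uses only Node.js's built-in `crypto` module; it is not the OpenPGP message format, and the function names and sample message are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Symmetric: the same 32-byte key both encrypts and decrypts.
function aesEncrypt(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function aesDecrypt(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag); // final() throws if the key is wrong or the data was altered
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hybrid: AES encrypts the message under a random session key, and only
// that session key is encrypted with the recipient's public key.
function hybridEncrypt(recipientPublicKey, plaintext) {
  const sessionKey = crypto.randomBytes(32);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, box: aesEncrypt(sessionKey, plaintext) };
}

function hybridDecrypt(recipientPrivateKey, { wrappedKey, box }) {
  const sessionKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, wrappedKey);
  return aesDecrypt(sessionKey, box);
}

// True if fn() completes without throwing.
function succeeds(fn) { try { fn(); return true; } catch { return false; } }

function demo() {
  const msg = 'meet at noon'; // constructed sample message
  // Single-use AES key: this is the value that has to travel out-of-band.
  const singleUseKey = crypto.randomBytes(32);
  const box = aesEncrypt(singleUseKey, msg);
  // Recipient key pair, plus an unrelated key pair standing in for everyone else.
  const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const envelope = hybridEncrypt(recipient.publicKey, msg);
  return {
    aesRoundTrip: aesDecrypt(singleUseKey, box),
    aesWrongKey: succeeds(() => aesDecrypt(crypto.randomBytes(32), box)),
    hybridRoundTrip: hybridDecrypt(recipient.privateKey, envelope),
    hybridWrongKey: succeeds(() => hybridDecrypt(other.privateKey, envelope)),
  };
}

console.log(demo());
```

In the symmetric case the secret that must be protected in transit is `singleUseKey` itself; in the hybrid case nothing secret is exchanged beforehand, since only the recipient's private key can unwrap the session key.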

Pæs

And if you want your online marketplace to facilitate illegal transactions, don't roll your own custom shit in PHP and throw it on top of an experimental anonymous network with an increasing number of design weaknesses being identified then call that a day.

Pæs

Also don't keep a detailed journal of your criminal exploits. Honestly, Ulbricht was a bit of a fool who benefited from a black swan in his terrible marketplace gaining notoriety. He got all wrapped up in the theatre of being a mastermind, totally failing to actually cover his ass and they caught him with his laptop open, logged into Silk Road admin panel. You couldn't own yourself any harder.

Cain

The dude called himself The Dread Pirate Roberts.

He may as well have called himself Lupine McLoneWolfmaster, his chances of not being a self-aggrandizing dickbag were so perishingly low.

Pæs

Quote from: Cain on June 06, 2015, 03:07:14 AM
The dude called himself The Dread Pirate Roberts.

He may as well have called himself Lupine McLoneWolfmaster, his chances of not being a self-aggrandizing dickbag were so perishingly low.
:lulz: Exactly this.

Mesozoic Mister Nigel

Quote from: Cain on June 06, 2015, 03:07:14 AM
The dude called himself The Dread Pirate Roberts.

He may as well have called himself Lupine McLoneWolfmaster, his chances of not being a self-aggrandizing dickbag were so perishingly low.

:lulz: :lulz: :lulz:
"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."


Pæs

Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

minuspace

#52

[Re: Pidgeon malfunction]

POFP

Quote from: Pæs on June 06, 2015, 11:24:59 AM
Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

Probably. Hence, why I prefaced it with "I forget exactly how it works." Sorry about the laziness. I'll get back to this when I have time.
This Certified Pope™ reserves the Right to, on occasion, "be a complete dumbass", and otherwise ponder "idiotic" and/or "useless" ideas and other such "tomfoolery." [Aforementioned] are only responsible for the results of these actions and tendencies when they have had their addictive substance of choice for that day.

Being a Product of their Environment's Collective Order and Disorder, [Aforementioned] also reserves the Right to have their ideas, technologies, and otherwise all Intellectual Property stolen, re-purposed, and re-attributed at Will ONLY by other Certified Popes. Corporations, LLC's, and otherwise Capitalist-based organizations are NOT capable of being Certified Popes.

Battering Rams not included.

Mesozoic Mister Nigel

Quote from: PlightOfFernandoPoo on June 07, 2015, 12:37:50 AM
Quote from: Pæs on June 06, 2015, 11:24:59 AM
Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

Probably. Hence, why I prefaced it with "I forget exactly how it works." Sorry about the laziness. I'll get back to this when I have time.

I think you meant to preface it with "I have no real idea what I'm talking about".


Reginald Ret

Quote from: Mesozoic Mister Nigel on June 07, 2015, 03:13:45 AM
Quote from: PlightOfFernandoPoo on June 07, 2015, 12:37:50 AM
Quote from: Pæs on June 06, 2015, 11:24:59 AM
Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

Probably. Hence, why I prefaced it with "I forget exactly how it works." Sorry about the laziness. I'll get back to this when I have time.

I think you meant to preface it with "I have no real idea what I'm talking about".
Nigel, I love it when you are Nigeling someone who is not me.
Lord Byron: "Those who will not reason, are bigots, those who cannot, are fools, and those who dare not, are slaves."

Nigel saying the wisest words ever uttered: "It's just a suffix."

"The worst forum ever" "The most mediocre forum on the internet" "The dumbest forum on the internet" "The most retarded forum on the internet" "The lamest forum on the internet" "The coolest forum on the internet"

Mesozoic Mister Nigel

Quote from: Reginald Ret on June 07, 2015, 11:10:38 PM
Quote from: Mesozoic Mister Nigel on June 07, 2015, 03:13:45 AM
Quote from: PlightOfFernandoPoo on June 07, 2015, 12:37:50 AM
Quote from: Pæs on June 06, 2015, 11:24:59 AM
Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

Probably. Hence, why I prefaced it with "I forget exactly how it works." Sorry about the laziness. I'll get back to this when I have time.

I think you meant to preface it with "I have no real idea what I'm talking about".
Nigel, I love it when you are Nigeling someone who is not me.

:lulz:


POFP

Quote from: Mesozoic Mister Nigel on June 07, 2015, 03:13:45 AM
Quote from: PlightOfFernandoPoo on June 07, 2015, 12:37:50 AM
Quote from: Pæs on June 06, 2015, 11:24:59 AM
Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

Probably. Hence, why I prefaced it with "I forget exactly how it works." Sorry about the laziness. I'll get back to this when I have time.

I think you meant to preface it with "I have no real idea what I'm talking about".

Well, that wouldn't be completely true. I did know at one point, back when I was consistently studying in the field. I just don't know now. Hence the term "forget."

Mesozoic Mister Nigel

Quote from: PlightOfFernandoPoo on June 09, 2015, 01:59:59 AM
Quote from: Mesozoic Mister Nigel on June 07, 2015, 03:13:45 AM
Quote from: PlightOfFernandoPoo on June 07, 2015, 12:37:50 AM
Quote from: Pæs on June 06, 2015, 11:24:59 AM
Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

Probably. Hence, why I prefaced it with "I forget exactly how it works." Sorry about the laziness. I'll get back to this when I have time.

I think you meant to preface it with "I have no real idea what I'm talking about".

Well, that wouldn't be completely true. I did know at one point, back when I was consistently studying in the field. I just don't know now. Hence the term "forget."


:lulz: :lulz: :lulz:

God I hope you come back and reread these posts in five years. You're adorable.


POFP

Quote from: Mesozoic Mister Nigel on June 09, 2015, 03:29:39 AM
Quote from: PlightOfFernandoPoo on June 09, 2015, 01:59:59 AM
Quote from: Mesozoic Mister Nigel on June 07, 2015, 03:13:45 AM
Quote from: PlightOfFernandoPoo on June 07, 2015, 12:37:50 AM
Quote from: Pæs on June 06, 2015, 11:24:59 AM
Quote from: PlightOfFernandoPoo on June 01, 2015, 10:34:05 PM
It just so happens the government uses AES a lot, so I would use that with [as random as you can make them] salts and seeds, as well as making sure the key is as random as you can make it, while also making it long enough for a hash cracker to be useless. As far as I know, if you can get ahold of a hash of a small enough key, you can just bruteforce the hash and get the key easily. But, because the size of any hash is cut off, only part of the key could even be recovered if you got ahold of a hash for a very long key. Or, it would be a useless chain of characters, depending on whether length had anything to do with the hash encryption algorithm. I forget exactly how that works.

I'm not sure what you're trying to communicate here. You seem to be conflating hashing and encryption and misunderstanding both.

Probably. Hence, why I prefaced it with "I forget exactly how it works." Sorry about the laziness. I'll get back to this when I have time.

I think you meant to preface it with "I have no real idea what I'm talking about".

Well, that wouldn't be completely true. I did know at one point, back when I was consistently studying in the field. I just don't know now. Hence the term "forget."


:lulz: :lulz: :lulz:

God I hope you come back and reread these posts in five years. You're adorable.

I do know what it's like to see the absurdities in the writings of my former self. However, I don't see how that part of that post could be considered funny in the future. But, then again, maybe that's the point. Kinda hope you're right, because I may need a laugh depending on where I'm at in 5 years.