Password File Protection Question

I was reading about this case

*The federal government is asking a U.S. District Court in Vermont to order a
man to type a password that would unlock files on his computer, despite his
claim that doing so would constitute self-incrimination. *

Now that’s not my question, when I read this I thought, well this is the US government, they have the best computer guys in the world, they could crack it. After all they have access to the laptop.

Here’s the second part of the story

*The agents seized the laptop, and a Vermont Department of Corrections
investigator copied its contents. But the investigator could not get access
to the drive Z content because it was protected by Pretty Good Privacy, a
form of encryption software used by intelligence agencies in the United
States and around the world that is widely available online. PGP, like all
encryption algorithms, requires a password for decryption. *

Now I’m thinking OK shouldn’t the company that sells the software Pretty Good Privacy have the algorithm or whatever you call it used to create a password?

I guess I’m not understanding how that works. Why would the government allow such software to be sold. It was my understanding the government required cell phone providers to allow them access to decoders so while the general public couldn’t decode cell phone calls, the government could (subject to regular laws).

I guess the question is why doesn’t the government just ask the manufactures of Pretty Good Privacy for their encryption method. Isn’t that normally how you solve an encryption method?

Oops sorry I accidently cut and pasted too much. I know you’re not allowed to paste entire articles that wasn’t my intention. Can a moderator please fix that.

Sorry about that…

If you can use an algorithm to get the password then you don’t have good encryption.

The PGP algorithm is public knowledge.

Also the government does not break the encryption on phone signals. They require the phone companies to have equipment that can record the phone calls as they pass through the normal phone network.

The trouble with keys to the kingdom of encryption is that as soon as ANY one too many people have access, it is not secure anymore.

If the company sell outside the US, the other places in the world are vulnerable also because that key IS GOING to get sold… I can see the company not wanting it let it go, they would be bankrupt in a day…


It comes down to cost benefit ratios…

This idiot had child porn… Ohhhhhh badddddddddddd

But they are not willing to spend the $ to crack the code…

Now if it was a 15 Billion drug deal, well, a Billion would be worth it.

A real honest to Og bad guy plot they have to crack… They will crack it…

As much as I hate child porn, this should get a pass… Sounds like he is so stoopid that they will get him soon anyway… Just trying to back door a way to save $$$ down the line…

It is always about money…


The government knows the PGP encryption method, as noted above it’s freely available. And no, that’s not how you solve an encryption method. As far back as 1883, it was realised it was best to assume that encryption methods are known to your adversaries … it’s point 2 of Kerckhoff’s principle :-

Uh… You seems to not know very much about encrypting. It’s not always about the money. There are encryption methods so strong, that simply there is not enough computing power in all machines in the world to crack it within thousand or millions of years - so they are in all practical terms unbreakable.

The password, for better or worse, is chosen by the user. The algorithms are public knowledge. The ultimate strength of the encryption is usually limited by the password chosen by the user.

Not all versions of PGP are commercial products. In fact, many are the result of international open source projects, maintained and developed by volunteers.

The government doesn’t outright prohibit strong encryption on cell phone networks, they just use their influence, which is immense, to discourage it.

IMHO, the government has no legal basis to regulate the sale, distribution or possession of encryption software. It’s closely related to freedom of speech, the right to privacy, and the right to remain silent. Export is regulated under ITAR, like other technology with military applications.

That’s assuming that they have a warrant, or other legal authorization, and are willing to go through official channels. There are companies that produce portable systems that can monitor cell phone calls in the field. Guess who their major customer is?

Assuming the law were changed so that the government could legally require the owner to enter the password (which doesn’t seem likely, or a good idea, but never mind…), you still can’t compel someone to actually do it.

Sure, you can then charge them with perverting the course of justice, or withholding evidence, or some such, but that’s not going to result in them being locked up forever, in any sane system of justice - and it certainly doesn’t seem right to change things so that a person could be jailed for life for merely refusing to type a word into a computer.

Welcome to life in the UK

The trick is using plausible deniability. If you have material you wish to hide, and you fear compulsion, you created an encrypted container. Within that container, you store material that may justifiably require encryption - personal data, password files, etc. Then you create a second hidden container within the first for the really secure material, with it’s own passphrase. You can be compelled to open the primary container under duress, but if you never reveal the existence of the hidden container, you cannot be forced to and no-one can even prove that it is there. Of course, if you have a 10Gb encrypted container with 10Mb of used files, someone may get suspicious. The other thing is that your hidden files cannot be protected - if someone copies a 10Gb file into the opened container, it will overwrite the hidden container beyond recovery.


I removed the long quotation at the OP’s request. Here is a link to a previous thread we did on this story: .

There are several links to the story and related commentary in that thread. The thread did not address the topics raised by the OP.

Nope. Not any more.

An encryption “password” isn’t really a password in the old sense, like a guard on the door who knows the password and won’t let you in unless you do too. Instead, it’s more like a key. The choice of password determines the “shape” of the key.

The encryption algorithm combines the key with the data in such a way that the data is scrambled. This process isn’t reversible without the key. Knowing the algorithm used doesn’t help you at that point. It’s like knowing how a pin-tumbler lock works; you know that the pins all have to be raised by specific amounts but that doesn’t give you the key to any particular lock.

In fact, it’s considered good encryption protocol not to keep algorithms secret. A public algorithm is much more likely to be tested and have any weaknesses exposed than a secret algorithm.

The “strength” of an encryption method is often given in terms of “bits”, e.g. 128 bit encryption, 256 bit encryption etc. This can be approximately thought of as the length of the password used. The simplest method of breaking cryptotext is to try all the possible passwords one at a time. Computers are very good at e.g. running through all the words a dictionary, for example. This is called brute-forcing. For long passwords, brute-forcing takes an unreasonable amount of time - centuries or milennia.

There are some much smarter attacks that can be made on cryptotext, and wiki describes a few, but basically a well-implemented strong encryption scheme with a long password isn’t breakable by any methods or agencies we know about. Poorly implemented schemes however can be broken even if the algorithm is strong. Using a weak password for example makes the cryptotext vulnerable to some of the more sophisticated attacks. It’s like buying a pick-resistant lock and leaving your spare key under the doormat.