This is the first article in a series that will look at some of the best free (and cheap) security software.
Each article will focus on software that is easy to acquire, install and use. I will try to focus on software that is truly free, i.e., freely available for download with no further obligations on the part of the user. In some cases the software will be "free for home use." In other cases, the software will be shareware: free for a trial period (perhaps indefinitely). In a few cases I will discuss software that is 'cheap.' By cheap, I mean it costs less than a few tens of U.S. dollars. Legal caveat: It is always your responsibility to read the fine print, and therefore understand the conditions for use of the software.
Fair disclosure: The choice of software discussed in these articles is biased. I write about what I use and have found most accessible and easy to learn. I expect that I will miss many 'favorites.' I will try to cover some of the more popular free software (e.g., PGP/GPG) as well as lesser known programs. Most of the software will be for either Microsoft or UNIX (especially Linux) environments. On occasion, I may discuss software useful for PDAs. If I miss one of your favorites, please feel free to send me email at email@example.com. I will try to have a 'backscatter' section in future articles that references some of your favs.
In this article we will focus on software that implements hash functions and encryption/decryption. Remember hash functions? These are mathematical functions that take an unspecified number of bytes (called the pre-image) as their input and generate a fixed number of bits for their output. Well known hash functions usually produce 128, 160, 192, 256 (or more) bits of output. In a good hash function, if you change one bit of the input, approximately 50 percent of the output bits also change. Furthermore, it's virtually impossible to find two different inputs to a good hash function that will generate the same output. Therefore if two files hash to the same value, it is safe to conclude that the files contain identical content. Another important hash function property is that given a hash function output value, it is virtually impossible to deduce the input (the so-called one-way nature of hash functions). The output of a hash function is sometimes referred to as a cryptographic checksum.
Most UNIX systems already include some version of a popular hash function named MD5. C source code and executables of MD5 exist for Windows as well, but here we focus on an easier and graphical program intriguingly named Hashish. Hashish is available at: http://sourceforge.net/projects/hashish/. Versions for Windows and Unix exist. The Hashish program, when launched, looks like this:
In the pulldown pane labeled 'Algorithm' is a list of popular hash functions, including SHA (various lengths), MD5, RIPEMD-160, HAVAL and one that's new to me, named Panama Hash. After selecting the algorithm you prefer, you may enter a filename to be hashed, or, to just play with the tool, you may enter a string. Clicking the Hash button computes the hash. Simple and elegant. The only significant downside is that you can't use Hashish in scripted programs (where you would want to invoke it multiple times and store the results).
Two of my favorite cryptography programs for Windows environments are: Abicoder and EasyCrypto. Abicoder is available at www.abisoft.net/bd.html. EasyCrypto may be found at www.handybits.com. Both these programs can encrypt one or more files at a time, and both can create self-decrypting archives. A self-decrypting archive is an encrypted file that itself contains one or more files. You may send this file to another person (with a Windows OS computer) and they will be able to decrypt and unpack it without having any special encryption software installed on their system. All they need is the password that you used to perform the encryption. Of course you're not going to email them that password! You're going to tell them using an 'out of band' channel, like the telephone or in person.
Abicoder can use Bruce Schneier's Blowfish algorithm (up to a maximum of 448 bits) or triple-DES (168 bits, but perhaps a smaller number of 'effective' bits). EasyCrypto uses Blowfish up to 128 bits. Readers are cautioned to check local laws before using these (or any other cryptography) programs.
Abicoder looks like this when it's running:
Note that a Key Length meter is present to display the number of bits in your encryption key. This won't prevent you from choosing 'easy' keys, but it will show you if you're using fewer bits than you had intended.
EasyCrypto looks like this:
EasyCrypto lets you enter a password or select one from another source (see the 'Get Password From' tab). I haven't used this feature, but it appears to be able to support various hardware devices (e.g., card readers, fingerprint readers).
The grand daddy of free encryption software is PGP. PGP was developed by Phil Zimmerman and has a long and fascinating history that includes threats of U.S. government action against Mr. Zimmerman for violating encryption export laws. Space limitations prevent even a brief summary of how PGP has evolved over the last decade. What follows is a short description of the current situation. The commercial version of PGP had been controlled by NAI until recently, when NAI decided no longer to continue to develop it (see www.pgp.com for the details of NAI's current involvement with PGP). NAI had previously made an unsuccessful attempt to sell PGP. There are freeware versions of PGP available including one called GPG (Gnu Privacy Guard), and PGP is also an RFC Standard.
For more details see www.ietf.org/rfc/rfc2440.txt.
PGP/GPG programs and information may be found at the following URLs: www.openpgp.org, www.pgpi.org, www.pgp.com (the NAI site), www.gnupg.org (the GPG site), http://crypto.radiusnet.net/archive/pgp (a good site for finding recent PGP distributions), and http://munitions.vipul.net/dolphin.cgi?action=render&category=0402 (where GUIs for PGP on Linux may be found). Finally, try the PGP FAQ, www.faqs.org/faqs/pgp-faq/where-is-PGP.
PGP is a fairly complex piece of software. It uses symmetric (private) key and asymmetric (public) key algorithms. The original purpose of PGP was to allow anyone, regardless of their knowledge of cryptography or even computers, to fairly easily be able to send confidential email to others and/or to protect information locally in files. It continues to do these functions and many more, including managing encrypted folders and VPN connections.
PGP requires users to generate a key pair and to distribute the public key to people they wish to securely communicate with. The 'PGP community' provides a few PGP directories (called key servers) on the Internet for this, although one can also send one's public key by email. PGP keys may be signed by trusted third parties as a means of assuring their validity.
The downside of PGP is that it remains a tool, by and large, of people who have at least moderate levels of technical skills. This isn't really the fault of PGP, which has (IMHO) made the product as easy to use as possible without introducing weaknesses that could be exploited to steal keys, impersonate others or break file encryptions.
To say the least, there is a lot of free and low cost software that implements hash functions and encryption/decryption algorithms. Hopefully the software described here has encouraged you to go out and try some of it. And if I've missed your favorite, drop me a note and I may be able to reference it in a future article.
Richard Steinberger is a senior security architect with Cable & Wireless Internet services. Richard may be reached at firstname.lastname@example.org.