 Welcome back everyone. Today we're going to be talking about what encryption can't do and you've probably seen videos before where I'm talking about using encryption, especially using PGP or GPG To do different types of public key encryption. So today I thought I'd talk about what encryption actually can't do and I'm getting this from this book this PGP book from Simpson Garfinkel O'Reilly Media in 1994 on page 55 the end of the second chapter basically they go through what encryption can't do and I thought this was really good kind of review or consideration, so I thought we should talk about it a little bit. So first one thing encryption can't do or cryptography can't do, cryptography can't protect your unencrypted documents and what they're really talking about here is thinking about where your data is located or how you're dealing with your data before it's encrypted or potentially even while it's unencrypted, where is your data located. So for example, if you had an encrypted container and or you had an encrypted file and you decrypted, where are you storing the decrypted file? Are you ever storing that file in a location that could potentially be carved later? So if somebody got access to your computer, could they do file carving on your hard drive to be able to recover maybe a file that was deleted, but it was unencrypted some time at some point on the disk. So think about where is the data before it's encrypted and also after it's encrypted whenever you're working with the data, where is that data located and what kind of traces would remain on the system? Whenever it's not, whenever it's not being used anymore. And cryptography can't protect against stolen encryption keys. Obviously, if you're using some type of encryption or cryptography, if an attacker gets your keys, well, then they can potentially get access to all of the device or all of the encrypted files or data. So how can we actually protect against this? Well, you have to secure your keys just like you're securing your data. We'll talk a little bit more about securing data in a second, but think about how you're actually storing the keys. Now with PGP or GPG, there's a lot of discussion of, you know, how to make secure key rings and keeping key rings offline and not generating keys on an internet-connected computer and all of these things. It can get really complicated the way we do key management. But that is for a reason. It's to make things more secure. It's to make the key or the overall keys, the system, more secure. So cryptography can't protect against stolen encryption keys. All we can do is try to mitigate that as much as possible. Cryptography can't protect against destructive attacks. So sometimes attackers aren't interested in getting access to the data. They're making sure they're interested in making sure that you can't get access to the data. So cryptography can't protect against destructive attacks. Imagine that you had an encrypted file. Well, if somebody deletes that file, you can't get access to it either. If you have an encrypted container, maybe they could, if they can't, for example, delete the file, maybe they could corrupt the file in some way, which makes it difficult for you to access the data. So encryption, anyone who's ever forgotten their password or forgotten their key or whatever, knows that if you, if anything goes wrong, then you can't get access to the data or you probably can't get access to the data. So cryptography can't protect against destructive attacks and destruction, especially whenever you're dealing with encryption, is a real potential, let's say. Cryptography can't protect against booby-trapped encryption program. And this is basically talking about viruses or dealing with programs that have somehow been altered. If you're in an extremely secure environment, the only way you can guarantee that programs haven't been tampered with is if you write those programs yourself, unless you're a government agency or something like that, or maybe a huge corporation, that's probably not possible. I mean, think about, most people are using Linux or Microsoft Windows or OSX, something like that. They didn't write those programs, or they probably didn't write most of them. So think about whether we can actually trust the programs that we're using. How do we know that the programs that we're using to manage and handle our encryption have not been compromised in some way? Well, we have to just go through and test our programs, check hash values whenever we're downloading software, check for running processes or any network connections that are created or any additional programs that are running in our system whenever we run some new encryption software. All we can do is be diligent about checking the program we're using or potentially write it ourselves. But again, if we're writing our own cryptography, if you're not a cryptographer and you're writing some sort of encryption program, you're probably getting it wrong, right? So basically the best we can do as end users really is to do due diligence for our own systems and check that the application is running as we would expect it to and not doing anything overly suspicious. Cryptography can't protect you against a trader. So whenever you're encrypting something, especially if you're sending a message to someone else, if that person decrypts the message because you let them decrypt the message and then they share the decrypted message with somebody else, then there's nothing you can do about that. You've given ownership basically of the data to somebody else who has access to be able to decrypt the data. So cryptography can't protect you against a trader. If somebody can access the data, if they have permission to, then they could do anything they want with that data. And cryptography can't protect you against the record of a message or the fact that a message was sent. And this is basically referring to direct communication. So I can think of some situations where maybe you don't have direct communication, but we're talking about the channel here. So in the book, they're specifically referring to email. So imagine that you sent an email to somebody and that email was encrypted. Well, people wouldn't be able to see the encrypted contents of the email, but they would potentially be able to see who the email was from and who it was to and when it was sent. So that could actually tell you quite a bit about what's going on or give some context around it. I think the example in the book was if somebody sends a message, an encrypted message email to somebody else, and then one of those people murder somebody, and then after the murder is done, they send another encrypted message, then depending just on the timeline, the fact that they know that the message was sent between two people and a murder took place where both of these people knew who was murdered, that could be enough to kind of make people suspicious of what the contents are likely to be. Now, can we confirm that the contents of the email are talking about murder? No, but it could be circumstantial depending on what the timeline was. So cryptography can't protect you against the record of a message or the fact that a message was sent if you're encrypting the contents. Now, if you're using, yeah, basically it's about setting up a secure channel. So in this case, a secure channel somehow has to be set up, but even secure channel setup is very difficult and that's a whole other topic. So these are some of the things that cryptography or encrypting data on disk or messages that are being sent usually by email, these are some of the things that cryptography can't do. So really, you need to think about where the data is that you're working with and what you're trying to protect and then think about how that data could potentially be attacked. So that's it for today. I just wanted to give you kind of a heads up on a really interesting book and I always talk about how good encryption is or that you should use encryption, but also keep in mind that it's not a silver bullet. It can't solve every problem and you have to be aware of these other things that it can't do. So that's it for today. Thank you very much. If you like this video, please subscribe for more.