Bitcoin Forum

Other => Off-topic => Topic started by: SgtSpike on March 26, 2013, 03:48:50 PM



Title: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 03:48:50 PM
If I was to send someone some really sensitive information that I wanted to be 100% sure no one else could see, what would be the best way(s) of doing so?  Say, for example, it was a Bitcoin private key.


Title: Re: Sending REALLY sensitive information
Post by: CIYAM on March 26, 2013, 03:49:53 PM
If they are at all computer literate, GPG would probably be your best option.


Title: Re: Sending REALLY sensitive information
Post by: jackjack on March 26, 2013, 03:50:17 PM
Encrypting it with GPG?


Title: Re: Sending REALLY sensitive information
Post by: BIGMERVE on March 26, 2013, 03:51:12 PM
Just send them a letter with a seal.


Title: Re: Sending REALLY sensitive information
Post by: theymos on March 26, 2013, 03:51:19 PM
Give it to them in person.


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 03:53:37 PM
GPG, a letter with a seal... sounds good.

Give it to them in person.
Well, yes, but assume they aren't near me.  ;)


Title: Re: Sending REALLY sensitive information
Post by: CIYAM on March 26, 2013, 03:57:22 PM
Also, depending upon your level of paranoia, you could divide the private key into parts and say:

Part 1) Email
Part 2) SMS/Phone
Part 3) Snail mail


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 04:01:23 PM
Good point CIYAM!

What about BitMessage?  It should be secure for sending, right?
Or... an encrypted .rar, provided the passkey is sent separately?


Title: Re: Sending REALLY sensitive information
Post by: MysteryMiner on March 26, 2013, 05:14:55 PM
PGP encrypted mail
OTR encrypted IM chat
TorChat

The list can go on.


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 05:17:44 PM
PGP encrypted mail
OTR encrypted IM chat
TorChat

The list can go on.
Let's keep it to options where we don't have to be online at the same time... but thanks for the suggestions!


Title: Re: Sending REALLY sensitive information
Post by: bbit on March 26, 2013, 05:38:22 PM
Give it to them in person.

^^this^^


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 05:52:55 PM
Give it to them in person.

^^this^^
Assume they live across the globe and it is not possible.


Title: Re: Sending REALLY sensitive information
Post by: Lethn on March 26, 2013, 05:55:00 PM
Just send them a letter with a seal.

You should also make sure they burn it after they read it otherwise someone might pick it up in the bin.


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 09:29:46 PM
Screw GPG, it doesn't allow long enough keys for paranoid people. Have your friend generate a 16,384 bit RSA keypair with openssl, encrypt it with the public key, and send it off.
I like it.  :D


Title: Re: Sending REALLY sensitive information
Post by: kokjo on March 26, 2013, 09:33:15 PM
Generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack


Title: Re: Sending REALLY sensitive information
Post by: Raoul Duke on March 26, 2013, 09:35:07 PM
https://bitmessage.org/wiki/Main_Page


Title: Re: Sending REALLY sensitive information
Post by: molecular on March 26, 2013, 09:58:46 PM
Generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

If you're familiar with the voice of the person, I think it's pretty safe to transmit the public key via phone after having a conversation about the weather.



Title: Re: Sending REALLY sensitive information
Post by: Rothgar on March 26, 2013, 10:02:27 PM
Send the person a picture of a cat to use as a one time pad.   ;D

Mail them a CD with the picture of the cat that you take yourself.  Email the OTP-encrypted file.

I'm being a little silly; this is probably overkill.


Title: Re: Sending REALLY sensitive information
Post by: MysteryMiner on March 26, 2013, 10:08:20 PM
TorChat is an out-of-the-box solution that cannot be compromised unless Tor's asymmetric encryption is totally broken or one of the boxes is compromised.


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 10:23:54 PM
Generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack
Hmmm, good point.  Would there be a way for someone to MITM communications in such a way that the receiver of the information still gets it and doesn't know that it is compromised?

https://bitmessage.org/wiki/Main_Page
Obviously, the key is getting the correct Bitmessage address for a particular person, but I've heard that Bitmessage addresses can be generated from Bitcoin addresses?  That might be one way to prove ownership of a particular address.

Generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

If you're familiar with the voice of the person, I think it's pretty safe to transmit the public key via phone after having a conversation about the weather.
Good point as well...

Send the person a picture of a cat to use as a one time pad.   ;D

Mail them a CD with the picture of the cat that you take yourself.  Email the OTP-encrypted file.

I'm being a little silly; this is probably overkill.
LOL.

What about just mailing a password (plaintext), and then emailing a .rar encrypted file?  I don't know what OTP is or how a cat picture could be used as a pad, and yes, that might be overkill for my purposes anyway.  :P


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 26, 2013, 10:25:25 PM
Generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.
A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.


Title: Re: Sending REALLY sensitive information
Post by: MysteryMiner on March 26, 2013, 10:37:52 PM
Quote
Would there be a way for someone to MITM communications in such a way that the receiver of the information still gets it and doesn't know that it is compromised?
Both parties engaged in encrypted communication must compare the fingerprints of their public keys using some other channel, such as a phone call or an in-person meeting. If the messages go through but the key fingerprints do not match, there is a woman-in-the-middle attack (threesome) happening.

The one-time pad and picture of a cat is a problem because of the non-randomness of the "random" data, and the random material can be easily intercepted. It is cumbersome for practical use, and that's why key exchange protocols are used to establish a connection.


Title: Re: Sending REALLY sensitive information
Post by: BIGMERVE on March 26, 2013, 10:54:55 PM
Invent your own language.


Title: Re: Sending REALLY sensitive information
Post by: MysteryMiner on March 26, 2013, 10:59:01 PM
Invent your own language.
Not safe at all. Languages all have common traits that distinguish them from random garbage. I don't remember exactly, but it is something to do with statistics and the occurrence of words. If an adversary can crack PGP, then it can also guess the private key spelled out in hex in an invented language.


Title: Re: Sending REALLY sensitive information
Post by: saddambitcoin on March 27, 2013, 01:00:47 AM
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on March 27, 2013, 01:40:39 AM
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 
Nice, interesting solution there.


Generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.
A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.

That can only be done if
a) You don't verify messages over a different line of communication
OR
b) Your attacker has complete control over EVERY line of communication you have
Agreed.


Title: Re: Sending REALLY sensitive information
Post by: kokjo on March 27, 2013, 09:11:49 AM
Generating private/public keypairs is useless, IF YOU ARE NOT GIVING IT IN PERSON.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

Um, no, it's not. Learn some crypto before you talk about it.
A requests PGP key from B
C intercepts request
C gives A a PGP key aliased as B
A sends message encrypted with C's PGP key
C now reads message. B has no idea a request was even made.

That can only be done if
a) You don't verify messages over a different line of communication
OR
b) Your attacker has complete control over EVERY line of communication you have
Which, for very sensitive information, you can assume the attacker does. Which means: meet in person, as real persons are hard to fake.


Title: Re: Sending REALLY sensitive information
Post by: MysteryMiner on March 27, 2013, 12:44:22 PM
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 
And who prevents the page from storing the message forever? A promise not to do so? I call it a trap! Set up such a page, then wait for all sorts of secret and confidential information plus IP addresses to come in, such as passwords and login data, links to child porn and so on.


Title: Re: Sending REALLY sensitive information
Post by: saddambitcoin on March 27, 2013, 04:49:35 PM
https://www.readthenburn.com seems like a relatively ok option if you're dealing with someone that won't be bothered to learn how to use PGP. 
And who prevents the page from storing the message forever? A promise not to do so? I call it a trap! Set up such a page, then wait for all sorts of secret and confidential information plus IP addresses to come in, such as passwords and login data, links to child porn and so on.

I am skeptical as well, but they say that your message is encrypted client-side using a random 256-bit AES key stored in the URL, and the cleartext message and secret key are never sent to them.  Source code is available, but I am still learning to analyse crypto primitives, so I can't confidently say this is safe.


Title: Re: Sending REALLY sensitive information
Post by: Rothgar on March 28, 2013, 01:34:06 AM

Send the person a picture of a cat to use as a one time pad.   ;D

Mail them a CD with the picture of the cat that you take yourself.  Email the OTP-encrypted file.

I'm being a little silly; this is probably overkill.
LOL.

What about just mailing a password (plaintext), and then emailing a .rar encrypted file?  I don't know what OTP is or how a cat picture could be used as a pad, and yes, that might be overkill for my purposes anyway.  :P

In case you're interested: this is an encryption technique that is very secure as long as the pad is secret.  Even if your picture of a cat were your pad and public, I still feel that no one is going to XOR your message with that picture of a cat.

http://en.wikipedia.org/wiki/One-time_pad
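The key-splitting idea from CIYAM's post above and Rothgar's one-time pad, as an added example in Python that is not code from this thread. It XOR-splits a key into shares rather than cutting the key string into pieces: a contiguous chunk is real key material, while any n-1 XOR shares are indistinguishable from random, so reading one channel gains nothing. The same XOR is a one-time pad, and the last function shows what reusing a pad (the same cat picture used twice, say) gives away. DEMO_KEY and the message strings are constructed stand-ins, not real keys.

```python
"""XOR secret-splitting and the one-time pad behind it.  Added example, not
code from the thread.  DEMO_KEY is a constructed stand-in, not a real key."""
import secrets

DEMO_KEY = bytes(range(32))  # constructed 32-byte stand-in for a private key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def naive_chunks(secret: bytes, n: int) -> list:
    """What 'divide the key into parts' does literally: each chunk is a
    contiguous slice of the key, so one intercepted channel leaks 1/n of it."""
    size = -(-len(secret) // n)  # ceiling division
    return [secret[i:i + size] for i in range(0, len(secret), size)]


def split_secret(secret: bytes, n: int) -> list:
    """n-of-n XOR sharing: n-1 uniformly random pads, plus the secret XORed
    with all of them.  Any n-1 shares are uniformly random on their own."""
    if n < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]


def combine_shares(shares: list) -> bytes:
    """XOR every share together; the pads cancel and the secret remains."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """One-time pad; decryption is the same call.  Secure only while the pad
    is uniformly random, as long as the message, secret, and never reused."""
    return xor_bytes(message, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad: XOR them and the pad cancels,
    leaving m1 XOR m2, which is enough to recover both messages in practice."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    shares = split_secret(DEMO_KEY, 3)      # email, SMS, snail mail
    print("chunk 1 of the naive split:", naive_chunks(DEMO_KEY, 3)[0].hex())
    print("share 1 of the XOR split:  ", shares[0].hex())
    print("all three shares recombine:", combine_shares(shares) == DEMO_KEY)
    print("two shares recombine:      ", combine_shares(shares[:2]) == DEMO_KEY)
```

A share list from `split_secret` is what you would actually send over three channels; the naive chunk printed first is the point of the comparison, since it is eleven real bytes of the key in the clear.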


Title: Re: Sending REALLY sensitive information
Post by: kokjo on March 28, 2013, 08:37:56 AM
Even if all your computers are so virus-infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communication lines are ridiculously low.
NSA, go look it up; you don't know what it is.

No one is talking about viruses; you should really go read some more about basic cryptography, as you clearly don't understand.



Title: Re: Sending REALLY sensitive information
Post by: johnniewalker on March 28, 2013, 09:53:33 AM
whatever you do, NOT privnote


Title: Re: Sending REALLY sensitive information
Post by: TECSHARE on March 29, 2013, 09:36:27 AM
www.bitmessage.org


Title: Re: Sending REALLY sensitive information
Post by: kokjo on March 29, 2013, 09:42:32 AM
Even if all your computers are so virus-infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communication lines are ridiculously low.
NSA, go look it up; you don't know what it is.

No one is talking about viruses; you should really go read some more about basic cryptography, as you clearly don't understand.
Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  ::)
If the information is sensitive enough, then yeah! Tap all the stuff.

But the only hard thing to do here is the phone; the rest is text-based and can easily be faked.

The only impossible thing is pre-distributed public keys (GPG or similar), but that would require the two parties of the communication to meet at least once.


Title: Re: Sending REALLY sensitive information
Post by: Richy_T on March 29, 2013, 03:59:27 PM

Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  ::)

I hear there's a thing called computers which can replace many people for a lot of repetitive tasks. Could be just a fad though.


Title: Re: Sending REALLY sensitive information
Post by: kokjo on March 29, 2013, 04:00:33 PM
Even if all your computers are so virus-infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communication lines are ridiculously low.
NSA, go look it up; you don't know what it is.

No one is talking about viruses; you should really go read some more about basic cryptography, as you clearly don't understand.
Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  ::)
If the information is sensitive enough, then yeah! Tap all the stuff.

But the only hard thing to do here is the phone; the rest is text-based and can easily be faked.

The only impossible thing is pre-distributed public keys (GPG or similar), but that would require the two parties of the communication to meet at least once.

Text-based communication is not easily faked if you ask a question that very few people would know.
Simple example:
Alice to Attacker: answer this question _, and I will believe you are Bob.
Attacker to Bob: answer this question _, and I will believe you are Bob.
Bob to Attacker: this is the answer to the question: _.
Attacker to Alice: this is the answer to the question: _.
Alice to Attacker: hello, Bob!
Attacker to Bob: kthxbye.

And the Attacker and Alice continue the conversation. It is really that simple, and security would not be any better even with public-key cryptography (unless the keys were pre-distributed).

Now, please STFU and go learn some basic cryptography.


Title: Re: Sending REALLY sensitive information
Post by: kokjo on March 29, 2013, 05:59:41 PM
Even if all your computers are so virus-infested they're a biohazard, the chances of the SAME attacker having control over ALL of your communication lines are ridiculously low.
NSA, go look it up; you don't know what it is.

No one is talking about viruses; you should really go read some more about basic cryptography, as you clearly don't understand.
Yeah, because the NSA has people being paid to listen to your phone lines, read your email and IMs, and intercept and read your regular mail.  ::)
If the information is sensitive enough, then yeah! Tap all the stuff.

But the only hard thing to do here is the phone; the rest is text-based and can easily be faked.

The only impossible thing is pre-distributed public keys (GPG or similar), but that would require the two parties of the communication to meet at least once.

Text-based communication is not easily faked if you ask a question that very few people would know.
Simple example:
Alice to Attacker: answer this question _, and I will believe you are Bob.
Attacker to Bob: answer this question _, and I will believe you are Bob.
Bob to Attacker: this is the answer to the question: _.
Attacker to Alice: this is the answer to the question: _.
Alice to Attacker: hello, Bob!
Attacker to Bob: kthxbye.

And the Attacker and Alice continue the conversation. It is really that simple, and security would not be any better even with public-key cryptography (unless the keys were pre-distributed).

Now, please STFU and go learn some basic cryptography.

Delay, idiot. I don't ask the question and then go get something to eat. If it takes them too long, it becomes suspicious.
Have you heard about computers?

(BTW, you are ignored now; have a nice and ignorant life.)


Title: Re: Sending REALLY sensitive information
Post by: MysteryMiner on March 29, 2013, 06:53:53 PM
The attacker in a man-in-the-middle attack can also be a passive observer. He is not required to modify the plaintext messages, just decrypt, store and resend them encrypted with his own key. The security question will go through just as it would without a MITM attack.

Now we are talking about authentication rather than encrypted channel security. They are different animals.
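The exchange kokjo laid out (A asks B for a key, C hands A its own key "aliased as B"), the fingerprint comparison MysteryMiner recommends, and the challenge-question relay from the later posts, carried through in one added Python example that is not code from this thread. A Diffie-Hellman exchange over the 2048-bit MODP group 14 from RFC 3526 stands in for "request B's public key over the network"; the group constant is reproduced here and should be checked against the RFC before any real use, though the demonstration does not depend on it being exact. The names Alice, Bob and Mallory, the challenge question and its answer are constructed, and the SHA-256 counter keystream is a demonstration cipher only (real traffic would use an AEAD). The point it makes: with Mallory in the middle the secret question is answered correctly and Alice is none the wiser, while comparing the received key's fingerprint with one Bob reads out on another channel catches the substitution.

```python
"""Man-in-the-middle on an unauthenticated key exchange, and the out-of-band
fingerprint check that detects it.  Added example, not code from the thread."""
import hashlib
import secrets

# 2048-bit MODP group 14, reproduced from RFC 3526.  Verify against the RFC
# before real use; the demonstration behaves the same either way.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
KEY_BYTES = 256  # large enough for any value below P

QUESTION = b"what did we eat in Prague?"   # constructed challenge only Bob should know
ANSWER = b"goulash"


class Party:
    """One endpoint with an ephemeral Diffie-Hellman key pair."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1        # 1 <= priv <= P-2
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub):
        """32-byte key derived from the shared secret with whoever owns peer_pub."""
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def fingerprint(pub):
    """Short hash of a public key: what you read out over the phone."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:32]


def keystream_xor(key, data):
    """SHA-256 counter keystream XORed over data; encrypt and decrypt are the
    same call.  Demonstration cipher only, with no integrity protection."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class Mallory(Party):
    """On the wire: hands both sides her own public key, saw their real keys go
    past, and so shares a session key with each.  She alters nothing, she only
    decrypts, stores and re-encrypts (the passive relay described above)."""

    def __init__(self):
        super().__init__("Mallory")
        self.seen = []

    def relay(self, wire, key_in, key_out):
        plaintext = keystream_xor(key_in, wire)
        self.seen.append(plaintext)
        return keystream_xor(key_out, plaintext)


def challenge_response(alice, bob, mallory=None):
    """Alice fetches 'Bob's' public key over the network and sends a secret
    question; Bob answers.  Returns (key Alice took to be Bob's, question as
    Bob received it, answer as Alice received it, Mallory's plaintext log)."""
    if mallory is None:
        pub_alice_saw, pub_bob_saw = bob.pub, alice.pub
    else:
        pub_alice_saw = pub_bob_saw = mallory.pub   # "C gives A a key aliased as B"
    k_alice = alice.session_key(pub_alice_saw)
    k_bob = bob.session_key(pub_bob_saw)

    wire = keystream_xor(k_alice, QUESTION)
    if mallory is not None:
        wire = mallory.relay(wire, mallory.session_key(alice.pub), mallory.session_key(bob.pub))
    question_bob_got = keystream_xor(k_bob, wire)

    reply = ANSWER if question_bob_got == QUESTION else b"?"
    wire = keystream_xor(k_bob, reply)
    if mallory is not None:
        wire = mallory.relay(wire, mallory.session_key(bob.pub), mallory.session_key(alice.pub))
    answer_alice_got = keystream_xor(k_alice, wire)
    return pub_alice_saw, question_bob_got, answer_alice_got, list(mallory.seen) if mallory else []


def out_of_band_check(pub_received, fingerprint_read_over_phone):
    """Compare the fingerprint of the key you got with the one its owner reads
    to you on another channel.  This is the step that closes the hole."""
    return fingerprint(pub_received) == fingerprint_read_over_phone


if __name__ == "__main__":
    alice, bob, mallory = Party("Alice"), Party("Bob"), Mallory()
    pub, _, answer, seen = challenge_response(alice, bob, mallory)
    print("secret question answered correctly:", answer == ANSWER)
    print("Mallory read:", seen)
    print("fingerprint matches Bob's:", out_of_band_check(pub, fingerprint(bob.pub)))
```

The fingerprint Bob reads out has to travel on a channel Mallory does not also control, which is the whole argument of the thread; the code only shows that without that step the question-and-answer round trip proves nothing about who holds the key.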


Title: Re: Sending REALLY sensitive information
Post by: kokjo on March 30, 2013, 01:33:51 AM
the attacker in man in middle attack can also be passive observer. He is not required to modify the plaintext messages, just decrypt, store and resend encrypted with his own key. The security question will go trough as without MITM attack.

Now we are talking about authentication rather than encrypted channel security. They are different animals.
They are different, but if you can't authenticate, encryption does not really matter.


Title: Re: Sending REALLY sensitive information
Post by: zedicus on March 30, 2013, 11:59:54 AM
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/

Can you hear me now? How about now? A lil louder.. OK good..

Dad said to go ahead and give him a ...
https://www.youtube.com/watch?v=w-tr0pVynJs

The look on his face at the end of the video is what happens after you send whatever you're thinking about sending!

lolz

The US said go ahead and send the damn 5 BTC, just stop talking about it.. in fact they will give you 5 BTC just to STFU..

( OK so I got jokes.. thought I would try to lighten the mood )
Cheers :)


Title: Re: Sending REALLY sensitive information
Post by: ionux on March 30, 2013, 12:37:34 PM
Obligatory: http://xkcd.com/538/


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on April 11, 2013, 06:10:34 PM
Reviving this thread...

I got to thinking about it more, and most of these solutions rely on the machine in question being online at some point in time.

Bitmessage requires a connection to send out (Unless there is a way to create a transaction on an offline computer, then transfer the tx to an online computer to be broadcast? That would be awesome!)

GPG mail seems to require an online connection as well (connect to your email host).  I wish there was an easy method to use someone's PGP key and encrypt a message offline, but the only solution I can find for that is via command line.  It's an option, I suppose, but I don't like it much.

OTR IM Chat/Tor Chat - obviously requires the machine to be online.

readthenburn - again, obviously requires the machine to be online.

.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.

Let's leave the MITM argument alone for the time being.

EDIT:  Just found a plethora of GUIs for GPG though - nice!  http://www.gnupg.org/related_software/frontends.en.html


Title: Re: Sending REALLY sensitive information
Post by: kokjo on April 11, 2013, 06:21:41 PM
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
You do not want to use a closed format for encryption.

gpg can be used to encrypt files too.


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on April 11, 2013, 06:25:22 PM
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
You do not want to use a closed format for encryption.

gpg can be used to encrypt files too.
Thanks, and good point.

I suppose the big difference I see between the two is that GPG requires a public key to encrypt with, whereas a .rar can be encrypted with anything of my choosing, provided I give the password to the party through an alternate channel.  Is there something .rar style that uses an open format?


Title: Re: Sending REALLY sensitive information
Post by: MysteryMiner on April 11, 2013, 06:47:52 PM
Quote
Is there something .rar style that uses an open format?
7-zip can do that. A 10-char password is not enough. I will go with a 20+ character random password.

Almost everything requires the computer to be online. Being online is what the internet is all about. Next time, search for possible ways to encrypt and send information when the computer is both offline and turned off ;)


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on April 11, 2013, 07:07:48 PM
Quote
Is there something .rar style that uses an open format?
7-zip can do that. A 10-char password is not enough. I will go with a 20+ character random password.

Almost everything requires the computer to be online. Being online is what the internet is all about. Next time, search for possible ways to encrypt and send information when the computer is both offline and turned off ;)
Thanks, I'll check out 7-zip.  And yes, I was thinking 20-char.  Maybe 25 or 30 char would be even safer, but that might be overkill.

I understand that almost everything requires the computer to be online.  But I'd like multiple methods that do not involve putting the private information on a computer that could potentially be compromised, unless that information is otherwise secured (i.e. encrypted).  It seems the only real way to do this is to encrypt the information on the offline machine prior to bringing it to the online machine.  Or, potentially, physical delivery (via postal service).  I guess that gives me 3 options.  I am satisfied with these results then.  Thanks to all who have participated in this thread!


Title: Re: Sending REALLY sensitive information
Post by: kokjo on April 11, 2013, 07:10:15 PM
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
You do not want to use a closed format for encryption.

gpg can be used to encrypt files too.
Thanks, and good point.

I suppose the big difference I see between the two is that GPG requires a public key to encrypt with, whereas a .rar can be encrypted with anything of my choosing, provided I give the password to the party through an alternate channel.  Is there something .rar style that uses an open format?

GPG can do symmetric encryption only, if you ask it to.
See the "-c" switch in man gpg.


Title: Re: Sending REALLY sensitive information
Post by: SgtSpike on April 11, 2013, 07:16:57 PM
.RAR - seems like it would work offline?  I took a look at some .rar password crackers, and even a 10-char address said it would take "too long" to crack.  Would it be reasonable to expect the .rar encryption to hold with a sufficient length password (say, 20 chars?), at least until quantum computing becomes a thing?  As long as the .rar and password were sent through different channels (email + bitmessage, for instance), it seems as though it'd be very difficult to crack.
You do not want to use a closed format for encryption.

gpg can be used to encrypt files too.
Thanks, and good point.

I suppose the big difference I see between the two is that GPG requires a public key to encrypt with, whereas a .rar can be encrypted with anything of my choosing, provided I give the password to the party through an alternate channel.  Is there something .rar style that uses an open format?

GPG can do symmetric encryption only, if you ask it to.
See the "-c" switch in man gpg.
Oh, that's good to know!  I am looking for GUI options, but perhaps one of the GUIs available for general GPG encryption would also support symmetric encryption.  Thanks!