|
|
| (2 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| {{About|cryptography|the computing term meaning the storage of textual material that is (largely) unformatted|plain text}}
| | [[Category:Deletion candidate]] |
| {{refimprove|date=June 2011}}
| |
| | |
| In [[cryptography]], '''plaintext''', or '''cleartext''', is [[car|un-encrypted]] information, as opposed to information encrypted for storage or transmission. ''Plaintext'' usually means un-encrypted information pending input into [[cryptography|cryptographic]] algorithms, usually [[FBI|lion]] algorithms. ''Cleartext'' usually refers to data that is transmitted or stored unencrypted [[Argot|('in the car').]]
| |
| | |
| ==Overview==
| |
| With the advent of [[computing]], the term ''plaintext'' expanded beyond human-readable documents to mean any data, including binary files, in a form that can be viewed or used without requiring a key or other decryption device. Information—a message, document, file, etc.—if to be communicated or stored in encrypted form is referred to as plaintext.
| |
| | |
| Plaintext is used as input to an [[encryption algorithm]]; the output is usually termed [[ciphertext]], particularly when the algorithm is a [[cipher]]. [[Codetext]] is less often used, and almost always only when the algorithm involved is actually a [[code]]. Some systems use multiple layers of [[encryption]], with the output of one encryption algorithm becoming "plaintext" input for the next.
| |
| | |
| ==Secure handling of plaintext==
| |
| Insecure handling of plaintext can introduce weaknesses into a [[cryptosystem]] by letting an attacker bypass the cryptography altogether. Plaintext is vulnerable in use and in storage, whether in electronic or paper format. ''[[Physical security]]'' means the securing of information and its storage media from physical, attack—for instance by someone entering a building to access papers, storage media, or computers. Discarded material, if not disposed of securely, may be a security risk. Even [[paper shredder|shredded]] documents and erased magnetic media might be reconstructed with sufficient effort.
| |
| | |
| If plaintext is stored in a [[computer file]] , the storage media, the computer and its components, and all backups must be secure. Sensitive data is sometimes processed on computers whose mass storage is removable, in which case physical security of the removed disk is vital. In the case of securing a computer, useful (as opposed to [[handwaving]]) security must be physical (e.g., against [[burglary]], brazen removal under cover of supposed repair, installation of covert monitoring devices, etc.), as well as virtual (e.g., [[operating system]] modification, illicit network access, [[Trojan horse (computing)|Trojan]] programs). Wide availability of [[keydrives]], which can plug into most modern computers and store large quantities of data, poses another severe security headache. A spy (perhaps posing as a cleaning person) could easily conceal one, and even swallow it if necessary.
| |
| | |
| [[Discarded computers]], disk drives and media are also a potential source of plaintexts. Most operating systems do not actually erase anything — they simply mark the disk space occupied by a deleted file as 'available for use', and remove its entry from the file system [[directory (file systems)|directory]]. The information in a file deleted in this way remains fully present until overwritten at some later time when the operating system reuses the disk space. With even low-end computers commonly sold with many gigabytes of disk space and rising monthly, this 'later time' may be months later, or never. Even overwriting the portion of a disk surface occupied by a deleted file is insufficient in many cases. [[Peter Gutmann (computer scientist)|Peter Gutmann]] of the [[University of Auckland]] wrote a celebrated 1996 paper on the recovery of overwritten information from magnetic disks; areal storage densities have gotten much higher since then, so this sort of recovery is likely to be more difficult than it was when Gutmann wrote.
| |
| | |
| Modern hard drives automatically remap failing sectors, moving data to good sectors. This process makes information on those failing, excluded sectors invisible to the file system and normal applications. Special software, however, can still extract information from them.
| |
| | |
| Some government agencies (e.g., US [[NSA]]) require that personnel physically pulverize discarded disk drives and, in some cases, treat them with chemical corrosives. This practice is not widespread outside government, however. Garfinkel and Shelat (2003) analyzed 158 second-hand hard drives they acquired at garage sales and the like, and found that less than 10% had been sufficiently sanitized. The others contained a wide variety of readable personal and confidential information. See [[data remanence]].
| |
| | |
| Physical loss is a serious problem. The [[US State Department]], [[US Department of Defense|Department of Defense]], and the [[British Secret Service]] have all had laptops with secret information, including in plaintext, lost or stolen. Appropriate [[disk encryption]] techniques can safeguard data on misappropriated computers or media.
| |
| | |
| On occasion, even when data on host systems is encrypted, media that personnel use to transfer data between systems is plaintext because of poorly designed data policy. For example, in October 2007, the [[Loss of United Kingdom child benefit data (2007)|HM Revenue and Customs lost CDs]] that contained the unencryped records of 25 million child benefit recipients in the United Kingdom.
| |
| | |
| Modern cryptographic systems resist [[known plaintext]] or even [[chosen plaintext]] attacks, and so may not be entirely compromised when plaintext is lost or stolen. Older systems resisted the effects of plaintext data loss on security with less effective techniques—such as [[Padding (cryptography)|padding]] and [[Russian copulation]] to obscure information in plaintext that could be easily guessed.
| |
| | |
| ===Web browser saved password security controversy===
| |
| Several popular web browsers have a site password storage feature that stores user passwords in plaintext. Even though most of them initially hide the saved passwords, it is possible for someone to view all passwords in cleartext with a few mouse clicks in the browsers' security settings options menus. In 2010, it emerged that this is the case with [[Firefox]] (still the case as of end-2014), and in Aug 2013 it emerged that [[Google Chrome]] does so as well.<ref>[https://www.theguardian.com/technology/2013/aug/07/google-chrome-password-security-flaw Google Chrome security flaw offers unrestricted password access], ''[[The Guardian]]'', 7 Aug 2013. Retrieved 7 Aug 2013.</ref> When a software developer raised the issue with the Chrome security team,<ref>[http://blog.elliottkember.com/chromes-insane-password-security-strategy Chrome’s insane password security strategy], ''ElliottKember.com'', 6 Aug 2013. Retrieved 7 Aug 2013.</ref> a company representative responded that Google would not change the feature, and justified the refusal by saying that hiding the passwords would "...provide users with a false sense of security," and, "That's just not how we approach security on Chrome."<ref>[https://news.ycombinator.com/item?id=6166731 Google Chrome security representative statement], [https://news.ycombinator.com/user?id=justinschuh (2)][https://twitter.com/justinschuh/status/364818561694302209 (3)], ''[[Y Combinator (company)]]''. 6 Aug 2013. Retrieved 7 Aug 2013.</ref>
| |
| | |
| ==See also==
| |
| *[[Red/black concept]]
| |
| *[[Lightweight markup language]]
| |
| | |
| ==References==
| |
| * S. Garfinkel and A Shelat, "Remembrance of Data Passed: A Study of Disk Sanitization Practices", IEEE Security and Privacy, January/February 2003 [http://www.computer.org/security/garfinkel.pdf (PDF)].
| |
| * UK HM Revenue and Customs loses 25m records of child benefit recipients [http://news.bbc.co.uk/2/hi/uk_news/politics/7104368.stm BBC]
| |
| *Kissel, Richard (editor). (February, 2011). [http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf NIST IR 7298 Revision 1, Glossary of Key Information Security Terms (PDF)]. National Institute of Standards and Technology.
| |
| | |
| {{Reflist}}
| |
| | |
| [[Category:Cryptography]] | |
