Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Encryption solutions

  1. #1
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    5

    Default Encryption solutions

    Hi there.

    I've been a user of TrueCrypt for a while, and a happy one. However now I need to make sure of its security, and it escapes my hacking knowledge by far. I was wondering to what extent a normal AES + Whirlpool encryption would do the job, and if there are vulnerabilities to be exploited other than Brute Forcing or Keylogging. I was wondering also whether AES-Twofish-Serpent combined provides a real improved security, as it would be just a waste of processor if it is not necessary. In any case I have to use a solution that would allow real-time file usage. Data should be protected enough to prevent anyone with a good knowledge, tools, and my computer in their hands from breaking the encryption. Yeah, brute force could get you anywhere, but in my imaginary world they wouldn't have resources to use for more than 10 days (to say a number) to do the job.

    Can you guys throw me clues or direct me to sources of information?

  2. #2

    Default Re: Encryption solutions

    hi madmanu,

    even we have seen in the past how crypto stuff can fail (e.g. DES or MD5) from a pure protocol prospective, the key challenge in cryptography is key management.

    Regarding AES, there was an almost independant worldwide challenge looking for the most secure algorithm for the next decades (which is quite challenging concerning computer processing power and new ideas, like not only using traditional CPU-cylces, also using other components like graphic card processing power).

    Some people may disagree, but Bruce Schneir's Crypto Gram is the right start to talk about crypto philosophy ;-)
    Crypto-Gram Newsletter

    Regarding truecrypt (I'm also prefering container encryption for my sensitive data over full filesystem encrpytion)
    Schneier on Security: TrueCrypt

    Also concerning truecrypt attack vectors, read this:
    Bootkit bypasses hard disk encryption - The H Security: News and Features


    Conclusion:

    Get a trusted copy of truecrypt..USE COMPLEX PASSWORD and good entropy to generate container, don't save history or cache passwords! Choose the right algorithm combination, based on your need of performance+security (use truecrypts benchmark tool).

    /brtw2003

    P.S.: even some people think our *N*S*A* (simple obfuscation ;-) friends still have endloss access to computing power & master minds - attacking an AES256 and higher, using SHA512 or higher and so on...the will likely use a much simpler way: social engineering ... and not waiting the next 2 years to decrypt your stuff ;-)
    Last edited by brtw2003; 02-28-2010 at 08:10 PM.

  3. #3
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    5

    Default Re: Encryption solutions

    Cascading different encryption algorithms, as AES, Twofish and Serpent, only does increase security by preventing the use of vulnerabilities of any of them, should any be discovered. Should two have a vulnerability, the third one would still be in place. That makes sense, just logical, but focused as I was on something else I didn't realize before. In this case, cascading is not a need for me.

    The questions seem to be:

    1-Are there any known vulnerabilities in AES? (none that I can tell from what I've found).
    2-What lenght should the password be to prevent a brute force attack from being successful, provided the intruder has my machine and less than a month to obtain the password? (taking for granted that the attacker might have one, or many, GPUs for the attack).
    3.-Is there a way of delaying password tries, to further difficult brute forcing, or it only depends on the software that is used for trying? (as a delay in TrueCrypt wouldn't make a difference if the opponent used his own decryption software that wouldn't include delays)

  4. #4
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: Encryption solutions

    1. Yes but as of right now they really are not practicable, but more of a theory. That does not mean this can't change overnight.
    See also http://en.wikipedia.org/wiki/Advance...hannel_attacks
    2. The password should be as long as possible for maximum protection. But there are two caveats to this. One the password needs to not only be a long one but a complex one as well.
    Example: aaaaaaaa while may be considered long is not very complex versus 1hT*(ldE while both use 8 characters the second one is more complex. This equates to more time to brute force.
    Two Maximum protection may be negated by the second sentence in 1 above.
    3. Yes there are some such as two factor authentication.
    While Bruce Schneir is the "guy" for all things encryption, it might not be best to start out with reading his works. Take a look at this resource for a good overview on 256-bit AES and password recovery.
    I think it is a much better article to kind of "get your feet wet" with. Also forget the fact that they may be trying to sell something.
    Password recovery, 256-bit AES encryption vs. brute force - how strong and reliable is Private Disk's encryption

    Another very light-hearted approach to understanding AES= http://www.moserware.com/2009/09/sti...-advanced.html
    Last edited by Archangel-Amael; 02-28-2010 at 09:35 PM.

  5. #5
    Member whitelisted's Avatar
    Join Date
    Feb 2010
    Posts
    72

    Default Re: Encryption solutions

    Quote Originally Posted by Archangel.Amael View Post
    Example: aaaaaaaa while may be considered long is not very complex versus 1hT*(ldE while both use 8 characters the second one is more complex. This equates to more time to brute force.
    Wait, are you sure about this? Complexity protects you against dictionary attacks and the like, but If the keyphrases are of equal length, and if the attack is simple brute force, then surely both passphrases will be broken in roughly equal time?

  6. #6
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    5

    Default Re: Encryption solutions

    First of all, thank you both brtw2003 and Archangel.Amael for such clarifying and clear information. My previous reply wasn't supposed to be an answer to brtw2003, I just didn't see his post until after sending.

    I think the solution I need, this time, is clear. AES with a strong, +20 characters, password. I don't carry state secrets, nor my grandma's cheesecake recipe, so it is unlikely my potential opponent will know more than the community in terms of exploits. Furthermore, the seed is already inside me and I will have no other choice than to keep learning about encryption. Should AES be easily crackable in the future, chances are I will get to know in a reasonable amount of time, and change my containers.

    I've seen the Bruce Schneir mentioned by Archangel.Amael all over the place while digging information, and his Secrets and Lies seemed to be quite popular. It goes for 5 pounds on UK eBay including post costs to my country, so unless you guys consider some other piece of his any better for an eager starter, I'll just get that book for my shelf after going through the links you've given me.

    Thanks again and have fun!

  7. #7
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: Encryption solutions

    Quote Originally Posted by whitelisted View Post
    Wait, are you sure about this? Complexity protects you against dictionary attacks and the like, but If the keyphrases are of equal length, and if the attack is simple brute force, then surely both passphrases will be broken in roughly equal time?
    You are confusing dictionary attacks with bruteforce attacks. Don't feel bad lots of people even pro's do this.
    While there are similarities between the two they are not one and the same. In most cases, a dictionary attack will work more quickly than a brute force attack. The caveat is that the password has to be in the dictionary in order to be successful. However A brute force attack is, more certain to achieve results eventually how long being a key factor. Because in this case we will apply every single possibility to the key-space (given that one the attacking force holds out and two the encrypted container does the same). So the major difference is having the actual password, even if we don't know it. A standard combination padlock with a 40 digit face only has 64,000 possible combination's that means I don't need to know the actual code. I can just try all of them. This is somewhat feasible however with computers and "real encryption" it become exponentially harder.
    So as for your question from above, If I know the max password length is 4 and it can only contain lower case letters and or numbers 0-9 then I only need to insert each one 1 time until one of them will "fit". Now this by itself is not really complicated but if I add more possible characters ( such as upper case letters and special characters such as * ,%,$ to each space within the password and I increase the length (from 4 to 14) then it become more complex. I hope that makes the above a bit clearer. By all means let me know.
    As an after thought on this somewhere on the old forums there is another good explanation thread on this very topic. I just don't know where.

    Quote Originally Posted by madmanu View Post
    First of all, thank you both brtw2003 and Archangel.Amael for such clarifying and clear information. My previous reply wasn't supposed to be an answer to brtw2003, I just didn't see his post until after sending.
    You are welcome.
    I think the solution I need, this time, is clear. AES with a strong, +20 characters, password. [/quote] Or more characters. This is one of those cases where you could say "the more the merrier". However it is not always true all the time.
    I've seen the Bruce Schneir mentioned by Archangel.Amael all over the place while digging information, and his Secrets and Lies seemed to be quite popular.
    By it but don't put it on the shelf. Read it first. I have read it and so have several other people that frequent this forum. I recommend it and it is a good book.
    Last edited by Archangel-Amael; 03-01-2010 at 04:49 PM.

  8. #8
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Encryption solutions

    Quote Originally Posted by madmanu View Post
    First of all, thank you both brtw2003 and Archangel.Amael for such clarifying and clear information. My previous reply wasn't supposed to be an answer to brtw2003, I just didn't see his post until after sending.

    I think the solution I need, this time, is clear. AES with a strong, +20 characters, password. I don't carry state secrets, nor my grandma's cheesecake recipe, so it is unlikely my potential opponent will know more than the community in terms of exploits. Furthermore, the seed is already inside me and I will have no other choice than to keep learning about encryption. Should AES be easily crackable in the future, chances are I will get to know in a reasonable amount of time, and change my containers.
    I wish more users could figure things like this out.

    It's great to try to have the absolute "best" security but it has to be reasonably inline with what it's protecting.

    AES is currently a Government accepted encryption standard (assuming it's implemented properly....which I believe it is in TrueCrypt). The Gov't has information assets of far greater interest/value/complexity than 99.999% of home users ever will. It would be far easier for a malicious individual to get information about a single person by stealing and sorting through their garbage for a few weeks than trying to steal a laptop or storage device and decrypting/brute forcing AES. Even that assumes that your SIN/SSN or whatever I can dig up is worth my time and effort (vs your trash). Really the majority of individuals in the population have almost nothing worth wasting time on when there are still 10s of 1000s of idiots who run exes from email for which they don't know the sender, will fall for phishing scams, etc.

    You are confusing dictionary attacks with bruteforce attacks. Don't feel bad lots of people even pro's do this.
    I've always considered a Dictionary attack to be a specific subtype of Brute Force attack(s).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  9. #9
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default Re: Encryption solutions

    Quote Originally Posted by thorin View Post
    I wish more users could figure things like this out.
    Me too.

    It would be far easier for a malicious individual to get information about a single person by stealing and sorting through their garbage for a few weeks than trying to steal a laptop or storage device and decrypting/brute forcing AES.
    Which brings this to mind.



    I've always considered a Dictionary attack to be a specific subtype of Brute Force attack(s).
    Works for me. If my goal is to obtain the password or the information in the encrypted vessel then if I start with bruteforce knowing it will give me the answer (eventually) and work down to easier methods of obtaining said info, then it would indeed be a subset.

  10. #10
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default Re: Encryption solutions

    Oblig XKCD



    Damnit, that picture wasn't there when I started posting this.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

Page 1 of 2 12 LastLast

Similar Threads

  1. this network requieres encryption to be enabled
    By superxoan in forum Beginners Forum
    Replies: 1
    Last Post: 02-21-2010, 05:42 PM
  2. can someone teach me about HD encryption
    By Dante in forum Beginners Forum
    Replies: 6
    Last Post: 02-07-2010, 11:56 PM
  3. bt4-final hard drive encryption
    By lordplagueis in forum Beginners Forum
    Replies: 8
    Last Post: 02-05-2010, 08:41 AM
  4. error network requires encryption to be enabled
    By qpens8 in forum Beginners Forum
    Replies: 6
    Last Post: 02-03-2010, 01:47 PM
  5. Full HD encryption with Luks and LVM
    By Ulrick13 in forum Beginners Forum
    Replies: 4
    Last Post: 02-01-2010, 03:12 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •