general encryption question

[Chiefcrowe]

The hacker wouldn't necessarily know, but if he somehow breaks into your email account then he can go on from there. He could also use social engineering.
That one wired writer got totally owned by someone recently via social engineering.

It is unlikely it would happen to you, that is true, but it's better to be more secure online.

Well if someone steals my password I have here, how would he know on which other sites I have accounts? And why would that hacker guy concentrate on my accoutn in the first place?






While i said i use the same password everywhere I don't. But for anonymous forums like this and others it's just easier to have 1 common password. And what to I care if someone steals my account here?

There are 2 important passwords: The one for online banking and the one for your email. Because in the email the attacker will potential see on which forums etc, you are registered and can just let the site send a new password.
(ok you can also add other stuff like facebook. Don't want that to be hacked easily)

My email is different, this is a no brainer, I mean anyone could setup a forum and then read out email address and password and check if they match or in the case the site is hacked, thats probably what the attacker will try...


And online banking is a no brainer too, obviously. But there you have additional measures.

 

[Special K]

Let's say I'm using TrueCrypt on my entire drive, I'm logged into windows, and I use the windows lock screen while I'm away from my computer. Are there any cracks/exploits that can be used to bypass the windows lock screen? The windows lock screen would be the only thing protecting my drive if I were already logged into windows, since the TrueCrypt password appears when the PC first boots up.

 

[theevilsharpie]

Let's say I'm using TrueCrypt on my entire drive, I'm logged into windows, and I use the windows lock screen while I'm away from my computer. Are there any cracks/exploits that can be used to bypass the windows lock screen? The windows lock screen would be the only thing protecting my drive if I were already logged into windows, since the TrueCrypt password appears when the PC first boots up.

Possibly. When the operating system is loaded and running, you're at its mercy to protect your data.

 

[masteryoda34]

Let's say I'm using TrueCrypt on my entire drive, I'm logged into windows, and I use the windows lock screen while I'm away from my computer. Are there any cracks/exploits that can be used to bypass the windows lock screen? The windows lock screen would be the only thing protecting my drive if I were already logged into windows, since the TrueCrypt password appears when the PC first boots up.

The answer depends on how paranoid you are.

If someone has physical access to the PC they could also perform a cold boot attack where they cool down the RAM, pull it out of the running system, insert it into another system, and are able to save the data, which would include the encryption keys.

 

[Special K]

The answer depends on how paranoid you are.

If someone has physical access to the PC they could also perform a cold boot attack where they cool down the RAM, pull it out of the running system, insert it into another system, and are able to save the data, which would include the encryption keys.

How could they move the ram to another system with its contents intact? As soon as you remove power, the stored values are lost.

 

[masteryoda34]

As soon as you remove power, the stored values are lost.

Not exactly true.

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard.

Source: https://citp.princeton.edu/research/memory/

 

[Special K]

Not exactly true.



Source: https://citp.princeton.edu/research/memory/

I only skimmed the paper, but wow. I had no idea RAM contents could remain for seconds after removing power, considering the refresh times.

Having said that, I can't imagine a typical home user would need to protect themselves against an exploit that sophisticated.

 

[beginner99]

That one wired writer got totally owned by someone recently via social engineering.

It is unlikely it would happen to you, that is true, but it's better to be more secure online.

Well yes if some hacker wanted to get to me personally for whatever reason he could but that applies probably to 99.99% of person were the remaining ones are the ultra paranoid types.

Social engineering, sorry but I'm as arrogant as to say I would not fall for it. (Unless you count putting a gun to my head as social engineering).

 

[Special K]

Well yes if some hacker wanted to get to me personally for whatever reason he could but that applies probably to 99.99% of person were the remaining ones are the ultra paranoid types.

Social engineering, sorry but I'm as arrogant as to say I would not fall for it. (Unless you count putting a gun to my head as social engineering).

Did you read the Wired writer's story?

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

It's not like the hackers called him up on the phone pretending to be a CSR or something.

I'm not saying you would fall for anything, but it's worth reading the story to see exactly what all is contained within "social engineering". It was very interesting to see how many social/procedural loopholes the hackers exploited to hack the guy.

 

[SMOGZINN]

The answer depends on how paranoid you are.

If someone has physical access to the PC they could also perform a cold boot attack where they cool down the RAM, pull it out of the running system, insert it into another system, and are able to save the data, which would include the encryption keys.

If they have physical access to your system there are about a hundred ways to get past windows security. A keylogger dongle is probably the easiest.

 

[SMOGZINN]

Right, what I meant was that in the case of TrueCrypt and KeePass, and presumably many other encryption programs, if someone cracks your master password, all of the protected data is available in plain text format. The encryption is useless at that point.

The encryption is only helpful for protecting against indirect attacks that bypass the password and standard methods of access, correct?

You seem to be thinking of a password as something separate from the encryption, when it is in fact the key to the encryption.

The one of the most basic forms of encryption is the alphabet offset type of encryption, ROT13 is common one. In this case all letters are moved 13 places forward. So that 'how are you' becomes 'ubj ner lbh'. This is encryption, with out knowing the password 13 (as an aside 13 is not really a password in this case, but we will get into that in a second) you can not read the message. But as you can tell, brute forcing this encryption is quite easy.

Now lets contemplate a bit more complex encryption scheme. Now instead of just moving all the numbers forward 13 characters we are going to move them forward a random number of characters. To do this we are going to use this formula:

Take the count of the letter's position in the sentence and add to it alphabetical number of the letter in the password, if you hit the end of the password start over at letter 1.

So now I have the password: Yellow (25 - 5 - 12 - 12 - 23)

I have the sentence: how are you

It becomes: hlf ptj kip

Now this is a lot harder to crack, it can be done, but with out already knowing the key you will take a lot longer to do it.

Modern methods of cryptography are a lot like this, they password is a key part to a formula needed to be solved to put the information back in it's original configuration. Now, of course, the formulas are a LOT more complex, and they do all sorts of things to the data other then just swapping letters around. But this should get you thinking about how keys (passwords) relate to cryptography.

 

[Special K]

You seem to be thinking of a password as something separate from the encryption, when it is in fact the key to the encryption.

The one of the most basic forms of encryption is the alphabet offset type of encryption, ROT13 is common one. In this case all letters are moved 13 places forward. So that 'how are you' becomes 'ubj ner lbh'. This is encryption, with out knowing the password 13 (as an aside 13 is not really a password in this case, but we will get into that in a second) you can not read the message. But as you can tell, brute forcing this encryption is quite easy.

Now lets contemplate a bit more complex encryption scheme. Now instead of just moving all the numbers forward 13 characters we are going to move them forward a random number of characters. To do this we are going to use this formula:

Take the count of the letter's position in the sentence and add to it alphabetical number of the letter in the password, if you hit the end of the password start over at letter 1.

So now I have the password: Yellow (25 - 5 - 12 - 12 - 23)

Did you forget the letter 'O' in the above password?

I have the sentence: how are you

It becomes: hlf ptj kip

Which letter of the password did you add to each letter of the phrase "how are you"? That part wasn't clear to me from your description above.

Now this is a lot harder to crack, it can be done, but with out already knowing the key you will take a lot longer to do it.

Modern methods of cryptography are a lot like this, they password is a key part to a formula needed to be solved to put the information back in it's original configuration. Now, of course, the formulas are a LOT more complex, and they do all sorts of things to the data other then just swapping letters around. But this should get you thinking about how keys (passwords) relate to cryptography.

All encryption programs I've seen (KeePass, TrueCrypt, etc.) allow the user to specify their own master password. I could pick something as simple as "cat" for my password. In my previous post, I was making a distinction between two methods of accessing encrypted data:

1. Hacking the master password ("cat" in my example above) using brute force or some other method. This would involve just trying many different combinations at the password prompt, correct? In the case of KeePass or TrueCrypt, this would allow the hacker to view the data unencrypted in its native application once the password was guessed.

2. Accesssing the encrypted data using some non-standard method (a hex editor, for example; I'm sure there are more sophisticated tools out there) that bypasses the master password entirely. I'm not sure how a brute force attack would work on a dump of binary encrypted data. Would they just keep trying random operations on the encrypted data to see if they worked? Or would they only need to guess the key (i.e. the password) since the algorithms for encryption standards are all public knowledge?

My statement was only that the encryption program is ultimately only as strong as the master password that protects it. I could use AES 256 bit + twofish encryption, but if my master password is "cat", then I would argue the encryption is worthless vs. having password protection without any underlying encryption.

In a brute force attack, does the attacker need to guess the entire key to the encryption, or just the password used to construct the key?

 

[theevilsharpie]

In a brute force attack, does the attacker need to guess the entire key to the encryption, or just the password used to construct the key?

A brute-forcing attacker would need your master password to break the encryption. No one is going to brute the actual encryption key.

 

[smakme7757]

These days a good rule of thumb is a password of 14 character including all possible character types.

Numbers, Letters, Symbols, Small letter, Capital letter.

You increase the bruteforce time by a massive amount by just using an extra character type.

A good example:
smakme7757 = 3,760,620,109,779,060 (possible passwords)

Smakme7757 = 853,058,371,866,181,866 (possible passwords)

Smakme7757! = 5,748,511,570,879,116,626,495 (possible passwords)

On top of that you have length which is extrmely important. A longer password will almost always be better than a shorter password.

You have to keep in mind that anyone trying to crack your password doesn't know anythnig about it. So when they start brute forcing a password they have to make a few assumptions to cut down the brute force time.

Take this password: Smakme7757!

The hacker might assume:
1. He has a capital letter
2. He has small letters
3. He has numbers

Then he runs his program and never ever find my password because i have a symbol in there.

Brute forcing isn't really viable if you have a decently long password.

With that being said encryption is only as strong as the password used with it. But at the end of the day there always needs to be an entry point. Wether this is a hardware token, a password, an RFID tag or what ever, if it falls into the wrong hands the game is up.

So yes, you are right, if the password is compromised then it's all over, but that's why it's up to you to have a decent password strategy.

Also keep in mind that AES128/256 is considered unbreakable. It's much harder to break the encryption rather than the master password. But even trying to brute force the passwor would take such an immense amount of time that it's just not worth it. People usually result to torture before the bother brute forcing a password.

And the only way to "bypass" the master password is to break the encryption and that's just not going to happen, at least not yet, not by normal consumers.

 

[Mark R]

In a brute force attack, does the attacker need to guess the entire key to the encryption, or just the password used to construct the key?

It depends on the way in which the password and key are used.

Passwords are usually dictionary words, or permutations of these with highly restricted strings of characters. As a result, most human generated passwords have far less "entropy" than the actual key used for encryption.

Even a "complex" password like "xO;Zhv39w>H$1rjw" has only about 72 bits of entropy. A more practical password like "Ch1ck3nButT$" has barely 32 bits of entropy (because of the fact that it's 2 dictionary words, with some minor obfuscation - now, crude brute-force techniques might not be able to utilise an advanced dictionary attack, but modern password cracking software is now available with very sophisticated dictionaries and permutations specifically to focus on this type of password construction). 128 bit encryption is considered the minimum commercial standard today, so even with an absurdly complex password like the above, brute forcing the password is many, many orders of magnitude easier than brute-forcing the actual encryption key.

To get around this, best practice is to use a very complex and resource intensive algorithm to convert the password into the key. (Traditionally, programmers have used an algorithm like MD5 to convert a password into a binary string suitable for use as an encryption key - there are problems with this approach). Modern password-digest algorithms are designed to take substantial CPU time (1-2 seconds on a fast CPU) and use lots of RAM (32-64 MB+). By making the password-to-key conversion process ridiculously CPU/RAM hungry, it severely hampers a brute-force attack on the password. (For example, truecrypt uses a highly resource intensive algorithm to generate the key from your passphrase, specifically for this reason).

If a fast GPU can brute force 100 billion encryption keys per second, but a top-end CPU can only manage 1 password per second, then it might be worthwhile for an attacker to try to brute-force the encryption key rather than the password.

 

[Zodiark1593]

In the case of TrueCrypt, all that is required to mount an encrypted volume is to enter the master password. Once that has been done, all of the data held in the volume is available for access in its unencrypted format. The same is true for KeePass - once the master password has been entered, all user names, passwords, etc. are available in plain text format.

In these two instances, what benefit is the encryption providing above and beyond the master password?

An attacker wanting to get your data would have two potential points of attack. The user's password, and the encryption itself. A strong encryption bars the latter, leaving only the password. Conversely, a broken encryption can easily allow data to be exposed, regardless of password.

An analogy would be the lock and key. The encryption serves as the lock for the data, the password being the key. If the lock i unbreakable, the attacker would have to forge a key to break in.

Now, with AES, the password can easily become the weak link. A Brute Force will eventually find the correct password, the key to a strong password is making a brute force unfeasible. This is done by using many differing characters. For example, while using lower case letters only, any given character will contain one of 26 possibilities. Using uppercase letters doubles this to one of 56 possibilities per character. Then you have numbers and then symbols like & or *. Each additional character exponentially increases the password possibilities, so thorough brute force will take a very long time.

Another mistake when making passwords is using a variant of a word in the dictionary. Word lists can be employed to quickly run through the more common passwords, so using a random password is more secure.

So, the point of strong encryption is to guard against one point of attack.

 

[beginner99]

Did you read the Wired writer's story?

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

It's not like the hackers called him up on the phone pretending to be a CSR or something.

I'm not saying you would fall for anything, but it's worth reading the story to see exactly what all is contained within "social engineering". It was very interesting to see how many social/procedural loopholes the hackers exploited to hack the guy.

As I said yes if I am the target and the only target and not the mass, I agree they would be able to get to me. But that is unlikely as I'm not a journalist, CEO or otherwise "more known" person.

But with phishing mails for the masses and similar stuff, no I don't think so.

 

[masteryoda34]

If they have physical access to your system there are about a hundred ways to get past windows security. A keylogger dongle is probably the easiest.

Of course. I was just pointing out what I would consider to be the most extreme example.

 

[Special K]

OK, I just conducted an experiment:

I created one MS Word 2010 document containing only the sentence: "This is a test.". I then created another MS Word 2010 document that contained the same exact sentence, only it was encrypted and saved with a password.

I opened both of them in a hex editor. The text was nowhere to be found in the entire document. In this case, what benefit is the encryption providing? It seems as though the text isn't even visible in the bytes of the saved document anyway, so I would imagine it would take a very determined individual to attempt to reverse engineer the MS World file structure to extract out the text. In this case, password protection without any encryption seems like it would be just as effective as password protection with encryption.

 

[Special K]

Also, here's another question:

The encryption programs I have looked at (admittedly just KeePass and Truecrypt at this point) both say that if you forget your master password, your data is gone for good.

If these programs don't store your password somewhere, how are they able to determine that you entered it correctly? If your password is simply a string of bytes input to the decryption algorithm, then technically any string of bytes combined with the encrypted data would produce some output, right. Whether that output is truly decrypted would be up to the user to decide.

Do these programs store a hash of your password somewhere, and then just compare the hash of what you typed in with the hash that was created when you set your master password, and then if they match, the program proceeds with the decryption algorithm?

 

[masteryoda34]

OK, I just conducted an experiment:

I created one MS Word 2010 document containing only the sentence: "This is a test.". I then created another MS Word 2010 document that contained the same exact sentence, only it was encrypted and saved with a password.

I opened both of them in a hex editor. The text was nowhere to be found in the entire document. In this case, what benefit is the encryption providing? It seems as though the text isn't even visible in the bytes of the saved document anyway, so I would imagine it would take a very determined individual to attempt to reverse engineer the MS World file structure to extract out the text. In this case, password protection without any encryption seems like it would be just as effective as password protection with encryption.

The nature of your question implies that you have no fundamental understanding of what encryption really is or means. Instead of asking overly specific questions, you should start by learning about the fundamentals of encryption.

http://www.amazon.com/Cryptography-D.../dp/0764541889

 

[LokutusofBorg]

The nature of your question implies that you have no fundamental understanding of what encryption really is or means. Instead of asking overly specific questions, you should start by learning about the fundamentals of encryption.

http://www.amazon.com/Cryptography-D.../dp/0764541889

I agree. The OP's posts keep saying the same things over and over even though people are explaining things in very simple terms that anybody with a basic understanding of encryption would grasp.

 

[Nothinman]

OK, I just conducted an experiment:

I created one MS Word 2010 document containing only the sentence: "This is a test.". I then created another MS Word 2010 document that contained the same exact sentence, only it was encrypted and saved with a password.

I opened both of them in a hex editor. The text was nowhere to be found in the entire document. In this case, what benefit is the encryption providing? It seems as though the text isn't even visible in the bytes of the saved document anyway, so I would imagine it would take a very determined individual to attempt to reverse engineer the MS World file structure to extract out the text. In this case, password protection without any encryption seems like it would be just as effective as password protection with encryption.

People have already reverse engineered the old Office formats, so your experiment is pointless. How do you think free software like LibreOffice is able to open Word docs? Just because you don't understand the math behind the encryption doesn't make it pointless.