general encryption question

Discussion in 'Software for Windows' started by Special K, Nov 29, 2012.

  1. Chiefcrowe

    Chiefcrowe Diamond Member

    Joined:
    Sep 15, 2008
    Messages:
    4,302
    Likes Received:
    2
    The hacker wouldn't necessarily know, but if he somehow breaks into your email account then he can go on from there. He could also use social engineering.
    That one wired writer got totally owned by someone recently via social engineering.

    It is unlikely it would happen to you, that is true, but it's better to be more secure online.


     
  2. Special K

    Special K Diamond Member

    Joined:
    Jun 18, 2000
    Messages:
    7,080
    Likes Received:
    0
    Let's say I'm using TrueCrypt on my entire drive, I'm logged into windows, and I use the windows lock screen while I'm away from my computer. Are there any cracks/exploits that can be used to bypass the windows lock screen? The windows lock screen would be the only thing protecting my drive if I were already logged into windows, since the TrueCrypt password appears when the PC first boots up.
     
  3. theevilsharpie

    theevilsharpie Platinum Member

    Joined:
    Nov 2, 2009
    Messages:
    2,321
    Likes Received:
    0
    Possibly. When the operating system is loaded and running, you're at its mercy to protect your data.
     
  4. masteryoda34

    masteryoda34 Golden Member

    Joined:
    Dec 17, 2007
    Messages:
    1,399
    Likes Received:
    0
    The answer depends on how paranoid you are.

    If someone has physical access to the PC they could also perform a cold boot attack where they cool down the RAM, pull it out of the running system, insert it into another system, and are able to save the data, which would include the encryption keys.
     
  5. Special K

    Special K Diamond Member

    Joined:
    Jun 18, 2000
    Messages:
    7,080
    Likes Received:
    0
    How could they move the ram to another system with its contents intact? As soon as you remove power, the stored values are lost.
     
  6. masteryoda34

    masteryoda34 Golden Member

    Joined:
    Dec 17, 2007
    Messages:
    1,399
    Likes Received:
    0
    Not exactly true.

    Source: https://citp.princeton.edu/research/memory/
     
  7. Special K

    Special K Diamond Member

    Joined:
    Jun 18, 2000
    Messages:
    7,080
    Likes Received:
    0
    I only skimmed the paper, but wow. I had no idea RAM contents could remain for seconds after removing power, considering the refresh times.

    Having said that, I can't imagine a typical home user would need to protect themselves against an exploit that sophisticated.
     
  8. beginner99

    beginner99 Platinum Member

    Joined:
    Jun 2, 2009
    Messages:
    2,817
    Likes Received:
    2
    Well yes if some hacker wanted to get to me personally for whatever reason he could but that applies probably to 99.99% of person were the remaining ones are the ultra paranoid types.

    Social engineering, sorry but I'm as arrogant as to say I would not fall for it. (Unless you count putting a gun to my head as social engineering).
     
  9. Special K

    Special K Diamond Member

    Joined:
    Jun 18, 2000
    Messages:
    7,080
    Likes Received:
    0
    Did you read the Wired writer's story?

    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

    It's not like the hackers called him up on the phone pretending to be a CSR or something.

    I'm not saying you would fall for anything, but it's worth reading the story to see exactly what all is contained within "social engineering". It was very interesting to see how many social/procedural loopholes the hackers exploited to hack the guy.
     
    #34 Special K, Dec 3, 2012
    Last edited: Dec 3, 2012
  10. SMOGZINN

    SMOGZINN Diamond Member

    Joined:
    Jun 17, 2005
    Messages:
    8,715
    Likes Received:
    4
    If they have physical access to your system there are about a hundred ways to get past windows security. A keylogger dongle is probably the easiest.
     
  11. SMOGZINN

    SMOGZINN Diamond Member

    Joined:
    Jun 17, 2005
    Messages:
    8,715
    Likes Received:
    4
    You seem to be thinking of a password as something separate from the encryption, when it is in fact the key to the encryption.

    The one of the most basic forms of encryption is the alphabet offset type of encryption, ROT13 is common one. In this case all letters are moved 13 places forward. So that 'how are you' becomes 'ubj ner lbh'. This is encryption, with out knowing the password 13 (as an aside 13 is not really a password in this case, but we will get into that in a second) you can not read the message. But as you can tell, brute forcing this encryption is quite easy.

    Now lets contemplate a bit more complex encryption scheme. Now instead of just moving all the numbers forward 13 characters we are going to move them forward a random number of characters. To do this we are going to use this formula:

    Take the count of the letter's position in the sentence and add to it alphabetical number of the letter in the password, if you hit the end of the password start over at letter 1.

    So now I have the password: Yellow (25 - 5 - 12 - 12 - 23)

    I have the sentence: how are you

    It becomes: hlf ptj kip

    Now this is a lot harder to crack, it can be done, but with out already knowing the key you will take a lot longer to do it.

    Modern methods of cryptography are a lot like this, they password is a key part to a formula needed to be solved to put the information back in it's original configuration. Now, of course, the formulas are a LOT more complex, and they do all sorts of things to the data other then just swapping letters around. But this should get you thinking about how keys (passwords) relate to cryptography.
     
    #36 SMOGZINN, Dec 3, 2012
    Last edited: Dec 3, 2012
  12. Special K

    Special K Diamond Member

    Joined:
    Jun 18, 2000
    Messages:
    7,080
    Likes Received:
    0
    Did you forget the letter 'O' in the above password?

    Which letter of the password did you add to each letter of the phrase "how are you"? That part wasn't clear to me from your description above.

    All encryption programs I've seen (KeePass, TrueCrypt, etc.) allow the user to specify their own master password. I could pick something as simple as "cat" for my password. In my previous post, I was making a distinction between two methods of accessing encrypted data:

    1. Hacking the master password ("cat" in my example above) using brute force or some other method. This would involve just trying many different combinations at the password prompt, correct? In the case of KeePass or TrueCrypt, this would allow the hacker to view the data unencrypted in its native application once the password was guessed.

    2. Accesssing the encrypted data using some non-standard method (a hex editor, for example; I'm sure there are more sophisticated tools out there) that bypasses the master password entirely. I'm not sure how a brute force attack would work on a dump of binary encrypted data. Would they just keep trying random operations on the encrypted data to see if they worked? Or would they only need to guess the key (i.e. the password) since the algorithms for encryption standards are all public knowledge?

    My statement was only that the encryption program is ultimately only as strong as the master password that protects it. I could use AES 256 bit + twofish encryption, but if my master password is "cat", then I would argue the encryption is worthless vs. having password protection without any underlying encryption.

    In a brute force attack, does the attacker need to guess the entire key to the encryption, or just the password used to construct the key?
     
    #37 Special K, Dec 3, 2012
    Last edited: Dec 3, 2012
  13. theevilsharpie

    theevilsharpie Platinum Member

    Joined:
    Nov 2, 2009
    Messages:
    2,321
    Likes Received:
    0
    A brute-forcing attacker would need your master password to break the encryption. No one is going to brute the actual encryption key.
     
  14. smakme7757

    smakme7757 Golden Member

    Joined:
    Nov 20, 2010
    Messages:
    1,479
    Likes Received:
    0
    These days a good rule of thumb is a password of 14 character including all possible character types.

    Numbers, Letters, Symbols, Small letter, Capital letter.

    You increase the bruteforce time by a massive amount by just using an extra character type.

    A good example:
    smakme7757 = 3,760,620,109,779,060 (possible passwords)

    Smakme7757 = 853,058,371,866,181,866 (possible passwords)

    Smakme7757! = 5,748,511,570,879,116,626,495 (possible passwords)

    On top of that you have length which is extrmely important. A longer password will almost always be better than a shorter password.

    You have to keep in mind that anyone trying to crack your password doesn't know anythnig about it. So when they start brute forcing a password they have to make a few assumptions to cut down the brute force time.

    Take this password: Smakme7757!

    The hacker might assume:
    1. He has a capital letter
    2. He has small letters
    3. He has numbers

    Then he runs his program and never ever find my password because i have a symbol in there.

    Brute forcing isn't really viable if you have a decently long password.

    With that being said encryption is only as strong as the password used with it. But at the end of the day there always needs to be an entry point. Wether this is a hardware token, a password, an RFID tag or what ever, if it falls into the wrong hands the game is up.

    So yes, you are right, if the password is compromised then it's all over, but that's why it's up to you to have a decent password strategy.

    Also keep in mind that AES128/256 is considered unbreakable. It's much harder to break the encryption rather than the master password. But even trying to brute force the passwor would take such an immense amount of time that it's just not worth it. People usually result to torture before the bother brute forcing a password.

    And the only way to "bypass" the master password is to break the encryption and that's just not going to happen, at least not yet, not by normal consumers.
     
  15. Mark R

    Mark R Diamond Member

    Joined:
    Oct 9, 1999
    Messages:
    8,496
    Likes Received:
    0
    It depends on the way in which the password and key are used.

    Passwords are usually dictionary words, or permutations of these with highly restricted strings of characters. As a result, most human generated passwords have far less "entropy" than the actual key used for encryption.

    Even a "complex" password like "xO;Zhv39w>H$1rjw" has only about 72 bits of entropy. A more practical password like "Ch1ck3nButT$" has barely 32 bits of entropy (because of the fact that it's 2 dictionary words, with some minor obfuscation - now, crude brute-force techniques might not be able to utilise an advanced dictionary attack, but modern password cracking software is now available with very sophisticated dictionaries and permutations specifically to focus on this type of password construction). 128 bit encryption is considered the minimum commercial standard today, so even with an absurdly complex password like the above, brute forcing the password is many, many orders of magnitude easier than brute-forcing the actual encryption key.

    To get around this, best practice is to use a very complex and resource intensive algorithm to convert the password into the key. (Traditionally, programmers have used an algorithm like MD5 to convert a password into a binary string suitable for use as an encryption key - there are problems with this approach). Modern password-digest algorithms are designed to take substantial CPU time (1-2 seconds on a fast CPU) and use lots of RAM (32-64 MB+). By making the password-to-key conversion process ridiculously CPU/RAM hungry, it severely hampers a brute-force attack on the password. (For example, truecrypt uses a highly resource intensive algorithm to generate the key from your passphrase, specifically for this reason).

    If a fast GPU can brute force 100 billion encryption keys per second, but a top-end CPU can only manage 1 password per second, then it might be worthwhile for an attacker to try to brute-force the encryption key rather than the password.
     
    #40 Mark R, Dec 3, 2012
    Last edited: Dec 3, 2012
  16. Zodiark1593

    Zodiark1593 Platinum Member

    Joined:
    Oct 21, 2012
    Messages:
    2,220
    Likes Received:
    0
    An attacker wanting to get your data would have two potential points of attack. The user's password, and the encryption itself. A strong encryption bars the latter, leaving only the password. Conversely, a broken encryption can easily allow data to be exposed, regardless of password.

    An analogy would be the lock and key. The encryption serves as the lock for the data, the password being the key. If the lock i unbreakable, the attacker would have to forge a key to break in.

    Now, with AES, the password can easily become the weak link. A Brute Force will eventually find the correct password, the key to a strong password is making a brute force unfeasible. This is done by using many differing characters. For example, while using lower case letters only, any given character will contain one of 26 possibilities. Using uppercase letters doubles this to one of 56 possibilities per character. Then you have numbers and then symbols like & or *. Each additional character exponentially increases the password possibilities, so thorough brute force will take a very long time.

    Another mistake when making passwords is using a variant of a word in the dictionary. Word lists can be employed to quickly run through the more common passwords, so using a random password is more secure.

    So, the point of strong encryption is to guard against one point of attack.
     
  17. beginner99

    beginner99 Platinum Member

    Joined:
    Jun 2, 2009
    Messages:
    2,817
    Likes Received:
    2
    As I said yes if I am the target and the only target and not the mass, I agree they would be able to get to me. But that is unlikely as I'm not a journalist, CEO or otherwise "more known" person.

    But with phishing mails for the masses and similar stuff, no I don't think so.
     
  18. masteryoda34

    masteryoda34 Golden Member

    Joined:
    Dec 17, 2007
    Messages:
    1,399
    Likes Received:
    0
    Of course. I was just pointing out what I would consider to be the most extreme example.
     
  19. Special K

    Special K Diamond Member

    Joined:
    Jun 18, 2000
    Messages:
    7,080
    Likes Received:
    0
    OK, I just conducted an experiment:

    I created one MS Word 2010 document containing only the sentence: "This is a test.". I then created another MS Word 2010 document that contained the same exact sentence, only it was encrypted and saved with a password.

    I opened both of them in a hex editor. The text was nowhere to be found in the entire document. In this case, what benefit is the encryption providing? It seems as though the text isn't even visible in the bytes of the saved document anyway, so I would imagine it would take a very determined individual to attempt to reverse engineer the MS World file structure to extract out the text. In this case, password protection without any encryption seems like it would be just as effective as password protection with encryption.
     
  20. Special K

    Special K Diamond Member

    Joined:
    Jun 18, 2000
    Messages:
    7,080
    Likes Received:
    0
    Also, here's another question:

    The encryption programs I have looked at (admittedly just KeePass and Truecrypt at this point) both say that if you forget your master password, your data is gone for good.

    If these programs don't store your password somewhere, how are they able to determine that you entered it correctly? If your password is simply a string of bytes input to the decryption algorithm, then technically any string of bytes combined with the encrypted data would produce some output, right. Whether that output is truly decrypted would be up to the user to decide.

    Do these programs store a hash of your password somewhere, and then just compare the hash of what you typed in with the hash that was created when you set your master password, and then if they match, the program proceeds with the decryption algorithm?
     
  21. masteryoda34

    masteryoda34 Golden Member

    Joined:
    Dec 17, 2007
    Messages:
    1,399
    Likes Received:
    0
    The nature of your question implies that you have no fundamental understanding of what encryption really is or means. Instead of asking overly specific questions, you should start by learning about the fundamentals of encryption.

    http://www.amazon.com/Cryptography-D.../dp/0764541889
     
  22. LokutusofBorg

    LokutusofBorg Golden Member

    Joined:
    Mar 20, 2001
    Messages:
    1,063
    Likes Received:
    0
    I agree. The OP's posts keep saying the same things over and over even though people are explaining things in very simple terms that anybody with a basic understanding of encryption would grasp.
     
  23. Nothinman

    Nothinman Elite Member

    Joined:
    Sep 14, 2001
    Messages:
    30,672
    Likes Received:
    0
    People have already reverse engineered the old Office formats, so your experiment is pointless. How do you think free software like LibreOffice is able to open Word docs? Just because you don't understand the math behind the encryption doesn't make it pointless.