Board indexTopical DiscussionComputers, Math, Science, and Technology

Hackers and Autism

Page 2 of 2 [ 28 posts ]  Go to page Previous  1, 2

Previous topic | Next topic

sliqua-jcooter
Veteran
Veteran

User avatar

Joined: 25 Jan 2010
Age: 37
Gender: Male
Posts: 1,488
Location: Burke, Virginia, USA

04 Oct 2012, 10:43 pm

2fefd8 wrote:
sliqua-jcooter wrote:
The days of the worlds most powerful supercomputers not being able to brute force something for years are long gone.


This is completely false. There are plenty of problems which are still not tractable even for supercomputers. You can't brute force AES256 even with a supercomputer since it requires a search over a space of size 2^256 (yes, I know that AES lost two bits recently but that doesn't matter much here).


You're still trying to brute-force the key, not the passphrase that's used to derive the key. In a PKI situation, you're right - but we're talking about symmetrical encryption, so the key is NOT the weak point.

Quote:
sliqua-jcooter wrote:
On any symmetric passphrase-based system (which is what the vast majority of disk encryption systems use), the strength of the encryption isn't the key, but rather the entropy of the passphrase. You can have a 512-bit 3AES key, but if you only have a passphrase with 32 bits of entropy, then you're pretty much screwed.


So what? I said assuming it's done properly which would rule out weak passphrases.


32-bit entropy is the average 14-character passphrase. Not exactly weak.

LUKS takes roughly 1 second per attempt at unlocking the key per passphrase (this is all dependent on the system clock-speed - but these are the numbers I got during my test) - with each system I was running I could run roughly 1000 attempts concurrently - which means the total capacity of the cluster I threw together was 10000 attempts per second.


_________________
Nothing posted here should be construed as the opinion or position of my company, or an official position of WrongPlanet in any way, unless specifically mentioned.


2fefd8
Tufted Titmouse
Tufted Titmouse

User avatar

Joined: 25 Jul 2012
Age: 37
Gender: Male
Posts: 44

04 Oct 2012, 10:57 pm

sliqua-jcooter wrote:
You're still trying to brute-force the key, not the passphrase that's used to derive the key. In a PKI situation, you're right - but we're talking about symmetrical encryption, so the key is NOT the weak point.


If you use a random passphrase that is long enough, then you will have to check 2^256 possible keys.

sliqua-jcooter wrote:
32-bit entropy is the average 14-character passphrase. Not exactly weak.

LUKS takes roughly 1 second per attempt at unlocking the key per passphrase (this is all dependent on the system clock-speed - but these are the numbers I got during my test) - with each system I was running I could run roughly 1000 attempts concurrently - which means the total capacity of the cluster I threw together was 10000 attempts per second.


I'm not sure what you mean by the average 14 character passphrase. However, if you use a random 14 character passphrase (with uppercase, lowercase numbers and symbols allowed) for example, then you will have more than 84 bits entropy and you won't be able to crack it with your method in a reasonable amount of time.



sliqua-jcooter
Veteran
Veteran

User avatar

Joined: 25 Jan 2010
Age: 37
Gender: Male
Posts: 1,488
Location: Burke, Virginia, USA

04 Oct 2012, 11:00 pm

Yes, however most passwords aren't truely random. The password that unlocks your computer - by definition - has to be easily memorizable, which means that it more than likely follows certain patterns. For instance, I happened to know that my password was two uncommon english words, with certain letters substituted for numbers and standard punctuation.


_________________
Nothing posted here should be construed as the opinion or position of my company, or an official position of WrongPlanet in any way, unless specifically mentioned.


2fefd8
Tufted Titmouse
Tufted Titmouse

User avatar

Joined: 25 Jul 2012
Age: 37
Gender: Male
Posts: 44

04 Oct 2012, 11:17 pm

sliqua-jcooter wrote:
Yes, however most passwords aren't truely random. The password that unlocks your computer - by definition - has to be easily memorizable, which means that it more than likely follows certain patterns. For instance, I happened to know that my password was two uncommon english words, with certain letters substituted for numbers and standard punctuation.


It's true that most passwords are far from random. However, it is possible (although tedious) to memorize random passwords.

I imagine you're right that many people's passwords are weak enough to be broken by brute force in a reasonable amount of time but if you use a strong password it can't be cracked by brute force. It's true that if you use rules for generating a password (as you describe) then it will likely decrease how secure it is.

Anyway, I'm not talking about the typical case.



sliqua-jcooter
Veteran
Veteran

User avatar

Joined: 25 Jan 2010
Age: 37
Gender: Male
Posts: 1,488
Location: Burke, Virginia, USA

04 Oct 2012, 11:25 pm

2fefd8 wrote:
Anyway, I'm not talking about the typical case.


And I'm not interested in the theoretical. Let's get to the real point in all of this, mainly that individuals don't have to go to extraordinary lengths to protect their data.

The reason I spent so much time (and money) to brute force my partition is because I had a financial incentive to do so in a greater magnitude than what I spent. Most people aren't going to spend hundreds or thousands of dollars on infrastructure to break security unless there's some incentive for them to do so (financial or otherwise).

I have yet to see an example of an individual whose security needs legitimately justified full-disk encryption. I've seen plenty of businesses where it made sense, but no individuals. I've since stopped using full-disk encryption, and instead I only encrypt files that actually need to be encrypted (which accounts for less than 1% of all the files on my disk).


_________________
Nothing posted here should be construed as the opinion or position of my company, or an official position of WrongPlanet in any way, unless specifically mentioned.


Tensu
Veteran
Veteran

User avatar

Joined: 30 Dec 2009
Age: 35
Gender: Male
Posts: 1,661
Location: Nixa, MO, USA

04 Oct 2012, 11:45 pm

My password is a word I made up.



Delphiki
Veteran
Veteran

User avatar

Joined: 14 Apr 2012
Age: 182
Gender: Male
Posts: 1,415
Location: My own version of reality

04 Oct 2012, 11:49 pm

My password is pi, all of it.


_________________
Well you can go with that if you want.


JockGitJnr
Blue Jay
Blue Jay

User avatar

Joined: 24 Sep 2012
Age: 31
Gender: Male
Posts: 77

05 Oct 2012, 12:21 pm

sliqua-jcooter wrote:
any way you can come up with to only let a laptop boot with a USB key in it can be bypassed.

I would like to hear how this would be done. It does not even boot into the bios without the dongle. It is the same security that Auto Desk use for their laptops so I should think it is pretty secure.


_________________
What our ancestors would really be thinking, if they were alive today, is: "Why is it so dark in here?" - Sir Terry Pratchett


sliqua-jcooter
Veteran
Veteran

User avatar

Joined: 25 Jan 2010
Age: 37
Gender: Male
Posts: 1,488
Location: Burke, Virginia, USA

05 Oct 2012, 12:24 pm

JockGitJnr wrote:
sliqua-jcooter wrote:
any way you can come up with to only let a laptop boot with a USB key in it can be bypassed.

I would like to hear how this would be done. It does not even boot into the bios without the dongle. It is the same security that Auto Desk use for their laptops so I should think it is pretty secure.


A) of course it boots some kind of BIOS (or EFI).

Those systems usually are USB smart card based - and smart cards credentials can be stolen right off the USB device once the system is booted and replayed later. I haven't seen any technology like this that hasn't been broken.


_________________
Nothing posted here should be construed as the opinion or position of my company, or an official position of WrongPlanet in any way, unless specifically mentioned.


JockGitJnr
Blue Jay
Blue Jay

User avatar

Joined: 24 Sep 2012
Age: 31
Gender: Male
Posts: 77

05 Oct 2012, 7:38 pm

sliqua-jcooter wrote:
of course it boots some kind of BIOS (or EFI). Those systems usually are USB smart card based - and smart cards credentials can be stolen right off the USB device once the system is booted and replayed later. I haven't seen any technology like this that hasn't been broken.

Interesting. What about if the USB stick is removed and inaccessible after it has been booted. Will system still been under threat?


_________________
What our ancestors would really be thinking, if they were alive today, is: "Why is it so dark in here?" - Sir Terry Pratchett


2fefd8
Tufted Titmouse
Tufted Titmouse

User avatar

Joined: 25 Jul 2012
Age: 37
Gender: Male
Posts: 44

05 Oct 2012, 7:45 pm

sliqua-jcooter wrote:
And I'm not interested in the theoretical.


It's not purely theoretical. Memorizing a 16 character random password is quite doable (I've done it before). Alternatively, you could memorize a medium length sentence (which would probably be a lot easier and arguably more secure). Either method would defeat brute force attacks.

Also, in your case you had additional information (the two long words) which an ordinary attacker wouldn't have known. Having to consider all possible choices for those two words would make brute force search much less manageable.

In practice full-disk encryption is often effective; for instance, a quick Google search reveals that it often prevents law-enforcement agencies from obtaining data from systems which use full-disk encryption so I'm not convinced that it is as ineffective as you seem to be suggesting. As I've mentioned before, I'm sure there are cases where poor security practices make it vulnerable to brute force attacks.



2fefd8
Tufted Titmouse
Tufted Titmouse

User avatar

Joined: 25 Jul 2012
Age: 37
Gender: Male
Posts: 44

05 Oct 2012, 7:53 pm

JockGitJnr wrote:
sliqua-jcooter wrote:
any way you can come up with to only let a laptop boot with a USB key in it can be bypassed.

I would like to hear how this would be done. It does not even boot into the bios without the dongle. It is the same security that Auto Desk use for their laptops so I should think it is pretty secure.


You could make it secure if the USB stick was encrypted using a second key (which is also available to the hardware controlling the hard drive) which is inaccessible to the OS. However, the real problem is that any scheme based on storing the key on a USB stick can be broken by anyone who can steal the USB stick.