> A truly random 256-bit symmetric key could theoretically be cracked > given enough time, but time to brute-force (given known technology) is > generally given in billions of years.
Awesome. Okay, here's a crypto theory question for ya... Could this be possible: A encrypted blob has the data required, and requires a key to unlock. If you have the key, it unlocks correctly and you have the data. Straight forward, I would think... But the blob is created in such a way that two keys work... one which is easy (or easier) to crack, perhaps with some dictionary-derived key, and another which is much harder to crack. This special blob will appear to be successfully cracked with the easier key... which the hacker then uses to try and pull data from whatever server they think they just compromised. The server knows both keys and uses the fact that the easier key (a 'honeypot key'?) was used to assume the key is in the process of being cracked... and then takes appropriate measures to prevent the account from being truly compromised... perhaps issuing a new key? Is this even possible? Perhaps this is already being done? --Matt Ross Ephrata School District ----- Original Message ----- From: Ben Scott [mailto:[email protected]] To: NT System Admin Issues [mailto:[email protected]] Sent: Thu, 10 Feb 2011 10:25:10 -0800 Subject: Re: IPhone attack reveals passwords in six minutes > On Thu, Feb 10, 2011 at 12:31 PM, Matthew W. Ross > <[email protected]> wrote: > >> If data is encrypted with strong crypto, and that crypto's secret > >> key is not stored on the device, then that data can generally be > >> considered safe even if the device is stolen. > >> > >> In English, that means if the security depends on a strong password > >> the user must enter (and not on some magic the manufacturer has > >> "hidden" inside the device), the password-protected data is safe. > > > > ... Isn't that only partially true? I mean, if the encrypted data is > stolen, > > isn't it reasonable to believe it can be cracked given enough time/cpu > power? > > You're basically correct. > > Given good algorithms and implementations, the strength of your > security depends on the strength of the key. If the password is an > English word, then yah, it's going to be straightforward to crack in > minutes or hours with a dictionary attack. If it's a a combination of > words and other characters, it's harder, but still within reason for > days, weeks, or months. Once you go to truly random characters, it's > dependent on the length. But even 10 characters might be crackable in > several years given commercially available technology. (I'm not up on > current predictions, so numbers may be off for times.) > > A truly random 256-bit symmetric key could theoretically be cracked > given enough time, but time to brute-force (given known technology) is > generally given in billions of years. It has been theorized that new > technology (especially "quantum computing") could drastically cut into > that, but it remains to be seen if such things are actually possible > or not. > > But 256 bits is a lot. Printable ASCII is roughly 96 characters. > That fits in roughly six and a half bits. So your passcode would need > to be around 40 characters long, and *completely* random (no words or > patterns), for it to be in that neighborhood. It's not realistic to > expect humans to do that. > > -- Ben > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
