Interesting idea. http://www.pcworld.com/businesscenter/article/190889/password_application_gives_wrong_info_to_fraudsters.html
Here they made an app with another approach.

On Thu, Feb 10, 2011 at 7:41 PM, Matthew W. Ross <[email protected]> wrote:

> > A truly random 256-bit symmetric key could theoretically be cracked
> > given enough time, but time to brute-force (given known technology) is
> > generally given in billions of years.
>
> Awesome.
>
> Okay, here's a crypto theory question for ya... Could this be possible:
>
> An encrypted blob has the data required, and requires a key to unlock. If
> you have the key, it unlocks correctly and you have the data. Straight
> forward, I would think...
>
> But the blob is created in such a way that two keys work... one which is
> easy (or easier) to crack, perhaps with some dictionary-derived key, and
> another which is much harder to crack.
>
> This special blob will appear to be successfully cracked with the easier
> key... which the hacker then uses to try and pull data from whatever server
> they think they just compromised.
>
> The server knows both keys and uses the fact that the easier key (a
> 'honeypot key'?) was used to assume the key is in the process of being
> cracked... and then takes appropriate measures to prevent the account from
> being truly compromised... perhaps issuing a new key?
>
> Is this even possible? Perhaps this is already being done?
>
>
> --Matt Ross
> Ephrata School District
>
>
> ----- Original Message -----
> From: Ben Scott
> [mailto:[email protected]]
> To: NT System Admin Issues
> [mailto:[email protected]]
> Sent: Thu, 10 Feb 2011 10:25:10 -0800
> Subject: Re: IPhone attack reveals passwords in six minutes
>
> > On Thu, Feb 10, 2011 at 12:31 PM, Matthew W. Ross
> > <[email protected]> wrote:
> > >> If data is encrypted with strong crypto, and that crypto's secret
> > >> key is not stored on the device, then that data can generally be
> > >> considered safe even if the device is stolen.
> > >>
> > >> In English, that means if the security depends on a strong password
> > >> the user must enter (and not on some magic the manufacturer has
> > >> "hidden" inside the device), the password-protected data is safe.
> > >
> > > ... Isn't that only partially true? I mean, if the encrypted data is
> > > stolen, isn't it reasonable to believe it can be cracked given enough
> > > time/cpu power?
> >
> > You're basically correct.
> >
> > Given good algorithms and implementations, the strength of your
> > security depends on the strength of the key. If the password is an
> > English word, then yah, it's going to be straightforward to crack in
> > minutes or hours with a dictionary attack. If it's a combination of
> > words and other characters, it's harder, but still within reason for
> > days, weeks, or months. Once you go to truly random characters, it's
> > dependent on the length. But even 10 characters might be crackable in
> > several years given commercially available technology. (I'm not up on
> > current predictions, so numbers may be off for times.)
> >
> > A truly random 256-bit symmetric key could theoretically be cracked
> > given enough time, but time to brute-force (given known technology) is
> > generally given in billions of years. It has been theorized that new
> > technology (especially "quantum computing") could drastically cut into
> > that, but it remains to be seen if such things are actually possible
> > or not.
> >
> > But 256 bits is a lot. Printable ASCII is roughly 96 characters.
> > That fits in roughly six and a half bits. So your passcode would need
> > to be around 40 characters long, and *completely* random (no words or
> > patterns), for it to be in that neighborhood. It's not realistic to
> > expect humans to do that.
> >
> > -- Ben
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to [email protected]
> > with the body: unsubscribe ntsysadmin
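The keyspace arithmetic in Ben Scott's reply (roughly 96 printable characters, about six and a half bits each, around 40 random characters to reach 256 bits) generalises to any alphabet. The following is an added worked example, not code from anyone in the thread: it computes bits per character, the passphrase length needed for a target key size, the much smaller keyspace of a dictionary word, and an expected brute-force time at an assumed guess rate. The alphabet sizes are standard counts (95 printable ASCII is the usual figure; the thread rounds it to 96), and the guess rates are made-up constants for illustration only.

```python
import math

# Alphabet sizes (standard counts, not taken from the thread).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one character chosen uniformly from the alphabet."""
    return math.log2(alphabet_size)


def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Keyspace (in bits) of a uniformly random passphrase of this length."""
    return length * bits_per_char(alphabet_size)


def chars_for_bits(alphabet_size: int, target_bits: int = 256) -> int:
    """Smallest length whose keyspace is at least 2**target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def dictionary_bits(dictionary_size: int, words: int = 1) -> float:
    """Keyspace of 'words' words picked uniformly from a dictionary.
    This is what a dictionary attack actually has to search, and it is
    why a single English word falls in minutes rather than years."""
    return words * math.log2(dictionary_size)


def expected_bruteforce_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the key: on average half the keyspace is tried."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed guess rate (illustrative constant, not a measured figure).
    rate = 1e10
    print(f"{'alphabet':16} {'bits/char':>9} {'chars for 256 bits':>20}")
    for name, size in ALPHABETS.items():
        print(f"{name:16} {bits_per_char(size):9.2f} {chars_for_bits(size):20d}")

    word = dictionary_bits(100_000)          # one word from a 100k-word list
    ten = passphrase_bits(95, 10)            # 10 random printable characters
    print(f"one dictionary word: {word:.1f} bits, "
          f"{expected_bruteforce_years(word, rate) * SECONDS_PER_YEAR:.4f} s")
    print(f"10 random printable chars: {ten:.1f} bits, "
          f"{expected_bruteforce_years(ten, rate):.0f} years")
    print(f"256-bit key: {expected_bruteforce_years(256, rate):.2e} years")
```

The table confirms the thread's figure (39 random printable-ASCII characters reach 256 bits), and the contrast between the dictionary-word row and the 256-bit row is the whole argument: key strength is set by the size of the space an attacker must search, not by the algorithm wrapped around it. The guess rate is the one input here that changes over time, so treat any absolute year figure as a snapshot.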
