Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Andrew McGlashan

Hi,

Chris Jones wrote:

While your brute force decryption is running, how do you determine you
have found the one key and decide it's time to stop?

Among trillions of trillions, when do you know you've hit the jackpot?


And what if you encrypted the result multiple times with a number of 
different keys?


You would have to find the first right key, then the next and so on until 
you know to stop as you have the final product; each level can be a complete 
success in decryption (ie key found).


As computers get faster and more powerful, the initial encryption could be 
multiplied over and over to keep ahead.  The question would remain though, 
how far ahead should you go -- if you think a computer will be X 
powerful/capable in 30 years time, do you encrypt something today to such a 
degree that in 30 years time it would still take forever to decrypt by 
cracking the keys (all of them).   ;)


Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org




Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Jochen Schulz
Chris Jones:
 On Fri, Feb 27, 2009 at 08:34:25AM EST, Jochen Schulz wrote:
 
 This is a valid question! Depending on the encryption system in use,
 it cannot be answered satisfactorily. 
 
 I'm not sure it's related to the encryption/decryption process. 
 
 What I had in mind when I wrote the above was that with the immense
 volumes of output generated, having a crowd of quick-eyed folks look at
 it one individual dose at a time to determine the likelihood of its
 being the correct solution in a timely fashion is not practical.

Sure, it isn't. But if you are, for example, trying to brute-force a
LUKS key's passphrase, there appears to be a way to know whether the
passphrase is correct, or not. But I can only guess how it is done.

 If a one-time pad is in use where the key is as long as the encrypted
 document, it cannot be answered at all. 
 
 Don't take my word for it, but I believe that one-time pads .. as their
 name implies need to be unique to the document to make it impossible to
 decrypt. Otherwise you start introducing regularities.

Sure. But you could just declare your whole hard disk (or a filesystem)
as one document. As long as your purely random key is as long as this
document, it would still qualify as one-time pad.

 Even if one key reveals a good looking plaintext, the attacker has
 no way to know whether this plaintext is the right one because other
 keys lead to other valid looking plaintext. 
 
 Keeping in mind that what you (the cracker, I mean..) are looking for
 might not be plain text in the first place.

Sorry, what I meant was unencrypted cleartext.

 I guess you could devise some complementary hardware support to your HD
 that would hold all the one-time pads and Mission Impossible style
 destroy itself within seconds in case of an emergency.. but I have a
 feeling that the encryption of an entire file system is more something
 that's meant to protect you from unsophisticated prying without making
 your existence miserable but that it was never meant to address the
 security of strategic files and truly sensitive data.

Why not? What makes filesystem encryption less secure than e-mail or
single file encryption?

J.
-- 
I am worried that my dreams pale in comparison beside TV docu-soaps.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html
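
Jochen's guess that a LUKS passphrase can be checked for correctness is right, and the check does not depend on the data at all. The following Python is an added illustration, not LUKS code: a simplified header in the style of a LUKS1 key slot (XOR wrap instead of the volume cipher, a single slot, no anti-forensic split; all my own simplifications) shows how a stored master-key digest turns a passphrase guess into a yes/no answer, and why the KDF iteration count is what makes each guess expensive. Salts and passphrases are constructed for the demo.

```python
"""Model of a passphrase-verified volume header (added example, not from
the thread and not the real LUKS on-disk format).

It keeps the two ingredients that let LUKS-style headers reject a wrong
passphrase without touching user data: a key slot holding the master key
wrapped under a passphrase-derived key, and a separately salted digest of
the master key. Simplifications (mine): the wrap is an XOR pad instead of
the volume's block cipher, there is one slot, and no anti-forensic split.
Salts and passphrases below are constructed for the demo.
"""
import hashlib
import hmac
import os

MASTER_KEY_LEN = 32          # bytes
SALT_LEN = 32
KDF_HASH = "sha256"


def kdf(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC, used both to stretch the passphrase and to compute
    the master-key digest."""
    return hashlib.pbkdf2_hmac(KDF_HASH, secret, salt, iterations, MASTER_KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def format_volume(passphrase: bytes, iterations: int, rng=os.urandom):
    """Create a header for a fresh volume. Returns (header, master_key);
    the master key is what would actually encrypt the data blocks."""
    master_key = rng(MASTER_KEY_LEN)
    slot_salt = rng(SALT_LEN)
    digest_salt = rng(SALT_LEN)
    slot_key = kdf(passphrase, slot_salt, iterations)
    header = {
        "iterations": iterations,
        "slot_salt": slot_salt,
        "wrapped_master_key": xor_bytes(master_key, slot_key),
        "digest_salt": digest_salt,
        # Stored in the clear: it lets anyone test a candidate master key,
        # which is the point (and why an attacker needs no plaintext sample).
        "master_key_digest": kdf(master_key, digest_salt, iterations),
    }
    return header, master_key


def unlock(header: dict, passphrase: bytes):
    """Return the master key if the passphrase is right, otherwise None.

    Every attempt costs two KDF runs at the header's iteration count; the
    digest comparison is the yes/no answer. Nothing here depends on what
    the volume contains, so 'random-looking' data gives no cover."""
    slot_key = kdf(passphrase, header["slot_salt"], header["iterations"])
    candidate = xor_bytes(header["wrapped_master_key"], slot_key)
    digest = kdf(candidate, header["digest_salt"], header["iterations"])
    if hmac.compare_digest(digest, header["master_key_digest"]):
        return candidate
    return None


if __name__ == "__main__":
    import time
    for iters in (1_000, 100_000):
        hdr, mk = format_volume(b"correct horse battery", iters)
        t0 = time.perf_counter()
        assert unlock(hdr, b"correct horse battery") == mk
        assert unlock(hdr, b"wrong passphrase") is None
        per_guess = (time.perf_counter() - t0) / 2
        print(f"{iters:>7} iterations: one guess costs about {per_guess * 1000:.1f} ms")
```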




Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Eduardo M KALINOWSKI
Andrew McGlashan wrote:
 And what if you encrypted the result multiple times with a number of 
 different keys?
   

Security does not improve so much, actually.

http://en.wikipedia.org/wiki/Meet-in-the-middle_attack

-- 
Unless you love someone, nothing else makes any sense.
-- e.e. cummings

Eduardo M KALINOWSKI
edua...@kalinowski.com.br
http://move.to/hpkb
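
A concrete version of the meet-in-the-middle point, as an added example (not code from the thread or from the linked article): a toy cipher of my own with 16-bit keys is applied twice with independent keys, and the generic attack recovers both keys with about 2^17 cipher calls and a 2^16-entry table instead of 2^32 trials. The cipher, keys and plaintext blocks are constructed for the demo.

```python
"""Meet-in-the-middle against double encryption with a toy cipher.

Added example, not code from the thread. The cipher is a throwaway 32-bit
ARX construction of my own, built only so that its 16-bit key space can be
enumerated in seconds; the attack is the generic one and applies unchanged
to any cipher used twice with independent keys. Keys and plaintext blocks
below are constructed.
"""
MASK = 0xFFFFFFFF   # 32-bit block
KEY_BITS = 16       # per-key size of the toy cipher (2**16 keys)
ROUNDS = 3


def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK


def round_keys(key):
    # Spread the 16-bit key over 32 bits; multiplying by an odd constant is
    # a bijection mod 2**32, so distinct keys give distinct round keys.
    rk = (key * 0x9E3779B1) & MASK
    return rk, rotl(rk, 11)


def encrypt(key, block):
    rk_add, rk_xor = round_keys(key)
    x = block & MASK
    for _ in range(ROUNDS):
        x = (x + rk_add) & MASK
        x = rotl(x, 13)
        x ^= rk_xor
    return x


def decrypt(key, block):
    rk_add, rk_xor = round_keys(key)
    x = block & MASK
    for _ in range(ROUNDS):
        x ^= rk_xor
        x = rotr(x, 13)
        x = (x - rk_add) & MASK
    return x


def double_encrypt(k1, k2, block):
    """What the thread proposes: encrypt, then encrypt again with a second key."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with known (plaintext, ciphertext)
    pairs. Cost: 2**KEY_BITS encryptions + 2**KEY_BITS decryptions and a
    table of 2**KEY_BITS entries, instead of 2**(2*KEY_BITS) trials.
    Returns (candidates, number_of_cipher_calls)."""
    p0, c0 = pairs[0]
    calls = 0
    # Forward half: every possible intermediate value E(k1, p0), indexed by value.
    middle = {}
    for k1 in range(1 << KEY_BITS):
        middle.setdefault(encrypt(k1, p0), []).append(k1)
        calls += 1
    # Backward half: D(k2, c0) must equal one of those intermediates.
    candidates = []
    for k2 in range(1 << KEY_BITS):
        m = decrypt(k2, c0)
        calls += 1
        for k1 in middle.get(m, ()):
            # A 32-bit block leaves about one chance match; the remaining
            # known pairs weed it out.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
            calls += 2 * (len(pairs) - 1)
    return candidates, calls


def demo():
    k1, k2 = 0xBEEF, 0x1234                     # the secret key pair
    known = [0x41424344, 0x01020304]            # two known plaintext blocks
    pairs = [(p, double_encrypt(k1, k2, p)) for p in known]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    found, calls = demo()
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print(f"cipher calls: {calls} (vs {2 ** (2 * KEY_BITS)} for naive search)")
```

The same arithmetic is why two independent 56-bit DES keys buy roughly 57 bits of brute-force resistance, not 112, and why a longer single key is the better answer than stacking encryptions.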





Re: How to protect an encrypted file system for off-line attack?

2009-02-28 Thread Emanoil Kotsev
hello, 

the discussion is really interesting and informative.
there's just something I don't understand.

Jeff Soules wrote:

 good.)  In any case, with EncFS we're talking about a technological
 solution in which the encryption key is stored alongside the encrypted
 media, so whatever the password concerns are, this is unsuitable for
 keeping information truly secret when a hostile person might have
 enough physical access to the drive.
 

Does this also apply to cryptofs or whatever LUKS is using? I'm not very
paranoid and don't have that much to hide, but I'm testing and using
cryptsetup and still didn't find time to read all crypto related stuff.

thanks in advance - regards







Re: How to protect an encrypted file system for off-line attack?

2009-02-27 Thread Jochen Schulz
Chris Jones:
 
 I have a naive question. 
 
 While your brute force decryption is running, how do you determine you
 have found the one key and decide it's time to stop?

This is a valid question! Depending on the encryption system in use,
it cannot be answered satisfactorily. If a one-time pad is in use where
the key is as long as the encrypted document, it cannot be answered at
all. Even if one key reveals a good looking plaintext, the attacker
has no way to know whether this plaintext is the right one because other
keys lead to other valid looking plaintext. So in this regard, one-time
pads are the perfect encryption system. But unfortunately, it is not
feasible to use it for hard disk encryption, since nobody is able to
remember a passphrase of several gigabytes. :)

J.
-- 
People talking a foreign language are romantic and mysterious.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html




Re: How to protect an encrypted file system for off-line attack?

2009-02-27 Thread Chris Jones
On Fri, Feb 27, 2009 at 08:34:25AM EST, Jochen Schulz wrote:
 Chris Jones:

  I have a naive question. 
  
  While your brute force decryption is running, how do you determine
  you have found the one key and decide it's time to stop?

 This is a valid question! Depending on the encryption system in use,
 it cannot be answered satisfactorily. 

I'm not sure it's related to the encryption/decryption process. 

What I had in mind when I wrote the above was that with the immense
volumes of output generated, having a crowd of quick-eyed folks look at
it one individual dose at a time to determine the likelihood of its
being the correct solution in a timely fashion is not practical.

Or, in other words, you need not only the decryption but also the
analysis of its results be performed by some computer cloud, with at
least comparable processing power to that of your decrypting machine.
And as I understand it, this would mean that you need another piece of
software in your setup, one that can mimic our form of intelligence well
enough to distinguish favorites from also-rans.

The bottom-line, as I imagine it, would be that the source data contains
some regularities that are trivial to identify.

When entire file systems are encrypted, this would appear to be a fairly
simple task.  My guess is that on OSS systems such as linux, you would
just about need to look for the first 8 bytes of the FSF manifesto and
be done.

When dealing with individual files, I have a feeling you would need to
distinguish between those where the actual data is encapsulated in some
kind of file format .. while the data is totally variable there are I
would imagine regularities in the capsule, and consequently, cracking
that type of encrypted input and deciding you have found what you are
looking for should not be too difficult. And then there are simple text
files and these are different in essence, because they only contain the
data and nothing else and for all we know this data might be written in
some rare forgotten language the cracker team have no knowledge of.. or
(worst case scenario) might even be perfect garbage to look at - such as
a truly random sequence of bits .. in the event what is being decrypted
happens to be a computer-generated key that was used to encrypt other
data elsewhere for instance.

To clarify, and hoping this is a valid example .. should my PIN be
12345 .. even should the cracker know it is a PIN he is decrypting..
and therefore that it should only comprise digits.. because the bank's
keypad will accept nothing else.. will the decryption process come up
with millions of five-byte combinations that can easily be discarded
because they contain at least one byte that is not in the 0-9
range.. and only one valid solution.. or will there be hundreds of
false positives such as 54321 that will have made all the time and
effort of the decryption less useful than taking a shot at guessing my
favorite 5-digit combinations and entering them tentatively on the ATM's
keypad?

 If a one-time pad is in use where the key is as long as the encrypted
 document, it cannot be answered at all. 

Don't take my word for it, but I believe that one-time pads .. as their
name implies need to be unique to the document to make it impossible to
decrypt. Otherwise you start introducing regularities.

 Even if one key reveals a good looking plaintext, the attacker has
 no way to know whether this plaintext is the right one because other
 keys lead to other valid looking plaintext. 

Keeping in mind that what you (the cracker, I mean..) are looking for
might not be plain text in the first place.

 So in this regard, one-time pads are the perfect encryption system.
 But unfortunately, it is not feasible to use it for hard disk
 encryption, since nobody is able to remember a passphrase of several
 gigabytes. :)

I guess you could devise some complementary hardware support to your HD
that would hold all the one-time pads and Mission Impossible style
destroy itself within seconds in case of an emergency.. but I have a
feeling that the encryption of an entire file system is more something
that's meant to protect you from unsophisticated prying without making
your existence miserable but that it was never meant to address the
security of strategic files and truly sensitive data.

Thanks for your comments.

CJ
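
Chris's PIN question can be put in numbers. The following Python is an added example, not code from the thread: assuming that a wrong key produces bytes indistinguishable from random, it counts how many wrong keys would also yield "five digits", how long an all-digit plaintext must be before fewer than one wrong key survives, and what a known filesystem header does to the count. The key sizes are the ones the thread mentions; the filters and the 8-byte header length are my own choices.

```python
"""How many wrong keys look right? (Added example; not code from the thread.)

Model (my assumption): decrypting with a wrong key yields bytes that look
uniformly random, and the brute-force loop keeps a candidate key only if
the decrypted bytes pass a simple filter. Key sizes are those the thread
mentions (56-bit DES, 128- and 256-bit AES); the filters are my own.
"""
from fractions import Fraction

BYTE_VALUES = 256


def expected_false_positives(key_bits, n_bytes, valid_per_byte):
    """Expected number of *wrong* keys whose output passes a per-byte filter.

    key_bits        size of the searched key space (2**key_bits keys)
    n_bytes         how many decrypted bytes the filter inspects
    valid_per_byte  how many of the 256 byte values the filter accepts
                    (10 for ASCII digits, 95 for printable ASCII)
    Exact rational arithmetic. The single correct key is not subtracted,
    which is irrelevant at these magnitudes.
    """
    if not 0 < valid_per_byte <= BYTE_VALUES:
        raise ValueError("valid_per_byte must be in 1..256")
    return 2 ** key_bits * Fraction(valid_per_byte, BYTE_VALUES) ** n_bytes


def expected_false_positives_known_prefix(key_bits, prefix_len):
    """Same, when the filter demands prefix_len exact, known bytes (a magic
    number, a superblock signature, a file-format header)."""
    return Fraction(2 ** key_bits, BYTE_VALUES ** prefix_len)


def bytes_needed_to_disambiguate(key_bits, valid_per_byte):
    """Smallest plaintext length at which fewer than one wrong key is
    expected to survive the filter (a crude unicity distance)."""
    if valid_per_byte >= BYTE_VALUES:
        raise ValueError("a filter that accepts every byte never disambiguates")
    n = 0
    while expected_false_positives(key_bits, n, valid_per_byte) >= 1:
        n += 1
    return n


def pin_false_positives(key_bits):
    """Chris's example: a 5-digit PIN, filter = 'all five bytes are digits'."""
    return expected_false_positives(key_bits, 5, 10)


if __name__ == "__main__":
    for bits in (56, 128, 256):
        fp = pin_false_positives(bits)
        print(f"{bits}-bit key, 5-digit PIN: ~{float(fp):.3g} wrong keys also give five digits")
        print(f"   digits needed before <1 wrong key survives: "
              f"{bytes_needed_to_disambiguate(bits, 10)}")
    # A filesystem header with 8 known bytes under a 56-bit key: 1/256 wrong keys.
    print("56-bit key, 8 known header bytes:",
          float(expected_false_positives_known_prefix(56, 8)))
    # 1 KiB of printable text under a 256-bit key: effectively zero.
    print("256-bit key, 1 KiB printable ASCII:",
          float(expected_false_positives(256, 1024, 95)))
```

So for a lone 5-digit PIN the false positives really do swamp the one true key (about 6.5 billion of them at 56 bits), whereas a few hundred bytes of text, or one known header, identifies the key essentially every time; the unicity distance is a property of the plaintext's redundancy, not of the key search.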






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Chris Jones
On Tue, Feb 24, 2009 at 12:56:00AM EST, Ron Johnson wrote:
 On 02/23/2009 08:43 PM, Javier wrote:
 [snip]
 
 
 As I also have read in the Wikipedia, it is reasonable to crack a 56bits
 DES, a 64bits AES if you have online access to the machine, and probably
 in the future it might be possible to crack a 128bits, even offline.
 But, a 256 one? It seems incredible to me. 2^256 is this number:
 
 
 115792089237316195423570985008687907853269984665640564039457584007913129639936
 
 which is 10^79 iterations, I can't imagine the amount of power needed
 for cracking that...
 Isn't 4x10^80 the amount of atoms in the universe?
 
 25 years ago, I had a KayPro II with CP/M, 64KB RAM and 2 380KB 
 FDDs.  (Sun 2s of the same era had a 10MHz MC68010, 4MB RAM and cost 
 $44,000.)  Now, I've got 131,000x more RAM, 2000x more MHz and pair 
 of CPUs, and 790x more disk space.
 
 What kind of specialized crackers does the NSA have now, and how 
 much faster and smaller (thus higher rack density) will they be in 2035?

Sorry to revive an already dead thread .. 

I have a naive question. 

While your brute force decryption is running, how do you determine you
have found the one key and decide it's time to stop?

Among trillions of trillions, when do you know you've hit the jackpot?

The answer is probably obvious but I just don't see it.





Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 05:34 PM, Chris Jones wrote:
[snip]


Sorry to revive an already dead thread .. 

I have a naive question. 


While your brute force decryption is running, how do you determine you
have found the one key and decide it's time to stop?

Among trillions of trillions, when do you know you've hit the jackpot?

The answer is probably obvious but I just don't see it.


When you can decrypt the document with it?

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Chris Jones
On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:
 On 02/26/2009 05:34 PM, Chris Jones wrote:

 I have a naive question. 
 
 While your brute force decryption is running, how do you determine
 you have found the one key and decide it's time to stop?
 
 Among trillions of trillions, when do you know you've hit the
 jackpot?
 
 The answer is probably obvious but I just don't see it.
 
 When you can decrypt the document with it?

You don't have access to the original unencrypted document to compare
your output/solutions with, obviously you wouldn't need to decrypt it in
the first place.. how do you know when you have successfully decrypted?

Thanks,

CJ






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 06:51 PM, Chris Jones wrote:

On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:

On 02/26/2009 05:34 PM, Chris Jones wrote:


I have a naive question. 


While your brute force decryption is running, how do you determine
you have found the one key and decide it's time to stop?

Among trillions of trillions, when do you know you've hit the
jackpot?

The answer is probably obvious but I just don't see it.

When you can decrypt the document with it?


You don't have access to the original unencrypted document to compare
your output/solutions with, obviously you wouldn't need to decrypt it in
the first place.. how do you know when you have successfully decrypted?


The wrong key either (in the case of cryptfs) won't decrypt the 
file, or (alternatively) will create gobbledygook.


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Chris Jones
 On 02/26/2009 06:51 PM, Chris Jones wrote:
 On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:
 On 02/26/2009 05:34 PM, Chris Jones wrote:

 Among trillions of trillions, when do you know you've hit the
 jackpot?

 When you can decrypt the document with it?

 You don't have access to the original unencrypted document to compare
 your output/solutions with, obviously you wouldn't need to decrypt it
 in the first place.. how do you know when you have successfully
 decrypted?
 
 The wrong key either (in the case of cryptfs) won't decrypt the file,
 or (alternatively) will create gobbledygook.

I'm not familiar with cryptfs so I do not understand what you mean by
not decrypting the file.

Depending on what was encrypted, and given the time, I'm sure I'd be
able to determine, one tentative key at a time, whether the output is
gobbledygook or not..  But even if the original data was in the most
readily legible and understandable form, how do I go about separating
the output obtained with wrong candidate keys in their trillions from
that obtained with the one true key, used when the data was encrypted?

Sorry for being thick.. I don't get it.

Thanks,

CJ





Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 08:32 PM, Chris Jones wrote:

On 02/26/2009 06:51 PM, Chris Jones wrote:

On Thu, Feb 26, 2009 at 07:11:43PM EST, Ron Johnson wrote:

On 02/26/2009 05:34 PM, Chris Jones wrote:



Among trillions of trillions, when do you know you've hit the
jackpot?



When you can decrypt the document with it?



You don't have access to the original unencrypted document to compare
your output/solutions with, obviously you wouldn't need to decrypt it
in the first place.. how do you know when you have successfully
decrypted?

The wrong key either (in the case of cryptfs) won't decrypt the file,
or (alternatively) will create gobbledygook.


I'm not familiar with cryptfs so I do not understand what you mean by
not decrypting the file.


$ encfs ~/.crypt ~/crypt
EncFS Password:
Error decoding volume key, password incorrect

$ encfs ~/.crypt ~/crypt
EncFS Password:



Depending on what was encrypted, and given the time, I'm sure I'd be
able to determine, one tentative key at a time, whether the output is
gobbledygook or not..  But even if the original data was in the most
readily legible and understandable form, how do I go about separating
the output obtained with wrong candidate keys in their trillions from
that obtained with the one true key, used when the data was encrypted?

Sorry for being thick.. I don't get it.


That's ok, I'm very tolerant of Democrats.

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread Ron Johnson

On 02/26/2009 08:42 PM, Ron Johnson wrote:

On 02/26/2009 08:32 PM, Chris Jones wrote:

[snip]



Depending on what was encrypted, and given the time, I'm sure I'd be
able to determine, one tentative key at a time, whether the output is
gobbledygook or not..  But even if the original data was in the most
readily legible and understandable form, how do I go about separating
the output obtained with wrong candidate keys in their trillions from
that obtained with the one true key, used when the data was encrypted?


Forgot the important part: distributed.net somehow figured out how 
to do it, so presumably the NSA can too.



Sorry for being thick.. I don't get it.


That's ok, I'm very tolerant of Democrats.




--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-26 Thread owens



 Original Message 
From: cjns1...@gmail.com
To: debian-user@lists.debian.org
Subject: Re: How to protect an encrypted file system for off-line
attack?
Date: Thu, 26 Feb 2009 18:34:40 -0500

On Tue, Feb 24, 2009 at 12:56:00AM EST, Ron Johnson wrote:
 On 02/23/2009 08:43 PM, Javier wrote:
 [snip]
 
 
 As I also have read in the Wikipedia, it is reasonable to crack a 56bits
 DES, a 64bits AES if you have online access to the machine, and probably
 in the future it might be possible to crack a 128bits, even offline.
 But, a 256 one? It seems incredible to me. 2^256 is this number:
 
 115792089237316195423570985008687907853269984665640564039457584007913129639936
 
 which is 10^79 iterations, I can't imagine the amount of power needed
 for cracking that...
 Isn't 4x10^80 the amount of atoms in the universe?
 
 25 years ago, I had a KayPro II with CP/M, 64KB RAM and 2 380KB 
 FDDs.  (Sun 2s of the same era had a 10MHz MC68010, 4MB RAM and cost 
 $44,000.)  Now, I've got 131,000x more RAM, 2000x more MHz and pair 
 of CPUs, and 790x more disk space.
 
 What kind of specialized crackers does the NSA have now, and how 
 much faster and smaller (thus higher rack density) will they be in 2035?

Sorry to revive an already dead thread .. 

I have a naive question. 

While your brute force decryption is running, how do you determine you
have found the one key and decide it's time to stop?

Among trillions of trillions, when do you know you've hit the jackpot?

The answer is probably obvious but I just don't see it.

It's not as obvious as you may think.  If you have a copy of both the
plaintext AND the ciphertext then it's clearly obvious (the decrypted
cipher text matches the plaintext).  If you don't then it's the
reverse of Ron's comment (the decrypted version is no longer
gobbledygook).
Larry











Re: How to protect an encrypted file system for off-line attack?

2009-02-25 Thread Chris Jones
On Mon, Feb 23, 2009 at 07:53:54PM EST, Ron Johnson wrote:
 On 02/23/2009 06:12 PM, Chris Jones wrote:
 On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:

 Given enough time, and resources, *nothing* is untouchable. It's
 just a matter of whether They think that the time-effort is worth
 being spent on *you*.
 
 Like, twenty times the estimated life of the universe.. a thousand
 times its mass in silicon chips. Everyone involved long dead anyways.

 http://en.wikipedia.org/wiki/EFF_DES_cracker

 When DES was approved as a federal standard in 1976, a machine
 fast enough to test that many keys in a reasonable time would have
 cost an unreasonable amount of money to build.
 
 http://en.wikipedia.org/wiki/EFF_DES_cracker#Technology

Advanced Wireless Technologies built 1856 custom ASIC DES chips
(called Deep Crack or AWT-4500), housed on 29 circuit boards of 64
chips each. The boards are then fitted in six cabinets. The search
is coordinated by a single PC which assigns ranges of keys to the
chips. The entire machine was capable of testing over 90 billion
keys per second. It would take about 9 days to test every possible
key at that rate. On average, the correct key would be found in
half that time.
 
 In the 11 years since Deep Crack, IC process technology has improved
 by leaps and bounds, and the NSA can throw a whole lot of h/w in
 parallel at brute-force attacks.
 
 Combine that with Side Channel Attacks (easy if you have the machine
 that did the encryption, and which can discover part of the key) and
 mathematical analysis to determine even more of the key, you suddenly
 see something feasible.

Obsolete sources my end..

Thanks for the heads-up.





Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Tzafrir Cohen
On Mon, Feb 23, 2009 at 03:43:06PM -0500, Celejar wrote:
 On Sun, 22 Feb 2009 20:10:57 -0600
 Ron Johnson ron.l.john...@cox.net wrote:
 
  On 02/22/2009 07:03 PM, Javier wrote:
 
 ...
 
   And which is better, Blowfish or AES?
  
  AES.
 
 Source?  Wikipedia just says:
 
 Blowfish provides a good encryption rate in software and no effective
 cryptanalysis of it has been found to date. However, the Advanced
 Encryption Standard now receives more attention.
 
 http://en.wikipedia.org/wiki/Blowfish_(cipher)
 
 And what about Twofish?

Twofish was a final candidate for the AES. Generally, all five final
candidates (Rijndael - the one selected, Serpent, Twofish, MARS and RC6)
proved[1] sufficiently secure. MARS and RC6 were generally slower than the
other three. IIRC one main weakness of Twofish was that it performed poorly
on 8-bit processors. This is not such a big issue for you, I guess.

Anyway, the AES cipher is one that is very well studied. It has been
implemented all over. Just about anybody has tried to attack it and
yet there's no known practical attack on it. It performs well. So it is
a very sane choice as a block cipher.

[1] proved: in a very weak sense of the word. In the sense that after 
a year or so of concentrated effort no attack was found, and their
design seemed solid.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
ICQ# 16849754 || friend





Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 02:36 AM, Tzafrir Cohen wrote:
[snip]


Anyway, the AES cipher is one that is very well studied. It has been 
implemented all over. Just about anybody has tried to attack it and 
yet there's no known practical attack on it. It performs well. So it is

 ^

That's the word, of course...  Any government that discovers a 
successful attack is going to keep quiet.



a very sane choice as a block cipher.


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread owens



 Original Message 
From: javu...@gmail.com
To: debian-user@lists.debian.org
Subject: Re: How to protect an encrypted file system for off-line
attack?
Date: Tue, 24 Feb 2009 03:31:51 +0100

ow...@netptc.net wrote:


  Original Message 
 From: javu...@gmail.com
 To: debian-user@lists.debian.org
 Subject: Re: How to protect an encrypted file system for off-line
 attack?
 Date: Mon, 23 Feb 2009 23:53:27 +0100

 Ron Johnson wrote:
 On 02/23/2009 09:26 AM, Javier wrote:
 Ron Johnson wrote:
 On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
 2009/2/21 Javier javu...@gmail.com:
 I'm actually using encfs to protect my sensitive data,
 Eh...

   http://xkcd.com/538/
 That's known as Rubber Hose Decryption.


 Oh yes, but if he had the chance to escape, at least the files continue
 to be untouchable
 Given enough time, and resources, *nothing* is untouchable. It's
 just a matter of whether They think that the time-effort is worth being
 spent on *you*.
 Do you mean that there is a way to crack a 256bits AES?

 Yep! Given enough plaintext and ciphertext and enough time (or
 parallel compute power and less time), a brute force attack will
 always work.
 Larry

What do you mean with always work? I mean, is it not going to take one
million years or so? For example, if you encrypt your /home.


My solution was a standard brute force attack.  It seems each time
a new algorithm arises purporting to take a million years to break,
it is in fact broken within years and finally days.  In fact IIRC the
RSA system was broken after a challenge from Ron Rivest (the R) via
a concerted attack using the Internet to parse out the key space.
Larry










Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread owens



 Original Message 
From: ron.l.john...@cox.net
To: debian-user@lists.debian.org
Subject: Re: How to protect an encrypted file system for off-line
attack?
Date: Tue, 24 Feb 2009 04:27:31 -0600

On 02/24/2009 02:36 AM, Tzafrir Cohen wrote:
[snip]
 
 Anyway, the AES cipher is one that is very well studied. It has been 
 implemented all over. Just about anybody has tried to attack it and 
 yet there's no known practical attack on it. It performs well. So it is
  ^

That's the word, of course...  Any government that discovers a 
successful attack is going to keep quiet.

 a very sane choice as a block cipher.

-- 
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.


And in fact there always has been suspicion in the crypto community
that, in at least some of the ciphers (going back to the original
DES) that the NSA had built in a trapdoor such that they could
easily decrypt the message but anyone else, not knowing the trapdoor,
would have to use brute force.  Never proven of course.
larry










Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Jeff Soules
 there's no known practical attack on it. It performs well. So it is

 ^

 That's the word, of course...  Any government that discovers a successful
 attack is going to keep quiet.

Except in a certain side-channel sense -- any government that
discovers a successful attack on an encryption algorithm it regularly
uses will know that other parties could have discovered the same
attack, and will then need to limit its use of the compromised
algorithm.  That behavior change will be observed by other parties and
will prompt suspicion about a possible vulnerability.
Unless the party that discovered the vulnerability stepped up use of
the compromised algorithm, but only for unimportant data or
misinformation...

Oh, security headgames.

On Tue, Feb 24, 2009 at 5:27 AM, Ron Johnson ron.l.john...@cox.net wrote:
 On 02/24/2009 02:36 AM, Tzafrir Cohen wrote:
 [snip]

 Anyway, the AES cipher is one that is very well studied. It has been
 implemented all over. Just about anybody has tried to attack it and yet
 there's no known practical attack on it. It performs well. So it is

 ^

 That's the word, of course...  Any government that discovers a successful
 attack is going to keep quiet.

 a very sane choice as a block cipher.

 --
 Ron Johnson, Jr.
 Jefferson LA  USA

 The feeling of disgust at seeing a human female in a Relationship
 with a chimp male is Homininphobia, and you should be ashamed of
 yourself.









Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 09:50 AM, ow...@netptc.net wrote:
[snip]

And in fact there always has been suspicion in the crypto community
that, in at least some of the ciphers (going back to the original
DES) that the NSA had built in a trapdoor such that they could
easily decrypt the message but anyone else, not knowing the trapdoor,
would have to use brute force.  Never proven of course.
larry


That would only be possible if The Government controlled the source 
code, or had an understanding with those who write closed-source code.


--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread John Hasler
Ron Johnson writes:
 [An NSA backdoor in DES  successors] would only be possible if The
 Government controlled the source code, or had an understanding with
 those who write closed-source code.

The claim is stronger than that.  It is that there are backdoors in the
algorithms: weaknesses that only NSA knows how to exploit.  I find this
extremely unlikely for several obvious reasons.
-- 
John Hasler





Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 12:59 PM, John Hasler wrote:

Ron Johnson writes:

[An NSA backdoor in DES  successors] would only be possible if The
Government controlled the source code, or had an understanding with
those who write closed-source code.


The claim is stronger than that.  It is that there are backdoors in the
algorithms: weaknesses that only NSA knows how to exploit.  I find this
extremely unlikely for several obvious reasons.


Mainly that lots of academic mathematicians have looked at it and at 
least one of them is anti-American enough to squeal like a stuck 
pig...


--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread owens



 Original Message 
From: ron.l.john...@cox.net
To: debian-user@lists.debian.org
Subject: Re: How to protect an encrypted file system for off-line
attack?
Date: Tue, 24 Feb 2009 12:47:15 -0600

On 02/24/2009 09:50 AM, ow...@netptc.net wrote:
[snip]
 And in fact there always has been suspicion in the crypto
community
 that, in at least some of the ciphers (going back to the original
 DES) that the NSA had built in a trapdoor such that they could
 easily decrypt the message but anyone else, not knowing the
trapdoor,
 would have to use brute force.  Never proven of course.
 larry

That would only be possible if The Government controlled the source 
code, or had an understanding with those who write closed-source
code.

-- 
Ron Johnson, Jr.
Jefferson LA  USA


Ron et al
Actually this was the case with the DES; the NSA put out an RFP and
worked with the potential vendors quite closely during the
development.  IBM (Tuchman and Myers) eventually won the bid.  I
attended a week-long security seminar series in which Myers himself
vociferously denied the trap-door theory.  Who can tell?
Larry











Re: How to protect an encrypted file system for off-line attack?

2009-02-24 Thread Ron Johnson

On 02/24/2009 03:35 PM, ow...@netptc.net wrote:
[snip]

Ron et al
Actually this was the case with the DES; the NSA put out a RFP and
worked with the potential vendors quite closely during the
development.  IBM (Tuchman and Myers) eventually won the bid.  I
attended a week-long security seminar series in which Myers himself
vociferously denied the trap-door theory.  Who can tell?


*You* (or, more specifically, anyone who knows cryptography) can 
tell whether an algorithm has weaknesses, like a back door.  A 
sufficiently competent programmer can find back doors in code (cc 
notwithstanding).


No such back doors were ever found in OSS implementations of DES or AES.

--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:

2009/2/21 Javier javu...@gmail.com:

I'm actually using encfs to protect my sensitive data,


Eh...

  http://xkcd.com/538/


That's known as Rubber Hose Decryption.

--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Ron Johnson escribió:
 On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
 2009/2/21 Javier javu...@gmail.com:
 I'm actually using encfs to protect my sensitive data,

 Eh...

   http://xkcd.com/538/
 
 That's known as Rubber Hose Decryption.
 


Oh yes, but if he had the chance to escape, at least the files continue
to be untouchable, and saving the data could save other people
involved, too.
Note that they would kill or torture him anyway. They would even kill
him faster if there were no encryption...





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Jeff Soules escribió:
 Hi Javier,
 
 Thank you for your reply.  Given the hypothetical (but all too
 possible) situation you describe, there are different considerations.
 
 Now imagine the worst situation, that a friend wants to protect his data
 from his corrupt dictatorial government
 
 Absolutely a possibility.  There are many levels of secrecy --
 filesystem encryption prevents the contents from being known, but does
 not hide the fact that there is a secret.  The presence of a secret
 could be enough right there.  The kind of government you describe
 doesn't need to find evidence in order to disappear a person.  This
 also makes it all the more possible that, if his house is raided and
 encrypted files are found, someone might try to torture the
 information out of him.  (Even if the partition is named something
 harmless-sounding, I can't imagine cops anywhere who wouldn't demand
 it be decrypted so they could check it, and refusal would not look
 good.)  In any case, with EncFS we're talking about a technological
 solution in which the encryption key is stored alongside the encrypted
 media, so whatever the password concerns are, this is unsuitable for
 keeping information truly secret when a hostile person might have
 enough physical access to the drive.
 
 I think it is entirely too likely that a government like this either
 would be able to compromise the data (with or without recovering the
 passwords), or would be willing to punish him just for having
 encrypted data to begin with, if they know he has it.
 
 Then my question is: is EncFS good enough to protect his data?
 I think the SD with stored password is a good solution. While he is not
 in the house, he can carry the SD or have it hidden somewhere. While he
 is in the house, and police enter, he might have enough time to probably
 destroy the SD and turn off the computer.
 
 With the level of danger involved here, I think the security issue is
 more that there be some rapid way to destroy any evidence of the
 existence of the data (possibly destroying the data itself), rather
 than making sure the password stays safe.  Destroying the SD card is a
 start, but really a person under this kind of government would need to
 be able to say No, there are no secrets, not Here's a filesystem
 that you can't read.
 
 That was my point in the original email -- while there are some
 interesting technical problems here, I think in this case the digital
 security is less important than the social/personal security
 surrounding it.  Or, rather, the digital security will not wind up
 being the weakest link in the chain.
 
 I wonder if in this situation it might be more appropriate to store
 the encrypted filesystem on an external pluggable device, like a USB
 key.  If a person in this environment were not using many multimedia
 files, then storage needs might be very moderate, able to fit on some
 of the larger USB keys (8-16 GB) that can be had for around US $30.
 (I don't know what kind of budget a person in this situation might
 have).  But by storing any incriminating files on an external medium,
 preferably a (physically) small one, and then encrypting that, a
 person could both hide the very existence of prohibited data, and also
 have a data store that can be more easily hidden or destroyed during a
 police raid.  (Chuck it in the sewer or something if needs be).  If
 the computer is seized or stolen while the person is away, oh well;
 there's nothing incriminating on the computer, not even any suspicious
 encrypted filesystems.  That's if there is a reasonable reaction time
 before being taken into custody.  I really don't know whether it'd be
 better to keep this on his person with a plan to ditch or destroy it,
 or to find a hiding place the police wouldn't check where it could be
 accessed without arousing suspicion.
 
 Good luck to any person who finds himself in such a situation.
 
 
 As to passwords, another method that works well is to take the
 initials of a memorable phrase, and then make a few predictable
 changes.  For instance, you could take the phrase working to enhance
 civil liberties by overthrowing kings and dictators to create
 w2EcLx0KD -- which has a decent 10-char length with some character
 distribution while remaining very memorable.
 
 
 I hope all this helps.


Thank you for your help.
The main point here is: if he is lucky enough, no police would enter
his house. If he has little luck, police would enter while he is
not in the house, and he probably has time to escape, so for this the
encryption is very good. With very bad luck, police could enter his
house and arrest him, but in this case the encryption will still be
useful, as it can save other people.

Of course, this would be just a little part of what he would do. There
would be more important issues, like taking care about not being
discovered in his movements and communications, and have a back door for
leaving the country.

Thank you again.



Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Barclay, Daniel
Jeff Soules wrote:
...
 
 The most intrusive attacks, where an attacker has complete control of
 the user's machine (and can therefore modify EncFS, or FUSE, or the
 kernel itself) are not guarded against. Do not assume that encrypted
 files will protect your sensitive data if you enter your password into a
 compromised computer.  ...
 
 Seems to me that the man page is talking about two situations:
 
 #1. Someone has rooted your box.  In this case, your encryption can be
 bypassed, because unless your secret passphrase is actually an entire
 RSA key, the password is just a gatekeeper and everything needed to
 decrypt the fs is on the box.  A (sufficiently clever) attacker with
 root (and enough time) could modify the EncFS program itself to bypass
 the password check and just decrypt your files.

The password should be used to _encrypt_ the encryption key.   Then you're
not vulnerable to bypassing of a password check.

But, as you said, if the machine is compromised, then once you enter the
password, the data can be decrypted.

Daniel
-- 
(Plain text sometimes corrupted to HTML courtesy of Microsoft Exchange.) [F]
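The two designs Jeff and Daniel contrast above, as an added example (not EncFS code and not from anyone in the thread): a "gatekeeper" store that keeps the data key in the clear behind a passphrase check, beside a store where the passphrase derives a key-encryption key that wraps the data key. It assumes only the Python standard library, using PBKDF2-HMAC-SHA256 as the KDF and an HMAC-authenticated XOR wrap in place of a real AES key-wrap; the class names are constructed for the illustration.

```python
"""Gatekeeper check vs. passphrase-wrapped key (added illustration).

Standard library only. The XOR-with-derived-pad wrap stands in for a
real AES key-wrap so the example runs offline; the point is where the
data key lives, not which wrap primitive is used.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32          # data key length, e.g. for AES-256
KDF_ITERS = 200_000   # PBKDF2 work factor; slows offline passphrase guessing


def _kdf(passphrase: str, salt: bytes, length: int) -> bytes:
    """Stretch the passphrase into `length` bytes of key material."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               KDF_ITERS, length)


class GatekeeperStore:
    """Design #1 from the thread: the passphrase only guards a software
    check, and the data key itself is written to disk as-is. Whoever can
    read the store (root, or someone holding the disk offline) has the key
    without ever learning the passphrase."""

    def __init__(self, passphrase: str, data_key: bytes):
        self.salt = os.urandom(16)
        self.check = _kdf(passphrase, self.salt, 32)  # stored verifier
        self.data_key = data_key                      # stored in the clear

    def unlock(self, passphrase: str) -> Optional[bytes]:
        if hmac.compare_digest(_kdf(passphrase, self.salt, 32), self.check):
            return self.data_key
        return None


class WrappedKeyStore:
    """Design #2, what Daniel describes: the passphrase derives a
    key-encryption key that encrypts the data key. The store holds only
    salt, wrapped key and MAC; the data key never reaches the disk, so
    there is no check to bypass."""

    def __init__(self, passphrase: str, data_key: bytes):
        if len(data_key) != KEY_LEN:
            raise ValueError("data key must be KEY_LEN bytes")
        self.salt = os.urandom(16)
        kek = _kdf(passphrase, self.salt, 2 * KEY_LEN)
        enc_key, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
        # Full-length derived pad XORed over the key (stand-in for AES key-wrap).
        self.wrapped = bytes(a ^ b for a, b in zip(data_key, enc_key))
        # MAC over salt and wrapped key detects a wrong passphrase or tampering.
        self.tag = hmac.new(mac_key, self.salt + self.wrapped, "sha256").digest()

    def unlock(self, passphrase: str) -> Optional[bytes]:
        kek = _kdf(passphrase, self.salt, 2 * KEY_LEN)
        enc_key, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
        expected = hmac.new(mac_key, self.salt + self.wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, self.tag):
            return None  # wrong passphrase: no usable key material comes out
        return bytes(a ^ b for a, b in zip(self.wrapped, enc_key))


def compare_designs(passphrase: str, data_key: bytes) -> dict:
    """What each store reveals to someone holding only the on-disk fields."""
    gate = GatekeeperStore(passphrase, data_key)
    wrap = WrappedKeyStore(passphrase, data_key)
    return {
        # Design #1: the stored field *is* the key; no passphrase needed.
        "gatekeeper_key_readable_without_passphrase": gate.data_key == data_key,
        # Design #2: the stored field is the wrapped form, not the key.
        "wrapped_key_readable_without_passphrase": wrap.wrapped == data_key,
        "wrapped_unlock_correct": wrap.unlock(passphrase) == data_key,
        "wrapped_unlock_wrong": wrap.unlock(passphrase + "x"),
    }


if __name__ == "__main__":
    demo_key = os.urandom(KEY_LEN)  # constructed sample data key
    for name, value in compare_designs("correct horse battery", demo_key).items():
        print(f"{name}: {value}")
```

As the thread also notes, design #2 only moves the problem: once the passphrase is typed into a compromised machine, the unwrapped key is in memory and the data is readable regardless.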




Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Jordi Gutiérrez Hermoso
2009/2/23 Javier javu...@gmail.com:
 The main point here is: if he is lucky enough, no police would enter
 into his house.

Since this has become a tinfoil hat thread more than an encryption thread...

My own personal solution to the problem has been this: my hard drive
decryption password is 25 random printable ASCII characters. And I do
mean random. It's something like ]\gj-eR4cn-nc;i...@{gawa*po, which I
have committed to *muscle memory*. That is, if you ask me what my
password is, I genuinely don't know it, because I have to sit in front
of a keyboard to type it out, and I often make mistakes. I also rotate
it once a year. My hope is that this means the password can't be
obtained from me under duress, because I would be unable to type it
out without making mistakes if I were under duress.

My paranoia is vaguely justified, since I live in Mexico and we do
have an ongoing history of torture in this country, although I'm not
too sure what the torturers could want from my hard drive except my
homemade pr0n (that's really the reason I encrypt my laptop's hard
drive, so that in case of theft my girlfriend and I don't end up in
RedTube). How do you justify your paranoia, Javier? ;-)

- Jordi G. H.





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 09:26 AM, Javier wrote:

Ron Johnson escribió:

On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:

2009/2/21 Javier javu...@gmail.com:

I'm actually using encfs to protect my sensitive data,

Eh...

  http://xkcd.com/538/

That's known as Rubber Hose Decryption.




Oh yes, but if he had the chance to escape, at least the files continue
to be untouchable


Given enough time, and resources, *nothing* is untouchable.  It's 
just a matter of whether They think that the time-effort is worth 
being spent on *you*.



  and saving the data, could save other people
involved, too.
Note that they would kill or torture him anyway. They would even kill
him faster if there were no encryption...


That might be a good thing.

--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Sun, 22 Feb 2009 20:10:57 -0600
Ron Johnson ron.l.john...@cox.net wrote:

 On 02/22/2009 07:03 PM, Javier wrote:

...

  And which is better, Blowfish or AES?
 
 AES.

Source?  Wikipedia just says:

Blowfish provides a good encryption rate in software and no effective
cryptanalysis of it has been found to date. However, the Advanced
Encryption Standard now receives more attention.

http://en.wikipedia.org/wiki/Blowfish_(cipher)

And what about Twofish?

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Mon, 23 Feb 2009 00:06:02 -0500
Jeff Soules sou...@gmail.com wrote:

 Hi Javier,
 
 Thank you for your reply.  Given the hypothetical (but all too
 possible) situation you describe, there are different considerations.
 
  Now imagine the worst situation, that a friend wants to protect his data
  from his corrupt dictatorial government
 
 Absolutely a possibility.  There are many levels of secrecy --
 filesystem encryption prevents the contents from being known, but does
 not hide the fact that there is a secret.  The presence of a secret
 could be enough right there.  The kind of government you describe
 doesn't need to find evidence in order to disappear a person.  This
 also makes it all the more possible that, if his house is raided and
 encrypted files are found, someone might try to torture the
 information out of him.  (Even if the partition is named something
 harmless-sounding, I can't imagine cops anywhere who wouldn't demand
 it be decrypted so they could check it, and refusal would not look
 good.)  In any case, with EncFS we're talking about a technological
 solution in which the encryption key is stored alongside the encrypted
 media, so whatever the password concerns are, this is unsuitable for
 keeping information truly secret when a hostile person might have
 enough physical access to the drive.
 
 I think it is entirely too likely that a government like this either
 would be able to compromise the data (with or without recovering the
 passwords), or would be willing to punish him just for having
 encrypted data to begin with, if they know he has it.
 
  Then my question is: is EncFS good enough to protect his data?
  I think the SD with stored password is a good solution. While he is not
  in the house, he can carry the SD or have it hidden somewhere. While he
  is in the house, and police enter, he might have enough time to probably
  destroy the SD and turn off the computer.
 
 With the level of danger involved here, I think the security issue is
 more that there be some rapid way to destroy any evidence of the
 existence of the data (possibly destroying the data itself), rather
 than making sure the password stays safe.  Destroying the SD card is a
 start, but really a person under this kind of government would need to
 be able to say No, there are no secrets, not Here's a filesystem
 that you can't read.
 
 That was my point in the original email -- while there are some
 interesting technical problems here, I think in this case the digital
 security is less important than the social/personal security
 surrounding it.  Or, rather, the digital security will not wind up
 being the weakest link in the chain.

This is exactly the sort of problem that StegFS was invented to solve.
Unfortunately, there has never been a stable release, and development
has stagnated.

Celejar





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Ron Johnson escribió:
 On 02/23/2009 09:26 AM, Javier wrote:
 Ron Johnson escribió:
 On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
 2009/2/21 Javier javu...@gmail.com:
 I'm actually using encfs to protect my sensitive data,
 Eh...

   http://xkcd.com/538/
 That's known as Rubber Hose Decryption.



 Oh yes, but if he had the chance to escape, at least the files continue
 to be untouchable
 
 Given enough time, and resources, *nothing* is untouchable.  It's just a
 matter of whether They think that the time-effort is worth being spent
 on *you*.

Do you mean that there is a way to crack 256-bit AES?





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Jordi Gutiérrez Hermoso escribió:
 2009/2/23 Javier javu...@gmail.com:
 The main point here is: if he is lucky enough, no police would enter
 into his house.
 
 Since this has become a tinfoil hat thread more than an encryption thread...
 
 My own personal solution to the problem has been this: my hard drive
 decryption password is 25 random printable ASCII characters. And I do
 mean random. It's something like ]\gj-eR4cn-nc;i...@{gawa*po, which I
 have committed to *muscle memory*. That is, if you ask me what my
 password is, I genuinely don't know it, because I have to sit in front
 of a keyboard to type it out, and I often make mistakes. I also rotate
 it once a year. My hope is that this means the password can't be
 obtained from me under duress, because I would be unable to type it
 out without making mistakes if I were under duress.
 
 My paranoia is vaguely justified, since I live in Mexico and we do
 have an ongoing history of torture in this country, although I'm not
 too sure what the torturers could want from my hard drive except my
 homemade pr0n (that's really the reason I encrypt my laptop's hard
 drive, so that in case of theft my girlfriend and I don't end up in
 RedTube). How do you justify your paranoia, Javier? ;-)
 
 - Jordi G. H.
 
 

I've discovered that the program apg is very nice; it can produce
lengthy but pronounceable pass phrases like these (40 readable chars,
probably equivalent to a 256-bit random one):

# apg -m 40
WoitshEfHoQuagAdCurnashiawRaikBatJakEax,
gohoirAsejhukcaroldOafyebgimwacpokAtulv,
JewvudNuitImEbotThitObijedTehosenyebbev?
OjRalavCiHomOn3omesDifNicEfBisyokaddagOo
ubhousWicyerfeaTwephijhuDreapNogJosisIj5
ZykAdbeinAckrahapecdofsEnLojkitfucAxooj*


About my paranoia... not that much. I've never used encryption until
now, I have nothing to hide from the police, and I am living in Spain, which is
supposed to be a good democratic country. But I have recently acquired a
laptop, and there is sensitive data in it, like passwords, private mail
from people with truly despotic governments, personal photos, and some
private data from work which might be convenient to protect. I'm
more worried about friends...





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Chris Jones
On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:

 Given enough time, and resources, *nothing* is untouchable. It's just
 a matter of whether They think that the time-effort is worth being
 spent on *you*.

Like, twenty times the estimated life of the universe.. a thousand times
its mass in silicon chips. Everyone involved long dead anyways.

+1 on RHD and messier (and subtler) techniques... way to go.





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread owens



 Original Message 
From: javu...@gmail.com
To: debian-user@lists.debian.org
Subject: Re: How to protect an encrypted file system for off-line
attack?
Date: Mon, 23 Feb 2009 23:53:27 +0100

Ron Johnson escribió:
 On 02/23/2009 09:26 AM, Javier wrote:
 Ron Johnson escribió:
 On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
 2009/2/21 Javier javu...@gmail.com:
 I'm actually using encfs to protect my sensitive data,
 Eh...

   http://xkcd.com/538/
 That's known as Rubber Hose Decryption.



 Oh yes, but if he had the chance to escape, at least the files
continue
 to be untouchable
 
 Given enough time, and resources, *nothing* is untouchable.  It's
just a
 matter of whether They think that the time-effort is worth being
spent
 on *you*.

Do you mean that there is a way to crack 256-bit AES?

Yep! Given enough plaintext and ciphertext and enough time (or
parallel compute power and less time), a brute force attack will
always work.
Larry











Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 06:12 PM, Chris Jones wrote:

On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:


Given enough time, and resources, *nothing* is untouchable. It's just
a matter of whether They think that the time-effort is worth being
spent on *you*.


Like, twenty times the estimated life of the universe.. a thousand times
its mass in silicon chips. Everyone involved long dead anyways.


http://en.wikipedia.org/wiki/EFF_DES_cracker
When DES was approved as a federal standard in 1976, a machine
fast enough to test that many keys in a reasonable time would
have cost an unreasonable amount of money to build.


http://en.wikipedia.org/wiki/EFF_DES_cracker#Technology
   Advanced Wireless Technologies built 1856 custom ASIC DES chips
   (called Deep Crack or AWT-4500), housed on 29 circuit boards of
   64 chips each. The boards are then fitted in six cabinets. The
   search is coordinated by a single PC which assigns ranges of keys
   to the chips. The entire machine was capable of testing over 90
   billion keys per second. It would take about 9 days to test every
   possible key at that rate. On average, the correct key would be
   found in half that time.

In the 11 years since Deep Crack, IC process technology has improved 
by leaps and bounds, and the NSA can throw a whole lot of h/w in 
parallel at brute-force attacks.


Combine that with Side Channel Attacks (easy if you have the machine 
that did the encryption, and which can discover part of the key) and 
mathematical analysis to determine even more of the key, you 
suddenly see something feasible.


Of course, all this effort would not be spent on a dissident with 
some naughty books.



+1 on RHD and messier (and subtler) techniques... way to go.


--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 02:43 PM, Celejar wrote:

On Sun, 22 Feb 2009 20:10:57 -0600
Ron Johnson ron.l.john...@cox.net wrote:


On 02/22/2009 07:03 PM, Javier wrote:


...


And which is better, Blowfish or AES?

AES.


Source?  Wikipedia just says:

Blowfish provides a good encryption rate in software and no effective
cryptanalysis of it has been found to date. However, the Advanced
Encryption Standard now receives more attention.


http://en.wikipedia.org/wiki/Weak_key#List_of_algorithms_with_weak_keys
Blowfish. Blowfish's weak keys produce bad S-boxes, since
Blowfish's S-boxes are key-dependent. There is a chosen
plaintext attack against a reduced-round variant of Blowfish
that is made easier by the use of weak keys. This is not a
concern for full 16-round Blowfish.


http://en.wikipedia.org/wiki/Blowfish_(cipher)

And what about Twofish?


--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Tue, 24 Feb 2009 00:10:54 +0100
Javier javu...@gmail.com wrote:

...

 I've discovered that the program apg is very nice, it can produce
 lengthy but pronounceable pass phrases like these (40 readable chars,
 probably equivalent to a 256bit random one):

Or pwgen.

Celejar





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Celejar
On Mon, 23 Feb 2009 18:59:56 -0600
Ron Johnson ron.l.john...@cox.net wrote:

 On 02/23/2009 02:43 PM, Celejar wrote:
  On Sun, 22 Feb 2009 20:10:57 -0600
  Ron Johnson ron.l.john...@cox.net wrote:
  
  On 02/22/2009 07:03 PM, Javier wrote:
  
  ...
  
  And which is better, Blowfish or AES?
  AES.
  
  Source?  Wikipedia just says:
  
  Blowfish provides a good encryption rate in software and no effective
  cryptanalysis of it has been found to date. However, the Advanced
  Encryption Standard now receives more attention.
 
 http://en.wikipedia.org/wiki/Weak_key#List_of_algorithms_with_weak_keys
  Blowfish. Blowfish's weak keys produce bad S-boxes, since
  Blowfish's S-boxes are key-dependent. There is a chosen
  plaintext attack against a reduced-round variant of Blowfish
  that is made easier by the use of weak keys. This is not a
  concern for full 16-round Blowfish.
 
  http://en.wikipedia.org/wiki/Blowfish_(cipher)

But it's not a concern for full 16-round Blowfish, so is that really
a problem?

There is no effective cryptanalysis on the full-round version of
Blowfish known publicly as of 2009. A sign extension bug in one
publication of C code has been identified.

In 1996, Serge Vaudenay found a known-plaintext attack requiring 2^(8r + 1)
known plaintexts to break, where r is the number of rounds. Moreover,
he also found a class of weak keys that can be detected and broken by
the same attack with only 2^(4r + 1) known plaintexts. This attack cannot
be used against the regular Blowfish; it assumes knowledge of the
key-dependent S-boxes. Vincent Rijmen, in his Ph.D. thesis, introduced
a second-order differential attack that can break four rounds and no
more. There remains no known way to break the full 16 rounds, apart
from a brute-force search.

Bruce Schneier notes that while Blowfish is still in use, he recommends
using the more recent Twofish algorithm instead.

http://en.wikipedia.org/wiki/Blowfish_(cipher)#Cryptanalysis_of_Blowfish

  And what about Twofish?

So as I said, anything wrong with Twofish?

Celejar





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 07:12 PM, Celejar wrote:
[snip]


But it's not a concern for full 16-round Blowfish, so is that really
a problem?

There is no effective cryptanalysis on the full-round version of


Where there's smoke, there might be fire.

[snip]


So as I said, anything wrong with Twofish?



Don't know...

--
Ron Johnson, Jr.
Jefferson LA  USA







Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
ow...@netptc.net wrote:


  Original Message 
 From: javu...@gmail.com
 To: debian-user@lists.debian.org
 Subject: Re: How to protect an encrypted file system for off-line
 attack?
 Date: Mon, 23 Feb 2009 23:53:27 +0100

 Ron Johnson wrote:
 On 02/23/2009 09:26 AM, Javier wrote:
 Ron Johnson wrote:
 On 02/23/2009 01:28 AM, Jordi Gutiérrez Hermoso wrote:
 2009/2/21 Javier javu...@gmail.com:
 I'm actually using encfs to protect my sensitive data,
 Eh...

   http://xkcd.com/538/
 That's known as Rubber Hose Decryption.


 Oh yes, but if he had the chance to escape, at least the files
 continue
 to be untouchable
 Given enough time, and resources, *nothing* is untouchable.  It's
 just a
 matter of whether They think that the time-effort is worth being
 spent
 on *you*.
 Do you mean that there is a way to crack a 256bits AES?

 Yep! Given enough plaintext and ciphertext and enough time (or
 parallel compute power and less time), a brute force attack will
 always work.
 Larry

What do you mean by always work? I mean, is it not going to take one
million years or so? For example, if you encrypt your /home.





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Javier
Ron Johnson wrote:
 On 02/23/2009 06:12 PM, Chris Jones wrote:
 On Mon, Feb 23, 2009 at 02:34:26PM EST, Ron Johnson wrote:

 Given enough time, and resources, *nothing* is untouchable. It's just
 a matter of whether They think that the time-effort is worth being
 spent on *you*.

 Like, twenty times the estimated life of the universe.. a thousand times
 its mass in silicon chips. Everyone involved long dead anyways.
 
 http://en.wikipedia.org/wiki/EFF_DES_cracker
 When DES was approved as a federal standard in 1976, a machine
 fast enough to test that many keys in a reasonable time would
 have cost an unreasonable amount of money to build.
 
 
 http://en.wikipedia.org/wiki/EFF_DES_cracker#Technology
Advanced Wireless Technologies built 1856 custom ASIC DES chips
(called Deep Crack or AWT-4500), housed on 29 circuit boards of
64 chips each. The boards are then fitted in six cabinets. The
search is coordinated by a single PC which assigns ranges of keys
to the chips. The entire machine was capable of testing over 90
billion keys per second. It would take about 9 days to test every
possible key at that rate. On average, the correct key would be
found in half that time.
 
 In the 11 years since Deep Crack, IC process technology has improved by
 leaps and bounds, and the NSA can throw a whole lot of h/w in parallel
 at brute-force attacks.
 
 Combine that with Side Channel Attacks (easy if you have the machine
 that did the encryption, and which can discover part of the key) and
 mathematical analysis to determine even more of the key, you suddenly
 see something feasible.
 
 Of course, all this effort would not be spent on a dissident with some
 naughty books.
 
 +1 on RHD and messier (and subtler) techniques... way to go.
 


As I also have read in the Wikipedia, it is reasonable to crack a 56-bit
DES, a 64-bit AES if you have online access to the machine, and probably
in the future it might be possible to crack a 128-bit one, even offline.
But, a 256 one? It seems incredible to me. 2^256 is this number:


115792089237316195423570985008687907853269984665640564039457584007913129639936

which is 10^79 iterations, I can't imagine the amount of power needed
for cracking that...
Isn't 4x10^80 the amount of atoms in the universe?





Re: How to protect an encrypted file system for off-line attack?

2009-02-23 Thread Ron Johnson

On 02/23/2009 08:43 PM, Javier wrote:
[snip]



As I also have read in the Wikipedia, it is reasonable to crack a 56-bit
DES, a 64-bit AES if you have online access to the machine, and probably
in the future it might be possible to crack a 128-bit one, even offline.
But, a 256 one? It seems incredible to me. 2^256 is this number:


115792089237316195423570985008687907853269984665640564039457584007913129639936

which is 10^79 iterations, I can't imagine the amount of power needed
for cracking that...
Isn't 4x10^80 the amount of atoms in the universe?


25 years ago, I had a KayPro II with CP/M, 64KB RAM and 2 380KB 
FDDs.  (Sun 2s of the same era had a 10MHz MC68010, 4MB RAM and cost 
$44,000.)  Now, I've got 131,000x more RAM, 2000x more MHz and pair 
of CPUs, and 790x more disk space.


What kind of specialized crackers does the NSA have now, and how 
much faster and smaller (thus higher rack density) will they be in 2035?


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.


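
As an added illustration (not part of Ron's or Javier's posts), the same arithmetic carried through in Python, using the Deep Crack rate quoted above as the baseline. The 2035 projection assumes throughput doubling every 18 months; that doubling period and the age-of-the-universe figure are assumptions, not numbers from the thread.

```python
from math import log2

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
# Figures from the Wikipedia excerpt quoted earlier in the thread.
DEEP_CRACK_KEYS_PER_SEC = 90e9      # "over 90 billion keys per second"
DEEP_CRACK_YEAR = 1998


def seconds_to_exhaust(key_bits, keys_per_sec):
    """Worst case: every one of the 2**key_bits keys is tried once."""
    return 2 ** key_bits / keys_per_sec


def expected_seconds(key_bits, keys_per_sec):
    """On average the right key turns up after half the space is searched."""
    return seconds_to_exhaust(key_bits, keys_per_sec) / 2


def projected_rate(rate_now, years_ahead, doubling_years=1.5):
    """Assumption (not from the thread): search throughput doubles every
    doubling_years years. Used only to size the 'what will they have in
    2035?' question."""
    return rate_now * 2 ** (years_ahead / doubling_years)


def bits_beyond_reach(key_bits, keys_per_sec, budget_years):
    """Bits of key space still untouched after budget_years of searching at
    keys_per_sec. Positive means the search cannot finish in that budget."""
    covered = log2(keys_per_sec * budget_years * SECONDS_PER_YEAR)
    return key_bits - covered


def report(key_bits, keys_per_sec, label):
    years = expected_seconds(key_bits, keys_per_sec) / SECONDS_PER_YEAR
    print(f"{label}: {key_bits}-bit key at {keys_per_sec:.2e} keys/s "
          f"-> {years:.3e} years expected")


if __name__ == "__main__":
    # DES on Deep Crack: reproduces the 'about 9 days to test every key'.
    days = seconds_to_exhaust(56, DEEP_CRACK_KEYS_PER_SEC) / SECONDS_PER_DAY
    print(f"DES on Deep Crack: {days:.1f} days worst case")
    # Hypothetical 2035 machine under the doubling assumption above.
    rate_2035 = projected_rate(DEEP_CRACK_KEYS_PER_SEC, 2035 - DEEP_CRACK_YEAR)
    for bits in (56, 64, 128, 256):
        report(bits, rate_2035, "projected 2035 machine")
    # Searching for the age of the universe (~1.4e10 years, constructed round
    # figure) at the Deep Crack rate still leaves most of a 256-bit space:
    left = bits_beyond_reach(256, DEEP_CRACK_KEYS_PER_SEC, 1.4e10)
    print(f"256-bit key after 1.4e10 years at Deep Crack rate: "
          f"{left:.0f} bits beyond reach")
```

The point for the thread's question: 2^256 is about 1.16e77, and no projection of hardware growth turns that into a finite search, so the practical offline risk is the passphrase that unlocks the key, not the key itself.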




Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Jeff Soules
As Ron said, the problem you're describing is a little bit different
from the one the man page talks about.

 The most intrusive attacks, where an attacker has complete control of
 the user's machine (and can therefore modify EncFS, or FUSE, or the
 kernel itself) are not guarded against. Do not assume that encrypted
 files will protect your sensitive data if you enter your password into a
 compromised computer.  How you determine that the computer is safe to
 use is beyond the scope of this documentation.

Seems to me that the man page is talking about two situations:

#1. Someone has rooted your box.  In this case, your encryption can be
bypassed, because unless your secret passphrase is actually an entire
RSA key, the password is just a gatekeeper and everything needed to
decrypt the fs is on the box.  A (sufficiently clever) attacker with
root (and enough time) could modify the EncFS program itself to bypass
the password check and just decrypt your files.

#2. Your box is keylogged, or (for some unknown reason) you put in
your decryption password on a compromised/keylogged other box.  This
isn't strictly an offline attack, it could happen remotely if the
password is compromised.  I suppose you could get around this by
automating the way your fs password is input (although if it's
automated input over stdin, couldn't a properly designed keylogger
still eavesdrop on it?), but that's kind of missing the point, which
is if situation #2 happens, you will soon find yourself in situation
#1.  There, the real questions to ask are how do I avoid getting a
keylogger and how do I catch a user account compromise before the
attacker can gain root. Taking steps in response to those questions
will make you much more secure across the board.


If you're simply worried about protecting your filesystem from offline
attacks, i.e. someone has physical access to your computer without
having rooted it or whatever, then (as always with security) it
becomes a question of how good is good enough.  How long can someone
sit at your computer trying to log in before it locks out for half an
hour?  How long before you (or someone else) comes back to stop them?
Having logged in, how long before they manage to decrypt the
filesystem without using EncFS?  Etc.  We're starting to talk about a
very dedicated attacker at this point, who must have a compelling
motivation for attacking your box specifically; these aren't
government secrets, right?  At any rate, in this kind of situation,
other security considerations and means of attack
(http://xkcd.com/538/) start to come into play.  In fact, the main
scenarios I can imagine are either that you're trying to keep personal
files secret from a prying but technically skilled family member, or
that you're protecting a corporate environment from some kind of
industrial espionage (although again, in the latter case I think
you're more vulnerable to social engineering attacks than strictly
technological ones).
Though I would wonder if, in those scenarios, having the password
automatically input from an SD card or something might actually
decrease your security.  If you're talking about offline attacks,
that's someone with access to the computer's physical environment (and
who may even have seen you put in the SD card while you mount
encrypted FSs).  A non-compromised, keyed-in password would actually
provide more protection in that case than an SD card that's sitting on
your desk somewhere and that any joe could plug in.


After all that, if this problem still seems compelling to you, then I
suppose the best situation would be for you to have an SD card or
whatever, kept secure and separate from the box, that feeds the actual
encryption key into the system, with that key not being stored locally
at all.  Ideally you would also have some kind of second password
check required to get the program to actually use the RSA key, so you
can depend on both something you have and something you know.  I've no
idea how to implement this technically; I don't see a facility in
EncFS to do anything like this.  Also, this setup makes your data
brittle; if your SD card gets wet or zapped, your filesystem is gone.
There's always compromises between security and convenience, and
security and resilience of data.

And, joy of joys, make sure you store your backups somewhere nice and
secure.  With your EncFS setup you probably want to store the backups
of the encrypted filesystem away from all the others, so that someone
getting ahold of them has to crack the actual encryption rather than
just hunt around for the key.


On Sat, Feb 21, 2009 at 11:16 AM, Javier javu...@gmail.com wrote:
 Sorry for my ignorance in this respect, I hope you can help me.

 I'm actually using encfs to protect my sensitive data, but this is what
 is said in the manual:

 The most intrusive attacks, where an attacker has complete control of
 the user's machine (and can therefore modify EncFS, or FUSE, or the
 kernel itself) are not guarded 

Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Javier
Jeff Soules wrote:
 As Ron said, the problem you're describing is a little bit different
 from the one the man page talks about.
 
 The most intrusive attacks, where an attacker has complete control of
 the user's machine (and can therefore modify EncFS, or FUSE, or the
 kernel itself) are not guarded against. Do not assume that encrypted
 files will protect your sensitive data if you enter your password into a
 compromised computer.  How you determine that the computer is safe to
 use is beyond the scope of this documentation.
 
 Seems to me that the man page is talking about two situations:
 
 #1. Someone has rooted your box.  In this case, your encryption can be
 bypassed, because unless your secret passphrase is actually an entire
 RSA key, the password is just a gatekeeper and everything needed to
 decrypt the fs is on the box.  A (sufficiently clever) attacker with
 root (and enough time) could modify the EncFS program itself to bypass
 the password check and just decrypt your files.
 
 #2. Your box is keylogged, or (for some unknown reason) you put in
 your decryption password on a compromised/keylogged other box.  This
 isn't strictly an offline attack, it could happen remotely if the
 password is compromised.  I suppose you could get around this by
 automating the way your fs password is input (although if it's
 automated input over stdin, couldn't a properly designed keylogger
 still eavesdrop on it?), but that's kind of missing the point, which
 is if situation #2 happens, you will soon find yourself in situation
 #1.  There, the real questions to ask are how do I avoid getting a
 keylogger and how do I catch a user account compromise before the
 attacker can gain root. Taking steps in response to those questions
 will make you much more secure across the board.
 
 
 If you're simply worried about protecting your filesystem from offline
 attacks, i.e. someone has physical access to your computer without
 having rooted it or whatever, then (as always with security) it
 becomes a question of how good is good enough.  How long can someone
 sit at your computer trying to log in before it locks out for half an
 hour?  How long before you (or someone else) comes back to stop them?
 Having logged in, how long before they manage to decrypt the
 filesystem without using EncFS?  Etc.  We're starting to talk about a
 very dedicated attacker at this point, who must have a compelling
 motivation for attacking your box specifically; these aren't
 government secrets, right?  At any rate, in this kind of situation,
 other security considerations and means of attack
 (http://xkcd.com/538/) start to come into play.  In fact, the main
 scenarios I can imagine are either that you're trying to keep personal
 files secret from a prying but technically skilled family member, or
 that you're protecting a corporate environment from some kind of
 industrial espionage (although again, in the latter case I think
 you're more vulnerable to social engineering attacks than strictly
 technological ones).
 Though I would wonder if, in those scenarios, having the password
 automatically input from an SD card or something might actually
 decrease your security.  If you're talking about offline attacks,
 that's someone with access to the computer's physical environment (and
 who may even have seen you put in the SD card while you mount
 encrypted FSs).  A non-compromised, keyed-in password would actually
 provide more protection in that case than an SD card that's sitting on
 your desk somewhere and that any joe could plug in.
 
 
 After all that, if this problem still seems compelling to you, then I
 suppose the best situation would be for you to have an SD card or
 whatever, kept secure and separate from the box, that feeds the actual
 encryption key into the system, with that key not being stored locally
 at all.  Ideally you would also have some kind of second password
 check required to get the program to actually use the RSA key, so you
 can depend on both something you have and something you know.  I've no
 idea how to implement this technically; I don't see a facility in
 EncFS to do anything like this.  Also, this setup makes your data
 brittle; if your SD card gets wet or zapped, your filesystem is gone.
 There's always compromises between security and convenience, and
 security and resilience of data.
 
 And, joy of joys, make sure you store your backups somewhere nice and
 secure.  With your EncFS setup you probably want to store the backups
 of the encrypted filesystem away from all the others, so that someone
 getting ahold of them has to crack the actual encryption rather than
 just hunt around for the key.


Ok, thank you for your help. I've read it carefully.

Now imagine the worst situation, that a friend wants to protect his data
from his corrupt dictatorial government, and he doesn't want to directly
make the question here, because he is afraid.
For email, there is PGP, I suppose it is good enough, right?

Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Ron Johnson

On 02/22/2009 07:03 PM, Javier wrote:
[snip]

Now imagine the worst situation, that a friend wants to protect his data
from his corrupt dictatorial government, and he doesn't want to directly
make the question here, because he is afraid.


From your name, we can reasonably narrow it down.  I.e., he's 
probably not in the PRC...



I think the SD with stored password is a good solution. While he is not
in the house, he can carry the SD


And if he's caught, they find it on him.


  or have it hidden somewhere.


That which is hidden can be found.


   While he
is in the house, and police enter, he might


He goes thru the hassle of encrypting everything, then relies on 
might



 have enough time to probably
destroy the SD and turn off the computer.


Pulling the plug, though, is pretty quick.


What would you recommend in this imaginary case?


For him to use his memory.  But even then, rubber hose decryption 
can be quite effective.


Anyhow, I'd suggest that sensitive files be stored in an 
innocuously-named encfs directory mounted with the --idle= option.



Also, I have seen that encfs supports up to 2048 characters for the pass
phrase. Is it better to have a very large random pass, or is it
irrelevant at some point?


If he can remember a long phrase, longer is always better...

Something like the first 5 or six words of a widely-known (but 
seemingly irrelevant) document.



And which is better, Blowfish or AES?


AES.

--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.






Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Jeff Soules
Hi Javier,

Thank you for your reply.  Given the hypothetical (but all too
possible) situation you describe, there are different considerations.

 Now imagine the worst situation, that a friend wants to protect his data
 from his corrupt dictatorial government

Absolutely a possibility.  There are many levels of secrecy --
filesystem encryption prevents the contents from being known, but does
not hide the fact that there is a secret.  The presence of a secret
could be enough right there.  The kind of government you describe
doesn't need to find evidence in order to disappear a person.  This
also makes it all the more possible that, if his house is raided and
encrypted files are found, someone might try to torture the
information out of him.  (Even if the partition is named something
harmless-sounding, I can't imagine cops anywhere who wouldn't demand
it be decrypted so they could check it, and refusal would not look
good.)  In any case, with EncFS we're talking about a technological
solution in which the encryption key is stored alongside the encrypted
media, so whatever the password concerns are, this is unsuitable for
keeping information truly secret when a hostile person might have
enough physical access to the drive.

I think it is entirely too likely that a government like this either
would be able to compromise the data (with or without recovering the
passwords), or would be willing to punish him just for having
encrypted data to begin with, if they know he has it.

 Then my question is: is EncFS good enough to protect his data?
 I think the SD with stored password is a good solution. While he is not
 in the house, he can carry the SD or have it hidden somewhere. While he
 is in the house, and police enter, he might have enough time to probably
 destroy the SD and turn off the computer.

With the level of danger involved here, I think the security issue is
more that there be some rapid way to destroy any evidence of the
existence of the data (possibly destroying the data itself), rather
than making sure the password stays safe.  Destroying the SD card is a
start, but really a person under this kind of government would need to
be able to say No, there are no secrets, not Here's a filesystem
that you can't read.

That was my point in the original email -- while there are some
interesting technical problems here, I think in this case the digital
security is less important than the social/personal security
surrounding it.  Or, rather, the digital security will not wind up
being the weakest link in the chain.

I wonder if in this situation it might be more appropriate to store
the encrypted filesystem on an external pluggable device, like a USB
key.  If a person in this environment were not using many multimedia
files, then storage needs might be very moderate, able to fit on some
of the larger USB keys (8-16 GB) that can be had for around US $30.
(I don't know what kind of budget a person in this situation might
have).  But by storing any incriminating files on an external medium,
preferably a (physically) small one, and then encrypting that, a
person could both hide the very existence of prohibited data, and also
have a data store that can be more easily hidden or destroyed during a
police raid.  (Chuck it in the sewer or something if needs be).  If
the computer is seized or stolen while the person is away, oh well;
there's nothing incriminating on the computer, not even any suspicious
encrypted filesystems.  That's if there is a reasonable reaction time
before being taken into custody.  I really don't know whether it'd be
better to keep this on his person with a plan to ditch or destroy it,
or to find a hiding place the police wouldn't check where it could be
accessed without arousing suspicion.

Good luck to any person who finds himself in such a situation.


As to passwords, another method that works well is to take the
initials of a memorable phrase, and then make a few predictable
changes.  For instance, you could take the phrase working to enhance
civil liberties by overthrowing kings and dictators to create
w2EcLx0KD -- which has a decent 10-char length with some character
distribution while remaining very memorable.


I hope all this helps.


 I think the SD with stored password is a good solution. While he is not
 in the house, he can carry the SD or have it hidden somewhere. While he
 is in the house, and police enter, he might have enough time to probably
 destroy the SD and turn off the computer.

 What would you recommend in this imaginary case?




On Sun, Feb 22, 2009 at 8:03 PM, Javier javu...@gmail.com wrote:
 Jeff Soules wrote:
 As Ron said, the problem you're describing is a little bit different
 from the one the man page talks about.

 The most intrusive attacks, where an attacker has complete control of
 the user's machine (and can therefore modify EncFS, or FUSE, or the
 kernel itself) are not guarded against. Do not assume that encrypted
 files will protect your sensitive data 
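
An added comparison (not from Jeff's or Ron's posts) of the passphrase styles discussed in this thread: Jeff's initials-of-a-phrase scheme, Ron's "first five or six words of a widely-known document", and Javier's question about very long random passphrases versus the 2048-character limit. The attacker models (bits per initial letter, corpus size) are assumed round figures; the key-length cap is a general fact about any passphrase-wrapped key.

```python
from math import log2

# Key sizes of the ciphers compared in the thread (Blowfish takes up to 448 bits).
CIPHER_KEY_BITS = {"AES-128": 128, "AES-256": 256, "Blowfish-448": 448}


def bits_random_chars(length, alphabet_size):
    """Uniformly random characters: the only case where each extra character
    buys the full log2(alphabet) bits."""
    return length * log2(alphabet_size)


def bits_initials_scheme(num_words, bits_per_initial=3.0, variants_per_char=4):
    """Jeff's scheme: initials of a memorable phrase plus 'predictable changes'.
    Assumed attacker model: first letters of English words are far from
    uniform (about 3 bits each rather than log2(26) = 4.7), and each character
    has about 4 plausible case/digit variants that the guesser also tries."""
    return num_words * (bits_per_initial + log2(variants_per_char))


def bits_known_document_words(num_documents=1e6, positions_per_document=1e4):
    """Ron's scheme: the first 5 or 6 words of a widely-known document. A
    guesser that feeds every short word-run from a corpus of well-known texts
    needs about num_documents * positions guesses; both are assumed figures."""
    return log2(num_documents * positions_per_document)


def effective_bits(passphrase_bits, cipher):
    """The passphrase only unlocks a fixed-size cipher key, and an attacker can
    always search that key directly instead, so passphrase entropy above the
    key length buys nothing: a 2048-character random passphrase is no stronger
    than the 256-bit key it wraps. Below the key length, the passphrase is the
    weakest link, and each guess also pays the key-derivation cost."""
    return min(passphrase_bits, CIPHER_KEY_BITS[cipher])


if __name__ == "__main__":
    candidates = {
        "Jeff's initials scheme (10-word phrase)": bits_initials_scheme(10),
        "Ron's 6 words of a famous text": bits_known_document_words(),
        "10 random printable ASCII chars": bits_random_chars(10, 95),
        "6 random words from a 7776-word list": 6 * log2(7776),
        "2048 random printable ASCII chars": bits_random_chars(2048, 95),
    }
    for label, bits in candidates.items():
        print(f"{label:42s} ~{bits:8.1f} bits raw, "
              f"{effective_bits(bits, 'AES-256'):6.1f} bits effective vs AES-256")
```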

Re: How to protect an encrypted file system for off-line attack?

2009-02-22 Thread Jordi Gutiérrez Hermoso
2009/2/21 Javier javu...@gmail.com:
 I'm actually using encfs to protect my sensitive data,

Eh...

  http://xkcd.com/538/

- Jordi G. H.





How to protect an encrypted file system for off-line attack?

2009-02-21 Thread Javier
Sorry for my ignorance in this respect, I hope you can help me.

I'm actually using encfs to protect my sensitive data, but this is what
is said in the manual:

The most intrusive attacks, where an attacker has complete control of
the user’s machine (and can therefore modify EncFS, or FUSE, or the
kernel itself) are not guarded against. Do not assume that encrypted
files will protect your sensitive data if you enter your password into a
compromised computer.  How you determine that the computer is safe to
use is beyond the scope of this documentation.

So my question is: how can I truly protect a filesystem against offline
attacks?

I have been thinking of using an SD card for storing the passwords in, and
some kind of script or program to automatically retrieve the password from
the card when needed. Then, if I remove the card, my filesystem is
secure.

But I also have more questions... is the AES encoder that encfs uses by
default secure enough? If not, is there another way to use another one,
for example, GnuPG?

Thank you.



-- 
gpg --keyserver pool.sks-keyservers.net --recv-keys AFC23C68





Re: How to protect an encrypted file system for off-line attack?

2009-02-21 Thread Ron Johnson

On 02/21/2009 10:16 AM, Javier wrote:

Sorry for my ignorance in this respect, I hope you can help me.

I'm actually using encfs to protect my sensitive data, but this is what
is said in the manual:

The most intrusive attacks, where an attacker has complete control of
the user’s machine (and can therefore modify EncFS, or FUSE, or the
kernel itself) are not guarded against. Do not assume that encrypted
files will protect your sensitive data if you enter your password into a
compromised computer.  How you determine that the computer is safe to
use is beyond the scope of this documentation.

So my question is: how can I truly protect a filesystem against offline
attacks?


But that's different from the issues raised in the quote from the 
man page.



I have been thinking of using an SD card for storing the passwords in, and
some kind of script or program to automatically retrieve the password from
the card when needed.


   -S, --stdinpass
   Read password from standard input, without prompt‐
   ing.  This may be useful for scripting encfs mounts.

   Note that you should make sure the filesystem and
   mount points exist first.  Otherwise encfs will
   prompt for the filesystem creation options, which
   may interfere with your script.



   Then, if I remove the card, my filesystem is
secure.


Your filesystem is inaccessible, even to you!!  (Unless you remember 
the passphrase...)



But I also have more questions... is the AES encoder that encfs uses by
default secure enough? If not, is there another way to use another one,
for example, GnuPG?


--
Ron Johnson, Jr.
Jefferson LA  USA

The feeling of disgust at seeing a human female in a Relationship
with a chimp male is Homininphobia, and you should be ashamed of
yourself.


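
As an added example (not from Ron's post or the EncFS project), the scripted mount Javier described, built on the --stdinpass and --idle options mentioned in this thread, with the man page's precondition check done up front. The config file name, the directory layout and the passphrase file on the card are assumptions.

```python
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumption: EncFS 1.5+ keeps the volume configuration (including the
# passphrase-wrapped volume key) in this file inside the encrypted root.
ENCFS_CONFIG = ".encfs6.xml"


def check_prereqs(root: Path, mountpoint: Path, keyfile: Path) -> list:
    """Return the problems that would make an unattended mount fail or expose
    the passphrase; an empty list means it is safe to proceed. The first
    check is the man page's warning: with no existing volume, encfs prompts
    interactively for creation options, which a script cannot answer."""
    problems = []
    if not (root / ENCFS_CONFIG).is_file():
        problems.append(f"{root} has no {ENCFS_CONFIG}; not creating a volume unattended")
    if not mountpoint.is_dir():
        problems.append(f"mount point {mountpoint} does not exist")
    if not keyfile.is_file():
        problems.append(f"passphrase file {keyfile} missing (card not inserted?)")
    else:
        mode = stat.S_IMODE(keyfile.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{keyfile} is readable by group/others (mode {oct(mode)})")
    return problems


def build_command(root: Path, mountpoint: Path, idle_minutes: int) -> list:
    """--stdinpass (-S) reads the passphrase from stdin; --idle unmounts the
    volume after idle_minutes of inactivity, which bounds how long it stays
    unlocked if the machine is taken while mounted."""
    return ["encfs", "--stdinpass", f"--idle={idle_minutes}", str(root), str(mountpoint)]


def mount_from_card(root: Path, mountpoint: Path, keyfile: Path, idle_minutes: int = 10) -> int:
    """Mount the volume with the passphrase read from the removable card.
    Returns encfs's exit status; raises if the prerequisites are not met."""
    problems = check_prereqs(root, mountpoint, keyfile)
    if problems:
        raise RuntimeError("; ".join(problems))
    passphrase = keyfile.read_bytes().rstrip(b"\r\n")
    proc = subprocess.run(build_command(root, mountpoint, idle_minutes),
                          input=passphrase + b"\n", check=False)
    return proc.returncode


def make_demo_layout() -> Path:
    """Constructed layout for exercising the checks offline: a root with a
    placeholder config (NOT a real EncFS config), an empty mount point and a
    'card' directory holding a mode-0600 passphrase file."""
    base = Path(tempfile.mkdtemp(prefix="encfs-demo-"))
    (base / "root").mkdir()
    (base / "root" / ENCFS_CONFIG).write_text("<placeholder/>\n")
    (base / "mnt").mkdir()
    (base / "card").mkdir()
    keyfile = base / "card" / "encfs.pass"
    keyfile.write_bytes(b"constructed demo passphrase\n")
    keyfile.chmod(0o600)
    return base


if __name__ == "__main__":
    base = make_demo_layout()
    key = base / "card" / "encfs.pass"
    print("demo layout:", check_prereqs(base / "root", base / "mnt", key) or "ok")
    print("card absent:", check_prereqs(base / "root", base / "mnt", base / "card" / "absent"))
    print("command:", " ".join(build_command(base / "root", base / "mnt", 10)))
```

Note that this only automates entry of the passphrase; as Ron and Jeff point out, a card that is readable by whoever holds it is a "something you have" factor, not a secret, so the check above at least refuses world-readable key files.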