Re: [qubes-users] Re: Qubes default cryptsetup. How strong is it?

2016-06-21 Thread Robin Schneider

On 21.06.2016 23:54, Arqwer wrote:
>> How "quick" any of available super PCs (10,649,60 cores, 125,435. TFLOP/S
>> )  can find the password (e.g 8-16 chars) encrypted with Qubes default
>> settings cryptsetup?
>>
>
> Encryption is the hardest part of the chain, if the passphrase is long
> enough. If the password is 16 random lowercase and uppercase letters, then
> it is 52^16 combinations, which is about 10^27. If you can crack 100 Peta
> passwords/S, then it will take 10^(27-17) = 10^(10) seconds to brute the
> password, which is 316 years. (Really, the expectation is half of it, so 158
> years on average). Of course, if those letters are not "Password12345678".
>
>> How can we improve security to prevent this?
>>
>
> If 316 years is not enough, then you can add one more character, to make
> it 16 thousand years!


Most of those projections about how many years brute forcing a passphrase with
that many bits of entropy may take completely ignore one key aspect, especially
when you are talking about hundreds of years, and that is technical advance and
Moore's law. So to be realistic, you would need to take that into
consideration.

Refer to:

* https://crypto.stackexchange.com/questions/1815/how-to-account-for-moores-law-in-estimating-time-to-crack

-- 
Live long and prosper
Robin `ypid` Schneider

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a69beae4-41e8-6f5b-9cce-b56916e1c6a3%40riseup.net.
For more options, visit https://groups.google.com/d/optout.
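
Added example (not part of either message in this thread): the constant-rate estimate from the thread (10^27 combinations at 100 peta passwords/s) next to the same estimate when the attacker's guess rate keeps doubling. The 2-year doubling period and the assumption that the attacker's rate grows continuously are assumptions of this sketch, not figures from the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def static_years(keyspace, guesses_per_second):
    """Worst-case years to exhaust the keyspace at a constant guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def moore_years(keyspace, guesses_per_second, doubling_years=2.0):
    """Worst-case years when the guess rate doubles every `doubling_years`.

    Rate r(t) = r0 * 2**(t/d). Guesses made by time T:
        integral_0^T r(t) dt = r0 * d / ln(2) * (2**(T/d) - 1)
    Setting that equal to the keyspace and solving for T gives the return line.
    doubling_years=2.0 is an assumed value, not taken from the thread.
    """
    work = static_years(keyspace, guesses_per_second)  # keyspace / r0, in years
    return doubling_years * math.log2(1 + work * math.log(2) / doubling_years)

def chars_needed(target_years, alphabet, guesses_per_second, doubling_years=2.0):
    """Smallest random passphrase length that survives target_years
    of worst-case search under the growing-rate model above."""
    n = 1
    while moore_years(alphabet ** n, guesses_per_second, doubling_years) < target_years:
        n += 1
    return n

if __name__ == "__main__":
    rate = 1e17  # 100 peta passwords/s, the thread's figure
    # Keyspaces as rounded in the thread: 16 chars ~ 10^27, 17 chars = 52x that.
    for label, keyspace in (("16 chars", 1e27), ("17 chars", 52e27)):
        print(label,
              "constant rate: %.0f years," % static_years(keyspace, rate),
              "doubling rate: %.1f years" % moore_years(keyspace, rate))
    print("length for 100 years, doubling rate:", chars_needed(100, 52, rate))
```

Under the doubling model each extra random letter adds a roughly fixed number of years (about 2 * log2(52), or 11.4) instead of multiplying the time by 52, so the passphrase length has to be chosen for the whole period the data must stay secret.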


[qubes-users] Re: Qubes default cryptsetup. How strong is it?

2016-06-21 Thread Arqwer


> Will Qubes Manager work fine if VMs will not be available at the boot time
> or some time after that, before user will not mount container?
>

Yes. I have R3.0, and some VMs are on a secondary, encrypted drive. I mount
it using crontab like
@reboot /my/script/to/mount/encrypted/secondary/drive
I used this instruction
to move appvms there. But I did it not for the purpose of security, but just to
have more disk space. I store the key to that drive in dom0.

> How "quick" any of available super PCs (10,649,60 cores, 125,435. TFLOP/S
> )  can find the password (e.g 8-16 chars) encrypted with Qubes default
> settings cryptsetup?
>

Encryption is the hardest part of the chain, if the passphrase is long
enough. If the password is 16 random lowercase and uppercase letters, then it
is 52^16 combinations, which is about 10^27. If you can crack 100 Peta
passwords/S, then it will take 10^(27-17) = 10^(10) seconds to brute the
password, which is 316 years. (Really, the expectation is half of it, so 158
years on average). Of course, if those letters are not "Password12345678".

> How can we improve security to prevent this?
>

If 316 years is not enough, then you can add one more character, to make
it 16 thousand years!

> Is it a good idea to install some 3rd party software at dom0 to make
> crypto container to store some VMs and mount it before VM start?
>

I don't think so. The more different tools you use, the more chances there
are to use something wrong.

After all, there are much easier ways to get your data. For example, the
hardware backdoor called Intel ME.
