Slashdot Mirror
How Long to Crack an 'Encrypted' HD?
brainburger asks: "In the UK, Tony Blair has recently lost a parliametary vote to allow the police to hold terrorist suspects for 90 days without trial. One of the justifications the police gave for the extension from 14 days to 90 days was that they need the extra 76 days to decrypt the computer hard-drives of suspects. This has been seen by some as the only compelling reason to allow 90 days. The time-limit has been extended to 28 days instead, but Tony Blair insists 90 days is required. Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90? Aside from the not-much-discussed issue that the police can no longer interrogate a suspect after they are charged, I suspect the police meant unencrypted machines. What do you think?"
this is no dupe?!?!!? what are u talking about. the last article stated that blair wanted 90 days.
this article states that he didnt get what he wanted.
quite different if u ask me...and somewhat interesting
Dupe! Dupe, I say. Seriously, though. This was one of the more commented on stories of the past week. I and other slashdotters are sensing subterfuge.
Read the only personal Runyon page out there.
Such detention is not allowed in the US.
In case you're not being sarcastic, you might be shocked to read about Jose Padilla.
Beware if you come to New Zealand and are arrested over your HDD. The defense of Not Incriminating Yourself no longer applies to electronic encryption and passwords and you will be charged with something like obstructing justice or worse. My understanding is you could end up in prison for twelve months simply by refusing to decrypt your data.
Behold France which is currently in upheaval because unsatisfied Muslims are striking out at the national culture which has been keeping them down, nevermind the fact that the Muslims themselves segregate themselves from the rest of society by refusing to conform to the culture into which they immigrated.
Many of them became French citizens not through their own choice, but through France's annexation of Algeria. Rather than "migrating", many just moved from one part of "France" to a different part. After independence, moving to Algeria may not have been an option for those who were born and raised in France proper. Even if it was an option, no-one has an obligation to emigrate because of their ethnicity.
Hold on. Anyone remember the Regulation of Investigatory Powers 2000 Act? Isn't it an offence - punishable by a prison sentence - to not hand over encryption keys? If they need to crack it, they can just tell the suspect to hand over his key(s). If he/she doesn't, he goes down for more than 90 days anyway ...
This is slashdot. We like free software!
http://www.truecrypt.org/
Encrypted disks, crossplatform (win/lin).
Sparks:Gadget:Beer Maker
Bali is a major holiday destination for westerners, especially Australians. Balinese aren't being targeted, as it isn't Hindu shrines or homes which are being bombed, it is nightclubs and restaurants full of tourists.
The bombers want to:
a) Get the "decadent westerners" out of Bali and
b) Destabilise the usually strong Balinese economy so that they can more easily attract followers there
A lot of Balinese have been killed as a result, but they aren't the primary target.
The terrorists in South-East Asia are a particularly nasty lot. They not only want to banish westerners and western ideas from the region, they also want to turn the entire area into a giant Caliphate.
You forgot one thing. Failing to turn over your encyrption keys or failing to prove you can't possibly know them (voip) can result in up to two years in prison. Cant remember name of law. But it was discussed last time this came up on /. .
So why 90 to crack encryption? If you don't give them you keys, they can charge you and go through the British court system and possibly get you for 2 years. The only reason they claim they need 90 days is so that when they want 180 (a year/forever), it doesn't seem as unreasonable. They want the ability to hold a person w/o trial or charging them for as l;ong as they like. Cracking encryption is a convient excuse. To the computer-illiterate it sounds plausable.
captcha compute
They don't need to do that. Over here, refusing to reveal an encryption key when required by the Police is an offence in itself.
RIP Act 2000
Back to the question: "How Long to Crack an 'Encrypted' HD?": it all depends on how well it is done. It also depends on where the disk key is stored. It is easier to crack a drive if the key is kept on the drive or left up to lazy humans to type in each time.
I'm not kidding about the last point. There are hard drive encryption products where drive is automatically mounted / accessed without human intervention. These products derive the decryption key from stored state on the hard drive. Sure they pull tricks such as storing the key material in a sector marked as "bad", but if you reverse engineer their process you can find the drive key and begin cracking the drive in milliseconds.
There are hard drive encryption products where a human must enter a password / pass-phrase access the drive decryption key. The time to crack the drive depends on how easy to guess the unlocking password / pass-phrase. This guessing can be done in parallel starting with common / poorly selected passwords / pass-phrases first. Too many people don't want to type in difficult / hard to type passwords. A guessing attack would frequently be successful against drives encrypted with products that require a human to type something.
chongo (was here)
Dunno if it was meant to be funny, but AES is a symmetric cipher with a maximum of 256 bits.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Even so, the US Govt considers 256 bit AES to be good enough for "Top Secret" documents so I doubt it's crackable in 90 days.
This 90 day clause is the only part any one is interested in! I too thought 90 days was a bit much until I heard that EVERY 7 days the suspect is brought before a magistrate and the case for detention is reviewed
It seems that this fine point has been ignored??
(I am aware, for the record, that brute forcing a password of any real length... e.g. even 6 or 7 chars long... requires an extraordinary amount of combinations of letters, numbers, and symbols... but if we can group those combinations into smaller units, don't we reduce the number?)
No. 6 or 7 characters * 8bit/char = 48-56 bits at most. Because so many special signs are hard to reach, you can usually get away with 6bit, so 36-42 bits. That is insufficient to prevent any serious brute force attempt. A strong passphrase is roughly 20-25 characters long, and should have about three typos (the number of permutations make it fairly pseudorandom at this point). Something like: "MicrosXftIsEv6ilReadSla=hdot" should have 128bit+ strength. If you want 256 bit (read, fully uncrackable at any rate) you can double that. Remember, internet-safe passwords != passwords that are secure against local attack. If you can brute force it locally, 6-8 character passwords are way too little.
Live today, because you never know what tomorrow brings
Whoops. I'm on Mac OS X. I went into the System Preferences -> Security pref pane. I clicked on the button that said "Turn On FileVault" I waited a minute or two while the hard drive churned and voila!
Unfortunately, for law enforcement etc, my entire home folder is now encrypted with AES128 encryption. Yep, all my email, all my documents, all my application preferences, even my entire MP3 music library (except that I went to lengths to not have this encrypted by symlinking it to somewhere else) is now AES128 encrypted. With a strong passphrase. It's really that easy.
I then have a file, also in my home folder, called my keychain. This is where I put stuff I really want to keep safe. All my passwords, all my bank a/c details, secure notes, login details, slashdot login etc. This is also encrypted. Yep, AES128. Even if my home folder was decrypted, there's still the keychain if they want to get to any secure notes or login details I might have.
90 days? You're not going to be able to do jack against this in 90 days. And this is just using simple stuff that's built into the OS.
k
Specialist Mac support for creative pros, Melbourne
I hope you don't really believe that.
From 'Private Eye' 2005/11/11 - http://www.private-eye.co.uk/
"Number Crunching"
24 Hours - Period terriorism suspects in Australia (al_Qaeda death toll: 88) can be detained before criminal charges must be levelled.
5 Days - Period terriorism suspects in Spain (al_Qaeda death toll: 191) can be detained before criminal charges must be levelled.
7 Days - Period terriorism suspects in USA (al_Qaeda death toll: 3,000) can be detained before criminal charges must be levelled.
90 Days - Period terriorism suspects in UK (al_Qaeda death toll: 52) should be allowed to be detained before criminal charges must be levelled.
Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.
In true Slashdot spirit, you should have mentioned the Open Source solution: TrueCrypt.
:-)
I have been burned before: I will never use a closed source software again for data encryption. The tinfoil hat crowd will worry about the possible NSA backdoor or weak implementation. More practically, I worry about the developer going out of business and the next windows update breaking my encryption software, leaving me high and dry with no other recourse but to downgrade or reinstall my system, get my data back, and start hunting for a new encryption solution. Save yourself the trouble and use TrueCrypt.
Now I was just going to write that the only problem with TrueCrypt was that it was Windows only (with Linux support on their roadmap, though...)... Well guess what: I just checked their site again, and here it is: "4.0, November 1, 2005 [...] TrueCrypt volumes can now be mounted on Linux." Perfect timing to prove again the superiority of Open Source
I code, therefore I am.
No. It should happen like this: you're arrested because you match the description of a burglar or other criminal they're looking for (although whether merely wearing a suit of the same colour should be counted as "matching the description" is debatable, too); you're brought before a judge within 24 hours, who will issue a formal arrest warrant, and you will be given time to consult with your lawyer. Your background will be checked, and *if* there is no easy reason why you must be innocent (such as having attended a conference in another town at the time the crime in question happened!), *then* a search warrant for your home can be issued by a *judge*.
quidquid latine dictum sit altum videtur.
Even so, the US Govt considers 256 bit AES to be good enough for "Top Secret" documents so I doubt it's crackable in 90 days.
Actually no, they recommend using AES 256 for govn't sensitive, but unclassified data. For anything classified, they are using classified military algorithms.
This is a common approach to swap encryption on Linux and other Unices lately. What happens is that the encrypted drive is encrypted on every write, and decrypted on every read, at the single-block level. So even if the machine is suddenly powered-off and then the encrypted drive is read on another machine, it's still encrypted. It's more secure than data partition encryption, for sure. BUT, I think even this is probably flawed, unless you have audited the entire OS to make sure it doesn't store data on swap in any sort of predictable way. If you know that the kernel keeps data about the init process in the first block of swap, for instance, then you have a rosetta stone to break the encryption. A more likely example might be that the kernel might write certain patterns to swap frequently: say, a GNOME icon, followed by the data for the file associated with it. Each of these things in turn have certain recognisable patterns in memory or on swap, so that kind of thing would probably significantly reduce the data's secrecy.
Switch back to Slashdot's D1 system.
This is not about the period of detention without trial (which can, unfortunately, be a very long time already). It's about detention without charge. Suspects can currently be held for 14 days without any explanation of what offence they are believed to have committed and the government wanted to extend that to 90 days.
The authorities aren't going to go around arresting everyone,
;)
... From what i've seen, the British people (and western Europeans in general) don't mind giving the government inordinate control over their lives.
Tell that to the octagenerian who was detained under the previous Act for heckling at the recent Labour party conference. Or the woman in Scotland detained for several hours for *walking* down a cycle path.
it would bring many lawsuits
Don't think so, the whole point is to make it *legal*.
so theoretically, government officials reflect the will of the people in policy making.
Indeed, and according to polls apparently the majority of the British public think locking people up for 90 days without charge (first 7 days without judicial intervention too) *is* a good idea. They're terrorists after all, right? Never mind 90 days, throw away the key!
--paulj
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
Really? What nation's uniform were they wearing when they were picked up? Normally, when you're in a war and someone not wearing a uniform shoots at you, and you capture them, you hang them.
Just a FIY, if you want to destroy data on a CD so that it can't be recovered, place it in a microwave for about 5 seconds. Try it with a blank to see what I mean.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.