Slashdot Mirror
How Long to Crack an 'Encrypted' HD?
brainburger asks: "In the UK, Tony Blair has recently lost a parliametary vote to allow the police to hold terrorist suspects for 90 days without trial. One of the justifications the police gave for the extension from 14 days to 90 days was that they need the extra 76 days to decrypt the computer hard-drives of suspects. This has been seen by some as the only compelling reason to allow 90 days. The time-limit has been extended to 28 days instead, but Tony Blair insists 90 days is required. Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90? Aside from the not-much-discussed issue that the police can no longer interrogate a suspect after they are charged, I suspect the police meant unencrypted machines. What do you think?"
But remember the requirement - 90 days for the POLICE to crack the encryption- I don't know why they don't just make it 'indefinite detention'.
I have nothing to hide. So, why are you spying on me?
it's longer than the suspect's skull during interrogation
I'd love to see how Safehouse from www.pcdynamics.com will do. Encrypt file-based real drive volumes with AES, Twofish, Blowfish, 3DES, and DES.
Kris
Kriston
I'd better not use AES to encrypt my hard drive or I'd guess they can hold me without charge until the sun burns out.
is that if cracking encrypted hard disks is really that important, it would be better to simply give police enough computer power to crack the encryption in less time and avoid the civil liberties issues. Of course, giving the police that much computer power will eventually guarantee even more civil liberties issues.
The higher the technology, the sharper that two-edged sword.
this is no dupe?!?!!? what are u talking about. the last article stated that blair wanted 90 days.
this article states that he didnt get what he wanted.
quite different if u ask me...and somewhat interesting
Just cracking it isn't enough. They have to then sift through gigs of data to look for evidence. And that's ignoring stegnography.
Agile Artisans
1: Today's terrorism is different because attacks do not have political aims and are designed to cause mass casualties, with no warning, involving suicide bombers
Retired senior judge Gerald Butler states: "The mere fact a threat is "completely different" is, of itself, no justification for an extension in the detention laws. But it is true we face a new and terrifying threat in this country."
Not politically motivated?!
What on earth are these people talking about? Good gried, "GET OUT THE MIDDLE EAST, WEST!" sounds _very_ political to me! "STOP MESSING IN OUR AFFAIRS", sounds political to me!
These attacks are completely and totally politically motivated.
The militants in the Middle East, right or wrong, is ABSOLUTELY, COMPLETELY, and TOTALLY in the middle of a political struggle with the West.
I think it's a bullshit excuse, that's what I think. With encryption algorithms, we're talking orders of magnitude, and most algorithms that can't be bruteforced in 28 days will take longer than 90. This is just a shitty excuse to get joe public on Tony's side.
If you want an unreadable hard drive, you can forget about blowfish, twofish, MD5, SHA, and every other cryptographic solution. There is only one way to do it and one number to remember: 1.21 gigawatts.
Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90?
Probably, but since encrypted hard drives usually involve a passphrase being converted into a key of suitable length by one-way hash algorithms, why not crack the passphrase instead of the actual key? Even with 256-bit AES (or something like it), a weak passphrase-based key is probably one of the easier ways to go after the data. Of course, if the suspect carries their completely random key around on a USB drive of some sort, that's a different matter.
f439f4af0cd24d0d07144ec2f6853d2f
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
How long does it take the police to figure out that my drive is not corrupted, it just isn't running Windows.
DYWYPI?
Come on, I've seen them decrypt files and hard drives in a matter of minutes on 24. What are the pommy police up to, maybe they need to start watching it for tips.
The United Kingon approaches counter-terrorism as part of a criminal investigation and has to deal with due process of law. Hence the debate over extending detention from 14 days to 90 days.
The United States approaches counter-terrorism as military action and the President signs an executive order that allows for indefinite detainment of suspects.
Fascinating. The UK has much more experience dealing with domestic terrorism -- did they originally overreact as well or are the two circumstances different from the get-go?
So they are attempting to crack encryption of a device that contain copyright'ed material (if this guy saved his email, then anything he wrote should be automatically copyrighted). Isn't this a violation of the DMCA?
I know I'm probably missing some technicality, but it's a fun thought argument.
Hell, with a good hammer it only takes one swing! ... What's everybody looking at me for?
Beware if you come to New Zealand and are arrested over your HDD. The defense of Not Incriminating Yourself no longer applies to electronic encryption and passwords and you will be charged with something like obstructing justice or worse. My understanding is you could end up in prison for twelve months simply by refusing to decrypt your data.
Mmm...I suspect the issue isn't "cracking"; I think the story poster was hinting at this with the last sentence or two. Chances are "crack" is being used liberally to present it using "terms" something Joe Q Legislator and John Z Public can understand. I would bet it is mostly analysis (or as you put it, "sift through".) Chances are serious criminal investigation units already have custom (ie distributed to several systems, nicely wrapped with scripts and such, etc.) cracking solutions akin to L0phtcrack and John The Ripper, set up and ready to go, on some nice hardware- so that if they need to crack a password for someone's Windows account, they can do so, and quickly. Somehow I doubt that it takes them more than 30 days to do so. There is also a considerable amount they can access without any "cracking."
However, nothing trumps the human rights of the suspect. Here in the US, you have to be released within 24 hours of arrest if you are not charged (well, excepting Patriot Act crap.) Often times the police don't have the evidence yet to hold you on a crime. Unfortunately- that's just too bad! Case/workload isn't the burden of the suspect- it's YOUR burden. If YOU can't analyze the hard drive in the time period someone can be legally held...hire more people to do the analysis, or just suck it up.
In which case, maybe it is deliberately misleading. Ie, "We need 90 days to crack encryption" sounds a lot more unavoidable than "we have such a high workload we can't get through looking at the contents of the disk before 90 days." Not to mention, the latter can also imply quite a bit of incompetence (ie, management hasn't scaled hiring/budget to the problem, or management isn't being effective, or they're all taking 2 hour lunches to watch soccer, etc.)
Please help metamoderate.
Seriously, they have the guy for 90 days! It takes alot less to just beat his password out of him.
What's that I hear you say? You can't do that in a free country? Holding a person for 90 days without charging him with anything is a new and interesting definition of the word "free".
"Freedom. You keep using that word. I do not think it means what you think it means"
Ever wonder why Orwell set 1984 in GB? Now you know.
Hold on. Anyone remember the Regulation of Investigatory Powers 2000 Act? Isn't it an offence - punishable by a prison sentence - to not hand over encryption keys? If they need to crack it, they can just tell the suspect to hand over his key(s). If he/she doesn't, he goes down for more than 90 days anyway ...
IIRC it's a crime in Britain to refuse to hand over encryption keys when required by the police. So why don't they just seize the hard drives and ask for the key? If the suspect gives it up, all is well. If he refuses, then the police don't need to hold him without charge for even one day, much less 90, because they now have a charge to pin on him.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Police want the time to take some pressure off themselvs. If they can extend the deadline by 2 and a half months they have more time to get everything done. They don't "need it", but they want it because it's a damn sight easier for them.
Although I'm outright against this and any other attempt to make a police state. If you lock a guy up for 3 months you've pretty much taken his job away from him, maybe his house (if renting) and rumours spread fast, so good luck getting hired againa as a "possible terrorist". The reason the vote was against it is because it would ruin people's lives if this were to be brought upon them.
I like muppets.
If you need complete security from all government agencies (or other parties) you need to combine a strong encryption system like ROT13 with a text-based cyphering system like l33t sp34k. Continued study into lossy 1-bit compression, which effectively reduces and entire file to a single bit, could also be used to thwart the unauthorized individuals from gaining access to your data. Of course, you'd have to accept a little data loss if you chose to compress your encrypted files.
I am currently working on the next-gen encryption system that will handle binary files better than ROT13 (yes, I know it's hard to believe). This new system will use the same encryption concepts on the entire WORD. I call this system ROTl33tn00b, or R0t3n for short. When I have my code (pure VB6) finished I will release it to the community under GNU/GPL.
Not necessarily. If you REALLY wanted to hide something on your hard drive, it'd be cakewalk for anyone really determined. Just get a 256 bit encryption system put on there (nearly impossible to 'brute force' with simple computing power due to the sheer number of possibilities).
On top of that you can hide messages in thousands of different possible files on the computer. It could be anywhere; a driver, a PC save game file, the user name and password for someone MMO account spelt backwards, it could be in plain sight on the desktop except its a code-word phrase that only the (presumably) terrorist knows. And thats on top of the encryption so the code breaking geeks can't even being working on this until the computers are done. Hiding data on a computer these days is a joke for anyone willing to spend the time and effort.
"Brute forcing" encryptions is a thing of the past. Contrary to popular belief, hardware has not necessarily kept up with software, as many high-end computer graphics designers will attest to. (Imagine today's top of the line computers trying to real-time render the orc's attack on Helm's Deep with all the fancy graphics, special AI and fancy camera work all going on at the same time.)
I own the first edition and have read it, as well as several other books.
Plain and Simple, anything that is not going to be handled in under 2 weeks, will not be handled in the next 90 days, or 90 year years. So arguing that you need 90 days to try and decrypt is false. The only thing that could be argued is that the cops do not have the time to process what they have so they need a longer time. Well, if that is the case, than more CPU power is what is needed.
My suggestion to you (most likely IFWM), is that you get a clue and some manners.
I prefer the "u" in honour as it seems to be missing these days.
Just fishing for the amusing title, but in the (pretty large number of) posts I've looked at so far, no one has made the obvious observation that if the "terrorists" are actually concerned about being held some number of days, then they can just increase the level of encryption they use to make sure that it will take longer than that to decrypt their drives. There is no upper limit on the amount of encryption you use. For the police to claim that they need any fixed number of days is totally bogus, and the British police are just making excuses because they want to hold suspects for longer time periods. Heck, if having a HDD is the excuse for being held longer, then all the smart criminals will simply get rid of their computers. Of course that's on the theory that the amount of time the police are holding them has anything to do with whatever criminal action they might be planning.
In conclusion, I would guess that the stupid TV show called "24" must also be shown in Great Britain.
Real life is not like that. Before arresting someone, the police are supposed to already have some concrete and substantive basis for suspecting the person has committed a crime, or even stronger evidence that the person is really in the process of planning to commit a crime. The basis that "We think we'll find something AFTER we decrypt the HDD" is totally bogus. The reality here is they just want to quietly lean on the suspects for a longer time, and saying they need that much time because of HDD encryption is just a cheap--and stupid--excuse.
Having said that, I'm surprised the politicians weren't stupid enough to go along with the gag. That already puts them ahead of most American politicians. Can you try to imagine explaining HDD encryption to Dubya?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Any cipher that can be cracked given "enough computer power", for any practical value of "enough", is broken. Utterly broken, obsolete, not fit for use, an ex-cipher, singing in the choir unusable. DES, for example.
Guessing a passphrase is believable, though. That might take large-but-feasible computer resources. English text has only one point something bits of entropy per character on the usual estimate. Who has a sixty-character passphrase?
If you need time to crack the hard drive YOU FUCKING TAKE THE HARD DRIVE!. Why do you need to hold the person for 90 days when you can simply take his hard drive and hold it for as long as you want.
Because if he knows you'll find something on his hard drive once you decrypt it, he may decide to disappear during the 90 days it takes you to find it, whereas if you can keep in custody until you finish he wont have that opportunity?
If we reach out beyond the UK proper, and look at how the British dealt with insurgents in Kenya, Malaysia, and southern Yemen, they largely went the military route. Worked in the first two, not so much in Yemen.
Luke, help me take this mask off
cat Recording1.mp3 + echo "Password One" + cat Recording2.mp3 + echo "Password Two" + cat Recording3.mp3 | sha1sum | decrypt_my_hard_drive
That's very much like a book cipher. A book cipher can be *very* strong (almost like a one-time cipher) *if* the source text is sufficiently rare (or obscure).
Now, imagine that the police seize my notebook. They see that my hard drive is encrypted and needs a 256-bit key. Where are they going to get the key? Is it simply a password? Is there some sort of key file? Is the key on the notebook? Is it on the SD in my phone? Or the SD in my camera? Or the half-dozen floppies I have in my notebook bag? Or one of the dozen or more CD's that are in my notebook bag? In this case, it's the combination of 3 different MP3's and two passwords. It could have just as easily have come from any number of different pieces of media: a file on a floppy, CD and SD card, plus an arbitrary number of passwords kept *only* in my head.
Or how about selecting three graphics from popular websites? Imagine selecting three common topic icons on Slashdot such as the "Borg Bill", Broken Windows and the privacy binoculars. If you view Slashdot regularly, those files would appear in your cache: no big deal. But use *those* as keys! Just hope someone doesn't update the graphics! :) Even better: you're the webmaster for some website. Of course, you browse that website. Use graphics in your browser's cache from *there*: you know if the graphics will change! And the fact that these graphics are in your cache is perfectly natural. No one has the resources to hash every possible combination of three graphics in your browser's cache, especially with passwords between them.
At that point, I'm not worried about them getting my key without help from somewhere: they're sure not brute-forcing it like a simple passphrase. I'm not worried about them brute-forcing a full-strength modern encryption algorithm. However, there are at least two things about which I *do* need to be worried: 1) Was the encryption algorithm implemented properly, without unintentional weaknesses or even intentional back-doors? 2) Was my key somehow cached somewhere to be found? This area could be the biggest issue: the command line I used is in the history, pieces of the data used to make up my key (or the key itself!!) were swapped to disk at some point and could be used to help reconstruct the key, etc. Even if investigators only knew which files made up my key, that would be *devistating* to my security. Now I'm back to something only slightly more complex than a straightforward password!
Security is not simple. If large and powerful governments can't keep data secure from motivated enemies (and the entire history of the Cold War bears this out), I think that there is near zero chance for individuals to do the same.
Linux IT Consulting and Domino Development in Michigan
Unfortunately, I lost the thumbdrive about a week ago on the way home from work.
Sorry.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
I dunno - Sting might be really good at maths.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I think the most obvious step is for your friendly neighborhood criminals & terrorists to start remotely accessing their systems. Dumb terminals basically. There is no reason the computer can't be in another room, building, etc. Shouldn't a VPN over an encrypted wifi link be secure enough? 54 Mbps might be "slow" compared to normal HD access speeds, but the security gain should outweigh any performance loss. The police can't seize anything that isn't in the dwelling without (generally speaking) seeking additional warrants. Your mileage may vary
[Fuck Beta]
o0t!
Tony Blair: Fezzik, tear his arms off.
lorcha: Oh, you mean this encryption key.
90 days in jail will ruin you financialy (can't go to work, so can't pay bills), so it's in your best interest to give them the passphrase and hire a lawyer while you still are solvent. Plus, they can tell the other inmates that they think you have kiddie porn on your computer and they'll let the inmates do the torturing.
90 days won't give them enough time to crack the key, but it will make you think really hard about giving them the passphrase so they let you go.
This 90 day clause is the only part any one is interested in! I too thought 90 days was a bit much until I heard that EVERY 7 days the suspect is brought before a magistrate and the case for detention is reviewed
It seems that this fine point has been ignored??
I hope you don't really believe that.
Behold France which is currently in upheaval because unsatisfied Muslims are striking out at the national culture which has been keeping them down, nevermind the fact that the Muslims themselves segregate themselves from the rest of society by refusing to conform to the culture into which they immigrated.
Actually, the riots in France are not motivated on religious grounds. The riots are as a result of huge economic disadvantage, exploitation and unemployment in those communities which are rioting. This has come about because of racism and bigotry in France, not because of religion. The majority of the rioters are not even religious.
The Muslims are not rioting. The poor are rioting. Quite a lot of people will try and distract you from this fact, especially in France, where the poor rioting has a long and well documented history of toppling governments.
May the Maths Be with you!
This sounded like one of those "fishing" measures beloved of the UK police whereby they gain a power so vague they can use it to pursue just about anything. Granny not paid her TV licence? Ooh, there might be compromising evidence on a PC in her house.
The notion that terrorists stroll around with all their details encrypted on a laptop PC is completely false anyway. A good terrorist cell would have been trained ruthlessly to avoid such an obvious compromise and organized so that it had no information to retain or pass on anway. What they need to know would be a few fleeting instructions on a job by job basis. The most successful terrorist outfit of modern times, the Irish Republic Army, did not become viciously successful by using computers, FFS. Computers weren't even around for most of its active history. And such evidence as there is suggests that many terrorist operations have been coordinated on the basis of using throw-away mobile phones on a one-off basis.
Las qué passoun
tournoun pas maï
What data? You aren't offering any data; you're just spewing xenophobic garbage. You say historically multicultural societies don't work - what is your definition of such societies? What is the United States? If it is being "invaded" by Mexicans and Hatians, who is being invaded? Native Americans? The descendants of French and British immigrants from the 1600s? The descendants of Irish and Eastern European immigrants of the 1900s? The descendants of "Californios" of the 1800s? The US has its problems no doubt, but I'll take the cultural diversity here over a chauvinistic monoculture any day of the week, even a snooty one with a rich artistic and literary tradition like France.
The other thing wrong with what you're saying is that there is no turning back -- for better or worse, the European countries are not monocultures any more, and they have not been for at least a half century now. Short of a full-scale Fascist revival, how do you expect these countries to return to monoculture? One of the inevitable consequences of increasing globalization of the economy is increased cultural interaction, both in the western countries and in the "third world." Folks need to stop fantasizing about purifying their cultures and deal with the realities. We need to find a way to live together, period.
Everyone seems to be accepting the government's explanation of the motives for wanting 90 days. Seems to me that encryption is simply a convenient cover story - technical enough that 99% of voters won't presume to question it (or even think about it).
My take is that breaking (brainwashing, if you will) someone is a lot easier in 90 days than in 14, especially if you want to avoid any techniques that look too much like torture. Some of us might be able to resist two weeks of all-night questioning, sleep deprivation, and general abuse - but not three months. By then you wouldn't remember who you were, or which way was up. You could even be temporarily exported to Algeria, Egypt, Syria, or some other country that specializes in robust interrogation, and brought back (what was left of you) in time to be charged.
I am sure that there are many other solipsists out there.
This is a common approach to swap encryption on Linux and other Unices lately. What happens is that the encrypted drive is encrypted on every write, and decrypted on every read, at the single-block level. So even if the machine is suddenly powered-off and then the encrypted drive is read on another machine, it's still encrypted. It's more secure than data partition encryption, for sure. BUT, I think even this is probably flawed, unless you have audited the entire OS to make sure it doesn't store data on swap in any sort of predictable way. If you know that the kernel keeps data about the init process in the first block of swap, for instance, then you have a rosetta stone to break the encryption. A more likely example might be that the kernel might write certain patterns to swap frequently: say, a GNOME icon, followed by the data for the file associated with it. Each of these things in turn have certain recognisable patterns in memory or on swap, so that kind of thing would probably significantly reduce the data's secrecy.
No, you cannot decrypt a hard disk in 90 days (assuming the use of strong encryption). If you find you're using Rijndael or Serepent, you're good. However, in the period of 90 days, you're more likely to experience a psychological break due to duress (like torture). Most people could handle 14 days, but not 90. Once you break, you'll be more than happy to hand over your keys.
To clarify the difference of 14 and 90 days in detainment, consider the following. Those detaining have had a couple periods on which to deprive the detainee of food and water to the point of going critical without actually killing you. Once someone become dependent on their captors for essentials like food and water, they become loyal. They have also had the opportunity to deprive the person of sleep for a solid 12 or more days, which can drive most people close to the point of insanity. Also, the textbook technique for "breaking" someone where captors inflict physical pain then "rescue" the person from it requires several iterations. 14 days just simply is not enough to accomplish these things. 90 would suffice.
And let me also point out that this is how the United States government operates these days. It would be reasonable to assume some of our closest allies are engaged in similar activities with "terror suspects".
Join Tor today!
Well... yes, and no. 90 days gives sufficient time for an dedicated attack that should break anything that will be breakable: the human-factors attacks.
- There'll be multiple encrypted files, particularly if they are encrypting their communications (guilty or not guilty). Each one would need 90 days.
Very few of even the most paranoid cypherpunks I know use multiple keys; I don't know any who use more than five. If you crack one file, you've probably figured out the key the suspect uses for at least 20% of the data.
- They'll not know the encryption algorithm in all cases, so would need to try every one. Each one would need 90 days.
Not necessarily. There would be a few leading suspects; generally starting with any crypto software with signs of ever being installed on the hard drive, along with a couple really widely used ones. (GPG/PGP, OS X's FileVault, a couple others). Unless you're dealing with the hacker equivalent of the Unibomber-- a lone genius working in isolation-- you're probably dealing with a widely shared algorithm. Furthermore, while many of the messages can't be decrypted, many standard encryption methods put enough metadata in to allow identifying the algorithm.
- There are HUNDREDS of encryption algorithms that use such large keys that you can't realistically expect to crack the password in 90 years, let alone 90 days.
True. But most people don't use raw keys; memorizing a pair of 600 hexit prime numbers is a bit of a challenge. Most people use a password. Clever ones use a passphrase. And 90 days gives you time for a seriousdictionary attack. Of course, 90 days isn't enough time for breaking the password of a professional paranoid; but the cops are looking for something the suspect could have memorized... which may limit the scope. In 90 days, a high-end single-CPU ought to be able to crack any 8 character password. A phrase dictionary could tie up a few more machines trying for something longer. A search of every piece of paper in the suspects entire apartment might also be fruitful... but I don't think either US or UK powers allow that without SOME other evidence.
And it's still possible to take one and write your own with an even longer key. (The details of which would be secret so they couldn't crack it in the first place anyway).
Actually, this might be what the police are hoping for. Most crypto systems developed by amateurs are "easily" broken by professionals. Of course, by "easily', I mean "in a month or so".
Myself, when I'm feeling paranoid, I use GPG from a bootable CD on a non-networked PC, a 4096 bit keypair with the private key stored on a USB flash drive I carry (two backup copies exist, located... er, hither and yonder), with the passphrase to access the private key being a simple number.
Of course, by "simple", I mean "a prime number 25 base-sixteen hexits long". I estimate a dedicated planet-wide effort might crack it in 100 years... most of which time should be devoted to developing a quantum computer for a direct assault on the RSA algorithm.
//Information does not want to be free; it wants to breed.
Because that's where you keep all the digital photos you took of your wife naked as well as mpegs of your bedroom fun?
Because you have $1,000,000,000 worth of illegal MP3s on here, and it's cheaper to just spend the 90 days in jail then get caught by the RIAA.
Because you're a stubborn jackass and don't think you should need to give away your privacy.
True! One simple method is to use a randomly generated key file, store a few backups where no one will find them, and keep the original on you at all times. (mini-CD) If the cops are on your tail, just break the copy you have with you.
"That's so plausible, I can't believe it!" - Leela