Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Long to Crack an 'Encrypted' HD?

Posted by Cliff on from the incarcerated-without-indictment dept.

brainburger asks: "In the UK, Tony Blair has recently lost a parliametary vote to allow the police to hold terrorist suspects for 90 days without trial. One of the justifications the police gave for the extension from 14 days to 90 days was that they need the extra 76 days to decrypt the computer hard-drives of suspects. This has been seen by some as the only compelling reason to allow 90 days. The time-limit has been extended to 28 days instead, but Tony Blair insists 90 days is required. Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90? Aside from the not-much-discussed issue that the police can no longer interrogate a suspect after they are charged, I suspect the police meant unencrypted machines. What do you think?"

42 of 733 comments (clear)

  1. Before you answer by denissmith · · Score: 5, Funny

    But remember the requirement - 90 days for the POLICE to crack the encryption- I don't know why they don't just make it 'indefinite detention'.

    --
    I have nothing to hide. So, why are you spying on me?
    1. Re:Before you answer by Anonymous Coward · · Score: 4, Informative

      They don't need to do that. Over here, refusing to reveal an encryption key when required by the Police is an offence in itself.

      RIP Act 2000

    2. Re:Before you answer by DarkEdgeX · · Score: 4, Funny

      I've seen CSI, I know it really only takes a few minutes to decrypt a criminals hard drive.

      --
      All I know about Bush is I had a good job when Clinton was president.
    3. Re:Before you answer by CountBrass · · Score: 5, Interesting
      And the fact that the police aren't up to the job and can't do whatever they need in a timely manner can't possibly be a reason to lock people up without trial for 3 months! WITHOUT TRIAL!

      The police in the UK have far too much power as it is. Of all the democratic countries in the world we're the closest to a police state. Tony Bliar even had police chiefs lobbying on his behalf for this 90 day detention (see many of today's UK newspapers)! Police are not supposed to be involved with politics!

      To give you an idea of the power they already have. I was walking home a couple of months ago. Two policeman pulled over and arrested me. The reason? I was wearing similar clothes to a burglar. Apparently fawn is a very unusual colour for a suit (it was bought from Marks & Spencer so yeah really rare). I was locked up. Because I had been arrested, the police are allowed to search my home WITHOUT A WARRANT! My wife was in the bath, heard a noise and discovered 3 policeman in our hallway. This was the first she'd heard of my arrest.

      I was finally released (and my trousers returned!) when a detective sergeant decided I couldn't possibly have done it. I was, as I had told all the officers I encountered, in a meeting in another town with 10 other people and all of us have security clearance!

      The police have far too many powers already! They should be cut back, not extended.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    4. Re:Before you answer by slavemowgli · · Score: 4, Informative

      No. It should happen like this: you're arrested because you match the description of a burglar or other criminal they're looking for (although whether merely wearing a suit of the same colour should be counted as "matching the description" is debatable, too); you're brought before a judge within 24 hours, who will issue a formal arrest warrant, and you will be given time to consult with your lawyer. Your background will be checked, and *if* there is no easy reason why you must be innocent (such as having attended a conference in another town at the time the crime in question happened!), *then* a search warrant for your home can be issued by a *judge*.

      --
      quidquid latine dictum sit altum videtur.
    5. Re:Before you answer by Nept · · Score: 4, Funny

      Of all the democratic countries in the world we're

      Even in a democratic country, fawn-coloured suits should be illegal.

      --
      "Teachers leave us kids alone ..." - Roger Waters, Pink Floyd
  2. How about Safehouse? by kriston · · Score: 4, Interesting

    I'd love to see how Safehouse from www.pcdynamics.com will do. Encrypt file-based real drive volumes with AES, Twofish, Blowfish, 3DES, and DES.

    Kris

    --

    Kriston

    1. Re:How about Safehouse? by Dr+Caleb · · Score: 4, Insightful

      It's not how long it takes to crack, it's how long it takes to make a copy. Then cracking can be at your lesuire.

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    2. Re:How about Safehouse? by dougmc · · Score: 4, Insightful
      It's not how long it takes to crack, it's how long it takes to make a copy. Then cracking can be at your lesuire.
      Probably an insightful comment, and any single drive can be copied in a few hours. Though the police might have a hard time copying 100+ TB of drives ...

      But really, the problem is that the police don't like to release their suspects before they're sure they're not guilty of something. Even if the drives couldn't be copied without decrypting them first, the police could just take the hardware and release it when they're ready, but release the suspect quickly. But they don't want to do that -- he could be a terrorist! (or he could be totally innocent, but of course police don't make that sort of mistake.)

      Though personally I think the 90 days thing is just a crock. It's also obviously just those pesky civil rights that are keeping law enforcement from turning this world into a paradise without crime, terrorism or software piracy overnight -- or at least that's sometimes how they seem to act.

    3. Re:How about Safehouse? by SteveAyre · · Score: 5, Insightful

      Exactly.
      This time was referring to habeas corpus.

      Basically when Tony Blair came to power it was 7 days. He raised it to 14, now 28 but he still wants 90 days.

      This is the period of time the police are legally allowed to hold you with no evidence whatsoever that you've done anything wrong, just because they suspect you might have. It's a period of time where the police can hold you while look for evidence. Once they find the smallest amount of evidence they can then charge you and then can keep looking for evidence.

      This bill's meant to allow the police to break any encryption so that they would now be able to pick people up they suspect of terrorism and detain them until they've broken every encrypted file on their computer on the off chance that they'll find evidence that way when they can't find any other evidence whatsoever.

      3 entire wasted months of your life dragged away from your job (which probably won't be there when you return) and your family while they break your PGP encrypted emails to your girlfriend on the off chance the two of you are discussing how to blow up parliament.

      As an example: Check this story out. This journalist hadn't actually done anything, and they released him after a day. They did during that time confiscate his computer equipment.
      If this had been raised to 90 days it's entirely possible he'd have been held for 90 days while they decrypted anything they found on his hard drives.

      After the 90 days are up they would still have released him. And they would not even have to explain why he'd been locked up, because he'd never been charged.

      The bill has too major flaws.

      1) There's nothing really to stop the power being abused by police who don't like the look of someone or have a grudge against them, which is exactly what it is designed to prevent. You do require the judges permission keep them for that long, but it's not too hard to create a case of why you suspect someone.

      2) This odd 90 days which the Police told Tony Blair that they can break any encryption in. They can't - it's impossible!
      - There'll be multiple encrypted files, particularly if they are encrypting their communications (guilty or not guilty). Each one would need 90 days.
      - They'll not know the encryption algorithm in all cases, so would need to try every one. Each one would need 90 days.
      - There are HUNDREDS of encryption algorithms that use such large keys that you can't realistically expect to crack the password in 90 years, let alone 90 days. There are a few around that even with all the supercomputers in the world working it won't have tried every key before the universe ends. And it's still possible to take one and write your own with an even longer key. (The details of which would be secret so they couldn't crack it in the first place anyway).

    4. Re:How about Safehouse? by Paul+Jakma · · Score: 4, Insightful

      legally allowed to hold you with no evidence whatsoever that you've done anything wrong, just because they suspect you might have.

      Oh no, even better than that: Just because they suspect you maybe will.

      And this a country which is a part of a coalition trying to "bring democracy" to others.

      --paulj

      --
      I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  3. No more AES by Smarty2120 · · Score: 5, Funny

    I'd better not use AES to encrypt my hard drive or I'd guess they can hold me without charge until the sun burns out.

  4. My take on the subject by ScrewMaster · · Score: 4, Interesting

    is that if cracking encrypted hard disks is really that important, it would be better to simply give police enough computer power to crack the encryption in less time and avoid the civil liberties issues. Of course, giving the police that much computer power will eventually guarantee even more civil liberties issues.

    --
    The higher the technology, the sharper that two-edged sword.
  5. Decrypt ~and~ analyze by jarich · · Score: 4, Insightful

    Just cracking it isn't enough. They have to then sift through gigs of data to look for evidence. And that's ignoring stegnography.

    --
    Agile Artisans
    1. Re:Decrypt ~and~ analyze by needacoolnickname · · Score: 5, Funny

      If they didn't stop to look at all the naked pictures I am sure they could get through it much quicker.

    2. Re:Decrypt ~and~ analyze by BiggerIsBetter · · Score: 5, Insightful

      So you're saying I should make the volume unencrypted so they don't hold me long, but use AES encrpyted data stored stenographically within my porn collection so they can't get at my secrets?

      Why, that might almost work...

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
  6. Are they insane?! by Blymie · · Score: 5, Insightful

    1: Today's terrorism is different because attacks do not have political aims and are designed to cause mass casualties, with no warning, involving suicide bombers

    Retired senior judge Gerald Butler states: "The mere fact a threat is "completely different" is, of itself, no justification for an extension in the detention laws. But it is true we face a new and terrifying threat in this country."

    Not politically motivated?!

    What on earth are these people talking about? Good gried, "GET OUT THE MIDDLE EAST, WEST!" sounds _very_ political to me! "STOP MESSING IN OUR AFFAIRS", sounds political to me!

    These attacks are completely and totally politically motivated.

    The militants in the Middle East, right or wrong, is ABSOLUTELY, COMPLETELY, and TOTALLY in the middle of a political struggle with the West.

    1. Re:Are they insane?! by iamdrscience · · Score: 5, Funny

      No, no, terrorists are just trying to kill us because they're evil, there's no reason they do it, it's just their evil muslim way. Didn't you get the memo?

    2. Re:Are they insane?! by defile · · Score: 5, Insightful

      Not politically motivated?!

      The politician that acknowledges that terrorists are politically motivated would be accepting responsibility for provoking violent retaliation. Much better for their careers if terrorists are portrayed as driven by some kind of insane freedom-hating bloodlust. This way they're more like earthquakes, and who can stop earthquakes? No one.

    3. Re:Are they insane?! by jafac · · Score: 4, Insightful

      That would include bars, clubs, tank-tops, bikinis, beer, wine etc etc. all thing we are free to enjoy.

      Ah yes! All the things the Christian Fundamentalists also want to ban.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    4. Re:Are they insane?! by SacredNaCl · · Score: 4, Insightful

      I don't think you'll find any reasonable person saying to kick them back to Africa and the Mideast. But you will find that there is a strong resentment among reasonable people towards these freeloaders and complainers who have infiltrated the country and are suddenly trying to turn it into something that it has never been. Concessions should not be forthcoming only from the existing populace. The immigrants should also be prepared to adopt some cultural changes if they wish to migrate.

      I think you will find plenty of reasonable people advocating the position that multiculturalism does not work, leads to conflict, and in the case of N. Africans leads to a good deal of crime as well.

      I can fully understand Arabs & Muslims not wanting us in their countries, just as easily as I can understand large number in the US not wanting the invasion of Mexicans & Haitians we have, or people in France not wanting the invasion of Africans they have.

      After people get done shouting "racist", "xenophobe", "blah blah blah" ... and actually sit down and look at the data, then take a look around the world where its been tried, then take a look back at history and see the ruins of civilizations that thought it was a grand way to go... A fair & reasoned arguement can be made upon the facts, historical record, and current trials in quite a few diverse cultures that it weakens the society invaded & often destroys it.

      It isn't a problem if the people coming over are prepared to assimilate into that culture, speak a common language, share basic cultural values. But when you get large numbers that do not share those values, will not assimilate, will not speak a common language - you end up effectively with two disparate peoples trying to share a single state. If it goes on long enough, you usually see two state solutions offered, and its rarely a peaceful transition to that point.

      Given history, I find nothing unreasonable in the arguement that France and French people may be unwilling to continue the current course: to abandon their cities endlessly and watch them turn into the equivalent of Detroit, and to face a civil war down the road which likely splits the state.

        I think the government lacks the backbone to bring real solutions to this problem to the table and will return to appeasement rather quickly, but it is the real issue and not the immediate economic issues. Their only way out of this may well be a very radically different immigration policy, and deporting those who are unwilling & unable to assimilate and become productive members of the society and culture they have.

      The cost for multicultural experiements which don't pan out is quite high indeed.

      --
      Freedom is merely privilege extended unless enjoyed by one and all.
  7. What do I think? by rezza · · Score: 5, Insightful

    I think it's a bullshit excuse, that's what I think. With encryption algorithms, we're talking orders of magnitude, and most algorithms that can't be bruteforced in 28 days will take longer than 90. This is just a shitty excuse to get joe public on Tony's side.

  8. Simple answer by __aamcgs2220 · · Score: 4, Funny

    If you want an unreadable hard drive, you can forget about blowfish, twofish, MD5, SHA, and every other cryptographic solution. There is only one way to do it and one number to remember: 1.21 gigawatts.

    1. Re:Simple answer by numbski · · Score: 4, Funny

      But the only way you could get that kind of power is with a bolt of lightning! Unfortunately, one never knows where or when a bolt of lightning might strike. :\

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

  9. Cracking passphrase-based keys by Rikus · · Score: 5, Insightful

    Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90?

    Probably, but since encrypted hard drives usually involve a passphrase being converted into a key of suitable length by one-way hash algorithms, why not crack the passphrase instead of the actual key? Even with 256-bit AES (or something like it), a weak passphrase-based key is probably one of the easier ways to go after the data. Of course, if the suspect carries their completely random key around on a USB drive of some sort, that's a different matter.

    1. Re:Cracking passphrase-based keys by mhore · · Score: 5, Insightful
      Probably, but since encrypted hard drives usually involve a passphrase being converted into a key of suitable length by one-way hash algorithms, why not crack the passphrase instead of the actual key? Even with 256-bit AES (or something like it), a weak passphrase-based key is probably one of the easier ways to go after the data. Of course, if the suspect carries their completely random key around on a USB drive of some sort, that's a different matter.

      I wish I could mod you up. Very true. This is something I've thought about. Let's say I'm using GPG or something like that. If the Feds come after my files and I've got my secret key lying around on my computer, or even somewhere easy to find, I think it'd be much easier just to crack the passphrase -- because really, there are common things a lot of people do for passwords. Replacing letters by numbers, adding #, !, @, alternating upper-lower case, etc. In the end, for most people, the password is something that is easy to remember, because if it's not, you're either going to have to have a great memory, or write it down somewhere. With this in mind, wouldn't cracking the passphrase be feasible in a smaller amount of time than if it were just brute forced? I honestly don't know -- I'm largely ignorant in that area, but it intrigues me nonetheless.

      (I am aware, for the record, that brute forcing a password of any real length... e.g. even 6 or 7 chars long... requires an extraordinary amount of combinations of letters, numbers, and symbols... but if we can group those combinations into smaller units, don't we reduce the number?)

      Mike.

      --

      Mmmm......sacrelicious.

  10. Better question? by dcapel · · Score: 5, Funny

    How long does it take the police to figure out that my drive is not corrupted, it just isn't running Windows.

    --
    DYWYPI?
  11. They don't need much time at CTU! by weharc · · Score: 5, Funny

    Come on, I've seen them decrypt files and hard drives in a matter of minutes on 24. What are the pommy police up to, maybe they need to start watching it for tips.

    1. Re:They don't need much time at CTU! by iamdrscience · · Score: 4, Funny
      Come on, I've seen them decrypt files and hard drives in a matter of minutes on 24. What are the pommy police up to, maybe they need to start watching it for tips
      Yeah, that technology is only available in America. They don't have that type of tech in the UK, obviously.
  12. I'm amazed at how the UK is handling this by defile · · Score: 5, Interesting

    The United Kingon approaches counter-terrorism as part of a criminal investigation and has to deal with due process of law. Hence the debate over extending detention from 14 days to 90 days.

    The United States approaches counter-terrorism as military action and the President signs an executive order that allows for indefinite detainment of suspects.

    Fascinating. The UK has much more experience dealing with domestic terrorism -- did they originally overreact as well or are the two circumstances different from the get-go?

    1. Re:I'm amazed at how the UK is handling this by defile · · Score: 5, Informative

      Such detention is not allowed in the US.

      In case you're not being sarcastic, you might be shocked to read about Jose Padilla.

    2. Re:I'm amazed at how the UK is handling this by Fulcrum+of+Evil · · Score: 4, Insightful

      In case you're not being sarcastic, you might be shocked to read about Jose Padilla

      You may be shocked to hear that, sometimes, Bush's government (well every government, really) does things that it knows are illegal.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  13. Re:They're welcome to try it by meowsqueak · · Score: 4, Informative

    Beware if you come to New Zealand and are arrested over your HDD. The defense of Not Incriminating Yourself no longer applies to electronic encryption and passwords and you will be charged with something like obstructing justice or worse. My understanding is you could end up in prison for twelve months simply by refusing to decrypt your data.

  14. This sounds like a bogus excuse by Kaemaril · · Score: 5, Informative

    Hold on. Anyone remember the Regulation of Investigatory Powers 2000 Act? Isn't it an offence - punishable by a prison sentence - to not hand over encryption keys? If they need to crack it, they can just tell the suspect to hand over his key(s). If he/she doesn't, he goes down for more than 90 days anyway ...

  15. This is stupid by damiam · · Score: 4, Interesting

    IIRC it's a crime in Britain to refuse to hand over encryption keys when required by the police. So why don't they just seize the hard drives and ask for the key? If the suspect gives it up, all is well. If he refuses, then the police don't need to hold him without charge for even one day, much less 90, because they now have a charge to pin on him.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  16. The longer the better by Turn-X+Alphonse · · Score: 4, Insightful

    Police want the time to take some pressure off themselvs. If they can extend the deadline by 2 and a half months they have more time to get everything done. They don't "need it", but they want it because it's a damn sight easier for them.

    Although I'm outright against this and any other attempt to make a police state. If you lock a guy up for 3 months you've pretty much taken his job away from him, maybe his house (if renting) and rumours spread fast, so good luck getting hired againa as a "possible terrorist". The reason the vote was against it is because it would ruin people's lives if this were to be brought upon them.

    --
    I like muppets.
  17. Combined methods are the best solution by Ingolfke · · Score: 4, Funny

    If you need complete security from all government agencies (or other parties) you need to combine a strong encryption system like ROT13 with a text-based cyphering system like l33t sp34k. Continued study into lossy 1-bit compression, which effectively reduces and entire file to a single bit, could also be used to thwart the unauthorized individuals from gaining access to your data. Of course, you'd have to accept a little data loss if you chose to compress your encrypted files.

    I am currently working on the next-gen encryption system that will handle binary files better than ROT13 (yes, I know it's hard to believe). This new system will use the same encryption concepts on the entire WORD. I call this system ROTl33tn00b, or R0t3n for short. When I have my code (pure VB6) finished I will release it to the community under GNU/GPL.

  18. Computer power by Beryllium+Sphere(tm) · · Score: 4, Insightful

    Any cipher that can be cracked given "enough computer power", for any practical value of "enough", is broken. Utterly broken, obsolete, not fit for use, an ex-cipher, singing in the choir unusable. DES, for example.

    Guessing a passphrase is believable, though. That might take large-but-feasible computer resources. English text has only one point something bits of entropy per character on the usual estimate. Who has a sixty-character passphrase?

  19. Pardon the obvious... by SeaFox · · Score: 4, Insightful

    If you need time to crack the hard drive YOU FUCKING TAKE THE HARD DRIVE!. Why do you need to hold the person for 90 days when you can simply take his hard drive and hold it for as long as you want.

    Because if he knows you'll find something on his hard drive once you decrypt it, he may decide to disappear during the 90 days it takes you to find it, whereas if you can keep in custody until you finish he wont have that opportunity?

    1. Re:Pardon the obvious... by Petrushka · · Score: 4, Funny

      If I had mod points I'd mod you off-topic. That's not a comment on you, it's a comment on what the world is becoming.

  20. The Police... by jd · · Score: 4, Funny

    I dunno - Sting might be really good at maths.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  21. Short Answer: No by Jerk+City+Troll · · Score: 4, Insightful

    No, you cannot decrypt a hard disk in 90 days (assuming the use of strong encryption). If you find you're using Rijndael or Serepent, you're good. However, in the period of 90 days, you're more likely to experience a psychological break due to duress (like torture). Most people could handle 14 days, but not 90. Once you break, you'll be more than happy to hand over your keys.

    To clarify the difference of 14 and 90 days in detainment, consider the following. Those detaining have had a couple periods on which to deprive the detainee of food and water to the point of going critical without actually killing you. Once someone become dependent on their captors for essentials like food and water, they become loyal. They have also had the opportunity to deprive the person of sleep for a solid 12 or more days, which can drive most people close to the point of insanity. Also, the textbook technique for "breaking" someone where captors inflict physical pain then "rescue" the person from it requires several iterations. 14 days just simply is not enough to accomplish these things. 90 would suffice.

    And let me also point out that this is how the United States government operates these days. It would be reasonable to assume some of our closest allies are engaged in similar activities with "terror suspects".

    --
    Join Tor today!