FBI Failed To Break Encryption of Hard Drives
benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).
is waterboarding next to get the info?
...both the Brazilian police and the FBI tried dictionary attacks against it
They should have used a Portuguese dictionary not an English one! Geeze! Folks are soooooo US centric!
RIP America
July 4, 1776 - September 11, 2001
Just because you're paranoid does NOT mean that no one's out to get you.
And you KNOW the government is out to get you.
Could take a while.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
They should publish it as a DVD and within hours they'll be able to download the unencrypted file from a torrent! :o)
I thought this was not just a sound idea but a law.
Great stuff though, but expect some new laws by government that make it illegal not to provide your password/keys to the government upon a court order and if you don't provide it, expect an assumption of guilt and some extra punishment. I am not saying it's right, just saying that's probably going to be one of the outcomes of this.
Of course the problem is that they got the drives physically (not that I am necessarily on the side of an allegedly corrupt banker, but I am not automatically assuming he is guilty of anything either.) Here is a good application for the 'cloud' (yikes) - keep your encrypted data so that nobody can even know it exists in the first place.
You can't handle the truth.
http://xkcd.com/538/
No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential. The NSA is a double-edged sword - they help with useful security tools such as SELinux as well as their traditional spook espionage. The NSA can't crack AES even with a supercomputer (right now, and only if the user has a decent password and/or 2-factor authentication).
*offers b4upoo a roll of tinfoil and a bag containing 26 scrabble tiles*
Other agencies such as NSA can probably crack that encryption with ease if not instantaneously
Stop believing in spy movies.
The law of gravity. The feds hang you by your feet out a 5th floor window till you talk......
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
Presumably, they're looking for evidence, and based upon the effort they're going to, I suspect that they might not have a case without whatever is on the disks. Assuming that there's something on there that incriminates him. Which is why the 5th amendment protects the key.
This says plainly that if you encrypt your info with the right, cheaply available technology, not even the FBI could get it, no matter what it is, or who you are. How much time now till some law criminalizing the use of encryption gets approved?
Not without violating the 5th amendment. If you can get the key via keylogger or malware it's fair game, otherwise they have to willingly provide it or you've got to crack it. But the constitution as it stands, does not allow the authorities to compel a suspect to produce the files.
... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.
The government has a vested interest in appearing a lot more competent or advanced than they are. Then I look at the Gulf Oil Spill and know otherwise.
If the NSA could have unlocked it for them, I believe the FBI would have been there in a split second. They probably already asked.
Gotta ask, does AES have a backdoor that they can go "compel" an organization to give them the keys to? Seems like shaky ground to secure data on, but the article mentions it.
No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential.
That only matters if the implementation used doesn't have any important flaws. And a password wasn't stored anywhere by accident or 'overlooked mechanism' (caches etc). And the chosen keylength was enough to make brute-force attack unfeasible. And nobody else has/leaks password.
They don't have to crack a tried & tested algorithm, they only have to find the weakest link. Surely there's many links, most of those weaker than the algorithm itself.
Hard drive encryption has nothing to do with public-key encryption, much less public-key encryption using smallish keys (by today's standards, 1024 is practically insecure).
Symmetric encryption key sizes are not comparable to public key encryption key sizes. 128-bit AES keys are unbreakable today, and 256-bit keys are just healthy overkill.
You never want to wait longer than the heat-death of the universe, and most of the time the length of a human lifetime is sufficient. Anything longer than that counts as never.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
If we can crack 128 bit encryption then AES 256 should be easily breakable, http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html there are several attacks on the flawed key schedule that reduce the search space to something like 2^110.5 instead of the 256 bits that AES 256 implies. (This means that AES 128 is actually more secure in this regard, at least as currently understood.)
Actually, this would not be unprecedented. I have heard of stories where the FBI sent macs and linux machines to CSIS (Canada's spy agency) because the FBI guys only knew how to crack into windows machines.
Jesus was a compassionate social conservative who called individuals to sin no more.
Agree. If they have the capability they're not going to reveal this for a relatively uninteresting financial crime. There is some question regarding the NSA and one of the standards to generate random numbers: http://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
It could even be that the NSA was asked first and failed, then they sent it to the FBI.
Daniel Dantas was involved in many shady operations, including one when the MCI company, which has used some funny accounting, bought Brazilian Embratel.
It was the Brazilian federal government which asked the US government for help in cracking that encryption. International cooperation among different countries' law enforcement agencies often happens in crimes involving international money laundering, so probably the US State Department went to some effort to find which agency was the most likely to decrypt those disks.
If the passphrase has more than 256 bits, brute-forcing it is less efficient by a fair margin than direct guessing. On the practical side, passphrase guessing likely becomes very expensive for something like 50+ bits of entropy with a good key-setup. Keep in mind that the key-setup may make you work for, e.g., 1 sec of CPU time per guess. With 50 bits, that is (assuming an EC2 small unit for simplicity) around 25 billion USD for the crack. For every 10 additional bits, add a factor of 1000. With this money, you can build special-purpose hardware, but incidentally, that is likely only going to be faster but not cheaper.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Not never. Given enough time and CPU cycles, anything stored locally can be cracked. It's just a matter of how long you want to wait.
Wrong. There is a finite amount of matter and energy (and hence computing power) in the universe. With AES 256 these limits are already very close and possibly exceeded.
If the key is also stored on the drive, protected only by a password, it isn't merely "not crazy to think that the NSA could have this capability" it is "crazy to think that random script-kiddies do not have this capability".
Most people pick lousy passwords. Brute-forcing them is restricted only by the speed of your hardware(and password-guessing is one of those conveniently parallel problems that scales with almost perfect linearity across however many nodes you want to throw at it).
Either this guy is way above average when it comes to picking good passwords, or the key was, in fact, stored separately and never located, or (tinfoil hat) they actually cracked his password three years ago, didn't find enough evidence to build a case, and would rather "admit defeat", and encourage other malefactors to trust in their encryption, than just admit that they don't have a case....
And yet, the Government of the US, led by the President of the US, fought a battle all the way to the Supreme Court of the US, arguing that they had the right to detain US citizens indefinitely without recourse to the courts simply because they called the citizen a name - "Terrorist" and "enemy combatant".
And the courts of the US haven't yet issued a ruling that this is against our precious constitution. Nor has our president, running on a platform of change, spoken out against this travesty:
http://en.wikipedia.org/wiki/Jos%C3%A9_Padilla_(prisoner)
http://www.foxnews.com/story/0,2933,506265,00.html
So, if a Police official steps up to you, and says "I think you are a Terrorist and an Enemy Combatant; please give me your encryption keys to prove your innocence", your refusal means indefinite detention in a military detention facility, subject to military interrogation methods which include those which we ourselves have called war crimes:
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/02/AR2007110201170.html
A piece of paper protects no rights.
And the worms ate into his brain.
It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume.
The AES encryption has been public for a long time, and nobody has found anything that would allow anyone to crack it with any computer out there today. The NSA has more stuff available and they still allow Top-Secret material to be protected with AES-256 (it has FIPS compliance); I doubt the NSA would do that if they thought there was any chance that AES could be cracked.
The XKCD for that
I don't believe in time. It's a grand conspiracy designed to sell watches.
If the NSA could have unlocked it for them, I believe the FBI would have been there in a split second. They probably already asked.
You must remember that the NSA is in the national security business. Revealing that AES can be broken would be beyond huge, it'd be bigger than the breaking of the Enigma codes during WWII. It'd also destroy the value, because afterwards everyone would migrate to something else. So even if NSA has that capability it'd be Top Secret and not revealed just to catch this guy. It's something they'd use in secret for signals intelligence and only reveal if it was absolutely necessary in defense of the United States.
Gotta ask, does AES have a backdoors that they can go "compell" an organization to give them the keys to it?
AES itself? No. Any particular encryption software? Possibly, but as TrueCrypt is open source that's unlikely. Same with the full disk encryption in Linux. As pure brute force, there's not enough energy in the sun to break a 256-bit encryption. But there can always be some kind of algorithmic attack. I think for AES256 there was an attack lowering the strength to about AES128 strength. Still plenty strong, but you can't know if there's a better one.
Live today, because you never know what tomorrow brings
One of the great features of TrueCrypt is the whole alternate partition/segment idea. One password gives access to real data, while another (a duress password) would give some other access to an alternate segment. Put some benign documents in the alternate partition, and then under threat of waterboarding, hand out the duress password. Assuming this all works, they find nothing, you go home.
Granted, I'm not encouraging this idea for criminal activity, but rather for truly sensitive data that shouldn't fall into the wrong hands.
$ man woman *
-bash:
A password based on a phrase where you substitute 3-4 letters for a few special characters and insert 1-4 extra characters into the middle of a word so as to mess with the length would be about as hard to break as the AES key itself. This would be an easy to remember password that would only take a few seconds to type and would render dictionary attacks useless.
"a large distributed attack should be able to 'crack' it with much less difficulty than reversing the AES itself"
Of course brute forcing a 256-bit key could take 1,000,000,000,000 computers that could do 1,000,000,000,000 AES comparisons per second (aka about 32,768 cores at 3 GHz) about 1.8e+42 millennia. So, by "much less", you mean to reduce the effectiveness to 1/10^42 (0.00000000000000000000000000000000000000001%) would only take those 1 trillion 32k-core 3 GHz supercomputers 1000 years to break.
Assuming this person used a semi-decent password, the only way to get around this would be torture, the key got cached/written down, bugging his keyboard, or general luck.
Fun fact told to me by a PhD in encryption: a 256-bit symmetric algorithm that has no workaround (AES has flaws that reduce its effectiveness), using computers so efficient that it takes the theoretically smallest amount of energy to flip a bit, would on average consume most of the energy in the known universe to break a single key. (Think of consuming all the stars in the Milky Way galaxy as just a start.)
"It is not crazy to think that the NSA could have this capability." I would say overly optimistic.
The FBI has not solved the P=NP problem, either
Or implemented practical cold fusion
Or developed a practical AIDS vaccine
Or found the cure to cancer
Or solved world hunger
Or stopped the oil spill
They failed to do all these things.
I don't see what gives you that impression. I'm merely pointing out that, with TrueCrypt (or any conceptually similar system), there are two things needed to obtain the actual decryption key and decrypt the volume: the password, and the keyfile.
The most secure configuration involves storing the keyfile separately from the encrypted volume (on a smartcard, USB drive, etc.). For reasons of convenience, though, TrueCrypt (and, again, most of the conceptually similar systems) support storing the keyfile in the same location as the encrypted material, which is much less of a pain because you only need a password for access, don't have to carry a separate device, and so forth.
If this guy used the system properly, his volumes will be secure. Guessing a 1MB (in the case of TrueCrypt) random keyfile, or breaking the encryption, will be functionally impossible.
If he went with the convenient setup, then the feds have both his encrypted volumes and his keyfiles. They only lack his password. Guessing passwords is, barring extraordinarily good ones, many orders of magnitude easier than guessing encryption keys, and is frequently within easy reach of brute force attack.
It's fairly easy to create a good, strong password for the really important stuff. I usually suggest the following:
1. Pick a phrase, any phrase "maryhadalittlelamb"
2. Add three "typos" with digit, capital and special character "marXyhadali6ttlel!amb"
3. Remember the typos as part of the words: "marXy" "li6ttle" "l!amb"
It'll never match a dictionary attack. It's too long with too large a character set to be brute forced, close to 128 bits. A hybrid attack possibly might, but even if you know the phrase in 1. and exactly the method I told you, guessing both the position and character will take about 21*20*19 * 10 (0-9) * 26 (A-Z) * 30 (the easy special chars) = 60 million permutations per phrase, and in reality you won't know the phrase or whether I did something slightly different, like adding two digits.
The most general fault people make is too short passwords, because they get annoyed by typos and because many systems don't handle more than 8 characters. That's too little if the attacker can run the password cracker locally, it's only good as network passwords where first off the network slows you down and second you can have slowdowns and lock-outs in place.
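The arithmetic behind three estimates in this thread (the "three typos" phrase scheme just above, the key-setup cost model in the earlier passphrase comment, and the 256-bit brute-force figure), as an added example that is not from the original thread. The $0.08 per CPU-hour rate is a constructed assumption standing in for the "EC2 small" instance the poster had in mind.

```python
import math

# Added example (not from the original thread): cost-of-guessing arithmetic
# for the posters' estimates. All parameters are restated as arguments so the
# same model can be rerun for other phrase lengths, work factors or budgets.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def typo_scheme_candidates(phrase_len, digits=10, capitals=26, specials=30):
    """Search space for one KNOWN phrase under the 'three typos' scheme.

    Each insertion lengthens the phrase by one, so the three insertion slots
    number (len+1)*(len+2)*(len+3); one digit, one capital and one special
    character are then chosen. For an 18-char phrase this is the poster's
    21*20*19 * 10 * 26 * 30.
    """
    slots = (phrase_len + 1) * (phrase_len + 2) * (phrase_len + 3)
    return slots * digits * capitals * specials


def entropy_bits(candidates):
    """Bits of entropy equivalent to picking uniformly among `candidates`."""
    return math.log2(candidates)


def guessing_cost_usd(bits, seconds_per_guess, usd_per_cpu_hour):
    """Worst-case cost to exhaust 2**bits guesses when the key setup (KDF)
    makes every guess cost `seconds_per_guess` of CPU time."""
    cpu_hours = 2.0 ** bits * seconds_per_guess / 3600
    return cpu_hours * usd_per_cpu_hour


def expected_brute_force_millennia(bits, guesses_per_second):
    """Expected time (half the keyspace on average) to find a uniform key."""
    seconds = 2.0 ** (bits - 1) / guesses_per_second
    return seconds / SECONDS_PER_YEAR / 1000


if __name__ == "__main__":
    n = typo_scheme_candidates(len("maryhadalittlelamb"))
    print(f"typo scheme, phrase known: {n:,} candidates = {entropy_bits(n):.1f} bits")
    # ~50 bits of entropy, 1 s of key setup per guess, constructed $0.08/CPU-hour
    print(f"50-bit passphrase, 1 s/guess: ${guessing_cost_usd(50, 1.0, 0.08):,.0f}")
    print(f"60-bit passphrase, 1 s/guess: ${guessing_cost_usd(60, 1.0, 0.08):,.0f}")
    # 1e12 machines x 1e12 AES trials per second, as in the thread
    print(f"AES-256 brute force: {expected_brute_force_millennia(256, 1e24):.2e} millennia")
```

The first figure is the useful one for a defender: once the phrase itself is known or guessable, the scheme adds only about 26 bits, so the passphrase's strength rests on the phrase, not on the typos.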
Which is, again, why we'll probably just keep someone awake for 3 days while we scream at them and hit them under the arms with a phonebook until they talk.
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
So exactly how often does a government agency admit to failure at an issue this big? I'm reading this as "FBI just managed to break TrueCrypt so we hope all you people use it."
Can I light a sig?
Immunity means "Immunity against prosecution." So this is not the sort of thing they can use against someone. They can't say "You are immune from prosecution, now testify about your crimes. Ok, you testified, now we are going to charge you with those crimes." The person was given immunity from prosecution, can't prosecute them for those crimes.
The point of immunity is securing someone's testimony against another party. So let's say you and I had committed some crimes together. However your part was pretty minor, you'd done little things and you weren't the guy planning things. The prosecutors decide I'm the one they really want, you are just a petty crook they don't care about. However, you won't testify against me, not because you are scared of me but because in doing so you'd admit to your own crimes. They say "Ok we'll grant you immunity. Any crimes you testify about committing, you can't be prosecuted for." You then go and testify to all the stuff I've done. I go to jail, you do not.
Immunity isn't some magic way to make the 5th amendment disappear. What it does is protect someone's 5th amendment rights, while allowing them to testify. The 5th amendment says you can't be made to testify against yourself. So, if you are immune from being prosecuted there is no violation of your rights. Your testimony is not being used against you.
For the same reason they can't say "Ahhh! We had our fingers crossed! Deal doesn't count!" In that case your lawyer would argue to have your testimony, and any evidence as a result of it, suppressed. You only testified because you believed it could not be used against you, and there is a written deal to that effect. If they revoke the deal, then that violates your rights. A judge would then suppress the testimony, and all evidence that comes from it (US courts use a "poisoned fruit" idea that evidence that comes from a violation of rights itself cannot be used). Your lawyer then has the court dismiss the case due to lack of evidence.
You might notice that there are more than a few paranoid people on this site. They are convinced that the government is extremely evil, oppressive, and thus obviously extremely capable of doing amazing things that nobody else can. So the government can crack all encryption (even though the best research shows that isn't possible), the government can recover data from any hard drive unless you Gutmann wipe it (even though the best research shows a single overwrite screws over any recovery on EPRML drives). They believe the government is so amazingly competent and evil that they can organize thousands of people to plant explosives in the WTC and just make it LOOK like planes brought it down, and keep all that hushed up, and so on.
They believe that AES is "obviously" crackable simply because the public has it. They need no more evidence than that. It is paranoia, not facts, that they operate on.
Personally, I find it highly likely the government can't crack AES. They use it for classified data, it was designed to help secure our nation's financial system against foreign attack (one of the NSA's missions, they aren't only signals intelligence). It is probably the most analyzed crypto system in history, and nobody anywhere has found a major weakness. I'm going to cast in on the "it's secure" side of things.
Or the obvious, if it was known to be easily breakable, the US Government standard for encryption of Top Secret information would be something other than AES. But no, AES _is_ the standard for Top Secret information encryption.
If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.
It has no lasting physical damage. And we already do waterboard our own military personnel to instruct them on what they might face if they were captured. Also the people that use it as a technique are required to also have it done to themselves in order to understand the physical and psychological effects it has.
So yeah, I'd be willing to be waterboarded. And like all techniques meant to momentarily weaken your resolve rather than actually hurt you, no I don't consider it torture.
Physical torture no, but it does qualify as psychological torture with potentially long lasting effects. Just check the citations in the wikipedia article http://en.wikipedia.org/wiki/Waterboarding. As such, it's a violation of the Geneva Convention (which the US govt claimed didn't apply). Go get a video of you being waterboarded and we might take you seriously.
I need to know what the Portuguese word is for 'PASSWORD'
FragHARD or don't frag at all
Gotta love it. TrueCrypt used intelligently is impervious to dictionary attacks. The trick is keyfiles, which can be used together with garden-variety "weak" passwords. It also has hidden volumes, which have a couple of annoying gotchas, which provide "plausible deniability" (it says here). One nice trick with keyfiles is to use steganography to embed a significant blob of /dev/urandom output into a photograph, which then hides in plain sight along with hundreds or even thousands of other similar photographs (this circumvents keystroke loggers) -- or on a thumb drive or CD-ROM. Shred the CD-ROM (or smash the thumb drive with a hammer, etc.), and TrueCrypt volumes become indecipherable, because the actual key is literally unknown (and unmemorizable by ordinary human brains). Assuming the banker gets his drives back (or his backup!), and recovers his copy of the CD-ROM bearing the keyfile from his friend in Freeport who thinks it's a bootleg Grateful Dead concert, TrueCrypt brings it all back like Lazarus. The Linux version uses an optional cascade of three keys (AES 256, Serpent and Twofish) and the (optional, but recommended) Whirlpool hash algorithm. Steganography is not part of TrueCrypt in any version I know.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Right, but even if in the applicable jurisdiction you are required to give them the key, you have now complied with the agreement. Nobody can prove you haven't. Assuming you are in a civilized country that's already sufficient to protect your data. It doesn't work in othe