Here's How Law Enforcement Cracks Your iPhone's Security Code (Video)

The guy whose encryption standard you're praising says AES is the next best thing. Everyone else at that conference agrees. These are not government agents these are crypto geniuses.

Blowfish is fine. AES is fine. Blowfish is potentially more secure in that generating keys is slower over large periods of time. AES is potentially more secure in that it has 4x the block size. This makes blowfish better for small files (Firefox's master password uses this iirc) and AES better for large files.

You do not simply crack encryption, you do not simply build a backdoor into one. These aren't programs the way you're used to thinking of them they're pure math.

If you aren't willing to listen to them who are you willing to listen to?

Sums it up for me.

 

Is it possible to tell what algo was used to encrypt? I didn't think it was, but Slashdot says our favorite TrueCrypt user Daniel Dantas used AES...and we know his data is still secure.

http://yro.slashdot.org/story/10/06/26/1825204/fbi-failed-to-break-encryption-of-hard-drives

PD

 

On a somewhat lighter side...
http://xkcd.com/538/

 

lol very true.

If they know the tool used to encrypt it they can guess. Like if I see a bitlocker partition I can say "Oh, it's 128 or 256AES" but that's it. There might be some other method to tell.

 

There is no way to tell. Unless there is a flaw in the algorithm the data is pseudo-random. All pseudo-random data is just that: pseudo-random data. You can't discern any information from it.

 

That's what I figured. I mean, with bitlocker you know it's AES but I don't see how else you could verify the information. If there's a hidden truecrypt partition it's impossible to tell.

 

The question that crosses my mind at this point is how is cipher hacking performed, considering that you cannot determine what type of encryption is used? How does an attacker determine what approach to use (other than brute forcing the password)? Like for example, faced with an encrypted file, a hacker might treat the file as an AES, only to discover a year later that it was actually DES and he should have approached the issue differently?

Noob here, so if my question doesn't make sense, please tell me why. Thanks.

 

Normally it's a matter of bruteforcing the key and flipping 2^128bits or 2^256 bits depending on the cipher.

If you have cryptographic flaws you can perform hash collisions, which are incredibly limited in what they can do and incredibly rare even in older ciphers like MD5. You have to get two separate pieces of information to hash same thing and then if that information is present in a piece of data you could potentially get the key or some such thing.

If you're present for the actual encryption you can perform side channel attacks. Side channel attacks basically watch the hardware to try to tell what the software is doing. (For this the device has to be turned on and you would need to encrypt it with the same key the same exact way... so yeah. It's more for "stealthy" hacking, like a keylogger sorta deal but way more advanced.)

If you don't know which cypher is being used you don't have a leg to stand on, really. In computer security you always assume that the attacker not only knows the system but that they likely know it better than you do - so that's probably not the best way to do it.

Cracking into encrypted data is hard especially for modern ciphers. That's why tee idea that these ciphers are backdoor'd is a bit silly to me - it doesn't really make sense. You do not simply build back doors or find gaping flaws in modern crypto. I can not stress this enough. Even when flaws are found they are not always practical and this has been true time and time again.

 

ot posts removed

Edit: The on-going discussion about ciphers was split off from this point in the "iPhone Security Code" topic. See it here:

https://www.wilderssecurity.com/showthread.php?t=321583