Decryption Challenge. Who is willing to try?

Hi everyone,

There has been some talk from certain people that a Winrar encrypted file can be easily decrypted using certain software.

Well I am putting out a challenge to everyone.

I created a text file and wrote a word within that text file.

Can anyone tell me what the word within the text file is?

Download the encrypted Winrar file from here:

http://rapidshare.com/files/131216857/encrypted.rar.html

The first person to tell me the word in the text file, if that is possible, will be known around here as a legend

 

Want to tell me if the password you used to encrypt it used
alpha numerics, uppercase, lowercase, special characters, spaces?
what about the length?
is it a word?

 

But that's the whole thing.... A person would not know that, and they would need to decrypt the file having no ideas about the password at all.

Can it be done? If so, please show me. I am not certain if Winrar password protected files can be decrypted by someone using special software. I would love to see someone tell me the word inside the text file I uploaded.

This will be interesting. I will not tell you anything more. Can you break it?

 

Here is the deal: passwords have a property called entropy. Entropy is determined basically by the character set and length of password. The more entropy, the more passwords to guess. The more passwords to guess, the more flops (computing cycles) it takes. I have programs that can crack winrar. However, depending on the entropy of the password, it could take 1 minute, or 100 years. If we know the length of the password and the characters used, I can just about tell you how long it would take to crack it on the flops of a single core machine.

 

if your password is short i can crack it very quickly. the longer it is, the more exponentially difficult it will be to crack, by orders of magnitude.

 

Isn't there a difference between actual code breaking and brute force password cracking?

 

Ok I understand.

It is a non dictionary based password. It contains 17 characters, some numbers and even a space.

So can someone crack my Winrar files if they got my files somehow?

 

So all these Winrar password break programs I see on the internet, all have to use brute force on my winrar files?

With my 17 character, numbers and space password, would they be able to break it?

I still have a Winrar file for download if anyone wants to download it and tell me the word that is written inside the text file.

Anyone?

http://rapidshare.com/files/131216857/encrypted.rar

 

In truthseekers challenge, there are no rules

 

17 length, with a pool set of 26+26+10+1, would be ~63^17, or 3.8x10^27.

Assuming a blind brute-force attack...

If you could try 200 passwords per second (most machines can do about 20 to 100) it would take 615 million billion years to crack the full keyspace. Now if you harnessed a VIA Padlock crypto engine and it was super magic, it might only take 38 million years. And if you wiped out duplicates and bad entropy combos, you might be able to cut your keyspace down to 30 million years. And if you had it cracking on 10,000 machines in parallel, you could do it in 3000 years. And if you cracked randomly, you could have it in 1500 years with a 64% probability.

 

Yep thats right No rules, all is fair.

I am so excited and interested to see if someone can tell me the word I typed in the text file.

I put the challenge out in this forum, because I know the regulars here are some of the best security experts and best when it comes to security issues.

So if nobody here can't tell what the "secret word" is in that Winrar file, then I am very confident that I can keep using Winrar to encrypt my work folders

 

Xerobank, so are you saying that the Winrar encryped file I uploaded won't be able to be beaten?

Are you indicting that I can now confidently use Winrar and that password to securely encrypt files in the future?

So there doesn't exist any "magic" Winrar password breaker that I have heard about that can break anyone Winrar password, no matter what it is, or how long it is?

 

Incidentally, your headers are encrypted in addition to the file itself (ouch), but I found a hash collision at o:J for the header CRC, for whatever that means.

 

In Winrar, I selected password and "encrypt file names". Is that a good idea to keep doing in the future? Does that encrypt the Winrar file + the filename(s) inside the Winrar?

And can you please elaborate what you mean when you say, " I found a hash collision at o:J for the header CRC"?

 

No. Rar uses AES-128. And I am calculating at todays power, and using a brute force attack. The best thing to do would be to attack the cipher for weaknesses. Your password has about 85 to 105 bits of entropy. If a cipher weakness was discovered, it could drop your entropy down to say 42 bits of entropy, which is 50+ orders of magnitude easier to crack, and could maybe be done in less than a year, maybe a few days who knows.

WARNING: BROAD GENERALIZATIONS AHEAD

When quantum computers come along in the next few decades, they will be able to crack some algorithms at light speed, rendering all passwords using the cipher completely solvable at instantaneous speed. Now for elliptic curve crypto ciphers, that won't work as fast, but it will still work to some degree.

The point is use different passwords, use good ciphers, make them long and strong, change them frequently.

UPDATE: NIST says that things encoded with AES-128, using a good password, can be expected to be kept secure past the year 2030.

 

Ok thanks XeroBank. I just obtained Winrar recently and a licence from Winrar, and I was not sure if Winrar was good enough to encrypt my work folders and personal files.

But with your help, I am now confident that if my Laptop was stolen or accessed by the average user, or even an IT and Security Expert, that they would not be able to access my encrypted Winrar files. At least not until 2030

I thought these so called "Winrar password breakers" I have seen and heard about has already found some "backdoor weakness" and could open and access any Winrar encrypted file, no matter how long or strong the password was. But now I have learned from you that is not the case and I can confidently use Winrar to encrypt my files.

Thanks XeroBank for all your help.

P.S After the year 2030 or beyond, if you ever learn my "secret word" in that Winrar file, then please let me know

 

I wouldn't say it means anything. But collisions can hint at bad crypto implementation, I think. Ask the resident crypto kid.

 

Whoa whoa whoa. Pause. Bad conclusion. If your laptop is stolen or confiscated, winrar won't protect anything because the file remnants remain. What? You have the plaintext file. Winrar reads it and creates a new encrypted file. You/winrar delete the old plaintext file. A computer forensics guy can come along and recover the original file.

Winrar is good for securing if you are sending the file to someone else, but it won't work for local file encryption. For that you need whole disk encryption, or to use a non-windows machine and wipe the slack/cache frequently in addition to RAR.

 

who is the local crypto kid?

 

When I create a new encrypted Winrar, I tell Winrar to wipe the original files. I then also use Eraser to wipe my trashcan using 7 wipes.

And I also use Eraser regularly to wipe free HDD space with 3 wipes. And I just installed Truecrypt. Is that good to combat those issues you mentioned?

 

Yep, we have established this, because you are unable to break my Winrar file

 

Truecrypt was the right answer there. Good luck with it. If you're running truecrypt, you probably don't need to do secure erase/delete because the information is already encrypted when it was deleted. What you need to do now, is to make sure you aren't backing anything up to unencrypted space, and that you aren't leaving your system unattended without password, and that you aren't allowing autoplay for usb / cd /dvd, and you have all firewire ports turned off when not in use.

 

Nobody has been able to tell me the "secret" word in the Winrar archive so far.

Is anyone trying to break it open?

 

Hi

I don't think so. If malware like a keylogger recorded your password, there's no need to try a brute force attack. And Justin Troutman regularly says that the implementation is much more vulnerable.