How solid is cascading cipher - Truecrypt.

Guys,

I lost a USB stick, with some important data (financials, numbers, etc.). I had created a Truecrypt container with a cascading triple cipher (one of the options, can't remember exactly which ones) and a 18 char long password with letters, numbers and symbols (no upper caps).

I've a backup elsewhere, just the nuiscance of having it (the data) out of my sight for a couple of days.

How about it? Crackable?

 

Well, you're probably quite ok.

Did you create a volume or encrypt the entire device? If the answer is 1) did you use a nonsense name for the container, something like picture.jpg or did you call it my-secret-docs? If the answer is 2) you're good. A lucky finder will think the device is simply unformatted, format it and use it.

Mrk

 

Meh. I named it 'Container'. I know, unimaginative.

It does have some MP3's and other stuff. So I'm thinking that if it's found they'll take the music, and delete everything else.

 

LOL I don't care if they know its a TC container, you said you used a

"18 char long password with letters, numbers and symbols (no upper caps)."

You defiantly don't have anything to worry about!

now their was some talk that Truecrypt v6 shouldn't be trusted, if this was true, only the Government could open your container anyways, but probably wouldn't bother unless it had to do with National security, like your a terrorist or something! so as to keep their secret a secret!

 

Double checking! LOL!

In every online 'password check' service I've been it shows that it is a 'strong' password.

 

Heh, 'Strong' is relative.

I was using the same style of passowrds as I've been changing all my online passwords lately. This style has shown up as 'Moderate' to 'Strong' depending on site in quesiton. I think those little indicators are kind of 'feel good fluff' anyways. If you have a strong password you know it. If you don't know, it probably isn't.

But I'll agree, its very unlikely that someone will gain access, unless it wasn't lost as much as purposefully taken.. in which case they may have secured the password already. But then we're going from chance to espionage/intentional theft.

 

Well, at least is strong enough to disuade any casual cracking.

 

So how would a pottential attacker would go about cracking a TrueCrypt container? I mean, decryption is performed on the fly. There's no hash present. The attacker does not know the length and/or complexity of the passphrase. Brute forcing the container will take him probably forever...

Wow. And to think that it is an Open Source product. Heck, I'll go over there and make a donation. Worth every penny.

 

The best time/effort trade-off would probably be either a keylogger to capture your password or just plain stealing your keys from memory, I'd say. With some background research, though, an adversary could potentially narrow the field of potential passwords enough to make a brute-force attack conceivable.

You'd really have to have something worthwhile in there for someone to go to that much effort, though! None of the methods above [save perhaps keylogging] are exactly a walk in the park for your casual cracker.

 

Precisely. It would be very hard to get the keys from memory once the container is dismounted.

 

It's completely safe. It would have been completely safe with any one of the single cyphers. You don't need to cascade them. AFAIK nobody has come close to cracking a 256bit AES or Blowfish key.

Brute force is the only way and 18 characters is pretty strong. Clearly a simple dictionary attack would fail so surely then they are reduced to trying every combination of the usual keyboard characters. I make that 26 letters x 2. Numbers 1-0 x 2 plus a few spare characters (12x 2). All that is 96 characters. So thats 96^18 which is MASSIVE number of combinations.

Even assuming they get lucky and hit it 50% of the way into the search or narrow it down a lot, there is no way anyone without a cluster of supercomputers and their own electric substation is going to crack that.

Or have I got that wrong?

 

Someone has recently shown the power of using NVIDIA's CUDA for cracking passwords much faster... but all-in-all you got it pretty right.

 

Sounds interesting - do you have any particular links worth reading?

It would need to be pretty fast if it's just brute forcing.

Even at a billion combinations a second i make that 479603335372621236652373132 seconds which is 15198037203389875067 years!