Can AES-256 be broken?

Discussion in 'privacy technology' started by truthseeker, Jun 14, 2008.

Thread Status:
Not open for further replies.
  1. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I came up with an idea that would be as good as using Neo's safekeys.

    Write your login username and password in a text file. Then encrypt that file for safe keeping on your HDD.

    And when you need to access a sensitive website, decrypt your text file and then drag your mouse over the username and copy it, and then use paste into the webform.

    This would avoid the need to use the keyboard and be the same as using Neo's wouldn't it?

    But on second thought, I think there are keyloggers which would read the plain text from the clipboard :p Forget I said anything hehehehe.
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    So you mean:
    Using a password to encrypt the password you use for Keepass, which encrypts your other passwords? :D
    The problem with this is that at some point you would have to type a password, although adding another password layer would help a lot. But I think it's adding unnecessary complexity.

    I think the keepass keyfile in the USB stick is the best way to go.

    (PS: I know you said forget it, sorry :p)
     
  3. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Well I meant that you can type your password into a text file. And whenever you need to enter that on your bank website for example, then you just copy it from the text file and then paste it into the website form, bypassing the actual typing the password on the keyboard, hence, keyloggers cannot log anything because you never typed anything using your keyboard. Does that make sense? :p
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    not much, since the text file can be stolen by anyone with access to your computer.

    Keepass makes a lot more sense. Even if a keylogger finds out your master password, they would also need the actual password database file AND the Key file.
    This way they would have to steal 3 things. If you keep them in separated media (for example: computer, usb stick, head) it's much more difficult.

    In my case, I ONLY have the bank password in keepass. The bank URL and my login name are in my head, so they can go ahead and steal the file if they want. The keepass master password is also only in my head.

    Other than torture me, I don't think they could ever obtain my bank login and password.
    (BTW, I don't even know the actual bank password)

    EDIT: Keepass has also a portable version, so you can decrypt your password database on any computer.
    EDIT2: be sure to have a backup of the keyfile safely stored in case you lose your usb stick.
     
  5. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Then you did not read my initial comments, scroll back, where I said that this text file would be kept on your HDD in an encrypted form. So even if your PC was stolen, the person would need 1 million years of brute force to access your text file.

    Secondly, I am not sure why or how you got so confused with my comments. I am not referring to what you are and you are on a totally different topic to what I was talking about :p

    Suffice to say, the topic was.... what's the best secure way to enter your password into a website's form. And the answer is... Use Neo's SafeKeys, or store the password in a text file, and drag, copy, and paste the text into the website password field, avoiding entering anything using the keyboard which then avoids any keylogger being able to log your keyboard.
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Oh OK.
    Let's see if I get it (it's one of the problems of not being a native English speaker).

    You want to keep the password in an encrypted text file on an external HDD.
    Seems pretty secure, but just remember that if you have a keylogger, they could get the password for that encrypted text file.
    That's why I said Keepass would make more sense, since I see no added value in adding password over password over password when they can be logged. If, for encryption you use a password AND a keyfile (it doesn't matter if you use an encrypted txt or a keepass database), I think that is pretty much invincible.

    Best regards
     
  7. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    The use of a livecd is probably a good idea and should circumvent all but hardware keyloggers. That might be too awkward for normal browsing but you might feel it is worth it for banking details.
     
  8. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    NO they cannot. A Keylogger does not search a person's HDD and then read every bit of text contained in every text file found on the person's HDD. You are wrong.

    Keyloggers read the keyboard entry, not read all the old text files on a person's HDD as you suggest.

    And if they keylogged the password I enter to open that encrypted text file, it wouldn't matter, because they cannot download my whole text file anyway, so that password to open the encrypted file that contains my bank password would be useless to them, because they still wouldn't know my bank password as that password is NEVER typed in using the keyboard.

    So in all due respect, you are dead wrong and your reasoning is not accurate.
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes I know what a keylogger is, I don't need the explanation.

    But, if you are a target (very unlikely I think), and someone wants your info, they could keylog your password and then steal your HDD.
    I know this is pure paranoia, but theoretically it's a (highly UNLIKELY) scenario.

    Anyways, I'm done with this thread. Good luck.
     
  10. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    What to really be concerned with.

    Regardless of the target, it's reasonable to believe that AES-256 is quite sufficient - conservative and then some. I advocate using the AES whenever and wherever comfortably possible. Rijndael's underlying wide trail strategy renders efficient round transformations and allows for provable bounds on the correlation of linear trails and the weight of differential trails. Conservatism and simplicity are abundant in the design decisions behind it, which caters to the confidence that is wrought only of cryptanalysis.

    Truth be told, though, the cryptography that's being used is rarely ever the problem. I can guarantee you with just a hair shy of absolute certainty, that if cryptography falls apart in practice, it's because of an implementation failure - not a cryptographic failure. You can implement the right cryptography the wrong way, or you can implement the wrong cryptography the right way. The former is a programming failure; the latter is a threat model failure. I see both happen quite often, and the overlaps between them, as well.

    The bottom line is, don't worry so much about the cryptography being used; this is almost always the strongest link of any system. Worry about the implementation; this is almost always the bane of cryptography in practice. Regarding 7-Zip, I'm afraid I'm not familiar with how it implements cryptography, but in this past post, I reference works that investigate the security of WinRAR and WinZip; these cryptanalyses demonstrate just how easy it is to end up with insecurity, even when you start out with secure components.

    I'll see what I can find out about the security of 7-Zip.
     
  11. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Re: What to really be concerned with.

    Ok thank you, I look forward to learning what you find out about 7zip.
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    What is an HDD? And so are you saying that a keylogger is incapable of capturing keystrokes by using this method? Screenshots??

    How about typing a password in an area where keyscrambler is active and then copy and paste it?
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The answer to this issue, in my opinion, is to use an encryption product that supports two-factor authentication: (1) a password and (2) an authenticator (e.g., PKCS#11 token). In the absence of physically having the authenticator, the password alone will not allow an individual to decrypt a file.

    All “professional grade” encryption applications (e.g., SecretAgent) support two-factor authentication.
     
  14. kharaa

    kharaa Registered Member

    Joined:
    Apr 20, 2008
    Posts:
    8
    or such as truecrypt's keyfile system.

    I use an extremely lengthy randomized password and about 10 or so files randomly throughout my computer (that I've memorized) to lock my containers
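Added example, not part of the original thread: a sketch of the "password AND key file" idea from the posts above, showing that a keylogged password alone does not unlock anything. This is not KeePass's, TrueCrypt's or SecretAgent's actual format; the function names, the check constant and the work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ROUNDS = 200_000          # constructed work factor for this example
CHECK_LABEL = b"vault-key-check"  # hypothetical constant used to verify a key

def composite_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Derive one key from a typed password plus an optional key file."""
    parts = hashlib.sha256(password.encode()).digest()
    if keyfile is not None:
        # The key file contributes its own hash, so both secrets are needed.
        parts += hashlib.sha256(keyfile).digest()
    pre_key = hashlib.sha256(parts).digest()
    # Slow the derivation down so guessing the typed part stays expensive.
    return hashlib.pbkdf2_hmac("sha256", pre_key, salt, KDF_ROUNDS)

def create_header(password: str, keyfile: Optional[bytes]) -> dict:
    """Store a salt and a check value; neither reveals the key."""
    salt = secrets.token_bytes(16)
    key = composite_key(password, keyfile, salt)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}

def unlock(header: dict, password: str, keyfile: Optional[bytes]) -> Optional[bytes]:
    """Return the key if the supplied factors match, otherwise None."""
    key = composite_key(password, keyfile, header["salt"])
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["check"]) else None

def demo() -> dict:
    keyfile = secrets.token_bytes(32)   # constructed: stands in for a file on a USB stick
    header = create_header("correct horse", keyfile)
    return {
        "password_and_keyfile": unlock(header, "correct horse", keyfile) is not None,
        "keylogged_password_only": unlock(header, "correct horse", None) is not None,
        "keyfile_with_wrong_password": unlock(header, "guess", keyfile) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The key file only adds a second factor while it is stored apart from the machine where the password is typed, which is the separate-media point made earlier in the thread.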
     
  15. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    True, but to the casual reader, this sentence might give the impression that encrypting with WinZip (using AES-128 or AES-256) is faulty. This has not been shown to be the case. To clarify, the issue with the standard “Zip 2.0” encryption is documented in the WinZip Pro 11.2 Help:

     
  16. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    There are advanced keyloggers that also record mouseclicks, screenshots and the clipboard contents. Your idea is not bulletproof by any stretch of the imagination, and you need to learn a lot more about security.
     
  17. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I suggested that solution earlier at post 50. The problem is that the organization trying to authenticate you has to have multifactor authentication setup.

    Many banks are rolling a solution where they send an SMS to your mobile, which is actually quite an elegant solution.
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Isn't that what we are all here to do dantz :p. I think this is a good learning experience though. Design a security and have everyone shoot it down! Then you improve your system, get it shot down again, improve again and so on until people can't figure out how to break it anymore!
     
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977

    HDD = Hard Disc Drive

    In my limited understanding, a keylogger cannot pick up a text that is copied and pasted, for example Neo's SafeKeys. The reason is that nothing is entered into the keyboard. Isn't that right?

    And the initial password would be typed while Ubuntu LiveCD is loaded, hence, no keylogger or keyscrambler can be running.
     
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    If you wanted to access some information on your computer in a truecrypt folder, what if you disconnected from the internet, activated Returnil, opened your file and extracted whatever you needed, then restart the computer? So since Returnil was active and you restarted without being connected to the internet, would that not prevent a software keylogger from getting your info?
     
  21. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    As I mentioned earlier, Windows has APIs that allow the clipboard to be read. Think about it this way. You open Word where your password is. You copy it so that it is in the clipboard. You go to Firefox and paste in your clipboard. Obviously Firefox has access to your clipboard. In fact, any program you choose to copy to has access to your clipboard because you can copy to them. By extension, any keylogger on your computer can read your clipboard.
     
  22. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yes but I thought that Neo's SafeKeys bypasses that.

    According to its website, http://www.aplin.com.au/?page_id=246

    It says:

    You type your password by clicking each button on the keyboard of this application (with your mouse). Your password will appear, letter by letter, in the text box at the bottom of the window (within a “******” password mask). Select the text with your mouse and then drag-drop it onto the password box on your online form. That’s it!

    ADVANTAGES:

    * You don’t use your keyboard (keyloggers cannot record the password)
    * The utility changes width and height each time, as well as its placement on the screen (to fool mouse-loggers, buttons will always be in different positions each time you use the program)
    * Nothing is stored in the clipboard (clipboard loggers cannot save the password).
    * You can use upper-case letters and symbols (such as !@#${}) by pressing the CAP button - no matter how complex your password is, the utility can type it.

    Notice it says, "Nothing is stored in the clipboard (clipboard loggers cannot save the password)."
     
  23. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Two issues

    1) Screenshots/video can be taken of computer so virtual keyboards are completely useless in this respect. Even if it is in a different place and has a different location, as long as you can see it, a screenshot can see it.

    2) Clipboard or not, the program calls on a Windows API to get the keys from the program to your form. If Firefox can call the content from Neo Safekeys, why can't another program call the content as well?
     
  24. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Readers of this thread may be interested in Is AES a Secure Cipher?, an “independent AES security observatory, maintained by Nicolas T. Courtois, cryptologist and code-breaker.”
     
  25. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Wow, I found your message interesting as you have just claimed to be able to defeat Neo Safekeys. Can you please prove your claims and then post them to the makers of Neo Safekeys, and post it on YouTube so we all can see how you defeat it. Thanks. I look forward to seeing you show us.
     