Decryption Challenge. Who is willing to try?

Discussion in 'privacy technology' started by truthseeker, Jul 20, 2008.

Thread Status:
Not open for further replies.
  1. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Hi everyone,

    There has been some talk from certain people that a Winrar encrypted file can be easily decrypted using certain software.

    Well I am putting out a challenge to everyone.

    I created a text file and wrote a word within that text file.

    Can anyone tell me what the word within the text file is?

    Download the encrypted Winrar file from here:

    http://rapidshare.com/files/131216857/encrypted.rar.html

    The first person to tell me the word in the text file, if that is possible, will be known around here as a legend :)
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Want to tell me if the password you used to encrypt it used alphanumerics, uppercase, lowercase, special characters, spaces?
    What about the length?
    Is it a word?
     
  3. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    But that's the whole thing... A person would not know that, and they would need to decrypt the file having no idea about the password at all.

    Can it be done? If so, please show me. I am not certain if Winrar password protected files can be decrypted by someone using special software. I would love to see someone tell me the word inside the text file I uploaded.

    This will be interesting. I will not tell you anything more. Can you break it?
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Here is the deal: passwords have a property called entropy. Entropy is determined basically by the character set and length of password. The more entropy, the more passwords to guess. The more passwords to guess, the more flops (computing cycles) it takes. I have programs that can crack winrar. However, depending on the entropy of the password, it could take 1 minute, or 100 years. If we know the length of the password and the characters used, I can just about tell you how long it would take to crack it on the flops of a single core machine.
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    If your password is short I can crack it very quickly. The longer it is, the more exponentially difficult it will be to crack, by orders of magnitude.
     
  6. reparsed

    reparsed Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    40
    Location:
    Ohio, USA
    Isn't there a difference between actual code breaking and brute force password cracking?
     
  7. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Ok I understand.

    It is a non-dictionary-based password. It contains 17 characters, some numbers and even a space.

    So can someone crack my Winrar files if they got my files somehow?
     
  8. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    So all these Winrar password break programs I see on the internet, all have to use brute force on my winrar files?

    With my 17 character, numbers and space password, would they be able to break it?

    I still have a Winrar file for download if anyone wants to download it and tell me the word that is written inside the text file.

    Anyone?

    http://rapidshare.com/files/131216857/encrypted.rar
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    In truthseeker's challenge, there are no rules :)

     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    17 length, with a pool set of 26+26+10+1, would be ~63^17, or 3.8x10^27.

    Assuming a blind brute-force attack...

    If you could try 200 passwords per second (most machines can do about 20 to 100) it would take 615 million billion years to crack the full keyspace. Now if you harnessed a VIA Padlock crypto engine and it was super magic, it might only take 38 million years. And if you wiped out duplicates and bad entropy combos, you might be able to cut your keyspace down to 30 million years. And if you had it cracking on 10,000 machines in parallel, you could do it in 3000 years. And if you cracked randomly, you could have it in 1500 years with a 64% probability.
     
  11. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yep, that's right :) No rules, all is fair.

    I am so excited and interested to see if someone can tell me the word I typed in the text file.

    I put the challenge out in this forum, because I know the regulars here are some of the best security experts and best when it comes to security issues.

    So if nobody here can tell what the "secret word" is in that Winrar file, then I am very confident that I can keep using Winrar to encrypt my work folders :)
     
  12. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Xerobank, so are you saying that the Winrar encrypted file I uploaded won't be able to be beaten?

    Are you indicating that I can now confidently use Winrar and that password to securely encrypt files in the future?

    So there doesn't exist any "magic" Winrar password breaker that I have heard about that can break anyone's Winrar password, no matter what it is, or how long it is?
     
  13. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Incidentally, your headers are encrypted in addition to the file itself (ouch), but I found a hash collision at o:J for the header CRC, for whatever that means.
     
  14. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    In Winrar, I selected password and "encrypt file names". Is that a good idea to keep doing in the future? Does that encrypt the Winrar file + the filename(s) inside the Winrar?

    And can you please elaborate what you mean when you say, "I found a hash collision at o:J for the header CRC"?
     
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No. Rar uses AES-128. And I am calculating at today's power, and using a brute force attack. The best thing to do would be to attack the cipher for weaknesses. Your password has about 85 to 105 bits of entropy. If a cipher weakness was discovered, it could drop your entropy down to say 42 bits of entropy, which is 50+ orders of magnitude easier to crack, and could maybe be done in less than a year, maybe a few days who knows.

    WARNING: BROAD GENERALIZATIONS AHEAD

    When quantum computers come along in the next few decades, they will be able to crack some algorithms at light speed, rendering all passwords using the cipher completely solvable at instantaneous speed. Now for elliptic curve crypto ciphers, that won't work as fast, but it will still work to some degree.

    The point is use different passwords, use good ciphers, make them long and strong, change them frequently.

    UPDATE:
    NIST says that things encoded with AES-128, using a good password, can be expected to be kept secure past the year 2030.
     
    Last edited: Jul 20, 2008
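The keyspace and entropy arithmetic discussed in posts 4, 10 and 15 above, as an added example that is not part of the original thread. It recomputes the figures from the inputs stated there (a pool of 26+26+10+1 characters, length 17, 200 guesses per second, 10,000 machines); the function names are illustrative, and the password is assumed to be uniformly random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Inputs taken from the thread: 26 lower + 26 upper + 10 digits + space,
# 17 characters. Rates and machine counts are passed in by the caller.
POOL = 26 + 26 + 10 + 1
LENGTH = 17


def keyspace(pool_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random password (upper bound for human-chosen ones)."""
    return length * math.log2(pool_size)


def years_to_exhaust(pool_size, length, guesses_per_sec, machines=1):
    """Years to try every candidate; the expected time to a hit is half this."""
    seconds = keyspace(pool_size, length) / (guesses_per_sec * machines)
    return seconds / SECONDS_PER_YEAR


def max_exhaustible_length(pool_size, guesses_per_sec, machines, budget_years):
    """Longest random password whose whole keyspace fits in the given budget."""
    budget = guesses_per_sec * machines * budget_years * SECONDS_PER_YEAR
    length = 0
    while pool_size ** (length + 1) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    print(f"keyspace           : {keyspace(POOL, LENGTH):.3e} candidates")
    print(f"entropy            : {entropy_bits(POOL, LENGTH):.1f} bits")
    print(f"1 machine, 200/s   : {years_to_exhaust(POOL, LENGTH, 200):.3e} years")
    print(f"10,000 machines    : {years_to_exhaust(POOL, LENGTH, 200, 10_000):.3e} years")
    print("longest length exhausted in 1 year by 10,000 machines:",
          max_exhaustible_length(POOL, 200, 10_000, 1))
```

Each extra character multiplies the work by the pool size, so auditing a password policy with `max_exhaustible_length` shows which lengths fall inside a given attacker budget.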
  16. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Ok thanks XeroBank. I just obtained Winrar recently and a licence from Winrar, and I was not sure if Winrar was good enough to encrypt my work folders and personal files.

    But with your help, I am now confident that if my Laptop was stolen or accessed by the average user, or even an IT and Security Expert, that they would not be able to access my encrypted Winrar files. At least not until 2030 :)

    I thought these so-called "Winrar password breakers" I have seen and heard about had already found some "backdoor weakness" and could open and access any Winrar encrypted file, no matter how long or strong the password was. But now I have learned from you that is not the case and I can confidently use Winrar to encrypt my files.

    Thanks XeroBank for all your help.

    P.S. After the year 2030 or beyond, if you ever learn my "secret word" in that Winrar file, then please let me know ;)
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I wouldn't say it means anything. But collisions can hint at bad crypto implementation, I think. Ask the resident crypto kid.
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Whoa whoa whoa. Pause. Bad conclusion. If your laptop is stolen or confiscated, winrar won't protect anything because the file remnants remain. What? You have the plaintext file. Winrar reads it and creates a new encrypted file. You/winrar delete the old plaintext file. A computer forensics guy can come along and recover the original file.

    Winrar is good for securing if you are sending the file to someone else, but it won't work for local file encryption. For that you need whole disk encryption, or to use a non-windows machine and wipe the slack/cache frequently in addition to RAR.
     
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Who is the local crypto kid?
     
  20. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    When I create a new encrypted Winrar, I tell Winrar to wipe the original files. I then also use Eraser to wipe my trashcan using 7 wipes.

    And I also use Eraser regularly to wipe free HDD space with 3 wipes. And I just installed Truecrypt. Is that good to combat those issues you mentioned?
     
  21. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yep, we have established this, because you are unable to break my Winrar file :)
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Truecrypt was the right answer there. Good luck with it. If you're running truecrypt, you probably don't need to do secure erase/delete because the information is already encrypted when it was deleted. What you need to do now is to make sure you aren't backing anything up to unencrypted space, and that you aren't leaving your system unattended without password, and that you aren't allowing autoplay for USB / CD / DVD, and you have all firewire ports turned off when not in use.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Another possible solution would be to use ShadowDefender and shadow the system while working on private stuff. Then when your files are encrypted commit those. Everything else was written to SD's disk container file, and that is deleted on reboot.

    Someone would have to go to a bit of expense to first recover that file, and then get anything out of it.

    Pete
     
  24. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Nobody has been able to tell me the "secret" word in the Winrar archive so far.

    Is anyone trying to break it open? :)
     
  25. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I don't think so. If malware like a keylogger recorded your password, there's no need to try a brute force attack. And Justin Troutman regularly says that the implementation is much more vulnerable.
     