hack truecrypt,how much time does it need?

Discussion in 'privacy technology' started by mantra, Mar 4, 2010.

Thread Status:
Not open for further replies.
  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,148
    Hi

    i have a question about truecrypt
    i know it's an open source , there are not backdoors

    but i'm thinking about how much time does a hacker need to find the password(crak/hack) of a truecrypt container?

    i know a password could be weak or strong

    i 'm thinking about a medium password

    thanks

    it's a technical question , i don't want to hack my truecrypt container:)
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Re: hack truecryt,how much time does it need?

    It really depends on the hardware you have at your disposal to attempt such a hack... That is if you want to try a brute force approach.
     
  3. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,148
    Re: hack truecryt,how much time does it need?

    thanks
    so is possibile to decrypt for an hacker a file/container encryped?
     
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Re: hack truecryt,how much time does it need?

    Of course, it's just a matter of writing a program that tries a list of passwords against a TC container.
     
  5. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Re: hack truecryt,how much time does it need?

    See https://www.wilderssecurity.com/showthread.php?p=1633727#post1633727 FWIW

    It might be useful if someone could characterize the strongest "type" of TrueCrypt password -- in terms of length and character set -- that can currently be brute forced by an adversary using all existing machines in a decade or so. Better yet would be estimates of time required vs password complexity and computing resources.

    Is it possible to use a password that Deep Thought couldn't brute force o_O
     
    Last edited: Mar 4, 2010
  6. Dreamwalker

    Dreamwalker Registered Member

    Joined:
    Apr 5, 2009
    Posts:
    2
  7. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Re: hack truecryt,how much time does it need?

    Thanks, Dreamwalker.
     
  8. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,148
    Re: hack truecryt,how much time does it need?

    http://www.lockdown.co.uk/?pg=combi&s=articles#classF

    thanks!


    the more complex password needs 83 Days need to be cracked
    truecypt does encrypt files , but only make container
    i'm thinking what could happen if i encrypt sever time the same file
    for example myfile.doc -> encrypted 4 times with 4 different password ?
     
    Last edited: Mar 5, 2010
  9. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Re: hack truecryt,how much time does it need?

    Using the formula POWER(Charset,Len) and assuming success at 50%, I've estimated how long Distributed.net's Project Bovine RC5-64 (7.6E+10 passwords/sec, according to http://www.lockdown.co.uk/?pg=combi&s=articles) would take to recover passwords of various complexity.

    http://img26.imageshack.us/img26/1452/passwordguessing.jpg

    Times are expressed in the following units, as appropriate ...

    seconds
    days
    years
    centuries
    age of Homo sapiens (ca. 2E+05 yr)
    age of Mammalia (ca. 2E+08 yr)
    age of the Universe (ca. 1.4E+10 yr)

    Are those results reasonable?
     
  10. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Re: hack truecryt,how much time does it need?

    FYI -- These approaches to estimating the protection provided by a passphrase assume that the passphrase is literally a random string of letters, numbers, and/or symbols. If you don’t actually use a random number generator to create the passphrase, then (1) the frequency of characters will mirror their distribution in natural language (e.g., “a” is considerably more common than “q”); and (2) it will contain sequential dependencies among the characters. Both effects may (greatly) reduce the effectiveness of the passphrase.

    P.S.: Humans are notoriously incapable of creating high-quality random numbers/strings, despite our perception that we can easily do so.
     
  11. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Re: hack truecryt,how much time does it need?

    Using 10,000 of the world's most powerful supercomputers working in tandem, brute force attack on my TC password, would take around 1 billion years.

    Use this website, select all characters Include Punctuation, and 64 chars in length.

    http://www.pctools.com/guides/password/
     
  12. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    TheMozart, if you have committed to memory a truly random string of 64 letters/numbers/symbols for your passphrase, then your cognitive facilities are impressive, indeed!

    Personally, I have no hope of remembering a passphrase like yours, such as:
    cR6pheze2ayuNA7uweWaq5K8zu4wuPra3rAmUvAmaB7stepREZeCr7xex3PAphe9​
    :)
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    You don't need to, just the last few. Example retrieve your long pass and tag on the end the part you remember.
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Re: hack truecryt,how much time does it need?


    If you're using a 64 character random password, it would take MUCH longer than a mere one billion years to crack. It would take every computer on earth billions of times longer than the age of our universe (~13 billion years).

    Basically, the moral of the story is that 64 characters is overkill. In order to obtain a password with 128 bits of entropy you need a 20 character string of random ASCII characters (out of 94 possibilities per character). Providing that, 128 bits of entropy would take longer than the age of the universe to brute force, but it wouldn't be as difficult to remember as a 64 character password that is vastly overkill.
     
  15. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    OK, who recognizes "AGiditp,oowtBi,tAa,twitolacC,ioG,tt."?

    Or better, perhaps, and this is a hint, "Geodipt,quiB,aA,tqilC,nGa."?
     
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The strength of a chain is equal to that of its weakest link. In this case, retrieving the first 60 characters of the 64-character password, for example, and then typing in the last 4 characters seems to be no stronger than having a passphrase that is only 4 characters in length, because the 60-character portion is subject to retrieval by the adversary in the same way that you access it. (This assumes that the adversary knows or can infer/guess your "scheme," of course, which may not be an unreasonable assumption.)
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    No, not unreasonable, but with a little invention you can make it more unlikely.
     
  18. sfi

    sfi Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    68
    Re: hack truecryt,how much time does it need?

    I wouldn't use this. If you truly want your passwords to be safe, use an offline (nothing connected) system to generate your passwords. Thru the internet, there could still be intercepts.
     
  19. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    I remember mine, because I copy and paste it :)
     
  20. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Re: hack truecryt,how much time does it need?

    It wouldn't do them any good. I use an 18 char password I have memorized and type that before I paste the 64char password :)
     
  21. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Re: hack truecryt,how much time does it need?

    Why do people keep referencing this chart for these kinds of questions?? It just shows how little you actually know about encryption and passwords in general.

    At least on A, B, C, they are saying what kind of passwords they are trying to brute force. If you are simply trying to do "Does Guess = Password", sure, you can probably do 1,000,000,000 (F) passwords per second, provided Guess is simply going A, B, C, D, E, F, G. But the moment you have to start and add computation to Guess, you increase the time taken to get Guess, to check it against Password. While "Guess = Password?" continues to take one second (for illustration purposes), how long does it take to find "Guess"? One second? 10? A lot of security minded applications now days intentionally make computation of Password (and subsequently Guess) take time.

    I'll use KeePass as an example simply because the application lets you set how much computation it takes to do it. Keepass asks for the number of rounds (Number of times the Password is encrypted; See Here for more information) the password goes through. You can actually set it based on time (on your system, Keepass determines XX rounds take Time seconds. The XX is then set in the database as the number of rounds. On a faster system, it will take less Time, on a slower system, Time is increased.) The result is if someone attempts to brute force your password on a system equivalent to yours, the number of Guesses per second is going to be relatively low (Since it takes Time to compute Guess) and even running it on a machine twice as fast, is still going to only twice as fast(if that) as the original machine. Assuming you planned for Time to be one second on your machine, that still limits an attacker to two passwords per second on their machine. (See how fast that table was just demonstrated to be wrong?) Even 100,000 machines working in tandem would result in only 200,000 passwords per second. Using that table on the page, would still take 34 years assuming a 8 character 62 Possible Character(a-z, A-Z, 0-9) password (See 62 Char, Class B / 2).


    While that table may show how adding to your character base (IE going a-Z instead of just A-Z or a-z) will increase time, the time factors listed are completely irrelevant for most normal applications anymore. (By the way, who still uses a Pentium 100 for any kind of brute forcing?)
     
  22. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    FYI -- Depending upon the adversary and the how the password was constructed, a savvy attack might proceed far more quickly than some calculations suggest, if it employs dictionary or rainbow tables, for example.
     
  23. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,148
  24. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Dictionary, OK, but that doesn't take into account computing Guess (from my earlier post), and rainbow tables are irrelevant when salt (preferably random) is used, unless you can compromise the target, determine the salt, construct your rainbow table, then return to use it live, but there really isn't a speed advantage to this... Not to mention if you get access once, you mirror your target, then work on it in your own area.

    But salt is used to defeat rainbows.

    I guess the alternative is using a hash rainbow table (if they exist) which is all the possible hash values, but I have no idea how large it would be... but thanks to a calculator there are 3.4028236692093846346337460743177e+38 possible combinations. If I did my math right, it would take 9,973,638,011,820,690,691,325,952 Petabytes (or 9,288,674,231,451,648 Yobibytes) of space to store all these hashes. And thats only md5 hashes. And I'm pretty sure that amount of storage doesn't even exist.
     
  25. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
Loading...
Thread Status:
Not open for further replies.