How solid is cascading cipher - Truecrypt.

Discussion in 'privacy technology' started by citizenklaw, Jan 12, 2009.

Thread Status:
Not open for further replies.
  1. citizenklaw

    citizenklaw Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    7
    Guys,

    I lost a USB stick, with some important data (financials, numbers, etc.). I had created a Truecrypt container with a cascading triple cipher (one of the options, can't remember exactly which ones) and an 18 char long password with letters, numbers and symbols (no upper caps).

    I've a backup elsewhere, just the nuisance of having it (the data) out of my sight for a couple of days.

    How about it? Crackable?
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Well, you're probably quite ok.

    Did you create a volume or encrypt the entire device? If the answer is 1) did you use a nonsense name for the container, something like picture.jpg or did you call it my-secret-docs? If the answer is 2) you're good. A lucky finder will think the device is simply unformatted, format it and use it.

    Mrk
     
  3. citizenklaw

    citizenklaw Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    7
    Meh. I named it 'Container'. I know, unimaginative.

    It does have some MP3's and other stuff. So I'm thinking that if it's found they'll take the music, and delete everything else.
     
  4. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    LOL I don't care if they know it's a TC container, you said you used a

    "18 char long password with letters, numbers and symbols (no upper caps)."

    You definitely don't have anything to worry about!

    Now there was some talk that Truecrypt v6 shouldn't be trusted. If this was true, only the Government could open your container anyways, but probably wouldn't bother unless it had to do with national security, like you're a terrorist or something! So as to keep their secret a secret!
     
  5. citizenklaw

    citizenklaw Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    7
    Double checking! LOL!

    In every online 'password check' service I've been to, it shows that it is a 'strong' password.
     
  6. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Heh, 'Strong' is relative.

    I was using the same style of passwords as I've been changing all my online passwords lately. This style has shown up as 'Moderate' to 'Strong' depending on the site in question. I think those little indicators are kind of 'feel good fluff' anyways. If you have a strong password you know it. If you don't know, it probably isn't.

    But I'll agree, it's very unlikely that someone will gain access, unless it wasn't lost as much as purposefully taken... in which case they may have secured the password already. But then we're going from chance to espionage/intentional theft.
     
  7. citizenklaw

    citizenklaw Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    7
    Well, at least it is strong enough to dissuade any casual cracking.
     
  8. citizenklaw

    citizenklaw Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    7
    So how would a potential attacker go about cracking a TrueCrypt container? I mean, decryption is performed on the fly. There's no hash present. The attacker does not know the length and/or complexity of the passphrase. Brute forcing the container will take him probably forever...

    Wow. And to think that it is an Open Source product. Heck, I'll go over there and make a donation. Worth every penny.
     
  9. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    The best time/effort trade-off would probably be either a keylogger to capture your password or just plain stealing your keys from memory, I'd say. With some background research, though, an adversary could potentially narrow the field of potential passwords enough to make a brute-force attack conceivable.

    You'd really have to have something worthwhile in there for someone to go to that much effort, though! None of the methods above [save perhaps keylogging] are exactly a walk in the park for your casual cracker.
     
  10. citizenklaw

    citizenklaw Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    7
    Precisely. It would be very hard to get the keys from memory once the container is dismounted.
     
  11. NeilC

    NeilC Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    31
    It's completely safe. It would have been completely safe with any one of the single cyphers. You don't need to cascade them. AFAIK nobody has come close to cracking a 256bit AES or Blowfish key.

    Brute force is the only way and 18 characters is pretty strong. Clearly a simple dictionary attack would fail so surely then they are reduced to trying every combination of the usual keyboard characters. I make that 26 letters x 2. Numbers 1-0 x 2 plus a few spare characters (12x 2). All that is 96 characters. So that's 96^18 which is a MASSIVE number of combinations.

    Even assuming they get lucky and hit it 50% of the way into the search or narrow it down a lot, there is no way anyone without a cluster of supercomputers and their own electric substation is going to crack that.

    Or have I got that wrong?
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Someone has recently shown the power of using NVIDIA's CUDA for cracking passwords much faster... but all-in-all you got it pretty right.
     
  13. NeilC

    NeilC Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    31
    Sounds interesting - do you have any particular links worth reading?

    It would need to be pretty fast if it's just brute forcing.

    Even at a billion combinations a second I make that 479603335372621236652373132 seconds which is 15198037203389875067 years!
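
The estimate worked out in the posts above, generalized as an added example (not part of any post in the thread): it computes keyspace, entropy and search time for an 18-character password over a chosen alphabet, and also measures a per-guess rate when every guess costs one key-derivation run. Assumptions not taken from the thread: the per-class character counts, and the 1000-iteration PBKDF2-HMAC-SHA-512 setting, which is the count TrueCrypt's documentation gives for that hash.

```python
import hashlib
import math
import os
import string
import time

SECONDS_PER_YEAR = 31_556_926  # tropical year; reproduces the figure quoted in the thread

# Distinct printable ASCII characters per class (a constructed breakdown,
# not the 96-character tally used in the thread).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}

def alphabet_size(classes):
    return sum(CLASS_SIZES[c] for c in classes)

def keyspace(length, alphabet):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length

def entropy_bits(length, alphabet):
    return length * math.log2(alphabet)

def years_to_search(space, guesses_per_second, fraction=0.5):
    """Years to cover `fraction` of the keyspace (0.5 = average case)."""
    return space * fraction / guesses_per_second / SECONDS_PER_YEAR

def kdf_guess_rate(iterations=1000, samples=50):
    """Measured guesses/second on one core when each guess costs one PBKDF2 run.
    iterations=1000 is an assumption from TrueCrypt's documentation, not the thread."""
    salt = os.urandom(64)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha512", b"guess%d" % i, salt, iterations, dklen=64)
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    rate = kdf_guess_rate()
    for label, alpha in (("96-char alphabet from the thread", 96),
                         ("lower+digit+symbol", alphabet_size(["lower", "digit", "symbol"]))):
        space = keyspace(18, alpha)
        print(f"{label}: {entropy_bits(18, alpha):.1f} bits, "
              f"{years_to_search(space, 1e9):.3g} y at 1e9/s, "
              f"{years_to_search(space, rate):.3g} y at measured {rate:.0f}/s")
```

The measured rate is for one CPU core on the machine running the script, so it only shows how key stretching changes the per-guess cost relative to the flat billion-per-second figure.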
     