polymorphic cipher

Discussion in 'privacy technology' started by syncmaster913n, Apr 2, 2012.

Thread Status:
Not open for further replies.
  1. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    775
    It seems fair to assume that they can decrypt most encrypted data, by brute-forcing with that computer power.
    Most passwords are in the top million used passwords.
    Long passwords are often sentences which must be setup in a way that a human must be able to remember, that narrows down the available passwords a lot.
    The methods used by people to create new passwords is not very long.
    If you create a brute force engine that works it's way through this list
    combined with the normal dictionaries etc it must be very easy for them to
    decrypt a large percentage of all AES-256 encrypted archives. Especially when well known or very short passwords are used.
    Of course if you are smart you can make it more difficult.
    but just imagine, if they would try to brute force let's say 10000 truecrypt encrypted
    Archives or zipfiles each of another average encryption user, how many do you think can be decrypted easy this way?
    From the things i've seen , i expect a lot.
    Of course i oversimplified this a bit, but you know what i mean.
     
  2. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    165
    Im presently using a 63 Character Random ASCII password from:
    https://www.grc.com/passwords.htm

    (I actually took bits and pieces from the keys and switched them around).

    I doubt I'll have to worry about anyone brute forcing my password anytime soon.

    Though I could still be brute forced I suppose via $5 wrench method.

    Perhaps users need to start beating themselves with wrenches to prepare themselves?
     
  3. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    775
    X942, is there any news yet?

    After i was looking at things like this, i became convinced that both ciphers can not be cracked yet,
    but brute forcing is a serious risk:

    http://www.youtube.com/watch?v=GzDbvd5knmQ

    And this:

    http://www.youtube.com/watch?v=0WPny7wk960

    With TurboCrypt it takes a lot longer to brute force the same dictionary as with TrueCrypt/AES for example.

    Passwords longer then 20 chars and no dictionary words in it,
    or without simple replacements like 'a' to '@' and 'o' to '0' are impossible to remember for the average user.
    63 characters is very funny, but i expect that you are not happy when there are new windows updates and you have to restart your pc a few times :)

    Or a traveler with an encrypted notebook.

    For the record, this is about the brute force risk in general,
    and if such an attack was done on TurboCrypt or TrueCrypt with AES.

    And although you can use very long generated password most users will not do that,
    Because they will have no easy way to remember or to enter this at every pc boot.
    For example if you have a company that has 100 sales persons traveling the globe with their encypted notebooks
    What will the passwords look like do you think?

    Brute forcing , hacking and malware attacks are the most often used methods of attack
    Not trying to crack the ciphers
     
    Last edited: May 25, 2012
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Bruteforcing and keylogging are pretty much the only ways to get in.

    As for bruteforce time it's really not an issue. 8 characters lower case is going to be more than a desktop can crack in any reasonable amount of time. 12 is fine.

    An average user doesn't have to remember anything complicated.

    Dictionary cracking is largely misunderstood. People think that if I have:
    catdogemugoat my password is insecure because it's just words. This isn't the case. Dictionary attacks only ever attack a single word + variations of the word.

    It's very simple for a user to remember a very very strong password and if you're using SHA512 (default for Truecrypt) to generate a key (or pbkf2 stretching like LastPass) there's just no practicality in bruteforcing.

    The problem is not that users aren't using 20 character passwords its that their passwords are "password123" or "<username>123" etc.
     
  5. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    775
    It is the only issue, the more possible passwords combinations i can test in a certain time frame or within certain cpu time,
    the higher the risk to find/crack the password. ;)

    A common misunderstand, please recheck the YouTube movies in my previous post.

    That would only be true if your dictionary contains only smaller words,names etc.
    And you must including the extra numbers or chars attached to it.

    A good example is one of the 1000 most used passwords i collected for research, it contains 18 chars, i will find this by brute forcing in seconds, because it is ranked very high on my brute force dictionary.

    For the record, be careful what you call safe, someone's life in any country may one day depend on it :oops:

    Anyway see what TrueCrypt recommends:
     

    Attached Files:

  6. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    775
    YES !!!

    You are exactly spot on, that is the problem.

    But to be honest, the other part of it is how to remember a generated password and how to enter that at every boot?

    Again, assume you are an IT man of a company with 100 sales persons that travel the world with encrypted notebooks disks.
    And each of these have to enter a password like this at every notebook boot:

    For the record, this is the smallest recommend password length:
    <12345678901234567890>

    So this would be a good password don't you agree?:
    Password is: @aP(~7>FS2k$.P{']Q_sPtC|!

    That will cause you and these sales colleagues some serious headache don't you think?

    ;)
     
    Last edited: May 26, 2012
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Anyone suggesting that you need a password like that is confused. The only time you should have a long password is when you can't verify how your data is being encrypted.

    DogShake52591 - two random words and a birthday I made up. Easy to remember and no one's bruteforcing or getting in through dictionary attacks.

    You can go crazy and add an exclamation point at the end.

    That is all it takes.

    You're still confused.

    I only have a few minutes so I'll make it quick.

    I don't care if your password is a million characters if it's on someone's dictionary it'll take no time to crack.

    That doesn't matter. Dictionary attacks don't mix and match words and numbers. It's simple as hell to stop one from working. The password above is not vulnerable and it's easy to remember. Bruteforcing it would be incredibly impractical. I believe it's 13 characters... 14 with a '!' and the character set is large (Assuming the attacker knows the set.)
     
  8. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    775
    You are right, but everyone who is really using brute forcing ,see the mentioned youTube vids, does.

    Even so, i do respect your different but perhaps dangerous opinion.

    And you don't have to believe me but "DogShake52591" is ..
    just as the makers of TrueCrypt wrote -> unsafe!

    So you don't have to agree with the developers of TrueCrypt or me,
    but i will not recomend using a password like this, if your life could be at stake.

    And of course you are right, not if you are using a dictionary only brute force attack, with a simple 1 cpu pc.

    But most certainly if the other party is using hardware like this:
    PLEASE LISTEN TO THE BRUTE FORCE SPECS:
    http://www.youtube.com/watch?v=A5RwZz9UPUs
    or setup like this in another country with even more CPU/GPU power ;)

    Of course this platform is not listed in the http://www.top500.org , but since a lot of the top 10 of those are not located in the US,
    one might expect platforms like the above these countries as well, and perhaps even in countries where you don't expect this at all.

    Your password example is ranked very high in the password creation method ranking list,
    Just below <word><number> and <Word with a Capital first char><number> and <word><word><number>
    You are using <Word with a Capital first char><Word with a Capital first char><number>

    Of course the English Dictionary is very tiny for brute forcers on this scale.
    And how many English words do we really use ? -> just 17,000 : http://iteslj.org/Articles/Cervatiuc-VocabularyAcquisition.html

    You can expect these 17000 to be highest in the word ranking, besides names etc of course.
     
    Last edited: May 26, 2012
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I suggest you use something other than youtube videos and truecrypt help pages to learn about cryptography.
     
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    775
    Hi Hungry Man,

    Thanks for your very good suggestion, I agree and i did.
    Although i find the youtube videos of these Unversity studies quite informative.
    And no i will not make any of these kind of suggestions in your direction.

    But to get back on topic, i am glad that everbody seems to agree here on the fact that the Polymorphic cipher takes unbelievable much longer to brute force.
    And thus seems to be a stronger cipher against these kind of attacks.

    And that this Polymorphic cipher or the TurboCrypt encryption software using this, even after the sources handed over, is still standing strong.

    But on the other hand, X942 may have different results any day now.

    Btw thnx for those that refered me to other ciphers and software, there are more out there then i ever knew.
     
    Last edited: May 26, 2012
  11. berndroellgen

    berndroellgen Registered Member

    Joined:
    Nov 5, 2010
    Posts:
    59
    tuatara, you hit the nail on the head.
    If only 10% of all passwords can be attacked with a certain technique that allows to do this without anybody else knowing, ANY organization who's job it is to spy on people will employ that technique.
    That's pure logic.
     
  12. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Just added DogShake52591 to my word list:p
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Foiled again.
     
  14. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.