truecrack Password cracking for truecrypt(c) volume files.

Discussion in 'privacy technology' started by Hungry Man, May 24, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    truecrack
    Password cracking for truecrypt(c) volume files.

    https://code.google.com/p/truecrack/
     
  2. BrandiCandi

    BrandiCandi Guest

    And within that link is an excellent lesson in why dictionary words are terrible to use as passwords:
    It also doesn't mention anything about generating rainbow tables, but surely that needs to be done for the cracker to work.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You don't need rainbow tables for dictionary attacks.

    If my password is: Hungry Man
    the hash is: abcdefghiblahblahblah

    A dictionary attack will guess "table, man, lunch, hungry" whatever until it gets hungry man

    a rainbow table will guess "aerguhaerg, aeiuhqnrt, ougfhb, abcdefghiblahblahblah"

    It bypasses taking a hash of each of those, which saves time for really slow crypto methods. You can do it either way though.
     
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    It had me interested until I read "Brute force", if you use proper passphrases and entropy this will not be an issue. Also keep your passwords used for encryption separate from those you use online. We in the forensic field make our dictionary lists based on the target’s personal information (easily pulled from social websites) and any login/password data we receive from subpoenas.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    lol it would be much bigger news if it did anything else
     
  6. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Well I do have my argument index cards ready right next to my coffee for the inevitable impending comment from someone here claiming TC is now broken and AES should not be used. :D
     
  7. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802

    lols thatd be the day :D , until then well be safe and IF anything would come up then there would be a simple countermeasure ....as per usual :rolleyes:
     
  8. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    So what if Serpent was used? Or Twofish? Like EB said, your password should not be 'real' words, and please try to use all 64 characters that TC allows...and a key file. This doesn't apply to containers but for system encryption, as recently discussed on the TC forums, if they can't get the boot loader (if it's on external media that remains hidden from discovery for example) they have to brute force 512bits. (I assume this has to do with salt and the resulting hash). Rainbow tables of random gibberish would be near impossible I would think.

    PD
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    64 characters? lol how can anyone remember that? 20 characters is already really overkill.
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I can :D I don't use this method, but modified song lyrics are easy, as long as you modify them to not be 'real' words. I actually have four or five 64 character strings committed to long term memory, but have recently changed to only using 32 and having various Yubikey's remember the other 32.

    PD
     
  11. jitte

    jitte Registered Member

    Joined:
    May 2, 2012
    Posts:
    67
    I brought the subject of TrueCrack up the other day, though I've never used it or TrueCrypt.

    https://www.wilderssecurity.com/showthread.php?t=324156

    I don't have anything more sensitive than passwords to 3-4 Yahoo emaill accounts on my machines and use bcrypt, which uses Blowfish, to encrypt them as individual files then make the folder I keep them in hidden with a . in front of it.
     
  12. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    That is extremely slow, even in GPU mode. 10,000 passwords in 30 seconds is only 333.33 passwords per second. OTFBrutusGUI on my dual QuadCore Xeon running 16 CPU threads can try 1664 passwords per second and Ivan Golubev's Password Recovery Suite ( http://www.golubev.com/igprs/ ) running in GPU mode can supposedly try 27,000 passwords per second, although it can only attack SHA512.
     
  13. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Ho hum. Another forensic tool to "crack" Truecrypt volumes using dictionary words and character sets. Next!
     
  14. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    You are right, forget cracking AES!! Brute Forcing is the real danger for this hyperfast cipher!

    Its a good thing that threads like this and others in this forum make it clear, that although AES is not broken, it is possible to use brute forcers and retrieve more then 94% of the most used TrueCrypt passwords.
    Of course you can use a password generator that will use all types of chars in a random order in the maximum lenght of the TrueCrypt password size.
    But if you decide to use TrueCrypt in let's say a large company,with a lot of users,it might be unsafe or unusable.
    How must a traveler with his encrypted notebook disk remember such a password ?
    Write it down an type it over at every pc boot ?
    Or store his password in another TrueCrypt folder with the same kind of password :)
    Store it on a usb flash memory that can be read by his notebook when it is unlocked with eh ...? :)
    For the record a long password with dictionary words , easy to remember doesn't really help.
    And no replacements like "a" with "@" and o with "0" is not clever :)
    And 99 % of TrueCrypt users are using AES
    (because of the strong performance suggestions,
    and the fact that it is the only cipher to be able to encrypt the OS)

    To oversimplify:

    If you want to brute force your own home brew dictionary, build over the years...
    Then of course AES is your friend, and the fastes cipher you can use,
    to brute force such a fixed size dictionary. ;)

    See this: http://www.youtube.com/watch?v=GzDbvd5knmQ
    Just imagine what you could do with millions of dollars on hardware :)
     
    Last edited: May 25, 2012
  15. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    You can use other ciphers to encrypt the OS, you are limited only to RIPEMD-160.

    PD
     
  16. hashed

    hashed Registered Member

    Joined:
    May 5, 2012
    Posts:
    53
    I will do you one better than that, I use GRC's most excellent perfect password generator. If you can break through that line of gibberish, you deserve to get to my data :)

    ~h
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @Tuatara,

    Wrong.
     
  18. hashed

    hashed Registered Member

    Joined:
    May 5, 2012
    Posts:
    53
    LOL, your memory is better than mine :)

    ~h
     
  19. Dick99999

    Dick99999 Registered Member

    Joined:
    Aug 3, 2012
    Posts:
    14
    Location:
    Netherlands
    More then 94% of the most used .... Which set of most used passwords are you refering to?
     
  20. x942

    x942 Guest

    Lol I remember 4 such passwords and one longer (~80 char) password. I also use a yubikey to output a random 32 char password in a random spot in my password (only on my laptop) so I know 64 chars and some where in there the yubikey outputs 32 chars that I don't know. This way if I am ever forced to disclose the password I can't as I don't know all of it and a yubikey can be destroyed easily if needed.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm all for having passwords you can't remember. I don't remember most of mine - truecrypt does... but it would probably take longer than any of us will live just to get through a 20 character password using MD5.
     
  22. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    What's the benefit of using three encryption levels (AES-TWOFISH-BLOWFISH) on a Truecrypt volume?

    If I have a 20 character password that a programs successfully guesses, it would essentially unlock all three levels and give access to the data inside, right?
     
  23. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    If you believe that one of the available ciphers is at risk of being cracked in a direct attack (that is, irregardless of the password) then using two or three different ciphers to encrypt your data will help to defend against that possibility. The downside is that your performance will suffer significantly.

    Yes.
     
  24. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    lols talk about overkill , aes 256 ripemd160 with a 64bit passphrase(never use devices to store keyfiles i dont trust em , only thing to trust is your own memory if that fails well thats that but your not at risk having half your passphrase being discovered if they get to your device that holds that keyfile wich will make brute forcing much easier then for your adversary not to mention your keyfiles can become corrupted ) anyhow aes is more than enough to keep em busy for the next 100 years atleast until then youll be long dust , i can imagine the performance decrease with all 3 algorithms xD lmfao
     
  25. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    True, but a Key File is *extra* insurance (make copies). Not that *I* even use them, but you could, say, have a folder on every computer you own, named 'Key Files'. Inside that folder, you could have 10,000 text files that were generated with a random file generator, that contain random data. You could then encrypt those 10,000 files with GPG, AxCrypt, etc, using a random pass phrase that you don't remember. Your KF *could* be in there...but maybe it's elsewhere? LOL, have fun looking for Key Files... :D And *are* they Key Files? Maybe they are very small TC containers? Tick-Tock forensicator's, you don't have all the time in the world to process this machine...the cases are piling up! Hehehe.

    Ideas from: https://www.youtube.com/watch?v=-HK1JHR7LIM

    PD
     
Loading...
Thread Status:
Not open for further replies.