TrueCrypt Keyfiles, does TC use the full length of the file or only the first 1024bit

Discussion in 'privacy technology' started by gamenano, Mar 3, 2010.

Thread Status:
Not open for further replies.
  1. gamenano

    gamenano Registered Member

    Joined:
    Mar 3, 2010
    Posts:
    3
    Hi,

    New to the forum so hello everyone. I am started to step up security on my system mainly because I now have a lot more client details such as their bank details, plus I have recently started to hire a few people.

    TC is my primary defence. I do use keyfile for all my containers but would like to know if a bigger keyfile will be better of makes no differents?

    All my container's password are 100 highly mixed char in length(kept in Keepass in my USB stick) plus a keyfile. How long would it take for a supercomputer to crack? Just curious, I certain that FBI or CIA will not interest in any of my files.

    Thanks for your help.
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    From http://www.truecrypt.org/docs/?s=keyfiles-technical-details:
    "The maximum size of a keyfile is not limited; however, only its first 1,048,576 bytes (1 MB) are processed (all remaining bytes are ignored due to performance issues connected with processing extremely large files). The user can supply one or more keyfiles (the number of keyfiles is not limited)."

    Passwords cannot exceed 64 characters, and even that would be considerable overkill for most situations.

    We're talking huge numbers here, and TrueCrypt slows down brute-force attacks by design. Even a 20-character random password without a keyfile would probably be quite safe for the forseeable future. The much greater danger is that you will somehow permanently lose access to your own data. I strongly suggest making regular backups (encrypted, of course) of your data, as well as backing up your TrueCrypt volume headers.
     
  3. gamenano

    gamenano Registered Member

    Joined:
    Mar 3, 2010
    Posts:
    3
    Thank you very much for your response dantz. I did input 100 char when mounting with TC, is that mean the last 36 char were ignored?

    I was trying to get to the Password Recovery Speeds link but the link is not working. I will be greatful if there is a chart regarding length of password against time to rehold brute force attack.

    Furthermore, I use keepass to protect my password, in file -> database setting. under security tab, there are something called key transformation. I have setted to 300000. It saids the higher the number the harder are dictionary attacks. I have increased the number significantly compared to default but did not notice any slow down for openning the database. Is higher the key transformation, the longer time for brute force to try out each password?

    Many many thanks. I know I am a bit annoyed. :argh:
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Yes.

    You mean this link? It's working for me:
    http://www.lockdown.co.uk/?pg=combi

    Most decent TrueCrypt passwords would fit into the "96 characters - Mixed upper and lower case alphabet plus numbers and common symbols" category. But the charts don't go up to 64-character passwords. You'll have to find another site, or do the math yourself.

    Yes, higher numbers will slow down a brute force attack because it takes longer to process each attempt.
     
  5. gamenano

    gamenano Registered Member

    Joined:
    Mar 3, 2010
    Posts:
    3
    Yes. That's the link.

    it show the folloing message.

    :oops:

    But i think I can be assertain my password + TC are pretty safe. Thanks Again :thumb:
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    With important data such as yours being protected by TrueCrypt, I would take a header backup, your keyfile, and your password in plain text and place it in a simple .rar or .zip file with an easy-to-remember password and using a computer with ZERO connection to you, upload it to the cloud (Gmail would work) and put it into a new account with ZERO connection to you. You then NEVER access that account with your own computer or any connections to you at all. It is there only for emergencies. Needless to say, you would not backup your actual volume (container) with this emergency archive.
     
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Simple math:

    If your password is a string of 64 random characters (consisting of A-Z, a-z, 0-9) that would mean there are 62 possible characters for each character of the password. Therefore the formula is: 64^62 which is a number larger than a Googol. This means there are more possibilities in such a passphrase than there are atoms in the universe (which is about 10^80).

    So, basically, you could put a CPU on every square inch of the earth and still not brute force your password before the sun burned out. So, you don't have anything to worry about from the CIA or NSA -- they would be powerless to crack the password. More likely is they would beat it out of you (or send you to a foreign country that would).
     
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The practicality of this point may be moot, but to clarify, the expected value of finding the passphrase by brute force would be one-half of the total number of possibilities -- since, on average across cases, the algorithm would find the passphrase half-way through an exhaustive examination of the set of all possibilities.
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    That's correct, but due to the random nature of all of this, it is also possible that the 64 character random password is brute forced on the first try. However, the probability of it happening is less than me winning the powerball every day of my life for the rest of my life.

    My point is, it isn't even worth mentioning this 50% chance since it will still take longer than the age of the universe even if we take into account the law of averages as you suggest.
     
  10. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    It is worth remembering that the probability of the brute force attack succeeding on the first try is exactly equal to the probability that it would succeed on the 2nd, 3rd, or Nth attempt. Thus, the best and unbiased estimate is the mid-point of the series, where “best” is defined as having the smallest sum of squared deviations of the difference between the successful attempt and the half-way point.
     
Loading...
Thread Status:
Not open for further replies.