Sunday, February 26, 2012

Why can't investigators just hack encrypted drives? With unlimited resources and time, they can

I blogged yesterday about the Eleventh Circuit case finding that compelling a defendant to provide an unencrypted copy of files would violate the Fifth Amendment. The drives in that case were encrypted using TrueCrypt (which I've discussed here).

To explain why law enforcement cannot simply "crack" the encryption, some background helps. It can certainly be done through what is called a "brute-force attack," which essentially generates a list of every possible password and tries each one. The longer and more complicated the password, the longer the attack takes, so adding length, capital letters, numbers, and symbols greatly increases the complexity. The type of security used also affects the complexity. The attack will first attempt to use dictionary words, and the entire English language could be checked in a few minutes. Of course, there's the possibility that the password will be guessed early on, but there are no promises.

Suppose a drive was encrypted using a fairly average but secure password - 1 upper case letter, 6 lower case, 1 number, and 1 special character. A brute force attack could try the 2.5 trillion possibilities in about 3 days using only one computer.

If we upgrade the password to 3 upper case, 8 lower case, 2 numbers, and 1 special character, there are almost 12 quintillion combinations. Using one computer to crack it would take about 40,000 years (using modern-day computers), but if you could dedicate 100,000 computers to the task, it could be done in about 6 months.

Since TrueCrypt passwords can be up to 65 characters, these times could easily extend into millions of years.
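The arithmetic behind the two estimates above, as an added example that is not from the original post or the spreadsheet it links to. It assumes 32 special characters and about 10 million guesses per second per computer (both inferred from the post's "2.5 trillion in about 3 days" figure), and it goes one step further than the post by showing how much larger the search becomes when the attacker does not know where each character class sits in the password.

```python
from math import factorial, prod

# Alphabet size per class. 32 specials (printable ASCII symbols) is an
# assumption; it reproduces the post's 2.5 trillion figure.
ALPHABET = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
# Assumed rate per computer, inferred from the post: 2.5 trillion candidates
# in about 3 days is roughly 10 million guesses per second.
GUESSES_PER_SECOND = 10_000_000
SECONDS_PER_YEAR = 365.25 * 86_400
# The two passwords described in the post, as counts per character class.
SHORT = {"upper": 1, "lower": 6, "digit": 1, "special": 1}
LONG = {"upper": 3, "lower": 8, "digit": 2, "special": 1}

def keyspace_known_layout(counts):
    """Candidates when the attacker knows which class sits at each position."""
    return prod(ALPHABET[cls] ** n for cls, n in counts.items())

def layouts(counts):
    """Ways to arrange the classes across positions (multinomial coefficient)."""
    total = factorial(sum(counts.values()))
    for n in counts.values():
        total //= factorial(n)
    return total

def keyspace_unknown_layout(counts):
    """Candidates when only the per-class counts are known, not their order."""
    return keyspace_known_layout(counts) * layouts(counts)

def keyspace_full_charset(length):
    """Candidates when nothing is known: any of the 94 symbols at each position."""
    return sum(ALPHABET.values()) ** length

def worst_case_years(candidates, computers=1, rate=GUESSES_PER_SECOND):
    """Years to exhaust the whole space; on average a hit comes at half this."""
    return candidates / (rate * computers) / SECONDS_PER_YEAR

if __name__ == "__main__":
    for name, pw in (("9-char", SHORT), ("14-char", LONG)):
        spaces = (("known layout", keyspace_known_layout(pw)),
                  ("unknown layout", keyspace_unknown_layout(pw)),
                  ("full charset", keyspace_full_charset(sum(pw.values()))))
        for label, space in spaces:
            print(f"{name:8} {label:15} {space:.3e} candidates, "
                  f"{worst_case_years(space):.3e} years on one computer")
```

The "known layout" rows correspond to the post's 2.5 trillion and 12 quintillion figures; the other rows show that those figures are a lower bound on the work for a password of that composition.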

For a handy spreadsheet to calculate your password's security, click here for one from Mandylion Research Lab. I make no promises that the calculations are accurate because the math is much too complex for me!

UPDATE: Thanks to a reader comment, I've been directed to Gibson Research Corporation's calculator (by Steve Gibson). The page contains a lot of great information on password strength and some helpful and interesting links. Thanks for the tip!

1 comment:

  1. Sounds like you are not aware of Steve Gibson's Password Haystacks page: https://www.grc.com/haystack.htm

    He is a long-time security guru (he came up with the term Spyware back in the day) and this page provides a measure (in terms of centuries) that it would take to crack a password based on its complexity.
