This project has moved and is read-only. For the latest updates, please go here.

Cracking TrueCrypt 530% faster.

Topics: Technical Issues
Nov 13, 2015 at 6:02 PM
Hi Mounir

I thought you might be interested to see how crackers are attacking TrueCrypt and the breakthroughs with optimisation.
Finally this means we reduced the number of workitems from 53 to 10, which is a effective cracking speedup of 530%.
Nov 13, 2015 at 8:46 PM

Thank you for sharing this.
The idea used is interesting although it doesn't help cracking the key derivation itself but it reduces complexity when the cipher used is unknown.

One must never forget that "Attacks always get better, never worse".
Nov 13, 2015 at 9:59 PM
You're welcome :)

I am not going to pretend I understand it fully, but I wonder if there is something simple which could be done to protect VeraCrypt from this sort of optimisation ?

Actually, atom is someone I think you would get on well with, he is very clever like yourself, especially when it comes to programming and encryption etc. As there are not many people like you two in the world, I guess it might be nice for you to talk with someone like atom.

Thank you for all your hard work in the background on VeraCrypt. I notice you receive some complaints, silly requests and ungrateful comments from the general public. I just want you to know there are many people wishing you well and who are extremely grateful for veraCrypt.
Nov 18, 2015 at 2:19 PM
TrueCrypt/VeraCrypt keeping the cipher/hash it uses secret has never been real security. It's what's called "security by obscurity" and something that has never been accepted as being truly secure. The strength of a cipher system is the strength of the cipher, not in hiding which cipher you use.

So I encourage people to think of this "attack" as not an attack, but of a verification that the security that you bought by keeping the cipher secret was never really security at all. If you're like me and have never factored in the idea that keeping your algo secret added security, then VeraCrypt is no weaker today than it was before this.
Nov 24, 2015 at 11:31 PM
Edited Nov 24, 2015 at 11:37 PM
The day will arrive when only One-Time-Pad (Vernam Cypher) is safe and reliable. Doubt it? All you need to do is imagine infinite processing power battling a finite number of possible passwords . OTP is mathematically proven to be absolutely 100% crack-proof providing you don't make a mistake with true randomness. Computers are not good at generating true randomness with their CPUs. Yes, OTP has its inconveniences. The key is the size of the encrypted file. So what? There are now 1TB USB sticks and a 4-6TB HDD is cheap.

I think it would be a good idea for VeraCrypt to think about deploying OTP as a long-term beta feature.
Nov 27, 2015 at 3:06 PM
GeorgeWest wrote:
The key is the size of the encrypted file. So what? There are now 1TB USB sticks and a 4-6TB HDD is cheap.
And how are you going to protect the HUGE OTP Key itself? You cant memorize a key with the length of your encrypted data so it has to be in a form of a keyfile. And how will you protect this keyfile?????
Nov 28, 2015 at 8:08 AM
Alex512 wrote:
GeorgeWest wrote:
The key is the size of the encrypted file. So what? There are now 1TB USB sticks and a 4-6TB HDD is cheap.
And how are you going to protect the HUGE OTP Key itself? You cant memorize a key with the length of your encrypted data so it has to be in a form of a keyfile. And how will you protect this keyfile?????
The problem you mention is quite small compared to the problem created by infinite processing power versus a finite number of passwords. The OTP key is not really a password. It is essentially the other half of the information needed to determine every bit's state. If you have a 2000 byte file with a 1999 byte key, that key must be a password requiring an algorithm - and infinite processing power will absolutely crack it. If that same file was protected with a 2000 byte OTP key, it can't ever be known if it was cracked correctly because every possible 2000 byte file (there are 256^2000 of them) has the same probability of being the correct decryption. Consequently, you can encrypt a pic of your dog with OTP and there is a password that will decrypt it to a pic of your cat. There are other passwords that will decrypt it to a pic of Bugs Bunny, Mickey Mouse, and so on. In fact, for plausible deniability, I can create alternate keys that will will decrypt an OTP drive/container/file to anything I want. I could create a key that decrypts 10 confidential text files in a container to 10 comic strips of Superman - and another password if you prefer XMen. There is a password that would decrypt the container itself to a video of the Mars landing. This is the power of OTP. Its not that you can't decrypt it. Its that it decrypts to anything and everything.

TrueCrypt and VeraCrypt have always supported keyfiles. Why is it any more difficult to protect a keyfile just because that keyfile is larger? Since Windoz is now a super spy tool with a built-in keyboard logger, I would consider the use use of keyfiles to be a necessity. Who cares how big it gets? I use Linux. But still, I will not blindly trust any OS. My private data stays on a system absent any ability to connect to anything. I update it from a private repository on a read-only USB stick. I've done this for 15 years ever since I found out about the Eschelon project.
Nov 29, 2015 at 1:42 AM
Edited Nov 30, 2015 at 1:38 AM
We are far far from needing to resort to a OTP. The weak link in today's encryption tend to be twofold:
  1. Size of passwords people use
  2. The use of poor algorithms long after they cease providing forward security.
Governments need encryption, but they are also scared to death of it. Which is why you see them do everything they can to keep the official standards employed just a little bit ahead of what private industry is capable of breaking into (but not what they are capable of breaking into). This is why stuff like MD5 hung around so long, and why DSS always has and always will use key sizes that are too small.

That all being said, the encryption arms race is stacked heavily in favour of the encryptor. Obscuring data will always be computationally easier than unobscuring it. This is why governments are frightened of encryption. Properly chosen algorithms offer very (!) good forward security. Do you know how large a number 256 bits represents? Let's talk cold hard numbers. In fact, let's go far beyond what will be possible in the next ten years. Let's take a cpu capable of checking a hundred trillion keys per second. Let's take an organization that has a hundred trillion of those CPUs all working to brute force your 256 bit key. And let's say we're paranoid, so our standard isn't the 50% chance most people use, but you don't want there to be more than a .1% chance. You're still talking 10^38 years. That is so many times the current age of the universe that the answer doesn't matter.

True, the odds are heavily in favour of the encryption algorithm at some point being found to have a weakness long before the heat death of the universe. But every time someone finds a weakness in one type of encryption, the next generation of algorithms plug that hole and any other hole even remotely close to it. As long as we're not letting governments decide what algo to use and how many key stretching iterations to use, the odds of a catastrophic singular breakthrough in cryptography that renders a current algo "broken" overnight is, in my view less than the odds of guessing the 256 bit key. There will be time to get your data somewhere safe.

Now, I always recommend the conservative path when it comes to security. Just for the very reason that conservatism is cheap. As an example, I use Serpent, not AES, for that very reason. The authors of Serpent took the amount of security they thought necessary to be secure for the next century, and they said, ok, let's double it, just in case. I like that. Because it's never the problem you know, it's the problem you can't foresee right now that you want to protect against. But you can still take things way too far. And my opinion is that the OTP is just that. Taking things too far. If you have a good random keyfile that is the size of your key, and a password on top of that, other holes in your security are likely to be far far less secure than your encryption is. If you're that paranoid, better line your house with copper, because the tempest emissions from your computer are a far bigger security risk than your encryption is.