How Long to Crack an 'Encrypted' HD?
brainburger asks: "In the UK, Tony Blair has recently lost a parliamentary vote to allow the police to hold terrorist suspects for 90 days without trial. One of the justifications the police gave for the extension from 14 days to 90 days was that they need the extra 76 days to decrypt the computer hard-drives of suspects. This has been seen by some as the only compelling reason to allow 90 days. The time-limit has been extended to 28 days instead, but Tony Blair insists 90 days is required. Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90? Aside from the not-much-discussed issue that the police can no longer interrogate a suspect after they are charged, I suspect the police meant unencrypted machines. What do you think?"
Re:Dupe (Score:3, Informative)
This article states that he didn't get what he wanted.
Quite different if you ask me... and somewhat interesting.
Dupe!!!! (Score:1, Informative)
Re:I'm amazed at how the UK is handling this (Score:5, Informative)
Such detention is not allowed in the US.
In case you're not being sarcastic, you might be shocked to read about Jose Padilla [chargepadilla.org].
Re:Are they insane?! (Score:1, Informative)
Many of them became French citizens not through their own choice, but through France's annexation of Algeria. Rather than "migrating", many just moved from one part of "France" to a different part. After independence, moving to Algeria may not have been an option for those who were born and raised in France proper. Even if it was an option, no-one has an obligation to emigrate because of their ethnicity.
This sounds like a bogus excuse (Score:5, Informative)
Hold on. Anyone remember the Regulation of Investigatory Powers 2000 [wikipedia.org] Act? Isn't it an offence - punishable by a prison sentence - to not hand over encryption keys? If they need to crack it, they can just tell the suspect to hand over his key(s). If he/she doesn't, he goes down for more than 90 days anyway ...
Re:How about Safehouse? (Score:3, Informative)
http://www.truecrypt.org/ [truecrypt.org]
Encrypted disks, crossplatform (win/lin).
Re:Are they insane?! (Score:2, Informative)
The bombers want to:
a) Get the "decadent westerners" out of Bali and
b) Destabilise the usually strong Balinese economy so that they can more easily attract followers there
A lot of Balinese have been killed as a result, but they aren't the primary target.
The terrorists in South-East Asia are a particularly nasty lot. They not only want to banish westerners and western ideas from the region, they also want to turn the entire area into a giant Caliphate.
Re:How about Safehouse? (Score:1, Informative)
So why 90 to crack encryption? If you don't give them your keys, they can charge you and go through the British court system and possibly get you for 2 years. The only reason they claim they need 90 days is so that when they want 180 (a year/forever), it doesn't seem as unreasonable. They want the ability to hold a person w/o trial or charging them for as long as they like. Cracking encryption is a convenient excuse. To the computer-illiterate it sounds plausible.
captcha compute
Re:Before you answer (Score:4, Informative)
They don't need to do that. Over here, refusing to reveal an encryption key when required by the Police is an offence in itself.
RIP Act 2000 [guardian.co.uk]
Re:The answer is.... (Score:3, Informative)
Back to the question: "How Long to Crack an 'Encrypted' HD?": it all depends on how well it is done. It also depends on where the disk key is stored. It is easier to crack a drive if the key is kept on the drive or left up to lazy humans to type in each time.
I'm not kidding about the last point. There are hard drive encryption products where the drive is automatically mounted / accessed without human intervention. These products derive the decryption key from stored state on the hard drive. Sure they pull tricks such as storing the key material in a sector marked as "bad", but if you reverse engineer their process you can find the drive key and begin cracking the drive in milliseconds.
There are hard drive encryption products where a human must enter a password / pass-phrase to access the drive decryption key. The time to crack the drive depends on how easy the unlocking password / pass-phrase is to guess. This guessing can be done in parallel starting with common / poorly selected passwords / pass-phrases first. Too many people don't want to type in difficult / hard to type passwords. A guessing attack would frequently be successful against drives encrypted with products that require a human to type something.
Conveniently forgotten (Score:2, Informative)
This 90 day clause is the only part anyone is interested in! I too thought 90 days was a bit much until I heard that EVERY 7 days the suspect is brought before a magistrate and the case for detention is reviewed.
It seems that this fine point has been ignored??
Re:Cracking passphrase-based keys (Score:3, Informative)
No. 6 or 7 characters * 8bit/char = 48-56 bits at most. Because so many special signs are hard to reach, you can usually get away with 6bit, so 36-42 bits. That is insufficient to prevent any serious brute force attempt. A strong passphrase is roughly 20-25 characters long, and should have about three typos (the number of permutations make it fairly pseudorandom at this point). Something like: "MicrosXftIsEv6ilReadSla=hdot" should have 128bit+ strength. If you want 256 bit (read, fully uncrackable at any rate) you can double that. Remember, internet-safe passwords != passwords that are secure against local attack. If you can brute force it locally, 6-8 character passwords are way too little.
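The bit arithmetic in the comment above and the passphrase-guessing point in the earlier "Re:The answer is...." comment, worked through as an added example that is not part of any original post. It estimates worst-case exhaustive-search time and shows how narrow the band of key strengths is that falls between 28 and 90 days; the guess rates are constructed assumptions, and the entropy figure assumes every character is chosen uniformly at random.

```python
import math

SECONDS_PER_DAY = 86_400

def passphrase_bits(length, bits_per_char):
    """Upper bound on entropy: assumes each character is uniformly random."""
    return length * bits_per_char

def days_to_exhaust(bits, guesses_per_second):
    """Worst-case days to try every one of 2**bits candidates."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_DAY

def bits_exhausted_in(days, guesses_per_second):
    """Largest search space (in bits) fully covered in the given time."""
    return math.log2(days * SECONDS_PER_DAY * guesses_per_second)

def window_width_bits(short_days=28, long_days=90):
    """Width of the band searchable in long_days but not in short_days.
    The guess rate cancels out, so this is the same for any attacker."""
    return math.log2(long_days / short_days)

def classify(bits, guesses_per_second, short_days=28, long_days=90):
    """Place a key strength relative to the two detention limits."""
    days = days_to_exhaust(bits, guesses_per_second)
    if days <= short_days:
        return f"within {short_days} days"
    if days <= long_days:
        return f"only within {long_days} days"
    return f"beyond {long_days} days"

if __name__ == "__main__":
    # Constructed guess rates (assumptions, not measurements).
    for rate in (1e6, 1e9, 1e12):
        lo = bits_exhausted_in(28, rate)
        hi = bits_exhausted_in(90, rate)
        print(f"{rate:.0e} guesses/s: 28 days covers {lo:.2f} bits, "
              f"90 days covers {hi:.2f} bits")
    print(f"band width at any rate: {window_width_bits():.2f} bits")

    # Strengths taken from the comment above: 6-7 chars at 6 bits each,
    # and the 128-bit figure quoted for a long passphrase.
    samples = [("6 chars x 6 bits", passphrase_bits(6, 6)),
               ("7 chars x 6 bits", passphrase_bits(7, 6)),
               ("128-bit passphrase", 128)]
    for label, bits in samples:
        print(f"{label}: {bits} bits -> {classify(bits, 1e9)} at 1e9/s")
```

Whatever the guess rate, the extra 62 days buy fewer than two additional bits of search space, so a key either falls well inside 28 days or remains far outside 90.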
Re:No more AES (Score:3, Informative)
Unfortunately, for law enforcement etc, my entire home folder is now encrypted with AES128 encryption. Yep, all my email, all my documents, all my application preferences, even my entire MP3 music library (except that I went to lengths to not have this encrypted by symlinking it to somewhere else) is now AES128 encrypted. With a strong passphrase. It's really that easy.
I then have a file, also in my home folder, called my keychain. This is where I put stuff I really want to keep safe. All my passwords, all my bank a/c details, secure notes, login details, slashdot login etc. This is also encrypted. Yep, AES128. Even if my home folder was decrypted, there's still the keychain if they want to get to any secure notes or login details I might have.
90 days? You're not going to be able to do jack against this in 90 days. And this is just using simple stuff that's built into the OS.
k
Re:Easy way out (Score:3, Informative)
I hope you don't really believe that.
Re:Before you answer (Score:2, Informative)
"Number Crunching"
24 Hours - Period terrorism suspects in Australia (al_Qaeda death toll: 88) can be detained before criminal charges must be levelled.
5 Days - Period terrorism suspects in Spain (al_Qaeda death toll: 191) can be detained before criminal charges must be levelled.
7 Days - Period terrorism suspects in USA (al_Qaeda death toll: 3,000) can be detained before criminal charges must be levelled.
90 Days - Period terrorism suspects in UK (al_Qaeda death toll: 52) should be allowed to be detained before criminal charges must be levelled.
Re:How about Safehouse? (Score:3, Informative)
I have been burned before: I will never use a closed source software again for data encryption. The tinfoil hat crowd will worry about the possible NSA backdoor or weak implementation. More practically, I worry about the developer going out of business and the next windows update breaking my encryption software, leaving me high and dry with no other recourse but to downgrade or reinstall my system, get my data back, and start hunting for a new encryption solution. Save yourself the trouble and use TrueCrypt.
Now I was just going to write that the only problem with TrueCrypt was that it was Windows only (with Linux support on their roadmap, though...)... Well guess what: I just checked their site again, and here it is: "4.0, November 1, 2005 [...] TrueCrypt volumes can now be mounted on Linux." Perfect timing to prove again the superiority of Open Source
Re:Before you answer (Score:3, Informative)
Even so, the US Govt considers 256 bit AES to be good enough for "Top Secret" documents so I doubt it's crackable in 90 days.
Actually no, they recommend using AES 256 for government sensitive, but unclassified data [nist.gov]. For anything classified, they are using classified military algorithms.
Re:How about Safehouse? (Score:3, Informative)
Tell that to the octogenarian who was detained under the previous Act for heckling at the recent Labour party conference. Or the woman in Scotland detained for several hours for *walking* down a cycle path.
it would bring many lawsuits
Don't think so, the whole point is to make it *legal*.
so theoretically, government officials reflect the will of the people in policy making.
Indeed, and according to polls apparently the majority of the British public think locking people up for 90 days without charge (first 7 days without judicial intervention too) *is* a good idea. They're terrorists after all, right? Never mind 90 days, throw away the key!
--paulj
Re:Why keep it private? (Score:2, Informative)
Just an FYI, if you want to destroy data on a CD so that it can't be recovered, place it in a microwave for about 5 seconds. Try it with a blank to see what I mean.