Privacy Encryption Security

How Long to Crack an 'Encrypted' HD? 733

brainburger asks: "In the UK, Tony Blair has recently lost a parliamentary vote to allow the police to hold terrorist suspects for 90 days without trial. One of the justifications the police gave for the extension from 14 days to 90 days was that they need the extra 76 days to decrypt the computer hard-drives of suspects. This has been seen by some as the only compelling reason to allow 90 days. The time-limit has been extended to 28 days instead, but Tony Blair insists 90 days is required. Are there really any encryption systems that cannot be cracked in 28 days, but which can be cracked in 90? Aside from the not-much-discussed issue that the police can no longer interrogate a suspect after they are charged, I suspect the police meant unencrypted machines. What do you think?"
  • How about Safehouse? (Score:4, Interesting)

    by kriston ( 7886 ) on Thursday November 10, 2005 @11:15PM (#14004565) Homepage Journal
    I'd love to see how Safehouse from www.pcdynamics.com [pcdynamics.com] will do. Encrypt file-based real drive volumes with AES, Twofish, Blowfish, 3DES, and DES.

    Kris

  • by ScrewMaster ( 602015 ) on Thursday November 10, 2005 @11:15PM (#14004569)
    is that if cracking encrypted hard disks is really that important, it would be better to simply give police enough computer power to crack the encryption in less time and avoid the civil liberties issues. Of course, giving the police that much computer power will eventually guarantee even more civil liberties issues.
  • Re:Before you answer (Score:2, Interesting)

    by Yehooti ( 816574 ) on Thursday November 10, 2005 @11:16PM (#14004580)
    Is he supposing that national assets be brought into play? I'd hope that they are much better at this than the local police.
  • by defile ( 1059 ) on Thursday November 10, 2005 @11:31PM (#14004649) Homepage Journal

    The United Kingdom approaches counter-terrorism as part of a criminal investigation and has to deal with due process of law. Hence the debate over extending detention from 14 days to 90 days.

    The United States approaches counter-terrorism as military action and the President signs an executive order that allows for indefinite detainment of suspects.

    Fascinating. The UK has much more experience dealing with domestic terrorism -- did they originally overreact as well or are the two circumstances different from the get-go?

  • by SuperBanana ( 662181 ) on Thursday November 10, 2005 @11:57PM (#14004792)
    Just cracking it isn't enough. They have to then sift through gigs of data to look for evidence.

    Mmm...I suspect the issue isn't "cracking"; I think the story poster was hinting at this with the last sentence or two. Chances are "crack" is being used liberally to present it using "terms" something Joe Q Legislator and John Z Public can understand. I would bet it is mostly analysis (or as you put it, "sift through".) Chances are serious criminal investigation units already have custom (ie distributed to several systems, nicely wrapped with scripts and such, etc.) cracking solutions akin to L0phtcrack and John The Ripper, set up and ready to go, on some nice hardware- so that if they need to crack a password for someone's Windows account, they can do so, and quickly. Somehow I doubt that it takes them more than 30 days to do so. There is also a considerable amount they can access without any "cracking."

    However, nothing trumps the human rights of the suspect. Here in the US, you have to be released within 24 hours of arrest if you are not charged (well, excepting Patriot Act crap.) Often times the police don't have the evidence yet to hold you on a crime. Unfortunately- that's just too bad! Case/workload isn't the burden of the suspect- it's YOUR burden. If YOU can't analyze the hard drive in the time period someone can be legally held...hire more people to do the analysis, or just suck it up.

    In which case, maybe it is deliberately misleading. Ie, "We need 90 days to crack encryption" sounds a lot more unavoidable than "we have such a high workload we can't get through looking at the contents of the disk before 90 days." Not to mention, the latter can also imply quite a bit of incompetence (ie, management hasn't scaled hiring/budget to the problem, or management isn't being effective, or they're all taking 2 hour lunches to watch soccer, etc.)

  • by Anonymous Coward on Friday November 11, 2005 @12:00AM (#14004811)
    The United Kingdom approaches counter-terrorism as part of a criminal investigation and has to deal with due process of law.

    Maybe you should ask Gerry Conlon [wikipedia.org] about "due process" in the UK?

    Not to say the US policies are sane, but many of the strident critics around here seem to have selective amnesia when it comes to other countries doing the same or worse in fighting terrorism.

  • This is stupid (Score:5, Interesting)

    by damiam ( 409504 ) on Friday November 11, 2005 @12:07AM (#14004854)
    IIRC it's a crime in Britain to refuse to hand over encryption keys when required by the police. So why don't they just seize the hard drives and ask for the key? If the suspect gives it up, all is well. If he refuses, then the police don't need to hold him without charge for even one day, much less 90, because they now have a charge to pin on him.
  • Re:Are they insane?! (Score:2, Interesting)

    by minus_273 ( 174041 ) <{aaaaa} {at} {SPAM.yahoo.com}> on Friday November 11, 2005 @12:09AM (#14004862) Journal
    Actually they do. One of the things they talk about is the decadence of the west and non muslims in general. That would include bars, clubs, tank-tops, bikinis, beer, wine etc etc. all things we are free to enjoy.
  • Re:Why MOD down? (Score:3, Interesting)

    by WindBourne ( 631190 ) on Friday November 11, 2005 @12:19AM (#14004921) Journal
    I own the first edition and have read it, as well as several other books.

    Plain and Simple, anything that is not going to be handled in under 2 weeks, will not be handled in the next 90 days, or 90 years. So arguing that you need 90 days to try and decrypt is false. The only thing that could be argued is that the cops do not have the time to process what they have so they need a longer time. Well, if that is the case, then more CPU power is what is needed.

    My suggestion to you (most likely IFWM), is that you get a clue and some manners.
  • by dstech ( 807139 ) <darksidex3@gmail.com> on Friday November 11, 2005 @12:22AM (#14004936)
    Well, brute-forcing techniques don't generally try "every possible combination" until they have exhausted some list of common passwords (with permutations on those common phrases).

    Anyway, I think PGP uses SHA-1 to convert your passphrase into a 160-bit hash key (i.e. any passphrase you use is converted into a 160-bit value). Ideally, no two passphrases generate the same key, but in practice it's possible to find a collision in an average case time of 2^80 iterations... difficult, but computationally feasible.

    I'm not sure how related to the current discussion this is, but I suppose that 2^80 random attempts should produce a matching passphrase, even if it isn't the original passphrase.

    William Stallings' "Cryptography and Networking Security" has a good treatment of the vulnerabilities in MD5 and SHA-1, although it doesn't mention the relatively recent MD5 collision vulnerability (search /. for many dupes on that matter).
  • Re:The answer is.... (Score:3, Interesting)

    by Dwonis ( 52652 ) * on Friday November 11, 2005 @12:27AM (#14004964)
    That's *an* answer, but it's not the *ultimate* answer, which of course is a1d0c6e83f027327d8461063f4ac58a6.
  • Re:Are they insane?! (Score:3, Interesting)

    by killjoe ( 766577 ) on Friday November 11, 2005 @12:31AM (#14004983)
    Whoo Hoo. I can't wait till they modernize and make all their girls run around dressed like $5.00 prostitutes too!. It will be so cool to go to Baghdad get shitfaced in a bar, puke on the sidewalk and watch the skimpily dressed girls flash the crowd!. Now that's what I call western civilization damnit.
  • by cmholm ( 69081 ) <cmholmNO@SPAMmauiholm.org> on Friday November 11, 2005 @12:46AM (#14005064) Homepage Journal
    "Overreact"? If we set an arbitrary starting point after WWII, and stay within the British Isles, then some folks in Ulster/Northern Ireland would probably say yes, they overreacted. Although prison detentions had the sanction of a legal process, there were a number of occasions when the SAS ambushed IRA cells in counties adjoining the border with the Republic.

    If we reach out beyond the UK proper, and look at how the British dealt with insurgents in Kenya, Malaysia, and southern Yemen, they largely went the military route. Worked in the first two, not so much in Yemen.

  • by tmasssey ( 546878 ) on Friday November 11, 2005 @12:52AM (#14005107) Homepage Journal
    My telephone accepts SD cards and plays MP3's. So, I have a couple of dozen MP3's on my SD, including a few MP3's made from recordings I've personally made of live music. Now, I choose *several* of these MP3's. The only place these MP3's exist is on my SD: I created them from live recordings and only I have them. I then combine these MP3's, separated by unique passwords, to generate a hash. Imagine something like this pseudo-command-line:

    { cat Recording1.mp3; echo "Password One"; cat Recording2.mp3; echo "Password Two"; cat Recording3.mp3; } | sha1sum | decrypt_my_hard_drive

    That's very much like a book cipher [wikipedia.org]. A book cipher can be *very* strong (almost like a one-time cipher) *if* the source text is sufficiently rare (or obscure).

    Now, imagine that the police seize my notebook. They see that my hard drive is encrypted and needs a 256-bit key. Where are they going to get the key? Is it simply a password? Is there some sort of key file? Is the key on the notebook? Is it on the SD in my phone? Or the SD in my camera? Or the half-dozen floppies I have in my notebook bag? Or one of the dozen or more CD's that are in my notebook bag? In this case, it's the combination of 3 different MP3's and two passwords. It could have just as easily have come from any number of different pieces of media: a file on a floppy, CD and SD card, plus an arbitrary number of passwords kept *only* in my head.

    Or how about selecting three graphics from popular websites? Imagine selecting three common topic icons on Slashdot such as the "Borg Bill", Broken Windows and the privacy binoculars. If you view Slashdot regularly, those files would appear in your cache: no big deal. But use *those* as keys! Just hope someone doesn't update the graphics! :) Even better: you're the webmaster for some website. Of course, you browse that website. Use graphics in your browser's cache from *there*: you know if the graphics will change! And the fact that these graphics are in your cache is perfectly natural. No one has the resources to hash every possible combination of three graphics in your browser's cache, especially with passwords between them.

    At that point, I'm not worried about them getting my key without help from somewhere: they're sure not brute-forcing it like a simple passphrase. I'm not worried about them brute-forcing a full-strength modern encryption algorithm. However, there are at least two things about which I *do* need to be worried: 1) Was the encryption algorithm implemented properly, without unintentional weaknesses or even intentional back-doors? 2) Was my key somehow cached somewhere to be found? This area could be the biggest issue: the command line I used is in the history, pieces of the data used to make up my key (or the key itself!!) were swapped to disk at some point and could be used to help reconstruct the key, etc. Even if investigators only knew which files made up my key, that would be *devastating* to my security. Now I'm back to something only slightly more complex than a straightforward password!

    Security is not simple. If large and powerful governments can't keep data secure from motivated enemies (and the entire history of the Cold War bears this out), I think that there is near zero chance for individuals to do the same.

  • by Anonymous Coward on Friday November 11, 2005 @12:57AM (#14005139)
    Which is why Gitmo is in Cuba. There you're "guilty until we say otherwise", and just far enough to possibly (or perhaps plausibly) be out of reach of the U.S. courts system.
  • by rtb61 ( 674572 ) on Friday November 11, 2005 @01:57AM (#14005401) Homepage
    Better a new worm, the 28 day holiday virus, that creates a series of pseudo encrypted files that contain nothing, they just have suggestive file names and are hidden from the user, how long can they lock you up for not knowing a password ;-).
  • by Lord Kano ( 13027 ) on Friday November 11, 2005 @02:06AM (#14005436) Homepage Journal
    Police work SHOULD be hard. It SHOULD be time consuming. It SHOULD be inconvenient for those performing it. Because when they must expend effort and experience inconvenience they are only going to take the time to scrutinize people who they actually believe had done something. Otherwise they'll be doing it just to pass the time.

    Every hoop that the police must jump through will save us all from harassment.

    LK
  • by pugugly ( 152978 ) on Friday November 11, 2005 @02:08AM (#14005448)
    You would think so - but the evidence doesn't seem to indicate that most of the time. My own (2nd hand) experience was with a guy that embezzled and committed tax fraud. He actually encrypted his schemes, but used simple passphrases. Got caught when he left the company and the IT guy looked at the hard-drive before reformatting it and went "That's weird - why is he encrypting stuff?"

    Started trying some obvious phrases that didn't work, then pulled his IE cache and used some of those. Then went "Holy Sh*t".

    Criminals are, pretty much by definition, people that want more than they're making legally and lack either the imagination or the patience required to achieve the goal. This is not a personality type particularly conducive to not getting caught.

    Pug
  • by AAWood ( 918613 ) <aawood@gma i l .com> on Friday November 11, 2005 @02:38AM (#14005563)
    Like many before you, you've stripped out possibly the most important word in that saying. The correct form is "presumed innocent until proven guilty." That doesn't mean everyone is an innocent person when they walk into a police station, it just means they aren't judged and sentenced until there's some proof that they're guilty. Wanting to be able to make sure a person is still around once you've checked and possibly found some proof isn't, in itself, a breach of that concept, it's just good common sense. The question is one of where you draw the line; is 90 days excessive? I think it probably is, although certainly not nearly as excessive as the whole Guantanamo Bay situation... but that's getting off-topic.
  • Probably more like: (Score:4, Interesting)

    by temojen ( 678985 ) on Friday November 11, 2005 @02:55AM (#14005641) Journal
    90 days in jail will ruin you financially (can't go to work, so can't pay bills), so it's in your best interest to give them the passphrase and hire a lawyer while you still are solvent. Plus, they can tell the other inmates that they think you have kiddie porn on your computer and they'll let the inmates do the torturing.

    90 days won't give them enough time to crack the key, but it will make you think really hard about giving them the passphrase so they let you go.
  • Re:Before you answer (Score:5, Interesting)

    by CountBrass ( 590228 ) on Friday November 11, 2005 @03:04AM (#14005684)
    And the fact that the police aren't up to the job and can't do whatever they need in a timely manner can't possibly be a reason to lock people up without trial for 3 months! WITHOUT TRIAL!

    The police in the UK have far too much power as it is. Of all the democratic countries in the world we're the closest to a police state. Tony Bliar even had police chiefs lobbying on his behalf for this 90 day detention (see many of today's UK newspapers)! Police are not supposed to be involved with politics!

    To give you an idea of the power they already have. I was walking home a couple of months ago. Two policemen pulled over and arrested me. The reason? I was wearing similar clothes to a burglar. Apparently fawn is a very unusual colour for a suit (it was bought from Marks & Spencer so yeah really rare). I was locked up. Because I had been arrested, the police are allowed to search my home WITHOUT A WARRANT! My wife was in the bath, heard a noise and discovered 3 policemen in our hallway. This was the first she'd heard of my arrest.

    I was finally released (and my trousers returned!) when a detective sergeant decided I couldn't possibly have done it. I was, as I had told all the officers I encountered, in a meeting in another town with 10 other people and all of us have security clearance!

    The police have far too many powers already! They should be cut back, not extended.

  • by nogginthenog ( 582552 ) on Friday November 11, 2005 @04:23AM (#14005960)
    Not true (yet). That part of the RIPA Act is not yet in force, probably due to the fact it would be unworkable in practice.

    I forgot the password Your Honour!

    Now prove I haven't. Also you have to remember that real terrorists probably have quite strong convictions and wouldn't easily give up a password that would damage their cause.
  • by Anonymous Coward on Friday November 11, 2005 @04:52AM (#14006059)
    "Anyway, I think PGP uses SHA-1 to convert your passphrase into a 160-bit hash key (i.e. any passphrase you use is converted into a 160-bit value). Ideally, no two passphrases generate the same key, but in practice it's possible to find a collision in an average case time of 2^80 iterations... difficult, but computationally feasible."

    Actually, the 2^80 iterations are the so called birthday attack which has the following objective: Find 2 random strings that have the same hash.
    This does not match the objective here, which is a pre-image objective: Given a hash, find a string that produces that hash. Even worse, the pre-image is unknown.
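
The difference between the two objectives discussed above can be measured on a hash small enough to search, as an added example that is not part of any post in the thread. It truncates SHA-1 to 16 bits (an assumption made so both searches finish quickly); all strings are constructed, and the same scaling puts full SHA-1 at about 2^80 tries for a collision and about 2^160 for a preimage.

```python
import hashlib

def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1: a deliberately tiny hash so both searches finish."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)

def find_collision(bits: int, label: str):
    """Birthday search: ANY two distinct inputs with equal hashes (~2^(bits/2) tries)."""
    seen = {}
    attempts = 0
    while True:  # pigeonhole: must stop within 2^bits + 1 tries
        msg = f"{label}-collide-{attempts}".encode()
        attempts += 1
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg

def find_preimage(target: int, bits: int, label: str):
    """Preimage search: an input matching ONE given hash (~2^bits tries)."""
    limit = 64 << bits  # give up far beyond the expected 2^bits tries
    for attempts in range(1, limit + 1):
        msg = f"{label}-guess-{attempts}".encode()
        if truncated_sha1(msg, bits) == target:
            return msg, attempts
    return None, limit

def compare(bits: int = 16, trials: int = 8):
    """Mean number of tries for each search over several independent trials."""
    coll_total = pre_total = 0
    for t in range(trials):
        label = f"trial{t}"
        _, _, n_coll = find_collision(bits, label)
        # Constructed stand-in for the key derived from an unknown passphrase.
        target = truncated_sha1(f"{label}: constructed passphrase".encode(), bits)
        _, n_pre = find_preimage(target, bits, label)
        coll_total += n_coll
        pre_total += n_pre
    return coll_total / trials, pre_total / trials

if __name__ == "__main__":
    bits = 16
    mean_coll, mean_pre = compare(bits)
    print(f"{bits}-bit hash: collision after ~{mean_coll:.0f} tries "
          f"(2^{bits // 2} = {2 ** (bits // 2)})")
    print(f"{bits}-bit hash: preimage  after ~{mean_pre:.0f} tries "
          f"(2^{bits} = {2 ** bits})")
```

A preimage found this way is usually a different string from the original passphrase, but it produces the same key; a collision between two strings of the searcher's own choosing says nothing about a key that was already derived.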
  • Re:Before you answer (Score:3, Interesting)

    by Sique ( 173459 ) on Friday November 11, 2005 @06:06AM (#14006345) Homepage
    There is something called 'checking for facts' (like phoning the wife to make sure he is the one who he claims to be).
  • Re:Whatever it is... (Score:2, Interesting)

    by -brazil- ( 111867 ) on Friday November 11, 2005 @07:15AM (#14006567) Homepage
    It's called "rubber hose cryptanalysis". Tends to be rather effective, that's why the US government is working so hard to have it allowed to them.

    It's one of the relatively few applications where torture actually works, because you can immediately and objectively verify the answers you get. Not so with questions like "who are your accomplices?" where you tend to eventually get the answers you want to hear, whether they're true or not.
  • Re:Before you answer (Score:3, Interesting)

    by Shisha ( 145964 ) on Friday November 11, 2005 @08:30AM (#14006890) Homepage

    Very good point :-)). But surely the terrorists are not stupid and if they know that the detention period would be now 90 days, then they'll use longer keys, encrypt things a few times, etc. hence bringing the time to decrypt the hard drive to something more like 1 year.

    Would we then be prepared to support detention for one year without a charge?!? I know I won't. The police simply have to work around the hard drive encryption, when collecting evidence.

  • Re:Before you answer (Score:3, Interesting)

    by clap_hands ( 320732 ) on Friday November 11, 2005 @09:49AM (#14007329) Homepage
    Actually, even AES-192 is considered sufficient for TOP SECRET by the NSA:

    "CNSSP-15 correctly states that 192-bit AES keys are sufficient for protecting even TOPSECRET information. However, Suite B uses only 256-bit keys to enhance interoperability." -- http://www.nsa.gov/ia/industry/crypto_suite_b.cfm? MenuID=10.2.7 [nsa.gov]

  • Re:Are they insane?! (Score:3, Interesting)

    by glesga_kiss ( 596639 ) on Friday November 11, 2005 @10:16AM (#14007510)
    Until 9-11, the IRA did the same in New York every St Patricks day. White Christians behaving the same way, who would have thunk it...?
  • Re:Before you answer (Score:3, Interesting)

    by hackstraw ( 262471 ) * on Friday November 11, 2005 @11:18AM (#14008047)
    While this sounds bad, I can read between the lines that you matched the description of a criminal (as you say yourself that there was an alibi involved... no such thing without a special crime you were suspected), so this is _far_ from the "random arrest because we don't like the way you look" kind of arrest you want to make it seem.

    There is a BIG difference between being questioned and being arrested and having your house searched unexpectedly without a warrant with your wife, presumably naked, in the bath by three strange men.

    Also take into account that this was only burglary. A crime against property, not against people. There is no immediacy in arresting such a person. Shake them down, ask them for an alibi. This guy seems to be a professional/business type, and not a burglar. Aside from the high end burglar that knows what they are looking for, burglars are typically just a parasite. Someone short on cash for some reason or another who is looking for a quick buck. (Correct me if I'm wrong between the distinction between burglars in the US and England).

    In this case, here are my problems.

    1) immediate arrest with the only evidence being that he dressed like the guy in question
    2) immediate search of the home without a warrant.

    I don't dress that uniquely. I don't want to get arrested for it. I've had my car ransacked by the police twice, both times were within their rights (kinda), and it's still not cool because they are not very concerned with your property during or after the search. They just turn stuff inside out. I've had the police come to my house a few times for suspecting things of me or neighbor complaints or whatever. They never arrested me, nor was my property searched.

    Contrary to how it sounds, I really try to stay away from the police, but they seem to like me for some reason, but they have not gotten too out of hand with me yet. Lied to me, hassled me, tried to intimidate me, arrest me. Yeah, that's part of their job and personal adrenaline requirements. Fine.

    But the two above mentioned things are wrong. In the US things are a little different because many of the citizens are armed. Especially at their home. Also we are lawsuit happy. Both of these things help keep things in check. Most people are pussies, but if the police state thing keeps increasing, it's going to get messy.
  • by abb3w ( 696381 ) on Friday November 11, 2005 @02:03PM (#14009797) Journal
    This odd 90 days which the Police told Tony Blair that they can break any encryption in. They can't - it's impossible!

    Well... yes, and no. 90 days gives sufficient time for a dedicated attack that should break anything that will be breakable: the human-factors attacks.

    - There'll be multiple encrypted files, particularly if they are encrypting their communications (guilty or not guilty). Each one would need 90 days.

    Very few of even the most paranoid cypherpunks I know use multiple keys; I don't know any who use more than five. If you crack one file, you've probably figured out the key the suspect uses for at least 20% of the data.

    - They'll not know the encryption algorithm in all cases, so would need to try every one. Each one would need 90 days.

    Not necessarily. There would be a few leading suspects; generally starting with any crypto software with signs of ever being installed on the hard drive, along with a couple really widely used ones. (GPG/PGP, OS X's FileVault, a couple others). Unless you're dealing with the hacker equivalent of the Unabomber-- a lone genius working in isolation-- you're probably dealing with a widely shared algorithm. Furthermore, while many of the messages can't be decrypted, many standard encryption methods put enough metadata in to allow identifying the algorithm.

    - There are HUNDREDS of encryption algorithms that use such large keys that you can't realistically expect to crack the password in 90 years, let alone 90 days.

    True. But most people don't use raw keys; memorizing a pair of 600 hexit prime numbers is a bit of a challenge. Most people use a password. Clever ones use a passphrase. And 90 days gives you time for a serious dictionary attack. Of course, 90 days isn't enough time for breaking the password of a professional paranoid; but the cops are looking for something the suspect could have memorized... which may limit the scope. In 90 days, a high-end single-CPU ought to be able to crack any 8 character password. A phrase dictionary could tie up a few more machines trying for something longer. A search of every piece of paper in the suspect's entire apartment might also be fruitful... but I don't think either US or UK powers allow that without SOME other evidence.

    And it's still possible to take one and write your own with an even longer key. (The details of which would be secret so they couldn't crack it in the first place anyway).

    Actually, this might be what the police are hoping for. Most crypto systems developed by amateurs are "easily" broken by professionals. Of course, by "easily", I mean "in a month or so".

    Myself, when I'm feeling paranoid, I use GPG from a bootable CD on a non-networked PC, a 4096 bit keypair with the private key stored on a USB flash drive I carry (two backup copies exist, located... er, hither and yonder), with the passphrase to access the private key being a simple number.

    Of course, by "simple", I mean "a prime number 25 base-sixteen hexits long". I estimate a dedicated planet-wide effort might crack it in 100 years... most of which time should be devoted to developing a quantum computer for a direct assault on the RSA algorithm.
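
The arithmetic behind the story's question and the estimates in the comments above, as an added example that is not part of any post in the thread: how much secret is exhaustible in 90 days but not in 28. The rate of 10^9 guesses per second, the 95-character printable ASCII alphabet and the pool of 2000 candidate key files are assumptions chosen for illustration.

```python
import math

SECONDS_PER_DAY = 86_400

def password_bits(charset_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password."""
    return length * math.log2(charset_size)

def keyfile_bits(pool_size: int, files_used: int) -> float:
    """Bits from choosing `files_used` files, in order, out of a pool of
    `pool_size` candidate files (browser cache, SD card, ...)."""
    return math.log2(math.perm(pool_size, files_used))

def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days needed to try every value of a `bits`-bit secret."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_DAY

def classify(bits: float, guesses_per_second: float,
             short_limit: int = 28, long_limit: int = 90) -> str:
    """Which detention limit, if either, covers an exhaustive search."""
    days = days_to_exhaust(bits, guesses_per_second)
    if days <= short_limit:
        return f"within {short_limit} days"
    if days <= long_limit:
        return f"only within {long_limit} days"
    return f"beyond {long_limit} days"

def window_bits(short_limit: int = 28, long_limit: int = 90) -> float:
    """Extra bits of secret that the longer limit buys at any fixed rate."""
    return math.log2(long_limit / short_limit)

def password_table(guesses_per_second: float, charset_size: int = 95):
    """(length, verdict) for random passwords of 6 to 10 characters."""
    return [(n, classify(password_bits(charset_size, n), guesses_per_second))
            for n in range(6, 11)]

if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second
    print(f"28 -> 90 days buys {window_bits():.2f} bits; "
          f"one more random character adds {password_bits(95, 1):.2f} bits")
    for length, verdict in password_table(rate):
        print(f"{length}-char random password: {verdict}")
    files = keyfile_bits(2000, 3)  # assumed pool of 2000 files, 3 chosen
    print(f"3 of 2000 known files: {files:.1f} bits, {classify(files, rate)}")
    for key_bits in (128, 192, 256):
        print(f"{key_bits}-bit random key: {classify(key_bits, rate)}")
```

At any fixed rate the extra 62 days cover fewer than two additional bits, so a secret that falls between the two limits does so by coincidence, and one more random character moves it far outside both.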
