 |
Puppy Linux Discussion Forum Puppy HOME page : puppylinux.com "THE" alternative forum : puppylinux.info
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in|
The time now is Sat 25 May 2013, 22:14 All times are UTC - 4 |
 Forum index » Off-Topic Area » Security |
|
Cheap GPUs are rendering strong passwords useless?
|
 
|
View previous topic :: View next topic |
| Page 2 of 2 [22 Posts] | Goto page: Previous 1, 2 |
| Author | Message | ||||
|---|---|---|---|---|---|
|
DPUP5520
Joined: 16 Feb 2011 Posts: 759 |
Yes I remember that article, I read it a few months back, however there are two points there. 1. Truecrypt was not the only encryption program used to encrypt the drives 2. The ENTIRE drive/system was encrypted Those drives if I remember correctly were encrypted using 6.3 though I can't remember what the other program used was. _________________ PupRescue 2.5 Puppy Crypt 528 |
||||
|
|||||
 |
|||||
Swaphead
 Joined: 04 Nov 2010 Posts: 23 |
I've read this thread with lots of interest (but not much understanding  )
I'm confused by the terms "password hash" and "password hash file". Are we talking about a cracker gaining access to a file (or one item in a file) on (say) a Bank's website? Is that negligence on the bank's part? Or is this standard practice because the information is encrypted? Or are we talking about a cracker gaining access to (say) my machine? I got lost when we started talking about Puppy and hard-drive encryption. (I was probably lost already!) |
||||
|
|||||
|
|||||
|
Flash
Official Dog Handler  Joined: 04 May 2005 Posts: 9853 Location: Arizona USA |
Swaphead, here's how I understand it: The passwords are encrypted by a program which I'll call a hash algorithm because the encrypted password is called a hash and I don't know why. For some reason, probably convenience, the encrypted (hashed) passwords are stored in a file outside the main data base, the password hash file. The main data base may or may not be encrypted. (It seems to me that if it is encrypted, the encrypted passwords ought to be stored within it in such a way that they are not seen as a separate file.) And yes, you are right; it is negligence to allow access to the password hash file. Once a cracker has that file and the hash algorithm, he can run stuff through the hash algorithm until he hits on something that matches an entry in the stolen file. That's a password, which he can then use to gain access to that account in the main data base. |
||||
|
|||||
|
|||||
|
Swaphead
Joined: 04 Nov 2010 Posts: 23 |
Thanks, Flash I see what was confusing me most - it's the hacker's knowledge of / or access to/ the hash algorithm. I am no mathematician, but it seems to imply that sites are using a very limited number of widely known algorithms, or else they are making the hash algorithm as easily available as the hash file. |
||||
|
|||||
|
|||||
Mechanic_Kharkov
 Joined: 24 Jul 2011 Posts: 9 Location: Kharkov, Ukraine |
Please, show some link to such prove. I use TrueCrypt and it's important to me! But I typically use it to encrypt partitions, handle encrypted file containers, not for single file / folder. And anyway it's very interesting to know it prior that anybody else can get the ICE broken. If You mean discovery of Bruce Schneier that affects TC's "Plausible Deniability" mechanism only, that is not critical and really is not an issue of TrueCrypt Itself, but disk writing programs, saving data in unencrypted locations. And how lame are FBI hackers in this case? 
And what about GPUs - bravo! Respect to I. Golubev! How they (GPU developers) could know what their devices would be used for... Really much faster. |
||||
|
|||||
|
|||||
|
DPUP5520
Joined: 16 Feb 2011 Posts: 759 |
http://www.lostpassword.com/hdd-decryption.htm http://brian.carnell.com/articles/2008/truecrypt-deniable-file-system-broke/ The first link refers to the newest version of truecrypt while the second refers to an older version http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html Info on the old Evil Maid attack Most of this info is a little older and does not really apply to 7.0a however it shows vulnerabilities in Truecrypt (or any encryption method) unless you are encrypting the entire filesystem. _________________ PupRescue 2.5 Puppy Crypt 528 |
||||
|
|||||
|
|||||
|
Mechanic_Kharkov
Joined: 24 Jul 2011 Posts: 9 Location: Kharkov, Ukraine |
Thank you, DPUP5520 for good news! There is no TrueCrypt encryption vulnerabilities info under given links was found. There are some explanations on my opinion about the links here. 1. This decryptor use memory snapshot with encrypted volume open and keys in RAM. If you let the attacker to take a snapshot of your entire RAM, then you can also tell him all your passwords from all used security tools in time as well.
About RAM access I told above, and hiberfil.sys can contain such data of a very lame user only. And what about brute-force with more-than-200-bits-length passwords... 
2. As I said before, all that Bruce Schneier and company were compromised is the Plausible Deniability feature only. The encrypted data itself can not be compromised in this way, just the fact that there is some encrypted data on the volume. And if one uses encrypted disk, and that one knows how software like mentioned MS Office handles files, then that one can easily set up necessary secure environment to prevent such data leakage (e.g. create RAM disk to store Windows temporary directories in it, prevent swap-file usage, etc). 3. This fantastic invisible girl Joanna Rutkowska has a wonderful brain, and if you don't eat color pills from her hands then she sends to you an evil maid!
This attack like the first one uses full memory access. So it affects total system's security but not the TrueCrypt's only. If you run any kind of evil code that have full read access to your RAM - there is no secure thing possible on your system at all. And it does not matter how that code was executed, with boot-loader, or with ordinary horse, elevating rights. Btw, if you have administrative rights on target machine then you can easily use any kind of keylogger instead of such an exotic way to take keys. So, still sure TrueCrypt is my trusted friend. Thanks. |
||||
|
|||||
|
|||||
| Page 2 of 2 [22 Posts] | Goto page: Previous 1, 2 |
|
|
View previous topic :: View next topic |
|
Forum index » Off-Topic Area » Security |
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum |
Powered by phpBB © 2001, 2005 phpBB Group