Silk Road forums

Discussion => Security => Topic started by: Thekla1 on June 14, 2013, 08:06 pm

Title: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: Thekla1 on June 14, 2013, 08:06 pm
Hi all,

I'm sure most of you are aware of the revelations in the news at the moment regarding the NSA and the whistleblowing. The Guardian newspaper in the UK has been at the forefront of the story, and put this up on their site today.

CLEARNET WARNING http://www.guardian.co.uk/world/2013/jun/14/nsa-utah-data-facility

What I was interested in was the speculation by William Binney about a facility so powerful it could use 'brute force' attacks on encryption (about half-way down article).

A lot of you know a lot more than me about this stuff, so tell me, is Tor/PGP doomed in the longer run by massive government number-crunching?

Your info welcome, don't go all conspiracy theory  ;).

Take care.
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: seatturtle on June 14, 2013, 08:39 pm
I heard from a smart source that once quantum computing is developed to a point of major utility (20 years), in theory no amount of encryption could stand a chance because a quantum processor would be solving the encryption from every angle, simultaneously, at lightspeed. He said it would crack a 2048 bit PGP key in under 10 seconds. I was reflecting later on this, but I want to ask whether quantum processors, on the other hand, will be using the same computing power to generate infinitely more layered encryption keys and hashes. My guess is that it'll end up being a massive, massive drain on energy :/
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: crystal on June 14, 2013, 08:57 pm
Thanks for pointing that out, Thekla1 - great article.

As most PGP users (and Tor, and SSL/HTTPS) mostly use weak encryption, if it's not possible to decrypt everything now, it's probably a matter of months/years... and anyway, quantum computing will probably be able to break today's strongest encryption in not that long...

But some ciphers are probably stronger in the long run than others? Could they resist quantum computing though?...

Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: Duffman on June 14, 2013, 09:12 pm
Quantum computers are still very much in their infancy but it's indeed something to think about for the future.
They could indeed feasibly decrypt most public key cryptography like RSA which PGP uses.
However symmetric cryptography like AES wouldn't be that much affected by quantum computers.
They would only speed up the process of brute forcing but AES-256 would still be very secure so we would just have to increase the keyspace we currently use to stay secure. So if quantum computers do indeed become available we'll have to make the switch to quantum-proof encryption algorithms instead.
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: The-Truth on June 14, 2013, 09:14 pm
Get a FIPS 197 compliant thumb drive and then load TrueCrypt on it too. Basically the HW encryption allows 5 tries then destroys the content; should they break that, then you have to deal with SW encryption too. Hell, you could even get a biometric thumb drive.
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: dupersouperhigh on June 15, 2013, 04:25 am
The statute of limitations on any sketchy business will run out before quantum computers get to the point of being able to solve such complicated problems like these.
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: kmfkewm on June 15, 2013, 05:47 am
Quote
I heard from a smart source that once quantum computing is developed to a point of major utility (20 years), in theory no amount of encryption could stand a chance because a quantum processor would be solving the encryption from every angle, simultaneously, at lightspeed. He said it would crack a 2048 bit PGP key in under 10 seconds. I was reflecting later on this, but I want to ask whether quantum processors, on the other hand, will be using the same computing power to generate infinitely more layered encryption keys and hashes. My guess is that it'll end up being a massive, massive drain on energy :/

Quantum computers can break many types of asymmetric cryptography, such as RSA which is used by GPG. The time required to break encryption will be equal to the time required to encrypt something, so they will be able to break a ciphertext as quickly as they can encrypt it. Of course they need to have a certain number of stabilized qubits in order to carry out this sort of attack, and it could be a while before they manage to create such powerful quantum computers. Increasing key strength does increase the number of stabilized qubits required to crack the key, but many people imagine that attackers will exponentially increase the number of qubits they can stabilize. RSA and ECC based cryptography looks like it has a shelf life, although it is not certain that things will go this way; they could run into some unforeseen problems with constructing such large quantum computers.

There are quantum encryption systems but the way they work is entirely different from traditional cryptosystems. Quantum encryption systems are based on the laws of quantum physics, the two primary techniques exploit quantum uncertainty and quantum entanglement. The quantum uncertainty based cryptosystems allow Alice and Bob to exchange data such that if Eve intercepts any of it they will be immediately notified of the interception. This allows them to transfer keying material between each other, and to transmit new key bits if they detect any of them are intercepted. This means that Eve will never successfully intercept an encryption key without alerting the communicating parties. It seems that this is the approach the US military has taken. The quantum entanglement based systems allow Alice and Bob to exchange data such that it is impossible for Eve to intercept it. This is done by entangling photons, which means that a change in one photon causes an immediate change in the photon it is entangled with, across space and with no identifiable connection. This means that Alice can entangle a pair of photons and then send one of them to Bob, and then Alice and Bob can share keying material with each other by modifying their photons and observing the correlated change in the other photon. Since there is no link between the entangled photons, it is impossible for Eve to intercept the transmitted keys. It appears that this is the approach the Chinese military has taken.

More interestingly, or at least more applicable to us, there are also classical asymmetric cryptosystems that are not vulnerable to any known quantum attacks. A popular class of such algorithms is called 'multivariate quadratic polynomial cryptography'. Cryptosystems based on multivariate quadratic polynomials will likely be required sometime in the future, assuming that attackers manage to stabilize enough qubits to carry out the quantum attacks on prime factorization (RSA) and elliptic curve logarithm (ECC) based cryptosystems.

Additionally, symmetric algorithms such as AES are resistant to all known quantum attacks. The best quantum attack against symmetric algorithms is only capable of dividing their bit strength in half, giving AES-256 a key space of 2^128. This is indeed a big reduction in key space, but enough is preserved to maintain the cryptographic integrity of the algorithm.

Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: Chupa Chups on June 15, 2013, 03:01 pm
I'm working in the quantum computer area and believe me, it's a long way to go. Sure, we can make some qubits, but they won't last long enough for long calculations and it's exponentially harder to entangle them all. And even if you have a high grade entanglement you can control how you want, you're still limited by the data rate of your device. So for cracking PGP you need to couple your qubits with telecommunication fiber technology and they are still limited by electronics speed. So don't worry brothers in crime, it will take 10-20 years (if not more) till quantum computing can calculate things more complex than 79*11 in an NSA building. This will change only if one can develop a qubit in silicon technology that can be upscaled with low cost / low effort.


Best regards
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: lex on June 17, 2013, 05:12 am
Quote
Additionally, symmetric algorithms such as AES are resistant to all known quantum attacks. The best quantum attack against symmetric algorithms is only capable of dividing their bit strength in half, giving AES-256 a key space of 2^128. This is indeed a big reduction in key space, but enough is preserved to maintain the cryptographic integrity of the algorithm.

Regarding AES-256 encryption [with Truecrypt], are you factoring in the salt with your calculations?

"512-bit salt is used, which means there are 2^512 keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks"
http://www.truecrypt.org/docs/header-key-derivation

Will the salt really thwart brute force as it is alleged?
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: sharonneedles on June 17, 2013, 09:59 am
kmfkewm +1 for your in depth explanation of quantum encryption and classical algorithmic encryption. If you have any more details or links where we can learn more please do share. This is riveting information.
Title: Re: NSA brute force attacks (don't wet your knickers, it's theoretical)
Post by: kmfkewm on June 17, 2013, 12:16 pm
Quote
kmfkewm +1 for your in depth explanation of quantum encryption and classical algorithmic encryption. If you have any more details or links where we can learn more please do share. This is riveting information.

You could read about Shor's algorithm and Grover's algorithm. Wikipedia is generally a great source for basic knowledge about cryptography, it is extremely superficial but it is great for giving you an idea of things to look up.

Quote
Additionally, symmetric algorithms such as AES are resistant to all known quantum attacks. The best quantum attack against symmetric algorithms is only capable of dividing their bit strength in half, giving AES-256 a key space of 2^128. This is indeed a big reduction in key space, but enough is preserved to maintain the cryptographic integrity of the algorithm.

Regarding AES-256 encryption [with Truecrypt], are you factoring in the salt with your calculations?

Grover's algorithm is a quantum based direct attack on symmetric encryption keys, not on their corresponding passwords. The strength of a symmetric algorithm is hard limited by the key space of the algorithm. Grover's algorithm cuts key strength in half, the quality of the password or PBKDF will have no effect on it.

Quote
"512-bit salt is used, which means there are 2^512 keys for each password. This significantly decreases vulnerability to 'off-line' dictionary/'rainbow table' attacks"
http://www.truecrypt.org/docs/header-key-derivation

Will the salt really thwart brute force as it is alleged?

Truecrypt almost certainly is using something called a password based key derivation function, commonly referred to as a PBKDF. PBKDFs are used for turning a user's password into a symmetric encryption key. When you encrypt a file with an algorithm like AES-256, you must provide a key that is of the appropriate length. That is to say that you cannot directly use the password 'password' with AES-256, you need to convert the password into a 256 bit key. This could naively be done by using a hash algorithm, perhaps you take the SHA256 value of 'password', which is '6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e' (in hex), and which consists of 256 bits. PBKDFs do use hashing as their primitives, but they add at least two important features. The first feature they add is called salting. Salting adds some fixed randomness to your password prior to hashing it. You see, if your password is 'password', then you are weak to rainbow table attacks. A rainbow table attack involves the attacker taking sometimes terabytes worth of dictionary words / leaked passwords / common phrases / etc., and hashing all of them with a specific algorithm (generally with many algorithms, which is I believe where it gets its name from: it stores the SHA256 of the password, the MD5 of the password, the SHA512 of the password, etc.). This takes a lot of computational power, but after it is done once the attacker no longer needs to compute the hash values again; now they can attempt to directly use the stored hash data as the symmetric encryption key until they find the correct one. Any half decent rainbow table will have the SHA256 value of 'password' stored in it.

To protect from rainbow tables, the encryption program will generate a few random bytes of data, let's say 'j82opdl29e', and then it concatenates it to your password prior to hashing your password. Therefore your password is now really 'j82opdl29epassword', but you only need to remember 'password' because the salt is handled by the encryption program (and generally stored in plaintext with the encrypted data; salts do not need to be secret). This means that your password now produces the key '718e7e73155913d6ab75a6d4a3a0e515f0c2056c25c98103f9d4f2dd8e661172', which will not likely be part of the attacker's rainbow table. Since everybody who uses the program has a different salt generated, the input password 'password' can now produce a wide variety of different output keys (for example, since Truecrypt uses a 512 bit salt, a rainbow table effective against it will be 2^512 times as large, and take 2^512 times as many operations to compute, as a rainbow table effective against an application that doesn't use any salt at all. Essentially this means that Truecrypt is immune to rainbow table attacks).

Another thing that PBKDFs do is iteratively hash a password. This is what protects from brute force attacks. If the attacker obtains your salt (which they can easily do since the salt isn't itself encrypted) then they can start the brute force attack with 'j82opdl29e' and start adding characters to it, perhaps starting at 'j82opdl29ea' and then going to 'j82opdl29eb' etc. Additionally they can try computational dictionary attacks directly (although the salt protects from rainbow table based attacks). Now it takes a very small amount of time to take the hash value of 'j82opdl29ea', and a very small amount of time to take the hash value of 'j82opdl29eb' etc. So instead the PBKDF will have a set number of iterations, probably in the thousands or tens of thousands. Without iterations the key corresponding to the password 'j82opdl29ea' is '19798b674de3fa0111d46315048a5b33893b347249af9dc9ba106af3eea9a824', assuming that SHA256 is used. With 10,000 iterations of hashing, as specified by the PBKDF, the hash is then hashed out 10,000 additional times. For example

19798b674de3fa0111d46315048a5b33893b347249af9dc9ba106af3eea9a824 SHA256 = 68529cb832e34720b8be405233bca6d231a95766dacf36a66acc769bbab71daf SHA256 = 31a065cb81ba09fa9831b0700a904fad25b5e39d88160764c6b325dc61df614c etc....

This obviously will take ten thousand times longer for an attacker to compute. Usually this will work out to about a second or two to convert a password to a key (although it is entirely computationally bound), an amount of time that is not noticeable to a user with the correct password, but which adds up to a lot of time for an attacker who needs to repeatedly guess incorrect passwords. If it takes two seconds to do that many iterations, it takes you two seconds to obtain your key after correctly entering your password, but an attacker who attempts 100,000,000 different passwords before they get the correct one ends up spending over six years with an equal amount of computational power.

So in summary PBKDFs can protect you but they don't protect the encryption algorithm itself, and they don't protect the actual symmetric key from being brute forced (only the password used to derive the key). So against the quantum attack called Grover's algorithm, PBKDFs have absolutely no effect at all. The reason for this is that you can always try to obtain the encryption key without the password at all, although generally it is vastly more efficient to guess the password than it is to break the encryption key. For example, with AES-256 we know the encryption key is 256 bits. Nothing stops you from starting at

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

and working your way up to

1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

and everything in between. Of course this leaves you with 2^256 permutations of bits to try in order to exhaust the key space. It is much more likely that the bit pattern will map to a specific input password that is much easier to guess or brute force. PBKDF's try to strengthen the password, but they don't come anywhere near to giving most passwords 256 bit equivalent security. Grover's algorithm is not concerned with breaking the password to obtain the correct key, it is concerned with breaking the symmetric key directly. I don't really understand how it works in detail, but it works such that the number of bits you need to guess in order to form the correct encryption key is cut in half. So instead of going from

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

to

1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

and everything in between, you only need to go from

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

to

11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

and everything in between. In such an attack the attacker doesn't even care if they can map the bit sequence that the symmetric key consists of to a human readable password, because the only reason somebody tries to figure out the human readable password is so that they can derive the correct bit sequence from it. Grover's algorithm goes straight to brute forcing the correct bit sequence, it doesn't start at the password.

Thankfully even going from

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
to
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
and everything in between

is not realistic. This means that 256 bit algorithms are not broken by Grover's algorithm. On the other hand, against 128 bit algorithms it turns into

0000000000000000000000000000000000000000000000000000000000000000
to
1111111111111111111111111111111111111111111111111111111111111111
and everything in between

which is possible to brute force. Therefore 128 bit symmetric algorithms are broken by Grover's algorithm.
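The salting, iteration and Grover points made in the post above, as an added example that is not from the thread or from TrueCrypt: a toy precomputed table that reverses an unsalted SHA-256 but not a salted one, the salt-then-iterate derivation the post sketches beside the standard library's PBKDF2, the attacker's wall-clock cost at the post's 100,000,000 guesses at 2 seconds each, and the Grover halving of effective key bits. The salt value is a constructed constant so the output is repeatable.

```python
import hashlib
import os
from typing import Dict, List, Optional

# Constructed sample salt so the output is deterministic; a real program
# draws the salt from os.urandom(64) and stores it beside the ciphertext.
SAMPLE_SALT = b"j82opdl29e"


def naive_key(password: str) -> bytes:
    """Unsalted single SHA-256 of the password: the scheme a table defeats."""
    return hashlib.sha256(password.encode()).digest()


def iterated_salted_key(password: str, salt: bytes, iterations: int) -> bytes:
    """The derivation the post walks through: SHA-256 of salt||password, then
    re-hash the digest `iterations` more times. Every extra iteration costs the
    attacker per guess exactly what it costs the legitimate user once."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def pbkdf2_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Standard PBKDF2-HMAC-SHA256 from the standard library, for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def precomputed_table(words: List[str]) -> Dict[bytes, str]:
    """Toy 'rainbow table': unsalted hash -> password, computed once up front."""
    return {naive_key(w): w for w in words}


def table_lookup(table: Dict[bytes, str], key: bytes) -> Optional[str]:
    """Reverse a key through the table; None when the key was never listed."""
    return table.get(key)


def attacker_years(guesses: int, seconds_per_guess: float) -> float:
    """Years an attacker spends on `guesses` derivations at the same per-guess
    cost the user pays once (the post's 100,000,000 guesses x 2 s figure)."""
    return guesses * seconds_per_guess / (365.25 * 24 * 3600)


def grover_effective_bits(key_bits: int) -> int:
    """Grover's search halves the exponent: a k-bit key costs ~2^(k/2) work."""
    return key_bits // 2


if __name__ == "__main__":
    table = precomputed_table(["password", "letmein", "123456"])
    print("unsalted lookup:", table_lookup(table, naive_key("password")))
    print("salted lookup:  ", table_lookup(table, iterated_salted_key("password", SAMPLE_SALT, 0)))
    print("10k-iteration key:", iterated_salted_key("password", SAMPLE_SALT, 10_000).hex())
    print("PBKDF2 key:       ", pbkdf2_key("password", os.urandom(64), 10_000).hex())
    print("years for 1e8 guesses at 2 s each: %.2f" % attacker_years(100_000_000, 2.0))
    print("Grover-effective bits, AES-256:", grover_effective_bits(256))
```

The table finds the unsalted key immediately but not the salted one, and the iteration count only raises the per-guess cost of the password search; `grover_effective_bits` is unaffected by either, which is the post's point about attacking the key rather than the password.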