Using custom software and a computer cluster of 25 graphics cards, password-cracking expert Jeremi Gosney has created a system capable of guessing 350 billion Windows passwords per second. From the article, it takes 5½ hours to “brute force every possible eight-character [Windows] password containing upper- and lower-case letters, digits, and symbols.” This development reinforces the message of this xkcd comic, that long passwords are much harder to crack than shorter but more complicated ones. Note also that an easy way to create long but memorable passwords is to use a passphrase.
Archive for the 'Cryptography' Category
So you’ve got something on your computer that you don’t want anyone else to see. To this effect, you’ve encrypted the hard drive. But then you’re put into a situation where an official requires that you unlock the computer so they can inspect the contents (this could happen at a border crossing, for example). That’s where Plausible Deniability comes into play. It’s a feature of TrueCrypt, where you have two hidden encrypted volumes on the same disk partition, and the password you enter determines which one you actually see. So you enter the decoy password, and it unlocks the decoy partition which contains no sensitive files. The other hidden partition appears to be empty space containing nothing but random data. Note that this probably won’t prevent a computer forensics expert from realizing that you have a hidden partition, but the casual observer will probably be fooled.
I’m amazed at the lengths that cryptography experts will go to in order to uncover weaknesses in a particular encryption scheme. (Chad’s News readers may recall this post where the hacker used acid and an electron microscope to reveal the circuitry of an encrypted microchip.) This time a vulnerability was found in OpenSSL, which is used by just about everyone. The researchers modified the power supply in such a way that it caused a one-bit error, and from that error they were able to obtain four bits of the 1024-bit secret key. They continued to produce the errors until they had enough data to piece together the entire key.
Taking note of the date of the linked article (March 2010), I’m guessing they’ve fixed this problem in OpenSSL. And while the method might work on other implementations, as well as on older hardware that still uses an unpatched version of OpenSSL, I don’t really see this as being an issue for the normal Chad’s News reader.
Thanks to Josh for this topic.
As regular Chad’s News readers already know, the current public-key encryption scheme will be useless once we build quantum computers with enough qubits. So scientists have been searching for an encryption method that’s less susceptible to quantum computing algorithms. Turns out that one such scheme was developed in 1978 by CalTech mathematician Robert McEliece. It’s safe from all currently-known quantum computing attacks. McEliece’s system is a bit unwieldy—the keys are very large—but expect to hear more about it unless a better quantum-safe method is found.
I have no idea how this is possible, and the math is beyond me, but an IBM employee named Craig Gentry has found a way to add and multiply encrypted data without first decrypting it. It’s called “fully homomorphic encryption.”
DNA can be used to make a one-way process suitable for encryption. I don’t completely understand the details, but the concept is interesting. I’m also thinking that DNA cryptography might be easier to implement than quantum cryptography.
So you think your encrypted data is safe? Here’s what would really happen.
It has been known for some time that the advent of quantum computers will completely destroy our existing public key encryption system, which depends on the difficulty of factoring a very large number. The appropriate quantum factoring algorithm already exists—we simply need to develop a functioning quantum computer on which to run it. Two research groups have moved the technology forward by creating very small proof-of-concept quantum computers that perform a modified version of the factoring algorithm. Their quantum computers are not scalable but do demonstrate that some of the core technology is working.
The main lesson from this is that you cannot encrypt data with today’s technology and expect it to be safe for more than a few decades at most (who knows—it could be years instead of decades). Also, I wonder if cryptologists are looking for something other than factoring to replace the one-way algorithm essential to public key encryption.
Researchers were recently able to factor a specially formed (but hard to factor) 1039-bit number in a mere 11 months. It shouldn’t be too long before those 1024-bit encryption keys can be broken in a realistic amount of time. My key is 4096 bits, which was specifically discouraged by the key generation software because it was considered to be massive overkill. Maybe it pays to be paranoid. Of course quantum computers, if they ever become a reality, will make existing encryption methods obsolete.