Tuesday, March 29, 2005

Security – lock the back door!

You can have the strongest encryption in the world and it won't protect your data if you use a weak key.

For law enforcement officials charged with busting sophisticated financial crime and hacker rings, making arrests and seizing computers used in the criminal activity is often the easy part. More difficult can be making the case in court, where getting a conviction often hinges on whether investigators can glean evidence off of the seized computer equipment and connect that information to specific crimes.

Encryption – strong encryption – is widely available, cheaply or for free.

Many of the encryption programs used widely by corporations and individuals provide up to 128- or 256-bit keys. Breaking a 256-bit key would likely take eons using today's conventional "dictionary" and "brute force" decryption methods -- that is, trying word-based, random or sequential combinations of letters and numbers -- even on a distributed network many times the size of the Secret Service's DNA. [Distributed Networking Attack]

But all is not lost. You don't need to break the key. The user never remembers the key – he uses a password to access the key stored on the hard drive. The password is a lot easier to remember, and most people pick weak passwords.

Yet, like most security systems, encryption has an Achilles' heel -- the user. That's because some of today's most common encryption applications protect keys using a password supplied by the user. Most encryption programs urge users to pick strong, alphanumeric passwords, but far too often people ignore that critical piece of advice, said Bruce Schneier, an encryption expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif. "Most people don't pick a random password even though they should, and that's why projects like this work against a lot of keys," Schneier said. "Lots of people -- even the bad guys -- are really sloppy about choosing good passwords." Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords.

Clues can include terms in documents and e-mails, and also words found in web pages gleaned from the browser history. Custom word lists generated from these sources work 40-50% of the time.

Some files are proving tougher to crack. One group which communicates in English, Russian and Ukrainian, using a mishmash of Roman and Cyrillic alphabets, is not yielding very well to this technique.

Here, the set of possible passwords is large enough to look random to investigators.
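The arithmetic behind the post, as an added illustration that is not part of the original (all function names and the sample documents are constructed): a 256-bit key unlocked by a password is only as strong as the password, and a password that is just a word from the user's own files, Latin or Cyrillic, is exactly what a custom word list catches.

```python
import math
import re
from hashlib import pbkdf2_hmac

KEY_BITS = 256  # nominal strength of the cipher key, e.g. AES-256

def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """The cipher key is unlocked by a password through a KDF (PBKDF2 here);
    whoever guesses the password gets the 256-bit key without breaking the cipher."""
    return pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                       dklen=KEY_BITS // 8)

def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random over an alphabet."""
    return length * math.log2(alphabet_size)

def effective_bits(password_entropy: float, key_bits: int = KEY_BITS) -> float:
    """An attacker searches the smaller of the two spaces, so this is the
    real strength of the protected data, whatever the key length says."""
    return min(password_entropy, key_bits)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def personal_wordlist(documents: list[str]) -> set[str]:
    """Letter runs (Latin and Cyrillic alike) from the user's own text: the
    kind of custom list the post says succeeds 40-50% of the time."""
    words: set[str] = set()
    for doc in documents:
        words.update(w.lower() for w in re.findall(r"[^\W\d_]{3,}", doc))
    return words

def found_in_personal_words(password: str, wordlist: set[str]) -> bool:
    """Heuristic policy check: strip digits and punctuation and see whether
    what remains is a word lifted from the user's documents."""
    core = "".join(ch for ch in password if ch.isalpha()).lower()
    return core in wordlist

if __name__ == "__main__":
    # Constructed sample of a user's own e-mail text, not real data.
    docs = ["Walked Rover the dog, then booked the trip to Kharkiv.",
            "Отчёт за квартал: Андрей приедет в понедельник."]
    wl = personal_wordlist(docs)
    for pw in ("Rover2005", "Андрей!1", "q7#Lm9pZ"):
        bits = password_bits(94, len(pw))  # upper bound if it were random ASCII
        print(pw, "personal word:", found_in_personal_words(pw, wl),
              "effective bits at most:", round(effective_bits(bits), 1))
    print("derived key:", derive_key("Rover2005", b"salt").hex()[:16], "...")
```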
