Wiggly Wayne DDS
Sep 11, 2010



Antillie posted:

Well Sourceforge is the official place to get Veracrypt and Veracrypt isn't abandoned so I don't think there is anything wrong with getting it from them. Sourceforge was never the official place to get GIMP. Also the results of the code audit of TrueCrypt prove that it and by extension its open source derivatives in fact can be trusted. Stop spreading FUD.
Are you loving serious? Back up those claims.


DeaconBlues
Nov 9, 2011
Thanks for the advice OSI bean dip.

I was just giving VeraCrypt a try out and pretty impressed until you said TrueCrypt wasn't trustworthy :/

I liked the PIM function, which does a similar thing to what I mentioned earlier about using CPU intensive iterations to make it hard for an attacker to quickly decrypt. This is basically what I'm looking for, I think: an alternative to hashing that stresses the CPU and RAM.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

DeaconBlues posted:

What you've mentioned there, dougdrums and Antillie, were my concerns about just using a hash. Particularly about the thief knowing about hashing and trying various hash algo's during the brute-force attempt.

From the bits and bobs I have read, PBKDF2 and bcrypt are better than simple hashing because they utilize CPU and RAM more when doing a calculation. So if the attacker's PC is capable of performing a SHA256 hash in 0.001 seconds it might take the same PC 0.1 seconds to perform a PBKDF2 function. When you consider the number of permutations that the attacker has to generate before he/she finds the key that can make a major difference in time. I can only guess, but the difference between using a simple hash and PBKDF2 to find a 20 character password might be a difference of taking a few hours to a few years if each calculation is 100 times slower.
Anything (well, anything reputable) you'd be using to encrypt whatever you're worried about is already doing something like this under the covers - AES doesn't use passphrases for its key, it uses bits, so whatever encryption app you're using sends your passphrase through a key derivation function (like PBKDF2) to generate those bits. I can't imagine a scenario where you'd be better off with a short password + knowledge of which hashing function you used vs an easily remembered but sufficiently long phrase - you're not getting brute forced in either case unless someone figures out what you're doing in the first option (by, say, reading this thread).

wyoak fucked around with this message at 23:41 on Nov 20, 2015
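As an added illustration of the point wyoak makes (the encryption app turns a passphrase into key bits through a KDF, and the KDF's work factor is what makes each guess expensive), here is a small Python example. It is not code from the thread or from any product mentioned in it; the passphrase, salt and iteration count are constructed values chosen for the demonstration.

```python
import hashlib
import time

# Constructed inputs for the demonstration (not from the thread).
PASSPHRASE = b"correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; a real app draws this from a CSPRNG
ITERATIONS = 200_000  # work factor; a hypothetical choice for this example


def derive_key(passphrase: bytes, salt: bytes, iterations: int = ITERATIONS, length: int = 32) -> bytes:
    """Turn a passphrase into `length` key bytes (32 bytes = AES-256) with PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables; the iteration count sets the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=length)


def plain_hash_key(passphrase: bytes) -> bytes:
    """The 'simple hash' alternative the thread warns against: one SHA-256, no salt, no work factor."""
    return hashlib.sha256(passphrase).digest()


def cost_ratio(iterations: int = ITERATIONS, samples: int = 2000) -> float:
    """How many times slower one PBKDF2 guess is than one bare SHA-256 guess on this machine."""
    t0 = time.perf_counter()
    for _ in range(samples):
        plain_hash_key(PASSPHRASE)
    sha_per_guess = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    derive_key(PASSPHRASE, SALT, iterations)
    kdf_per_guess = time.perf_counter() - t0
    return kdf_per_guess / sha_per_guess


def brute_force_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace at a given guess rate (halve it for the average case)."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    key = derive_key(PASSPHRASE, SALT)
    print("derived AES-256 key:", key.hex())
    ratio = cost_ratio()
    print(f"one PBKDF2 guess costs about {ratio:,.0f} bare SHA-256 guesses")
    # A 10^12-guess search at 10^6 guesses/s takes ~11.6 days with a bare hash;
    # divide the guess rate by `ratio` to see what the KDF does to that figure.
    print("bare hash:", brute_force_seconds(10**12, 1e6) / 86400, "days")
    print("PBKDF2:   ", brute_force_seconds(10**12, 1e6 / ratio) / 86400, "days")
```

The derived key is what actually feeds the cipher, which is why two users with the same passphrase but different salts get unrelated keys, and why the attacker cannot speed things up by guessing which hash was used: the KDF, salt and iteration count are all public and the cost is paid per guess regardless.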

Inspector_666
Oct 7, 2003

benny with the good hair

OSI bean dip posted:



Any basic understanding of prime numbers would be enough to not let you wonder about why these are the largest pairs. I am not going to explain what is wrong in this code because if you're asking this then you shouldn't dare think about writing such.

Could you maybe explain it to those of us who are interested? Or is this thread just for people who are already so smart they don't need to actually discuss anything because holy poo poo you guys are gooning it up so loving hard.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Antillie posted:

Well Sourceforge is the official place to get Veracrypt and Veracrypt isn't abandoned so I don't think there is anything wrong with getting it from them. Sourceforge was never the official place to get GIMP. Also the results of the code audit of TrueCrypt prove that it and by extension its open source derivatives are solid and can in fact be trusted. Stop spreading FUD.

I too have read the report and actually believe that the cryptography is likely sound. I have no reason to refute that as there were many talented people going over its code to see what flaws there were. Minus some minor ones that can be and have been corrected, overall it's fine.

However, you were quick to cite that report and then fail to look at what is outside of the cryptography which is how it works within the OS. Here are two vulnerabilities released this past September:

https://code.google.com/p/google-security-research/issues/detail?id=538

quote:

The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped it’s trivial to get a new process running under the local system account.

https://code.google.com/p/google-security-research/issues/detail?id=537

quote:

The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by checking process of impersonation token which allow a user to inspect and potentially manipulate other users mounted encrypted volumes on the same machine.

These were not included in the original audit as they did not pertain to the cryptography. The original TrueCrypt developer(s) said that the software likely had some unfixable vulnerabilities and whether or not that can be confirmed, it can be confirmed that we have some code sitting within that is likely to rear its ugly head as more people descend on it. For this reason, I cannot put my faith in TrueCrypt (and its derivatives) not because of "FUD" but because we already have enough evidence to support that position.

Oh. And here's another security tool that was taken over by SourceForge.

Antillie
Mar 14, 2015

Wiggly Wayne DDS posted:

Are you loving serious? Back up those claims.

I was incorrect about VeraCrypt. It is in fact hosted at codeplex. However I did back up my claim about TrueCrypt with a link to a summary of the audit results.

So yes. I am loving serious.

Antillie
Mar 14, 2015

OSI bean dip posted:

Good info about TrueCrypt.

Interesting. Still those are things that can be fixed. Serious flaws are found in software all the time. I don't see how finding OS level flaws in TrueCrypt makes it harder to trust than Firefox or Chrome. Even Bash has had serious issues over the years.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Inspector_666 posted:

Could you maybe explain it to those of us who are interested? Or is this thread just for people who are already so smart they don't need to actually discuss anything because holy poo poo you guys are gooning it up so loving hard.
I'm no expert but if there are only 570 primes that the library can use it'd be trivial to generate every possible key. Real implementations use prime numbers of lengths that I can't comprehend.

wyoak fucked around with this message at 23:59 on Nov 20, 2015

Wiggly Wayne DDS
Sep 11, 2010



Antillie posted:

I was incorrect about VeraCrypt. It is in fact hosted at codeplex. However I did back up my claim about TrueCrypt with a link to a summary of the audit results.

So yes. I am loving serious.
You said:

quote:

Also the results of the code audit of TrueCrypt prove that it and by extension its open source derivatives in fact can be trusted. Stop spreading FUD.
The audit does not prove that, as OSI Bean Dip elaborated on.

Antillie posted:

Interesting. Still those are things that can be fixed. Serious flaws are found in software all the time. I don't see how finding OS level flaws in TrueCrypt makes it harder to trust than Firefox or Chrome. Even Bash has had serious issues over the years.
Well when the dev backs away from the project going "Don't touch this with a 10 foot pole" it changes the situation somewhat.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Inspector_666 posted:

Could you maybe explain it to those of us who are interested? Or is this thread just for people who are already so smart they don't need to actually discuss anything because holy poo poo you guys are gooning it up so loving hard.
I can but for the sake of what I was posting there I wanted to make it clear that asking that question means that you shouldn't be writing it.

RSA, like many other ciphers, relies on large prime numbers. When we talk about large prime numbers within RSA, we're talking about taking two that are very, very far apart. In this code example, the smallest prime number is 4507 and the largest is 9533. They're both not what RSA is looking for nor are they very far apart--when we talk "large prime", we're talking of a prime that would be of more or less 150 digits (the larger the better). We know based on this PHP array that there are only 570 prime numbers to choose from, meaning that there would only be something like <1,000,000 possible keys (I am doing ballpark numbers here and it would be between 100,000 and 1,000,000 so take it as it is). It wouldn't take long to run through all possible keys to decipher what was encrypted regardless of what key sets you're using.

I think that this article is probably worth a read:
http://doctrina.org/How-RSA-Works-With-Examples.html

Lain Iwakura fucked around with this message at 23:59 on Nov 20, 2015

Inspector_666
Oct 7, 2003

benny with the good hair
Right but why is 9521, 9533 the last pair in that guy's code?

(Is it something hilarious like him using a variable type that can't handle 5-digit numbers or something?)

EDIT: Or did you just mean that having the range all be so close makes it so dumb as to be entirely pointless and not worth thinking about at all.

Wiggly Wayne DDS
Sep 11, 2010



Inspector_666 posted:

Right but why is 9521, 9533 the last pair in that guy's code?

(Is it something hilarious like him using a variable type that can't handle 5-digit numbers or something?)
It was a pool from primes <10000

Antillie
Mar 14, 2015

Wiggly Wayne DDS posted:

Well when the dev backs away from the project going "Don't touch this with a 10 foot pole" it changes the situation somewhat.
I was referring specifically to the crypto. Which the audit does prove is solid. OSI bean dip was referring to OS specific issues that are outside of the audit and outside of what I was talking about. However he does make a good point. But the fact that these issues have been found also means that they will be corrected.

The TrueCrypt devs simply said that they were done. They never said why. Maybe they just got tired of working on the project. Maybe there is some horrible as yet unfound bug. Some bugs have been found and fixed. This is no different than any other software project. There might be some terrible remote code execution bug in Chrome right now but that isn't going to stop me from using Chrome.

I guess it just comes down to how paranoid you are.

Antillie fucked around with this message at 00:05 on Nov 21, 2015

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
Anyway this is neither here nor there but it kind of boggles my mind that computers can figure out if a 150 digit number is probably prime within a matter of microseconds and also that the 'probably' apparently isn't important.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Inspector_666 posted:

Right but why is 9521, 9533 the last pair in that guy's code?

(Is it something hilarious like him using a variable type that can't handle 5-digit numbers or something?)

EDIT: Or did you just mean that having the range all be so close makes it so dumb as to be entirely pointless and not worth thinking about at all.

It's because the developer didn't know what they were doing and decided to choose from a static list of primes <10,000. The prevailing thought in some circles for why the NSA is able to break so much cryptography isn't because they're looking for backdoors in the algorithms but instead poor implementations of prime numbers.

PHP isn't a language suited for doing such tasks anyway.

Antillie
Mar 14, 2015

OSI bean dip posted:

It's because the developer didn't know what they were doing and decided to choose from a static list of primes <10,000. The prevailing thought in some circles for why the NSA is able to break so much cryptography isn't because they're looking for backdoors in the algorithms but instead poor implementations of prime numbers.

PHP isn't a language suited for doing such tasks anyway.

On the subject of the NSA breaking crypto: take a look at this paper, specifically section "4.2 Is NSA Breaking 1024-bit DH?". It looks like most 1024 bit DH implementations use only two or three common sets of prime numbers. And it is plausibly within the capability of the NSA to have performed number field sieve precomputations for at least a small number of 1024 bit DH groups. Since most DH implementations use the same sets of primes the NSA could easily break IPSec, SSH, or TLS sessions protected with such a common 1024 bit DH exchange.

You guys probably already know about this but in the circles I tend to move in most people aren't aware of it.

Antillie fucked around with this message at 00:16 on Nov 21, 2015

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Antillie posted:

On the subject of the NSA breaking crypto: take a look at this paper, specifically section "4.2 Is NSA Breaking 1024-bit DH?". It looks like most 1024 bit DH implementations use only two or three common sets of prime numbers. And it is plausibly within the capability of the NSA to have performed number field sieve precomputations for at least a small number of 1024 bit DH groups. Since most DH implementations use the same sets of primes the NSA could easily break IPSec or TLS sessions protected with such a common 1024 bit DH exchange.

You guys probably already know about this but in the circles I tend to move in most people aren't aware of it.

Yeah. It was linked to in the article I shared.

wyoak posted:

Anyway this is neither here nor there but it kind of boggles my mind that computers can figure out if a 150 digit number is probably prime within a matter of microseconds and also that the 'probably' apparently isn't important.

It's not exactly that instantaneous.

Antillie
Mar 14, 2015

OSI bean dip posted:

Yeah. It was linked to in the article I shared.

Now that I have had time to read it I see that. Very nice. This is actually the reason why I am pushing for clients to use ECDHE instead of DHE (in addition to traditional RSA) on their HTTPS web sites as the devices we use for TLS termination do not support DHE exchanges larger than 1024 bits. The fact that ECDHE is also much faster is just a nice bonus. In fact I generally recommend the following cipher suite order when asked:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I know 3DES is getting pretty long in the tooth but some people still need to support TLS clients that can't do AES because stupidity reasons. I have often wondered about TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 vs TLS_RSA_WITH_AES_128_GCM_SHA256 since, as I understand it, it comes down to potential future padding issues with CBC vs ECDHE being better than RSA.

Antillie fucked around with this message at 00:50 on Nov 21, 2015
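To make the ordering rationale in Antillie's list explicit, here is an added Python example (not code from the thread) that parses IANA-style suite names into the properties the post is weighing, sorts by them, and reproduces his list. `PAGE_ORDER` is his list verbatim; the sort key encodes the preference he states (ECDHE over static RSA, GCM over CBC, SHA-1 suites after SHA-2 ones, larger keys first, 3DES last), and the `weaknesses` notes are my own summary of why each property matters, not his words.

```python
import re
from typing import Dict, List

# The suite preference Antillie posted, used here as the reference order.
PAGE_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# TLS_<key exchange>_WITH_<cipher>_<hash>; the hash is an HMAC for CBC suites and the PRF for GCM suites.
SUITE_RE = re.compile(r"^TLS_(?P<kex>.+?)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$")


def parse_suite(name: str) -> Dict[str, object]:
    """Break a suite name into the properties that decide its preference."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not an IANA-style suite name: {name}")
    kex, cipher, h = m.group("kex"), m.group("cipher"), m.group("hash")
    if cipher.startswith("AES_"):
        keybits = int(cipher.split("_")[1])
    elif cipher.startswith("3DES"):
        keybits = 112  # 168-bit key, about 112 bits of effective strength
    else:
        raise ValueError(f"cipher not handled in this example: {cipher}")
    return {
        "name": name,
        "forward_secrecy": kex.startswith(("ECDHE", "DHE")),
        "aead": cipher.endswith("_GCM"),
        "legacy_mac": h == "SHA",  # SHA-1 HMAC (meaningful for CBC suites only)
        "triple_des": cipher.startswith("3DES"),
        "keybits": keybits,
    }


def preference_key(s: Dict[str, object]):
    """Lower sorts first: AES before 3DES, ephemeral before static, AEAD before CBC, SHA-2 before SHA-1, bigger key first."""
    return (s["triple_des"], not s["forward_secrecy"], not s["aead"], s["legacy_mac"], -s["keybits"])


def rank(names: List[str]) -> List[str]:
    """Sort any list of suite names by the preference key."""
    return [s["name"] for s in sorted((parse_suite(n) for n in names), key=preference_key)]


def weaknesses(name: str) -> List[str]:
    """Plain-language notes on what a suite gives up, for explaining the ordering to a client."""
    s = parse_suite(name)
    notes = []
    if not s["forward_secrecy"]:
        notes.append("no forward secrecy (static RSA key exchange)")
    if s["triple_des"]:
        notes.append("3DES: 64-bit block, 112-bit effective strength")
    if not s["aead"]:
        notes.append("CBC mode: MAC-then-encrypt, padding-oracle history")
        if s["legacy_mac"]:
            notes.append("HMAC-SHA1 integrity")
    return notes


if __name__ == "__main__":
    for suite in rank(sorted(PAGE_ORDER)):  # feed it alphabetically to show the key does the work
        print(suite, "->", "; ".join(weaknesses(suite)) or "ok")
```

The key also answers the question posed about TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 versus TLS_RSA_WITH_AES_128_GCM_SHA256: with forward secrecy ranked above AEAD, the ECDHE CBC suite sorts first, which is the choice the posted list already makes.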

Kazinsal
Dec 13, 2011



Related to not rolling your own crypto, V8's Math.random() has some gnarly collision issues. Includes a graphical representation of noise generated by Safari's Math.random() vs. noise generated by V8's Math.random(). Patterns are immediately visible in the V8 one, while the Safari one is much more random.

RISCy Business
Jun 17, 2015

bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork bork
Fun Shoe

Antillie posted:

I thought this was a thread where we could discuss whether or not it should be best practice to disable TLS 1.0 on web servers that also support TLS_FALLBACK_SCSV. Or maybe what a good lifetime value would be for a HTTP Strict Transport Security header and the pros and cons of including the preload option in said header. But for some reason we are talking about a new form of advertising tracking that is supposedly only being used in India.

infosec is a much larger and broader topic than you think it is. it entails not only application and network security, but privacy, cryptography, anonymity, and more. stick around and you might learn something.

also: 3 keybase invites left, root[a]reverie.pw since i don't have plat anymore

RISCy Business fucked around with this message at 04:15 on Nov 21, 2015

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Kazinsal posted:

Related to not rolling your own crypto, V8's Math.random() has some gnarly collision issues. Includes a graphical representation of noise generated by Safari's Math.random() vs. noise generated by V8's Math.random(). Patterns are immediately visible in the V8 one, while the Safari one is much more random.

Firefox's is good too, but I bet it's slower by a few microseconds, so the V8 team will be nuh-uh.

sarehu
Apr 20, 2007

(call/cc call/cc)
Math.random() isn't supposed to be secure or good. That it's so obviously your basic pseudo-random number generator is probably good in the long run.

titaniumone
Jun 10, 2001

DeaconBlues posted:

What you've mentioned there, dougdrums and Antillie, were my concerns about just using a hash. Particularly about the thief knowing about hashing and trying various hash algo's during the brute-force attempt.

From the bits and bobs I have read, PBKDF2 and bcrypt are better than simple hashing because they utilize CPU and RAM more when doing a calculation. So if the attacker's PC is capable of performing a SHA256 hash in 0.001 seconds it might take the same PC 0.1 seconds to perform a PBKDF2 function. When you consider the number of permutations that the attacker has to generate before he/she finds the key that can make a major difference in time. I can only guess, but the difference between using a simple hash and PBKDF2 to find a 20 character password might be a difference of taking a few hours to a few years if each calculation is 100 times slower.

who the gently caress do you think you are that a real concern is someone breaking into your house, stealing poo poo, and then focusing on breaking your encrypted files

get real

titaniumone
Jun 10, 2001

Kazinsal posted:

Related to not rolling your own crypto, V8's Math.random() has some gnarly collision issues. Includes a graphical representation of noise generated by Safari's Math.random() vs. noise generated by V8's Math.random(). Patterns are immediately visible in the V8 one, while the Safari one is much more random.

i'm the guy running a betting site relying on random numbers who's too stupid to understand the difference between a random number and a unique identifier.

this is an enormous article to explain his tentative grasp on random numbers and never once touches on why isn't he just using UUIDs of some form.

quote:

ENGINEERING THE DISRUPTION OF
REAL MONEY GAMING.
ah i see it's because he's an imbecile

Kazinsal
Dec 13, 2011



I didn't actually read what his situation was, I just assumed it was the gambling equivalent of bitcoin and was curious as to how he hosed everything up.

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)

OSI bean dip posted:

Any basic understanding of prime numbers would be enough to not let you wonder about why these are the largest pairs. I am not going to explain what is wrong in this code because if you're asking this then you shouldn't dare think about writing such.

How can nerds be so smug.

via
Dec 14, 2013
Wrong thread, I'm sure. But this has been bothering me for at least 15 years. Why were dictionary/brute force attacks ever possible? What is the use in letting a client attempt 1,000,000 passwords? Why would it even let you try five?

MrMoo
Sep 14, 2000

Simple, that requires state and adds complexity to the code.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

via posted:

Wrong thread, I'm sure. But this has been bothering me for at least 15 years. Why were dictionary/brute force attacks ever possible? What is the use in letting a client attempt 1,000,000 passwords? Why would it even let you try five?

If the software doesn't have any detection and just keeps allowing password attempts, then that is the reason why. It used to be common that someone would just hammer some basic accounts (usually service-related) on a UNIX server, log in, grab the passwd file, log off, and then later come in with an account that has more permissions as they've run a dictionary against the passwords.

Clifford Stoll's "The Cuckoo's Egg" is worth a read if you're curious how things used to be.

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)

via posted:

Wrong thread, I'm sure. But this has been bothering me for at least 15 years. Why were dictionary/brute force attacks ever possible? What is the use in letting a client attempt 1,000,000 passwords? Why would it even let you try five?

People still brute force ssh servers, I guess people still use guessable ones.

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

OSI bean dip posted:

Any basic understanding of prime numbers would be enough to not let you wonder about why these are the largest pairs. I am not going to explain what is wrong in this code because if you're asking this then you shouldn't dare think about writing such.

Second of all, anything derived from TrueCrypt should not be trusted.
Can you explain the mathematics for the first bit for everyone else who's interested in understanding why?


As for Truecrypt forks, if we're going to apply that level of paranoia consistently, what can we use? We can't do public code reviews on commercial, closed source FDE tools like Bitlocker and PGP. We can't rule out government interference in Truecrypt, nor can we rule it out with commercial offerings (MS removed the Elephant diffuser from Bitlocker :tinfoil:), or undisclosed vulnerabilities that malicious actors are also exploiting etc etc

Mr Chips fucked around with this message at 13:51 on Nov 24, 2015

Main Paineframe
Oct 27, 2010

via posted:

Wrong thread, I'm sure. But this has been bothering me for at least 15 years. Why were dictionary/brute force attacks ever possible? What is the use in letting a client attempt 1,000,000 passwords? Why would it even let you try five?

Typically, people just didn't think about preventing it, or simply didn't bother. Preventing brute-forces requires at least a little extra effort above and beyond just implementing the authentication. It's not that there's any particular use in letting a client attempt 1,000,000 passwords, it's that it takes extra work to put something in to prevent them from doing so, and not everyone does that extra work.

Inspector_666
Oct 7, 2003

benny with the good hair

Main Paineframe posted:

Typically, people just didn't think about preventing it, or simply didn't bother. Preventing brute-forces requires at least a little extra effort above and beyond just implementing the authentication. It's not that there's any particular use in letting a client attempt 1,000,000 passwords, it's that it takes extra work to put something in to prevent them from doing so, and not everyone does that extra work.

It seems like when people get to brute force passwords these days it's because they were able to get the hashes via a compromised account and download the table, rather than somebody hammering a webserver or something.

Antillie
Mar 14, 2015

via posted:

Wrong thread, I'm sure. But this has been bothering me for at least 15 years. Why were dictionary/brute force attacks ever possible? What is the use in letting a client attempt 1,000,000 passwords? Why would it even let you try five?

I see SSH, RDP, and FTP servers get hit with brute force attacks all the time. Mostly because most people, including many sys admins, are bad at picking good passwords and/or don't bother to turn on account lockout policies. Systems with port 22, 21, or 3389 open to the world and poor passwords are low hanging fruit. And they are common enough for it to be worth letting a script look for them.

Brute force attacks are very easy to prevent. But the "it won't happen to me" mentality is quite common among the general sys admin population so there are a lot of systems out there that don't have any of the basic brute force mitigation methods configured. The same goes for web applications with badly written SQL queries and people installing Wordpress (and random Wordpress plugins) and then never updating it.
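The "basic brute force mitigation" this post and the preceding ones describe comes down to two things: noticing repeated failures from one source, and keeping the state MrMoo mentions so that further attempts can be refused. As an added Python example (not from the thread), here is both halves run over constructed sshd log lines in syslog format; the hostnames and addresses are documentation-range placeholders, and the thresholds and windows are arbitrary choices for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sshd log lines (documentation-range IPs, not real hosts).
SAMPLE_LOG = """\
Nov 21 00:05:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 21 00:05:03 bastion sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Nov 21 00:05:04 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51238 ssh2
Nov 21 00:05:06 bastion sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Nov 21 00:05:07 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 51242 ssh2
Nov 21 00:05:09 bastion sshd[2106]: Failed password for invalid user pi from 203.0.113.5 port 51244 ssh2
Nov 21 00:09:30 bastion sshd[2140]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov 21 00:09:45 bastion sshd[2141]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Nov 21 00:40:00 bastion sshd[2300]: Failed password for root from 198.51.100.9 port 40100 ssh2
Nov 21 00:55:00 bastion sshd[2301]: Failed password for root from 198.51.100.9 port 40101 ssh2
Nov 21 01:10:00 bastion sshd[2302]: Failed password for root from 198.51.100.9 port 40102 ssh2
Nov 21 01:25:00 bastion sshd[2303]: Failed password for root from 198.51.100.9 port 40103 ssh2
Nov 21 01:40:00 bastion sshd[2304]: Failed password for root from 198.51.100.9 port 40104 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_attempts(log: str) -> Dict[str, List[datetime]]:
    """Group failed-login timestamps by source address."""
    attempts: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog omits the year; that is fine for deltas within one day of logs
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            attempts[m.group("ip")].append(ts)
    return attempts


def brute_force_sources(log: str, threshold: int = 5, window_seconds: int = 60) -> Set[str]:
    """Addresses with at least `threshold` failures inside some window of `window_seconds`."""
    flagged = set()
    for ip, times in failed_attempts(log).items():
        times.sort()
        j = 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1  # slide the window's left edge forward
            if i - j + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


class LockoutPolicy:
    """The per-source state a server keeps so it can refuse attempt number N+1."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.failures: Dict[str, List[datetime]] = defaultdict(list)

    def allowed(self, ip: str, now: datetime) -> bool:
        """May this source present a password right now?"""
        recent = [t for t in self.failures[ip] if now - t <= self.window]
        self.failures[ip] = recent  # forget failures that have aged out
        return len(recent) < self.max_failures

    def record_failure(self, ip: str, now: datetime) -> None:
        self.failures[ip].append(now)


if __name__ == "__main__":
    print("fast guessing:", brute_force_sources(SAMPLE_LOG))
    print("low and slow (1h window):", brute_force_sources(SAMPLE_LOG, window_seconds=3600))
```

The second call shows why the window matters: 198.51.100.9 spaces its guesses fifteen minutes apart and is invisible to a one-minute rule but obvious over an hour, which is the trade-off between catching slow attackers and locking out users who mistype twice.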

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Mr Chips posted:

Can you explain the mathematics for the first bit for everyone else who's interested in understanding why?

In terms of why a large prime number is needed or how all of RSA works here? I am not a cryptographer so explaining RSA properly is not going to go well here--I do understand it and can give an explanation here but it's like me trying to explain my house's electrical system as if I have a plumber's perspective. I do recommend reading this page to see how it all works.

If we're talking about large primes here, it's quite simple: computers can't quickly factorize numbers. The problem that classical computers face right now is that calculating the factors of a number is quite intensive and that as numbers get larger the ability to determine all factors takes significantly longer (see this Wikipedia article for further elaboration). This is why finding prime numbers has over time taken longer, but if you want to see the problem first hand without a computer, see how long you take to count completely in primes and you'll start to understand that you're running into a similar problem.

[edit]

Just read this post:
http://forums.somethingawful.com/showthread.php?threadid=3750534&pagenumber=2#post453102981

quote:

As for Truecrypt forks, if we're going to apply that level of paranoia consistently, what can we use? We can't do public code reviews on commercial, closed source FDE tools like Bitlocker and PGP. We can't rule out government interference in Truecrypt, nor can we rule it out with commercial offerings (MS removed the Elephant diffuser from Bitlocker :tinfoil:), or undisclosed vulnerabilities that malicious actors are also exploiting etc etc

If your concern is that you cannot do commercial code review of your closed source FDE (such as Bitlocker), why are you using Windows overall? Truthfully I am more worried about how the OS and FDE interact rather than the cryptography. If you're at this level of paranoia, use Linux with dm-crypt.

Lain Iwakura fucked around with this message at 18:06 on Nov 24, 2015

Antillie
Mar 14, 2015

Mr Chips posted:

As for Truecrypt forks, if we're going to apply that level of paranoia consistently, what can we use? We can't do public code reviews on commercial, closed source FDE tools like Bitlocker and PGP. We can't rule out government interference in Truecrypt, nor can we rule it out with commercial offerings (MS removed the Elephant diffuser from Bitlocker :tinfoil:), or undisclosed vulnerabilities that malicious actors are also exploiting etc etc

For the truly paranoid the only real option is to roll your own solution. But I think we all know how well that tends to work out if you aren't an expert in cryptography and number theory.

However the second major audit of TrueCrypt, which includes more than just the cryptography functions audited previously in April, was recently completed. Ars Technica has a nice summary. The important part is that you have to realize what TrueCrypt and its derivatives are for. Securing data while it is at rest. That is, when the encrypted volume is not mounted.

Wiggly Wayne DDS and OSI bean dip will probably disagree but I feel that VeraCrypt is a reasonable alternative assuming you aren't in a position to spend millions of dollars to develop your own solution.

And honestly I feel that titaniumone makes a very good point. If someone breaks into your car or house and steals your laptop they aren't going to try and break any crypto, even terrible crypto, to try and find information about you. They are going to hawk it at the nearest pawn shop who will in turn throw a fresh Windows install on it and put it up for sale.

Now I suppose if someone broke into my car in the office parking lot and stole my laptop there is a small chance they might be someone looking for information on our company or our customers (such as private keys for TLS certificates, passwords for internal systems, etc.) and they may look around on my laptop for such information. I think that VeraCrypt would be perfectly capable of thwarting any such attempt. It might have some hidden flaw that would prevent it from keeping the NSA from extracting information from my laptop. But groups with the resources of a nation state aren't my main adversary. That said, I think that TrueCrypt/VeraCrypt, if properly used, would still give the NSA a serious headache.

Antillie fucked around with this message at 17:39 on Nov 24, 2015

ExcessBLarg!
Sep 1, 2001

Mr Chips posted:

Can you explain the mathematics for the first bit for everyone else who's interested in understanding why?
Prime numbers exist above 10,000, so the claim that 9533 is the largest prime is pretty laughable. As for why, I'm not a mathematician so I won't explain it in a rigorous way, but intuitively there's nothing particularly special about "10,000" to think that there aren't prime numbers larger than that.

As for why it's a problem, the security of RSA relies on it being "slow" and "difficult" for computers to factor composite numbers into their prime factors. But while computers are "slow" at doing that, they're still able to do it pretty well for numbers of sizes that we can comprehend. Eight-digit RSA keys are effectively trivial to factor. Back in the 90s, RSA-768 keys with 232 digits (116 digit prime factors) were considered secure. But an RSA-768 key was factored in 2009 and at some point (if not already) they will be factorable by folks with sufficient funding (governments, etc.). RSA-1024 (~300 digit keys) is still considered secure, but uncomfortable, with RSA-2048 (~600 digit keys) being recommended (to the extent folks still recommend RSA).

Wolfram MathWorld has a page on RSA Numbers, discussing different key sizes and when the RSA Factoring Challenge keys were broken.
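The three posts on the PHP prime list (Lain Iwakura's count of roughly 570 primes between 4507 and 9533 and the resulting sub-million key space, wyoak's remark about probable-prime tests on 150-digit numbers, and ExcessBLarg!'s point that RSA is only safe when the modulus is too big to factor) can all be checked with one added Python example. It is not code from the thread; the static-pool bounds are the ones the thread quotes, the modulus is built from the 9521, 9533 pair mentioned there, and 2^521-1 is used as a known 157-digit prime because the thread names no specific large prime.

```python
import math
import time
from typing import List, Optional, Tuple

POOL_LOW, POOL_HIGH = 4507, 9533  # smallest and largest primes in the PHP array the thread discusses


def sieve(limit: int) -> List[int]:
    """All primes <= limit (sieve of Eratosthenes)."""
    flags = bytearray([1]) * (limit + 1)
    flags[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(limit) + 1):
        if flags[i]:
            flags[i * i :: i] = bytes(len(range(i * i, limit + 1, i)))
    return [i for i, f in enumerate(flags) if f]


def prime_pool(low: int = POOL_LOW, high: int = POOL_HIGH) -> List[int]:
    """The candidate primes a static list over [low, high] can draw from."""
    return [p for p in sieve(high) if p >= low]


def key_space(pool: List[int]) -> int:
    """Number of distinct moduli n = p*q with p < q both taken from the pool."""
    k = len(pool)
    return k * (k - 1) // 2


def factor_over_pool(n: int, pool: List[int]) -> Optional[Tuple[int, int]]:
    """Recover p, q for a modulus built from pool primes by trial division over the pool alone."""
    for p in pool:
        if n % p == 0:
            return p, n // p
    return None


SMALL_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: exact for n < 3.3e24, a strong probable-prime test beyond that.
    This is the 'probably prime' check wyoak asks about; it never rejects a true prime."""
    if n < 2:
        return False
    for p in SMALL_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # `a` witnesses that n is composite
    return True


if __name__ == "__main__":
    pool = prime_pool()
    print(f"{len(pool)} primes in [{POOL_LOW}, {POOL_HIGH}] -> at most {key_space(pool):,} distinct moduli")
    n = 9521 * 9533
    t0 = time.perf_counter()
    print("factored", n, "as", factor_over_pool(n, pool), f"in {time.perf_counter() - t0:.6f}s")
    m521 = 2**521 - 1  # a known Mersenne prime with 157 decimal digits
    t0 = time.perf_counter()
    print("2^521-1 probable prime:", is_probable_prime(m521), f"in {time.perf_counter() - t0:.4f}s")
```

Trial division over a few hundred candidates recovers the factors of the pool-built modulus in microseconds, which is the whole objection to the static list; the same approach does nothing against a modulus whose factors are themselves hundreds of digits long, where the record attack is the number field sieve run ExcessBLarg! cites for RSA-768. The probable-prime test on the 157-digit number is fast but not free: each base costs a full modular exponentiation, which is what "not exactly that instantaneous" refers to.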

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

ExcessBLarg! posted:

Prime numbers exist above 10,000, so the claim that 9533 is the largest prime is pretty laughable. As for why, I'm not a Mathematician so I won't explain it in a rigorous way, but intuitively there's nothing particularly special about "10,000" to think that there aren't prime numbers larger than that.

As for why it's a problem, the security of RSA relies on it being "slow" and "difficult" for computers to factor composite numbers into their prime factors. But while computers are "slow" at doing that, they're still able to do it pretty well for numbers of sizes that we can comprehend. Eight-digit RSA keys are effectively trivial to factor. Back in the 90s, RSA-768 keys with 232 digits (116 digit prime factors) were considered secure. But an RSA-768 key was factored in 2009 and at some point (if not already) they will be factorable by folks with sufficient funding (governments, etc.). RSA-1024 (~300 digit keys) is still considered secure, but uncomfortable, with RSA-2048 (~600 digit keys) being recommended (to the extent folks still recommend RSA).

Wolfram MathWorld has a page on RSA Numbers, discussing different key sizes and when the RSA Factoring Challenge keys were broken.

This is far better than what I had posted. :)

Antillie
Mar 14, 2015

So it's not just one, but three rogue root certs that Dell has been installing on every laptop that it has sold for the past while. What really floors me is that they also included the private key so anyone can sign TLS certificates or executable code with this root cert and Dell PCs will trust the result automatically. Hooray for OEM stupidity.


Subjunctive
Sep 12, 2006

✨sparkle and shine✨

They're doing the same thing as Lenovo and saying it's not a security problem, too.

Burn it. Burn it all.
