Cryptography for Mere Mortals #6

Cryptography for Mere Mortals #6

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.

Q: Is it really as easy to hack into someone’s computer or a website, or to decrypt an encrypted file, as they show it in the movies?

A: No, no, and no! This is worth repeating because folks don’t understand it, and get all kinds of wild ideas about passwords as a result. OK, having said that…actually the real answer is “sometimes, maybe”. But certainly not the way they do it in movies.

First, understand that far too many passwords are demonstrably weak. We’ve all been told not to use common words, but people do it anyway. And there are plenty of free cracking tools that make it easy to try every one of those words fairly quickly. So for people who use such weak passwords, it may be that easy—but still probably not in mere seconds or even minutes.

What’s far more likely is that (again, despite having been told repeatedly not to do so) the target has used a birthday, or anniversary, or the name of a spouse, pet, or relative. This starts to get into the realm of “social engineering”—gleaning useful information from people—which is the third way that passwords are frequently acquired. See this link for a spot-on cartoon showing how that works.

Note that for computer or website access, brute force likely won’t succeed anyway: most websites and operating systems will lock out a logon (temporarily or permanently) after some number of failed attempts. For example, Windows 7 adds a delay of about 30 seconds after the third failed attempt. More secure systems may lock the user out until a manual reset is performed by an administrator. (Most operating systems, Windows included, keep passwords hashed in a file. If you can get at that file, and the hashing was done badly—without a salt—you may be able to brute force some passwords. The next installment of CFMM will talk about hashing.)

For Windows there are other approaches. In Windows XP, you can boot to Safe Mode and reset the administrator password. Law enforcement can use the Microsoft COFEE (Computer Online Forensic Evidence Extractor) tool. The Wikipedia page linked in the previous sentence states that “COFEE includes tools for password decryption, Internet history recovery and other data extraction. It also recovers data stored in volatile memory which could be lost if the computer were shut down.” Of course there is now also an anti-COFEE tool called DECAF (Detect and Eliminate Computer Acquired Forensics), so if the bad guy has anticipated the attack and installed this, COFEE may be less effective.

And there’s always removing the hard drive and just reading the raw data. If the disk isn’t encrypted, this will work quite well. If it is encrypted, then you’re back to brute-forcing that password.

Which raises the next question: even supposing that you have the resources and time to brute-force a password, and the target won’t lock you out after some number of failed attempts, how do you know what algorithm to decrypt the data with? Was it encrypted with AES? What mode—EME*, CBC, FFX? Or was it DES or TDES? Or Blowfish, or any of the myriad other choices?

OK, let’s assume that you know that answer. There’s one last big problem: how will you know when you’ve cracked the encryption?

This is a non-trivial question. If you’re trying to login, you know when you’ve got the right password, because it lets you in. If you’re trying to decrypt a file, and you don’t know the expected file format in advance, you might find the right password on the first try and not realize it. For example, if I create a ZIP file of a Word document and rename it from .zip to .exe, you would probably check for the executable file header in the “decrypted” file. So even if you found the right password, you would not find that header, and would keep looking. You could check for multiple file formats on each attempt, but that would increase the time to crack.

When cryptographers look for weaknesses in an algorithm, they “cheat” by making assumptions: one of these is that they know the data format. As you can see from the preceding discussion, this gives them a pretty big leg up!

Oh, and one final point: passwords aren’t tumbler locks—you don’t crack them one digit at a time. There’s a good page here about that movie cliché.

So in short, there may be ways to break into someone’s computer or a website, or to decrypt an encrypted file, but movies and TV rarely show a realistic way to do so.

  • Jason Morgan

    I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading what you all have to say… oklahoma cirt restoration


Leave a Reply

Your email address will not be published. Required fields are marked *