Do you think the feds can break GOOD encryption?
Asked by LurveMe (41), May 6th, 2010
I was watching a story on American Greed where the feds were tracking a credit card fraud ring. They essentially seized the leader (Iceman)’s computer and decrypted it. He was charged and convicted.
They never went into detail about how securely implemented the encryption was (weak algorithms, DES possibly, well known passphrases, etc.). I do understand that encryption can be defeated by poor implementations of the algorithms, but I don’t see how if it is proper.
Do you feel the feds can break PROPERLY IMPLEMENTED AES encryption? The key space on that sucker is 2^256 or ~1.1579 X 10^77 different keys. Even at a billion keys per second it would take ~1.15 X 10^68 seconds or 3.65X10^60 YEARS!! That’s YEARS! I don’t care how much computing power you throw at that thing…
21 Answers
Yes. They have special teams for the really hard encryptions. Cryptologists use many different tools for deciphering codes. Given enough time, they can crack most encryptions. Though I do remember reading a story about one they had not cracked, I’ll see if I can find it. Found it, it’s a code the CIA has been working on for years. Here’s the link.
I’ve read two very interesting books about the NSA (The Puzzle Palace and Body of Secrets: Anatomy of the Ultra-Secret National Security Agency) and they have 6 acres of underground computers (many of them are massive supercomputers) at their headquarters in Fort Meade, Maryland. If they want to break codes and decrypt something, they certainly have the computer power and the knowledge on how to do so.
I think they have the manpower and motivation to be able to defeat good encryption.
I redid the math. Now assume they try 1,000,000,000,000,000,000 (18 0s) keys per second which I doubt they can do even with that power. I don’t even know what that number would be called lol.
To brute force the keyspace of 2^256 it still comes out to 3.67X10^51 YEARS.
Now I’ve read that the complexity of AES can be reduced (under certain specific conditions, most likely not a sufficiently random key).
Let’s assume the complexity was reduced to 2^128 and keys were still tried at the seemingly impossible rate mentioned above. It will still take 10790283070806 YEARS to brute force the reduced complexity keyspace.
Math is math. These algorithms (AES) are PUBLIC and PROVEN (mathematically) to be secure. How can the NSA just violate math? Exhausting a keyspace like this will require a power dissipation greater than that of the known universe or something of that matter.
http://en.wikipedia.org/wiki/Brute_force_attack
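Added example (not part of any post in this thread): the brute-force arithmetic from the posts above, done with exact integers, and extended beyond the thread's figures to the case the question raises, where the key is derived from a passphrase. The function names, the 8-letter lowercase passphrase and the 365-day year are assumptions made for the illustration.

```python
import math

# Assumption: a 365-day year, which reproduces the thread's 2^128 figure.
SECONDS_PER_YEAR = 365 * 24 * 3600


def seconds_to_exhaust(keyspace: int, keys_per_second: int) -> int:
    """Worst-case whole seconds to try every candidate once (ceiling)."""
    return -(-keyspace // keys_per_second)


def years_to_exhaust(keyspace: int, keys_per_second: int) -> int:
    """Worst-case whole years (floor) to try every candidate once."""
    return keyspace // (keys_per_second * SECONDS_PER_YEAR)


def effective_bits(key_bits: int, alphabet_size: int, length: int) -> float:
    """Size of the search space in bits when the key comes from a passphrase.

    The search is bounded by the smaller of the cipher keyspace (2**key_bits)
    and the number of possible passphrases (alphabet_size ** length).
    """
    passphrase_bits = length * math.log2(alphabet_size)
    return min(float(key_bits), passphrase_bits)


def report() -> list[str]:
    """Summary lines for the thread's rates plus one constructed passphrase."""
    rows = []
    for bits in (128, 256):
        years = years_to_exhaust(2**bits, 10**18)  # rate assumed in the thread
        rows.append(f"2^{bits} keys at 1e18 keys/s: {years:.3e} years")
    # Constructed case: AES-256 key derived from 8 lowercase letters,
    # searched at the question's rate of a billion guesses per second.
    # (A slow key-derivation function lowers the rate, not the space.)
    bits = effective_bits(256, 26, 8)
    secs = seconds_to_exhaust(26**8, 10**9)
    rows.append(f"8 lowercase letters: {bits:.1f} bits, {secs} seconds at 1e9/s")
    return rows


if __name__ == "__main__":
    print("\n".join(report()))
```

The cipher's keyspace only sets the cost when the secret behind the key is as large as the key itself; a long random passphrase (for example 64 printable ASCII characters) leaves the full 256 bits in place.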
They haven’t managed to break the Voynich manuscript. Of course, that in itself may be a hoax…
The cost to break encryption and the time required make me seriously doubt they bother with it when there’s an alternative method of getting the data → http://xkcd.com/538/ (I realize that link is a joke but seriously, I doubt it’s far from the truth—it’s by far the easiest solution)
@timtrueman I’m sure there are people interrogating suspects while the cryptologists are at work. So while they may not beat the guys with wrenches, I’m sure they are using just as effective interrogation techniques.
Actually, there’s an interesting case about something called PGP encryption. (I don’t know much about it, but here’s a link to a Wikipedia article.) Apparently, multiple governments have not been able to crack it. So, if they seize a computer running PGP encryption, they’ve resorted to (legally) trying to force the owner to reveal the password. One person is fighting a subpoena to reveal his password on 5th Amendment grounds.
I thought the US govt was trying to force encryption software companies to build a back door into the encryption or something? Or maybe limit the size of the keys?
I don’t know, but it wouldn’t surprise me. Here is what Phil Zimmermann (creator of PGP) has to say, though.
Short answer – Yes.
Long answer – It depends how much time, resources and processing power they are willing to throw at the problem.
Considering there are published AES attacks, imagine the techniques that they’ve not published over at No Such Agency.
Yes, of course they can. I have read (several years ago) that they actually hire people who compete with each other to see if one can write an unbeatable encryption, with the others trying to ‘crack’ it.
@Dr_Dredd I’ve used that encryption style in the past to protect myself against the government – worked great.
It’s not a matter of if but a matter of when.
Also bear in mind that technology advances pretty quickly. For instance, the Enigma cipher was devilishly difficult and decrypting Enigma messages was time-consuming beyond comprehension at one point. Flash forward about half a century and then you find more computing power in your living room than the entire world had back in 1945. Flash forward another 15 years to right now and you have PCs that make the computers of a mere five years ago look rather quaint. I think that there is an Enigma machine app for the iPhone…
If they can write it they can break it. If someone writes unbreakable code, they will be recruited. Just like hackers and phone phreaks are.
More clearly, any crypto is breakable… like @jerv says, it’s merely a function of time.
Bruce Schneier sums up the concept of risk nicely:
Cryptography is all about safety margins. If you can break n rounds of a cipher, you design it with 2n or 3n rounds. What we’re learning is that the safety margin of AES is much less than previously believed. And while there is no reason to scrap AES in favor of another algorithm, NIST should increase the number of rounds of all three AES variants. At this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds. Or maybe even more; we don’t want to be revising the standard again and again.
—
That said, I think it highly unlikely that anyone’s got instant, real-time decrypt capabilities that can be applied against the volume of all “interesting” communications.
Like all the above answers. Matter of time and resources. But smart experienced crackers use sophisticated methods targeted for the algorithm and/or situation.
The brute-force method is “guaranteed” to eventually work, but it is also the most inefficient. If you study the design of the encryption algorithm and system more you can create a compatible algorithm resembling the patterns eliminating waste cycles. If that doesn’t make sense, just think given the reaction of the encryption algorithm A and what you have to work with (file, part of key, other binary traces), you have a fair clue as to what could work or what couldn’t.
The situation: how did you acquire the encrypted file? Often it’s easier to attack flaws in the encryption/decryption program/software running in the client and/or server instead of attacking the encrypted file itself.
A situation where you only have the file to work with is, in other words, the worst case scenario. But even then, there are shortcuts you can try. In other words, you may not need as many resources if you design a smart attack. But you won’t be decrypting the file on its own, but abusing the system it is tied to.
Governments and agencies can and will use those shortcuts as well as individuals. Attacking the weakest security links up until the required access to simply open the file in its natural system :)
Social engineering as in the cartoon posted by @timtrueman is probably the easiest way. That’s why god invented spies.