Currently, I’m using GNU Privacy Guard [1] and Veracrypt [2] to protect sensitive information on my hard drive with a password. A password that is only 7 characters long is usually considered much too weak to be of any use. Any law enforcement official, any spook and any cyber criminal worth his salt would be able to open the file in question faster than it takes to spell NSA.
I wonder if there are tools that check a number of files for weak encryption (using, I guess, a brute force approach) and if they find one, open the file. And the question which is even more important: If these tools do exist, how prevalent are they?
My security scenario is this: The aim is not to protect against an expert attacker who knows that I have encrypted files and who wants to gain access to those files. I’m thinking more of a nosy individual who happens to stumble upon a discarded hard drive and who checks if there is anything interesting (documents, pictures) but who will not put in any more effort once he realizes that there is only (what appears to be) random binary data.
Well, I can whip up a script to run such a brute force attack in 5 minutes, for the case of a command-line GnuPG, to run a DICTIONARY attack.
The strength is in the size of the dictionary.
You use the term “brute force” unclearly.
Of course I could grow my dictionary in increments, taking 5 minutes of coding to make it 10,000 times larger (e.g. apples1, apples2, apples007 and so on).
But then the run time (to create the dictionary, and then to test the dictionary against the encrypted file) increases radically too.
The other form of brute force is to be able to crack it, 100% sure, against any password… Well, DES and RC5-40 and RC5-56 were cracked in less time,
but in 2002 RC5-64 was cracked after many CPUs ran the 100% brute force attack against it… for 5 years. The idea is that the computer power at NSA could do it in far less time, and also there may be custom CPU systems built to speed up the job. Custom? Nah, these days there’s ready-built hardware… the modern parallel-processor 3D graphics chips can be used to run the tight loops really fast, while the computer’s main CPU does word processing, email, displaying the news, playing Candy Crush… the DES crack hardware is so, so similar to the fastest graphics cards of today.
Who needs custom hardware, or even their own hardware, these days? In July 2012, security researchers David Hulton and Moxie Marlinspike unveiled a cloud computing tool for breaking the MS-CHAPv2 protocol by recovering the protocol’s DES encryption keys by brute force. This tool effectively allows members of the general public to recover a DES key from a known plaintext-ciphertext pair in about 24 hours.
Basically, they replaced a $250,000 piece of custom hardware containing 1000 CPUs with time rented from cloud CPU/RAM/HDD suppliers, a few thousand worth.
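
Added example, not part of the original posts: a small password audit that contrasts the two search strategies the thread distinguishes, a wordlist grown with digit suffixes (the apples007 pattern) and an exhaustive search, and reports the worst-case work for a given password. The wordlist, the four-digit suffix limit and the guess rate are constructed assumptions, not measured figures for GnuPG or Veracrypt.

```python
import math
import string

# Constructed sample values: assumptions for illustration only.
WORDLIST = ["apples", "dragon", "monkey", "sunshine"]
MAX_SUFFIX_DIGITS = 4        # covers apples, apples1 ... apples007 ... apples9999
GUESSES_PER_SECOND = 1e6     # assumed guess rate, not a benchmark


def charset_size(password):
    """Size of the alphabet an exhaustive search must cover for this password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    size = sum(len(cls) for cls in classes if any(c in cls for c in password))
    # Characters outside the four ASCII classes: fall back to the distinct count.
    return size or len(set(password))


def exhaustive_guesses(password):
    """Candidates of every length up to len(password) over its character set."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def dictionary_guesses(wordlist=WORDLIST, max_digits=MAX_SUFFIX_DIGITS):
    """Size of a wordlist grown with 0..max_digits trailing digits per word."""
    variants_per_word = sum(10 ** k for k in range(max_digits + 1))
    return len(wordlist) * variants_per_word


def in_dictionary_space(password, wordlist=WORDLIST, max_digits=MAX_SUFFIX_DIGITS):
    """True if password is a listed word followed by at most max_digits digits."""
    stem = password.rstrip(string.digits)
    return stem in wordlist and len(password) - len(stem) <= max_digits


def audit(password, rate=GUESSES_PER_SECOND):
    """Worst-case guesses and seconds for the cheapest search that covers password."""
    if not password:
        raise ValueError("empty password")
    if in_dictionary_space(password):
        method, guesses = "dictionary", dictionary_guesses()
    else:
        method, guesses = "exhaustive", exhaustive_guesses(password)
    return {"method": method, "guesses": guesses,
            "seconds": guesses / rate, "bits": round(math.log2(guesses), 1)}
```

Two 7-character passwords land in very different places: `audit("apples7")` falls inside the grown wordlist, while `audit("qzxvbnm")` requires the full lowercase search.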