2

When I create a VeraCrypt file container using the GUI, it displays a warning whenever I type in a password under a given number of characters. I was wondering just how insecure, in practical terms, such a method of encryption really is.


To give a concrete example, suppose:

  • I have a 4 GB VeraCrypt-generated container on a USB drive.
  • The password for said container consists of 9 lower case letters, from the standard English 26 letter alphabet.
  • Within said container are a dozen or so files, ranging from a few bytes to a few hundred megabytes in size.
  • The USB drive in question falls into the hands of a party hostile to me.
  • Other than the contents of the USB drive described above, this hostile party has no knowledge of how the container is encrypted.

How much trouble will that hostile party have in decrypting my container? Could an intelligent and motivated, but otherwise quite ordinary, programmer with a mid-range laptop do it, or would he have to call in the CIA, etc?

  • The container has, if I remember correctly, a well-known structure, and if an attacker wants to decrypt it, they will probably try to recover the key with a dictionary attack on the password. The weaker the password, the easier the attack. – ddddavidee May 27 '20 at 09:25

2 Answers

7

9 lowercase letters from the standard English alphabet make around a 40-bit direct search; this is very low password entropy. This is quite achievable even if you use high iteration numbers like 200000 iterations for the HMAC-SHA-256. 200000 makes $\approx 2^{18}$, so in total $\approx 2^{58}$.

Even public laboratories in the USA, like Oak Ridge Summit, can achieve this:

  • The supercomputer Summit can reach $\approx 2^{63}$ SHA-1 hashes in around one hour, $\approx 2^{72}$ hashes in one year.

Actually, there are two recommendations for you:

  1. Use diceware-based passwords. EFF has a very decent page about this. This is a very good method to generate strong passwords that one can easily remember. With 8 words one can reach 96 bits of password entropy. A small list:

    • 7 words have 80 bits
    • 8 words have 96 bits
    • 9 words have 128 bits password entropy.
  2. Use the hidden volume in VeraCrypt. The hidden volume is created under a VeraCrypt volume and is indistinguishable from the free space of the VeraCrypt volume, since the free space in VeraCrypt is random, not zero or FF. Keep in mind that you must use a different password for this hidden volume.

    An important aspect of the hidden volume is the plausible deniability. One can give the key of the outer VeraCrypt volume as honesty and keep the hidden volume key for themselves. Since the hidden volume is indistinguishable from the free space, it is not noticeable.

    Note that, as pointed out by Mark, a forensic analysis can reveal the hidden volume. It is not perfect yet.

kelalaka
  • Thank you. That EFF diceware page looks really useful. Just out of interest, what kind of rate of SHA hashes could one expect - very roughly, of course - from the kind of computer a private individual might own, e.g. a mid-range laptop? – chancellorofpaphos May 27 '20 at 14:14
  • 2
    The default should be enough with a good entropy password. It can be used to measure the brute-force time. – kelalaka May 27 '20 at 14:21
  • Sorry. I phrased that last comment poorly, which I think caused you to answer a different question than the one I was asking. What I meant was: You said that breaking the encryption I described would involve doing $\approx 2^{48}$ SHA hashes, that the Summit supercomputer could do $\approx 2^{63}$ such hashes in an hour - and therefore, I infer, it would take around $2^{-15}$ hours, i.e. a fraction of a second, to break my encryption. But what would these numbers look like for a home computer? – chancellorofpaphos May 27 '20 at 15:09
  • 2
    First of all, hashing is not encryption. You can download and use hashcat to measure your PC's time. – kelalaka May 27 '20 at 15:16
  • And another thing! You said that combining $2^{18}$ iterations with a 40-bit direct search would give you $2^{48}$ hashes. But shouldn't it be $2^{18} \times 2^{40} = 2^{58}$? Or have I totally misunderstood how that works? – chancellorofpaphos May 27 '20 at 15:16
  • 1
    @chancellorofpaphos Yes, my mistake. Corrected, thanks – kelalaka May 27 '20 at 15:23
  • Correcting the arithmetic of people much cleverer than I am is always a good feeling! So would I be correct in thinking that, based on your back-of-an-envelope calculations, it would take the Summit $\approx 2^{-5}$ hours $\approx 2$ minutes to break the encryption I described? – chancellorofpaphos May 27 '20 at 15:58
  • 3
    Yes, approx. I'm not claiming that I'm cleverer than anybody :) – kelalaka May 27 '20 at 16:07
  • 2
    Downvoting for the bit about the hidden volume. The TrueCrypt/VeraCrypt hidden-volume functionality only provides plausible deniability if your adversary is a mathematician. If instead you're facing a data forensics expert, the hidden volume sticks out like a sore thumb. – Mark May 27 '20 at 19:44
  • @Mark thank you for the insight. I've updated the answer. Maybe one day we can see a real idea/implementation that is not detectable. – kelalaka May 27 '20 at 19:57
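
An added example (not part of the original answer or its comments) that carries out the back-of-the-envelope estimate discussed above with exact logarithms, and times PBKDF2-HMAC-SHA256 locally to address the home-computer question. It assumes one hash per KDF iteration as the answer does, the answer's Summit figure as the hash rate, and the 7776-word EFF long list; all function names are illustrative.

```python
import hashlib
import math
import time

SUMMIT_HASHES_PER_HOUR = 2 ** 63   # figure quoted in the answer above
PBKDF2_ITERATIONS = 200_000        # iteration count used in the answer's estimate
EFF_WORDLIST_SIZE = 7776           # EFF long diceware list, 6^5 words


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly at random."""
    return length * math.log2(symbols)


def work_bits(password_bits: float, iterations: int = PBKDF2_ITERATIONS) -> float:
    """log2 of hash invocations for a full search, counting one hash per
    KDF iteration (the same simplification the answer makes)."""
    return password_bits + math.log2(iterations)


def hours_to_exhaust(total_work_bits: float, hashes_per_hour: float) -> float:
    """Hours needed to try every candidate at a fixed hash rate."""
    return 2 ** (total_work_bits - math.log2(hashes_per_hour))


def measure_local_rate(iterations: int = 50_000) -> float:
    """Time one PBKDF2-HMAC-SHA256 derivation on this machine and return
    iterations per hour for a single CPU thread (inputs are constructed)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-sample", b"constructed-salt", iterations)
    elapsed = time.perf_counter() - start
    return iterations / elapsed * 3600


def report(label: str, bits: float, local_rate: float) -> str:
    """One-line summary of search cost at the Summit rate and the local rate."""
    w = work_bits(bits)
    return (f"{label}: {bits:.1f}-bit password, 2^{w:.1f} hashes, "
            f"{hours_to_exhaust(w, SUMMIT_HASHES_PER_HOUR):.3g} h at Summit rate, "
            f"{hours_to_exhaust(w, local_rate) / 8766:.3g} years on one local thread")


if __name__ == "__main__":
    rate = measure_local_rate()
    print(report("9 lowercase letters", entropy_bits(26, 9), rate))
    for words in (6, 7, 8):
        print(report(f"{words} diceware words", entropy_bits(EFF_WORDLIST_SIZE, words), rate))
```

The local figure is for a single CPU thread in Python's `hashlib`; GPU tools such as hashcat, mentioned in the comments, run far faster, so read it as an upper bound on search time rather than a realistic one.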
1

Obviously using such a short password is bad. However, you may possibly benefit from security-by-obscurity here. If the attacker has no knowledge of the password and the data doesn't seem valuable at first you have a pretty good chance of them not trying BF attacks at all.

kiler129
  • Is there anything about the file itself that would give away the fact that it was a TrueCrypt/VeraCrypt container? Is such knowledge necessary in order to break the encryption? – chancellorofpaphos May 27 '20 at 23:15
  • 1
    First of all, there's nothing hinting at password length. Also, the design choices within TC original code make sure there's no unique signature to tell with 100% confidence a file is a container. However, 50GB of random file without any recognizable signature gives out a strong suggestion of being an encrypted volume. There are also other techniques: https://www.raedts.biz/forensics/detecting-truecrypt-veracrypt-volumes/ – kiler129 May 28 '20 at 00:36