For whole disk encryption (WDE) or any sort of password protected service where you cannot execute software (primary authentication), I encourage the use of pass phrases. Diceware is nice. Something such as this:
"lua ham purple day girl"
The challenge with primary authentication passwords is that users typically cannot use a password manager or generator to recall the password and thus must be able to recall something that they can easily type, and end up selecting weak passwords. There are some exceptions to this (YubiKey, etc.) but most normal users don't or cannot use them for various reasons, so go with a nice pass phrase like the one above.
Forego the cultural references here. (Should be obvious, but you have to assume the attacker is familiar with you in specific and can guess what you'll know.)
If we know the "algorithm" for your password choice (all lowercase, English words, space delimited, at least two words), that greatly reduces the time needed to guess the password. I wonder how much time that would take to crack on modern hardware...
> I wonder how much time that would take to crack on modern hardware...
A very long time. You're still looking at a total of 3-5 words you need to guess (9-25 characters based on 3-5 letters per word), in the right combination, and assuming all words are English or popular colloquialisms...
("greatly reducing" is still not going to make brute forcing a realistic choice).
It would still take a very long time, but remember we're not iterating by character anymore. Each word is a 'character' and our alphabet is the English dictionary.
So for the example above, we have to guess 5 slots in the passphrase and each slot has [number of words in English dict] possibilities. Also, we'd probably start guessing assuming 2-word passphrases and have to exhaust all of 2, 3 and 4 before we start guessing 5-word combinations.
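To put numbers on the word-as-character argument above, here is an added example (not code from the original thread) that counts the candidates an attacker who knows the "algorithm" must try, sums the 2-, 3-, 4- and 5-word searches the comment describes, and contrasts that with the character-level view. The dictionary sizes and the guess rate are constructed assumptions, not measured figures.

```python
import math

# Constructed figures for illustration; substitute your own dictionary size and guess rate.
DICEWARE_WORDS = 7776                    # a standard Diceware list has 6^5 entries
LARGE_ENGLISH_LIST = 100_000             # rough stand-in for "the English dictionary"
ASSUMED_GUESSES_PER_SECOND = 1_000_000   # assumption, not a benchmark of any real tool


def phrase_candidates(dictionary_size: int, words: int) -> int:
    """Phrases of exactly `words` words, each slot drawn independently from the dictionary."""
    return dictionary_size ** words


def cumulative_candidates(dictionary_size: int, min_words: int, max_words: int) -> int:
    """Everything an attacker exhausts who tries 2-word phrases first, then 3, ... up to max_words."""
    return sum(phrase_candidates(dictionary_size, k) for k in range(min_words, max_words + 1))


def entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy of a uniformly chosen phrase: the attacker-knows-the-algorithm figure."""
    return words * math.log2(dictionary_size)


def char_entropy_bits(alphabet_size: int, length: int) -> float:
    """What a character-by-character attacker who does NOT know the algorithm faces."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second


def years(seconds: float) -> float:
    """Convert seconds to (Julian) years for readable output."""
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    phrase = "lua ham purple day girl"
    words = len(phrase.split())
    for name, size in (("Diceware", DICEWARE_WORDS), ("large English list", LARGE_ENGLISH_LIST)):
        total = cumulative_candidates(size, 2, words)
        print(f"{name}: {words} words -> {entropy_bits(size, words):.1f} bits; "
              f"{total:.3e} candidates through {words}-word phrases; "
              f"{years(seconds_to_exhaust(total, ASSUMED_GUESSES_PER_SECOND)):.3e} years "
              f"at {ASSUMED_GUESSES_PER_SECOND:,} guesses/s")
    # The same phrase seen as 23 characters over lowercase letters plus space:
    print(f"character-level view: {char_entropy_bits(27, len(phrase)):.1f} bits")
```

The cumulative sum is dominated by its last term, so trying the short phrases first costs the attacker almost nothing extra; the real effect of knowing the algorithm is the drop from roughly 109 character-level bits to roughly 65 word-level bits for a five-word Diceware phrase, which is still far beyond exhaustive search at any plausible rate.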
For those on Windows without access to a *nix machine, you can grab a Windows binary of dd at http://www.chrysocome.net/dd; the command arguments are the same as on the site.
Can someone explain in plain English what the purpose of this tool is for an actual TrueCrypt user? I'm confused about what it does, other than perhaps demonstrating the weakness of certain passwords, or maybe some vulnerability in the way TC works.
As I understand it, it attempts to decrypt a TC volume (and any hidden volume contained within) by brute-forcing the password and using a dictionary of some kind.
Essentially it just tries to open the volume with many passwords in quick succession. So there isn't a vulnerability in TrueCrypt itself, and complex / long passwords are unlikely to be found with this tool.
For the Header Keys (which I believe is what the attack is going after, as that is what the password unlocks), TC does use a Salt. See [0]
And for slow hashing schemes that is a fair point, but when you're looking at file decryption, there is nothing to stop parallel attempts happening at once on different machines. Also, TC does support using cascading ciphers, which can help to slow it down.
Note: I'm not an expert in Cryptography by any means, but this is my current understanding.
It says they are only doing 1000 (or 2000) hash iterations to derive the key, and it seems like it is too few iterations to be much of a brute force deterrent these days. I would have expected something like 100000 iterations, or 1 second or more of calculation time on a modern CPU.
A good system uses a key stretching function, not a hash. (For the same reason we don't call a MAC a hash, we don't call a key stretching function a hash.)
I don't know cryptography in any depth, but I'd think a good password encryption scheme uses a slow function. A good disk encryption scheme needs to be fast to be usable, thus the security becomes much more dependent on choice of passphrase.
The key that is used to decrypt the hard disk is stored inside an area that is encrypted with the passphrase and/or keyfiles. That may use a different algorithm than the actual OTF encryption of the rest of the disk. Thus, you can use a short key with a LONG hash time and protect a LONG key with a short encryption time, and voilà.
I mean, that's how this service works anyway; you send it the volume header and it attempts to crack it. If it can read the contents of the header, then you can read out the key used to encrypt/decrypt the volume itself.
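The comments above on iteration counts, key stretching and the header design (a slow passphrase-derived key protecting a random master key that the fast bulk cipher actually uses) can be shown in working code. This is an added example, not TrueCrypt's code or header format: the header layout, the 64-byte salt, the XOR stand-in for the header cipher and the two iteration counts (the 1000 the comment calls too few, the 100000 the commenter expected) are constructed for the demo. Only Python's standard library is used.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed parameters; TrueCrypt's real format and ciphers are not reproduced here.
SALT_LEN = 64
MASTER_KEY_LEN = 32
FEW_ITERATIONS = 1000       # the count the comment above calls too few
MANY_ITERATIONS = 100000    # the count the commenter would have expected


def derive_header_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Salted key stretching (PBKDF2-HMAC-SHA512). Cost grows linearly with `iterations`,
    and the per-volume salt means each header has to be attacked on its own."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, dklen=64)


def create_header(passphrase: str, iterations: int, master_key: Optional[bytes] = None,
                  salt: Optional[bytes] = None) -> dict:
    """Wrap a random master key under the passphrase-derived header key. The master key,
    not the passphrase, is what a fast bulk cipher would use for the rest of the disk."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    master_key = master_key if master_key is not None else os.urandom(MASTER_KEY_LEN)
    header_key = derive_header_key(passphrase, salt, iterations)
    wrap_key, mac_key = header_key[:32], header_key[32:]
    # XOR with a never-reused 32-byte derived key stands in for the header cipher; the
    # HMAC tag is what lets an unlock attempt distinguish a right passphrase from a wrong one.
    wrapped = bytes(m ^ k for m, k in zip(master_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "wrapped_key": wrapped, "tag": tag}


def open_header(passphrase: str, header: dict) -> Optional[bytes]:
    """One unlock attempt: re-derive the header key, verify the tag, unwrap the master key.
    Returns None for a wrong passphrase. Every guess pays the full KDF cost."""
    header_key = derive_header_key(passphrase, header["salt"], header["iterations"])
    wrap_key, mac_key = header_key[:32], header_key[32:]
    expected = hmac.new(mac_key, header["salt"] + header["wrapped_key"], "sha256").digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(w ^ k for w, k in zip(header["wrapped_key"], wrap_key))


def seconds_per_guess(iterations: int, salt: bytes = b"\x00" * SALT_LEN) -> float:
    """Measure what one guess costs on this machine at a given iteration count."""
    start = time.perf_counter()
    derive_header_key("benchmark passphrase", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    passphrase = "lua ham purple day girl"
    header = create_header(passphrase, FEW_ITERATIONS)
    assert open_header(passphrase, header) is not None
    assert open_header("lua ham purple day boy", header) is None
    for n in (FEW_ITERATIONS, MANY_ITERATIONS):
        t = seconds_per_guess(n)
        print(f"{n:>7} iterations: {t * 1000:8.2f} ms per guess, about {1 / t:,.0f} guesses/s per core")
```

The point of the two-tier layout is visible in `open_header`: the user's passphrase only ever pays the slow KDF once per mount, while the bulk data is protected by a full-length random key, so raising the iteration count costs the legitimate user one delay and costs a guesser that same delay on every candidate.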
What qualifies as a "strong password" against such a tool?