FBI endorses TrueCrypt
Or they at least try to make it look that way, at least.
http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/
Brazilian banker's crypto baffles FBI
18 months of failure
By John Leyden
Posted in Enterprise Security, 28th June 2010 11:49 GMT
Cryptographic locks guarding the secret files of a Brazilian banker suspected of financial crimes have defeated law enforcement officials.
Brazilian police seized five hard drives when they raided the Rio apartment of banker Daniel Dantas as part of Operation Satyagraha in July 2008. But subsequent efforts to decrypt files held on the hardware using a variety of dictionary-based attacks failed even after the South Americans called in the assistance of the FBI.
The files were encrypted using Truecrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas would be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil.
The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code, Brazil's Globo newspaper reports.
The case is an illustration of how care in choosing secure (hard-to-guess) passwords and applying encryption techniques to avoid leaving file fragments that could aid code breakers are more important in maintaining security than the algorithm a code maker chooses. In other cases, law enforcement officials have defeated suspects' use of encryption because of weak cryptographic trade craft or poor passwords, rather than inherent flaws in encryption packages.
This is more like saying that the FBI endorses AES-256 (assuming the implementation is correct). Then, AES is published as US FIPS 197.
Sarad.
--- On Fri, 7/2/10, Eugen Leitl <eugen@leitl.org> wrote:
From: Eugen Leitl <eugen@leitl.org>
Subject: FBI endorses TrueCrypt
To: cypherpunks@al-qaeda.net
Date: Friday, July 2, 2010, 2:38 AM
Or they at least try to make it look that way, at least.
http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/
Brazilian banker's crypto baffles FBI
18 months of failure
By John Leyden
Posted in Enterprise Security, 28th June 2010 11:49 GMT
Cryptographic locks guarding the secret files of a Brazilian banker suspected of financial crimes have defeated law enforcement officials.
Brazilian police seized five hard drives when they raided the Rio apartment of banker Daniel Dantas as part of Operation Satyagraha in July 2008. But subsequent efforts to decrypt files held on the hardware using a variety of dictionary-based attacks failed even after the South Americans called in the assistance of the FBI.
The files were encrypted using Truecrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas would be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil.
The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code, Brazil's Globo newspaper reports.
The case is an illustration of how care in choosing secure (hard-to-guess) passwords and applying encryption techniques to avoid leaving file fragments that could aid code breakers are more important in maintaining security than the algorithm a code maker chooses. In other cases, law enforcement officials have defeated suspects' use of encryption because of weak cryptographic trade craft or poor passwords, rather than inherent flaws in encryption packages.
On Thu, 1 Jul 2010, Eugen Leitl wrote:
Or they at least try to make it look that way, at least.
http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/
Brazilian banker's crypto baffles FBI
I find it baffling that we aren't hearing anything about key escrow. How in the world did we go through the 9/11 TLA bonanza, and all of the recent Internet Kill Switch gibberish and not once hear about key escrow?
These ideas don't just go away ... I'm suspicious ...
On Sat, Jul 03, 2010 at 05:00:20AM +0000, John Case wrote:
On Thu, 1 Jul 2010, Eugen Leitl wrote:
Or they at least try to make it look that way, at least.
http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/
Brazilian banker's crypto baffles FBI
I find it baffling that we aren't hearing anything about key escrow. How in the world did we go through the 9/11 TLA bonanza, and all of the recent Internet Kill Switch gibberish and not once hear about key escrow?
These ideas don't just go away ... I'm suspicious ...
Quite simply, because there are many other ways to perform effective intelligence work without requiring key escrow. A few relevant points:
1. It would be hard for the government to force people to use their key escrowed system.
2. With whom you communicate is often more interesting than what you communicate.
3. Humans are bad at storing cryptographic keys. They tend to write them down somewhere, exposing them to various attacks (sneak and peek warrant, installation of covert camera, keylogger, TEMPEST).
4. Cryptography is very, very rarely the weakest point of a system.
-- irene
participants (4)
- Eugen Leitl
- irene
- John Case
- Sarad AV