How the Secret Service Cracks Encrypted Evidence

Eugen Leitl eugen at leitl.org
Mon Mar 28 22:53:11 PST 2005


Link: http://slashdot.org/article.pl?sid=05/03/28/2026226
Posted by: timothy, on 2005-03-28 21:22:00

   from the throw-at-wall-see-what-sticks dept.
   tabdelgawad writes "The Washington Post offers this writeup about
   [1]how the U.S. Secret Service uses a Distributed Network Attack
   program to crack encryption on computers and drives seized as
   evidence. How can brute force still succeed with 256-bit encryption,
   you ask? Customized password dictionaries from the seized computer's
   email files and browser cache: People still use non-random passwords."


References

   1. http://www.washingtonpost.com/wp-dyn/articles/A6098-2005Mar28.html

----- End forwarded message -----

DNA Key to Decoding Human Factor
Secret Service's Distributed Computing Project Aimed at Decoding Encrypted
Evidence

By Brian Krebs
washingtonpost.com Staff Writer
Monday, March 28, 2005; 6:48 AM

For law enforcement officials charged with busting sophisticated financial
crime and hacker rings, making arrests and seizing computers used in the
criminal activity is often the easy part.

More difficult can be making the case in court, where getting a conviction
often hinges on whether investigators can glean evidence off of the seized
computer equipment and connect that information to specific crimes.

The wide availability of powerful encryption software has made evidence
gathering a significant challenge for investigators. Criminals can use the
software to scramble evidence of their activities so thoroughly that even the
most powerful supercomputers in the world would never be able to break into
their codes. But the U.S. Secret Service believes that combining computing
power with gumshoe detective skills can help crack criminals' encrypted data
caches.

Taking a cue from scientists searching for signs of extraterrestrial life and
mathematicians trying to identify very large prime numbers, the agency best
known for protecting presidents and other high officials is tying together
its employees' desktop computers in a network designed to crack passwords
that alleged criminals have used to scramble evidence of their crimes --
everything from lists of stolen credit card numbers and Social Security
numbers to records of bank transfers and e-mail communications with victims
and accomplices.

To date, the Secret Service has linked 4,000 of its employees' computers into
the "Distributed Networking Attack" program. The effort started nearly three
years ago to battle a surge in the number of cases in which savvy computer
criminals have used commercial or free encryption software to safeguard
stolen financial information, according to DNA program manager Al Lewis.

"We're seeing more and more cases coming in where we have to break
encryption," Lewis said. "What we're finding is that criminals who use
encryption usually are higher profile and higher value targets for us because
it means from an evidentiary standpoint they have more to hide."

Each computer in the DNA network contributes a sliver of its processing power
to the effort, allowing the entire system to continuously hammer away at
numerous encryption keys at a rate of more than a million password
combinations per second.

The strength of any encryption scheme is based largely on the complexity of
its algorithm -- the mathematical formula used to scramble the data -- and
the length of the "key" required to encode and unscramble the information.
Keys consist of long strings of binary numbers or "bits," and generally the
greater number of bits in a key, the more secure the encryption.

Many of the encryption programs used widely by corporations and individuals
provide up to 128- or 256-bit keys. Breaking a 256-bit key would likely take
eons using today's conventional "dictionary" and "brute force" decryption
methods -- that is, trying word-based, random or sequential combinations of
letters and numbers -- even on a distributed network many times the size of
the Secret Service's DNA.

"In most cases, there's a greater probability that the sun will burn out
before all the computers in the world could factor in all of the information
needed to brute force a 256-bit key," said Jon Hansen, vice president of
marketing for AccessData Corp, the Lindon, Utah, company that built the
software that powers DNA.

Yet, like most security systems, encryption has an Achilles' heel -- the
user. That's because some of today's most common encryption applications
protect keys using a password supplied by the user. Most encryption programs
urge users to pick strong, alphanumeric passwords, but far too often people
ignore that critical piece of advice, said Bruce Schneier, an encryption
expert and chief technology officer at Counterpane Internet Security Inc. in
Mountain View, Calif.

"Most people don't pick a random password even though they should, and that's
why projects like this work against a lot of keys," Schneier said. "Lots of
people -- even the bad guys -- are really sloppy about choosing good
passwords."

Armed with the computing power provided by DNA and a treasure trove of data
about a suspect's personal life and interests collected by field agents,
Secret Service computer forensics experts often can discover encryption key
passwords.

In each case in which DNA is used, the Secret Service has plenty of
"plaintext" or unencrypted data resident on the suspect's computer hard drive
that can provide important clues to that person's password. When that data is
fed into DNA, the system can create lists of words and phrases specific to
the individual who owned the computer, lists that are used to try to crack
the suspect's password. DNA can glean word lists from documents and e-mails
on the suspect's PC, and can scour the suspect's Web browser cache and
extract words from Web sites that the individual may have frequented.
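The two numbers that drive this story are the size of a 256-bit key space and the size of a word list harvested from one person's files. The following Python is an added illustration written for this post, not AccessData's DNA code or anything from the article: it computes the expected brute-force time at the million-guesses-per-second rate quoted above, builds a per-user word list from a few constructed lines standing in for a suspect's e-mail and browser cache, and offers a defensive check a password policy could apply (is the chosen password, ignoring case and a trailing run of digits, a word from the owner's own documents?). All function and variable names are assumptions of this example.

```python
"""Added example: why a 256-bit key resists guessing while a password drawn
from the owner's own files does not. Sample corpus below is constructed."""
import re
from typing import Iterable, Set

GUESSES_PER_SECOND = 1_000_000          # rate the article quotes for DNA
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(key_bits: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find a uniformly random key of key_bits bits by
    exhaustive search at the given rate (on average half the space is tried)."""
    return (2 ** (key_bits - 1)) / rate / SECONDS_PER_YEAR


# Constructed stand-ins for documents, e-mail and browser cache on a seized drive.
SAMPLE_CORPUS = [
    "Re: weekend ride - the new Bonneville exhaust sounds great, see you at Laguna Seca",
    "Browser cache: motorcycle forum thread about carburetor jetting and sprocket ratios",
    "Invoice 4471: replacement stirrup leather and saddle soap, delivered Tuesday",
]

# Words of three or more letters; apostrophes and hyphens allowed inside a word.
WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]{2,}")


def build_wordlist(texts: Iterable[str]) -> Set[str]:
    """Harvest a lower-cased, de-duplicated word list from free text: the kind
    of per-suspect dictionary the article describes, in its simplest form."""
    words: Set[str] = set()
    for text in texts:
        for match in WORD_RE.findall(text):
            words.add(match.lower())
    return words


def password_in_wordlist(password: str, wordlist: Set[str]) -> bool:
    """Defensive check for a password policy: would this password fall to a
    dictionary built from the owner's own files? Case is ignored and a trailing
    run of digits is stripped, so 'Bonneville99' is judged like 'bonneville'."""
    base = re.sub(r"\d+$", "", password).lower()
    return base in wordlist


def dictionary_seconds(wordlist: Set[str], rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every word in the list once at the given rate."""
    return len(wordlist) / rate


if __name__ == "__main__":
    print(f"256-bit exhaustive search at {GUESSES_PER_SECOND:,}/s: "
          f"{brute_force_years(256):.2e} years")
    wl = build_wordlist(SAMPLE_CORPUS)
    print(f"personalised dictionary: {len(wl)} words, "
          f"exhausted in {dictionary_seconds(wl):.6f} s")
    for pw in ("Bonneville99", "carburetor", "T7#v9!qLw2@z"):
        verdict = "guessable from own files" if password_in_wordlist(pw, wl) else "not in dictionary"
        print(f"{pw!r}: {verdict}")
```

The contrast is the whole point of the article: the key space is astronomically large, but the password that protects the key is often one of a few dozen words the owner has already written down somewhere on the same disk. A policy that rejects passwords found in the user's own documents (or, more practically, that requires a randomly generated passphrase) closes exactly the gap DNA exploits.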

"If we've got a suspect and we know from looking at his computer that he
likes motorcycle Web sites, for example, we can pull words down off of those
sites and create a unique dictionary of passwords of motorcycle terms," the
Secret Service's Lewis said.

DNA was developed under a program funded by the Technical Support Working
Group -- a federal office that coordinates research on technologies to combat
terrorism. AccessData's various offerings are currently used by nearly every
federal agency that does computer forensics work, according to Hansen and
executives at Pasadena, Calif.-based Guidance Software, another major player
in the government market for forensics technology.

Hansen said AccessData has learned through feedback with its customers in law
enforcement that between 40 and 50 percent of the time investigators can
crack an encryption key by creating word lists from content at sites listed
in the suspect's Internet browser log or Web site bookmarks.

"Most of the time this happens the password is some quirky word related to
the suspect's area of interests or hobbies," Hansen said.

Hansen recalled one case several years ago in which police in the United
Kingdom used AccessData's technology to crack the encryption key of a suspect
who frequently worked with horses. Using custom lists of words associated
with all things equine, investigators quickly zeroed in on his password,
which Hansen says was some obscure word used to describe one component of a
stirrup.

Having the ability to craft custom dictionaries for each suspect's computer
makes it exponentially more likely that investigators can crack a given
encryption code within a timeframe that would be useful in prosecuting a
case, said David McNett, president of Distributed.net, created in 1997 as the
world's first general-purpose distributed computing project.

"If you have a whole hard drive of materials that could be related to the
encryption key you're trying to crack, that is extremely beneficial," McNett
said. "In the world of encrypted [Microsoft Windows] drives and encrypted zip
files, four thousand machines is a sizable force to bring to bear."

It took DNA just under three hours to crack one file encrypted with WinZip --
a popular file compression and encryption utility that offers 128-bit and
256-bit key encryption. That attack was successful mainly because
investigators were able to build highly targeted word lists about the suspect
who owned the seized hard drive.

Other encrypted files, however, are proving far more stubborn.

In a high-profile investigation last fall, code-named "Operation Firewall,"
Secret Service agents infiltrated an Internet crime ring used to buy and sell
stolen credit cards, a case that yielded more than 30 arrests but also huge
amounts of encrypted data. DNA is still toiling to crack most of those codes,
many of which were created with a formidable grade of 256-bit encryption.

Relying on a word-list approach to crack keys becomes far more complex when
dealing with suspects who communicate using a mix of languages and alphabets.
In Operation Firewall, for example, several of the suspects routinely
communicated online in English, Russian and Ukrainian, as well as a mishmash
of the Cyrillic and Roman alphabets.

The Secret Service also is working on adapting DNA to cope with emergent data
secrecy threats, such as an increased criminal use of "steganography," which
involves hiding information by embedding messages inside other, seemingly
innocuous messages, music files or images.

The Secret Service has deployed DNA to 40 percent of its internal computers
at a rate of a few PCs per week and plans to expand the program to all 10,000
of its systems by the end of this summer. Ultimately, the agency hopes to
build the network out across all 22 federal agencies that comprise the
Department of Homeland Security: It currently holds a license to deploy the
network out to 100,000 systems.

Unlike other distributed networking programs, such as the Search for Extra
Terrestrial Intelligence Project -- which graphically display their
number-crunching progress when a host computer's screen saver is activated --
DNA works silently in the background, completely hidden from the user. Lewis
said the Secret Service chose not to call attention to the program, concerned
that employees might remove it.

"Computer users often experience system lockups that are often inexplicable,
and many users will uninstall programs they don't understand," Lewis said.
"As the user base becomes more educated with the program and how it
functions, we certainly retain the ability to make it more visible."

In the meantime, the agency is looking to partner with companies in the
private sector that may have computer-processing power to spare, though Lewis
declined to say which companies the Secret Service was approaching. Such a
partnership would not endanger the secrecy of their operations, Lewis said,
because any one partner would be given only tiny snippets of an entire
encrypted message or file.

Distributed.net's McNett said he understands all too well the agency's desire
for additional computing power.

"There will be such a thing as 'too much computing power' as soon as you can
crack a key 'too quickly,' which is to say 'never' in the Secret Service's
case."

© 2005 TechNews.com

--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net
