Qubes default cryptsetup. How strong is it?
67 views
Skip to first unread message
Setup
Jun 21, 2016, 8:28:01 AM6/21/16
to qubes...@googlegroups.com
How "quick" any of available super PCs (10,649,60 cores, 125,435. TFLOP/S ) can find the password (e.g 8-16 chars) encrypted with Qubes default settings cryptsetup?
How can we improve security to prevent this?
Is it a good idea to install some 3th party software tat dom0 to make crypto container to store some VMs and mount it before VM start?
Will Qubes Manager work fine if VMs will not be available at the boot time or some time after that, before user will not mount container?
How can we improve security to prevent this?
Is it a good idea to install some 3th party software tat dom0 to make crypto container to store some VMs and mount it before VM start?
Will Qubes Manager work fine if VMs will not be available at the boot time or some time after that, before user will not mount container?
Arqwer
Jun 21, 2016, 5:54:02 PM6/21/16
to qubes-users, somequ...@qubesgroups.cn
Will Qubes Manager work fine if VMs will not be available at the boot time or some time after that, before user will not mount container?
Yes. I have R3.0, and some vm's are on secondaty, encrypted drive. I mount it using crontab like
@reboot /my/script/to/mount/encrypted/secondary/drive
I used this instruction to move appvms there. But I did it not in purpose of security, but just to have more disk space. I store the key to that drive in dom0.
@reboot /my/script/to/mount/encrypted/secondary/drive
I used this instruction to move appvms there. But I did it not in purpose of security, but just to have more disk space. I store the key to that drive in dom0.
How "quick" any of available super PCs (10,649,60 cores, 125,435. TFLOP/S ) can find the password (e.g 8-16 chars) encrypted with Qubes default settings cryptsetup?
Encryption is the hardest part of chain. If the passphrase is long enough.If password is 16 random lowercase and uppercasr letters, then it is 52^16 combinations, it is about 10^27. If you can crack 100 Peta passwords/S, then it will take 10^(27-17) = 10^(10) seconds to brute the password, which is 316 years. (Really expectation is half of it, so 158 years on average). Of course, if those letters are not "Password12345678".
How can we improve security to prevent this?
If 316 years is not enough, than you can add one more character, to make it 16 thousands of years!
Is it a good idea to install some 3th party software tat dom0 to make crypto container to store some VMs and mount it before VM start?
I don't think so. The more different tools you use, the more there are chances to use something wrong.
After all, there are much easier ways to get your data. For example hardware backdoor called Intel ME.
Robin Schneider
Jun 21, 2016, 6:16:17 PM6/21/16
to qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 21.06.2016 23:54, Arqwer wrote:
> How "quick" any of available super PCs (10,649,60 cores, 125,435. TFLOP/S
>> ) can find the password (e.g 8-16 chars) encrypted with Qubes default
>> settings cryptsetup?
>>
>
> Encryption is the hardest part of chain. If the passphrase is long
> enough.If password is 16 random lowercase and uppercasr letters, then it
> is 52^16 combinations, it is about 10^27. If you can crack 100 Peta
> passwords/S, then it will take 10^(27-17) = 10^(10) seconds to brute the
> password, which is 316 years. (Really expectation is half of it, so 158
> years on average). Of course, if those letters are not "Password12345678".
>
> How can we improve security to prevent this?
>
>
> If 316 years is not enough, than you can add one more character, to make
> it 16 thousands of years!
Most of those projections about how many years brute forcing a passphrase with
that many bits of entropy may take completely ignore one key aspect, especially
when you are talking about hundreds of years and that is technical advance and
Moore's law. So to be realistic, you would need to take that into
consideration.
Refer to:
*
https://crypto.stackexchange.com/questions/1815/how-to-account-for-moores-law-in
- -estimating-time-to-crack
- --
Live long and prosper
Robin `ypid` Schneider
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXabyzAAoJEIb9mAu/GkD4DhQP/iru7NGtTJ6gVdsdnYlZfLx1
6uTWhX0mwwOYw1TMV4wGC9uW2NDGsiVXHHEJSXpdeLvMwZYdZGfKxu8vv8SRpUQc
SZYI38gybmYn4+wg/fp4oU6cDaHqJ2eh+oOh1YUZhnewOM/jcUMD7kK+sVFcP0Sr
koagcIuEXFC0nRnwZsSMtcfr1DQ3x/rJHQuBwdfQLpKyK6gDOVJEqQ5K1kh0Q2w+
yUEcMVtJiMdFkYyTFu7/pcuVv4Xgssiw+8eUt7tsr8QO5Sqczhr0oxlN3d8EwEeX
2H8poeBIPJ1v++xqiFuglxA2NkS3pi/y5VMWqs4rI8phazSvgPhkcZJ7NOsNpo6k
NkOFZHccwdRAq9KVq8M6OGcFk6ulSU6Y1SayHxkNM9zQ8ofJ4IBoJ4b+zAwcKta6
nPidNlPjhATD1BY0G1wO61TtfCqYqHuEdENvxko+Q2OXuNqaNREs+9+xdQrcwTuJ
hCy+YMC5wS1W25Le4f8Q0oNQrhMiLM92/YNz+tW8JzmLLU1LdzbM4Dz9Kf3aGrqV
Fi0FSj4MdRLzD9lLiZ6zUXpCpfYGlACyP2j58mssa5jLyKqHvEiMt1cSiOAoE16O
Lqxr0D8/M/O4Zx7o9NuQWi86stKK39x1xzbzOTCo0zjK+zwd8L5LspbVZpmW8AQW
q5t6CA096mCC45lflC4F
=0UJ1
-----END PGP SIGNATURE-----
Hash: SHA512
On 21.06.2016 23:54, Arqwer wrote:
> How "quick" any of available super PCs (10,649,60 cores, 125,435. TFLOP/S
>> ) can find the password (e.g 8-16 chars) encrypted with Qubes default
>> settings cryptsetup?
>>
>
> Encryption is the hardest part of chain. If the passphrase is long
> enough.If password is 16 random lowercase and uppercasr letters, then it
> is 52^16 combinations, it is about 10^27. If you can crack 100 Peta
> passwords/S, then it will take 10^(27-17) = 10^(10) seconds to brute the
> password, which is 316 years. (Really expectation is half of it, so 158
> years on average). Of course, if those letters are not "Password12345678".
>
> How can we improve security to prevent this?
>
>
> If 316 years is not enough, than you can add one more character, to make
> it 16 thousands of years!
that many bits of entropy may take completely ignore one key aspect, especially
when you are talking about hundreds of years and that is technical advance and
Moore's law. So to be realistic, you would need to take that into
consideration.
Refer to:
*
https://crypto.stackexchange.com/questions/1815/how-to-account-for-moores-law-in
- -estimating-time-to-crack
- --
Live long and prosper
Robin `ypid` Schneider
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXabyzAAoJEIb9mAu/GkD4DhQP/iru7NGtTJ6gVdsdnYlZfLx1
6uTWhX0mwwOYw1TMV4wGC9uW2NDGsiVXHHEJSXpdeLvMwZYdZGfKxu8vv8SRpUQc
SZYI38gybmYn4+wg/fp4oU6cDaHqJ2eh+oOh1YUZhnewOM/jcUMD7kK+sVFcP0Sr
koagcIuEXFC0nRnwZsSMtcfr1DQ3x/rJHQuBwdfQLpKyK6gDOVJEqQ5K1kh0Q2w+
yUEcMVtJiMdFkYyTFu7/pcuVv4Xgssiw+8eUt7tsr8QO5Sqczhr0oxlN3d8EwEeX
2H8poeBIPJ1v++xqiFuglxA2NkS3pi/y5VMWqs4rI8phazSvgPhkcZJ7NOsNpo6k
NkOFZHccwdRAq9KVq8M6OGcFk6ulSU6Y1SayHxkNM9zQ8ofJ4IBoJ4b+zAwcKta6
nPidNlPjhATD1BY0G1wO61TtfCqYqHuEdENvxko+Q2OXuNqaNREs+9+xdQrcwTuJ
hCy+YMC5wS1W25Le4f8Q0oNQrhMiLM92/YNz+tW8JzmLLU1LdzbM4Dz9Kf3aGrqV
Fi0FSj4MdRLzD9lLiZ6zUXpCpfYGlACyP2j58mssa5jLyKqHvEiMt1cSiOAoE16O
Lqxr0D8/M/O4Zx7o9NuQWi86stKK39x1xzbzOTCo0zjK+zwd8L5LspbVZpmW8AQW
q5t6CA096mCC45lflC4F
=0UJ1
-----END PGP SIGNATURE-----
Andrew David Wong
Jun 21, 2016, 10:51:22 PM6/21/16
to Robin Schneider, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
On 2016-06-21 15:16, Robin Schneider wrote:
> On 21.06.2016 23:54, Arqwer wrote:
>> How "quick" any of available super PCs (10,649,60 cores,
>> 125,435. TFLOP/S
>>> ) can find the password (e.g 8-16 chars) encrypted with Qubes
>>> default settings cryptsetup?
>>>
>
>> Encryption is the hardest part of chain. If the passphrase is
>> long enough.If password is 16 random lowercase and uppercasr
>> letters, then it is 52^16 combinations, it is about 10^27. If
>> you can crack 100 Peta passwords/S, then it will take 10^(27-17)
>> = 10^(10) seconds to brute the password, which is 316 years.
>> (Really expectation is half of it, so 158 years on average). Of
>> course, if those letters are not "Password12345678".
>
>> How can we improve security to prevent this?
>
>
>> If 316 years is not enough, than you can add one more character,
>> to make it 16 thousands of years!
>
>
> Most of those projections about how many years brute forcing a
> passphrase with that many bits of entropy may take completely
> ignore one key aspect, especially when you are talking about
> hundreds of years and that is technical advance and Moore's law.
> So to be realistic, you would need to take that into
> consideration.
>
> Refer to:
>
> * https://crypto.stackexchange.com/questions/1815/how-to-account-
> for-moores-law-in-estimating-time-to-crack
> On 21.06.2016 23:54, Arqwer wrote:
>> How "quick" any of available super PCs (10,649,60 cores,
>> 125,435. TFLOP/S
>>> ) can find the password (e.g 8-16 chars) encrypted with Qubes
>>> default settings cryptsetup?
>>>
>
>> Encryption is the hardest part of chain. If the passphrase is
>> long enough.If password is 16 random lowercase and uppercasr
>> letters, then it is 52^16 combinations, it is about 10^27. If
>> you can crack 100 Peta passwords/S, then it will take 10^(27-17)
>> = 10^(10) seconds to brute the password, which is 316 years.
>> (Really expectation is half of it, so 158 years on average). Of
>> course, if those letters are not "Password12345678".
>
>> How can we improve security to prevent this?
>
>
>> If 316 years is not enough, than you can add one more character,
>> to make it 16 thousands of years!
>
>
> Most of those projections about how many years brute forcing a
> passphrase with that many bits of entropy may take completely
> ignore one key aspect, especially when you are talking about
> hundreds of years and that is technical advance and Moore's law.
> So to be realistic, you would need to take that into
> consideration.
>
> Refer to:
>
> * https://crypto.stackexchange.com/questions/1815/how-to-account-
>
True, but there may also be thermodynamic limitations. As Schneier
wrote in _Applied Cryptography_:
"These numbers have nothing to do with the technology of the devices;
they are the maximums that thermodynamics will allow. And they
strongly imply that brute-force attacks against 256-bit keys will be
infeasible until computers are built from something other than matter
and occupy something other than space."
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXaf0dAAoJENtN07w5UDAwTSIQAJ3kz83tAfbU1JCR9uaCqLHx
AUGBZy1ZQFBMNk3zkz9kA8T3cq28KFqc9o7TQA95aNoQ5Lhya72r+09EH/ADiHxL
SPHgPgHVHSzajpiUFIfJOJYSqdbyzh+45+WXsjCyykXuG514dPHVqQYrCA5hHIww
TwX/ChfyizprTMsrZrrwI4sLcLSaLvrcoRZtb2vWXS97Qa6wY0GsZCPu228bnbV4
p0jRPT271PA6BTLmSRKpKLdRjfznmcX3I+LQIFn9Jp9iwuEWQkZdTocT1/R4f6/C
lbVv7RhgfC6UpaulOP0+zgcZf1+zBqZfsMZCem2sDj7xol0oMg7NCA+nvFz5Smlm
Ax+lCaGjm8tYY7/JJ2Fwbu85Bz6bciHWORdiLo1iuRx6zcKNE47kAbcmHdik0hu0
Oh6khINpwPP1ZbZzcnKhWs5y5jrhDrrJap3gOkRt2kCoOPjAXVA6lsWYNf+lQ91O
Le24p+ZkBZxk4fgpLiEydQOczZl4vxozYKMvJ1PvMLJ8pzywTS4B7svl7Z5foQdS
ce2StirqA23IpEUccbjoraG2X7KXvOJ76ugD+35zTQt8uoVPGfRZAycuuLRWCLLD
1dGF6G5Duj4g2Mo1a2iZv29gj9+bxhiEmP5QnJl6xntTPYdPxcxuJgSGq7LK3gF2
xRTnIWKJmwIXdQ2Nlb4n
=nUJi
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages