Can files using AES crypt cracked and brute forced?

Discussion related to AES Crypt, the file encryption software for Windows, Linux, Mac, and Java.
Post Reply
Oscar_Inc
Posts: 2
Joined: Sat Apr 08, 2017 11:09 am

Can files using AES crypt cracked and brute forced?

Post by Oscar_Inc » Sat Apr 08, 2017 11:15 am

Can files using AES crypt cracked and brute forced?
There's some really powerful zip and WinRAR password breaking Softwares on the internet
But most of them can't recognize files using AEScrypt
But will some day there's brute forcing tools that aim for breaking AES encrypted files? I'm very afraid of that security issue
Passware Kit Forensic is a really powerful tool to recover forgotted passwords and some people can use it to perform really bad actions

User avatar
paulej
Posts: 521
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA
Contact:

Re: Can files using AES crypt cracked and brute forced?

Post by paulej » Sat Apr 08, 2017 2:56 pm

To date, there are no known exploits of AES, meaning a strong key will produce ciphertext that is presently unbreakable. I say "presently," because it's always possible for a vulnerability to be found one day. Older 56 bit ciphers have been broken, for example.

The biggest weakness is with passwords people use. If I were to try to attack AES Crypt, my only tool is a brute force attack where I try different passwords. If you were to encrypt a file with the password "cat", then I can "break" it. It's not because AES Crypt is broken, but because I guessed at the password.

There are machines out there that specialize in cracking passwords. Some can crank through hundreds of billions of combinations per second (e.g., https://www.cnet.com/news/no-password-i ... r-cluster/). Given hardware like that, I could check every word in the dictionary in a fraction of a second, in theory.

Using those estimates, I created this page that shows how long it might take such a machine to break passwords of certain lengths:
https://secure.packetizer.com/pwgen/.

While the 12 character password in the above examples can theoretically be broken in 292 years, it can be broken far faster if the attacker has 1000 such machines. The bigger problem, though, is that people often use far simpler passwords like "wildcat92" or something. That can be broken in seconds since it's just an English word with a couple of numbers on it. When attacking passwords, use of a 30000 word dictionary and then appending numbers is an obvious check to make. At 350 billion tries per second, you can see that wouldn't take long to check 30,000 (base words) + 30,000*10 (base words plus a digit) + 30,000*100 (base words plus two digits). That just over a million combinations, and I could do that quickly on a standard Intel processor.

That's why longer and more complex passwords are recommended. A password like "cow bird nice green strong fluent" is considerably more complex. Since it's all words, that would require checking the 30,000 word dictionary with 6 combinations. Thus, a check of 30,000^6 combinations (if we knew from the start there were 6 words). If my math is right, that would take 66 million years to crack with that machine in the CNET article. However, note that all those words are basic English words. They would appear in just a 5,000 word dictionary. Using such a dictionary and that same machine, the file can be cracked in 1415 years.

So, it's important not to just use words from a 5,000 word dictionary. Use "words" that don't exist. Put special characters or number in there. This would be far more challenging, for example:

"cow54 &bird nice# gre!en %strong] ¶flu€ent"

Note that I didn't substitute letters for numbers that are similar. People use "g33k" kinds of substitutions thinking it's more secure. It is, but when I've been asked to crack passwords, I create such combinations of words. It just means a larger dictionary. That helps (as you can see from the 5,000 word vs. 30,000 word example), but it's not nearly as helpful as something even more complex and unexpected.

I don't want to mislead you into thinking special characters like "!" are the key to security. They just make the number of combinations larger. You can get same result with foreign words, fake words, backwards words, upper+lower combinations, etc.

So, I don't see any issues with AES. The current weakness is user passwords. That's often the case.

Oscar_Inc
Posts: 2
Joined: Sat Apr 08, 2017 11:09 am

Re: Can files using AES crypt cracked and brute forced?

Post by Oscar_Inc » Sun Apr 09, 2017 1:39 am

Oh I see, so if I use AES crypt and WinRAR archive a file with password more than 50 characters like "fadfaDGEGWK"{}:?>:sdf334HDIENDD!@$*%&#(@_@$"
Will this file almost impossible to brute forced if I only give the password to the trusted people?

User avatar
paulej
Posts: 521
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA
Contact:

Re: Can files using AES crypt cracked and brute forced?

Post by paulej » Sun Apr 09, 2017 1:55 pm

If you generate a random password of 43 characters or more from the characters A-Z, A-Z, and 0-9, then that would effectively be 256 bits of entropy (randomness). That's as much as you'd need, since AES uses a 256 bit key. An attacker would do just as well attacking the random key used in encryption than your password.

And to attack either the key or your password of that length or greater (I typically use a 64 character password) would take that password cracking machine I mentioned at least 1.07x10^58 years. In short, it's highly unlikely to be broken. (Trying to crack the 256 bit key directly would take 1.049×10^58 years years. This is why AES is considered so strong.)

On Linux, there's a key generator to do that for you that I wrote, a couple in fact. One day, I'll port that to Windows. But, any good password generator would work.

Post Reply