Hi Paul and Members:
Does the AESCrypt provide mechanism to prevent Brute Force Attack or password-cracking attack? Since user supplied password is used for encrypting and also as password protect, if someone uses sophisticated way of cracking password, the encrypted file can be opened.
If AESCrypt does not prevent that, my second question is: Are there any restrictions on password length and type?
Thank you,
Sri
Preventing Brute Force Attacks
-
paulej
- Posts: 593
- Joined: Sun Aug 23, 2009 7:32 pm
- Location: Research Triangle Park, NC, USA
- Contact:
Re: Preventing Brute Force Attacks
AES Crypt does not take any steps to prevent brute force attack. It can't really, since the .aes file is separate and anyone could attack the file directly.
A brute force attack is the only way I know to crack AES. So, definitely longer passwords help. The Windows version allows up to 1024 unicode characters in the password. The Linux version allows up to 1024 8-bit characters. (As mentioned in other threads, Unicode support issues exist in the Linux code that we still need to address.)
The key used in encryption is actually 256 bits, regardless of the password length. The password is hashed using sha256 along with random data. The random data is in the clear, so it's still the password that is the key to security.
An improvement on the wish list is to add the ability to have keys stored in files. So, rather than have a password that is prone to user error, we want to allow AES Crypt to generate a password file (that would be 256 bits long). The file would then be the key used to encrypt the data. Until then, it's just recommended to make passwords as reasonable long as possible
Typically, a user will type characters in the range from 32 to 127 (95 characters). There are many characters people would not usually type, so let's just assume there are 64 characters. So, each character is effectively a strength of not more than 6 bits. Thus, a strong password would be about 42 characters. I make mine even longer
A brute force attack is the only way I know to crack AES. So, definitely longer passwords help. The Windows version allows up to 1024 unicode characters in the password. The Linux version allows up to 1024 8-bit characters. (As mentioned in other threads, Unicode support issues exist in the Linux code that we still need to address.)
The key used in encryption is actually 256 bits, regardless of the password length. The password is hashed using sha256 along with random data. The random data is in the clear, so it's still the password that is the key to security.
An improvement on the wish list is to add the ability to have keys stored in files. So, rather than have a password that is prone to user error, we want to allow AES Crypt to generate a password file (that would be 256 bits long). The file would then be the key used to encrypt the data. Until then, it's just recommended to make passwords as reasonable long as possible
Typically, a user will type characters in the range from 32 to 127 (95 characters). There are many characters people would not usually type, so let's just assume there are 64 characters. So, each character is effectively a strength of not more than 6 bits. Thus, a strong password would be about 42 characters. I make mine even longer