Marie till RiksdagenStart: 14:37
What: Agent endrazine
Full disk encryption : distributed (via cloud computing) brute forcing preboot authentication passwords using x86 real mode bootloader instrumentation. This talk attempts to provide orders of magnitude regarding what is and what is not computingly breakable (and at what price !) regarding HD encryption. Featuring a heavy load of harcore 16b real mode assembly and live demos of the brute forcing of Lilo,Grub (MD5 mode) and Truecrypt. I will also cover the Bitlocker/Truecrypt plain text password leakage I previously disclosed at Defcon, briefly.
Watch it: on Bambuser
The only way to keep data secret is to encrypt it. The best way to keep it is full way full disk encryption.
Introduction
Goals of the talk is to demonstrant that there is to brute force a preboot authentication password. The ones in bios, or in bootloaders.
Give an estimation of how much it would cost in cracking on full encryption software using a generic instrumention methodology.
Cryptographic softare is mostly legalized in both North and south america and europe.
Wikipedia: In China, a license is still required to use cryptography. Many countries have tight restrictions on the use of cryptography. Among the more restrictive are laws in Belarus, Kazakhstan, Mongolia, Pakistan, Russia, Singapore, Tunisia, and Vietnam.
Cryptography from a government point of view is a superinteresting target. DES was designed to be resistant to differential cryptanalysis, a power ful and general cryptanalytic technique knwon to NSA and IBM, became publicly known when it was rediscovered in the late 1980s.
Cryptographic softwhere can be backdoored, this is a reality.
Non Tech people will say: “if it fails just go for brutefroce.
But how do you do it? There are no public tools. If you want to bruteforce it you will have to write your own operating system to brute forice it.
Keyboards internals
Endrazine gives us a Boot sequence overview, in order to further explain the full disk encryption.
CPU – > Bios EEprom – > IVT, RAM, Bootloader, Kernel.
Bios internals for keyboard management
Interaction with the keyboard, we need to understand the whole chain from the computer to the keyboard.
In your keyboard there’s a Pic, in the motherboard as well. Unified key scan codes. The data from the keyboard is stored in the bios keyboard buffer.
The password will be saved in physical memory forever.
Brute forcer design
The challanges are instalation and initial control flow modification (bios firmware, other media, mbr replacling/patching)
maintaining control (bp, ivt hijack, reroutning)
Get the source code.
Experimental Results
It is doable
The cost of hashing algorithms (md5..) is negligible in the cracking process
hashing algorithms: we tried 700 passwords in 30s. truecrypt: 10s/password (wohw!)
Time taken: Irrelevant (cloud computing)
With enough computer power you can break any given password within 1 hour.
Check the slides for more results.
Conclusion & bonus!
Bruteforcing is physically doable for both hashing algorithms and complex symetric systems
Bruteforcing remains unpratical against truecrypt so far (6 passwords / minutes, recommended pass phrases of length 20)
Not using TPM like technologies allows attackers to take advantages of distrubuted comput ing making the brute time irrelevant.
