ElcomSoft Tool Cracks BitLocker, PGP, TrueCrypt In Real-Time 268
An anonymous reader writes "Russian firm ElcomSoft on Thursday announced the release of Elcomsoft Forensic Disk Decryptor (EFDD), a new forensic tool that can reportedly access information stored in disks and volumes encrypted with desktop and portable versions of BitLocker, PGP, and TrueCrypt. EFDD runs on all 32-bit and 64-bit editions of Windows XP, Windows Vista, and Windows 7, as well as Windows 2003 and Windows Server 2008." All that for $300.
Misleading title (Score:5, Insightful)
Unlike the title claims, it doesn't _crack_ in real time, it just allows you to mount the encrypted volume and lets you decrypt it with the keys you found. I.e. make it work just like truecrypt when you mount a partition.
If they were able to _crack_ in real time, then they'd have just solved P = NP.
Re:With a huge exception (Score:5, Insightful)
It requires a memory dump of the system where the keys are used. Bad submitter. Is anyone filtering the submissions? This is starting to look like reddit.
Which you can get VERY easily if the computer has a firewire port.
http://blogs.gnome.org/muelli/2010/04/reading-ram-using-firewire/ [gnome.org]
Re:Not as clever as it sounds (Score:5, Insightful)
I thought Truecrypt, et al were smarter about RAM (Score:5, Insightful)
I thought TrueCrypt,et al were smarter with their RAM-based keys than that and made them more difficult to sniff in RAM, as this has long been a well-known weakness of any encryption software.
Or is there something about whole-disk encryption software that makes this more difficult (which I can see from a performance perspective)?
You would think they would randomize memory locations or have some kind of method of encrypting the keys in-memory and decrypting them and wiping as they did disk I/O. A race condition that would expose them, but with a smaller window for exploitation than leaving them in memory.
Re:Key theft != cracking encryption (Score:5, Insightful)
It's still a key control problem.
If Windows notifies programs about suspends/shutdowns (not sure it really does), TrueCrypt needs to dismount immediately and do whatever it needs to do to protect its key.
None of these processes attack the encryption directly, just control of its keys. Of course, that still means data disclosure, but rather than meaning P=NP or some other news, it simply means that keys are being poorly protected by the software, which in the case of hibernation can hopefully be fixed.
Firewire doesn't matter...it's equivalent to a malicious PCI device, without (as far as I know) the possible protection of VT-d. Epoxy or X-acto. If you can read the system's memory space, you can do a *WHOLE* lot more than just recovering the key...the data itself is likely in there while being read or even the entire unencrypted volume if it's memory mapped. Let alone kernel memory etc. So that is not news really.
Re:Not as clever as it sounds (Score:5, Insightful)
The first thing you think about "PGP encryption cracked" is that a random .pgp file that you got isolated somehow (i.e. intercepting a mail with it attached) could be cracked and decrypted in minutes, no extra hardware required.
But this goes to the RAM of the computer where still resides somehow the passphrase to decrypt the file. Is a bit more serious, but not so much different than claiming that you cracked pgp encryption because you had a keylogger installed.
Re:Not as clever as it sounds (Score:5, Insightful)
Security articles pretty much always dramatically overstate what they are capable of. Generally "cracked" gets used any time something is decrypted and the person who encrypted it didn't intend for it to be.
It sounds like it should be super easy, since the encryption key is "just sitting in memory", but it's not. A lot of those programs actively take steps to try to prevent the key from being captured from memory. Elcomsoft is by no means the first person to demonstrate this attack, but they like to aggressively promote whenever they make tools for applying techniques that researchers have already developed.
Re:Not (Score:4, Insightful)
Net result is the same. If there's a whole in the security, it's a flaw regardless of whether you think it's k3wl or not.
Yes, there's a hole in the security, but not in the WDE products. Identifying the correct attack surfaces allows the security-minded to mount proper defenses.
From this perspective, the article title is misleading and counter-productive.
Better: "ElcomSoft Demonstrates Bypass Tool for BitLocker, PGP, and TrueCrypt".
Re:With a huge exception (Score:5, Insightful)
That article is 2+ years old and deals with XP. Also the author chews on words for the first paragraph or two and makes me want to shoot myself (not to mention being wrong on a few points...) but anyhow..
Does the memory dump apply to Win 7/8? Fully patched XP? FW ports are a niche and rather uncommon. Of more interesting concern - are hibernate files encrypted on a bitlocker encrypted drive?
I agree with GP - this is a terribly written submission (and/or just an advertizement.) Bitlocker, PGP, and trucrypt ALL decrypt in realtime already - if you provide them with keys!!!
Re:Key theft != cracking encryption (Score:4, Insightful)
Or you disable hibernating completely.
Re:Key theft != cracking encryption (Score:5, Insightful)
Or you could, you know, not do anything with the system that would give the feds a reason to be banging on your door.
More, and more, just living free and being vocal about others living free, and god forbid, helping others living free, is more than enough reason to have the feds banging down your door .
Let's not forgot that moron FBI guy that took out hundreds of companies in a data center because he could not understand how hundreds of different companies and legal entities could cohabitate in the same space.
At this point just being innocent and never doing anything wrong is not protection enough to be raided by the feds.