Why CryptoSafe requires a Strong Password

[mekDroid]

Hello Folks,

We just released CryptoSafe, an advanced Android security product that gives you the peace of mind of having your confidential information stored securely inside an encrypted database. Unlike similar apps in the Android Market CryptoSafe will force you to create a strong password, and that is the subject of this post.

You can find CryptoSafe in the Android Market at:

https://market.android.com/details?i....cryptosafepro
https://market.android.com/details?i...cryptosafelite

The Lite version is free (but it has ads). The Pro version is only $1 and has no ads.

This is the first of a series of posts on various development and security-related topics for Android devices and applications which I hope you will find either useful or entertaining. Failing that, though, I devoutly hope that this one particular post will basically scare the pants off you, perhaps to the point that you might just consider using a strong password to secure your personal information.

An Android Phone is a really nothing but a fairly competent computer that is posing as a phone: it is computing on the go, computing for people who do not use other computers and computing for people who do use computers every day. When a new Android user buys a phone, though, two things happen right away: first, this new user downloads an absolutely unbelievable amount of software onto this computer, and second, the user goes and enters a heavy chunk of personal information into the phone. This is an explosive combination!

Sooner or later most of these users are going to realize that they need to keep track of more user ids and passwords for websites, applications and so on than they can possibly expect to remember. At this point the said users will go and download some type of password keeping application from the Android Market, install it, and proceed to enter the passwords for every site and app they use, plus their bank accounts and credit cards. The password-keeper application itself needs to have some kind of master password, which brings us to the main topic of this post.

The password of the password keeper is now protecting every other password that was entered into the system, but with one very, very big difference: the password-keeper database, which is encrypted, is local, that is, it sits right inside the phone.

Unlike the passwords used for remote sites, in which the site can lock-out the account after a given number of invalid logins, a local database can be attacked off-line. If your phone is stolen an attacker can first root the phone (this can be done in minutes) to gain access to the password database and then mount a password-guessing attack against the master password that protects your password database.

Password-keeper applications use password-based cryptography. Assuming that the system is properly built (and this is a big assumption!) and does not have any design flaws that could allow an attacker to circumvent the encryption altogether, the security of a password-based cryptosystem will be entirely dependent on the strength of the password. And even the strongest cryptography systems will not be able to protect you if you choose a weak password.

Here, let me give you a few facts about encryption and about attacks against encryption systems. A cryptosystem can be attacked in various ways:

• Brute-Force attack against the encryption keys. In this type of attack the opponent tries all the possible encryption keys (not passwords, keys). Brute-Force attacks are unfeasible against systems that use strong encryption, as the number of possible keys is astronomical. For example, it would take all the computers in the world working together for billions of years to crack a single AES-128 key. Assuming that your system was built using proper cryptographic algorithms you do not need to worry about this type of attack.
• Attacks that circumvent the system. This type of attack goes around the encryption altogether by exploiting weak points in the design or operation of the system. An example of this type of attack is a keystroke logger that intercepts every key even before it goes to the encryption program. The best way to protect yourself against this type of attack is to use a solid cryptosystem and a good anti-virus.
• Attacks against your password. In this type of attack the intruder will try to guess your password (not your key). Password-Guessing attacks are also called "'Dictionary Attacks" in the security literature because here the opponent will use a dictionary of common words to mount an automated attack against your password that tries millions of possible combinations of these words, plus special characters and digits.

Of the three types of attack described above the most likely, and by far the worst one in the sense that it has a reasonably good probability of working is the dictionary attack, and one good reason for it is that human beings are just miserably bad at choosing strong passwords. The other reason why password-cracking attacks work better these days is because the technology has gotten much better, both in terms of hardware (faster systems) and in the capabilities of the software that is used to do the cracking.

Bruce Schneier, perhaps the most respected cryptographer in America, has a terrific article about password-cracking in his blog. I suggest that you read his piece, as it is very much worth reading: Schneier on Security: Choosing Secure Passwords

There are legal password-recovery and forensic products in the market that can be used to mount a password-guessing attack. A good example of this type of software is the AccessData Password Recovery Toolkit:

Decryption & Password Cracking Software | AccessData

AccessData claims to be able to break 55 to 65 percent of all passwords, but please keep in mind that their systems are often used in corporate environments, where the administrators can set some minimum standard for password strength. Users of encryption products in Android phones will be more likely to choose very weak passwords than corporate users. AccessData is not alone, though. Companies like ELCOMSOFT and Passware also have password-recovery systems:

Password recovery, forensic, forensics, system and security software from ElcomSoft : recover or reset lost or forgotten password, remove protection, unlock system

http://www.lostpassword.com

Hackers also have access to (or can build themselves) password-guessing software with similar capabilities. The strength of the password-cracking software used by security agencies is not well understood, but I can happily tell you it will not be any less than that of the commercial products, and in many cases it will be massively higher.

To make things even worse, password-cracking is a computing task that can be trivially distributed, in that an opponent can split the task of trying out candidate passwords among many systems to create a Distributed Dictionary Attack.

AccessData has a legal forensic product called "Distributed Network Attack" that does just this. Hackers also have this type of code, and have (or can rent) access to "Botnets" to carry out distributed attacks. ELCOMSOFT has a similar product, the ElcomSoft Distributed Password Recovery system, which can be scaled up to over 10,000 computers.

A 1,000 machine botnet, which is not particularly large by today's standards (there are reports of botnets with 1.5 million machines) will speed-up a password-guessing attack by a large factor, though not 1,000 times faster, because the hacker cannot use 100% of the processor time in the compromised machines without giving his presence away.

The main reason why dictionary attacks are possible in the first place is that people tend to follow very predictable patterns when choosing their passwords. Believe it or not, the single most popular password in the world is "password1". Other popular choices begin with "qwerty" and "asdf" which are the first two rows of keys on a regular keyboard.

The most popular password digit is 1 (two-thirds of the time, and nearly always at the end of the password). If allowed, 65 percent of all users will create very weak passwords of 8 letters or less. A tiny cracking dictionary of 1,000 common words (stuff like password and letmein) plus 100 common suffixes like "1" and "abc" can be used to break about 24 percent of all passwords.

People consistently use proper names, their own in particular, but also names of movie stars, rock bands (for some reason blink182 seems quite common) and pet names. All these and many more will be in the attackers dictionary. AccessData, for example, uses a 10,000 entry names dictionary for this. Common English words are part of most passwords, and AccessData has a 100,000 word dictionary to break these passwords.

Otherwise, people will use what they think are very clever substitutions, like O for zero, $ for s, @ for a, 1 for l and so on. All of these will be tried by the password-crackers in round 1 of the attack. A complete Round 1 will take less than a day, weak passwords take just hours and the weakest stuff gets broken in minutes, and that is just Round 1.

Assuming that (unaccountably) your password was strong enough to resist Round 1, then Round 2 is even more problematic. In the AccessData product Round 2 uses a much larger dictionary (100,000 words), plus an algorithm that tries non-word combinations of letters that are pronounceable, at least in English, but they are working on the code for other languages. The cracking software will also "walk" digits and special characters through these candidate passwords.

Round 2 can take weeks to months, unless the attacker has a massive amount of computing power, but it will break passwords that are normally considered to be quite strong.

According to AccessData a typical password consists of a "root" and some appendage. In the infamous "password1" the root is password and the appendage is 1. Close to 90 percent of the time the appendage is placed at the end of the password, the other 10 percent is placed at the beginning (i.e. 1password will not protect you either!) and people tend to use very predictable appendages like 1$ and 1234.

The AccessData product can crack passwords at a rate anywhere between 350,000 to over a million passwords per second on a 3-GHz Pentium 4. For a botnet you need to multiply the one-computer rate by the size of the botnet.

By the way, if you use a 6-digit numeric PIN as your password the AccessData product will crack it just in under 3 seconds flat. A hacker might be a bit less efficient, though, and will crack it in, say, 10 seconds. A 10-digit numeric pin will protect you for less than one hour. DO NOT USE NUMERIC PINS WITH PRODUCTS THAT HAVE A LOCAL DATABASE!

But that is not all. There is also a company called Tableau that has a hardware accelerator product, something called the "TACC1441 - A Proven, Trusted Accelerator for Password Recovery" which you can peruse at:

Tableau Forensic Products

A single TACC1441 hardware module can be used to boost the password-cracking speed of the AccessData product anywhere between 6 to 60 times, depending on the design of the cryptosystem (see below for more on this) and multiple TACC1441 units can be connected to a single host. For your convenience, the TACC1441 units can also be rack-mounted ...

An opponent armed with a TACC1441 can crack your 6-digit numeric PIN in about 1/50th of a second, a 10-digit numeric PIN in less than a minute and a 12 digit numeric PIN (which will be very hard to remember!) in just over an hour and a half. AGAIN: DO NOT USE NUMERIC PINS WITH PRODUCTS THAT HAVE A LOCAL DATABASE.

A PIN is adequate only when the database is remote, like an ATM machine, and the attacker does not have any way of trying millions of possibilities without getting the account locked-out. Use a numeric PIN with a product that has a local database, like a password-keeper Android app, and your password is Round-1 road kill.

A sophisticated opponent armed with racks of these systems (or else a very large botnet) can probably crack passwords at the rate of 100,000,000 per second. Please understand that when I say "Opponent" I am not talking about a Security Service. For that type of organization your estimate needs to begin at least 1,000 times higher. For the most capable organizations (the security services of industrialized countries) it will be much, much higher than that, but nobody really knows by how much.

But all of this is really immaterial, as the real danger to most people comes from hackers, not security services. The problem is that for even a common hacker with a botnet the achievable rate of millions of passwords per second will render many passwords that one would normally consider to be fairly strong crackable in days or weeks.

However, not all is bad news: if your password makes it past round 2 then you should be fairly safe, at least from a hacker. The reason is that even hacking is not free from the laws of economics. Once a password goes beyond the first day or two of cracking the attacker will be faced with a large, open-ended expense.

Botnets are costly to rent; there are reports of hackers earning thousand of dollars a day from renting their botnets. For a hacker that is "renting" a botnet cracking a Round 3 password becomes a financial risk. A hacker that "owns" a botnet and uses it to try to crack your password will lose an equivalent amount of "rental" income. Small-time hackers will not have the required hardware or money to mount a Round 3 attack. For the ones that do, you would have to be a very high-value target in order to justify this kind of expense, and even if you are, there is no guarantee that the attack will succeed.

Now, please do yourself a big favor: go back and check the passwords that you have used in other places. Chances are that the cracking rules above will apply to most, if not all of them! (yes, they probably need to be changed)

[Ads]

Android.net is the premier Android Forum on the internet.

[SLAG IT!]

Wow! That's a lot of information. Good write up but, wow. Hopefully people will read this in it's entirety. I will check it out.

[mekDroid]

Hi Slag it! Yep, there is quite a bit of stuff there ... I do hope people read it and learn how and why they can protect their confidential data. Before I started work on CryptoSafe I went ahead and did a quick security audit of the password apps in the Android Market (I am a Ph.D. student) and found vulnerabilities in practically every app I reviewed, although not with the encryption, it was always with ways to bypass the encryption altogether to get at the data, and the worst stuff is when people use numeric PINs (like an ATM) and think it is safe (it is not!).

[SLAG IT!]

I understand that all to well. I am currently enrolled in college and one of our projects for class had to pertain to possible security holes. People thought I was crazy for having a 17 character password until they saw how quickly their's were compromised in under a minute.

[mekDroid]

LOL! (but 17 characters is a Round 3 password and just about as safe as it gets!)

Which University do you go to? I am going to Nova Southeastern University, a great school and they have both "ground" and web programs, although not for the doctorate :-(

[SLAG IT!]

UW.. University of Washington. My first semester there. I also am at a community getting an AAS in networking.