Full Disk Encryption – Why Not

Microsoft has implemented a really great full disk encryption technology called BitLocker. It’s incredibly easy to use and on a users computer they estimate the performance hit to be in the single digits – I’ve tested it before and even when gaming I noticed no hit.

Full Disk Encryption (FDE) means that to get onto your system an attacked needs your password. The entire drive looks like gibberish garbage data when it isn’t active. It’s virtually impossible for anyone to get into the system without knowing your phrase.

If you take your computer around with you, if it really ever leaves the house, and if it’s got a decent CPU/HDD I suggest you look into Bitlocker and Truecrypt.

The thing is, on any computer made in the last year or two, there’s basically no noticeable difference in performance but you’ve just ensure no one can get into your computer when it’s off.

Chances are I’ll have a guide up for both in the next week.

nVidia FBI Backdoor – What The Hell?

So apparently this is making its way around the net that Templar is some backdoor in nVidia GPUs that lets the FBI in or some such thing.

I went ahead and downloaded it (as it is potentially malicious or illegal I will not be linking it) and I see nothing “backdoorish” about this. It looks like it’s for RSA Encryption cracking (specifically bruteforcing, as in I see nothing showing it taking advantage of flaws.) A few .txt files reference prime number factoring and sieve. RSA is based on the principle that you it’s really difficult to do this type of math programatically so it just looks like this tries to do it via CUDA and sieve to speed things up.

Update: Skip To The Summary (at the end of the post)

And then I got to Red_Cross_Dress.txt

Templar is an NVIDIA CUDA implementation of the Pollard Rho factoring
method, and includes birthday attack optimizations collectively
referred to as a “reduction sieve” attack.

More details about RSA CUDA, confirming my suspicion. The code looks to do what the txt files are talking about, or at least nothing outright scary but I haven’t looked extensively at it, it’s 6:00AM and I’m too tired. Literally not one line so far has stood out as anything.

There are a lot of references to work done by Jason Papadopoulos and a few other crypto/ math people. A lot of references to optimizing it for CUDA. Absolutely nothing backdoor-ish.

Most of the code is stuff like:

/* find a GPU */

gpu_init(&gpu_config);
if (gpu_config.num_gpu == 0) {
printf(“error: no CUDA-enabled GPUs foundn”);
exit(-1);
}
if (which_gpu >= (uint32)gpu_config.num_gpu) {
printf(“error: GPU %u does not exist ”
“or is not CUDA-enabledn”, which_gpu);
exit(-1);

And then basically a ton of math like A^B -N blah blah blah crypto.

So, not a backdoor. I’m not sure where the FBI thing came from as I see no indication of their involvement or any government involvement (other than their involvement in creating the actual tool, not a backdoor, which I guess is possible.)

This particular attack method should prove effective against public key
encryption methods such as RSA and Diffie Helman, as well as ECDLP key
materials used within elliptical curve encryption methods. In addition,
it would also appear that this method of reducing input candidates can
also be used against the S-boxes of conventional block ciphers such as
DES/3DES and the AES, by analyzing each S-box mod 9 and then reducing
the possibilities for predecessor round S-boxes in this same fashion.

I guess that’s plenty scary. I’ll see if I can contact someone who knows crypto in depth tomorrow. I’ll update this post as I continue to look at the code/ .txt.

If it is actually a backdoor for nvidia I guess it’s masquerading as an RSA cracker but, again, I’ve seen nothing to suggest this. I’m actually pretty sure Templar is a tool already out there.

Update:

It seems the source is http://cryptome.org

FBI Backdoor: Templar NVIDIA GPU Factoring Suite March 29, 2012
 with the attached .zip.
Someone then pastebinned (or some such thing) a message essentially stating “omg im not downloading this but its a backdoor TELL EVERYONE”
Other sites and twitter tweets have picked up the story and linked to the zip archive.

But, what is inside?

No one seems to know or wants to blog/tweet/talk about it on discussion forums, searching the web only reveals links to cryptome's url for the zip archive.

I'm not downloading the zip, but I'd like to know what is inside. Is this a separate program offered by NVidia, a hardware or firmware exploit?

What?

Please begin posting to blogs and discussion forums indexed by Google and other search engines, what this mystery zip archive contains!

Is anybody reading this?
 Summary
This RSA cracking tool Templar is being labeled a backdoor even though it doesn’t exploit any flaws in the encryption or any flaws in any system. I see no evidence of it being FBI driven but I wouldn’t even be remotely surprised as both the FBI and NSA are pretty publicly interested in this type of thing.
Yes, it’s creepy that the tool exists. No, it’s not a backdoor. When people say “backdoor” everyone thinks built in vulnerabilities. The evidence of this being a dozen posts/ tweets about it that I’ve read looking for information that amounted to “The FBI put a backdoor in nVidia” when this does not appear to be true, at least not with the code presented.

LastPass – Secure Password Storage And Syncing

If you’re using a modern browser you very likely have some kind of sync option so that when you log in you’ll have all of your passwords, no matter what computer you access. This is great but the security issues that go along with syncing your passwords, the keys that unlock every important piece of data, should be apparent. Thankfully Chrome and Firefox handle password syncing very securely but if you’re looking for an alternative method  and the highest level of security possible you might want to check out LastPass.

What Is LastPass?

LastPass is a browser extension that will handle all password autofill, autogeneration, and synchronization for the browser. It encrypts the data locally, then transmits it through asymmetric encryption, and then encrypts it again server side. Your master password is never transmitted and it handles it in a cryptographically secure way (PBKF2 stretching with SHA256 and 500+ rounds along with AES.)

See this post on how to create a strong password before reading further.

How Do I Set LastPass Up?

Installation is easy.

https://lastpass.com/misc_download.php

That page will show you the extension you can download.

Once it installs you should be greeted by a page that asks for an email (provide one you actually check) and a master password. See this post on password generation.

It will also ask for a password reminder. I highly suggest you don’t bother with this. Enter in gibberish if you’d like. It’s much more important to actually create a memorable password than give a reminder that will provide valuable information to an attacker. If you feel it’s necessary make it as vague as possible.

After that’s done it’s a matter of:

1) Entering in usernames/ passwords (you can automate this on Windows with the binary extension.)

2) Deleting the passwords from your browser and disabling password sync.

Once you’ve done this I suggest you go to your LastPass ‘Vault’ where you can change a few settings.

Image

You’ll see “Increase Iterations” and I suggest you change it to 1000. Any higher and some mobile devices/ very old systems won’t handle it. I’ve found I can go as high as 25000 before my single core CR48 slows down when I enter the MP. If you don’t use a mobile phone or anything weaker than a 1.6ghz ATOM you might want to try higher than 1,000 rounds.

What increasing the iterations does is slow down bruteforcing. It’s one of the best features of LastPass as you can even increase to as high as 100,000 rounds.

I don’t really mess with the other settings, they’re fine by default. Feel free to check them out though and tweak to your liking. If you think I’ve left out a key feature just leave a comment and I’ll edit it in.

And that’s all there is to it. LastPass will now save, autofill, and synch your passwords. It’ll even make suggestions for new passwords.

Get Free LastPass Premium (for both of us!) for one moth with this link: https://lastpass.com/f?420446