Choosing a Bad Password Has Real-World Consequences

Oops:

Wikileaks has cracked the encryption to a key document relating to the war in Afghanistan. The document, titled "NATO in Afghanistan: Master Narrative", details the "story" NATO representatives are to give to, and to avoid giving to, journalists.

The encrypted document, which is dated October 6, and believed to be current, can be found on the Pentagon Central Command (CENTCOM) website.

Posted on March 9, 2009 at 1:19 PM • 41 Comments

Comments

aikimark • March 9, 2009 1:36 PM

Strong Pentagon passwords might need to be added to the most famous oxymoron list that starts with "military intelligence".

Randy • March 9, 2009 1:54 PM

"Military intelligence" jokes aside, what are the odds that this is true?

Why would the Pentagon put *any* files on a publicly accessible internet server that they didn't want to become public?

Once you have the encrypted file, it's only a matter of time before it's decrypted, regardless of password strength. Right?

Randy

HJohn • March 9, 2009 1:54 PM

Reinforces my opinion that the strength of encryption is less significant than the weakness of how it is used.

That's not to say that weak encryption is not a vulnerability, it is just to say that 1) in most cases it is not the algorithm that is broken and 2) it doesn't matter how strong your "lock" is if the key is under the mat.

For most here, this has been course STO101 (stating the obvious, 101), but clearly some people skipped this class.

mcb • March 9, 2009 1:54 PM

And never wash your colors with your whites if you're fighting in Afghanistan...

Savik • March 9, 2009 2:00 PM

Are there not legal ramifications for publicly releasing classified documents - no matter how they were obtained?

Chris • March 9, 2009 2:09 PM

In response to Randy:

"only a matter of time before it's decrypted"

I suppose it depends how long you have to wait - strong encryption could take millions of years to crack!

R1ch4rd • March 9, 2009 2:29 PM

In response to Chris:

"strong encryption could take millions of years to crack!"

or a million or so distributed bots.

Fred P • March 9, 2009 2:30 PM

@Savik-

That depends on the country. Not in the U.S.A. (for that action alone).

Jason • March 9, 2009 2:56 PM

Network Timeout
The server at secure.wikileaks.org is taking too long to respond.

Too late.

Anonymous • March 9, 2009 3:19 PM

wikileaks is still up, it's just been flooded with traffic.

The choice of password is pretty priceless. They didn't even place a 1 at the end for extra anti-brute force goodness.

Mark • March 9, 2009 3:42 PM

@Randy,

I agree with your statement and have done for quite some time.
I would be interested to hear Bruce's thoughts on the subject.

Anonymous • March 9, 2009 3:43 PM

Bad passwords are only part of the problem. Key management and handling are always a major PITA, especially with the coming full disk encryption products.

Great, another headache for overworked, overstressed IT departments. More data loss and weird errors will happen.

Bad result, bad consequence is that all data gets stored on a central file server, then disks will be lost, backups corrupted, etc.

Choosing a bad crypto handling policy for data has major consequences for everything else.

Anon23 • March 9, 2009 3:59 PM

I used to work with the people maintaining that very site.

The users aren't the most tech-savvy, let me assure you.

Fred P • March 9, 2009 4:56 PM

@Mark, Randy

- Technically, yes. I'll note that back when I did any cryptology (basic grad-school stuff), we'd assume an attacker with the entire computing resources on the Earth, then calculate the duration such an attacker would take to crack our encryption via "brute force" using the best method we were aware of. We'd stop when we had a sufficiently unreasonably high number.

Even if you assume present growth of processor speeds up to their theoretical limits, and unbelievable computer growth, something like AES-256 is likely to hold up against a "brute force" attack far longer than you, your nation, your civilization, your star, your galaxy, or even your universe will.

You'll also need to power that with at least a good chunk of a nicely sized-galaxy. Remember to account for stellar death, as it will be significant in these time intervals.

While there could be an (as yet unknown) algorithmic weakness that makes these sorts of calculations moot, most likely the encryption algorithm is not going to be the weak point in your security system.

Unless you like ROT-26...

Anonymous • March 9, 2009 5:28 PM

Fred,

Randy's point stands even in light of your comment, as it wasn't just regarding algorithmic strength. Since it was in reference to a file being put in the public eye being "only a matter of time until it's decrypted", that would also include weaknesses in the software used to do the encryption as well as weaknesses in the key/passcode (both of which are more likely unless we're talking about someone that rolls their own cryptosystem). We've all seen how insidious software implementation issues can be when it comes to cryptography. Something shouldn't be on the public web unless it's something you don't mind being viewed.

Also, shame on them for using a dictionary word as a password (I'll assume it was encrypted using whatever MS Office security functions are built in). And why it's posted on the public internet is somewhat confusing, it's not as if the military doesn't have its own public key infrastructure. I'd think it could be intentional leakage, if it wasn't for the truth of Anon23's statement.

Tangerine Blue • March 9, 2009 6:34 PM

> Since it was in reference to a file being put in the public eye
> being "only a matter of time until it's decrypted"

I think that you're saying these files should have been posted on NATO's private internet? If there is such a thing, I'm not sure the intended audience for these docs can reliably access it.

nv • March 9, 2009 6:58 PM

@ anon23 (or others in the know)

Does CENTCOM have dedicated staff to patrol its servers for possible document leaks of this nature?

oh nv • March 9, 2009 7:40 PM

One comes to this blog and in short time one learns that security is "difficult". It's probably for our own good as individuals to buy into that.

Supposedly, good passwords and encryption really only work when you can be sure no one (upstream) has backdoored your OS or hardware. Certain governments can probably meet this assurance internally. For all practical purposes, however, individuals cannot. Individuals are fckued.

Perhaps CENTCOM personnel wasn't too competent, as anon23 would testify. But if all gov personnel were really really competent, perhaps we as individuals would then be really really fckued? So is what happened in this story a good sign for a more free society? He he, probably.

Antimedia • March 9, 2009 10:33 PM

Pretty ironic that wikileaks uses an SSL cert that sets off alarms because it was created with a Debian box with a non-random random number generator.

Chris • March 10, 2009 4:25 AM

@Randy, Mark, Fred, and Me

I think also changes in computing power (could quantum computing render all current encryption obsolete?) rather than current botnets could have a greater impact.

I wonder if information that was encrypted 30+ years ago has been re-encrypted with today's stronger algorithms.

kevinm • March 10, 2009 5:29 AM

What type of encryption was used? From what I have read in the blogs the filetype seems to have been ".doc", was it just MS Word encryption? Perhaps RC4? If several versions were put on that website over time, with the same password, then it may not have been difficult to crack the encryption: "The Misuse of RC4 in Microsoft Word and Excel" http://eprint.iacr.org/2005/007.pdf

BF Skinner • March 10, 2009 6:01 AM

Let me get this straight.

The DoD spent millions (10's of?) to deploy a public key infrastructure ensuring that everyone, grunt, contractor, janitor, general had a common access card with valid certificates and then - they don't bother to use them to encrypt data?

bob • March 10, 2009 6:53 AM

@Chris: It wouldn't matter; 'Venona' for example.

Once it's out, it's out; and you can't put the toothpaste back in the tube (or the cipher tape back into the carrier in this case).

Paeniteo • March 10, 2009 7:01 AM

@Richarchd:
> "strong encryption could take millions of years to crack!"
>
> or a million or so distributed bots.

We're not talking about mere 'millions of years' here...

Assume that you can build an AES cracker out of a single silicium atom.
Assume that said cracker can do 1 million cracking attempts per second.
Assume that earth's silicium reserves (roughly 15% of earth's mass) are transformed into those crackers.

This gives you a cluster of roundabout 10^50 machines (I might be mistaken by a few orders of magnitude here, but we will see that it doesn't really make a difference).
This cluster will be able to do about 4 * 10^63 AES attempts per year, meaning that it will have fully exhausted the AES-256 keyspace in about 28,000,000,000,000 years.

Mark R. • March 10, 2009 7:25 AM

Re: MS Word encryption

If the file was .doc, then the encryption used was easily breakable without brute force. I used to break them with a $90 software package, when users on our LAN forgot the passwords to their "super-secure files."

In the new Office 2007 XML formats (.docx would be the equivalent), you can actually use AES256 (though that may require a registry change if I recall).

Mark R • March 10, 2009 7:27 AM

Re: above comment

Of course, that's assuming they used the built-in Word encryption (which would be RC4 for Office pre-2007). It might have been encrypted using some other method.

Must remember to think before typing.

SteveJ • March 10, 2009 9:37 AM

@Chris: "I wonder if information that was encrypted 30+ years ago has been re-encrypted with today's stronger algorithms."

Doesn't help if the attacker has the copy from 30+ years ago, with the old crypto. And you have to assume the attacker could have that, at least for some documents, since otherwise why did you even bother encrypting them in the first place?

To be honest, I'd be slightly surprised if documents stored encrypted 30 years ago were any easier to recover today by the owner than by an attacker. (a) do you still have a record of the cryptosystem, and (b) do you still have a record of the key?

Fred P • March 10, 2009 9:43 AM

@chris-

As I attempted to indicate, and Paeniteo also indicates above, brute force shouldn't work to crack AES-256 under any vaguely "realistic" scenario, including having an Earth-massed quantum computer of any chosen design (why? because there are only around 8.87 x 10^49 atoms in the Earth - so assuming that each atom could contain a quantum state, and that the device could do 10^9 calculations per second (impossible for other reasons, such as violating the speed of light), it still would take 42 billion years). The power requirements alone are immense; my assumption of a good chunk of a galaxy for a power source assumes perfect transport of power, perfect capture of power, that non-stellar energy can somehow be captured, and no calculation per brute force attempt, with extremely long timespans (well above the present age of the universe); remove any of those assumptions (all of which are not realistic in the least), and you're going to need a lot more energy. "Realistically", I'd suggest trying to harness the energy output of the entire visible universe just to power your cracker - and taking all the non-energy producing matter in that observable universe to build your computer(s). Yes, this implies billions of years in set-up, alone.

AES-128 is not designed to be crackable via brute force under any reasonable extrapolation of present technology. AES-256 is a little over 3.4*10^38 times more difficult to brute force than AES-128.

SteveJ • March 10, 2009 9:45 AM

@oh nv: "good passwords and encryption really only work when you can be sure no one (upstream) has backdoored your OS or hardware"

Not quite. Good encryption works if nobody actually has backdoored you. You don't have to be sure of no backdoor in order to not in fact be compromised, you just have to be sure of no backdoor in order *to be sure* of no compromise. Theory of knowledge :-)

I can't be sure that Dell (MS, Intel, nVidia, Roxio, whatever other crapware the machine came with) didn't crack my PC before I ever saw it. Or that any of my software suppliers since didn't do the same. But I might be confident enough to take that risk, and if they actually didn't do it, then my messages will in fact not be read. I don't know for certain that they won't, but the risk is worth taking compared with the cost of not using computers to communicate at all.

Fred P • March 10, 2009 9:50 AM

@Anonymous-

My interpretation of the promise of strong cryptology is that your enemy can intercept all your communications, but still can't access the information in a timespan that makes that information useful. Obviously, individual implementations, uses, etc. can fall flat.

dragonfrog • March 10, 2009 12:33 PM

One thing to note - if you look at the documents, they're marked "unclassified" - this was not a leak of classified material, it was a leak of "internal use" material...

The document posted at Wikileaks is a PDF. It's possible that it was Word crypto, or PDF crypto, doesn't really matter materially.

Antimedia • March 10, 2009 1:17 PM

@Daniel - certainty is the downfall of many.

SSL Blacklist says it's a bad cert. Who do you trust?

Anonymous • March 10, 2009 1:46 PM

@SteveJ,

Really? I say you are backdoored. If you doubt it, let's put you to a practical test you may not be comfortable with: why don't you start a journal on your PC, detailing crimes you are going to commit, perhaps something terrorist related or something perfect-crime Dostoyevsky style. I know it sounds ridiculous, but just make it believable and encrypt it any way you want: after all it's just pretend and nobody will ever know in a million years, right? Nah, b/c: "you are backdoored".

Evan • March 10, 2009 2:22 PM

@Daniel/Antimedia

wikileaks isn't affected by the Debian SSL issue, it's using an md5 SSL Cert which SSL Blacklist also notifies you about. Because of the recent (couple months ago) additional weaknesses found in md5 hashes, those keys aren't secure either.

So to one extent or another, you are both right.

And yes wikileaks should get a new cert.

Jonadab the Unsightly One • March 15, 2009 7:47 PM

> something like AES-256 is likely to hold up
> ... far longer than ... your universe will.

I find this statement naive. You're relying on bare arithmetic to extrapolate its strength based on what is currently known. Furthermore, no encryption is stronger than the password you have to enter each time you decrypt it. Almost all humans, with the possible exception of a half dozen rare autistic savants in all recorded history, are either unable or unwilling to memorize and use a password as strong as what you describe.

And that's ignoring all the various alternative ways to get the password other than by brute forcing it.

Did Wikileaks actually brute-force this password, or is that a cover story to protect the person who gave it up? Either is entirely possible. The password is quite weak, at only eight lowercase letters that also happen to spell a very common dictionary word, so it could have been brute-forced by a single individual with less than a thousand dollars' worth of computer hardware and a one-line Perl script (five lines if you want the script to be clear and maintainable, fifty lines with comments and POD and command-line argument processing). On the other hand, the Pentagon is a massive organization and thus very likely to have information security leaks, probably on a regular basis; it would not be at ALL surprising to me if the password were leaked by someone who theoretically is not even supposed to have it. (Or perhaps the leaker just sort of hinted... "you know this document over here, which is encrypted? I happen to know that it's got a really weak password. Like, dictionary-word weak.")

And then there's the possibility that the document is a deliberately-leaked plant, a piece of misinformation. This is less likely, but any security guy worth his salt will roll the possibility around in his head for a moment at least.

Poppa • March 19, 2009 7:34 PM

They didn't even have to brute force the password. The website has a picture of a blackboard with the word "progress" written on it.
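
An added example, not part of the original post or of any comment: a Python password-strength estimate that puts the AES-256 keyspace arithmetic from Paeniteo's comment next to Jonadab's point that encryption is no stronger than its password. The sample wordlist, the 200,000-word dictionary size, the 128-symbol allowance for other characters and the guess rates are assumptions; the character-class figure is an upper bound, since human-chosen passwords are far less random.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample wordlist; a real audit would load a full dictionary file.
SAMPLE_WORDLIST = {"password", "progress", "security", "narrative"}
# Assumed size of the dictionary an attacker would try before brute force.
ASSUMED_DICTIONARY_SIZE = 200_000

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(password):
    """Alphabet size an exhaustive search must cover for this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(all(c not in cls for cls in CLASSES) for c in password):
        size += 128  # assumed allowance for spaces and non-ASCII characters
    return size

def effective_bits(password, key_bits=256, wordlist=SAMPLE_WORDLIST):
    """Work factor in bits: the weaker of the cipher key and the password."""
    if not password:
        return 0.0
    if password.lower() in wordlist:
        # A dictionary word costs at most one pass over the dictionary.
        pw_bits = math.log2(ASSUMED_DICTIONARY_SIZE)
    else:
        pw_bits = len(password) * math.log2(charset_size(password))
    return min(pw_bits, float(key_bits))

def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate in a 2**bits search space."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def report(password, guesses_per_second, key_bits=256):
    """Summarise how much of the key's strength the password preserves."""
    bits = effective_bits(password, key_bits)
    return {"password_bits": round(bits, 1), "key_bits": key_bits,
            "years": years_to_exhaust(bits, guesses_per_second)}

if __name__ == "__main__":
    # Paeniteo's scenario: 10^50 machines at 10^6 attempts per second each.
    print("AES-256 keyspace:", years_to_exhaust(256, 1e50 * 1e6), "years")
    # Assumed single-machine rate of 10^6 guesses per second.
    for pw in ("progress", "qzvxkjwp", "aA1!" * 16):
        print(pw[:12], report(pw, 1e6))
```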


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..