FBI and police are losing the encryption war

Password cracking can now be done at a reasonable price with enormous computing resources. At the same time encryption is getting better, is used more widely, and brute force will lose in the long term.


If you're concerned about your privacy, you should be encouraged at the increasing power and accessibility of encryption. If you're with law enforcement, you're worried. It's a real problem for you.

Think about how different encryption is: The law has always allowed the authorities, with a proper warrant signed by a judge, to enter your house and search all your belongings, including all records, paper and electronic. If you won't give them the key, they will break down doors and force open locked filing cabinets and safes. Because sometimes the police need to do these things in order to apprehend criminals, we allow it, and we put protections in place to prevent the abuse of that power. The ability for them to do these things under proper circumstances isn't very controversial in the US.

But to gain access to information which has been encrypted well, the government may be up against mathematics, a tool which can't be pushed around.

Law enforcement turns to forensics tools and password cracking software when suspects are uncooperative or, as in the case of the San Bernardino terrorists, unavailable. Passware is one of the top companies in this business and has many customers in law enforcement, according to Dmitry Sumin, Founder & CEO at Passware. Sumin says that law enforcement agencies are running into the problem of encrypted records more and more often and the strength of the encryption is steadily increasing.

Much of the improvement in encryption encountered by law enforcement just comes from having bigger encryption keys and eliminating weak algorithms. In some cases, brain-dead encryption systems, such as those in Intuit QuickBooks and Quicken, can be instantly cracked by Passware. But other vendors have fixed these problems. Many years ago the default encryption for password-protected Microsoft Office files was similarly weak and could be cracked easily, but the last few versions are strong. I once tried to crack a password-protected Excel file using Passware's software and was told that it would take up to 1,300 years on that system.

Passware has tools to decrypt over 280 file types, encrypted hard disks and images from mobile devices (like the one over which the FBI and Apple are fighting in court). If a law enforcement agency is smart and lucky and can get a system that is still running, they can extract encryption keys for many products on it by analyzing the system memory.

For static decryption there are special hardware setups optimized for password cracking, usually using GPUs (Graphics Processing Units), which are also good at the sort of math used in password cracking. But these are expensive, not off-the-shelf items, and can only be justified by agencies (NSA, for instance) with a constant need for decryption horsepower.

What's a smaller agency to do? Go to the cloud. Passware offers AMIs (Amazon Machine Images), from which you launch instances in the AWS EC2 service for password cracking in the cloud. Not only can you spin up numerous high-powered servers for the task, but Amazon has GPU instances that you can use to accelerate it.

So law enforcement has a powerful and affordable set of tools at its disposal. But the arc of cryptographic competence in commercial software is upward. On the whole, their jobs are getting harder. It's all good news for us ordinary folk who want to protect our privacy, but it's also good for criminals.