Encryption is not an impenetrable safeguard. With some effort, you can access data that has been encrypted. Encryption is far from worthless, though. As a computer investigator, you will be called on to access information that a suspect has encrypted. You will have to break the encryption.
Before you are ready to defeat file encryption, you need to have a better understanding of the strengths and weaknesses of encryption. This knowledge will provide a better awareness of where to start and what steps to take for each unique situation.
The length of the encryption key is directly related to the security of the encryption algorithm. Although there are differences in the relative strength of each algorithm, the key length choice has the greatest impact on how secure an encrypted object will be. Simply put, longer keys provide a larger number of possible combinations used to encrypt an object.
A key that is 4 bits in length can represent 16 different key values, because 2^4 = 16. A key length of 5 bits allows 32 key values, and so on. Although it may be easy to try to decrypt a file or message with 32 different key values, each additional bit doubles the number of possible key values.
Some older algorithms that were approved for export by the U.S. government used 40-bit keys. These algorithms are considered to be insecure by today's standards because of the small key length. A 40-bit key can hold one of 2^40 values, or 1,099,511,627,776 (1 trillion). Assuming that you have a computer that can make 1.8 million comparisons per second, it would take about a week to evaluate all possible key values.
The DES algorithm uses 56-bit keys. Although DES is considered to be too weak for most security uses, it is far stronger than a 40-bit key algorithm. A DES key can store one of 2^56, or 72,057,594,037,927,936 (that's 72 quadrillion) values. Using the same computer as before, it would take about 1,260 years to evaluate all possible key values.
As keys increase in size, the computing power required to crack encryption algorithms grows exponentially. At first glance, it looks like an algorithm with a key length that requires over 1,000 years to crack is sufficient. Unfortunately, that's not the case. Today's supercomputers can evaluate far more than 1.8 million comparisons per second. When you introduce parallel-processing capability, you can realistically create a unit that can crack DES in a matter of minutes (or even seconds). That is the reason key lengths have grown to routinely be over 100 bits. Longer keys provide more security by reducing the possibility of using a brute force attack to discover the encryption key.
Because the encryption key is crucial to the encryption process, it must be protected at all costs. After the key is disclosed, the encrypted data is no longer secure. Symmetric algorithms use a single key. The sender and receiver must both possess the key to encrypt and decrypt the data. For local file encryption, the same person is likely to encrypt and decrypt the data. The purpose of encryption in such a case is to protect file contents from any unauthorized access.
You may find encrypted files both on hard disks and removable media. In fact, suspects with a basic knowledge of security will often encrypt files before archiving them to removable media. In many such cases, you will find the encryption utility on the main computer. Look for a stored copy of the key. Many people keep copies of important information in ordinary text files. Look for a file with an obvious name (such as key.txt or enc.txt) or one that contains a single large number and little else. You can also look in personal notes or other personal information manager files for an unusually large number that seems to have no other meaning. Your task in such a situation is similar to finding passwords.
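The search for a stored key described above can be scripted as a first triage pass. The following is an added example, not part of the original text; the name hints, the 16-digit threshold and the 4 KB size cap are assumptions chosen for illustration, and the script is meant to be pointed at a read-only working copy of the evidence.

```python
import os
import re
import sys

# Name hints and thresholds are assumptions for illustration; tune per case.
NAME_HINTS = re.compile(r"(?<![a-z])(key|keys|enc|secret)(?![a-z])", re.I)
# A long run of decimal or hex digits (32 hex digits would be a 128-bit key).
BIG_NUMBER = re.compile(r"\b(?:0x)?[0-9A-Fa-f]{16,}\b")
MAX_SIZE = 4096  # key notes are small; skip anything larger


def classify(name, text):
    """Return the reasons (possibly none) a file may hold a stored key."""
    reasons = []
    if NAME_HINTS.search(os.path.splitext(name)[0]):
        reasons.append("suggestive name")
    numbers = BIG_NUMBER.findall(text)
    if numbers:
        # "A single large number and little else": digits dominate the file.
        body = "".join(text.split())
        if len(numbers) == 1 and len(numbers[0]) >= 0.8 * len(body):
            reasons.append("single large number, little else")
        else:
            reasons.append("contains large number")
    return reasons


def scan(root):
    """Walk a read-only working copy of the evidence, never the original."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_SIZE:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable entry: record it by hand and move on
            reasons = classify(name, text)
            if reasons:
                hits.append((path, reasons))
    return sorted(hits)


if __name__ == "__main__":
    for path, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {', '.join(reasons)}")
```

Every hit is only a lead: a long number in a notes file still has to be tested against the encryption utility found on the suspect's machine.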
The next section addresses proper handling of encrypted data by first identifying encrypted files and then decrypting them to extract the data.