   

how come we cant brute force crack encryptions?

 
 
BillRM
 
  1  
Reply Thu 15 Jan, 2009 02:39 pm
@DrewDad,
It would need to be a weak hashing routine for the danger of collisions to greatly aid a rainbow attack such as perhaps MD5.

TrueCrypt and most other up-to-date security programs also add salt in doing the hashing.

0 Replies
 
BillRM
 
  1  
Reply Thu 15 Jan, 2009 02:47 pm
@DrewDad,
DrewDad here is a short section on truecrypt salting/hashing function.

=====================================================
512-bit salt is used, which means there are 2^512 keys for each password. This decreases vulnerability to 'off-line' dictionary attacks (pre-computing all the keys for a dictionary of passwords is very difficult when a salt is used) [7]. The salt consists of random values generated by the TrueCrypt random number generator during the volume creation process. The header key derivation function is based on HMAC-SHA-512, HMAC-RIPEMD-160, or HMAC-Whirlpool (see [8, 9, 20, 22]) - the user selects which. The length of the derived key does not depend on the size of the output of the underlying hash function. For example, a header key for the AES-256 cipher is always 256 bits long even if HMAC-RIPEMD-160 is used (in XTS mode, an additional 256-bit secondary header key is used; hence, two 256-bit keys are used for AES-256 in total). For more information, refer to [7]. 1000 iterations (or 2000 iterations when HMAC-RIPEMD-160 is used as the underlying hash function) of the key derivation function have to be performed to derive a header key, which increases the time necessary to perform an exhaustive search for passwords (i.e., brute force attack) [7].

Header keys used by ciphers
0 Replies
 
BillRM
 
  1  
Reply Thu 15 Jan, 2009 03:05 pm
@DrewDad,
Another interesting thing to consider is that there are few places outside of major governments that are going to have the resources to deal with a strong cipher system. Even most major companies are not going to have the in-house resources to try to break pgp or truecrypt.

No teenage hacker with a rainbow table or two is going to be a threat.

Now if you happen to do something that annoys a large government, but not to the point they would go outside the legal framework, even if they could break into your files they are surely not going to tell the world in an open court that they can do so.

There have been a number of cases where Western governments' law enforcement had run into strongly ciphered files and had bounced off them.
0 Replies
 
ebrown p
 
  1  
Reply Thu 15 Jan, 2009 03:19 pm
My understanding is that using PGP and IDEA is pretty damn secure. We know how long a brute force attack will take, and there is no known way to take a short cut.

Of course no one knows if the NSA has found a shortcut they are not telling us about. But lots of very smart people have spent significant amounts of time trying to find one and as of yet, no one has.

Use PGP with a fairly large key. If you don't do something else stupid (which is easier than you would think) this will be plenty secure enough unless someone has the use of all the computers of the world for 100 years or so.
DrewDad
 
  1  
Reply Thu 15 Jan, 2009 03:59 pm
@ebrown p,
ebrown p wrote:

I think there is confusion between technologies here.

Messages are encrypted with a key, not with a password. If you are going to break encryption (meaning read an encrypted message) there is no password (and in some schemes no hash).

Encryption can be as secure as you want it to be (provided you have some knowledge of the technology).

Breaking passwords is a completely different problem.


Correct. Robert specifically mentioned rainbow tables in the context of cracking passwords, which is what I was discussing.

Robert Gentel wrote:
the advent of rainbow tables has made cracking password hashes much more viable
BillRM
 
  1  
Reply Thu 15 Jan, 2009 04:11 pm
@ebrown p,
Ebrown p, if you are unlucky enough to get the government interested enough to use NSA level of assets on you, you are in a world of hurt in any case.

A van with a few million dollars of electronics parked in your neighborhood, or breaking in and placing a hardware/software key logger in your computer systems, would be just the start.

For most of us the risk model is having the computer stolen, as over 600,000 laptops are every year at our airports for example, and even a bio hardware drive lock turned on should deal with that threat very nicely, let alone TrueCrypt.

The second common threat is taking the computer in for some form of repair. If you do not think that the technician is not going to be looking, at the very least, to copy your music and your porn, you are living in a dream world. With some chance they will also be looking for credit cards and bank passwords.

The last time I needed to take a computer in for some work, on boot-up the computer asked for a passphrase to open a volume on my drive and the technician then asked me what this was about. I told him with a smile that is where I kept my music and porn collection that I do not wish to share with the Geek Squad <grin>.

The very worst case for most of us is that for some reason local law enforcement would get interested enough to seize our computer systems, and in that case PGP and TrueCrypt once more would be enough to deal with that level of threat a few hundred times over.
BillRM
 
  1  
Reply Thu 15 Jan, 2009 04:28 pm
@DrewDad,
I happen to have a boot disk with a rainbow table able to break the so-called secure administrator Windows passwords in less than a minute or so.

But that is not an indication of the power of a rainbow table but instead the very low and poor security put in place by Microsoft.

A solid hash routine and adding salt to the hash will stop a rainbow table attack in its tracks.
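
Added example (not part of any post in this thread, and not TrueCrypt's code): the salting and iteration behaviour described in the TrueCrypt excerpt and in the post above, using PBKDF2 from Python's hashlib as the HMAC-based derivation function. The word list is constructed, and SHA-1 stands in as a 160-bit hash because RIPEMD-160 is not available in every hashlib build.

```python
import hashlib
import os

WORDLIST = ["letmein", "password", "dragon", "hunter2"]  # constructed sample dictionary


def unsalted_md5(password: str) -> bytes:
    """Fast, unsalted hash: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).digest()


def header_key(password: str, salt: bytes, prf: str = "sha512",
               iterations: int = 1000, dklen: int = 32) -> bytes:
    """PBKDF2 with the excerpt's parameters: 1000 iterations, 256-bit key."""
    return hashlib.pbkdf2_hmac(prf, password.encode(), salt, iterations, dklen)


def precompute(words, fn):
    """Build a digest -> password lookup table, as a precomputation attack does."""
    return {fn(w): w for w in words}


def demo() -> dict:
    # Unsalted: one table, built once, resolves every stored hash of a listed word.
    md5_table = precompute(WORDLIST, unsalted_md5)
    unsalted_hit = md5_table.get(unsalted_md5("hunter2"))

    # Salted: two volumes, same password, independent 512-bit salts.
    salt_a, salt_b = os.urandom(64), os.urandom(64)
    key_a = header_key("hunter2", salt_a)
    key_b = header_key("hunter2", salt_b)

    # A table precomputed for salt_a costs len(WORDLIST) * 1000 HMAC rounds
    # and is only valid for that one salt.
    table_a = precompute(WORDLIST, lambda w: header_key(w, salt_a))

    return {
        "unsalted_hit": unsalted_hit,               # table lookup succeeds
        "table_a_on_volume_a": table_a.get(key_a),  # works for its own salt
        "table_a_on_volume_b": table_a.get(key_b),  # None: different salt
        "keys_differ": key_a != key_b,
        # Derived key length is set by dklen, not by the hash's output size.
        "len_sha512": len(key_a),
        "len_sha1": len(header_key("hunter2", salt_a, prf="sha1")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt does not make a weak password strong: a dictionary search against one known salt still succeeds, but the work has to be repeated for every volume and each guess costs the full iteration count.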
DrewDad
 
  1  
Reply Thu 15 Jan, 2009 04:41 pm
@BillRM,
BillRM wrote:

I happen to have a boot disk with a rainbow table able to break the so-called secure administrator Windows passwords in less than a minute or so.

Are you sure that's how it works? The one I use for work simply sets the local administrator password to be blank. No rainbow table needed.

Rainbow tables are typically used for cracking domain passwords.
ebrown p
 
  1  
Reply Thu 15 Jan, 2009 05:01 pm
@BillRM,
Quote:
Ebrown p, if you are unlucky enough to get the government interested enough to use NSA level of assets on you, you are in a world of hurt in any case.

A van with a few million dollars of electronics parked in your neighborhood, or breaking in and placing a hardware/software key logger in your computer systems, would be just the start.


Unlucky enough? Actually, I would consider that a sign that my life was worthwhile ;)

But you are of course correct... there are lots of ways that a well endowed attacker, such as the NSA, could compromise your security without knowing a flaw in RSA.

I was reading recently that they don't even need to attach a key logger. They can now divine your key presses from a distance by analyzing the RF interference from your keyboard. Pretty scary stuff.


0 Replies
 
BillRM
 
  1  
Reply Thu 15 Jan, 2009 06:34 pm
@DrewDad,
Are you sure that's how it works? The one I use for work simply sets the local administrator password to be blank. No rainbow table needed.
-------------------------------------------------------------------------------------------
http://sourceforge.net/projects/ophcrack/

Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.
0 Replies
 
 

 