
How does encryption software like TrueCrypt handle passwords?

  1. #1
    Sophie Pedophile Tech Support
    TrueCrypt is just an example here. What I am really curious about is how software like this goes about keeping the passwords safe, or storing them in a safe manner.

    Of course with a web application you create an account and put in your password, that password will be hashed and stored in the database. Then when you go to log in and provide your password, its hash is calculated and if it matches the hash in the DB for your username you are logged in.

    In this example the password is stored in the database and someone first will have to get into the database somehow in order to get the hash.

    Now with something like TrueCrypt, when you go to set up an encrypted volume you're going to have to provide a password, with which the encrypted volume gets decrypted later. However, what happens to the password once you enter it as the one that will encrypt and decrypt the volume?

    Does it get hashed and passed to the encryption function to be used as the key in AES-256, for instance? If so then the hash needs to be stored somewhere, right? Which seems like an obvious flaw in security because once someone finds the hash they can simply provide it as a key to the decryption function. Or does the password simply serve as the key to the encryption function?

    Or maybe, say we have a password like: "sooperlittyp4ssw0rd!" does the string get encoded with base64 or RSA or whatever and then that gets passed as a key to the encryption function?

    If someone knows, I'd love to hear how this works and is accomplished securely.
  2. #2
    Rivotril Houston
    I think it's stored in system files in machine language, I just think because I've got no idea.
  3. #3
    Grimace motherfucker [my enumerable hindi guideword]
    I don't know the mechanisms of it myself.

    Encryption/Security is a whole separate realm outside of IT/hardware, where I specialize. I have my CompTIA Security+, but honestly, that's a badge of jokes. You know more than what the Sec+ teaches. It does provide neat counter-malware tactics for administrators, though.

    All of that said, I would bet that the TrueCrypt key is encoded and passed on to decryption, but this is entirely a guess and honestly, outside the scope of most (if not all) people on this website.
  4. #4
    Sophie Pedophile Tech Support
    Originally posted by Grimace:
    I don't know the mechanisms of it myself.

    Encryption/Security is a whole separate realm outside of IT/hardware, where I specialize. I have my CompTIA Security+, but honestly, that's a badge of jokes. You know more than what the Sec+ teaches. It does provide neat counter-malware tactics for administrators, though.

    All of that said, I would bet that the TrueCrypt key is encoded and passed on to decryption, but this is entirely a guess and honestly, outside the scope of most (if not all) people on this website.

    Well, cryptography is a whole different ball game than security itself even. I am trying to make a crypto app. Now, I am not rolling my own algorithm, that would be stupid. I am using existing libraries but I just need to know a secure way to handle the process that goes into creating a password, storing it safely (or not storing it at all) and then deriving a key from that to run some AES-256 encryption/decryption with.

    With ransomware I don't really care, I just generate a big ass string and use that as a key and send it off to the command and control server. But I want to be able to use a password in the app.
  5. #5
    Grimace motherfucker [my enumerable hindi guideword]
    Originally posted by Sophie:
    Well, cryptography is a whole different ball game than security itself even. I am trying to make a crypto app. Now, I am not rolling my own algorithm, that would be stupid. I am using existing libraries but I just need to know a secure way to handle the process that goes into creating a password, storing it safely (or not storing it at all) and then deriving a key from that to run some AES-256 encryption/decryption with.

    With ransomware I don't really care, I just generate a big ass string and use that as a key and send it off to the command and control server. But I want to be able to use a password in the app.

    u makin' a cryptowall REBORN version, nigga?
  6. #6
    Sophie Pedophile Tech Support
    Originally posted by Grimace:
    u makin' a cryptowall REBORN version, nigga?

    Nah just posting about ransomware for comparison.
  7. #7
    Grimace motherfucker [my enumerable hindi guideword]
    I specialize in REMOVING malware and DECRYPTING what ransomware I can with removal tools available (outside of hardware repair, my mainstay). Lots of malware show tell-tale signs that the average user would never know something weird is going on. Zeus malware comes to mind. Huge spike in svchost.exe, which Windows uses for lots of things. Changes host file data and establishes a proxy.

    I think it's neat you're so into malware. That's a whole world in its own. Glad you enjoy it. I might have questions for you sometime.
  8. #8
    Sophie Pedophile Tech Support
    Originally posted by Grimace:
    I specialize in REMOVING malware and DECRYPTING what ransomware I can with removal tools available (outside of hardware repair, my mainstay). Lots of malware show tell-tale signs that the average user would never know something weird is going on. Zeus malware comes to mind. Huge spike in svchost.exe, which Windows uses for lots of things. Changes host file data and establishes a proxy.

    I think it's neat you're so into malware. That's a whole world in its own. Glad you enjoy it. I might have questions for you sometime.

    Sure thing fam. And yeah, malware is neat. Also if svchost.exe doesn't have services.exe as the process that started it, you're fucked. Lol. Something to look out for at least; in any case I haven't worked with Zeus so IDK how it invokes processes.
  9. #9
    Grimace motherfucker [my enumerable hindi guideword]
    Had a client with original CryptoLocker malware. Lost 10 years of data. Absolutely devastating. I backed up all his data, reinstalled his OS, and kept his data isolated on a hard drive I have. His version of cryptolocker became decryptable through Kaspersky Labs some 2 years later. I decrypted his data and called him up, 2 years after the fact. He was so happy.

    I hold data for customers that is cryptolocked and has no modern means of decryption. I charge them for that, too. Malware is good business for me. :)
  10. #10
    Sophie Pedophile Tech Support
    Originally posted by Grimace:
    Had a client with original CryptoLocker malware. Lost 10 years of data. Absolutely devastating. I backed up all his data, reinstalled his OS, and kept his data isolated on a hard drive I have. His version of cryptolocker became decryptable through Kaspersky Labs some 2 years later. I decrypted his data and called him up, 2 years after the fact. He was so happy.

    I hold data for customers that is cryptolocked and has no modern means of decryption. I charge them for that, too. Malware is good business for me. :)

    Malware is good business for everyone except the common person lmao. But good on you, it's a good thing to keep that data for them. A fee is quite reasonable for your dedication.
  11. #11
    Grimace motherfucker [my enumerable hindi guideword]
    Originally posted by Sophie:
    Malware is good business for everyone except the common person lmao. But good on you, it's a good thing to keep that data for them. A fee is quite reasonable for your dedication.

    I do what I would want my PC repair store to do, if I were a customer. That's how I try to think and make decisions based on.
  12. #12
    Sophie Pedophile Tech Support
    Originally posted by Grimace:
    I do what I would want my PC repair store to do, if I were a customer. That's how I try to think and make decisions based on.

    A good philosophy.
  13. #13
    benny vader YELLOW GHOST
    Originally posted by Sophie:
    just need to know a secure way to handle the process that goes into creating a password, storing it safely (or not storing it at all) and then deriving a key from that to run some AES-256 encryption/decryption with.

    First of all, I have to emphasize that I know nothing about any wares, hard or soft, so consider this just a curiosity question.

    How about mandating a 12-character password and then using the first and third 3 characters to hash and unhash the password itself???

    Therefore whatever hashes are stored on the computer are useless without the exact password???

    idk.
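An added example, not TrueCrypt's code and not from anyone in this thread, for the question in #1 and the idea in #13: the password is never stored, and neither is its hash. A random salt is written to disk next to a small encrypted header; the password plus salt are run through a slow key derivation to get a header key, that key decrypts the header, and the header contains the real master key for the data. A wrong password just turns the header into garbage, which the marker and checksum catch. Assumptions: PBKDF2-HMAC-SHA512 stands in for TrueCrypt's key derivation, an HMAC-SHA256 counter-mode keystream stands in for AES-XTS so this runs with the Python standard library only, and the "TRUE" marker plus CRC are modelled loosely on TrueCrypt's header layout (the real format is more involved).

```python
import hashlib, hmac, os, struct, zlib

MAGIC = b"TRUE"        # marker that tells us a header decrypted correctly (TrueCrypt uses the same idea)
ITERATIONS = 200_000   # PBKDF2 work factor: slows down password guessing against a stolen header

def derive_header_key(password: bytes, salt: bytes) -> bytes:
    # Salted, slow key derivation. The result lives only in memory while the
    # volume is being opened; neither the password nor this key is ever stored.
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=32)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES-XTS so the example needs only the standard library:
    # HMAC-SHA256 in counter mode (an assumption of this example, not TrueCrypt's cipher).
    # XOR with the keystream both encrypts and decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap_master_key(password: bytes, master_key: bytes):
    """Returns (salt, encrypted_header): the only two things written to disk."""
    salt = os.urandom(64)
    header = MAGIC + struct.pack(">I", zlib.crc32(master_key)) + master_key
    return salt, keystream_xor(derive_header_key(password, salt), header)

def create_volume(password: bytes):
    """Returns (salt, encrypted_header, master_key); the master key is what encrypts the data."""
    master_key = os.urandom(32)
    salt, enc_header = wrap_master_key(password, master_key)
    return salt, enc_header, master_key

def unlock_volume(password: bytes, salt: bytes, enc_header: bytes):
    """Returns the master key, or None when the password is wrong (header decrypts to garbage)."""
    header = keystream_xor(derive_header_key(password, salt), enc_header)
    if header[:4] != MAGIC:
        return None
    crc, master_key = struct.unpack(">I", header[4:8])[0], header[8:40]
    return master_key if zlib.crc32(master_key) == crc else None

def change_password(old_pw: bytes, new_pw: bytes, salt: bytes, enc_header: bytes):
    """Re-wraps the same master key under a new password; the encrypted data is untouched."""
    master_key = unlock_volume(old_pw, salt, enc_header)
    return None if master_key is None else wrap_master_key(new_pw, master_key)

if __name__ == "__main__":
    salt, enc_header, master_key = create_volume(b"sooperlittyp4ssw0rd!")
    assert unlock_volume(b"sooperlittyp4ssw0rd!", salt, enc_header) == master_key
    assert unlock_volume(b"wrong password", salt, enc_header) is None
    new_salt, new_header = change_password(b"sooperlittyp4ssw0rd!", b"new pass", salt, enc_header)
    assert unlock_volume(b"new pass", new_salt, new_header) == master_key
```

The salt does the job #13 wants from "the first and third 3 characters": it makes the stored header unique per volume without reusing any part of the password as key material.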