11

In the context of protecting access to local encrypted files or devices against a determined (and competent) adversary, is there any reason to believe that the use of a key file actually presents a significant hurdle that a strong (pseudo-random, long) password does not?

I've been using them myself for a while as a poor-man's two-factor authentication scheme, but after reading some of the recent security news, I'm starting to wonder if they actually add any meaningful value - so I did some quick math, and the more I look into it, the less convinced I am that they add any value against anyone with more resources or talent than a simple script kiddie. The more I think about it, the more I think that anyone who could crack or otherwise obtain one of the very long passwords I use to encrypt files or drives isn't going to have any difficulty getting their hands on my keyfiles, and determining the keyfiles from the rest would be possible with a brute-force attack and a good GPU rig.

As far as the math goes, a 20 character, psuedorandom password containing the 4 standard character sets yields 9520 or 3.58*1039 possibilities, which is a little more than 10 times better than 128 bits of entropy (which would yield 3.40*1038 possibilities). In order to get a similar degree of entropy with keyfiles, I'd need to select 9 files from a list of 100,000 if the order doesn't matter (2.75*1039 possibilities) or 8 files from a list of 100,000 if the order does matter (9.997*1039 possibilities).

Even ignoring the practical difficulty obtaining and maintaining such a large list of static files that could serve as potential keyfiles, and obscuring which ones are the actual files in question, it seems to me like the keyfile approach requires more effort than committing another ~20 random characters to memory.

The only advantage I can see from using keyfiles would be in protection against a keylogger... from 10 years ago. They come with screen capture capabilities these days, and I don't imagine that someone who can get malicious code onto a given machine would be unable to copy the keyfiles when they were accessed for authentication purposes, even if they were offline and completely physically inaccessible the rest of the time.

So, am I missing something, doing the math wrong, or are keyfiles not effective as a second authentication factor in respect to a determined adversary, and local encryption protected by secure passwords?

HopelessN00b
  • 3,385
  • 1
  • 19
  • 27
  • In addition to having some misconceptions about password entropy (it doesn't come from the password itself, rather from _how_ it is formed) and brue-forcing in TrueCrypt and similar solutions (Brute-Forcing a key is hopeless, and brute-forcing a password is painfully slow because of slow key derivation functions), you're also missing the whole point of keyfiles. Check ["TrueCrypt and Keyfiles hidden among 500,000 other .pdf files"](http://security.stackexchange.com/q/35017/) to clarify at least the last point. I hope someone would address the other points in a good answer. – Adi May 29 '13 at 23:21
  • 1
    @Adnan Yeah, I did read that question you linked when searching for an answer to this, but it seems to me like keyfiles as "something you have" don't serve that function any better than a second password - generate and record a random, maximum-character-length password (or put it into a YubiKey), store it offline, and... you've created a keyfile without using keyfiles. Right? – HopelessN00b May 30 '13 at 02:23

4 Answers4

9

Yes, keyfiles add some security. That added security may or may not be useful depending on the circumstances, but it's there.

A (properly randomly generated) keyfile has at least 128 bits of entropy. That's a lot more than a decently memorable password. With proper hashing, a long enough but still memorable password cannot be cracked in a reasonable time at a reasonable cost. However a keyfile is more future-proof than a memorable password.

More importantly, combining a password with a keyfile means that you have two authentication factors. (That's assuming you type the password rather than storing it in a file on the same machine, otherwise the password and the keyfile play the same role.) A password is “something you know”, whereas a keyfile is “something you have” — you have the storage media containing the password.

Multi-factor authentication is useful because different factors are subject to different threats. Malware running on the machine where you use the credentials is the worst case scenario: it can snoop on any credential you enter in any way whatsoever — and it can impersonate or subvert the application anyway, so you've lost regardless of what happens to your credentials. Many other attacks only affect one vector. For example, an attacker who steals backup tapes can obtain the keyfile but not the password. Conversely, there are many attacks that can reveal a password but not a keyfile, such as an shoulder surfing (possibly helped by a camera), or a hardware keylogger, or any other form of physical snooping (e.g. through sound or radio emissions).

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
2
  1. GPUs are not useful in attacking keyfiles. GPUs are generally used to perform attacks that require relatively little memory per hash, keyfiles obviously require much more.
  2. There's no reason you have to keep your keyfile on your computer, accessible to an attacker. A keyfile can easily be kept on a flash drive, making it harder to retrieve via malware. (Yes, specialized malware could look for the keyfile, but that would likely have to target you specifically.)
  3. Most users don't have good passphrases. Yes, if your passphrase really has 128 bits of entropy, a keyfile may not add much, but you'd be quite the exception there.
David
  • 15,939
  • 3
  • 50
  • 73
1

Yes keyfiles make a huge difference. The person would have to:

  1. Know you used a keyfile in the first place
  2. Know the location of the files you chose for your keyfile
  3. Know how many files you chose
  4. Then crack the password at the same time

This makes it much more difficult to crack.

Azteca
  • 1,116
  • 7
  • 16
ZCat
  • 11
  • 2
0

By storing keyfiles elsewhere, perhaps on an SD card, you can make it much more complicated and a lot less likely that anyone can learn your keyfiles. I suggest using a secondary drive which you also encrypt with a hidden volume.

The outer volume can contain "adult themed" videos (I'm not sure if we are allowed to use the "p-word" here or not) and/or other files you "want to encrypt".

In the hidden volume, you can store a library of music or whatever large set of files your like. You can create 20 gigs containing a countless array .pdfs and text files. Because you can select and use multiple keyfiles at once, the attacker would have to access the encrypted hidden volume, figure out the exact files you chose to use for your keyfile set (I suggest using 10 or more files at once for your keyfile), and then obviously crack your password in conjunction.

I HIGHLY suggest using this method because it helps to future-proof your encrypted files. I may be wrong but personally, I have no doubt in my mind that in 20 years, brute forcing even the best of passwords (meaning the maximum 60 charters allowed by most encryption software) will be possible. In 30 years, passwords will likely be a thing of the past. However, even though someone will likely be able to crack a password fairly easily in the future, cracking keyfiles by having to get the correct set of 10 or more files will still be very difficult if not impossible, especially if they don't even know where to locate your keyfiles.

So, yes, yes, yes. Keyfiles absolutely increase your security. However, even if they only increased it by, let's say, 20%, is it not still well worth taking the extra 20 seconds to load your set of keyfiles? I think so. Doing so could be the difference between your files get cracked or not.