Slashdot Log In
Schneier, UW Team Show Flaw In TrueCrypt Deniability
Posted by
timothy
on Thu Jul 17, 2008 04:29 PM
from the can't-prove-that-you-didn't-not-not-write-that dept.
from the can't-prove-that-you-didn't-not-not-write-that dept.
An anonymous reader writes "Bruce Schneier and colleagues from the University of Washington have figured out a way to break the deniability of TrueCrypt 5.1a's hidden files. What about the spanking-new TrueCrypt 6? Schneier says that 'The new version will definitely close some of the leakages, but it's unlikely that it closed all of them.' Meanwhile, PC World is reporting that the problems Schneier and colleagues found are bigger than just TrueCrypt. Among their discoveries: Word auto-saves the contents of encrypted files to the unencrypted portions of your disk, and this problem should apply to all non-full disk encryption software. Their research paper will appear at Usenix HotSec '08."
Related Stories
[+]
IT: TrueCrypt 6.0 Released 448 comments
ruphus13 writes "While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."
Submission: Schneier and UW Team Take on TrueCrypt by Anonymous Coward
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
usenix what? (Score:5, Funny)
HotSex 08? Where do I sign up!
Lucky for me... (Score:5, Funny)
I encrypt using a one way algorithm know as "fire" that transforms all my secrets into ashes.
Since matter can not be destroyed, only changed, decryption is just around the corner. Also, AJAX will be used somehow.
Bay area venture capital welcome!
Sorry, dude... (Score:5, Funny)
Seems that someone found a semi-reliable decryption mechanism that can not only stand up to that, but can reverse an even stronger algorithm known as "volcano" [byu.edu].
Didn't mean to dash your dreams, but you know how the security game goes...
Parent
Re:Sorry, dude... (Score:5, Funny)
"Volcano" is, indeed, a stronger algorithm than "fire", but it's also much coarser-grained. Further research shows that the decrypted portions were not completely encrypted, merely provided with a partially-encrypted wrapper.
We can also discuss the even more advanced "Thermonuclear ground-zero" algorithm, but the ultimate form of this type of encryption (matter-antimatter annihilation) is only theoretically possible with our current technology.
Parent
Re:Sorry, dude... (Score:5, Funny)
Thermonuclear ground-zero encryption is unnecessary, you just need good a good Brownian crypto device.
On a serious note, there's also steganography. I wrote up a tool that works like shred(1), except instead of DoD-compliant type over-writes, it uses blocks of harmless text from Project Gutenberg. Theoretically it's weaker than a 35-pass algorithm, but the advantage is that it's now much harder to retrieve the original data, since it's much harder to tell apart.
I really want to do something that would get my computer seized by the NSA so I can laugh while imagining them trying to find the data they're looking for. "Aha! I've found some unencrypted text... it says, 'Of all the cants which are canted in this canting world, â" though the cant of hypocrites may be the worst, â" the cant of criticism is the most tormenting...' Never mind, it's just some crap again...."
Anyone know how to get in touch with Osama bin Laden?
Parent
Re:Lucky for me... (Score:5, Funny)
I encrypt using a one way algorithm know as "fire" that transforms all my secrets into ashes.
Is that the algorithm invented by the Greek hacker, Prometheus? I heard he got in a bit of trouble over it, he ended up somewhere like Guantanamo, but eventually was rescued.
Parent
And this is exactly why.. (Score:2, Informative)
Re:And this is exactly why.. (Score:5, Insightful)
you run at least full disk encryption. If one needs further plausible deniability, THEN you can run truecrypt. Also, cleaning out temp files should be a regular occurrence, as should running on an encrypted swap file/partition.
This is why secutiry needs to be left to the professionals and requires scrutiny. It is very hard to get right and very easy to leave holes. You run full disk encryption, but in many parts of the world, you can be compelled to disclose your keys. So, since your keys are disclosed, you now may as well assume that you never had the encryption in the first place. That puts you right back to square 1 and there is now evidence that you have a hidden volume.
Full disk encryption protects you against the consequences of theft, and for this, deniability has no utility. Deniability protects you against certain governments, and for this, full disk encryption often provides little utility.
Parent
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Ding, ding, ding!
In many totalitarian regimes the simple existence of crypto or secure delete software is evidence enough to lock you up.
Let me get this straight (Score:4, Funny)
Re:Let me get this straight (Score:5, Interesting)
Anyway, now Im rambling, but I use truecrypt only on my secure linux box, which doesnt have these problems
Are you sure? Have you checked your ~/.bash_history file? Are you sure your editor isn't leaving autosaves in /tmp? There could even be plain text in your swap partition. It's hard to really know.
If I needed plausible deniability I'd put a virtualbox image in the deniable container. Then I'd turn off swap and link ~/.bash_history to /dev/null. And I'm sure I've forgotten something.
Parent
Re:Let me get this straight (Score:4, Insightful)
If you want _plausible_ deniability, which is what this is about, then having no history file is only going to arouse suspicion. Open a shell with HISTFILE=/dev/null only when you're running the secret VM, and run the shell command using a GUI+script or some other method that doesn't keep tracks.
Parent
Re:Let me get this straight (Score:5, Interesting)
It seems to me that the best way to get this done would be for a bunch of guys (ideally with the paranoia of the OpenBSD guys) set about creating a Linux distro with all these things built in. It would obviously not be one built for performance, but it would be fully secured out of the box with encrypted swap, /tmp set as a ramdisk (optionally for users with enough ram or encrypted for those who don't), all installed apps (from vim to OpenOffice) configured to use secure areas for temp files etc etc.
Such a distro would mean having that level of paranoia would not arouse as much suspicion, as you could just say "Meh, I run Paranoia Linux coz I heard it was secure" and not look like you put much effort into it.
So, any takers on this project? I would, but I'm sucky at this kind of thing.
Parent
Re:Let me get this straight (Score:4, Informative)
http://paranoidlinux.org/ [paranoidlinux.org]
inspired by Little Brother by Cory Doctorow
Parent
Re: (Score:3, Interesting)
So Vista, Word, and Google Desktop make truecrypt less viable? Im Shocked I tell you! Shocked. Please..If you are serious about using truecrypt please tell me that you are savy enough to know how to get around some of these holes. Googledesktop?-aka, I spy on everyone and read your brain desktop? Its like saying my iron has a security hole if someone installs a hardware keylogger on my system. Duh!
When you've wiped the flecks of foam away from your mouth... the whole point of TrueCrypt is it makes encryption easy to use. If the first thing you have to do is go around disabling a whole bunch of things and basically getting very intimate with what applications may be saving things in plaintext, then the authors have failed.
The general thrust of the article is that without an OS (and very possibly hardware) which provides a mechanism for the application to say "I'm security-sensitive, don't let anyth
Word and what? (Score:5, Informative)
If you're like me (meaning that you pay attention to what you read), you may be wondering what in the world "Word and auto-saves" means. I wondered so much I even followed the link, and saw that the omitted term was Google Desktop, omitted because of very sloppy cut and paste of the article.
Re:Word and what? (Score:4, Funny)
Parent
About Bruce Schneier (Score:5, Funny)
Some of you may not be aware of the stature of Bruce Schneier in the field of computer security, so here is some background information:
http://geekz.co.uk/schneierfacts/facts/top [geekz.co.uk]
Bruce Schneier once decrypted a box of AlphaBits.
Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.
Bruce Schneier knows Alice and Bob's shared secret.
Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
Bruce Schneier knows the state of schroedinger's cat
Bruce Schneier writes his books and essays by generating random alphanumeric text of an appropriate length and then decrypting it.
When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.
If we built a Dyson sphere around Bruce Schneier and captured all of his energy for 2 months, without any loss, we could power an ideal computer running at 3.2 degrees K to count up to 2^256. This strongly implies that not only can Bruce Schneier brute-force attack 256-bit keys, but that he is built of something other than matter and occupies something other than space.
Though a superhero, Bruce Schneier disdanes the use of a mask or secret identity as 'security through obscurity'.
Re:About Bruce Schneier (Score:5, Funny)
Personally, I like "Bruce Schneier already has a backup plan for when the second person discovers P=NP."
Parent
Re:About Bruce Schneier (Score:5, Funny)
I ran into Bruce Schneier at an airport once. While we were waiting for a plane, I asked him if he would show me a "cool computer trick". He popped the RAM out of my laptop and quickly tasted the edge with the gold leads. He then told me that at 11:23pm the previous night I had visited ideepthroat.com with Firefox. Damn he's good.
Parent
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.
With his what? It could probably cause a cave-in as everything oozes out, with the right frequency of course, but physically crushing?
Summary is inaccurate (Score:5, Informative)
Schneier et al don't break TrueCrypt's deniability, per se. They simply show that Word, Google Desktop, and other automatically-indexing programs may reveal a hidden partition's possible existence.
This is a concern, of course, but can be avoided by careful use of the software invoked when using a TrueCrypt partition (i.e. killing processes except for TrueCrypt, etc).
I believe there's also a portable version of TrueCrypt that can be used that leaves no traces on the OS install once you're finished.
Won't really matter (Score:4, Interesting)
Turtles all the way down. (Score:4, Interesting)
Depends, but then you can do turtles all the way down.
So, have an encrypted (obviously visible volume) that has "boring" stuff in it, like your basic groceries accounting and letters to grandma. Have a hidden volume that has embarassing but non-incriminating stuff (porn folders). Have a hidden volume inside THAT that contains embarassing stuff that you'd pretend people shouldn't really want to find out (eg. gay porn). Have a hidden volume inside that that contains your master plan of converting all WoW players into your army of midgets to take over the world...add as many layers as you want.
That's the idea with the deniability, They can never know if there actually is a hidden volume in there. So assuming torture, you are probably so lost yourself that you cannot even remember the scheme yourself anymore...Even if they go with the assumption that since you are using Truecrypt there MUST be a hidden volume - but there's no way to know how many nested hidden volumes there are.
Parent
Re: (Score:3, Funny)
This algorithm takes care of that:
do {
NextVolumePassword = EnhancedInterrogation.output;
if ( Subject.dead ) throw EndInterrogationException;
NewVolume = MountNextVolume( NextVolumePassword );
cd NewVolume;
VolumeSize = GetVolumeSize;
} while ( VolumeSize > 0 )
Deniability on SSD? (Score:5, Interesting)
This has been bugging me and I wonder if anyone out there can answer this: would the write-leveling used by flash drives defeat deniability as well? After all, if the most recently written-to portions of the drive are in a supposedly unused block, isn't that a bit of a giveaway?
Re:Deniability on SSD? (Score:5, Informative)
the Truecrypt documentation mentions the possible implications of this.
Wear-Leveling
Some storage devices (e.g., some USB flash drives) and some file systems utilize so-called wear-leveling mechanisms to extend the lifetime of the storage device or medium. These mechanisms ensure that even if an application repeatedly writes data to the same logical sector, the data is distributed evenly across the medium (logical sectors are remapped to different physical sectors). Therefore, multiple "versions" of a single sector may be available to an attacker. This may have various security implications. For instance, when you change a volume password/keyfile(s), the volume header is, under normal conditions, overwritten with a re-encrypted version of the header. However, when the volume resides on a device that utilizes a wear-leveling mechanism, TrueCrypt cannot ensure that the older header is really overwritten. If an adversary found the old volume header (which was to be overwritten) on the device, he could use it to mount the volume using an old compromised password (and/or using compromised keyfiles that were necessary to mount the volume before the volume header was re-encrypted). Due to security reasons, we recommend that TrueCrypt volumes are not stored on devices (or in file systems) that utilize a wear-leveling mechanism. If you decide not to follow this recommendation and you intend to use system encryption when the system drive utilizes wear-leveling mechanisms, make sure the system partition/drive does not contain any sensitive data before you fully encrypt it (TrueCrypt cannot reliably perform secure in-place encryption of existing data on such a drive; however, after the system partition/drive has been fully encrypted, any new data that will be saved to it will be reliably encrypted on the fly). To find out whether a device utilizes a wear-leveling mechanism, please refer to documentation supplied with the device or contact the vendor/manufacturer.
Parent
Don't forget Windows Explorer, too (Score:4, Insightful)
I said it before, I'll say it again (Score:5, Informative)
Windows caches all types of stuff about filesystems it touches in the registry. Open regedit some time and search for "OpenSaveMRU" and you'll see that pretty much every file you click to open in Windows is in there.
Not that Linux is any better, at least Gnome systems - check out ".nautilus" in your home folder. Same thing going on there with the directory structure, you name it. The first thing I do on a new Ubuntu box is remove ".recently-used.xbel" and create a directory with the same name, and make ".nautilus" owned by root and not world-writable. /tmp is obviously a problem on Unix-type systems as well, along with the swap partition.
Of course if your whole system is encrypted these are not problems, but then you don't exactly have a deniably-encrypted filesystem.
Just use a VM (Score:3, Interesting)
Fortunately, there's an easy way around this problem.
Instead of having just your "sensitive" data in a DFS, just use put an entire OS in there, which you can use with for example VMWare. So, you boot up your machine, type in your encryption password and end up in your safe and clean "nothing to see here" OS, with some decoy applications and VMWare. Then when you want to actually do something with your system, decrypt the DFS, start the VMWare image found there and do your normal work.
All they could prove in this case is that you use VMWare. Just make sure VMWare has no leaks pointing to the image in DFS, but that's trivial compared to cleaning up behind Vista and it's myriad of ways it keeps track of whatever you do (for your benefit usually, but not always).
Re: (Score:3, Interesting)
True Crypt has a problem eh... Windows should build in a encryption program like on Mac OS X. It would stop a lot problems and it would be Microsoft managed and it would work better because they have all the code for the OS and can provide a better service. In the Mac OS, there are no bugs that I have discovered yet on the built in encryption program. I would hope that True Crypt fixes this bug because it is a great program.
I know there's often mindless maclove on /., but please try to think before posting.
Re:Get A Mac (Score:5, Funny)
So, just to play along, what software do you propose to use on the mac to provide deniable encryption?
You could try this program called TrueCrypt [truecrypt.org]. It seems to work okay.
Parent
Re:Get A Mac (Score:4, Funny)
So, just to play along, what software do you propose to use on the mac to provide deniable encryption?
You could try this program called TrueCrypt [truecrypt.org]. It seems to work okay.
yup, ...until some folks showed flaws in TrueCrypt deniability [slashdot.org]
Now that's an attempt for infinite mod points!
Parent
Re: (Score:3, Funny)
yup, ...until some folks showed flaws in TrueCrypt deniability [slashdot.org]
You should just use a Mac. I've never experienced any bugs with its built-in encryption options.
Re:Get A Mac (Score:5, Funny)
And what about deniability, then?
You could try TrueCrypt [truecrypt.org]. I think it works on Macs.
Parent
Re: (Score:3, Interesting)
The address for Apple H.Q. is "1 Infinite Loop." So this conversation is kind of appropriate....
Re:Get A Mac (Score:5, Informative)
Windows should build in a encryption program like on Mac OS X
Uh... they did... 8 years ago.
They've had EFS (encrypting file system) since Windows 2000.
http://en.wikipedia.org/wiki/Encrypting_File_System [wikipedia.org]
They've added BitLocker Drive Encryption with Vista (Ultimate & Enterprise).
http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption [wikipedia.org]
Parent
Re: (Score:3, Interesting)
I prefer Axcrypt [axantum.com] over Windows Compressed Folders password protection. AxCrypt is free and open-source.
From their FAQ:
Why is AxCrypt better than Windows Compressed Folders password protection?
In the July 2003 issue of PC World magazine, there is a description of how to password protect files using the built-in Windows Compressed Folders of Windows XP and ME. This is a WinZip compatible extension of the Windows Shell (Windows Explorer). The problem is that since it's WinZip-compatible it suffers from the sa
Re:Get A Mac (Score:5, Informative)
They're not trying to decrypt files here, but just prove that files exist. TrueCrypt lets you put an encrypted volume inside an encrypted volume, such that if you mount the "outer" volume, you can't show evidence that there even exists an "inner" volume. However, if you mount that "inner" volume and use the files in it, Windows will make a Recent Documents shortcut to its location, thus disclosing the fact that there are files there.
I'm a TrueCrypt user, but not a DFS user, since I care more about the encryption than I do about plausible deniability, but I'm interested in trying this out. The test case might be along the lines of:
Since Spotlights also does a full-text search, does it cache any of that full-text data to make the next search faster?
Parent
Re:Get A Mac (Score:5, Informative)
Spotlight's index is stored in the root of the volume it's indexing. Encrypted filesystems are independent volumes, so their indexes are stored in their volume root. The index of the primary filesystem isn't altered.
I'm not sure it leaks zero information -- there have been some bugs with Spotlight indexes and FileVault-encrypted home directories.
Parent
Re:Get A Mac (Score:5, Informative)
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer]
Value Name: NoRecentDocsHistory
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable restriction, 1 = enable restriction)
Parent
Re:Get A Mac (Score:5, Informative)
Really?
All of Mac OS X encryption operates on user-managed encrypted disk images (volumes) or "encrypted home directories" (FileVault), which is really an OS-managed encrypted disk image.
FileVault home directories are no stronger than your login password. As this password is stored hashed only once (albeit salted, as of 10.4), it had better be immune to brute-force-guessing. They're also only as strong as your system-wide FileVault recovery keychain, as a copy of the key is stored in that, too.
Non-FileVault encrypted images at least use 1000-round PBKDF rather than a single hash and don't, by default, use a recovery keychain. At only 1k rounds, though, it had still better be immune to brute-force guessing.
None of this addresses the fact that using a Mac OS X system with an encrypted directory still leaks information about the contents of that directory onto the unencrypted parts of the drive. In fact, if anything, TrueCrypt is better about not doing this than the Mac, though neither of them hide their tracks all that well. The best approach is to have TrueCrypt running full-disk encryption so that there's nowhere for data to leak to.
Parent
Re: BitLocker Backdoor- Source? (Score:5, Interesting)
[...] it captures live data on the computer, which is why it's important for agents not to shut down the computer first, Fung said. A law enforcement agent connects the USB drive to a computer at the scene of a crime and it takes a snapshot of important information on the computer. It can save information such as what user was logged on and for how long and what files were running at that time, Fung said. It can be used on a computer using any type of encryption software, not just BitLocker.
So it looks like COFEE is a USB device that performs monitoring once Vista has been booted and logged in. Not having your BitLocker USB drive plugged in and not leaving your PC on would seem to defeat an attack by COFEE.
Parent
Re: (Score:3, Informative)
Yes; some of the tools it has perform live evidence acquisition to powered-on systems. It's not safe to assume a powered-on system where the encrypted drive has been disconnected is safe, as keys may remain in memory. But if the PC is off (and especially if free disk blocks, virtual memory and sleep files, etc. are scrubbed), this doesn't do anything.
Re: (Score:3, Informative)
Be careful you don't use slocate if you're on Linux either. (Hint: you probably do without knowing it.)
The point of this paper is that any automatically indexing software could reveal a hidden partition's existence; they were simply giving a few hard examples.
Re:No Problem Here (Score:5, Funny)
"Keep in mind, though, that you can simply add exceptions to your updatedb.conf file, such that the directories/partitions you list will not be indexed (and hence will not be locatable by slocate)."
yes, put your hidden directories/partitions in /etc/slocate then slocate will not reveal their existence.
It seems to me there is something wrong with this sheme but I cannot put my finger on it. Hum ... but then again I'm not a security specialist.
Parent
Re:My Iron (Score:4, Funny)
I was wondering about that, I was thinking your security flaw was as simple as someone saying: "Hey, you left your iron on!" then they just rummage through your shit while yer distracted.
"It's ok, im completely secure as long as my iron is off"
Parent
Re: (Score:3, Interesting)
A more sane conclusion (without that stupid "propritary software" nag at the end) would be:
If you want _deniability_, you have to encrypt _everything_ belonging to the system you want to deny knowledge of.
Have another OS, and page file/partition around. But keep _everything_ that can be accessed by the other OS encrypted.
Otherwise, usage statistics, paged out memory, crash dumps, index files, any of a million different items could give you away.