Schneier, UW Team Show Flaw In TrueCrypt Deniability

An anonymous reader writes "Bruce Schneier and colleagues from the University of Washington have figured out a way to break the deniability of TrueCrypt 5.1a's hidden files. What about the spanking-new TrueCrypt 6? Schneier says that 'The new version will definitely close some of the leakages, but it's unlikely that it closed all of them.' Meanwhile, PC World is reporting that the problems Schneier and colleagues found are bigger than just TrueCrypt. Among their discoveries: Word auto-saves the contents of encrypted files to the unencrypted portions of your disk, and this problem should apply to all non-full disk encryption software. Their research paper will appear at Usenix HotSec '08."

And this is exactly why..

[Anonymous Coward]

you run at least full disk encryption. If one needs further plausible deniability, THEN you can run truecrypt. Also, cleaning out temp files should be a regular occurrence, as should running on an encrypted swap file/partition.

Word and what?

[frovingslosh]

Among their discoveries: Word and auto-saves the contents of encrypted files to the unencrypted portions of your disk,...

If you're like me (meaning that you pay attention to what you read), you may be wondering what in the world "Word and auto-saves" means. I wondered so much I even followed the link, and saw that the omitted term was Google Desktop, omitted because of very sloppy cut and paste of the article.

Summary is inaccurate

[TheSpoom]

Schneier et al don't break TrueCrypt's deniability, per se. They simply show that Word, Google Desktop, and other automatically-indexing programs may reveal a hidden partition's possible existence.

This is a concern, of course, but can be avoided by careful use of the software invoked when using a TrueCrypt partition (i.e. killing processes except for TrueCrypt, etc).

I believe there's also a portable version of TrueCrypt that can be used that leaves no traces on the OS install once you're finished.

Re:No Problem Here

[TheSpoom]

Be careful you don't use slocate if you're on Linux either. (Hint: you probably do without knowing it.)

The point of this paper is that any automatically indexing software could reveal a hidden partition's existence; they were simply giving a few hard examples.

Re:Get A Mac

[vux984]

Windows should build in a encryption program like on Mac OS X

Uh... they did... 8 years ago.

They've had EFS (encrypting file system) since Windows 2000.
http://en.wikipedia.org/wiki/Encrypting_File_System [wikipedia.org]

They've added BitLocker Drive Encryption with Vista (Ultimate & Enterprise).
http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption [wikipedia.org]

Re:Get A Mac

[xrayspx]

My bet would be that if you have the DFS filesystem mounted, then Spotlights (or Beagle on Linux) would just index it like any part of the filesystem.

They're not trying to decrypt files here, but just prove that files exist. TrueCrypt lets you put an encrypted volume inside an encrypted volume, such that if you mount the "outer" volume, you can't show evidence that there even exists an "inner" volume. However, if you mount that "inner" volume and use the files in it, Windows will make a Recent Documents shortcut to its location, thus disclosing the fact that there are files there.

I'm a TrueCrypt user, but not a DFS user, since I care more about the encryption than I do about plausible deniability, but I'm interested in trying this out. The test case might be along the lines of:

• Mount a DFS volume on a Mac
• Do a spotlights search for something inside that volume
• Unmount the DFS volume
• See if theres any cached data from Spotlights that still hints at the existence of the file within your hidden filesystem

Since Spotlights also does a full-text search, does it cache any of that full-text data to make the next search faster?

Re:Get A Mac

[blueg3]

Spotlight's index is stored in the root of the volume it's indexing. Encrypted filesystems are independent volumes, so their indexes are stored in their volume root. The index of the primary filesystem isn't altered.

I'm not sure it leaks zero information -- there have been some bugs with Spotlight indexes and FileVault-encrypted home directories.

Re:About Bruce Schneier

[azzuth]

if you asked Bruce Schneier to decript this, he'd crush your skull with his laugh.

He decripted it for me, and I still have my skull. On the other hand, he did take my soul. :( not really a fair trade in retrospect.

Re:HW Encryption - the only way

[Anonymous Coward]

A little more on topic - can you recover old autosaves from disc after a save? can you recover old autosaves after the program is quit? what about after reboot?

Short answer, yes. If Word or OpenOffice in particular (as well as other programs I've seen that have an auto-save feature) crashes I've seen those auto-save files stick around. They're not suppose to, but they do if the app crashes. This is where Word and OpenOffice get their ability to recover files if the app crashes.

BTW, once they've been written to disk unencrypted, even if they get deleted, they can still be potentially recovered.

Re:Get A Mac

[blueg3]

Really?

All of Mac OS X encryption operates on user-managed encrypted disk images (volumes) or "encrypted home directories" (FileVault), which is really an OS-managed encrypted disk image.

FileVault home directories are no stronger than your login password. As this password is stored hashed only once (albeit salted, as of 10.4), it had better be immune to brute-force-guessing. They're also only as strong as your system-wide FileVault recovery keychain, as a copy of the key is stored in that, too.

Non-FileVault encrypted images at least use 1000-round PBKDF rather than a single hash and don't, by default, use a recovery keychain. At only 1k rounds, though, it had still better be immune to brute-force guessing.

None of this addresses the fact that using a Mac OS X system with an encrypted directory still leaks information about the contents of that directory onto the unencrypted parts of the drive. In fact, if anything, TrueCrypt is better about not doing this than the Mac, though neither of them hide their tracks all that well. The best approach is to have TrueCrypt running full-disk encryption so that there's nowhere for data to leak to.

Re:Full-disk is the way

[conspirator57]

you're not a fool per se. everything has deficiencies of one sort or another. but have you looked to see whether there is any configuration guidance for your particular choice?

I know NSA IAD has a security configuration guide for MacOS X. It may include a section on FileVault. If so, it ought to be at least a good place to start from and provide you with good search terms.

http://www.nsa.gov/snac/downloads_macOSX10_4Server.cfm?MenuID=scg10.3.1.1 [nsa.gov]

Re:Deniability on SSD?

[compro01]

the Truecrypt documentation mentions the possible implications of this.

Wear-Leveling

Some storage devices (e.g., some USB flash drives) and some file systems utilize so-called wear-leveling mechanisms to extend the lifetime of the storage device or medium. These mechanisms ensure that even if an application repeatedly writes data to the same logical sector, the data is distributed evenly across the medium (logical sectors are remapped to different physical sectors). Therefore, multiple "versions" of a single sector may be available to an attacker. This may have various security implications. For instance, when you change a volume password/keyfile(s), the volume header is, under normal conditions, overwritten with a re-encrypted version of the header. However, when the volume resides on a device that utilizes a wear-leveling mechanism, TrueCrypt cannot ensure that the older header is really overwritten. If an adversary found the old volume header (which was to be overwritten) on the device, he could use it to mount the volume using an old compromised password (and/or using compromised keyfiles that were necessary to mount the volume before the volume header was re-encrypted). Due to security reasons, we recommend that TrueCrypt volumes are not stored on devices (or in file systems) that utilize a wear-leveling mechanism. If you decide not to follow this recommendation and you intend to use system encryption when the system drive utilizes wear-leveling mechanisms, make sure the system partition/drive does not contain any sensitive data before you fully encrypt it (TrueCrypt cannot reliably perform secure in-place encryption of existing data on such a drive; however, after the system partition/drive has been fully encrypted, any new data that will be saved to it will be reliably encrypted on the fly). To find out whether a device utilizes a wear-leveling mechanism, please refer to documentation supplied with the device or contact the vendor/manufacturer.

oh twitter

[Anonymous Coward]

You know that RNG was put in for NIST 800-90 compliance and is not the default in Vista or any other Microsoft OS, don't you?

You know that even an open source RNG of that type would have the same flaws, don't you?

You know you shouldn't use elliptic curve RNGs, regardless of who is providing them, don't you?

You know linking to Slashdot articles with question marks in the title proves absolutely nothing, don't you?

I said it before, I'll say it again

[Abalamahalamatandra]

Windows caches all types of stuff about filesystems it touches in the registry. Open regedit some time and search for "OpenSaveMRU" and you'll see that pretty much every file you click to open in Windows is in there.

Not that Linux is any better, at least Gnome systems - check out ".nautilus" in your home folder. Same thing going on there with the directory structure, you name it. The first thing I do on a new Ubuntu box is remove ".recently-used.xbel" and create a directory with the same name, and make ".nautilus" owned by root and not world-writable. /tmp is obviously a problem on Unix-type systems as well, along with the swap partition.

Of course if your whole system is encrypted these are not problems, but then you don't exactly have a deniably-encrypted filesystem.

Re:Let me get this straight

[Eighty7]

Something I found amusing, GDS (google desktop search) linux is strictly opt-in on folders while GDS windows is opt out. I use it on my ubuntu box because it beats the hell out of tracker/beagle.

Re: BitLocker Backdoor- Source?

[blueg3]

Yes; some of the tools it has perform live evidence acquisition to powered-on systems. It's not safe to assume a powered-on system where the encrypted drive has been disconnected is safe, as keys may remain in memory. But if the PC is off (and especially if free disk blocks, virtual memory and sleep files, etc. are scrubbed), this doesn't do anything.

Re:Get A Mac

[triffid_98]

Use this l33t HaXX0r tool called regedit?

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer]
Value Name: NoRecentDocsHistory
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable restriction, 1 = enable restriction)

However, if you mount that "inner" volume and use the files in it, Windows will make a Recent Documents shortcut to its location, thus disclosing the fact that there are files there. I'm a TrueCrypt user, but not a DFS user, since I care more about the encryption than I do about plausible deniability, but I'm interested in trying this out. The test case might be along the lines of:

Re:TC has Deniability

[pclminion]

Uh, I don't think you get it. We're talking about evil governments here. If you only had "clean" data on your drive, why was it encrypted? That's evidence of guilt in itself (in these people's minds).

Re:Let me get this straight

[H0D_G]

http://paranoidlinux.org/ [paranoidlinux.org]

inspired by Little Brother by Cory Doctorow

Re:TC has Deniability

[stinerman]

Ding, ding, ding!

In many totalitarian regimes the simple existence of crypto or secure delete software is evidence enough to lock you up.