Possible detection of hidden volumes in Truecrypt

Networking/Security Forums -> Cryptographic Software and Hardware

mxb (Trusted SF Member, joined 30 Mar 2004)
Posted: Thu Nov 10, 2005 8:09 pm    Post subject: Possible detection of hidden volumes in Truecrypt

Truecrypt is free open-source disk encryption software for Windows and Linux which has been discussed and recommended previously here on SFDC. It enables the user to create virtual disks through which all reads / writes are encrypted. It also allows the formation of hidden volumes inside the container. From what I understand, which volume appears depends on which master key you supply. As the total number of volumes is not known, plausible deniability is achieved.

From reading this post on the gnupg-users list it appears that it is possible to detect the presence of a hidden volume in Truecrypt. This post references this huge discussion on sci.crypt, but most specifically this post. It appears to be a problem with certain values appearing on sector boundaries. The attack is real and has been demonstrated as this post details. Note that this attack doesn't allow decryption and recovery of the plaintext, but allows discovery of hidden volumes only.

Edit - Extra Information:

Just found this nice summary of some of the details in this recent Slashdot discussion about the defeat of the proposal for holding suspects for 90 days without charge.

Anonymous wrote:
Basically, certain files leak information out of the "hidden" volume. The problem is that truecrypt uses a linear combination of the sector number with a static secret to generate IVs for CBC encryption, so data at the start of two sectors n sectors apart that differs by a factor of n will have equivalent ciphertext. They add whitening to the ciphertext, but generate it from the same IV, so it can be removed with four sectors. Some normal files have these occurrences in them, and it's trivial to generate files that exploit the flaw. If you can get the victim to save those files to a truecrypt volume, it makes it visible. No decryption is possible from the attack, but hidden volumes are pretty much useless.


Just keeping everyone informed.
Martin


Last edited by mxb on Fri Nov 11, 2005 6:59 am; edited 1 time in total

sam.spade (Just Arrived, joined 03 Sep 2005)
Posted: Fri Nov 11, 2005 5:09 am

Thank you!

I didn't think TrueCrypt got much peer review, but I guess I was wrong. Very informative.

jeshim (Just Arrived, joined 19 Nov 2004)
Posted: Fri Nov 11, 2005 7:26 am

TrueCrypt doesn't get much review/discussion on its own forum due to the admin there frequently shutting criticism/risky questioning down by deletions/bans.

However, luckily there are experts discussing its features in other forums. Though the average user would have no idea of these issues from visiting the TrueCrypt forum.

TC is still only 1.5 years old, despite being v4.0. I guess there's still time for it to mature.

JustinT (Trusted SF Member, joined 17 Apr 2003, Asheville, NC, US / Uberlândia, MG, Brazil)
Posted: Sat Nov 12, 2005 10:29 am    Post subject: Distinguishers.

Thanks for posting such a nice summary of what's going on. Out of humor, I followed the thread when it first began, as feathers are sometimes ruffled and fur usually flies, when TrueCrypt's security is questioned. The unsubstantiated retorts that hailed "there's nothing wrong" were silenced with valuable cryptanalysis. It's important not to be so defensively uptight about things, as it can truly hinder progress in scrutiny. It's nice to finally see some interest in scrutinizing TrueCrypt, and suggesting some potentially good directions for where to go for improvements.

Basically, as has been shown and stated, this is what you would define as a distinguisher; it distinguishes the ciphertext from a random permutation. Such distinguishers, which would be nontrivial, can be used to develop attacks, such as, for example, Gilbert and Minier's four-round distinguisher that leads to a collision attack on Rijndael, when reduced to seven rounds. We can simplify things if we define a very broad term - that term being, "distinguishing attack." To understand how broad this term is, let's look at two models: ideal and realized.

This is generally defined in terms of designing a cryptographic primitive, but I'll show the correlation between this and the case with TrueCrypt. The "ideal" model defines the outcome you hope for; that is, ideally, one that meets the criteria you set for it (i.e., very loosely, we could say that the "ideal" block cipher would be a random permutation). The "realized" model is what you end up with; this is the actual primitive itself, as we use it today (i.e., AES). The basic, primal goal of an attack is to demonstrate a difference between the ideal model you began with and the realized model that you ended up with; in this regard, we can say that an "attack" is a way to form this distinguishability between the two. (Note, I'm being loose with things, here, and can explain further, but this should get the point across in layman's terms.)

So, how does this correlate to TrueCrypt? One of the properties that TrueCrypt is advertised as retaining is that of plausible deniability; this relies on the assumption that an encrypted volume cannot be distinguished from random data. The distinguisher recently given shows that this is not the case; that is, TrueCrypt does not provide plausible deniability in this regard, and is "broken" in that particular sense. Plausible deniability can be referred to as a property of the ideal model; the realized model aims to retain this property. The fact that it doesn't is a distinguisher, because it demonstrates a difference between the ideal model and realized model. One promising proposal for TrueCrypt is the LRW-AES transform, which would be implemented like a mode of operation for AES, basically. It's specifically well-suited for sector-level encryption, and carries a security proof with it.

I'm not going to say that TrueCrypt is good, but I will say that this doesn't make it inherently bad; that's ultimately going to be determined by the direction the designers take. There are areas that can be "trimmed" up and simplified, and implications that deal with security, such as this attack, that need to be properly assessed and addressed. Again, some good suggestions were made (i.e., LRW), and I hope to see progression with it, to the extent where we can see TrueCrypt being rendered as a good cryptographic implementation. Call this "maturity", if you'd like. Good directions have been given, so let's hope they'll be followed.

The first step is to dismiss the ignorant notion that to be considered an "attack", it has to recover the key or plaintext; this is hardly the case. By collectively encompassing all attacks as nontrivial distinguishers, we don't ignore certain attacks and take them all seriously. This kind of conservatism leads to good security practice; the smallest little thing you overlook may be a fissure that leads to one canyon of a problem for that component of the system, and even between different components. You simply cannot ignore distinguishers.

brumwald (Just Arrived, joined 26 Nov 2005)
Posted: Sat Nov 26, 2005 3:00 pm

TrueCrypt 4.1 seems to have 'solved' the issue (among other minor changes, see the changelog for more info about that).

From the changelog ( http://www.truecrypt.org/history.php ):
Quote:
New mode of operation implemented: LRW.

LRW mode is more secure than CBC mode and is suitable for disk encryption. LRW mode is to become an IEEE standard for sector-based storage encryption. (For more information on LRW mode, see chapter Technical Details, section Modes of Operation in the documentation).

Volumes created by this version of TrueCrypt can be encrypted only in LRW mode. However, volumes created by previous versions of TrueCrypt can still be mounted by this version of TrueCrypt.

To prevent a recently discovered attack, we strongly recommend that you move data from your old volume to a new volume created by this version. Description of the attack: If plaintext blocks produced by an adversary are written to a mounted volume (i.e., if they are correctly encrypted) and if such plaintext blocks are written to the correct volume sectors chosen by the adversary, it is possible to distinguish the volume from random data (by XORing first two blocks of the chosen sectors and comparing the results). This affects volumes created by all versions of TrueCrypt prior to 4.1, except volumes encrypted with AES-Blowfish or AES-Blowfish-Serpent.


Seems to me (just as a warning though, I'm new to all of this) that they've resolved the situation as well as one can expect. And pretty fast too. Though I'd be glad to hear some comments on it since I don't value my own judgment when it comes to things like this yet.

But I guess that only time will tell if this solution was implemented in a good way.
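The following is an added worked example, not code from this thread or from TrueCrypt itself. It models, in Python, the two things quoted in this thread: the pre-4.1 sector mode as the Slashdot summary in the first post describes it (CBC per sector, an IV that is a linear combination of a static secret and the sector number, and whitening derived from that same IV), and the 4.1 changelog's test of XORing the first two blocks of two attacker-chosen sectors. It then runs the same chosen plaintexts through an LRW-style mode to show why the per-block tweak blocks the trick. Everything below is a simplified model built on assumptions, not TrueCrypt's actual construction: the linear IV is modelled as secret XOR sector number, the whitening as an encryption of the IV under a separate key, the block cipher as a keyed PRF (HMAC-SHA256 truncated to 128 bits, which suffices because only encryption under one key matters for the collision), LRW block indices are assumed to start at 1, and the sector numbers 1000 and 1003, the seed and the key derivation are made up for the demo.

```python
# Added example (not code from the thread or from TrueCrypt): a toy model of
# the pre-4.1 sector mode the thread describes, the chosen-plaintext
# distinguisher from the 4.1 changelog, and the same test against LRW.
import hashlib
import hmac

BLOCK = 16               # 128-bit blocks, as with AES
BLOCKS_PER_SECTOR = 32   # 512-byte sectors


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic keyed stand-in for a block cipher (assumption: HMAC-SHA256
    truncated to one block). Only encryption is needed, and the collision below
    relies solely on both sectors using the same key, so AES behaves the same."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sector_iv(secret_iv: bytes, sector: int) -> bytes:
    """Model of 'IV = static secret combined linearly with the sector number'.
    XOR is linear over GF(2), so IV(n) ^ IV(m) == n ^ m whatever the secret is."""
    return xor(secret_iv, sector.to_bytes(BLOCK, "little"))


def cbc_sector_encrypt(key, secret_iv, whiten_key, sector, plaintext):
    """Legacy-style mode: CBC over one sector with the per-sector IV, then one
    per-sector whitening value (derived from that IV; assumption: E_whiten(IV))
    XORed into every ciphertext block of the sector."""
    iv = sector_iv(secret_iv, sector)
    whitening = block_encrypt(whiten_key, iv)
    out, prev = [], iv
    for j in range(0, len(plaintext), BLOCK):
        c = block_encrypt(key, xor(plaintext[j:j + BLOCK], prev))
        prev = c
        out.append(xor(c, whitening))
    return b"".join(out)


def craft_sector_plaintexts(n: int, m: int):
    """Attacker-chosen contents for sectors n and m: sector m's first block is
    sector n's first block XOR (n ^ m), which cancels the IV difference; the
    second blocks are identical. No key material is needed to build these."""
    delta = xor(n.to_bytes(BLOCK, "little"), m.to_bytes(BLOCK, "little"))
    first_n, second = b"A" * BLOCK, b"B" * BLOCK
    filler = b"\x00" * BLOCK * (BLOCKS_PER_SECTOR - 2)
    return first_n + second + filler, xor(first_n, delta) + second + filler


def distinguisher(ct_n: bytes, ct_m: bytes) -> bool:
    """The changelog's test: XOR the first two ciphertext blocks of each chosen
    sector and compare. XORing two blocks of one sector cancels that sector's
    whitening, and the crafted plaintexts make the CBC outputs underneath equal."""
    return xor(ct_n[:BLOCK], ct_n[BLOCK:2 * BLOCK]) == \
        xor(ct_m[:BLOCK], ct_m[BLOCK:2 * BLOCK])


def gf128_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1."""
    r = 0
    for _ in range(128):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 127
        a = (a << 1) & ((1 << 128) - 1)
        if carry:
            a ^= 0x87
    return r


def lrw_sector_encrypt(key, tweak_key, sector, plaintext):
    """LRW: C_i = E(P_i ^ T_i) ^ T_i with T_i = K2 * i in GF(2^128), i being the
    block index over the whole volume (assumption: indices start at 1, so no
    block gets the zero tweak). The tweak depends on the secret K2 and differs
    per block, so the attacker cannot line up the cipher inputs of two sectors."""
    k2 = int.from_bytes(tweak_key, "big")
    out = []
    for j in range(0, len(plaintext), BLOCK):
        i = sector * BLOCKS_PER_SECTOR + j // BLOCK + 1
        t = gf128_mul(k2, i).to_bytes(BLOCK, "big")
        out.append(xor(block_encrypt(key, xor(plaintext[j:j + BLOCK], t)), t))
    return b"".join(out)


def run_demo(seed: bytes = b"demo", n: int = 1000, m: int = 1003):
    """Returns (legacy_mode_hit, lrw_mode_hit). Keys come from a fixed seed so
    the run is reproducible; the attacker never sees any of them."""
    key = hashlib.sha256(seed + b"key").digest()
    secret_iv = hashlib.sha256(seed + b"iv").digest()[:BLOCK]
    whiten_key = hashlib.sha256(seed + b"whiten").digest()
    tweak_key = hashlib.sha256(seed + b"tweak").digest()[:BLOCK]
    p_n, p_m = craft_sector_plaintexts(n, m)
    legacy_hit = distinguisher(cbc_sector_encrypt(key, secret_iv, whiten_key, n, p_n),
                               cbc_sector_encrypt(key, secret_iv, whiten_key, m, p_m))
    lrw_hit = distinguisher(lrw_sector_encrypt(key, tweak_key, n, p_n),
                            lrw_sector_encrypt(key, tweak_key, m, p_m))
    return legacy_hit, lrw_hit


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

Run as is, it returns (True, False): the legacy-style volume is identified without any key material, because sector m's first plaintext block was chosen to cancel the IV difference and XORing two blocks of one sector strips that sector's whitening, whereas under LRW the same two plaintexts give unrelated ciphertext because each block's tweak is a secret multiple of its own index. For random data or an LRW volume the comparison matches only with probability about 2^-128. The four-sector variant mentioned in the Slashdot summary and the real pre-4.1 whitening derivation are not modelled here.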

solara (Just Arrived, joined 26 Sep 2005)
Posted: Sat Nov 26, 2005 5:58 pm

From the discussion thread at sci.crypt on TrueCrypt, the use of LRW was the suggestion by the crypto folks to fix the problem.

jansson_markus (Just Arrived, joined 28 Dec 2004, Finland)
Posted: Sat Nov 26, 2005 10:28 pm

Way to go Truecrypt team!

jeshim (Just Arrived, joined 19 Nov 2004)
Posted: Sun Nov 27, 2005 9:55 am

brumwald wrote:
Seems to me (just as a warning though, I'm new to all of this) that they've resolved the situation as well as one can expect. And pretty fast too. Though I'd be glad to hear some comments on it since I don't value my own judgment when it comes to things like this yet.

But I guess that only time will tell if this solution was implemented in a good way.


Well, good? maybe - I'll wait till the experts dissect the new thing
fast? not really, it's just that most users didn't know of the defect since the 'official forum' was censored/closed 'temporarily for maintenance' to prevent discussion.

From their history, never try a .0 release. Every .0 release was followed up in a few weeks with a .1 release full of fixes.
Normally that's fine, nobody's perfect, but the forum censoring takes all the trust out of the team.

Don't get me wrong. I appreciate the TC team's work, and they ARE the only free offer in town. But some of their PR guys aren't acting professionally.

I've never used a hidden volume, but I'd never have known of this defect if I hadn't been here. Truly, how many TC users would search for forums like this if there's an official one?

So for non hidden volume users, should we move to the new LRW mode? Maybe when the forum reopens we can find out.

solara (Just Arrived, joined 26 Sep 2005)
Posted: Sun Nov 27, 2005 11:26 am

According to their changelog, the LRW mode mainly addresses the problem with an attacker being able to identify a TrueCrypt volume as being a TrueCrypt volume and NOT some random data by XORing two values placed by the attacker at specific sectors. This in effect defeats one of TrueCrypt's deniability features - that no TrueCrypt volume can be identified as a TrueCrypt volume. But this implies that the attacker has FULL access to your computer - and if such a scenario were true, then they could just as easily install a keylogger or something else to find your password - which would compromise security far more than finding out that a certain file is actually a TrueCrypt volume.

Should you create another volume and move your data over using the new 4.1? It depends on how paranoid you are. Every user has different security needs - is your need so high that you can't afford to have someone discover that a certain file/partition is actually a TrueCrypt volume? I would say most users don't really need this level of deniability, and so most people would be fine not upgrading their old volumes to LRW.

mxb (Trusted SF Member, joined 30 Mar 2004)
Posted: Sun Nov 27, 2005 12:36 pm

solara wrote:
According to their changelog, the LRW mode mainly addresses the problem with an attacker being able to identify a TrueCrypt volume as being a TrueCrypt volume and NOT some random data by XORing two values placed by the attacker at specific sectors.


This is not what the changelog says. The adversary only needs to craft a file with certain properties and get you to store it on a hidden volume. The attacker doesn't need to store it themselves, you do that step for them. Basically, they make a file with a specific byte pattern, you store it on your hidden volume, then they take a copy of your truecrypt file and the hidden volume should be identified. The attacker does not need full access to your computer at any time.

solara wrote:
Should you create another volume and move your data over using the new 4.1? It depends on how paranoid you are. Every user has different security needs - is your need so high that you can't afford to have someone discover that a certain file/partition is actually a TrueCrypt volume? I would say most users don't really need this level of deniability, and so most people would be fine not upgrading their old volumes to LRW.


It is true that every user has their own specific security needs, but if they are using a hidden volume, and this can be proved, then the security advantage of having one is eliminated. If they are so security conscious that they are using one, they should be making sure they are using it correctly.

Cheers,
Martin

jeshim (Just Arrived, joined 19 Nov 2004)
Posted: Sun Nov 27, 2005 2:47 pm

So then there's no danger if we don't use hidden volumes?

solara (Just Arrived, joined 26 Sep 2005)
Posted: Sun Nov 27, 2005 7:49 pm

Quote:
To prevent a recently discovered attack, we strongly recommend that you move data from your old volume to a new volume created by this version. Description of the attack: If plaintext blocks produced by an adversary are written to a mounted volume (i.e., if they are correctly encrypted) and if such plaintext blocks are written to the correct volume sectors chosen by the adversary, it is possible to distinguish the volume from random data (by XORing first two blocks of the chosen sectors and comparing the results). This affects volumes created by all versions of TrueCrypt prior to 4.1, except volumes encrypted with AES-Blowfish or AES-Blowfish-Serpent.


So what does the above statement in the changelog refer to then? From that statement, it sounds like it's to prevent discovery of a TrueCrypt volume, and not just a hidden volume? I haven't read the entire manual so maybe it gives more details in there....

You're saying they really don't need full access to your computer because the adversary just has to somehow make you store a certain file with certain properties on your encrypted volume - and at certain sectors from the statement above -- so just how could an adversary do that without either pointing a gun to my head (in which case they could just get the password from me anyways since I'd have to open/mount the volume) or fooling me into putting a strange file into my "super-sensitive" encrypted volume (in which case I'd be a complete idiot)?

mxb (Trusted SF Member, joined 30 Mar 2004)
Posted: Sun Nov 27, 2005 8:35 pm

solara wrote:
From that statement, it sounds like it's to prevent discovery of a TrueCrypt volume, and not just a hidden volume?


After doing a little more research, it appears neither normal nor hidden truecrypt volumes are identified by a signature, so the attack will work on either of these two types. If this was not clear then I apologize. However, the attack revealing the existence of a hidden volume is worse.

Let's assume you have your computer seized for whatever reason. If you have truecrypt installed and a large seemingly random file existing on your computer, you will need a good reason for it to exist without it being assumed to be a truecrypt volume. This is just a case of 2 + 2 = 4. One may argue that they have no evidence even with the file present, but that is a different matter.

If you co-operate and decrypt said volume to show them that it only contains your teapot image collection then they should have no reasonable evidence of anything. Because truecrypt allows the existence of hidden volumes inside the same file, they might think one exists, but they cannot prove it. However, with this attack they can prove its existence. They cannot look at the files stored upon it, nor can they work out the password from this attack, but they are able to prove it is there. This means that they can possibly force you to reveal the second, hidden password.

The alternative to this is if you store the file inside your normal truecrypt volume. This means they can prove it's a truecrypt volume and so you cannot say it's just a file of randomness. This means they could make you reveal your password just to see what else is contained inside.

solara wrote:
... or fooling me into putting a strange file into my "super-sensitive" encrypted volume (in which case I'd be a complete idiot)?


This would probably be the route chosen, as it is the easiest. However, you don't have to be an idiot for the attack to work. What if someone actually places their whole 'My Documents' or their home directory inside a truecrypt volume? They might have a 'normal' innocent partition containing no incriminating evidence, and a hidden alternative partition where they store all their questionable material. Which one they choose to use depends on their objective at the time. Crafting the identifying file to be a juicy jpeg or an attack program probably isn't that difficult, and the user would only store said file inside the hidden partition, as they would want its existence to be a secret.

Basically you are correct, in that the user must store the file inside the hidden volume themselves. But if you make the file appear to be something they might want, then they will do it. One approach, which I think you are suggesting, is not to store any 'third-party' files inside the hidden volume. This is a good and secure approach, but it reduces the usefulness of the hidden volume, and when push comes to shove, most users will probably choose usefulness over security.

Cheers,
Martin

solara (Just Arrived, joined 26 Sep 2005)
Posted: Tue Nov 29, 2005 12:17 am

I'm just implying that anyone who would purposely store a file in their encrypted volume without knowing anything about the file or where it came from surely has other security problems/concerns than the TrueCrypt program itself - their brain.

But I suppose an adversary - who would have to be known to the target - could send them a specific jpeg/mpeg/mp3/doc/zip file that is an actual valid, working file, and which they know the target would keep confidential. But even then, the adversary would have to know exactly which sectors this file was written to - then XOR two sectors to reveal that it's an encrypted volume.

I mentioned that the adversary would have to be known to the target because I can't imagine someone foolish enough to accept something "questionable" or "sensitive" from a total stranger and then put that in their very secret and very important encrypted volume. And we're not talking about some random, anonymous download from the internet or a filesharing network - an adversary would have no way to target someone through such an anonymous route.

Maybe someone could give a plausible scenario that this could be a real security threat - but again, the user has to place the file in their volume, AND the adversary will have to know which sectors it was written to in order to XOR it to prove that it's an encrypted volume.

brumwald (Just Arrived, joined 26 Nov 2005)
Posted: Tue Nov 29, 2005 12:49 am

solara: Well, the attacker might infiltrate whatever the user gets his sensitive data from. I think it would be possible to lure the victim to a website and then let the victim download the content himself 'by his own will'.

Of course storing something sensitive on an open website might not sound like a great idea, but you get the picture. Could just as well be a closed site or whatever.

And why wouldn't he store the file in an encrypted volume? If he thinks TC is doing its job, it's not like you'd think it makes a difference if you don't even execute the file but only store it. If you don't trust it for that, I wouldn't trust it to encrypt the files correctly either. The whole point of the encrypted volume is that no one could ever get access to whatever was in there, so it seems to me like that's the perfect place to put it. He might not even know what it is, but just to be safe he stores it there.

Maybe a bit overkill just to find out whether there is an encrypted volume or not, but as I said, the victim probably has no reason to believe that storing anything special will have any way of exposing anything, and making him store a certain file might not be that hard. Social engineering goes a long way, especially if the victim thinks he makes the call and thinks that there is no difference in terms of security if he stores another file in his encrypted volume (and I think that would be the common thing to think. You wouldn't rely on that application to store your sensitive files if you didn't).

I must say that I wouldn't hesitate to store 'unknown' (where I didn't know the origin) files on my encrypted volume. Of course I wouldn't just accept any file, but if I thought the file was relevant I would not hesitate, until now at least. (That of course depends on what the information is and many other things, but generally speaking.)