Breaking TrueCrypt/AES

newjersian1

Junior Member
May 29, 2013
6
0
0
I have had this question rolling around in my head for several months now. I attended a presentation by a police officer who specialized in computer security. One of his main jobs is to scan computers for child pornography. He said he did this by inserting a flash drive given to the police department by a federal agency (I believe it was the NSA) and looking at what the flash drive came up with. I raised my hand and asked him what he did if the computer's owner had encrypted files and he said that it didn't matter. He specifically referenced TrueCrypt when he said, "Some people use encryption programs such as TrueCrypt to try to hide their files, but all it does is make the flash drive run a little longer."

So how can this work? I am not looking to start an argument about the overreaching powers of the federal government or what may have backdoors built into it. I am just curious as to how this little flash drive can detect hidden TrueCrypt volumes and then see if there is illegal pornography on them.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com
It cannot.

When a drive, partition or container file is unmounted the only way to read the plaintext on the drive (the unencrypted data) is to know the correct password. If you use a weak password that for example is contained inside a common password dictionary then it could be guessed relatively quickly, if you use a strong password then the only attack from a software point of view is to brute force every combination which is unfeasible for strong passwords.

Moreover, if you encrypt an entire drive including the partition table you cannot even say for certain that there's a TrueCrypt partition there; although data analysis of the drive would reveal pseudo-random data that hints at encryption, you wouldn't know for sure, or any specifics. You can only make inferences about likely scenarios.

If the USB key is inserted and the encrypted drive is currently mounted then obviously you're screwed.

This is either law enforcement bending the truth as a scare tactic, or genuine inept technical staff, I'd guess the former.
 
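PrincessFrosty's point that an unmounted, fully encrypted drive only "hints at encryption" through pseudo-random data can be made concrete with a statistical scan. The following is an added example and not code from the original post or from TrueCrypt: it computes per-chunk Shannon entropy and a chi-square statistic over a constructed disk image (zeros for unused space, repetitive ASCII for a text file, seeded pseudo-random bytes standing in for ciphertext) and merges high-entropy chunks into regions. The chunk size, the 7.9 bits/byte threshold and the sample image are assumptions. The caveat a practitioner needs: compressed files (zip, jpeg, mp3) and wiped areas filled from a random source score exactly the same way, which is why a scan like this supports an inference and never a finding.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

const chunkSize = 4096 // assumed scan granularity; eight 512-byte sectors

// shannonEntropy returns bits per byte of buf: 0 for a constant buffer, at most 8.
func shannonEntropy(buf []byte) float64 {
	if len(buf) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range buf {
		counts[b]++
	}
	h, n := 0.0, float64(len(buf))
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// chiSquare compares the byte histogram against the uniform distribution.
// Ciphertext (and compressed data) lands near the 255 degrees of freedom;
// structured data scores far higher.
func chiSquare(buf []byte) float64 {
	var counts [256]int
	for _, b := range buf {
		counts[b]++
	}
	expected := float64(len(buf)) / 256
	chi := 0.0
	for _, c := range counts {
		d := float64(c) - expected
		chi += d * d / expected
	}
	return chi
}

// Region is a run of consecutive chunks that look like ciphertext (End is exclusive).
type Region struct{ Start, End int }

// findHighEntropyRegions flags chunks with entropy >= minEntropy bits/byte
// and merges adjacent flagged chunks into one region.
func findHighEntropyRegions(image []byte, minEntropy float64) []Region {
	var regions []Region
	for off := 0; off < len(image); off += chunkSize {
		end := off + chunkSize
		if end > len(image) {
			end = len(image)
		}
		if shannonEntropy(image[off:end]) < minEntropy {
			continue
		}
		if n := len(regions); n > 0 && regions[n-1].End == off {
			regions[n-1].End = end
		} else {
			regions = append(regions, Region{off, end})
		}
	}
	return regions
}

// sampleImage is a constructed disk image: 8 chunks of zeros (unused space),
// 4 chunks of repetitive ASCII (a text file), 16 chunks of seeded pseudo-random
// bytes standing in for an encrypted partition, then 4 more zero chunks.
func sampleImage() []byte {
	img := make([]byte, 0, 32*chunkSize)
	img = append(img, make([]byte, 8*chunkSize)...)
	text := []byte("The quick brown fox jumps over the lazy dog. ")
	for len(img) < 12*chunkSize {
		img = append(img, text...)
	}
	img = img[:12*chunkSize]
	enc := make([]byte, 16*chunkSize)
	rand.New(rand.NewSource(1)).Read(enc) // deterministic stand-in for ciphertext
	img = append(img, enc...)
	return append(img, make([]byte, 4*chunkSize)...)
}

func main() {
	img := sampleImage()
	for _, r := range findHighEntropyRegions(img, 7.9) {
		fmt.Printf("ciphertext-like region: bytes %d-%d (entropy %.3f bits/byte, chi2 %.1f)\n",
			r.Start, r.End, shannonEntropy(img[r.Start:r.End]), chiSquare(img[r.Start:r.End]))
	}
}
```

On a real drive image you would run this over the raw device, not a mounted filesystem, and look for a region whose size and alignment match a partition, with the zeros and text of the surrounding areas as your baseline. An entire drive that scores high from sector 0 onward is what full-disk encryption including the partition table looks like, and also what a drive wiped with random data looks like.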

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
He said he did this by inserting a flash drive given to the police department by a federal agency (I believe it was the NSA) and looking at what the flash drive came up with. I raised my hand and asked him what he did if the computer's owner had encrypted files and he said that it didn't matter. He specifically referenced TrueCrypt when he said, "Some people use encryption programs such as TrueCrypt to try to hide their files, but all it does is make the flash drive run a little longer."

So how can this work?

This guy doesn't know what he's talking about. In fact, I am rather horrified that this is his answer, because it's obviously false and/or reflects a pretty profound lack of knowledge. Or, he was being deliberately misleading, implying that he would have access to a computer that had a CURRENTLY MOUNTED TrueCrypt volume. Most police departments go to ENORMOUS lengths to get at computers before they can be shut down. This can include doing things like using explosives to make an incursion as close to the computers as possible.

I have read about several cases where they got someone downloading child porn by coming in through the second-floor windows (presumably rappelling from the roof?) There was another case (in suburban Atlanta) where the FBI set explosives to tear through a living room wall in order to end up closer to running computers, and simultaneously lobbed flash grenades through the windows to prevent the suspect from being able to get to his computer to shut it down. This behaviour strongly indicates that they have no little magic flash disk with which they can crack TrueCrypt.


In fact, as far as I'm aware, the forensics toolkits that are "given out" to field agents are just search software that resembles EnCase, though I think the FBI has some custom stuff in there; most state/regional police do not and use standard EnCase or even simpler tools.

Even the NSA can't crack TrueCrypt, even though they might want criminals to think they can, to discourage its use. I've been involved in computer forensics (on the periphery) for a while and I can tell you with some certainty that the best attack against TrueCrypt is a brute-force passphrase (permuted dictionary) attack.

It's slow and difficult and very seldom works, because people who bother with TrueCrypt also tend to have decent passwords.

In the field, agents simply do a cursory look for files. If they find nothing, they will shut the computer down, and cart it off to the forensics lab. In some areas, there is a huge backlog of computers waiting for detailed examination, sometimes as long as 3 months wait, because, frankly, the FBI is short on staff who are good with this stuff. They actually have ongoing trouble teaching field agents to identify when encryption is in place, because if it is, and they shut down the computer, they've likely destroyed all the evidence in the case (and this happens more than they would like to admit).

It was estimated not too long ago, that almost 50% of the FBI's technology resources are dedicated to finding child porn. They still sorta fail at it. It's a bit disheartening if you're a law-and-order sort.
 

ch33zw1z

Lifer
Nov 4, 2004
39,027
19,711
146
shens. next time, tell him to prove it. unmount your volume and let him have at it.
 

John Connor

Lifer
Nov 30, 2012
22,757
617
121
I have a portable program that can crack truecrypt, but like everyone has mentioned it uses brute forcing. If you're using a key file forgetaboutit!
 
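John Connor's "if you're using a key file, forget about it" comes down to what a keyfile does to the input of the key derivation. The following is an added example, not code from the original post or from TrueCrypt, that models TrueCrypt's keyfile pool as I recall it from its Keyfiles.c: a running CRC-32 over the keyfile bytes, the four bytes of the CRC register added into a 64-byte pool at a rotating position, at most 1 MiB of each file consumed, and the result XORed into the zero-padded password. Treat the constants and byte order as an approximation rather than a bit-exact reimplementation; the sample keyfile bytes are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"hash/crc32"
)

const (
	poolSize   = 64      // pool length, and the effective password length once a keyfile is used
	maxKeyfile = 1 << 20 // only the first 1 MiB of each keyfile is mixed in
)

// mixKeyfile folds one keyfile into the pool: a running CRC-32 over the
// keyfile bytes, with the four bytes of the raw CRC register added (not
// XORed) into the pool at a position that wraps every 64 bytes.
func mixKeyfile(pool *[poolSize]byte, keyfile []byte) {
	if len(keyfile) > maxKeyfile {
		keyfile = keyfile[:maxKeyfile]
	}
	var crc uint32 // Go's crc32 hands back the finalized value; ^crc is the raw register
	pos := 0
	for _, b := range keyfile {
		crc = crc32.Update(crc, crc32.IEEETable, []byte{b})
		raw := ^crc
		pool[pos] += byte(raw >> 24)
		pool[pos+1] += byte(raw >> 16)
		pool[pos+2] += byte(raw >> 8)
		pool[pos+3] += byte(raw)
		pos = (pos + 4) % poolSize
	}
}

// effectivePassword returns the 64-byte value that actually feeds the KDF:
// the typed password zero-padded to 64 bytes, XORed with the keyfile pool.
// With no keyfiles the pool is all zeros and the typed password goes in as-is.
func effectivePassword(password []byte, keyfiles ...[]byte) []byte {
	var pool [poolSize]byte
	for _, kf := range keyfiles {
		mixKeyfile(&pool, kf)
	}
	out := make([]byte, poolSize)
	copy(out, password)
	for i := range out {
		out[i] ^= pool[i]
	}
	return out
}

func main() {
	// constructed keyfile standing in for, say, the first part of a music file
	keyfile := bytes.Repeat([]byte("ID3\x03\x00\x00\x00\x00\x1f\x76"), 300)
	pw := []byte("letmein2")
	fmt.Printf("without keyfile: %x\n", effectivePassword(pw))
	fmt.Printf("with keyfile:    %x\n", effectivePassword(pw, keyfile))
}
```

The consequence for a cracker: a wordlist enumerates typed passwords, but the KDF sees the typed password XORed with 64 bytes derived from the keyfile, so every guess is wrong unless the attacker also has the exact keyfile bytes. The flip side is that the keyfile is then part of the secret: one stored next to the volume, or an unmodified music file the examiner can also find on the disk, adds nothing.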

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com
It's slow and difficult and very seldom works, because people who bother with TrueCrypt also tend to have decent passwords.

This is really the key factor: you can brute-force TrueCrypt passwords at a few hundred thousand a second with good GPUs, so you could go through a large password dictionary in a reasonable time frame, but that relies on the use of bad passwords.

Most people smart enough to install TrueCrypt are going to know to use "good" passwords; in fact the TrueCrypt instructions actually encourage strong password use. Right now with the technology we have, encryption is an intractable problem; quantum computers may change that but we're not quite there yet.
 
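To make concrete what SecurityTheatre's "brute-force passphrase (permuted dictionary) attack" and PrincessFrosty's per-second guess rate actually consist of, here is an added example that is not from the original thread and not TrueCrypt's own code. It builds a header laid out the way TrueCrypt's volume header is (a 64-byte salt in the clear, then a 448-byte XTS-AES-encrypted area beginning with the "TRUE" magic, a CRC-32 over the header fields, and the master-key area), derives the header key with PBKDF2-HMAC-SHA-512 at TrueCrypt's 1000 iterations, and runs a wordlist against it. The field offsets follow TrueCrypt's documented header format, but the sample header, salt, master keys and password are constructed here, and the block is a model of the attack, not a drop-in tool for real volumes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

const (
	saltLen    = 64   // TrueCrypt header: 64-byte salt stored in the clear, then 448 encrypted bytes
	iterations = 1000 // TrueCrypt's PBKDF2 iteration count for SHA-512
)

// pbkdf2Sha512 is RFC 8018 PBKDF2 with HMAC-SHA-512, spelled out so the block
// needs nothing outside the standard library.
func pbkdf2Sha512(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha512.New, password)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// xtsAES encrypts (enc=true) or decrypts one XTS-AES data unit in place. key is
// 64 bytes: 32 for the data cipher, 32 for the tweak cipher, as TrueCrypt lays
// out an AES-256 header key. len(buf) must be a multiple of 16.
func xtsAES(key []byte, dataUnit uint64, buf []byte, enc bool) {
	c1, _ := aes.NewCipher(key[:32])
	c2, _ := aes.NewCipher(key[32:64])
	var tw, tmp [16]byte
	binary.LittleEndian.PutUint64(tw[:], dataUnit)
	c2.Encrypt(tw[:], tw[:])
	for off := 0; off < len(buf); off += 16 {
		blk := buf[off : off+16]
		for i := range tmp {
			tmp[i] = blk[i] ^ tw[i]
		}
		if enc {
			c1.Encrypt(tmp[:], tmp[:])
		} else {
			c1.Decrypt(tmp[:], tmp[:])
		}
		for i := range tmp {
			blk[i] = tmp[i] ^ tw[i]
		}
		var carry byte // tw *= alpha in GF(2^128), IEEE P1619 convention
		for i := range tw {
			next := tw[i] >> 7
			tw[i] = tw[i]<<1 | carry
			carry = next
		}
		if carry != 0 {
			tw[0] ^= 0x87
		}
	}
}

// makeHeader builds a constructed header laid out like TrueCrypt's: salt, then
// "TRUE" magic, format version, a CRC-32 over the header fields and the 256-byte
// master-key area, all XTS-encrypted under the PBKDF2-derived header key.
func makeHeader(password, salt, masterKeys []byte) []byte {
	hdr := make([]byte, 512)
	copy(hdr, salt)
	p := hdr[saltLen:]
	copy(p, "TRUE")
	binary.BigEndian.PutUint16(p[4:], 5)
	copy(p[192:], masterKeys)
	binary.BigEndian.PutUint32(p[188:], crc32.ChecksumIEEE(p[:188]))
	xtsAES(pbkdf2Sha512(password, salt, iterations, 64), 0, p, true)
	return hdr
}

// tryPassword decrypts the header under one candidate and checks both the magic
// and the CRC, so a 2^-32 chance magic match cannot count as a hit.
func tryPassword(hdr, password []byte) ([]byte, bool) {
	p := append([]byte(nil), hdr[saltLen:]...)
	xtsAES(pbkdf2Sha512(password, hdr[:saltLen], iterations, 64), 0, p, false)
	if !bytes.Equal(p[:4], []byte("TRUE")) ||
		crc32.ChecksumIEEE(p[:188]) != binary.BigEndian.Uint32(p[188:]) {
		return nil, false
	}
	return p, true
}

// dictionaryAttack returns the first wordlist entry that opens hdr, or "".
func dictionaryAttack(hdr []byte, wordlist []string) string {
	for _, w := range wordlist {
		if _, ok := tryPassword(hdr, []byte(w)); ok {
			return w
		}
	}
	return ""
}

func main() {
	salt := bytes.Repeat([]byte{0x5a}, saltLen) // constructed; real headers carry a random salt
	hdr := makeHeader([]byte("letmein2"), salt, bytes.Repeat([]byte{0x11}, 256))
	words := []string{"password", "123456", "qwerty", "letmein", "letmein2"}
	fmt.Printf("recovered password: %q\n", dictionaryAttack(hdr, words))
}
```

Each guess costs one PBKDF2 derivation plus one 448-byte XTS decryption; the decryption is negligible, so the attacker's rate is set by the KDF, and 1000 iterations of SHA-512 is what makes the GPU rates mentioned above possible. Verification is exact (magic plus CRC), so there are no false positives to sift, and once the header opens the attacker has the master keys and never needs the password again.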

bononos

Diamond Member
Aug 21, 2011
3,923
181
106
.....
I have read about several cases where they got someone downloading child porn by coming in through the second-floor windows (presumably rappelling from the roof?) There was another case (in suburban Atlanta) where the FBI set explosives to tear through a living room wall in order to end up closer to running computers, and simultaneously lobbed flash grenades through the windows to prevent the suspect from being able to get to his computer to shut it down. This behaviour strongly indicates that they have no little magic flash disk with which they can crack TrueCrypt.
...........

Was the explosive entry through the living room wall case a child porn case or was it for something more serious like terrorism?
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
Was the explosive entry through the living room wall case a child porn case or was it for something more serious like terrorism?

100% certain it was child porn.

Can't find the news article, it was probably 2010 or even 2009. It was down the street from an old friend of mine and he emailed me the article. Said he heard the explosives from his house.

I specifically remember it because it did seem a bit overkill. I assumed those sorts of things were reserved for cases of folks with large caches of arms or terrorists, etc.

Who knew..
 

MrColin

Platinum Member
May 21, 2003
2,403
3
81
I have had this question rolling around in my head for several months now. I attended a presentation by a police officer who specialized in computer security. One of his main jobs is to scan computers for child pornography. He said he did this by inserting a flash drive given to the police department by a federal agency (I believe it was the NSA) and looking at what the flash drive came up with. I raised my hand and asked him what he did if the computer's owner had encrypted files and he said that it didn't matter. He specifically referenced TrueCrypt when he said, "Some people use encryption programs such as TrueCrypt to try to hide their files, but all it does is make the flash drive run a little longer."

So how can this work? I am not looking to start an argument about the overreaching powers of the federal government or what may have backdoors built into it. I am just curious as to how this little flash drive can detect hidden TrueCrypt volumes and then see if there is illegal pornography on them.
RSA has recently come forward with a warning that the previously trusted Dual Elliptic Curve random number generator should no longer be used (RNGs are a crucial component of encryption algos), as it had been produced by the NSA and likely leaves encrypted data open to attacks that are more efficient than the exhaustive search (aka brute force attack). It is highly likely that similar tactics have been deployed against other parts of the crypto ecosystem and shared with the rest of the police state/plutocracy.
Additionally, numerous executives at various companies are being threatened with prison if they do not provide back doors for the NSA and its private contractors to get rectal access to whatever they want.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
The type of encryption doesn't really matter if one seeds with weak passwords.

The police officer was more than likely incorrectly trained and told the flash drive can defeat everything.

Fortunately, most don't use encryption on their drives and even more freely share what they have.
 

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
I use TrueCrypt, but I think some of you are putting too much faith in this software.

For nearly a decade, TrueCrypt has been one of the trusty tools in a security-minded user’s toolkit. There’s just one problem: no one knows who created the software. Worse still, no one has ever conducted a full security audit on it—until now.

http://arstechnica.com/security/201...crypt-raises-over-16000-in-a-few-short-weeks/


Considering the NSA leaks and the attempts to create backdoors and undermine encryption techniques the world over there is a very real possibility that there are backdoors built into TrueCrypt that allow easier access by the NSA or enforcement officials. As easy as plugging in a thumbdrive? I have my doubts. But until the audits are done I won't discount that it is very susceptible to government intrusion.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com
I use TrueCrypt, but I think some of you are putting too much faith in this software.

http://arstechnica.com/security/201...crypt-raises-over-16000-in-a-few-short-weeks/

Considering the NSA leaks and the attempts to create backdoors and undermine encryption techniques the world over there is a very real possibility that there are backdoors built into TrueCrypt that allow easier access by the NSA or enforcement officials. As easy as plugging in a thumbdrive? I have my doubts. But until the audits are done I won't discount that it is very susceptible to government intrusion.

It's not been audited for sure, but the fact that it's open source and anyone could theoretically audit it gives the project a lot of credit.

The problem is that if an application like TrueCrypt did have back doors, it's really a lot of work to build such a complex application only to have the back door be used at most a few times; once it's used to bust encryption it's going to go public and people are going to know specifically that it is vulnerable and to avoid the application.

Now if you wanted to mitigate that issue you'd make it closed source, that way no one would be able to independently check for security issues and claims leveraged against it would be speculative at best.

If it really did have a backdoor and someone knew about it, they'd realise that it's probably a one shot deal, once they'd pulled that trump card it's much less likely to be usable in future, and of course it can only be pulled speculatively, as you don't know what someone is hiding until you've revealed it.

Other factors like reputation of security experts analyzing the code means that there's good reasons why security experts and hackers would take at least pieces of the code apart in the hope of finding flaws as that would lead to a boost in their reputation.

It's for these reasons I'm happy to trust it despite there being no publicly known audit done on the code, I'm extremely confident that it doesn't have a back door and that even if it did it probably wouldn't be leveraged to bust a random citizen like myself, if you had a trump card like that you'd save it for terrorists threatening your country or something more serious.

Finally there's also the issue of trusting who does the audit: you could have TrueCrypt audited but you have no possible way of knowing if the auditors are both trustworthy and competent. Auditing the code is a good thing and I'm all for that, but it doesn't tell us anything for certain; the best you can ever hope for is getting educated in encryption and auditing the code yourself.
 

stockwiz

Senior member
Sep 8, 2013
403
15
81
TrueCrypt with a file disguised as something like an ISO or music file, with a good password and a couple of keyfiles, say music files from your collection. If you are really paranoid, boot your system using "Hiren's BootCD" and run TrueCrypt; then all the content is in your system RAM only and doesn't touch your hard disks. I did it just out of curiosity, but now I just put my passwords, tax return forms, or whatever, in an encrypted 7z executable file labelled "passwords.exe" with a good password smack dab in the root folder of one of my drives. I don't lose sleep over it. If someone were to steal my computer, it's unlikely they'd have the skill to crack the 15 character password, and if they did, I could put a lid on the accounts pretty quick with a couple phone calls.
 

deniveau

Junior Member
Nov 28, 2013
3
0
0
He specifically referenced TrueCrypt when he said, "Some people use encryption programs such as TrueCrypt to try to hide their files, but all it does is make the flash drive run a little longer."

Hi. I'm a French user of TrueCrypt, not a geek, and joined the forum just to post this!
The biggest danger for normal users may be hibernation files.
http://www.truecrypt.org/docs/hibernation-file
Is there just one reader of this with TrueCrypt who has never seen his/her PC go into hibernation with a volume mounted?
If you have, then deleted the file, then emptied the dustbin, you would still have a memory image on disk sectors. If I were your policeman, that's where I would look for the volume password.

After that, somebody being followed by the police would maybe have a keystroke logger installed by them and probably deserves what he gets. Anyway, there would be a list of download IPs from his Internet provider. Even as an honest user, I type my password adding bogus characters then mouse over to change.
Several answers mentioned backdoors used by the NSA. Well, TrueCrypt has several institutional users such as (please check this) the CIA. Those users would have done a thorough check of the source code before trusting TrueCrypt.

When encrypting, your precautions depend on who you are. Political opponent under a dictatorship? I'm not, but if I were, I'd give the keys, including hidden volumes, before they tested "plausible denial" with the help of medical devices.
 
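deniveau's hibernation-file point is worth illustrating with what an examiner actually looks for in a memory image. It is usually not the password: a mounted volume leaves the AES master key in RAM, and because AES keeps its expanded key schedule next to the key, a 32-byte window followed by exactly the 208 bytes that key expands to is unmistakable. The following is an added example and not code from the original post or from TrueCrypt: it implements the key-schedule test used by the aeskeyfind tool from the cold-boot research (Halderman et al.) and scans a constructed image (seeded pseudo-random filler with one AES-256 schedule planted in it). The sample key, offset and image are constructed; a hiberfil.sys or a pagefile is scanned the same way after decompressing whatever format the OS stores it in.

```go
package main

import (
	"bytes"
	"fmt"
	"math/rand"
)

var sbox [256]byte

// init derives the AES S-box (GF(2^8) inverse followed by the affine map)
// instead of embedding the 256-byte table.
func init() {
	p, q := byte(1), byte(1)
	rotl := func(b byte, n uint) byte { return b<<n | b>>(8-n) }
	for {
		hi := p&0x80 != 0
		p ^= p << 1 // p *= 3 in GF(2^8)
		if hi {
			p ^= 0x1b
		}
		q ^= q << 1 // q /= 3
		q ^= q << 2
		q ^= q << 4
		if q&0x80 != 0 {
			q ^= 0x09
		}
		sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
		if p == 1 {
			break
		}
	}
	sbox[0] = 0x63
}

// expandKey256 returns the 240-byte AES-256 key schedule (FIPS 197 KeyExpansion).
func expandKey256(key []byte) []byte {
	w := make([]byte, 240)
	copy(w, key[:32])
	rcon := byte(1)
	for i := 32; i < 240; i += 4 {
		t := [4]byte{w[i-4], w[i-3], w[i-2], w[i-1]}
		switch i % 32 {
		case 0: // RotWord, SubWord, Rcon
			t = [4]byte{sbox[t[1]] ^ rcon, sbox[t[2]], sbox[t[3]], sbox[t[0]]}
			rcon <<= 1 // never overflows within AES-256's seven applications
		case 16: // SubWord only, the extra AES-256 step
			t = [4]byte{sbox[t[0]], sbox[t[1]], sbox[t[2]], sbox[t[3]]}
		}
		for j := range t {
			w[i+j] = w[i-32+j] ^ t[j]
		}
	}
	return w
}

// findAESKeys returns the offsets of every 32-byte window whose AES-256 key
// schedule follows it, the aeskeyfind test. The first schedule byte is checked
// before the full expansion so the scan stays cheap; chance hits are negligible.
func findAESKeys(image []byte) []int {
	var hits []int
	for off := 0; off+240 <= len(image); off++ {
		cand := image[off : off+32]
		if image[off+32] != cand[0]^sbox[cand[29]]^1 {
			continue
		}
		if bytes.Equal(expandKey256(cand), image[off:off+240]) {
			hits = append(hits, off)
		}
	}
	return hits
}

// sampleImage is a constructed stand-in for a memory dump: seeded pseudo-random
// filler with one key schedule planted at offset at. A mounted XTS volume would
// leave two such schedules, one for the data key and one for the tweak key.
func sampleImage(key []byte, at int) []byte {
	img := make([]byte, 1<<16)
	rand.New(rand.NewSource(7)).Read(img)
	copy(img[at:], expandKey256(key))
	return img
}

func main() {
	key := bytes.Repeat([]byte{0xa5, 0x3c}, 16) // constructed key
	img := sampleImage(key, 12345)
	for _, off := range findAESKeys(img) {
		fmt.Printf("AES-256 key schedule at offset %d, key %x\n", off, img[off:off+32])
	}
}
```

This is why "delete the hibernation file and empty the bin" does not help: the schedule survives in the freed sectors until they are overwritten, and nothing about it depends on the password. It is also why TrueCrypt's own documentation tells you to disable hibernation or encrypt the system partition, so the hibernation file itself lands inside an encrypted volume.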

oynaz

Platinum Member
May 14, 2003
2,449
2
81
What are the odds of the NSA having managed to install a backdoor in a widely used open-source encryption, then deciding to risk blowing their cover by handling out USB sticks to random police officers?

Occam's razor: Your police officer was probably misinformed and/or incompetent.
 

deniveau

Junior Member
Nov 28, 2013
3
0
0
What are the odds of the NSA having managed to install a backdoor in a widely used open-source encryption, then deciding to risk blowing their cover by handling out USB sticks to random police officers?

Occam's razor: Your police officer was probably misinformed and/or incompetent.

Yep, but look at the question. The police officer never mentioned a back door. It's just a reader's inference.
he said, "Some people use encryption programs such as TrueCrypt to try to hide their files, but all it does is make the flash drive run a little longer."
So how can this work?
See the junior member's suggestion #17
 

deniveau

Junior Member
Nov 28, 2013
3
0
0
I never use hibernation anymore. Just fills the disk and with an SSD it's not recommended.
This is John Connor. If you're listening to this, you are the resistance.
Did you also apply "terminator" to the last memory image file? See Eraser (I've never had any reason to install this and cannot vouch for its reliability).
For the SSD issue, I've a similar situation using an SD card on a netbook as main file support. Reading around, people are talking of a lifetime of 100 000 rewrites. For SSD under continuous heavy use, over ten years!
For privacy, I don't worry when hibernates happen automatically as the battery runs low. The average computer thief won't be doing disk forensics
 

John Connor

Lifer
Nov 30, 2012
22,757
617
121
Whaa? Oo

Referring to erasing SSDs, ( don't know why) Parted Magic is what you would use. Platter wise Darik's Boot And Nuke is what I would use.

I just don't have a need for hibernation. Laptop wise there's a back up battery and on the desktop I use a UPS.
 