Slashdot Mirror


TrueCrypt 4.3 Released

RedBear writes "A new update to the best open source transparent encryption software has been released. TrueCrypt is (the only?) open source encryption software capable of creating and mounting encrypted virtual disk images that can then be worked with transparently like any other storage drive, with data encrypted and decrypted in real-time. These virtual disks can be created as files, or entire partitions or physical drives can be encrypted and mounted transparently. Sadly there is still no Linux GUI or Mac OS X port in sight. If you are one of the thronging hordes who have been patiently awaiting ubiquitous multi-platform encryption, please consider donating time or money to the cause, and add your voice to the forum." From the site: "Among the new features [are] full compatibility with 32-bit and 64-bit Windows Vista, support for devices and file systems that use a sector size other than 512 bytes (such as new hard drives, USB flash drives, DVD-RAM, MP3 players, etc.), auto-dismount when a host device (e.g., a USB flash drive) is inadvertently removed, and many more." Read on for more features of TrueCrypt and cached versions of all the links above.
Also including features like plausible deniability, steganographically hidden volumes, unidentifiable partition headers, traveler mode, and your choice of the strongest available encryption algorithms up to and including multi-algorithm cascades. TrueCrypt is practically the Holy Grail for advocates of free ubiquitous encryption. Now, if only it were platform independent.

To reduce load on their servers here are some Coralized versions of all the links:

TrueCrypt home page
Future development goals
Forum thread about Mac OS X version
Donations page
General forum
Plausible deniability
Hidden volumes
Traveler mode
Encryption algorithms
Multi-algorithm cascades
Version history

20 of 285 comments

  1. The coolest part. by Lumpy · · Score: 2, Insightful

    You don't have to install it, so there is no way that any researcher can discover it was used.

    I can not believe that the other encryption software out there is not even 1/20 as good as truecrypt.

    You can hide your data pretty easily with it.

    --
    Do not look at laser with remaining good eye.
    1. Re:The coolest part. by computer_guy57 · · Score: 2, Insightful

      Also, IIRC when you use it on Windows, even in traveler mode, it might make registry entries that might linger around. It is possible that someone dedicated enough could find out that you've been using it.

      One other downside worth mentioning is that on Windows you have to have administrator rights on the machine to use it.

  2. No OS X Port? by CheeseburgerBrown · · Score: 2, Insightful

    What are the advantages of this software over using an encrypted disk image created with Tiger's built-in Disk Utility?

    1. Re:No OS X Port? by fbjon · · Score: 3, Insightful

      It has some advantages: it's portable, and it has plausible deniability (hidden partitions).

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    2. Re:No OS X Port? by Simon+Garlick · · Score: 4, Insightful

      Why don't you download the source code for Truecrypt, and the source code for OS X Disk Utility, and compare how they implement their respective algorithms. The advantage will be pretty obvious.

    3. Re:No OS X Port? by Sancho · · Score: 3, Insightful

      Ah ha! Therein lies the obvious advantage!

    4. Re:No OS X Port? by Simon+Garlick · · Score: 4, Insightful

      That, believe it or not, is my point. We have no way of knowing how secure OS X Disk Utility is. For all we know every encrypted .dmg can be decrypted with one master passphrase. For all we know the algorithms are deliberately crippled. We'll never know, because we can't audit the source.

    5. Re:No OS X Port? by bendodge · · Score: 2, Insightful

      They only have to force the user password, not the actual monster key.

      --
      The government can't save you.
    6. Re:No OS X Port? by Anonymous Coward · · Score: 3, Insightful

      I might just be naive (as I have never used TrueCrypt), but I don't understand why you can't just look for the true TrueCrypt driver, run the appropriate TrueCrypt version and brute-force the user password until you get to see everything.


      Brute forcing TrueCrypt takes a LONG TIME. Just using the standard TrueCrypt executable, it takes about 2.26 seconds per guess on my Athlon 2500+. To put that in perspective, it would take my machine nearly 70 days to brute force a 4 character password (approx. 14 million combos using all the keys normally typeable on the keyboard). Why does it take so long? Because the header contains no hints, the app has to try:
        * 11 Encryption methods.
        * 3 hash methods (per encryption method)
        * Try to mount as a normal volume, if that fails, try as a hidden volume (2 choices)

      So each passphrase/keyfile has to be computed at least 33 times and applied 66 times before the app knows it failed.

      If one knew any of the above settings (except the passphrase/keyfile) one could gain 10-30 times the speed. Making even my machine able to crack it in a few days.

      Of course a 4 character password is weak, and TrueCrypt allows passwords of 64 characters + the use of key files. A proper passphrase/keyfile combo will be un-bruteforceable for the useful life of the protected data.

      Not to say that a more intelligent approach to trying to break the password won't work, but brute force is not that intelligent.
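
The trial-mount loop described in the comment above, as an added example that is not part of the original thread and is not TrueCrypt's code: a constructed toy header stores only a salt in the clear, so a mount attempt must derive and apply a key for every cipher/hash combination in both header slots before it can report failure. The cipher slots, hash list, iteration count, volume layout and all names are assumptions, and the XOR keystream is a stand-in, not real encryption.

```python
import hashlib, hmac, os

CIPHERS = [f"cipher-{i}" for i in range(11)]   # 11 constructed stand-in cipher slots
HASHES = ["sha1", "sha256", "sha512"]          # 3 stand-in PRFs (assumption, not TrueCrypt's list)
MAGIC, SALT_LEN, BODY_LEN, ITERATIONS = b"TOYV", 16, 32, 2000
HDR_LEN = SALT_LEN + BODY_LEN

def _xor_stream(key, cipher, data):
    """Toy stream cipher (not real crypto): HMAC-SHA256 counter-mode keystream per cipher slot."""
    stream = b"".join(
        hmac.new(key, cipher.encode() + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_header(passphrase, cipher, hash_name):
    """Salt in the clear, everything else encrypted: no field names the cipher or hash."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac(hash_name, passphrase, salt, ITERATIONS, 32)
    body = MAGIC + os.urandom(BODY_LEN - len(MAGIC) - 4)
    body += hashlib.sha256(body).digest()[:4]          # checksum confirms a correct guess
    return salt + _xor_stream(key, cipher, body)

def try_mount(passphrase, volume):
    """Trial-decrypt both header slots under every combination; count the work done."""
    work = {"derived": 0, "applied": 0, "match": None}
    slots = [("normal", volume[:HDR_LEN]), ("hidden", volume[-HDR_LEN:])]
    for kind, hdr in slots:                            # normal first, then hidden
        salt, enc = hdr[:SALT_LEN], hdr[SALT_LEN:]
        for cipher in CIPHERS:
            for hash_name in HASHES:
                # No caching in this toy: one key derivation per combination tried.
                key = hashlib.pbkdf2_hmac(hash_name, passphrase, salt, ITERATIONS, 32)
                work["derived"] += 1
                body = _xor_stream(key, cipher, enc)
                work["applied"] += 1
                ok = body[:4] == MAGIC and hashlib.sha256(body[:-4]).digest()[:4] == body[-4:]
                if ok:
                    work["match"] = (kind, cipher, hash_name)
                    return work
    return work

def build_volume(outer_pw, hidden_pw=None):
    """Constructed layout: outer header, filler, then a hidden header or random bytes."""
    tail = make_header(hidden_pw, "cipher-7", "sha512") if hidden_pw else os.urandom(HDR_LEN)
    return make_header(outer_pw, "cipher-3", "sha256") + os.urandom(256) + tail
```

A wrong passphrase always pays for the full sweep, and a volume with no hidden header returns the same result for the hidden slot as one whose hidden passphrase was simply not guessed.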
    7. Re:No OS X Port? by Anonymous Coward · · Score: 1, Insightful

      Encrypted data looks random. If they use a cryptographic pseudo-random number generator to fill up empty space, AFAIK it should be indistinguishable from encrypted data or (if the algorithms used are good enough) truly random numbers.

    8. Re:No OS X Port? by Mr2001 · · Score: 3, Insightful

      If your encrypted data doesn't look random, you need to replace your encryption program ASAP. Any patterns in the output are failures in the algorithm.

      --
      Visual IRC: Fast. Powerful. Free.
  3. Re:Nothing to see here by wile_e_wonka · · Score: 3, Insightful

    I keep the family meatloaf recipe on a TrueCrypt partition. No one has discovered it yet!

    Anyway--I think there are legitimate reasons to want to encrypt data. How about a doctor wanting to ensure patient records are private? Or a corporation that has done some research that it doesn't want to get out? Or what about your personal diary (some people, believe it or not, don't think MySpace is the best place for a private diary)? Or what if you work for the CIA and have been stealing data from a small quiet--a little too quiet--Scandinavian company for a couple years...and they find you out and take your computer after breaking your legs? (ok, that last one's a stretch).

    I'm sure commenters will add many more legitimate items to this list.

  4. Re:Algorithm Cascades == BAD? by Anonymous Coward · · Score: 2, Insightful

    If multi-algorithm cascades weakened the protection, that's what the codebreakers would do: encrypt the data again and crack the "weakened" data.

  5. Re:Dangerous feature by cptgrudge · · Score: 2, Insightful

    If you're going to be indefinitely held while being tortured, until you die or are killed, all the software features in the world aren't going to help you. It's more useful in places where "plausible deniability" can be used to get you out of trouble, not in countries or organizations where the concept is irrelevant.

    --
    Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  6. Re:Linux downloads available by ink · · Score: 3, Insightful

    Yep, I've been using luks under Linux for ages. It works transparently, and is portable from system to system. I don't think that the article submitter has ever used OSX or Linux; both have nice, mature encrypted block systems.

    Hell, I used PGPdisk back in the '90s, and it was "all that".

    --
    The wheel is turning, but the hamster is dead.
  7. Re:Nothing to see here by dtzWill · · Score: 3, Insightful

    Only pirates, terrorists, and criminals need encryption. :) ...which according to the media industry and the US government is just about everyone. :-D
  8. Re:Algorithm Cascades == BAD? by Anonymous Coward · · Score: 1, Insightful

    Well, first of all, see 3DES.

    The general idea against stacking is that it really doesn't help, but it *shouldn't* hurt. Shouldn't being the key word here. If you truly trust algorithm1, what do you gain by adding algorithmX? If algorithm1 is crackable, then it is likely so is your chosen algorithmX. You gain no benefit, but you *might* be causing the data to be less secure, especially if there is a known-plaintext attack against BOTH algorithms. If there is a known-plaintext attack against only one, you may be adding security. However, do you know if there are known-plaintext attacks against either? Probably not, or you wouldn't be using them.

    So in essence, don't add levels of complexity that may theoretically degrade the strength of either algorithm alone. Trust your algorithm, or use a different one. Adding layers simply adds the possibility to be able to crack any one of them, or perhaps all of them. Most people do not know the true strengths of these algorithms, so at least narrow the field of attacks to a single algorithm, instead of allowing a broader range of attacks by stacking.

    It really all depends on how secure the chosen algorithms REALLY are, but not many truly know that info except for potential attackers. In theory, two totally independent algorithms that are truly secure, should not degrade each other by stacking.

  9. Re:Nothing to see here by fatphil · · Score: 2, Insightful

    ... including the media industry and the US government.

    --
    Also FatPhil on SoylentNews, id 863
  10. Re:Linux downloads available by Bishop · · Score: 2, Insightful

    plausible deniability, hidden volumes and all that other good stuff talked about on the TrueCrypt site. That is because real security experts know that plausible deniability and hidden volumes are script kiddie features that don't work in the real world. Both "features" assume unrealistic attackers. In the real world there is little point in pretending that an encrypted volume isn't. The attacker is going to assume that it is regardless of what you claim.
  11. Re:Linux downloads available by drinkypoo · · Score: 2, Insightful

    When a court of law sees random data they are going to assume cryptography. It is going to be tough to convince a court differently. Hidden volumes may give an out, but counting on that is foolish.

    The point is that your actual volume is hidden within a decoy volume. You give them the key to open the decoy volume, and they find a bunch of files that won't get you incarcerated.

    Assuming that an attacker is going to be able to find all the encrypted data and planning for it is a saner course of action.

    There is no plan that will cover you if (for a horrible, horrible example) the law finds your kiddie porn stash.

    Actually, along those lines, you might elect to store any naked baby pictures of your children on such an encrypted volume, since the "think of the children" DAs have actually been going after people for crap like that. I know my mom has pictures of me as a naked baby. I'm pretty sure that it's not pornography, yet people have been hauled into court for that kind of shit. Pathetic.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"