Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier, UW Team Show Flaw In TrueCrypt Deniability

Posted by timothy on from the can't-prove-that-you-didn't-not-not-write-that dept.

An anonymous reader writes "Bruce Schneier and colleagues from the University of Washington have figured out a way to break the deniability of TrueCrypt 5.1a's hidden files. What about the spanking-new TrueCrypt 6? Schneier says that 'The new version will definitely close some of the leakages, but it's unlikely that it closed all of them.' Meanwhile, PC World is reporting that the problems Schneier and colleagues found are bigger than just TrueCrypt. Among their discoveries: Word auto-saves the contents of encrypted files to the unencrypted portions of your disk, and this problem should apply to all non-full disk encryption software. Their research paper will appear at Usenix HotSec '08."

31 of 225 comments (clear)

  1. usenix what? by hostyle · · Score: 5, Funny

    HotSex 08? Where do I sign up!

    --
    Caesar si viveret, ad remum dareris.
  2. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  3. Let me get this straight by carp3_noct3m · · Score: 4, Funny

    So Vista, Word, and Google Desktop make truecrypt less viable? Im Shocked I tell you! Shocked. Please..If you are serious about using truecrypt please tell me that you are savy enough to know how to get around some of these holes. Googledesktop?-aka, I spy on everyone and read your brain desktop? Its like saying my iron has a security hole if someone installs a hardware keylogger on my system. Duh! But just because Schneier is involved, the hacking gods must bow and agree with every word he says. Anyway, now Im rambling, but I use truecrypt only on my secure linux box, which doesnt have these problems. I hide all my stuff that would get me into lots of trouble if!@#@!#%T^GD no carrier

    --
    "It's ok, I'm completely secure as long as my iron is off"
    1. Re:Let me get this straight by Hal_Porter · · Score: 2, Funny

      You could do it by trolling Theo on the OpenBSD mailing lists. Propose lots of stuff and implement the bits that make him least angry. If you make him so angry he murders his wife, at least she died for something worthwhile.

      Hell if that happens name the Linux distro after her.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  4. About Bruce Schneier by dwalsh · · Score: 5, Funny

    Some of you may not be aware of the stature of Bruce Schneier in the field of computer security, so here is some background information:

    http://geekz.co.uk/schneierfacts/facts/top

    Bruce Schneier once decrypted a box of AlphaBits.

    Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

    Bruce Schneier knows Alice and Bob's shared secret.

    Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

    Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

    Bruce Schneier knows the state of schroedinger's cat

    Bruce Schneier writes his books and essays by generating random alphanumeric text of an appropriate length and then decrypting it.

    When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.

    If we built a Dyson sphere around Bruce Schneier and captured all of his energy for 2 months, without any loss, we could power an ideal computer running at 3.2 degrees K to count up to 2^256. This strongly implies that not only can Bruce Schneier brute-force attack 256-bit keys, but that he is built of something other than matter and occupies something other than space.

    Though a superhero, Bruce Schneier disdanes the use of a mask or secret identity as 'security through obscurity'.

    --
    ${YEAR+1} is going to be the year of Linux on the desktop!
    1. Re:About Bruce Schneier by EvanED · · Score: 5, Funny

      Personally, I like "Bruce Schneier already has a backup plan for when the second person discovers P=NP."

    2. Re:About Bruce Schneier by kwabbles · · Score: 5, Funny

      I ran into Bruce Schneier at an airport once. While we were waiting for a plane, I asked him if he would show me a "cool computer trick". He popped the RAM out of my laptop and quickly tasted the edge with the gold leads. He then told me that at 11:23pm the previous night I had visited ideepthroat.com with Firefox. Damn he's good.

      --
      Just disrupt the deflector shield with a tachyon burst.
    3. Re:About Bruce Schneier by oahazmatt · · Score: 2, Funny

      Vs lbh nfxrq Oehpr Fpuarvre gb qrpelcg guvf, ur'q pehfu lbhe fxhyy jvgu uvf ynhtu.

      With his what? It could probably cause a cave-in as everything oozes out, with the right frequency of course, but physically crushing?

      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    4. Re:About Bruce Schneier by Eighty7 · · Score: 3, Funny

      We really need that -1 Informative mod...

  5. Re:Word and what? by jd · · Score: 3, Funny

    Damn. I thought someone had found a neat new extension to Word, called "and", that bypassed your security.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. Re:My Iron by Vectronic · · Score: 3, Funny

    I was wondering about that, I was thinking your security flaw was as simple as someone saying: "Hey, you left your iron on!" then they just rummage through your shit while yer distracted.

    "It's ok, im completely secure as long as my iron is off"

  7. Sorry, dude... by Penguinisto · · Score: 5, Funny

    Seems that someone found a semi-reliable decryption mechanism that can not only stand up to that, but can reverse an even stronger algorithm known as "volcano".

    Didn't mean to dash your dreams, but you know how the security game goes...

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Sorry, dude... by jeiler · · Score: 5, Funny

      "Volcano" is, indeed, a stronger algorithm than "fire", but it's also much coarser-grained. Further research shows that the decrypted portions were not completely encrypted, merely provided with a partially-encrypted wrapper.

      We can also discuss the even more advanced "Thermonuclear ground-zero" algorithm, but the ultimate form of this type of encryption (matter-antimatter annihilation) is only theoretically possible with our current technology.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

    2. Re:Sorry, dude... by A440Hz · · Score: 2, Funny

      As Jack Handey rightly said, "If you drop your keys into a river of molten lava, forget 'em, 'cause man, they're gone."

    3. Re:Sorry, dude... by menace3society · · Score: 4, Funny

      Thermonuclear ground-zero encryption is unnecessary, you just need good a good Brownian crypto device.

      On a serious note, there's also steganography. I wrote up a tool that works like shred(1), except instead of DoD-compliant type over-writes, it uses blocks of harmless text from Project Gutenberg. Theoretically it's weaker than a 35-pass algorithm, but the advantage is that it's now much harder to retrieve the original data, since it's much harder to tell apart.

      I really want to do something that would get my computer seized by the NSA so I can laugh while imagining them trying to find the data they're looking for. "Aha! I've found some unencrypted text... it says, 'Of all the cants which are canted in this canting world, â" though the cant of hypocrites may be the worst, â" the cant of criticism is the most tormenting...' Never mind, it's just some crap again...."

      Anyone know how to get in touch with Osama bin Laden?

  8. Re:Lucky for me... by nategoose · · Score: 2, Funny

    I've been using fire 2.0 for a year already.

  9. Re:Lucky for me... by xaxa · · Score: 4, Funny

    I encrypt using a one way algorithm know as "fire" that transforms all my secrets into ashes.

    Is that the algorithm invented by the Greek hacker, Prometheus? I heard he got in a bit of trouble over it, he ended up somewhere like Guantanamo, but eventually was rescued.

  10. Re:No Problem Here by McGiraf · · Score: 4, Funny

    "Keep in mind, though, that you can simply add exceptions to your updatedb.conf file, such that the directories/partitions you list will not be indexed (and hence will not be locatable by slocate)."

    yes, put your hidden directories/partitions in /etc/slocate then slocate will not reveal their existence.

    It seems to me there is something wrong with this sheme but I cannot put my finger on it. Hum ... but then again I'm not a security specialist.

  11. Re:A visit from the NSA by Anonymous Coward · · Score: 1, Funny

    The only thing backdoored around here is your mom.

  12. Re:Get A Mac by Chris+Burkhardt · · Score: 4, Funny

    So, just to play along, what software do you propose to use on the mac to provide deniable encryption?

    You could try this program called TrueCrypt. It seems to work okay.

    --
    "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
  13. Re:Turtles all the way down. by onemorechip · · Score: 2, Funny

    This algorithm takes care of that:

    do {
          NextVolumePassword = EnhancedInterrogation.output;
          if ( Subject.dead ) throw EndInterrogationException;
          NewVolume = MountNextVolume( NextVolumePassword );
          cd NewVolume;
          VolumeSize = GetVolumeSize;
    } while ( VolumeSize > 0 )

    --
    But, I wanted socialized health insurance!
  14. Opps by Anonymous Coward · · Score: 2, Funny

    You lost me after the first "M$".

  15. Re:Lucky for me... by Anonymous Coward · · Score: 2, Funny

    You mean it's a one way hash function!

  16. Re:Bruce = Chuck! by badboy_tw2002 · · Score: 2, Funny

    And you're a captain in the obvious army!

  17. Re:Get A Mac by linhares · · Score: 4, Funny

    So, just to play along, what software do you propose to use on the mac to provide deniable encryption?

    You could try this program called TrueCrypt. It seems to work okay.

    yup, ...until some folks showed flaws in TrueCrypt deniability

    Now that's an attempt for infinite mod points!

  18. Re:Won't really matter by PottedMeat · · Score: 2, Funny
    I'm starting to think that I'd be better off learning to resist torture techniques than trying to protect my privacy...

    *ouch!* Give it to me *ow!* not that hard! damn...

    PM

  19. Re:Get A Mac by Chris+Burkhardt · · Score: 2, Funny

    yup, ...until some folks showed flaws in TrueCrypt deniability

    You should just use a Mac. I've never experienced any bugs with its built-in encryption options.

    --
    "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
  20. Re:Get A Mac by Anonymous Coward · · Score: 1, Funny

    yup, ...until some folks showed flaws in TrueCrypt deniability

    You should just use a Mac. I've never experienced any bugs with its built-in encryption options.

    And what about deniability, then?

  21. Re:Get A Mac by Chris+Burkhardt · · Score: 4, Funny

    And what about deniability, then?

    You could try TrueCrypt. I think it works on Macs.

    --
    "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
  22. That's why i *double* encrypt by AP31R0N · · Score: 2, Funny

    i double encrypt EVERYTHING, even my /. posts, with ROT 13! /Bruce Schneier whistles white noise.

    --
    Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
  23. Re:TC has Deniability by ShannaraFan · · Score: 2, Funny

    Replying to your sig... Get out of Ohio... Leaving there 10 years ago was the smartest thing I've ever done.