Slashdot Mirror

← Back to Stories (view on slashdot.org)

TrueCrypt Master Key Extraction and Volume Identification

Posted by Soulskill on from the be-sure-to-use-it-the-right-way dept.

An anonymous reader writes "The Volatility memory forensics project has developed plugins that can automatically find instances of Truecrypt within RAM dumps and extract the associated keys and parameters. Previous research in this area has focused specifically on AES keys and led to the development of tools such as aeskeyfind. The Volatility plugin takes a different approach by finding and analyzing the same data structures in memory that Truecrypt uses to manage encryption and decryption of data that is being read from and written to disk. With the creation of these plugins a wide range of investigators can now decrypt Truecrypt volumes regardless of the algorithm used (AES, Seperent, combinations of algos, etc.). Users of Truecrypt should be extra careful of physical security of their systems to prevent investigators from gaining access to the contents of physical memory."

7 of 222 comments (clear)

  1. Burn after reading? by bazmail · · Score: 3, Insightful

    Don't people burn memory blocks any more? This is sensitive data handling 101.

    1. Re:Burn after reading? by DigitAl56K · · Score: 5, Insightful

      TrueCrypt has to keep the keys somewhere so long as a volume is mounted. Whatever happens, so long as it's not currently on the CPU (and potentially even if it is), something that can read its data structures is always going to be able to find the keys in RAM if the structure is known. Maybe if TrueCrypt has some crazy polymorphic engine and corresponding polymorphic data structure that changed on every run it could get very difficult, but probably not impossible, to extract them.

    2. Re:Burn after reading? by Anonymous Coward · · Score: 4, Insightful

      Upon unmount, TC should write (and overwrite) lots of random junk to the ram it was using to store keys so you don't have to worry about stale ram recovery techniques.

  2. What would be sweet... by DigitAl56K · · Score: 5, Insightful

    Given that we're in an era of low-cost portable devices (Raspberry-Pi, BeagleBoard, etc.), it would be really nice if TrueCrypt could implement a driver that passed data off to an external, open-source device for processing that held the keys in its own memory, and provided no other service than to perform the cryptographic functions and hand back the data. It would be slower, but at least then you don't have the keys in memory on a general purpose computer running browsers, java, flash, adobe reader, etc. etc.

    Take one of those devices and attach a small screen to them and you could enter your passphrase using a keyboard attached directly to them, and use a keyfile on a flash stick plugged into the USB port too. The distro powering all of this could be minimal and audited.

    1. Re:What would be sweet... by DigitAl56K · · Score: 3, Insightful

      There's already a market for Pi cases, I don't see why not..

  3. In other words by msobkow · · Score: 4, Insightful

    Shut your machine OFF before you get to the border; don't put it to sleep.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:In other words by TapeCutter · · Score: 3, Insightful

      can the border goons compel someone to boot the machine (supplying whatever passwords are necessary to do so) to enter?

      No legal power to compel, but refusal is "suspicious behaviour" and is going to fuck up your trip until some real lawyers show up and say the court battle isn't worth the prize. Your name will go on a watch list and goons the world over will give you grief for years to come, but your porn collection will remain private.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.