TrueCrypt 6.0 Released 448
ruphus13 writes "While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."
OK (Score:2, Interesting)
even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable
In what case would this be useful? If you have an adversary that can force you to give a password, I'm sure they can force you to boot up the correct operating system as well. And if they are in a position to force you to give up the password, it might not be wise to try to play a switcharoo on them.
In the cases where this would actually be useful (with your boss or the government inspections), they will probably have the ability to detect that you are not being entirely truthful. You can hide an operating system in your encryption, but you can't hide gigabytes of hard disk space that is mysteriously missing on probes.
That might betray the presence of a hidden volume (Score:5, Interesting)
- depending upon the file system.
For instance, if you used ext3 then mkfs.ext3 is going to put backup super blocks all over your disk. If you then setup a hidden volume later on, some of those backup super blocks are going to get over written. An attacker - to whom you've been forced to reveal your outer volume password - could easily discover that the backup super blocks aren't the same as the real super block and deduce that you're using a hidden volume that you didn't tell them about. You could, when formating, tell mkfs.ext3 not to use any backup super blocks - but that also might look a bit suspicious. Just food for thought.
Low powered PC (Score:4, Interesting)
A not very powerfull small factor PC (some subnotebook barely good enough to run Linux - no need for the latest über-UMPC able to withstand Vista), with which to decrypt the content on arrival seems to be the only current solution.
At least, as an over-powerful laptop isn't needed, at least this isn't very expensive.
Also, has TrueCrypt been ported to PDAs ?
A PDA running TrueCrypt and dual SD+USB hybrids cards (Sandisk and OCZ produce such beasts) seems another even cheaper solution.
If the data can't be decrypted on the target machine when plugged with the card's USB connector, then plug it into the SD port of the PDA and decrypt data from there.
Re:Only works if it's default install (Score:3, Interesting)
I never heard that. Reading through the documentation, it appears that any TrueCrypt volume can contain one hidden volume. Which means that your hidden volume can itself contain another hidden volume, and that can contain yet another.
If you think your adversary will torture you a second time in order to get your first-order hidden volume, then that's fine. Put the financial stuff in the non-hidden volume, the porn in the first hidden volume, and the Evil Master Plan in the second hidden volume.
The point is that you can have arbitrarily many layers of nesting. The enemy can never be certain he has them all, and most users probably don't even bother using a hidden volume in the first place.
Re:Sad (Score:5, Interesting)
Wow, what Kool-aid have you been drinking? I've been to China many times too, and love the place, but I'm afraid you're being seriously delusional if you think it's safe to be that blasé around the Chinese authorities. The American search procedures at the US border would indeed be unconstitutional were they conducted in the country, but at least you know up front what the rules are. In China, your rights are vague at best and your recourse to law is minimal. If next time you enter China the border officers did decide they are going to take your laptop away, what could you do about it? Oh, but if they're polite, then that's OK, right?
Fanboyism of China is not helpful to the country and unattractive, so please stop it; it's embarrassing, and even potentially dangerous.
Re:Sad (Score:5, Interesting)
This absolutely mirrors my own experience. I live in the EU and I travel mostly around the EU and Africa. When I get to the US I'm treated as a convicted criminal and I'm a US citizen. I am routinely hassled and threatened by petty dictators of nano-dictorships. Which I find completely bizarre... Hell the security & customs agents in Zimbabwe are more polite than the ones in Atlanta.
Another thing I find complete asinine is that little form you fill out saying where you are going stay while you are in the US. I've been staying at 1600 Pennsylvania ave. for going on 6 years and no one has so much a blinked.
Re:Only works if it's default install (Score:0, Interesting)
Unless you keep backups.
The hidden volume is stored in a 'randomised' area of the main volume that appears to be unused, as such its contents should not change over time. Comparison of the TC volume with any backups may reveal changes to the area of the file corresponding to a hidden volume, indicating its presence.
Add to that halo data, filesystem journals, MRU lists, etc. and the chances are something on your disc will give you away.
TrueCrypt is good enough to hide your data from most types of scrutiny, but don't expect TrueCrypt to protect you from the attentions of a computer forensics laboratory.
Re:Only works if it's default install (Score:5, Interesting)
Already a Mr Chris Jones has an issue with my proposal because he seems to think that the UK government would waterboard users in the UK if Ubuntu has a default encrypted partition they might not have a key to.
If Chris Jones is right that the UK Government would do such a thing, then they would be far more likely to waterboard you for voluntarily installing truecrypt, voluntarily creating a encrypted volume (or two) AND not handing over "all" passwords. Even if you don't even have a hidden volume.
If you have a Government willing to mistreat people for using a distro that does what I propose, they would definitely mistreat people who use Truecrypt.
So my proposal makes the most sense.
Re:Only works if it's default install (Score:5, Interesting)
Actually, there was a conversation about this last time the subject of TrueCrypt came up. Unfortunately it went mostly unnoticed, because a forensic investigator can tell if a hidden partition is present [slashdot.org], masquerading as free space:
I think you, and many other Slashdotters have 'Reiser Ego' (coined!) You see TrueCrypt as an extremely clever and infallible tool you can use to circumvent the stupidity of courts and the dunder-heads who work in computer forensics. For the most part however, these people are not stupid, and geeks are not able to avoid prosecution via their l33t h4xX0r skills.
I fear big egos will lead many geeks to underestimate their adversaries. Feel free to prove me wrong, of course. :)
Re:OK (Score:1, Interesting)
So what you're saying is, your mystery interrogator is going to torture you to death, so you've no incentive to give it up?
You're saying you're fucked if you do, and you're fucked if you don't. So we shouldn't talk about TrueCrypt at all then really? None of us really have a practical use for it?
I personally use it for just sensitive documents, and as a nice storage place I can move around, and keep prying eyes from. I have numerous volumes, all of which would take too long to brute force, and none of which look like a TrueCrypt volume (they don't have a .tc extension).
Also, a lot of the people who use this are either security conscious, or are in the scene and such, so they use things like this. They aren't going to be tortured, and plausible deny-ability works well in their instances.
Re:Only works if it's default install (Score:4, Interesting)
Stop being an idiot and read up on it. You can *not* tell. And it certainly does not show up as free space. You can *not* prove OR disprove the existence of another hidden partition.
Actually you can disprove the existence of another hidden volume in the corner case that the visible volume is full.
You can also eliminate the hidden volume by filling the visible one. Be interesting to see if law enforcement would be satisfied with just zeroing out the free space in your 'visible' volumes at the borders, thereby destroying your hidden one(s).
They might not 'catch a criminal' this way, but it could be seen as 'preventative'... no point in smuggling illegal data in a hidden truecrypt volume if they routinely destroy them. They can destroy hidden volumes without knowing they are there.
Re:Only works if it's default install (Score:4, Interesting)
Stop being an idiot and read up on it. You can *not* tell.
Don't offer advice you're unwilling to take.
Circumstances may make this very possible to identify. Allow me to provide an example and suggest some alternatives:
Lets say you have a 100gb hard drive, and have decided to break away 15gb of that for an alternate volume. Since the OS has to be on it, it can't be very small (300mb for example) as you could do normally with an obvious encrypted disk image document. TrueCrypt choses a place somewhere within the 100gb drive to place it. Lets say it's at the 60-75gb region.
The most plausible deniability for this would be to use the "trojan" 85gb of space for your everyday use, and only reboot into the hidden volume when you had "sensitive work" to do. This would provide many examples of consistent access to the trojan, lending it credibility as being used. If you (almost) always booted into the hidden volume, it would be an easy giveaway since files rarely got modified on the trojan, so this behavior is required.
Unfortunately, over time data is spread around on your hard drive. All current OS's move the next available block pointer forward on the drive as it's used. (space is not used on a "closest to start of volume first" basis beause that can be extremely inefficient and lead to severe fragmentation) So eventually disk usage will run into the hidden partition.
If you've provided your 2nd password, truecrypt will "hop" over the hidden partition to avoid damaging it. But that's the problem. If you continue to use your trojan partition, a simple look at used disk space will see a fairly even coverage mix of free and used blocks, except for one conspicuous, contiguous 15gb chunk of unused space, smack in the middle of the "only volume" on the disk. It could be very difficult to explain to someone analyzing your drive.
ya, right. Now lets have the SECOND password please. (points gun)
There are many ways to fix this problem which have not (as of yet) been implemented by truecrypt:
1) instead of mounting an entire new bootable volume, simply mount a small hidden disk image. That could be 300mb or so, enough for quite a few sensitive documents. A 300mb continuous hole in the free space could be a single AVI file that got deleted a month ago. Totally inconspicuous.
2) instead of reserving a contiguous block of 15gb, it could be cut up into many smaller random length parts. (as in, thousands of pieces of 20-200mb in size) In fact, BOTH the trojan and hidden volumes could occupy almost the exact same space except for their directory start. With both passwords provided, whether you booted into the trojan or hidden, it would consider the union of used blocks on both hidden and trojan partitions when looking for free space to allocate. This has many benefits, including breaking up suspicious free areas into small innocent pieces, and removing the restriction of the hidden partition's size. Without this, if you set aside 15gb and find you need a little more space, you'd have to reformat and it'd be a huge mess. Since both partitions "share" the free space until it's all used, by this technique you could slowly use up all 100gb of your hard drive in any combination of trojan/hidden volume you wanted to, making it much more convenient and future-proof.
Both (1) and (2) are still vulnerable to backup analysis, although (1) would be much more difficult and certain. If you can compare the free blocks between two distant states, say a year apart, you could determine with some certainly that there are more blocks that have remained marked unused over time than should be, so "something's preventing writing to these blocks", placing suspicion on the drive.
If you insist on continuing to use truecrypt, you'd be advised to make sure the hidden partition is near the end of the disk, and that you defragment used AND free space often, so that the scattering of newly allocated files never gets very close to your hidden partition. While inconv
Re:OK (Score:3, Interesting)
Anyone who truly has something to hide to the extent of worrying about torture will have an utterly plausible explanation or ten prepared.
No, anyone who truly has something to hide will not send someone through customs with compromising information. That's where compartmentalization comes in. Encrypt your file, break it apart, and mail the parts to yourself separately. If you really want to be paranoid - to different recipients at different addresses. On different days. If one package is intercepted, the data will be meaningless. Also for good measure throw in some CD's/DVD's with truly random data - so if all the CD's are intercepted they will not know which ones are the real ones.
Detecting Truecrypt. (Score:4, Interesting)
Normally, unused blocks on a drive have whatever data pattern the formatting software puts there (typically something like "FFFFFFFFFFFFFFFF..." or "55AAAA5555AAAA55..."), or remnants of other files, or parts of free block lists and empty extents and the like. If you have a big chunk of random noise in the middle that's an indication that you've got an encrypted volume in there somewhere.