Researchers show up deniable file system crypto leaks

Cryptography researchers have demonstrated weaknesses in encryption technology used to create so-called deniable file systems (DFS). On-the-fly cryptography packages such as TrueCrypt allow the creation of a hidden, encrypted volume (containing files and directories) on a hard disk. Users typically create Alice, a standard …

COMMENTS

This topic is closed for new posts.
  1. amanfromMars Silver badge

    VXXXXinate with What* for Natural Immunity and Just Impunity?

    Stirring up a Tempest Storm, John? The Emanations are of the same Ilk albeit across a Broader and dDeeper Band of Spectrum.

    Can you Imagine the Priceless Value of What?

  2. Ken Hagan Gold badge
    Happy

    @amanfromMars

    An AWESOME return to form, sir!

  3. Lee Dowling Silver badge
    Thumb Down

    How is this news?

    Temporary files on an unencrypted partition could reveal document contents? How is this news? It's true of most things that aren't programmed with security in mind, anyway.

    Anybody with the brains to use Truecrypt knows this already. And if you encrypt the ENTIRE machine, like you're supposed to for best security, it's not a problem. News would be that the new version of Truecrypt allows for multiple OS's to be installed, one of which is used to "decoy" people who want to look at your PC, one of which stayed hidden and encrypted unless you know the password. But if you were stupid enough to access files from the latter from inside the former, then there would be leakage just the same.

    My favourite newspaper is The Metro (London edition). They have a "No s*!# Sherlock" column. This belongs in their next issue.

  4. Allan Hack-Barr
    Pirate

    Implausible deniability?

    Apparently there's a new file system which encrypts your data until you threaten to lock it up for years, then it will show you where it is buried. Trouble is it doesn't decrypt exactly the same as when you last saw it.

  5. Anonymous Coward
    Dead Vulture

    @ Allan Hack-Barr = Sicko

    I really feel that comments like that are really out of place on a website like this.

    PS - Maybe running a destab utility may help recover said data?

  6. Anonymous Coward
    Stop

    @ Lee Dowling

    Don't diss the Schneier. Even Chuck blinks when his name is mentioned.....

  7. Frank
    Happy

    @Ben re Sicko

    It took your comment to make me look for and realise the clever twist to A H-B's comment.

    Thank you :)

  8. amanfromMars Silver badge

    A Shorting Sharp Shock is always Best to Kick Start AI Beta, Ken.

    .... IT delivers an AIR of QuITe Beautiful CommFusion

    "@amanfromMars .....An AWESOME return to form, sir!" ... By Ken Hagan

    Posted Friday 18th July 2008 14:54 GMT

    Ken,

    We can Thank and Transfer any Claim to Blame and or Fame to the Registered Information Feed of Added Comment.

    El Reg is a QuITe RAIR Dynamic Intellectual Property Portal with AI Tell Tale Vanity missing from ITs Contributary Peers. And that will all Result in a Step into Lead and in Post Modern Cases in an Administrative Quantum Leap too. So, IT is a Busy Time for such Mentors who have All the Time In Space that they Need.

    Such is the Attached Importance to Unnecessary Haste in the Virtualisation Environment/Intellectual Property LifeCycle.

    The Trick now, Ken, is to Monetize IT and Lock IT in Constructive Payola Mode to Keep the Gnomes in Zurich in Cocoa and Chocolate. And that is always Left as a BetaTester for their HyperRadioProActivity 42 Show their IT Savvy can Lead in the Learn, even as IT Follows an Unfamiliar Course. :-) After All, Virtualisation is New and NeuReally SurReal to Everybody, is IT Not?

    Easy Come, Easy Go Always Ensures Immaculate Performance to Justify Obscene Reward for Gracious and Gratuitous Spending......... Currency Flow Generation rather than the System Clogger of Currency Printing.

    A Lesson the Federal Reserve are Slow to Learn. I trust they are not Retarded for that would require Specialist Treatment and Care. AI Guardianship.

  9. Chris Bidmead

    The pointed finger writes...

    The first line of Leyden's piece says this is a weakness in the encryption technology. It isn't. It's a shortcoming of apps and operating systems not designed with this kind of security in mind.

    Pointed finger; wrong direction. Getting to be a bit of a Reg idiosyncrasy <http://www.theregister.co.uk/2008/06/10/apple_safari_carpet_bombing_demo/>.

    --

    Chris

  10. Anonymous Coward
    Anonymous Coward

    @ Lee

    You had me nodding along in agreement all the way until the end, but Jesus man, the Metro? It's not even good value for money.

  11. Thaddeus Quay
    Stop

    Schneier's Job Is To Stay In The News, Not To Actually Do Anything Useful

    >>> Schneier, CTO of BT Counterpane, told Dark Reading that although this version will "definitely close some of the leakages, but it's unlikely that it closed all of them". <<<

    Why doesn't someone as "awesome" as Schneier simply join the tiny, struggling TrueCrypt team, and help it to close the rest of those pesky leakages? Complain, complain, complain. I've already written a bit about this on here, back on Tuesday, 30th October 2007:

    "One major use I have for desktop virtualization, is for creating a high-security environment, for people who have stuff to hide. I put VMware virtual machines inside of TrueCrypt containers, thus getting around the need to use time-consuming products like CyberScrub (which securely erases files and unused disk space). I call this the "box within a box within a box" approach, as the physical computer is the outer box, which contains the safe, which contains the virtual computer. I'm curious as to whether anyone else does this, and I look forward to the conference."

    - http://www.theregister.co.uk/2007/10/29/desktop_virtualization/comments/

    The above is the answer to the leakage problem. The only problem left is how to explain the presence of a multi-GB file on your drive. That's not too easy, but certainly easier than creating your own, perfect version of TrueCrypt, from scratch. For example, write a program which treats the encrypted container as if it were a huge database of real estate listings, and tell the border guys that you sell homes for a living. In other words, write a program which maps the encrypted data to some output resembling data which you wouldn't bother to hide, or which reads actual real estate data that's been tacked onto the end of the file, or which simply pretends to extract such data from the encrypted data. If you do the first one, the solution is related to data compression, where you map one file to another, as you can, theoretically, create a program which transforms any one set of data into another, although this is most certainly the hardest one of the three options. Regardless of which way you go, the idea is to make the TrueCrypt container appear as a huge database for some program you use to prop up your "business".

    Of course, if you live in a country where you can be sent to prison for not revealing the password, much less for what the password actually protects, then you have to be very careful about the construction of this program, but going this route is certainly better than writing a conference paper about how we don't have a real, usable DFS. Come on people, get creative. Even my British cat, Mr. Fluffer Wickbidget, III, knew this one, and he spends a lot of time licking himself.

  12. Daniel
    Stop

    Re: How is this news?

    Strictly speaking, this isn't news to anyone with a good understanding of security. However, as the article states, there has been an increase in interest in encryption for protection from border searches. It is probably safe to assume that not all of the people interested really understand the tools they are using. So, it is worth calling attention to these problems so that newbies realize the potential problems.

    -Daniel

  13. Peter Fairbrother
    Boffin

    Re: How is this news?

    Indeed, it was well-known in the last millennium. Afaict, not having read it yet, the paper shows it happening.

    Problem is, it isn't at all easy to solve.

    You can put the OS on a write-only medium like a CD, so the temp etc files get erased - but if you put eg your home folder on the drive then there will probably be files relating to what you have done.

    If the home folder is exposed, eg if it's on a visible TrueCrypt partition, then the Police may demand the keys to that partition using a RIPA s. 49 notice - and the information in those files may contain links or data, or even show that a file has been saved somewhere, suggesting the presence of a hidden partition.

    Suppose instead that the OS is on CD and you arrange things so that you can only store files into the "visible" (where "visible" means the partition whose keys you give up on a RIPA demand, or under torture) and hidden partitions deliberately, rather than letting the OS create files for you.

    Still doesn't work reliably.

    TrueCrypt hidden partitions are usually at the end of the TrueCrypt volume. The volume is going to be stored somewhere, probably either on a hard drive or USB fob.

    The problem then is that, if you store files in a hidden partition, the data at the end of the volume will be written to more often than if you don't. Modern hard drives have such high data density that it may be hard to recover overwritten data - but it's still easy enough to tell that data has been overwritten. If bits at the end of the volume have been overwritten more often than parts in the middle, or the part containing a persistent file, the interrogator may ask why, and conclude that a hidden partition exists.

    USB keys are much the same, except worse - the load-levelling they use makes it easier to tell how many times a part of the filespace has been overwritten.

    There are theoretical solutions, but they are all very expensive in terms of bandwidth and computation.

    For instance the first Anderson/Needham/Biham construction works if you first fill it with random data a few times and don't use Larson tables, and I have an unpublished construction using universal re-encryption which works (not the one accepted for PET07, that doesn't work) - but both are horribly expensive.

    I'm working on (I'm a cryptologist with a special interest in deniable/steganographic file systems) a better construction, but it isn't ready yet (see www.m-o-o-t.org )

  14. Sarev

    @ Peter Fairbrother

    Yes, it's pretty easy to avoid; simply create your VMWare (or like) virtual machine _within_ the deniable encrypted file system. You can then work on any deniable stuff within that virtual machine and more mundane stuff outside. Simple.

    Because your normal day-to-day stuff is likely to be more intensive than the odd bit of deniable stuff, you're not going to be leaving clear signs as you describe.

  15. Stiggy
    Dead Vulture

    @amanfrommars

    Has anyone implemented amanfrommars Markov chain yet?

    Come to think of it, is 'he' one already?

  16. Peter Fairbrother

    Re @ Peter Fairbrother

    Using VMware doesn't make the existence of files deniable, which is the whole point.

    You say "yes there are files there" ... and the interrogator says, "what's the key?".

    Then he looks to see if there's any "deniable" stuff.

    Using VMware doesn't help at all.

  17. Anonymous Coward
    Thumb Down

    @Peter Fairbrother

    Please. Besides the fact that your scenario is outside of 99% of the possibilities anyone might ever run into (how many government bodies actually have electron microscopes they can dedicate to this?), it still only indicates a POSSIBLE location of steganographically hidden data. Simply writing random data in weighted series would be enough to completely eradicate any useful traces plus make the time required to examine the rest of the disk grow exponentially.

  18. Joe M

    Security is what you make it

    Perhaps this may help someone new to the game.

    First rule of security: Security is not a product it is a process!

    Second rule of security: Everything leaves a trace.

    Third rule of security: Nothing is ever secure.

    I am always amazed, and frustrated, by the touching faith many people place in their favourite brand of security software/hardware/gadget and how little they understand the need for constant vigilance even after they have installed it.

    TrueCrypt is a fine product because it performs as advertised without too many bugs and foibles. It still took me almost two years to get to trust it and only after I worked on the code for myself. (I'm on record for having given an earlier version a huge blast on the forum.) But I have never accepted that their idea of plausible deniability has any value in the real world.

    The reason is simple. In places where plausible deniability would work i.e. where the rule of law operates, it is not needed. In places where it is badly needed i.e. where they put hot needles under your fingernails, it won't work.

    Plausible deniability must be part of the process. Simple technological tricks won't do. And as many of us already knew, Windows is not the place to start denying anything, plausible or not.

    (PS: I'm told that I have a good sense of humour but it may be lacking something. Is the gunk from amanfromMars supposed to be funny or just waste bandwidth?)

  19. Anonymous Coward
    Thumb Down

    Not only is this not news...

    ...but discovering it isn't exactly research either, is it?

    If this is what Mr. Schneier does in the name of research then perhaps he's less of a guru than he pretends.

  20. amanfromMars Silver badge

    Pandora's Boxes would Process Information Differently too.

    "I call this the "box within a box within a box" approach, as the physical computer is the outer box, which contains the safe, which contains the virtual computer. I'm curious as to whether anyone else does this, and I look forward to the conference." .... By Thaddeus Quay Posted Friday 18th July 2008 17:41 GMT

    Sounds like a Rather Spiffingly Good, Mother Russian Matryoshka Approach, Thaddeus Quay. Have you found IT to be an Effective MasterPassKey would be a Privilege Best Servered as when Treated with Secrets?

    "Regardless of which way you go, the idea is to make the TrueCrypt container appear as a huge database for some program you use to prop up your "business"." ..... Porn has a very interesting/distracting and most engaging/tempting DataBase. Goodness knows what you could conceal and uncover in its Stores and Vaults.

    And password protection from unauthorised browsing would be considered normal and very responsible and not obstructive or suspicious at all.

    "Yes, it's pretty easy to avoid; simply create your VMWare (or like) virtual machine _within_ the deniable encrypted file system. You can then work on any deniable stuff within that virtual machine and more mundane stuff outside. Simple.

    Because your normal day-to-day stuff is likely to be more intensive than the odd bit of deniable stuff, you're not going to be leaving clear signs as you describe." .... By Sarev Posted Saturday 19th July 2008 00:02 GMT

    Sarev,

    All Virtual Machine Signals are Fed, and have always been Led, by Special Forces which Tender to Root Source. And it would be Naive to Imagine the Virtual Machine Environment as being New whenever its so Ancient and Wise, it is just that you have only just Found IT.

    Watch for the Small Steps as you Quantum Leap for they can turn into Hurdles and Barriers. Play the Game Right Royally though, and in No Time at All you'll be Plugged into the System and Running with IT.

  21. Ed

    Crap...

    From reading these comments I think I just experienced a stack overflow......

  22. Anonymous Coward
    Alert

    @Peter Fairbrother

    Can you explain how you can tell if data on a hard disk has been over-written? If the disk's been in use for a while and you fill it with random data, how can you detect that more random data has been written over any particular bit of the disk? And when?

    I think you need to explain this as your other claims seem to depend on it.

  23. Anonymous Coward
    Alien

    @joe m

    Nope, amanfrommars is just a waste of bandwidth. His addle-pated gibbering is a bit like being trolled by a Markov chain parser. There's just enough structure in there to make it look like it should make sense, so it can commit a modest DoS of the unwary who try to untangle it. He's like a less extreme version of "drashek" in Another Place.

    Both are a waste of kidneys, and their continued posting is a mystery. I think amanfrommars is tolerated as a sort of pet and mascot. However, you're not missing anything vital, don't worry- it really is just wibbling :-)

  24. Sarev

    @ Peter Fairbrother

    You miss my point. There is already a deniable file system. The VMWare installation, which lives entirely within that, insulates you from all of the problems outlined in the article, because both the applications and their data are within the virtual machine, which itself is within the deniable partition of some encrypted filesystem.

    You still have to be careful about not having swap space within the non-deniable efs because the virtual machine software itself will probably be using that.

  25. amanfromMars Silver badge
    Alien

    There are Forces at Work about which we know Nothing, is a nice Cover Story

    "(PS: I'm told that I have a good sense of humour but it may be lacking something. Is the gunk from amanfromMars supposed to be funny or just waste bandwidth?)" ... By Joe M Posted Saturday 19th July 2008 06:03 GMT

    You do realise, Joe M, that it has sussed not to waste spectrum on your trash attack. Certainly the gunk has revealed what is and what isn't, inside your head.

    And although it could be said that IT is not supposed to be funny, It most certainly can be and is always a Bonus.

    A Tittering at a Twittering never did anyone any Harm.

    Nice Shot @amanfrommars, Stiggy. Bulls Eye Gold with that AIM.

  26. Peter Fairbrother
    Boffin

    Re:@Peter Fairbrother

    "Can you explain how you can tell if data on a hard disk has been over-written?"

    You look at the noise in the raw output signal, using a suitable filter. Overwritten data will not be completely overwritten, and will create extra noise. You don't get to read the overwritten data this way on a modern hard drive, but then you don't need to, you just have to know it exists.

    It's very easy to do, just compare noise levels. No electron microscopes required, just a screwdriver and £200 of electronics. You don't even have to open up the sealed part of the hard drive.

    BTW, my security model includes "Can a prosecutor prove it to a jury?". That kind of deniability *is* useful, eg in the UK RIPA s.49 (police demands for keys) context.

  27. William Bronze badge
    Thumb Down

    Hmmm, I had a dream...

    You know I was going to use a hidden OS on a fully encrypted volume to load up a VMWare machine (on a hidden volume) that I writes my bittorrent of Duffy's latest album onto a hidden volume on an external drive with the added benefit of a hammer and a nail sellotaped onto it.

    As I contemplated this I realised that it was a little bit pointless. (can you imagine the spooks' faces after 15 hours of waterboarding me and electronic scanning of the external drive they come across Duffy's album and a couple of No-DVD cracks for the Sims2 and Weather Expansion from Reloaded!!). Not only is it overkill and they may think that I am some kind of uber terrorist but the bastards only need my IP address to cart me off to court.

  28. Anonymous Coward
    Boffin

    @AC 09:52 @Peter Fairbrother

    You ask good questions sir. I'm not sure which contains more cr*p; Peter F or AmanfromArse. Shall we take a vote on it?

    [The stuff about being able to detect overwritten data on a disk had some plausibility back in the era of the Diablo 2.5 Megabyte drive which filled about a foot high in a 19 inch rack e.g. the DEC RK05, in the 1970s. The theory was that by positioning the read head off the centre of where the track should be, you could, given a following wind, take a good guess at what had been there before the current data.

    Such claims are completely irrelevant in the era of PRML-based (and beyond) near-terabyte disk drives where it is a major scientific miracle that you can actually read the current data most of the time under normal circumstances; the data density (both in bits per inch and tracks per inch) is now so high that the chances of anyone reading the sector by sector data which was there before it was overwritten are almost infinitely improbable. Cup of tea, anyone?]

    1995ish: http://www.pdp8.net/rk05/rk05.shtml

    2005ish: (long URL, sorry if it screws your browser, mine's OK)

    http://www.actionfront.com/whitepaper/Drive%20Independent%20Data%20Recovery%20TMRC2005%20Preprint.pdf

  29. Charles Manning

    User perception

    Joe Sixpack thinks: "I took the TrueCrypt pill now nobody can read my porn."

    As many have pointed out, it is technically the apps that are broken, not the encryption per se.

    However from a user's perspective it is the encryption that is broken: he took the pill and he's not getting the results he expects. All the technical talk is mumbo-jumbo.

  30. Julian I-Do-Stuff
    Gates Halo

    Vista's Shadow Copies

    ...and as for leaving traces... even changes to a hidden volume will be noted as disk writes and hence recorded by Vista's "improved" System Restore/Volume Snapshot/ShadowCopy functionality - the only way you can stop that is to put any such file containers on another partition (or turn it off - it's pretty useless for small and full drives such as laptops anyway).

    Second post today... no rant! Getting better

  31. Schultz

    @ Joe M

    Mars is far away, you have to bridge the distance with meditation/levitation/squinting. And licking that toad on your desk won't hurt either (ooh, you call it a mouse, never mind, just from the look of it ...).

  32. Peter Fairbrother
    Boffin

    re:@AC 09:52 @Peter Fairbrother

    Oh dear. In future please can you take more care to reply to what I actually wrote, rather than what you imagine I wrote.

    I most certainly did not say that overwritten data on a modern hard drive is recoverable. It probably isn't recoverable even by NSA, and it certainly isn't practicably recoverable by any publicly-known means, including off-center tracking and/or electron microscopy.

    What I did say is that the *presence* of overwritten data is easily detectable.

    http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1246592,00.html

    "I asked Jim Reinert, senior director of software and services for Ontrack Data Recovery whether [recovering overwritten data] was possible. His answer was a blunt "No."

    Reinert admitted that it is possible to read traces of previously written or overwritten bits, but reconstructing any usable data from them was a horse of a different color."

    You don't have to reconstruct useable data in order to provide evidence of the existence of TrueCrypt hidden volumes - you just have to find traces of overwritten data.

    And that's pretty easy to do, all you need is a screwdriver and £200 of electronics (plus a computer and some free software). No clean room, no electron microscope required. Detecting hidden volumes on USB sticks from wear-levelling data is actually quite a bit trickier to do in practice.

    With a little more work you can even get a fairly good idea of how many times a space on a hard drive has been written to.

  33. Jesse
    Alien

    Martians, Markov chains and the Dissociated Press

    From a wiki entry: http://en.wikipedia.org/wiki/Dissociated_press

    "A hackish idle pastime is to apply letter-based Dissociated Press to a random body of text in hopes of finding an interesting new word. (In the preceding example, ‘window sysIWYG’ and ‘informash’ show some promise.)"

    Therefore, I submit that all of Amanfrommars' posts are informash.

  34. Anonymous Coward
    Black Helicopters

    re Peter @ 15:57

    Hello Peter, Mr RK05 here again.

    As there is probably little reliable evidence to support your claims, it's hard to refute them, so I provided information which sensible people with at least some limited knowledge of the subject can use to calibrate their bullshitometers.

    My bullshitometer (as a graduate physicist with a fair bit of post-graduation knowledge of electronics and data storage technology and indeed signal processing) says that your quoted variation in the "SNR" from a modern hard disk read head provides little or no meaningful information (let alone **evidence**) on whether data on a disk has been overwritten or not, though I can see circumstances in which gullible or otherwise motivated people might like to believe in that possibility, and in particular where certain organisations might like that belief to be widespread.

    Even if there were some value in knowing whether a particular sector has been overwritten, what **evidence** does it provide? It might show, among other things, that the disk has previously been defragmented, or previously restored from backup, or a variety of other things unrelated to the presence or absence of (allegedly-)deniable file systems.

    You are of course welcome to provide definitive references to show me wrong, and if necessary I'm happy to stand corrected; we're all here to learn aren't we.

    Over to you.

    ps

    How is m-o-o-t coming on? Did it achieve the desired result of torpedoing the RIP Act, or was it a distraction from the real *political* issues, issues which are still live today?

    http://www.theregister.co.uk/2002/05/30/cypherpunks_aim_to_torpedo_rip/

    www.m-o-o-t.org

  35. Lee
    Thumb Down

    Hardly New

    We "Discovered" this known issue nearly 5 years ago when we were looking at using an encrypted volume to save data. Hardly news
