TrueCrypt
Monday, 23 August 2010 02:26
TrueCrypt is a software application used for on-the-fly encryption (OTFE). It is distributed without cost and the source code is available. It can create a virtual encrypted disk within a file or encrypt a partition or (under MS Windows except Windows 2000) the entire storage device (pre-boot authentication).
Cryptographic algorithms
Individual algorithms supported by TrueCrypt are AES, Serpent and Twofish. Additionally, five different combinations of cascaded algorithms are available: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES and Twofish-Serpent. The cryptographic hash functions used by TrueCrypt are RIPEMD-160, SHA-512 and Whirlpool.
TrueCrypt currently uses the XTS mode of operation. Prior to this, TrueCrypt used LRW mode in versions 4.1 through 4.3a, and CBC mode in versions 4.0 and earlier. XTS mode is thought to be more secure than LRW mode, which in turn is more secure than CBC mode.
Security concerns
TrueCrypt is vulnerable to various known attacks. To prevent them, the documentation distributed with TrueCrypt requires users to follow various security precautions. Some of those attacks are also detailed below in this section.
TrueCrypt supports a concept called plausible deniability, by allowing a single "hidden volume" to be created within another volume. In addition, the Windows versions of TrueCrypt have the ability to create and run a hidden encrypted operating system whose existence may be denied.
TrueCrypt volumes do not contain known file headers and their content is indistinguishable from random data, so while it is theoretically impossible to prove that certain files are TrueCrypt volumes, their presence can provide reasonable suspicion (probable cause)[13] that they contain encrypted data. TrueCrypt volume files have file sizes that are evenly divisible by 512 and their content passes chi-square randomness tests. These features give reason to suspect a file to be a TrueCrypt volume[14].
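The two indicators above (size a whole multiple of 512 bytes, byte histogram consistent with uniform random data under a chi-square test) are easy to turn into a triage check for a forensic examiner scanning a disk image. The following is an added example and not TrueCrypt's own code; the 0.05 critical value for 255 degrees of freedom and the 1 MiB sampling limit are assumptions, and the inputs in the main block are constructed.

```python
import os
from collections import Counter

SECTOR = 512
# Chi-square critical value for 255 degrees of freedom at p = 0.05 (assumed
# cutoff; a stricter or looser one trades false positives for misses).
CHI2_CRIT = 293.25
SAMPLE_BYTES = 1 << 20  # examine at most the first 1 MiB of each file


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a flat distribution.
    Genuine ciphertext scores around 255 (the degrees of freedom), give or
    take roughly 23; plain text or structured formats score far higher."""
    n = len(data)
    if n == 0:
        return float("inf")
    expected = n / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(size: int, sample: bytes) -> dict:
    """Apply both indicators; 'suspect' means both hold at once."""
    size_ok = size > 0 and size % SECTOR == 0
    chi2 = chi_square_uniform(sample)
    random_ok = chi2 < CHI2_CRIT
    return {"size_multiple_of_512": size_ok,
            "chi_square": chi2,
            "passes_randomness": random_ok,
            "suspect": size_ok and random_ok}


def scan_file(path: str) -> dict:
    """Classify one file on disk using its full size and a leading sample."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    return classify(size, sample)


if __name__ == "__main__":
    # Constructed inputs: a perfectly flat histogram stands in for ciphertext
    # (chi-square exactly 0), ASCII text is heavily skewed, and a 1000-byte
    # size fails the sector-multiple check regardless of content.
    flat = bytes(range(256)) * 2048  # 512 KiB
    text = b"The quick brown fox jumps over the lazy dog. " * 100
    print("flat:", classify(len(flat), flat))
    print("text:", classify(len(text), text))
    print("odd size suspect?", classify(1000, flat)["suspect"])
```

Compressed archives and other encrypted formats pass the same randomness check, so a hit is grounds for closer examination (header inspection, context), not proof that a file is a TrueCrypt volume.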
TrueCrypt stores its keys in RAM; on an ordinary personal computer the DRAM will maintain its contents for several seconds after power is cut (or longer if the temperature is lowered). Even if there is some degradation in the memory contents, various algorithms can intelligently recover the keys. This method (which would apply in particular to a notebook computer stolen while in power-on, suspended, or screen-locked mode) has been successfully used to attack a file system protected by TrueCrypt.
TrueCrypt documentation states that TrueCrypt is unable to secure data on a computer if an attacker has physically accessed it and the user subsequently uses TrueCrypt on the compromised computer again (this does not apply to the common case of a stolen or lost computer).[16] An attacker with physical access to a computer can, for example, install a hardware or software keylogger, a bus-mastering device that captures memory, or any other malicious hardware or software, allowing the attacker to capture unencrypted data (including encryption keys and passwords), or to decrypt encrypted data using captured passwords or encryption keys. Therefore, physical security is a basic premise of a secure system.
The "Stoned" bootkit, an MBR rootkit presented by Austrian software developer Peter Kleissner at the Black Hat Technical Security Conference USA 2009, has been shown capable of tampering with TrueCrypt's MBR, effectively bypassing TrueCrypt's full volume encryption.[19][20] Potentially every hard disk encryption product is affected in the same way if it does not rely on hardware-based encryption technologies such as a TPM, or, even if it does, if this type of attack is carried out with administrative privileges while the encrypted operating system is running.