FlyerTalk Forums


Zarf4 May 28, 2014 7:40 pm

Truecrypt compromised?
 
A warning for those like me who use Truecrypt to carry copies of passwords, passport scans, etc. on a flash drive or cloud storage. The developer(s) are recommending that we abandon TC in favor of Bitlocker:

http://www.pcworld.com/article/22413...bitlocker.html

MS Bitlocker is not a working substitute since it doesn't come in a standalone version which can be used in business centers, etc. Sure hope it's just the developer(s) backing away from the product.

javabytes May 28, 2014 8:19 pm

Don't think anybody knows the details yet, but what seems to be certain is that one should avoid the latest binaries for the time being. Wonder if this is another Lavabit type of thing (which, incidentally, the founder posted awful but hardly surprising details about last week).

LIH Prem May 28, 2014 10:52 pm

Adding to what javabytes said ...

I'd trust Ars more than many other sources, and the message seems to be to "stay tuned"

http://arstechnica.com/security/2014...bruptly-warns/

Loren Pechtel May 29, 2014 12:24 pm


Originally Posted by javabytes (Post 22941510)
Don't think anybody knows the details yet, but what seems to be certain is that one should avoid the latest binaries for the time being. Wonder if this is another Lavabit type of thing (which, incidentally, the founder posted awful but hardly surprising details about last week).

But where would there be a master key that could be compromised?

It's possible they learned that there's an NSA plant involved or something.

GUWonder May 29, 2014 12:29 pm

Greenwald contacted them for an upcoming article about a list of compromised encryption tools? Or some government actors didn't like Greenwald associate's use of TC?

Snowden definitely used TrueCrypt; he even recommended using it in late 2012. I would be curious if he stopped using it at any point in late 2012 or early 2013. He certainly wasn't advising all his acquaintances to stop using it in the summer of last year.

Microsoft has more legal resources to fight the government than TrueCrypt developers, and this MSFT CEO may be more useful in defending privacy rights than the prior couple even as MSFT was definitively compromised in multiple ways.

nkedel May 29, 2014 4:02 pm

This smells very, very bad.

Among other things, BitLocker doesn't support a lot of the features of TrueCrypt (like deniability, keyfiles, and volume-as-a-file) and on Windows 7 and Vista required the relatively obscure (for consumers) Ultimate or Enterprise editions.

TrueCrypt is the ONLY noncommercial alternative I'm aware of that's cross-platform.

Moreover, the TPM support (and secure boot on 8/8.1) features which make Bitlocker more convenient (although neither is mandatory) keep it from being as secure since it unlocks the volume automatically without a user unlock and can be vulnerable to some attacks on that basis.

The prior version of TrueCrypt, 7.1a was mature and stable for 2+ years without needing a point update. There were a couple of cases of law enforcement being unable to crack it (granted, this was in non-national-security cases).

Loren Pechtel May 29, 2014 8:54 pm


Originally Posted by nkedel (Post 22946604)
This smells very, very bad.

Among other things, BitLocker doesn't support a lot of the features of TrueCrypt (like deniability, keyfiles, and volume-as-a-file) and on Windows 7 and Vista required the relatively obscure (for consumers) Ultimate or Enterprise editions.

TrueCrypt is the ONLY noncommercial alternative I'm aware of that's cross-platform.

Moreover, the TPM support (and secure boot on 8/8.1) features which make Bitlocker more convenient (although neither is mandatory) keep it from being as secure since it unlocks the volume automatically without a user unlock and can be vulnerable to some attacks on that basis.

The prior version of TrueCrypt, 7.1a was mature and stable for 2+ years without needing a point update. There were a couple of cases of law enforcement being unable to crack it (granted, this was in non-national-security cases).

Deniability is basically useless as the decision matrix always says to use it and thus whoever is trying to get the information will always assume it's in use.

javabytes May 29, 2014 9:13 pm


Originally Posted by Loren Pechtel (Post 22947912)
Deniability is basically useless as the decision matrix always says to use it and thus whoever is trying to get the information will always assume it's in use.

You just have to convince them you're not smart enough to do that.


Originally Posted by Loren Pechtel (Post 22945226)
But where would there be a master key that could be compromised?

It's possible they learned that there's an NSA plant involved or something.

Certainly a possibility. Even when there is no "master" key to be compromised, the software can always be rewritten to capture the keys of users or otherwise introduce a backdoor. The published source code would theoretically prevent this if you compile it yourself, but realistically very few people do that... and it is difficult to prove the published source code is actually what is used to produce the binaries available for download.

It's also interesting to me that the TrueCrypt crowdfunded audit said earlier this week that they would have "big" news to announce. I think it's particularly important that audit be finished now.

nkedel May 30, 2014 12:51 am


Originally Posted by Loren Pechtel (Post 22947912)
Deniability is basically useless as the decision matrix always says to use it and thus whoever is trying to get the information will always assume it's in use.

Depends on who is trying to get the information.

If we're talking intelligence services, sure.

If we're talking about guys who are gonna break your kneecaps, then well, if they're smart enough to know about encrypted sub-volumes.

If we're talking about going through the courts, or through customs, it is very easy to tell that a disk (or a volume) is encrypted and they can compel you through legal means to give up a password. It is much harder to prove that there is a separately encrypted sub-volume, and as long as many people don't use that feature (and many don't) they have to be open to the legitimate possibility that no such sub-volume exists.

Creating an empty one is also a good way to f___ with people who might otherwise be snooping.

Janus May 30, 2014 3:14 pm


Originally Posted by Loren Pechtel (Post 22945226)
But where would there be a master key that could be compromised?

It's possible they learned that there's an NSA plant involved or something.

Here are my two "tin foil hat" scenarios.

First, the NSA/GCHQ/Russian mob/etc approached the TrueCrypt devs to put in a backdoor into future versions. Allow them to decrypt any newly encrypted drive/volume. Instead of bowing to their wishes, the TrueCrypt developers decided to throw in the towel in the most spectacular way. This way, even if they were forced to return to the project, the general public would no longer be using TrueCrypt.

Second, the NSA/GCHQ/Russian mob/etc had previously approached the TrueCrypt devs and there is already a backdoor. Fearing that the TrueCrypt Audit Project (istruecryptauditedyet.com) would discover the backdoor, the developers decided to throw in the towel.

Janus May 30, 2014 3:32 pm


Originally Posted by nkedel (Post 22946604)
Among other things, BitLocker doesn't support a lot of the features of TrueCrypt (like deniability, keyfiles, and volume-as-a-file)

The plausible deniability feature is questionable. I'm not convinced (nor is Bruce Schneier: https://www.schneier.com/blog/archiv...ypts_deni.html ) that one can truly hide the presence of that hidden volume. Of course, the data is still encrypted, regardless of how discoverable it is.

While BitLocker does not support keyfiles in the same way TrueCrypt does, it does have an equivalent. A key to unlock an OS (or removable) partition can be stored in a file on a USB stick. All the file has is an identifier for the partition, combined with a random 256 bit key. Cryptographically it is probably more secure than the keyfile system (due to the lack of entropy in most file formats), but unlike keyfiles which can be any file one selects, the BitLocker ones are rather easily discoverable.

How to set up a replacement for file containers in BitLocker is actually described on the TrueCrypt site. Scroll down to the section "If you have a file container encrypted by TrueCrypt:".


Originally Posted by nkedel (Post 22946604)
Moreover, the TPM support (and secure boot on 8/8.1) features which make Bitlocker more convenient (although neither is mandatory) keep it from being as secure since it unlocks the volume automatically without a user unlock and can be vulnerable to some attacks on that basis.

While the option to only use the TPM as a boot factor is an option, it is not the only one. A startup pin/password and/or USB stick can be combined with the TPM for additional security. When using those additional factors, it will mitigate those vulnerabilities you speak of.

LIH Prem May 30, 2014 4:40 pm

more from Ars Technica about the TrueCrypt security audit (which is proceeding) ...

http://arstechnica.com/security/2014...-jumping-ship/

nkedel May 30, 2014 4:54 pm


Originally Posted by Janus (Post 22952268)
The plausible deniability feature is questionable. I'm not convinced (nor is Bruce Schneier: https://www.schneier.com/blog/archiv...ypts_deni.html ) that one can truly hide the presence of that hidden volume. Of course, the data is still encrypted, regardless of how discoverable it is.

Yes, I'm familiar with the critique he referred to. It's still a good tool for the cases where it's good for; it's certainly not a tool most people will want to use casually or assume is sufficient on its own -- for exactly the reasons outlined there.


How to set up a replacement for file containers in BitLocker is actually described on the TrueCrypt site. Scroll down to the section "If you have a file container encrypted by TrueCrypt:".

Rather like the recommendation for BitLocker, that only works in some releases of Windows (not just 7/8 but also varies by edition) and ties you not to a particular encryption software but also to the Microsoft OS features around VHD files.

It also creates the volume in a well-known format, and while the data inside of it is encrypted, the metadata around the container is not. Using the Windows EFS to encrypt a VHD file is going to be more secure in some cases, especially if you are not using full-disk encryption.

The biggest problem for many of us is that it's not cross-platform, and indeed, I'm not aware of any other free, practical cross-platform tool


While the option to only use the TPM as a boot factor is an option, it is not the only one. A startup pin/password and/or USB stick can be combined with the TPM for additional security. When using those additional factors, it will mitigate those vulnerabilities you speak of.

Yes, as I said, neither is mandatory. OTOH, the use of TPM as the only factor for decryption (then depending on Windows security to prevent access to the drive, effectively already decrypted) is very popular in the corporate environment. It certainly seems to lead many folks in IT to a false sense of security.

Janus May 30, 2014 7:01 pm


Originally Posted by nkedel (Post 22952674)
Rather like the recommendation for BitLocker, that only works in some releases of Windows (not just 7/8 but also varies by edition) and ties you not to a particular encryption software but also to the Microsoft OS features around VHD files.

Remember, TrueCrypt only offered full disk encryption on Windows. Its container file was the only cross-platform part.


Originally Posted by nkedel (Post 22952674)
It also creates the volume in a well-known format, and while the data inside of it is encrypted, the metadata around the container is not. Using the Windows EFS to encrypt a VHD file is going to be more secure in some cases, especially if you are not using full-disk encryption.

There's not much metadata that's exposed. For non-OS volumes all that's in the clear is a list of methods available to decrypt the volume and a unique identifier. There's nothing about files, folders, etc exposed; all that's encrypted.

For OS volumes, there is a boot loader partition that (out of necessity) is in the clear. But there's nothing in that partition other than the standard Windows boot loader. On UEFI systems with Secure Boot enabled, every bit in that boot loader partition is digitally signed, and verified by hardware before it’s executed.

As for EFS, that’s even less portable. As wherever the VHD is stored, needs to be NTFS and can’t be copied to/from over a network. Plus, the EFS certificate needs to follow the VHD file. Worst of all, you’d have to decrypt the VHD file prior to using it. As VHDs are mounted in the context of System, which doesn’t have access to the user’s certificate store.


Originally Posted by nkedel (Post 22952674)
The biggest problem for many of us is that it's not cross-platform, and indeed, I'm not aware of any other free, practical cross-platform tool

I don’t really see much benefit to cross-platform FDE products. For example, how often is a Windows user going to decrypt the contents of a Mac’s boot drive (or vice versa)? If anything, I see much more utility in a tool which can share encrypted files (or collections of files) between different OSes. For that, there’s GPG.


Originally Posted by nkedel (Post 22952674)
Yes, as I said, neither is mandatory. OTOH, the use of TPM as the only factor for decryption (then depending on Windows security to prevent access to the drive, effectively already decrypted) is very popular in the corporate environment. It certainly seems to lead many folks in IT to a false sense of security.

I completely agree.

arjunrc May 30, 2014 7:15 pm

I was pretty surprised to read about their sudden abandonment. I am eagerly waiting for phase 2 of the audit. I too smell something fishy. I use Truecrypt extensively to store personal information just to keep it safe from theft - and appreciate the fact that it's cross-platform. I have both iMacs and Windows machines at home and work and being able to mount a common cross-platform drive is/was a big advantage to me.

javabytes Jun 2, 2014 3:38 pm

http://truecrypt.ch/


TrueCrypt must not die

TrueCrypt.ch is the gathering place for all up-to-date information.

If TrueCrypt.org really is dead, we will try to organize a future.

f0xx Jun 2, 2014 3:43 pm

https://opencryptoaudit.org


Update: The TrueCrypt Phase I Audit Report is available!
https://opencryptoaudit.org/reports/...Assessment.pdf

javabytes Jun 2, 2014 3:55 pm

That was published a few months ago... the second phase of the audit is still pending. And the second phase is where the money is.

Zarf4 Jun 5, 2014 11:47 am

OK, what the heck is going on with computer security these days... After years of blissful ignorance:

First we get Heartbleed - spend a couple of days updating all my servers/routers/clients to the latest OpenSSH.

Next the venerable TrueCrypt starts a storm of conspiracy stories.

Today another vulnerability in OpenSSH has been identified which potentially affects HTTPS traffic and the OpenSSL foundation is asking us to upgrade again.

http://www.wired.com/2014/06/heartbl...ssl-uncovered/

I can't wait for the results of the TC audit, the computer world isn't that much fun anymore.

CraigWatson Jun 6, 2014 1:38 pm

This is a prime example of when closed source goes bad. No source = no trust.

dmcrypt or lukscrypt plus GPG is the way to go :)

gfunkdave Jun 6, 2014 1:43 pm

TrueCrypt is open source - isn't it?

CraigWatson Jun 6, 2014 1:44 pm


Originally Posted by gfunkdave (Post 22990021)
TrueCrypt is open source - isn't it?

Not quite: http://en.wikipedia.org/wiki/TrueCry...d_source_model

TL;DR - TrueCrypt License != Open Source


Originally Posted by Wikipedia
According to current OSI president Simon Phipps:

...it is not at all appropriate for TrueCrypt to describe itself as "open source." This use of the term "open source" to describe something under a license that's not only unapproved by OSI but known to be subject to issues is unacceptable.


nkedel Jun 6, 2014 2:02 pm


Originally Posted by CraigWatson (Post 22989990)
This is a prime example of when closed source goes bad. No source = no trust.

dmcrypt or lukscrypt plus GPG is the way to go :)

TrueCrypt makes source available, and you can build your own version from source easily enough. In practical terms, there is little stopping redistribution or forking.

That's "open source" enough for me.


Originally Posted by CraigWatson (Post 22990030)
Not quite: http://en.wikipedia.org/wiki/TrueCry...d_source_model

TL;DR - TrueCrypt License != Open Source

The term "open source" predates OSI, and they don't have a trademark on it.

CraigWatson Jun 6, 2014 2:16 pm


Originally Posted by nkedel (Post 22990120)
TrueCrypt makes source available, and you can build your own version from source easily enough. In practical terms, there is little stopping redistribution or forking.

In actual fact:


Originally Posted by Open Crypto Audit
The current required Windows build environment depends on outdated build tools and software packages that are hard to get from trustworthy sources. For example, following the reproducible build instructions requires access to VC++ 1.52 (released in 1993), in addition to various Windows ports of GNU tools downloadable from wherever they can be found. Using antiquated and unsupported build tools introduces multiple risks including: unsigned tools that could be maliciously modified, unknown or unpatched security vulnerabilities in the tools themselves, and weaker or missing implementations of modern protection mechanisms such as DEP and ASLR. Once the build environment has been updated, the team should consider rebuilding all binaries with all security features fully enabled. For the purpose of auditing, TrueCrypt should release instructions for how to create reproducible builds.


Originally Posted by nkedel (Post 22990120)
The term "open source" predates OSI, and they don't have a trademark on it.

True, but the OSI was founded for a reason, to clear up the term and to impose standards. The web was around in some form or another before the W3C and they don't have a trademark on the term HTML, but we still have web standards.

I may be slightly pedantic, but the mis-communication of the terms "open source" and "free software" is one of my biggest pet hates - it's Freedom vs Gratis, TrueCrypt may be Gratis but it's not Free because it's restricted by the TrueCrypt License. OSI-approved licenses and copyleft are two of the cornerstones of the software freedoms :)

nkedel Jun 6, 2014 2:58 pm


Originally Posted by CraigWatson (Post 22990187)
True, but the OSI was founded for a reason, to clear up the term and to impose standards.

They don't have any power to "impose" standards -- they can (and do) try to build consensus around them, but to suggest that theirs is the only definition out there is simply wrong.


The web was around in some form or another before the W3C and they don't have a trademark on the term HTML, but we still have web standards.

...and browsers have to deal with HTML that doesn't completely comply with the standards, and yet everyone understands that it is HTML.


I may be slightly pedantic, but the mis-communication of the terms "open source" and "free software" is one of my biggest pet hates - it's Freedom vs Gratis, TrueCrypt may be Gratis but it's not Free because it's restricted by the TrueCrypt License.

Truecrypt isn't just free-as-in-beer; in practice as a private individual you're just as free to use the source as anything GPL-ed, and you are free to create and distribute new versions of it or products extended from it.

Indeed, the biggest issues with the license (that it's "viral," like GPL, and that it requires attribution) are both in common with some OSI-approved licenses, and overall, it's a good deal LESS restrictive than some of the approved OSI licenses from commercial entities (notably Sun's CDDL.)

(It's also not clear whether the new license posted with their gimped 7.2 release is retroactive; if so, most of the objections to the older license are moot.)

Moreover, by the FSF's standards, a lot of OSI-recognized licenses aren't free. That level of doctrinal dispute is uninteresting.


OSI-approved licenses and copyleft are two of the cornerstones of the software freedoms :)

Quite a lot of OSI-approved licenses AREN'T copyleft (in the generally accepted sense, including the one used in the OSI's own FAQ; some other people use it to mean all open source.)

OSI-approved licenses are a convenience, and something that post-dates all three of the major general-use licenses (GPL, BSD and Apache.)

CraigWatson Jun 6, 2014 3:44 pm

Touché ;)

GUWonder Apr 3, 2015 6:15 am

Some audit results resulted in the following article:

https://threatpost.com/audit-conclud...uecrypt/111994

Internaut Apr 3, 2015 12:55 pm


Originally Posted by GUWonder (Post 24610192)
Some audit results resulted in the following article:

https://threatpost.com/audit-conclud...uecrypt/111994

Saw an article about that in The Register. Sounds like the whole situation was ultimately down to either a warrant canary, or something more sinister. Doesn't affect me; all my secrets are dancing and singing in front of you.

gfunkdave Apr 3, 2015 3:15 pm


Originally Posted by Internaut (Post 24612145)
Doesn't affect me; all my secrets are dancing and singing in front of you.

Oh, so THAT'S what that is. Cut it out, I'm trying to sleep here! :)

Kagehitokiri Apr 3, 2015 4:00 pm

how much is not 'compromised' ?

GUWonder Apr 3, 2015 5:46 pm


Originally Posted by Kagehitokiri (Post 24613065)
how much is not 'compromised' ?

https://opencryptoaudit.org/reports/...OCAP_final.pdf

You can try to make of that what you can.

Nowadays it seems that almost no one knows for sure what is not compromised.

One thing that we do know for sure is that encryption doesn't do a whole lot if you have weak passwords. For an idea on how to have strong passwords that are practical to remember without physical record of the password, look at the following:
https://firstlook.org/theintercept/2...rs-cant-guess/

GUWonder Oct 1, 2015 5:35 pm

http://motherboard.vice.com/read/enc...-vulnerability

above.the.clouds Oct 1, 2015 7:25 pm

TrueCrypt is deprecated.

nkedel Oct 2, 2015 12:49 am


Originally Posted by above.the.clouds (Post 25506170)
TrueCrypt is deprecated.

Superseded by Veracrypt.

javabytes Oct 2, 2015 4:52 pm


Originally Posted by above.the.clouds (Post 25506170)
TrueCrypt is deprecated.


Originally Posted by nkedel (Post 25506957)
Superseded by Veracrypt.

Yes, but it doesn't mean people aren't still using it.

nkedel Oct 2, 2015 7:01 pm


Originally Posted by javabytes (Post 25510659)
Yes, but it doesn't mean people aren't still using it.

I'm sure plenty are.

GUWonder Mar 30, 2016 6:02 pm


Originally Posted by javabytes (Post 25510659)
Yes, but it doesn't mean people aren't still using it.

You're right:

http://www.newyorker.com/news/news-d...ncryption-tool

And the above article has some other interesting stuff too.

greggarious Mar 31, 2016 2:58 pm

Veracrypt is based on TC code, and can open old TC volumes:

https://en.wikipedia.org/wiki/VeraCrypt

GUWonder Oct 22, 2016 5:55 am


Originally Posted by greggarious (Post 26416889)
Veracrypt is based on TC code, and can open old TC volumes:

https://en.wikipedia.org/wiki/VeraCrypt

VeraCrypt has some critical vulnerabilities. It will be interesting to see how quickly all of those identified (at this point) get fixed.

http://www.zdnet.com/article/veracry...ritical-flaws/

Note that some flaws in TrueCrypt were actually fixed with/by/for VeraCrypt.

Janus Oct 23, 2016 10:00 am


Originally Posted by GUWonder (Post 27378785)
VeraCrypt has some critical vulnerabilities. It will be interesting to see how quickly all of those identified (at this point) get fixed.

http://www.zdnet.com/article/veracry...ritical-flaws/

Note that some flaws in TrueCrypt were actually fixed with/by/for VeraCrypt.

That article is very badly written. VeraCrypt had actually released an update addressing the audit two days prior to that article going live. And unlike what that article hints at, the remaining issues are not high-priority, but rather low risk bugs that require significant work to correct. Also, I don't believe anything the audit found would meet the industry-accepted definition of "Critical"; again, another issue I have with that piece.

If anything, the fact that VeraCrypt is being audited is a good thing. TrueCrypt went years without an audit. Having critical crypto projects regularly audited is the only way to have any confidence in its security.

