
About two weeks ago, TrueCrypt 6.0 was released. Among the changes is this one: 'When a hidden operating system is running, all other operating systems/partitions are read-only.'
This is all related to TrueCrypt's deniable file system (hidden operating system) feature. Bruce Schneier, Tadayoshi Kohno, Steve Gribble, and three of their students at the University of Washington have released a new paper that breaks the deniable encryption feature of TrueCrypt.
ABSTRACT: We examine the security requirements for creating a Deniable File System (DFS), and the efficacy with which the TrueCrypt disk-encryption software meets those requirements. We find that the Windows Vista operating system itself, Microsoft Word, and Google Desktop all compromise the deniability of a TrueCrypt DFS. While staged in the context of TrueCrypt, our research highlights several fundamental challenges to the creation and use of any DFS: even when the file system may be deniable in the pure, mathematical sense, we find that the environment surrounding that file system can undermine its deniability, as well as its contents. Finally, we suggest approaches for overcoming these challenges on modern operating systems like Windows. (Source: Cryptogram blog)

The good news is that most of the vulnerabilities discussed were present in version 5.1a and have been resolved in TrueCrypt 6.0. The paper itself notes:
We analyzed the most current version of TrueCrypt available at the writing of the paper, version 5.1a. We shared a draft of our paper with the TrueCrypt development team in May 2008. TrueCrypt version 6.0 was released in July 2008. We have not analyzed version 6.0, but observe that TrueCrypt v6.0 does take new steps to improve TrueCrypt's deniability properties (e.g., via the creation of deniable operating systems, which we also recommend in Section 5). We suggest that the breadth of our results for TrueCrypt v5.1a highlights the challenges to creating deniable file systems. Given these potential challenges, we encourage the users not to blindly trust the deniability of such systems. Rather, we encourage further research evaluating the deniability of such systems, as well as research on new yet light-weight methods for improving deniability.

The bad news is that TrueCrypt 6.0 has not been investigated in detail by the same research team and is not covered by the paper. TrueCrypt has a page with some precautions that you can take. Don't blindly trust the deniability feature, even though it has not been proven broken in version 6. Encrypting sensitive information, especially on mobile devices (laptops, ultra-portables, smartphones, ...), is still highly recommended.
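The abstract's central point is that the file system can be deniable while the environment around it (recent-file lists, application recovery files, desktop search indexes) quietly records paths that reveal the hidden volume. The script below is an added example, not code from this post, the paper, or the TrueCrypt project: it audits a list of environment artifacts for references to a hidden volume's mount point, so a user can see which component of the environment "talked" before relying on deniability. The artifact records, their source labels and the paths are constructed for the example and are not real Windows locations.

```python
"""Audit environment artifacts for paths that reveal a hidden volume.

Added example (not from the Security4all post, the paper or TrueCrypt).
The artifact sources and paths below are constructed assumptions.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class Artifact:
    source: str  # constructed label for the environment component that wrote it
    path: str    # file path the artifact references


# Constructed sample artifacts: two reference the ordinary C: volume, three
# reference H:, which we assume is where the hidden volume was mounted.
SAMPLE_ARTIFACTS = [
    Artifact("recent-items", r"C:\Users\alice\Documents\budget.xlsx"),
    Artifact("recent-items", r"H:\notes\diary.docx"),
    Artifact("word-autorecover", r"H:\notes\~$diary.docx"),
    Artifact("desktop-search-index", "h:/notes/diary.docx"),
    Artifact("desktop-search-index", r"C:\Users\alice\Documents\report.docx"),
]


def normalize(path: str) -> str:
    """Lower-case and unify slashes so Windows-style paths compare reliably."""
    return ntpath.normcase(path.replace("/", "\\"))


def is_under(path: str, mount_point: str) -> bool:
    """True if `path` lies below `mount_point` (drive letter or directory)."""
    mount = normalize(mount_point).rstrip("\\") + "\\"
    return normalize(path).startswith(mount)


def find_leaks(artifacts, hidden_mount_points):
    """Return every artifact that references a path under a hidden mount point."""
    return [
        a for a in artifacts
        if any(is_under(a.path, m) for m in hidden_mount_points)
    ]


def leak_report(artifacts, hidden_mount_points):
    """Group leaking artifacts by source, so the user sees which component leaked."""
    report = {}
    for a in find_leaks(artifacts, hidden_mount_points):
        report.setdefault(a.source, []).append(a.path)
    return report


if __name__ == "__main__":
    for source, paths in leak_report(SAMPLE_ARTIFACTS, ["H:"]).items():
        print(f"{source}:")
        for p in paths:
            print(f"  {p}")
```

Run against the constructed data, the report shows all three environment components referencing the H: volume, which is exactly the kind of evidence the paper says defeats deniability even when the container itself is indistinguishable from random data. The comparison is case-insensitive and slash-agnostic because indexes and shortcuts record paths in inconsistent forms.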
Previous posts:
- Truecrypt 6.0 released
- Airport Security: All your data are belong to us
- SSL Guardian will detect weak SSL certificates in real time
- Online Tool to test SSL certificates
- Belgian University constructs desktop PC that equals processing power of a Cluster
- Fun: xkcd on the debian openssl issue and the consequences
- Debian or Ubuntu users, regenerate those crypto keys now!
- Video on harddisk encryption cold boot attack
1 comment:
For a VERY low-level explanation of Truecrypt see this video:
http://reviews.cnet.com/2001-12576_7.html?tag=hdr;snav
For we should not forget that there are also non-specialist readers of this blog.
Greetings,
Garth
PS: Benny, just embed that video, thanks in advance.