== Plausible deniability ==
TrueCrypt supports a concept called [[plausible deniability]],<ref name=deniability>{{cite web | title =Plausible Deniability | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=plausible-deniability | archive-url =http://arquivo.pt/wayback/20080226032737/http://www.truecrypt.org/docs/?s=plausible-deniability | url-status =dead | archive-date =26 February 2008 | access-date = 24 May 2014}}</ref> by allowing a single "hidden volume" to be created within another volume.<ref>{{cite web | title =Hidden Volume | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=hidden-volume | access-date =24 May 2014 }}</ref> In addition, the Windows versions of TrueCrypt have the ability to create and run a hidden encrypted operating system whose [[deniable encryption|existence may be denied]].<ref name=hiddenOS>{{cite web | title =Hidden Operating System | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/hidden-operating-system | archive-url =https://archive.today/20130416074157/http://www.truecrypt.org/docs/hidden-operating-system | url-status =dead | archive-date =16 April 2013 | access-date =24 May 2014 }}</ref>

The TrueCrypt documentation lists many ways in which TrueCrypt's hidden volume deniability features may be compromised (e.g. by third-party software which may leak information through temporary files, thumbnails, etc., to unencrypted disks) and possible ways to avoid this.<ref>{{cite web | title =Security Requirements for Hidden Volumes | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/?s=hidden-volume-precautions | archive-url =https://archive.today/20120917175346/http://www.truecrypt.org/docs/?s=hidden-volume-precautions | url-status =dead | archive-date =17 September 2012 | access-date =24 May 2014 }}</ref> In a paper published in 2008 and focused on the then-latest version (v5.1a) and its plausible deniability, a team of security researchers led by [[Bruce Schneier]] states that [[Windows Vista]], [[Microsoft Word]], [[Google Desktop]], and others store information on unencrypted disks, which might compromise TrueCrypt's plausible deniability. The study suggested the addition of a hidden operating system functionality; this feature was added in TrueCrypt 6.0. When a hidden operating system is running, TrueCrypt also makes local unencrypted filesystems and non-hidden TrueCrypt volumes read-only to prevent data leaks.<ref name=hiddenOS/> The security of TrueCrypt's implementation of this feature was not evaluated because the first version of TrueCrypt with this option had only recently been released.<ref>{{cite conference |book-title=3rd USENIX Workshop on Hot Topics in Security |title=Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications |url=http://www.cs.washington.edu/homes/supersat/paper-truecrypt-dfs.pdf |author1=Alexei Czeskis |author2=David J. St. Hilaire |author3=Karl Koscher |author4=Steven D. Gribble |author5=Tadayoshi Kohno |author6=Bruce Schneier |date=18 July 2008 |url-status=dead |archive-url=https://web.archive.org/web/20081227025727/http://www.cs.washington.edu/homes/supersat/paper-truecrypt-dfs.pdf |archive-date=27 December 2008 |df=dmy-all }}</ref> A functional evaluation by Schneier et al. of the deniability of hidden volumes in an earlier version of TrueCrypt found security leaks.<ref name="yro.slashdot.org">[http://yro.slashdot.org/story/08/07/17/2043248/schneier-uw-team-show-flaw-in-truecrypt-deniability Schneier, UW Team Show Flaw In TrueCrypt Deniability]. Accessed on: 12 June 2012</ref>

=== Identifying TrueCrypt volumes ===
When analyzed, TrueCrypt volumes appear to have no header and contain random data.<ref>Piccinelli, Mario, and Paolo Gubian. "Detecting Hidden Encrypted Volume Files via Statistical Analysis." International Journal of Cyber-Security and Digital Forensics (IJCSDF) 3.1 (2014): 30-37.</ref> TrueCrypt volumes have sizes that are multiples of 512 due to the block size of the cipher mode,<ref name=modes/> and key data is either 512 bytes stored separately in the case of system encryption or two 128 kB headers for non-system containers.<ref>{{cite web | title =TrueCrypt Volume Format Specification | work =TrueCrypt Documentation | publisher =TrueCrypt Foundation | url =http://www.truecrypt.org/docs/volume-format-specification | archive-url =https://archive.today/20130619023456/http://www.truecrypt.org/docs/volume-format-specification | url-status =dead | archive-date =19 June 2013 | access-date =24 May 2014}}</ref> Forensics tools may use these properties of file size, apparent lack of a header, and [[randomness test]]s to attempt to identify TrueCrypt volumes.<ref>{{cite web |url=http://16s.us/software/TCHunt/tchunt_faq.txt |title=Archive |url-status=dead |archive-url=https://archive.today/20140507093925/http://16s.us/software/TCHunt/tchunt_faq.txt |archive-date=7 May 2014 |access-date=2 March 2017 |df=dmy-all }}</ref> Although these features give reason to suspect that a file is a TrueCrypt volume, some programs exist to securely erase files by overwriting file contents and free disk space with purely random data (e.g. "shred" and "scrub"<ref>{{cite web | title = diskscrub - disk overwrite utility - Google Project Hosting | url= http://code.google.com/p/diskscrub/ |access-date=16 July 2014}}</ref>), which creates reasonable doubt against an assertion that a file made of statistically random data is a TrueCrypt file.<ref name=deniability/><ref>{{cite web | title =Plausible Deniability | publisher =[[FreeOTFE]] | url =http://www.freeotfe.org/docs/Main/plausible_deniability.htm#level_3_heading_2 | archive-url = https://web.archive.org/web/20130124091432/http://freeotfe.org/docs/Main/plausible_deniability.htm#level_3_heading_2 | archive-date = 24 January 2013}}</ref>

If a system drive, or a partition on it, has been encrypted with TrueCrypt, then only the data on that partition is deniable. When the TrueCrypt [[boot loader]] replaces the normal boot loader, an offline analysis of the drive can positively determine that a TrueCrypt boot loader is present and so lead to the logical inference that a TrueCrypt partition is also present. Even though there are features to obfuscate its purpose (e.g. displaying a BIOS-like message such as "Non-system disk" or "disk error" to misdirect an observer), these reduce the functionality of the TrueCrypt boot loader and do not hide the content of the TrueCrypt boot loader from offline analysis.<ref>[http://www.truecrypt.org/faq TrueCrypt FAQ] - see question ''I use pre-boot authentication. Can I prevent a person (adversary) that is watching me start my computer from knowing that I use TrueCrypt?''</ref> Here again, the use of a hidden operating system is the suggested method for retaining deniability.<ref name=hiddenOS/>
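
The three properties named under "Identifying TrueCrypt volumes" (size a multiple of 512, no recognizable header, statistically random content) can be combined into a triage check; the Python below is an added example, not code from the article or from any tool it cites. The signature list, sample size, chi-square acceptance band and all function names are assumptions, and the sample inputs are constructed.

```python
import hashlib
from collections import Counter

SECTOR = 512                      # volume sizes are multiples of 512 (per the article)
SAMPLE = 64 * 1024                # bytes examined from the start of the file (assumption)
# Illustrative subset of well-known file signatures; a real tool carries far more.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x7fELF")
# Chi-square over 256 byte values has 255 degrees of freedom: mean 255, std ~22.6.
CHI2_LOW, CHI2_HIGH = 150.0, 400.0   # assumed acceptance band around that mean


def chi_square(data: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def assess(data: bytes) -> dict:
    """Apply the three heuristics to a file's bytes and report each result."""
    head = data[:SAMPLE]
    result = {
        "size_multiple_of_512": len(data) > 0 and len(data) % SECTOR == 0,
        "no_known_header": not head.startswith(KNOWN_MAGIC),
        "passes_randomness": len(head) >= 4096 and CHI2_LOW <= chi_square(head) <= CHI2_HIGH,
    }
    result["candidate"] = all(result.values())
    return result


def constructed_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) standing in for ciphertext."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


if __name__ == "__main__":
    samples = {
        "container-like (constructed)": constructed_random(256 * 1024),
        "shred-style random fill (constructed)": constructed_random(128 * 1024, b"wiped"),
        "plain text (constructed)": b"quarterly report draft\n" * 20000,
        "random but odd size (constructed)": constructed_random(256 * 1024 + 7),
    }
    for name, blob in samples.items():
        print(name, assess(blob))
```

The container-like sample and the random-fill sample produce the same verdict, so a positive result supports suspicion only; it cannot distinguish an encrypted volume from a file overwritten with random data.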