Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday May 30 2014, @08:45PM   Printer-friendly [Skip to comment(s)]
from the some-settling-of-contents-may-have-occurred dept.

According to a German researcher, Mattias Schlenker, we are to expect that the reason for TrueCrypt's recent shutdown is not a National Security Letter, but a serious security flaw in how TC container files are created on Windows.

He expects the flaw to become public within a week.

What gives this chap some credibility is that he's one of the developers of "desinfec't", a Knoppix-based live Linux that comes with several virus scanners and is distributed by well-renowned German computer magazine c't (whose mother company/publishing house, Heise, hosts the forum where he made his announcement).

Link to his original German posting: http://www.heise.de/security/news/foren/S-Re-Warum -TrueCrypt-nicht-in-Desinfec-t-enthalten-ist/forum -280432/msg-25289876/read/

See our earlier coverage: TrueCrypt Discontinued, Compromised.

Related Stories

TrueCrypt Discontinued, Compromised? 91 comments

The TrueCrypt website has been changed it now has a big red warning stating "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". They recommend using BitLocker for Windows 7/8, FileVault for OS X, or (whatever) for Linux. So, what happened? The TrueCrypt site says:

This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Did the TrueCrypt devs (or SourceForge?) get a NSL? They are offering a "new" version (7.2), but apparently the signing key has changed and a source code diff seems to indicate a lot of the functionality has been stripped out. What's up?

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by AnonTechie on Friday May 30 2014, @09:08PM

    by AnonTechie (2275) on Friday May 30 2014, @09:08PM (#49306) Journal

    It is indeed sad that TrueCrypt, which was trusted by millions to keep their data safe, is no longer secure. I do hope that as good an alternative is made available by the contributors to Open Source software. I understand that Bruce Schneier is now advocating using Symantec Drive Encryption (based on PGP) https://www.schneier.com/blog/archives/2014/05/tru ecrypt_wtf.html [schneier.com]

    What would you use instead of TrueCrypt ??

    --
    Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
    • (Score: 4, Insightful) by Ethanol-fueled on Friday May 30 2014, @09:15PM

      by Ethanol-fueled (2792) on Friday May 30 2014, @09:15PM (#49312) Homepage

      > Trusting Symantec
      > 2014

      LOL

    • (Score: 4, Insightful) by wonkey_monkey on Friday May 30 2014, @09:33PM

      by wonkey_monkey (279) on Friday May 30 2014, @09:33PM (#49317) Homepage

      is no longer secure.

      was never secure.

      --
      systemd is Roko's Basilisk
      • (Score: 2) by frojack on Saturday May 31 2014, @01:15AM

        by frojack (1554) Subscriber Badge on Saturday May 31 2014, @01:15AM (#49383) Journal

        That may or may not be true, we don't know when this error slipped in.

        To date, I'm not aware of anyone successfully breaking into it, nor of any exploits in the wild.

        What makes this story sound suspicious, is that the normal response would be to Warn of the issue, so users could take extra care, fix the problem and publish a method of re-creating your encrypted containers.

        Instead, they throw up their hands and walk away. !!!

        Is it THAT broken? Did life get in the way, new jobs, new wife, just pissed off?

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 3, Informative) by stormwyrm on Friday May 30 2014, @10:17PM

      by stormwyrm (717) Subscriber Badge on Friday May 30 2014, @10:17PM (#49331) Journal

      Your link doesn't seem to say that Schneier is advocating Symantec Drive Encryption or any other product in lieu of TrueCrypt. It's just a summary page with links to other coverage of the event. Schneier's only personal comment on that page is to respond to why his name appears in the credits of TrueCrypt, and he denies knowing any of the authors.

      --
      Numquam ponenda est pluralitas sine necessitate.
      • (Score: 2) by AnonTechie on Saturday May 31 2014, @10:35AM

        by AnonTechie (2275) on Saturday May 31 2014, @10:35AM (#49521) Journal

        Sorry for not linking the correct article. I read about Schneier here:

        TrueCrypt turmoil latest: Bruce Schneier reveals what he'll use instead.
        The TrueCrypt project abruptly imploded on Wednesday - leaving folks in the infosec world scratching heads and scrambling to recommend alternatives. In the past hour, crypto-guru Bruce Schneier has told us he's switched back to Symantec's PGPDisk to encrypt his data. "I have no idea what's going on with TrueCrypt," he added on his blog. "Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait and see what develops."
        http://www.theregister.co.uk/2014/05/29/truecrypt_ analysis/ [theregister.co.uk]

        --
        Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
    • (Score: 2, Insightful) by bryan on Friday May 30 2014, @10:40PM

      by bryan (29) <bryan@pipedot.org> on Friday May 30 2014, @10:40PM (#49341) Homepage Journal

      LUKS encrypted file systems have been natively supported in most Linux distros for 5+ years. These encrypted file systems can be easily created on the command line or with a GUI tool like "gnome-disks". If you, for example, insert a thumb drive formated as a LUKS, the desktop environment pops up a password dialog to automatically mount the file system for you.

      TrueCrypt mainly catered to Windows users. Also, the TrueCrypt license was incompatible with both the free-software and the Open Source Initiative philosophies.

      • (Score: 2, Interesting) by cykros on Saturday May 31 2014, @04:06PM

        by cykros (989) on Saturday May 31 2014, @04:06PM (#49607)

        LUKS is great for crypto, but afaik, it doesn't do the plausible deniability hidden containers thing. Nor does anything else I know of. THIS is what always set Truecrypt apart to me, and is why it seemed relevant even on Linux systems. I'd love for someone to suggest something else that has this functionality, but haven't had any luck there yet.

        /me waits for a fork.

    • (Score: 0) by Anonymous Coward on Sunday June 01 2014, @12:37PM

      by Anonymous Coward on Sunday June 01 2014, @12:37PM (#49889)

      This is an alternative, compatible implementation of truecrypt for Linux and BSD. I'm surprised it is not more widely known and supported.

      https://github.com/bwalex/tc-play [github.com] [github.com]

      Also, for Linux, cryptsetup-LUKS can now mount truecrypt containers.

  • (Score: 3, Informative) by bradley13 on Friday May 30 2014, @09:10PM

    by bradley13 (3053) Subscriber Badge on Friday May 30 2014, @09:10PM (#49308) Homepage Journal

    Heise (the publisher he works for) is very competent, and does good stuff. However, for me the key sentences in his report are the following - and (for me at least) this doesn't make the complete and sudden shutdown of Truecrypt any more understandable:

    "Ich vermute, dass nur mit TrueCrypt unter Windows erstellte Container betroffen
    sind. Ich wage zu behaupten: Die Uhr läuft, in einer Woche werden alle Details offen liegen."

    Translates roughly as:

    "I suspect that only Truecrypt containers for Windows are affected. I bet: the timer is running and in a week all details will be known."

    --
    Everyone is somebody else's weirdo.
    • (Score: 0) by Anonymous Coward on Friday May 30 2014, @09:32PM

      by Anonymous Coward on Friday May 30 2014, @09:32PM (#49316)

      "Ich wage zu behaupten: Die Uhr laeuft, in einer Woche werden alle Details offen liegen."

      "I dare to claim: The clock's ticking, within a week all details will be publicly known."

    • (Score: 1, Informative) by Anonymous Coward on Friday May 30 2014, @09:44PM

      by Anonymous Coward on Friday May 30 2014, @09:44PM (#49322)

      Sorry for posting twice, missed the bug in the first sentence.

      "Ich vermute, dass nur mit TrueCrypt unter Windows erstellte Container betroffen
      sind."

      => "I guess that only Truecrypt containers *created on* Windows are affected."

      Note the difference. So, a container created on e.g. Linux, then used on Windows, would be safe.

    • (Score: 2, Interesting) by SparkyGSX on Friday May 30 2014, @09:50PM

      by SparkyGSX (4041) on Friday May 30 2014, @09:50PM (#49323)

      So far, these are just hollow statements without any substance. If you knew what was wrong with the Truecrypt on windows, he'd say so, and really make a name for himself. I don't know the guy, but making a Linux live CD with software others have written isn't exactly rocket science, and I my opinion doesn't necessarily mean he is qualified to say anything about cryptography.

      C'T magazine isn't exactly the pinnacle of software engineering; it's not even about engineering at all! I think it's best described as a magazine for power users, and the last time I read it (which, admittedly, is quite some years ago), I didn't even really go into technical details about either hardware or software, which is exactly why I stopped reading it. They continuously dumbed it down to try to appeal to a larger crowd, until it became yet another average Joe computer magazine.

      What I think COMPLETELY disqualifies him, is the statement that Bitlocker is just a secure or insecure as Truecrypt on windows, just because it's running on windows. This is typical bullshit of a Linux zealot; if the image is not mounted when the attacker wants to gain access, it doesn't matter what OS it's on. If Bitlocker actually is riddled with backdoors, as many suspect, even a dismounted image would be totally insecure, and it would be completely irrelevant what OS it's running on.

      Short version: I think he's just a megalomaniac idiot.

      --
      If you do what you did, you'll get what you got
      • (Score: 2) by Angry Jesus on Friday May 30 2014, @11:46PM

        by Angry Jesus (182) on Friday May 30 2014, @11:46PM (#49357)

        > if the image is not mounted when the attacker wants to gain access, it doesn't matter what OS it's on.

        It is possible that what matters is the OS that created the image. Off the top of my head I can think of at least one OS-specific vulnerability - the random number generator (RNG). If the RNG that truecrypt uses is OS-specific (as in it uses an OS-provided system call to generate random numbers) then it would be plausible that containers created on just one OS are vulnerable while others are not.

        Truecrypt might uses its own RNG, I don't know. I'm just pointing out a way that the OS might make a difference.

        • (Score: 2) by edIII on Saturday May 31 2014, @12:52AM

          by edIII (791) on Saturday May 31 2014, @12:52AM (#49373)

          You would think that TrueCrypt would use whatever CSPRNG (Cryptographically-Secure-Pseudo-RNG) is available in the Windows cryptographic primitives, but it doesn't.

          Very difficult to find any documentation because TrueCrypt not only crippled the encryption mode, but also removed all documentation of the RNG from their website (interpret that as you may)

          I was able to find an audit paper [privacy-cd.org] that detailed the proprietary RNG used by TrueCrypt to some extent:


          The Random Number Generator of TrueCrypt

          As any other good encryption program TrueCrypt needs random numbers. In the case of TrueCrypt these are 64 bytes of “salt†used to derive the key for the header encryption from the password. Then it needs between 32 and 96 bytes for the master key by which the volume is encrypted. Another 32 to 96 bytes are needed for the XTS key used in the XTS encryption mode. The size of these keys depends on the number of ciphers of the selected encryption algorithm. Besides this TrueCrypt also fills the volume with random data as is explained in the previous section. To create all these random data is the task of the random number generator which TrueCrypt implements. The random number generator of TrueCrypt is based on a paper written by Peter Gutmann in 1998(9). It makes use of mouse positions and times of events like mouse clicks or keyboard entries. These data are practically unpredictable. On a Linux system random values from the pseudo devices /dev/random and /dev/urandom are added to these data. To date there are no known attacks against this random number generator. But a paper by Kelsey, Schneier, Wagner and Hall(10) where similar though simpler pseudo-random number generators were analyzed evinces that such an attack may be possible if an attacker could actively interfere on the system while random numbers are being generated. An inference from this analysis was the development of Yarrow which is definitely a better pseudo-random number generator(11)
          .
          An active attacker with root privileges may also eliminate the randomness from the Linux random devices by the commands
          sudo rm /dev/random /dev/urandom
          sudo mknod /dev/random c 1 5
          sudo mknod /dev/urandom c 1 5
          completely12

          As similarly argued above this is not an objection against the use of these devices by TrueCrypt but minds us that TrueCrypt must only be used in a secure environment. The implementation of the random number generator in TrueCrypt has the disadvantage that there is no estimate on the amount of real randomness gathered. That's why it doesn't block until the mouse has been sufficiently moved or sufficient other random events happened. This corresponds
          to the behavior of the device /dev/urandom on Linux in contrast to /dev/random. By this behavior the user isn't troubled with the need of lengthy mouse movements but then he is less secure. We recommend to move the mouse for at least one minute before clicking the “Format†button on container creation. We also recommend to uncheck the check box for “Show†in this dialog. Otherwise 13 bytes of the current random pool are permanently displayed. Afterwards even
          the first 13 bytes of the header and the master key are displayed. As this could be intercepted by an attacker for example with a receiver for the monitor radiation unchecking this check box is a security demand.

          9 See Peter Gutmann, “Software Generation of Practically Strong Random Numbersâ€, Usenix Security Symposium 1998
          10 John Kelsey, Bruce Schneier, David Wagner and Chris Hall, “Cryptanalytic Attacks on Pseudorandom Number Generatorsâ€, 1998

          However, this is just key generation. Typical usage on a full volume encryption would absolutely have to use the cryptographic primitives found in the OS to provide the performance required. There is simply no way that TrueCrypt could gain enough entropy from the mouse alone.

          Personally, I always found it somewhat suspicious that TrueCrypt refused to use the CSPRNGs available in modern cryptographic primitives... but then again... the NSA did an extremely good job of compromising the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) [wikipedia.org], so their paranoia was not unfounded.

          In any case, the CSPRNGs in cryptographic primitives on both Windows and Linux already make use of many non-deterministic activities within the OS and inputs (need a citation myself) that provide truly random numbers to /Random, which is where (IIRC) that /URandom gets its input to provide much larger amounts of random numbers needed to meet the demands of typical usage.

          Considering that you have to trust your OS anyways (otherwise no reason to be running it or TrueCrypt) it doesn't make a whole heck of a lot of sense to create your own in that way. If they wished to use something different, then they should have proposed a new CSPRNG that could be included in the standard primitives.

          It's a real fucked deal anyways since the NSA has practically committed a "scorched earth" tactic by leaving the entire world with zero confidence whatsoever in either the approval process for the NIST standards, or the current CSPRNGs that are there anyways.

          So in the end, getting TRNG input directly from a source like a mouse to generate the key at least wasn't that crazy. It just could've been implemented a little better, and should have collected the same TRNG data that standard cryptographic primitives do, and then applied it's own CSPRNG to gain more volume if required.

          • (Score: 2) by frojack on Saturday May 31 2014, @01:44AM

            by frojack (1554) Subscriber Badge on Saturday May 31 2014, @01:44AM (#49390) Journal

            However, this is just key generation. Typical usage on a full volume encryption would absolutely have to use the cryptographic primitives found in the OS to provide the performance required. ...
            Personally, I always found it somewhat suspicious that TrueCrypt refused to use the CSPRNGs available in modern cryptographic primitives.

            I suppose it is precisely because the encryption primitives on windows is suspected to be hopelessly compromised that they went their own way on this.

            If the machine was not compromised at the time these containers were created, it should remain uncompromised. So unless the truecrypt people suddenly found out there is a master key in Microsoft's encryption, I still see no reason for them to suddenly walk away from their product in despair. They could just fix their problem, apologize, and move on.

            --
            No, you are mistaken. I've always had this sig.
            • (Score: 2) by edIII on Saturday May 31 2014, @02:52AM

              by edIII (791) on Saturday May 31 2014, @02:52AM (#49414)

              I agree about them fixing the problem and moving on, which is why I'm so troubled that they haven't made a full disclosure about what happened. The silence is deafening over there.

              Without tearing apart the code myself, which is no longer available anyways, I strongly suspect that TrueCrypt *was* using a CSPRNG from the standard primitives, despite evidence to the contrary. It's not like we have access to documentation anymore; It's been removed.

              If the machine was not compromised at the time these containers were created, it should remain uncompromised.

              I'm not sure that is true, and I'm pretty positive that's it not. Unless you are mounting a container as read only.

              Key generation is only one activity related to initialization of a container. During normal use on a container TrueCrypt needs to provide itself with large amounts of random numbers. This is especially true if you are using Blowfish as one of the chained algorithms.

              Moreover, during container creation that requires an incredibly large amount of high entropy random numbers to initialize the container. How could they achieve such volume both during key creation and container operations? TRNGs are wholly incapable of doing so without expensive dedicated equipment to provide it. Commodity hardware has no choice but to rely on CSPRNGs for the volume required in modern encryption use cases. So my gut tells me that they were in fact using the standard primitives.

              Another checkmark in favor of TrueCrypt is that it has survived all kinds of attacks previously in the known literature. I heard rumors that some people claimed they could detect hidden containers, but no actual papers, citations, or proof of concepts. I've not heard one single court case where the government had defeated plausible deniability of the hidden container.

              What changed? I suspect that TrueCrypt containers are at risk regardless of when or if the machine was compromised. I just don't know how.

              --
              Technically, lunchtime is at any moment. It's just a wave function.
              • (Score: 1) by fnj on Saturday May 31 2014, @06:38AM

                by fnj (1654) on Saturday May 31 2014, @06:38AM (#49471)

                ...code myself, which is no longer available...

                The source is still available. Everyone who ever downloaded it potentially has kept a copy. If you really want to reference it, it is no trick at all to find a copy.

            • (Score: 2) by dbot on Saturday May 31 2014, @12:03PM

              by dbot (1811) on Saturday May 31 2014, @12:03PM (#49537) Journal

              I suppose it is precisely because the encryption primitives on windows is suspected to be hopelessly compromised that they went their own way on this.

              Windows can't do it, so let's take our pid, and gettimeofday() and seed rand()? [6]

              Both linux[1] and Windows Vista (onward)[2] are using fortuna[3], for their RNG. RNGs in Windows prior to Vista were vulnerable[4]. XP SP3 received a patch[5].

              Even if you want to roll your own RNG, /which is a really, really bad idea/, you should at least XOR your stream with your OS's RNG. The resultant stream will be as random as the most random source, providing there is no correlation between the two sources (which itself would be hard to prove). You can see this if you take any stream and XOR it with {1}, {0}, or {01}. Using a predictable sequence does not affect the randomness of the stream.

              1. https://www.schneier.com/blog/archives/2013/10/ins ecurities_in.html [schneier.com]
              2. http://eprint.iacr.org/2014/167 [iacr.org] (pp3 in abstract)
              3. http://en.wikipedia.org/wiki/Fortuna_(PRNG) [wikipedia.org]
              4. http://en.wikipedia.org/wiki/Random_number_generat or_attack#Windows_implementation [wikipedia.org]
              5. http://www.computerworld.com/action/article.do?com mand=viewArticleBasic&articleId=9048438 [computerworld.com]
              6. http://opensslrampage.org/post/82975103611/so-the- openssl-codebase-does-get-the-time-add-it [opensslrampage.org]

          • (Score: 2) by maxwell demon on Saturday May 31 2014, @10:30AM

            by maxwell demon (1608) on Saturday May 31 2014, @10:30AM (#49520) Journal

            (Taking the liberty to remove stray characters from the quote and add proper formatting):

            An active attacker with root privileges may also eliminate the randomness from the Linux random devices by the commands

            sudo rm /dev/random /dev/urandom
            sudo mknod /dev/random c 1 5
            sudo mknod /dev/urandom c 1 5

            completely

            I wonder if that would still work with udev. But nevertheless, it's an interesting point; it means that before using /dev/random or /dev/urandom you should first make sure that they have the correct major and minor device number.

            --
            The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by Tork on Saturday May 31 2014, @04:11AM

          by Tork (3914) on Saturday May 31 2014, @04:11AM (#49439)
          I apologize for my ignorance, but isn't the step where you move the mouse around for a while designed the seed the random number generator, thus keeping it disconnected from whatever the OS and/or CPU thinks is random?
          --
          Slashdolt Logic: "23 year old jokes about sharks and lasers are +5, Funny." 💩
          • (Score: 2) by Angry Jesus on Saturday May 31 2014, @05:32AM

            by Angry Jesus (182) on Saturday May 31 2014, @05:32AM (#49459)

            To over-simplfy: A good seed is just a starting point (that's why its called a seed). For any generator, if you start with the same seed you'll get the same list of pseudo-random numbers out of it. If the generator's algorithms are weak or somehow flawed, then even a purely random seed won't be enough to guarantee that the list of "random" numbers really is random.

            Here's an explanation of how a deliberately weakened random number generator can be exploited, you don't really have to follow anything but the most basic math in the explanation to see how the end result is compromised.

            http://numberworld.blogspot.com/2013/09/nsas-sp800 -90-dual-ec-prng.html [blogspot.com]

            • (Score: 2) by Tork on Saturday May 31 2014, @11:08PM

              by Tork (3914) on Saturday May 31 2014, @11:08PM (#49729)
              Although I'd admit to the topic being extremely fuzzy to me... I think I get what your link is saying, at least in a crude-Commander-Riker-sorta-way.

              I appreciate it, thank you.
              --
              Slashdolt Logic: "23 year old jokes about sharks and lasers are +5, Funny." 💩
  • (Score: 0) by Anonymous Coward on Saturday May 31 2014, @07:32AM

    by Anonymous Coward on Saturday May 31 2014, @07:32AM (#49487)

    By: Anon | 05/2014

    Fiction: Do you remember the scene near the end of the movie Scarface where the group of criminals conspired in an attempt to remove an individual speaking out against them before he spoke at the UN? (UN - IIRC)

    Reality: Do you remember the individual who died just shortly prior to speaking out about pacemakers (and possibly other technology) and how they are vulnerable to hacker attacks?

    Possibility: Sn0wd3n and/or others about to deliver a speech which mentions the useful tool TrueCrypt to a wider audience - TrueCrypt project dies.

    I'm interested in the results of the complete TC code audit, but give this comparison some thought.

    However, I was concerned about the project when releases ceased after 7.1a. There were steady releases up until that time and I'm curious if 7.1a was released as low hanging fruit with a backdoor and the site was allowed to operate for a few years before closing shop when the hunger for enough interesting people who downloaded/used TC was satisfied.

    ######

    TrueCrypt WTF @ Bruce Schneier blog
    https://www.schneier.com/blog/archives/2014/05/tru ecrypt_wtf.html [schneier.com]

    Also contains TC posts:
    https://www.schneier.com/blog/archives/2014/05/fri day_squid_bl_426.html [schneier.com]

  • (Score: 2) by Marneus68 on Saturday May 31 2014, @08:09AM

    by Marneus68 (3572) on Saturday May 31 2014, @08:09AM (#49498) Homepage

    >What gives this chap some credibility is that he's one of the developers of "desinfec't", a Knoppix-based live Linux that comes with several virus scanners and is distributed by well-renowned German computer magazine c't (whose mother company/publishing house, Heise, hosts the forum where he made his announcement).

    >Guys, I know a guy whose mom knows the aunt of a colleague of a former TrueCrypt dev. Trust me, I know what I'm talking about.

  • (Score: 2) by maxwell demon on Saturday May 31 2014, @10:38AM

    by maxwell demon (1608) on Saturday May 31 2014, @10:38AM (#49522) Journal

    Some correction about Desinfec't: It is not based on Knoppix, but on Ubuntu. The previous, Knoppix-based tool was called Knoppicillin.

    --
    The Tao of math: The numbers you can count are not the real numbers.