Here's a question that I never see brought up. For those experienced users who use TrueCrypt hidden volumes, how do you know that the hidden volume is in fact indistinguishable from the rest of the outer volume? I'm asking this especially for the case where different types of encryption are used for the hidden and outer volume. Different algorithms could theoretically yield minor differences.

I'm asking for a line of reasoning or a testing procedure that would indicate to you that all hidden volumes are indistinguishable from all outer volumes. If it's a testing procedure, I'd like to know if you've actually tried it or know of someone who has.

I've done experimentation in the past, and I do believe that TrueCrypt's claims are in fact correct. But I'm wondering if anyone else actually questions those claims or whether people just basically believe whatever's in the documentation. I've done some Google searches and come up with very little (except for some stuff I've written in the distant past and very few other tidbits here and there).

Thanks

Edit: I'm asking this question to see if my line of reasoning is similar to other people, and I'm curious about how many people that use TrueCrypt hidden volumes actually ask these types of questions. My reasoning is that the more people that ask these questions, the better off we all are.

But, sadly, I'm beginning to feel that the developers basically do everything, including the testing. And we're all just sheep. All these thousands of people that review the source code seem like a myth because most of the people I've talked to know very little outside of what's in the documentation.

I don't use hidden volumes, but I do. Let me explain...

While reading the TC Forums a few months ago I came across posts asking things like, "Hidden volumes are known to law enforcement, etc. so why bother?" The obvious answer on the forum is the plausible deniability. They can't actually prove you use a hidden volume and all they see is in your outer volume. Well, like you, I've wondered just how well these hidden volumes are truly "hidden."

I then came across an excellent post from somebody on the TC forums that said they used the hidden volume feature for one reason - to PROVE they don't use the feature! Something along the lines of how they created a very small hidden volume with one file inside. A text message that said something like "This is a simple text message to prove that I do not use the hidden features of TrueCrypt - except for this disclaimer."

You can only create one hidden container. LEA and rubber hosers of whatever stripe know this as well. BRILLIANT! It seemed so simple, but I now have done the same thing. There were posters who also don't use the feature (but fear somebody will think they do) were writing, "Duh, why didn't I think of that?" I use TC for legitimate security purposes against laptop/identity theft, etc., I don't use the hidden volume feature and I want to be able to prove that if at anytime that were to be necessary. Call it "absolute deniability" that, one never knows, may save me a lot of grief and suspicion someday.

-{ Quote: "I don't use hidden volumes, but I do. Let me explain... " }-


I agree it's a nice solution for those that don't want to use hidden volumes. But if those hidden volumes weren't really hidden, you wouldn't even need to do that. Hence my question.

My question is related to the technical testing of claims that TrueCrypt hidden volumes can't be detected. I have my methodology for testing, but, unfortunately, I've never found anyone to talk to or compare techniques (or anything of that sort). I basically just answer other peoples' questions based on my own experimentation, but I've never really found someone who does the equivalent and who questions what I say. People seem to take everything in the documentation as gospel truth. But now that I bring that up, people seem to take everything I say as gospel truth.

I'm just a little disillusioned about the lack of questioning. :(

Sorry about that. I know that wasn't directly related to your question and it IS a good one. I often wonder the same thing. Just who ARE these people actually looking at the code and would they know a backdoor or a minor coding error if it hit them in the face? I'm with you because I read that, "people can read the source code," but have never actually read of a single person doing so. Does the hidden volume look different under a hex editor? Not to me (I've looked) but I could very easily miss something.

-{ Quote: "Sorry about that. I know that wasn't directly related to your question and it IS a good one. I often wonder the same thing. Just who ARE these people actually looking at the code and would they know a backdoor or a minor coding error if it hit them in the face? I'm with you because I read that, "people can read the source code," but have never actually read of a single person doing so. Does the hidden volume look different under a hex editor? Not to me (I've looked) but I could very easily miss something." }-

Yeah, a hex editor may tell you if there are any "unfilled" areas or gaps by TrueCrypt, but it doesn't tell you anything about the quality of the data.

I guess I'll explain how I would look at it yet AGAIN if no one responds. But, keep in mind that I actually haven't done this over the last several versions. I trust the developers, but we really need some more eyes on this stuff. And I really would like to know if what I'm saying is actually correct. The only reason I think I'm right is because no one has ever questioned me. I really would like for someone to lay down the law here.

I do consider this type of situation different than a backdoor though. While I don't think every version is being comprehensively tested, I'm sure some versions were. That's probably sufficient. I don't think they're backdooring their product. If even one is ever discovered, you can kiss TC goodbye permanently.

There was a vuln a few years ago that allowed one to prove a hidden volume existed. This forum post (http://www.security-forums.com/viewtopic.php?t=35150) goes into great detail about it (and has links to even more discussion). Apparently this issue was fixed in TC 4.1, so it has been long resolved.

Then there are tools like "TCHunt" which are a total fraud and joke. All they do is look for random data and then flag any random data as a TC container. You can read more about the fraud here. (http://forums.truecrypt.org/viewtopic.php?t=14585&postdays=0&postorder=asc)

To answer your question, I know of no way to prove that a TC hidden volume exists on a hard drive. And I don't see how it could be proven without breaking the encryption cipher itself (and subsequently winning a Fields Medal in mathematics).

-{ Quote: "There was a vuln a few years ago that allowed one to prove a hidden volume existed. This forum post (http://www.security-forums.com/viewtopic.php?t=35150) goes into great detail about it (and has links to even more discussion). Apparently this issue was fixed in TC 4.1, so it has been long resolved." }-

Yes, I was familiar with that. In fact, I'm still using volumes created prior to TC 4.1 (in CBC mode). But they're AES-Blowfish, which are completely safe from this attack, and still incredibly safe period.

-{ Quote: "Then there are tools like "TCHunt" which are a total fraud and joke. All they do is look for random data and then flag any random data as a TC container. You can read more about the fraud here. (http://forums.truecrypt.org/viewtopic.php?t=14585&postdays=0&postorder=asc)
" }-

Agreed.

-{ Quote: "To answer your question, I know of no way to prove that a TC hidden volume exists on a hard drive. And I don't see how it could be proven without breaking the encryption cipher itself (and subsequently winning a Fields Medal in mathematics)." }-

I disagree. It definitely wouldn't be necessary to break the cipher itself to prove that one set of data encrypted by one cipher is different from a set of data encrypted by another cipher. It may still be impossible to do, but theoretically much easier than breaking the cipher itself. There may be some incredibly tiny difference between the two ciphers that could possibly be found (without ever even coming close to breaking either of them).

I doubt such a difference would be found, but it could.

Edit: If you've never played with the current crop of statistical tests for randomness, I would suggest you start. You might be surprised at how good they are. I was posting on the TrueCrypt forums years ago about how I could tell you, with some of the bad PRNGs, exactly which PRNG produced which set of data. And, believe me, if you used just a hex editor to compare them to TrueCrypt volumes, you wouldn't be able to see any difference.

And these tests have only gotten better. Fortunately, TrueCrypt uses cryptographically secure algorithms. But I don't believe there is anything inherent in an algorithm that makes it cryptographically secure. There's no proof. It has to be tested. And when new tests come along, you have to test again.

Let me expand on this further.

There's a PRNG called Mersenne Twister. It was never believed to be cryptographically secure, but it always passed all statistical tests. In fact, it's hard to find a test suite that finds any statistical anomaly in it.

Then came TestU01. Mersenne Twister still passed most tests, but it failed a couple. Currently, TestU01 is considered the best statistical test suite. Of note, they did find one potential anomaly in AES in CTR mode (internal algorithm and not produced by TrueCrypt). However, they couldn't reproduce this anomaly in any further tests.

I don't know about you, but I don't take anything for granted. I always test to the best of my ability. Prior to 2006, TrueCrypt always advertised how they passed all statistical tests (such as Diehard). But the tests currently available are much, much better than back then. However, TrueCrypt still passes everything, but they don't advertise that anymore.

http://www.iro.umontreal.ca/~lecuyer/myftp/papers/testu01.pdf

I thought one way to avoid people thinking that maybe you have a hidden volume is just to avoid letting them you know you have truecrypt at all. So if you create the encrypted volume on your local hard drive and only install TrueCrypt on an external drive, then assuming there are no traces of TrueCrypt on your computer, they will never be able to say maybe you have a hidden TrueCrypt volume.

Does that work?

-{ Quote: "I thought one way to avoid people thinking that maybe you have a hidden volume is just to avoid letting them you know you have truecrypt at all. So if you create the encrypted volume on your local hard drive and only install TrueCrypt on an external drive, then assuming there are no traces of TrueCrypt on your computer, they will never be able to say maybe you have a hidden TrueCrypt volume.

Does that work?" }-


There are ways to do what you want, but you haven't provided enough information on your setup. The trick is, as you said, not to have any copy of TrueCrypt for anyone to find.

As far as your TrueCrypt volume is concerned, you have to be able to replicate that pattern with some other non-cryptographic program in such a way that no one can prove which program produced the data. That pretty much rules out a file-based TrueCrypt volume. I know of no other program that will produce a file that has as much entropy as a TrueCrypt volume without any sign of a header. Other programs that produce files with as much entropy as TrueCrypt volumes are often other encryption programs, but they usually have unencrypted headers.

Some people in the mathematics field may claim that they need a random set of data for study (which is often true). But they would need a program which is capable of doing this. And for the rest of us, I don't think this would work.

With partition or device encryption, it's possible to replicate it with a disk wiping program. But you have to find the right program with the right algorithm to make sure it can be replicated exactly. It really all depends on how thorough an investigation of the hard drive would be. If an investigator is meticulous to a fault, then you have to be meticulous too. If the investigator is sloppy, then maybe you don't have to do much except make sure no trace of the TrueCrypt program is found while not using file-based volumes.

Provide more detail if you want to and if you don't mind those details becoming public knowledge.

-{ Quote: "

Then there are tools like "TCHunt" which are a total fraud and joke. All they do is look for random data and then flag any random data as a TC container. You can read more about the fraud here. (http://forums.truecrypt.org/viewtopic.php?t=14585&postdays=0&postorder=asc)
" }-


I'm going to revise what I said in light of my response to SundariDevi. TCHunt in fact cannot prove that a file is a TrueCrypt volume. But here on planet Earth, when you have a 1GB file that's a multiple of 512 bytes with no header and is completely random, you don't have to be a rocket surgeon to figure it out. I guess it depends on what your standard of proof is. If I found this file and the owner of the drive couldn't explain it, I would assume it was a TC volume, even without a copy of TrueCrypt.

Unless someone can find ANY program that can duplicate this. ???

Edit: People always say that if a TrueCrypt volume cannot be differentiated from random data, then it can't be proven to be a TrueCrypt volume. This is entirely the wrong way to look at it. There is only one thing that matters. Can another non-cryptographic program duplicate this pattern beyond anyone's capability to prove otherwise? If the answer is no then you have effectively proven it is a TrueCrypt volume. This may not be entirely true in an ideal world, but that's probably the reality. So, TCHunt, while doing nothing really innovative is making it easier to locate volumes that could be TrueCrypt volumes. So, it's not a fraud in that sense, although I could probably do the same thing by using Windows built in search function (looking for large files). I don't particularly care about TC volumes that are 19KB.

If you're using Windows, I think it's a complete waste of time to try to "hide" the fact that Truecrypt (the program itself) is on your computer. If you have confidential information - put it in another volume or another drive other than what you use for your primary TC partition/volume which you use for everyday Truecrypt protection of personal information (to prevent ID Theft, etc.). Hiding Truecrypt completely is nearly impossible on Windows and triggers more questions than if it were on the system for purposes as described above. To me, this is basic. Truecrypt developers have stressed that they never developed TC for the program itself to be hidden.

-{ Quote: "If you're using Windows, I think it's a complete waste of time to try to "hide" the fact that Truecrypt (the program itself) is on your computer. If you have confidential information - put it in another volume or another drive other than what you use for your primary TC partition/volume which you use for everyday Truecrypt protection of personal information (to prevent ID Theft, etc.). Hiding Truecrypt completely is nearly impossible on Windows and triggers more questions than if it were on the system for purposes as described above. To me, this is basic. Truecrypt developers have stressed that they never developed TC for the program itself to be hidden." }-

I don't know how to respond to this except by getting into a whole world of technical mumbo jumbo that I'm not prepared to spend weeks writing about.

Suffice it to say, I think it's possible to entirely hide the presence of TrueCrypt beyond the capability of anyone to detect. It requires some outside the box thinking. It doesn't really matter what the developers designed it to do. It only matters what you can do with it.

For the purposes of this discussion, let's just assume that the existence of the program itself is hidden. Better yet, let's get off this tangent entirely and discuss the true topic of this thread. Namely, I would like to hear from anyone period who has done ANY analysis of TrueCrypt from a security standpoint. This could include looking at the code or any other type of testing. Absolutely anything goes as long as it's not a rehash of the documentation.

I know what you would write and I still think it's impossible with Windows. Why try when Truecrypt has perfectly valid uses? You can put any truly confidential material on a removable disk or something.

As for your OP, I think you know you're not going to get the info here. sci.crypt would be the obvious place if its still active, I haven't visited there in years.

Come to think of it, Justin was going to look at it and report back here, you might drop him a PM.

-{ Quote: "I know what you would write and I still think it's impossible with Windows." }-

::) Enlighten me.


p.s. I highly, highly, highly doubt you know what I would write considering that some of my techniques, to my knowledge, have never been written about.

That's the whole point. There are so many possible approaches that I would be up to my eyeballs in this as soon as the conversation started.

But, yes, feel free to tell me what I would say.

I find yourself arguing with yourself in this thread. The original question was asked with almost a dare. You seem to already know everything you need to know, so is your original question simply disingenuous? I didn't mean anything negative toward you when I said I knew what you would write. I thought it was the same old rehashed stuff from the TC forums. I've read it all. You seem to have a chip on your shoulder and daring somebody to knock it off and I'm not sure why. It's really not that big a deal. Any other thoughts on this should be PM, unless it's for the purposes of your original question, which I think you probably already know will not get an acceptable response.

-{ Quote: "You seem to have a chip on your shoulder and daring somebody to knock it off ." }-

Good call. I really do.

The purpose of the thread is to challenge the way I view TrueCrypt. I do my best to study the currently available data and do some of my own independent analysis, but I don't really know if I'm right. I answer people's questions based on my analysis, but it never really goes further than that. I feel like at least I'm trying.

I just get the impression that very few people would even know if something was obviously wrong with TrueCrypt or if wasn't performing to spec. I guess I'm trying to figure out how paranoid I should be.

Edit: Please link to those threads on the TC forums if this is a re-hash. Let me just warn you that I might be in those threads as well. I don't use the same name. I didn't post this thread on the TC forums because all threads there show up according to the date posted. So, even if it's active, it still falls off the face of the Earth. Also, I didn't want to risk it being deleted.

-{ Quote: "Good call. I really do.

The purpose of the thread is to challenge the way I view TrueCrypt. I do my best to study the currently available data and do some of my own independent analysis, but I don't really know if I'm right. I answer people's questions based on my analysis, but it never really goes further than that. I feel like at least I'm trying.

I just get the impression that very few people would even know if something was obviously wrong with TrueCrypt or if wasn't performing to spec. I guess I'm trying to figure out how paranoid I should be.

Edit: Please link to those threads on the TC forums if this is a re-hash. Let me just warn you that I might be in those threads as well. I don't use the same name. I didn't post this thread on the TC forums because all threads there show up according to the date posted. So, even if it's active, it still falls off the face of the Earth. Also, I didn't want to risk it being deleted." }-

I hear you, completely. The TC forums have almost died from the regulars of several years ago; run off by heavy-handed moderation and an arrogant attitude that isn't exactly welcoming.

I don't want to go over there and look up all those old threads and besides, my research fees are probably too steep for 'ya. (just kidding)

For many years I have been happily using TrueCrypt to protect my personal data, but I don't consider it to be proof against all attacks. I think it's entirely possible that TC could contain a cleverly-hidden built-in weakness that could be exploited by an insider (e.g. a government agency) that has preknowledge of the flaw and sufficient computational power to take advantage of it. Yes, I'm aware that TC is open-source, but this doesn't mean all flaws of this nature would be revealed. It could be something very subtle. For example, an exhaustive brute-force analysis might still be required in order to crack the key, but due to the flaw this might require only 3% of the computational resources that would otherwise be necessary. This would still put the solution far out of reach of most attackers unless they had access to massive resources and knew where to look.

Bottom line: Although TC works beautifully and under most circumstances it appears to provide excellent protection, I would definitely not recommend it (or any other off-the-shelf software) for use against a three-letter agency.

And no, I don't consider myself to be a paranoid person.

-{ Quote: "For many years I have been happily using TrueCrypt to protect my personal data, but I don't consider it to be proof against all attacks. I think it's entirely possible that TC could contain a cleverly-hidden built-in weakness that could be exploited by an insider (e.g. a government agency) that has preknowledge of the flaw and sufficient computational power to take advantage of it. Yes, I'm aware that TC is open-source, but this doesn't mean all flaws of this nature would be revealed. It could be something very subtle. For example, an exhaustive brute-force analysis might still be required in order to crack the key, but due to the flaw this might require only 3% of the computational resources that would otherwise be necessary. This would still put the solution far out of reach of most attackers unless they had access to massive resources and knew where to look.

Bottom line: Although TC works beautifully and under most circumstances it appears to provide excellent protection, I would definitely not recommend it (or any other off-the-shelf software) for use against a three-letter agency.

And no, I don't consider myself to be a paranoid person." }-

I hear you, but if you're talking about TLA's in the USA - you give them wayyy too much credit. Unless you're talking the highest levels of the NSA and the computer is from a terrorist, most TLA's couldn't do squat with TC. Inept is the word that comes to mind for most of these agencies. Don't believe the movies - read the newspaper.

-{ Quote: "TC could contain a cleverly-hidden built-in weakness that could be exploited by an insider (e.g. a government agency) that has preknowledge of the flaw and sufficient computational power to take advantage of it. " }-

I don't know what to say to this either. I suppose anything is possible, but I think it really does a disservice to the developers who have brought us such an excellent product for no cost. I think on their part, they've done everything right, including giving us the full source code. So, I prefer to discuss potential unintentional flaws.

-{ Quote: "I hear you, but if you're talking about TLA's in the USA - you give them wayyy too much credit. Unless you're talking the highest levels of the NSA and the computer is from a terrorist, most TLA's couldn't do squat with TC. Inept is the word that comes to mind for most of these agencies. Don't believe the movies - read the newspaper." }-For purposes of national security these agencies are required to keep their capabilities secret. They are highly funded, well-equipped and well-staffed. Forget the newspaper, read your history.

-{ Quote: "I don't know what to say to this either. I suppose anything is possible, but I think it really does a disservice to the developers who have brought us such an excellent product for no cost. I think on their part, they've done everything right, including giving us the full source code. So, I prefer to discuss potential unintentional flaws." }-There could be unintentional flaws. We know very little about the cryptographic expertise of TrueCrypt's developers. I do give them credit for an excellent product, but there's only so much trust I can put into an unreviewed black box that has been provided to me for free by an anonymous developer.

But we aren't likely to get very far discussing hypothetical situations for which we have no proof, so we might as well move on to specific facts, if we have any.

-{ Quote: "For purposes of national security these agencies are required to keep their capabilities secret. They are highly funded, well-equipped and well-staffed. Forget the newspaper, read your history." }-

History tells me the CIA and FBI have bungled as often as achieved. Just my opinion, but I respect yours.

-{ Quote: "I know what you would write and I still think it's impossible with Windows. Why try when Truecrypt has perfectly valid uses? You can put any truly confidential material on a removable disk or something." }-

Regarding denying the existence of TrueCrypt, while it's not impossible, it is extremely difficult. Unfortunately, the way it should be done and the way most people will do it are entirely different. So, I agree with you in not recommending it.

It's much better to use the hidden OS feature. That way you don't have to worry about OS leaks, which are unfortunately incredibly difficult to control.

Here's an article by Bruce Schneier on the topic:

http://www.schneier.com/paper-truecrypt-dfs.pdf

I still have no idea why he wrote it since it was all public knowledge and extremely obvious many years before he wrote it. Even on the TrueCrypt forums, all of this was already openly discussed (probably every single topic he mentions and more). The fact that these topics were never deleted from the TC forums really says something. Nonetheless, here it is in consise pdf format. Keep in mind this was an old version of TC, and many improvements have been made since this was written. Of note, the hidden OS feature was added after this was written.

-{ Quote: "

Bottom line: Although TC works beautifully and under most circumstances it appears to provide excellent protection, I would definitely not recommend it (or any other off-the-shelf software) for use against a three-letter agency.

" }-

What would you recommend?

-{ Quote: "There are ways to do what you want, but you haven't provided enough information on your setup. The trick is, as you said, not to have any copy of TrueCrypt for anyone to find. /snip/
Provide more detail if you want to and if you don't mind those details becoming public knowledge." }-

I don't have any specific application in mind, other than a hypothetical, if I had files I didn't want somebody to find if they seized my computer, how would I do it. Last time I installed TrueCrypt on my laptop I had the program on the computer and the volume on a flash drive. But I was thinking, then if somebody was looking for something they would be looking for a TrueCrypt volume. So I thought is would be better to hide the existence of TrueCrypt.

I like the suggestion that you install TrueCrypt, make a TC volume on the hard disk to show that there is one, and put any "special" data on an external drive. If the "special" data is not too large you could also store it on an FTP server and get it when you need it and wipe it when you're done I guess.

-{ Quote: "What would you recommend?" }-

I think he means you're screwed if you go up against them, regardless of what you use.

If you're concerned about backdoors, then there's nothing better than TrueCrypt (because of the full source code release).

-{ Quote: "I don't have any specific application in mind, other than a hypothetical, if I had files I didn't want somebody to find if they seized my computer, how would I do it. Last time I installed TrueCrypt on my laptop I had the program on the computer and the volume on a flash drive. But I was thinking, then if somebody was looking for something they would be looking for a TrueCrypt volume. So I thought is would be better to hide the existence of TrueCrypt." }-

I'm still not 100% sure what your threat model is. Most of what you say makes it seem like you're protecting against a casual observer. In that case you're talking about much lower standards than hiding something from a competent forensic examiner. But then I re-read what you said, and you used the word "seized", which now makes me think your adversary might be someone with greater skill and authority.

If it's just a casual observer you're concerned about, then you probably don't need to hide the existence of TrueCrypt. And if you do, you probably don't need to worry about every last trace. Your standards don't have to be all that high, and a little sloppiness probably won't hurt.

If it's an adversary who has resources, then you might have to up your game. If you really want to hide the existence of TrueCrypt from a skilled adversary, you've got your work cut out for you. It's not easy at all. Sloppiness could definitely be a problem.

So, you should define your threat model. If you have multiple threats, then you should prepare for the one with the greatest skill.

-{ Quote: "I like the suggestion that you install TrueCrypt, make a TC volume on the hard disk to show that there is one, and put any "special" data on an external drive. If the "special" data is not too large you could also store it on an FTP server and get it when you need it and wipe it when you're done I guess." }-

If you're going to install TC and create a volume, why not just use the hidden volume and/or hidden OS feature. You get no advantage by placing the sensitive data "externally" (unless you're planning to follow LockBox's suggestion and disclose both an outer and hidden volume just so no one will have any doubt ???). If you plan to install TC (and not hide its presence), then you might as well go with a hidden OS. It takes care of all potential leaks from the operating system.

This statement here also makes me think your adversary has some skill and authority. You might want to try the TC forums if you're serious about these questions.

-{ Quote: "I'm still not 100% sure what your threat model is. Most of what you say makes it seem like you're protecting against a casual observer. In that case you're talking about much lower standards than hiding something from a competent forensic examiner. But then I re-read what you said, and you used the word "seized", which now makes me think your adversary might be someone with greater skill and authority.

If it's just a casual observer you're concerned about, then you probably don't need to hide the existence of TrueCrypt. And if you do, you probably don't need to worry about every last trace. Your standards don't have to be all that high, and a little sloppiness probably won't hurt.

If it's an adversary who has resources, then you might have to up your game. If you really want to hide the existence of TrueCrypt from a skilled adversary, you've got your work cut out for you. It's not easy at all. Sloppiness could definitely be a problem.

So, you should define your threat model. If you have multiple threats, then you should prepare for the one with the greatest skill.



If you're going to install TC and create a volume, why not just use the hidden volume and/or hidden OS feature. You get no advantage by placing the sensitive data "externally" (unless you're planning to follow LockBox's suggestion and disclose both an outer and hidden volume just so no one will have any doubt ???). If you plan to install TC (and not hide its presence), then you might as well go with a hidden OS. It takes care of all potential leaks from the operating system.

This statement here also makes me think your adversary has some skill and authority. You might want to try the TC forums if you're serious about these questions." }-

I don't have anything illegal on my computer, I put truecrypt on my computer to put data I don't necessarily want people to see, somewhere where they can't see it. That's easily done. Otherwise, my interest is primarily academic. If at some point I had to provide a solution to somebody who wanted protection against government level authorities uncovering certain data, I would really tighten up my game, as you say.

I haven't dug that deeply into true crypt, so maybe that is why my strategies sound sloppy. I like obfuscation, so Lockbox's solution along with another external volume that has the real "special data" sounds very interesting. I wouldn't put a note in the hidden volume, I would put some (adult) porn or internet dating photos in there. Anything I might have a reason to hide.

-{ Quote: "If at some point I had to provide a solution to somebody who wanted protection against government level authorities uncovering certain data, I would really tighten up my game, as you say.
" }-

Just to be clear, I wasn't talking about you being sloppy. I meant that if the drive was being examined by any random person (e.g. spouse, boss, etc.), you could afford to be a little sloppy. If your adversary were a trained forensic examiner, then you would have to up your game (when compared to your level of preparation for the former).

I wasn't implying you were doing anything illegal. Also, illegal doesn't necessarily mean wrong. Different countries have wacky definitions of what's legal and what's not. Illegal only means violating the arbitrary laws of some country. It's not my place to judge.

I didn't take it in any bad way!

Thank you for finally saying something that I really wish I'd brought up before on here.

The problem is that NO PRNG produces a perfectly random output, and so it follows, that no two algorithms produce cyphertext with exactly the same entropy. With enough bytes of output from any two algorithms, it will always be possible to distinguish them. The question is just how many bytes are "enough", and I have a bad feeling that the answer may end up coming as a shock to people considering how hundred GB - multi-TB volumes have become commonplace over the last few years. Remember that these algorithms were developed in the days when a few tens of gigabytes was considered a very large volume of data.

I was actually banned from Truecrypt's forums back in '07 after making a topic about this and my emails to the developers remain unanswered to this day. My worries were actually for a different situations (hiding a hidden volume in a non-encrypted partition, using DBAN as a cover - the Mersenne Twister in particular bothered me), but the same issue applies here. Theoretically, in a 2 terabyte colume encrypted with Blowfish, containing a 1 terabyte hidden volume encrypted with blowfish, what would an entropy analysis of the first and second halves yield?

-{ Quote: "
The problem is that NO PRNG produces a perfectly random output" }-

See my signature ;D

-{ Quote: "Thank you for finally saying something that I really wish I'd brought up before on here.

The problem is that NO PRNG produces a perfectly random output, and so it follows, that no two algorithms produce cyphertext with exactly the same entropy. With enough bytes of output from any two algorithms, it will always be possible to distinguish them. The question is just how many bytes are "enough", and I have a bad feeling that the answer may end up coming as a shock to people considering how hundred GB - multi-TB volumes have become commonplace over the last few years. Remember that these algorithms were developed in the days when a few tens of gigabytes was considered a very large volume of data.

I was actually banned from Truecrypt's forums back in '07 after making a topic about this and my emails to the developers remain unanswered to this day. My worries were actually for a different situations (hiding a hidden volume in a non-encrypted partition, using DBAN as a cover - the Mersenne Twister in particular bothered me), but the same issue applies here. Theoretically, in a 2 terabyte colume encrypted with Blowfish, containing a 1 terabyte hidden volume encrypted with blowfish, what would an entropy analysis of the first and second halves yield?" }-

My problem with the whole "cryptographically secure" and "statistically random" issue is that there doesn't appear to be any proof. It requires testing to prove it. But my real problem with it is that not many people understand that and simply view it as magic. But, to be honest, if you can prove a hidden volume exists using this method, then you've found a way to detect the ciphertext of one of the ciphers. So, you can detect the ciphertext of that particular cipher no matter where it may be. Thankfully, that doesn't seem to be very likely to happen any time soon.

From my understanding, there are some mitigating factors. The first is that I don't believe any of the well-known ciphers have ever had problems with statistical testing (correct me if I'm wrong), not even old ones like DES. The second is that the plaintext itself is a big factor in the ciphertext you obtain. If detecting one of these ciphers alone is so difficult (if not impossible), then how much more difficult is it if you cascade ciphers. If you take the ciphertext from AES then use that as the plaintext for Twofish, you've likely reached the point where it's not humanly possible to find any statistical anomaly. For all the talk about reasons to use or not to use cascades, this is actually my favorite reason (and one that I've never seen discussed).

The third mitigating factor is that you can always create a hidden volume with the exact same algorithms as the outer volume. Even if you can prove that the ciphertext was created by a certain cipher, you can't prove that there's a hidden volume. The headers themselves would likely be too small to interfere with this.

Of course, even if TrueCrypt's output is perfectly random but you find a problem with the output of wiping programs like DBAN (specifically ISAAC), then it doesn't really matter much if TrueCrypt is perfectly random. If you can't find any other program that can do what TrueCrypt does, then you have a problem. And this problem would clearly be caused not by TrueCrypt but by the lack of other good programs that can produce cryptographically secure data.

It's good to see someone else interested in this. I personally try to choose my words carefully when talking about this because TrueCrypt is still my favorite. I don't want it to seem like I'm criticizing them rather than trying to improve my understanding. I believe I was probably the first person to ever talk about this stuff on the TrueCrypt forums, but I always went out of my way to show that I wasn't criticizing them. They are a little jumpy about comments that might seem like excessive criticism.

-{ Quote: "
http://www.random.org/analysis/dilbert.jpg " }-

:)

I have a friend who got his computer seized in a police raid. He used two hard drives, one as a Windows partition (unencrypted), and the other one as TC partition. During the investigation they asked him about the second drive, the Police asked:
-"... the whole drive contains random bytes, is this an encrypted partition?"
My friend replied:
"No, this is a new drive that I recently installed, I have not formatted it yet".

They could not prove that it was an encrypted partition.

However he did use some easy tricks when he installed the Truecrypt software on the Windows partition, he first renamed the truecrypt software & driver files to something completely different, and if I remember correctly; he re-compiled them, and of course he did not installed them to a Program folder called "Truecrypt". This was enough, in this case.

-{ Quote: "
"No, this is a new drive that I recently installed, I have not formatted it yet".
" }-

It's good to know that worked, but new drives don't look like that, at least none that I've ever seen. I wish they did. New drives are either zeroed or have another repeating character (other than zero).

I've always suspected that you don't have to be absolutely perfect in these situations, but it's always best to strive for it.

If you bought the drive from someone else, it is reasonable to think that the seller erased the drive before he sold it. If the HDD was new, that is another story.

Here's an interesting article on the topic. It's actually a thesis paper.

http://lantana.tenet.res.in/website_files/thesis/MS/sreenivasuluNR_thesis.pdf

Hypothetically speaking...

Why not hide in plain sight? I actually made a thread about this that didnt get answered, but this seems an appropriate discussion.

Setup: 2 (or more, doesnt matter) partitions. One standard Windows with TC installed in plain view. Create a container (call it whatever you want) and put financial stuff, pr0n, whatever into it. Encrypt the second partition fully with no hidden container. Put sensitive data in that.

Now, should the computer be seized, simply unencrypt your container, let them see your checking statements, etc. If asked about the partition, simply say you are thinking of dual booting Linux, and you wiped that partition in anticipation of using it for Linux. Of course in this case you should have a copy of DBAN and a few Linux live CD's laying around for supporting evidence.

Now, the OP brings up an interesting topic here. Should said PC get to the higher level of 3 lettered agency, they could say the random pattern on said partition doesnt match output from, say, DBAN. Therein would lie the problem.

I am confused about something concerning decrypting hard drives. I saw Michael Chertoff on TV once talking about seizing laptops at the border. He nonchalantly stated that if the laptop was encrypted and they refused to open it, they would take the laptop and decrypt it. He said this with such a casual, matter of fact tone of voice that I assumed that they can do this with no problem. He sure seemed to think so anyway.

But then someone here posted a story about some guy who was accused of having child porn on his laptop at an airport. He was ordered to decrypt it but refused. The last I heard this they were going back and forth about this in court. So what confuses me is, if they can decrypt a laptop, why didn't they decrypt the child porn guy's laptop? Or do they save that technique for terrorists only?

I have been thinking about this discussion a little. Someone mentioned hiding the fact that truecrypt was used. What if you never installed truecrpt on the computer?.....using it from a USB stick only. Then activate Returnil, connect your USB stick, create your folder, move it, restart your computer and then put the truecrypt folder in a photo album with a bunch of pictures for storage. And give it a .jpg or .gif ext. Maybe put it in a folder with a bunch of random animated gifs, and videos, walpapers, audio boooks, and music etc... If you only opened it with Returnil activated, would there be any trace that truecrpt was used? Just a thought.

You could also create a free mediafire acct. and upload it for storage. If you created a Mediafire acct using a good VPN like xerobank, and never login or download from it unless you're connected, wouldn't that be pretty secure. Or even a special email acct. One that will never be used for anything else. If your TrueCrypt file is too large for the email acct., you could split it with winrar or hjsplit. I use both of those programs for movies and they work great!

Oh....another thought. Say you split the files..., you could temporarily rename them. If they are not named properly, they will not join. You could make them appear to be unassociated.

So how did I do? Was that clever? Or are those old ideas that have been tossed aside ages ago?

I just had another interesting thought. A keylogger would be a big problem. Maybe you have one on there and you can't detect it. Or maybe you suspect that one might be there. If Returnil is activated, and you disconnect your internet before you use TrueCrypt, then anything that the keylogger records would be lost whenever you reboot....so nothing would be transmitted because you are not connected to the internet.:argh:

-{ Quote: "Here's a question that I never see brought up. For those experienced users who use TrueCrypt hidden volumes, how do you know that the hidden volume is in fact indistinguishable from the rest of the outer volume? I'm asking this especially for the case where different types of encryption are used for the hidden and outer volume. Different algorithms could theoretically yield minor differences.

I'm asking for a line of reasoning or a testing procedure that would indicate to you that all hidden volumes are indistinguishable from all outer volumes. If it's a testing procedure, I'd like to know if you've actually tried it or know of someone who has.

I've done experimentation in the past, and I do believe that TrueCrypt's claims are in fact correct. But I'm wondering if anyone else actually questions those claims or whether people just basically believe whatever's in the documentation. I've done some Google searches and come up with very little (except for some stuff I've written in the distant past and very few other tidbits here and there).

Thanks

Edit: I'm asking this question to see if my line of reasoning is similar to other people, and I'm curious about how many people that use TrueCrypt hidden volumes actually ask these types of questions. My reasoning is that the more people that ask these questions, the better off we all are.

But, sadly, I'm beginning to feel that the developers basically do everything, including the testing. And we're all just sheep. All these thousands of people that review the source code seem like a myth because most of the people I've talked to know very little outside of what's in the documentation." }-



This topic breaks up a good question:

Can you ever be legally forced to un-encrypt your encrypted data? (E.g Search warrant? Subpoena? Probable cause?)

I mean, is it rare or common for the authorities to force someone to un-encrypt their data? I tried to google cases but it seemed like this was more of a rare tactic used by authorities...

And if so, what is the maximum penalty for not un-encrypting your data? (E.g. obstruction of justice?)

-{ Quote: "
And if so, what is the maximum penalty for not un-encrypting your data? (E.g. obstruction of justice?)" }-
Five years of prison if you live in the UK. I expect other countries to follow this practice sooner or later.

In the United States, all courts (with one exception, but reversal is widely expected) have ruled that LE or any prosecuting agency cannot force anyone to reveal a password that may incriminate them in any way (a violation of the Fifth Amendment to the Constitution). One day, though it may be many years, this will surely end up in the Supreme Court.

For those of you from outside the USA, the Fifth Amendment reads (with relevant portion bolded):

"No person shall be held to answer for a capital, or otherwise infamous crime, unless on presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."
http://finduslaw.com/us_constitution_5th_and_14th_amendments#1