Thread for TrueCrypt alternatives [FOSS preferred]

Discussion in 'privacy technology' started by Morthawt, May 29, 2014.

Thread Status:
Not open for further replies.
  1. Morthawt

    Morthawt Registered Member

    Joined:
    Jul 10, 2008
    Posts:
    79
    Location:
    UK
    Here is the benchmark on my system for DiskCryptor:
    https://i.imgur.com/L2ZyjZV.png

    Serpent is the most secure algorithm, but it is not the fastest. However in all the time I have used it on Truecrypt I have never felt any negative impact on my drive's speed.
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Perfect. I wasn't going to use it anyway :p

    "Never been broken" could also mean "never been tested enough". You never know. It's best to use the most known and well-tested ciphers.

    I'm not quite sure what they meant with "single on-track erasure". Is it a single pass of zeroes or a single pass of random numbers? I'm leaning towards the last option.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    If you really don't notice any negative impacts, then why not use it? It's probably going to keep your data secure for a longer period of time than AES and Twofish :)
     
  4. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    They mean either, if you could overwrite with the heads slightly misaligned left and right of centre in addition, you could theoretically reduce slightly off-track traces, however, they have shown that the fact you can't doesn't amount to enough leakage to be useful for data recovery.
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Sorry I posted the wrong content. Disregard my last quote.

    I always use the following command to erase my drives. I'm not sure I have my Host-protected-area enabled, but I'll research if the following command erases it, though I highly doubt it.

    Code:
    # dd if=/dev/zero of=/dev/sda bs=4096
     
  6. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    It wouldn't if you have one enabled but hdparm can be used to determine or change that, and also to use the ATA secure erase or enhanced secure erase function(s) (which tend to be faster than dd) should you wish to use either of those in preference and the drive supports them.
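
Added example, not part of the original posts: a shell sketch that interprets `hdparm -N` and `hdparm -I` output to tell how many sectors a plain `dd` over the device would miss because of a Host Protected Area, and whether the drive reports ATA secure erase or enhanced secure erase. The function names and the sample output are constructed for illustration, and the output layout is assumed to match what common hdparm builds print.

```shell
#!/usr/bin/env bash
# Added example: the sample hdparm output below is constructed, not captured.

# stdin: output of `hdparm -N /dev/sdX`
# prints: number of sectors hidden behind a Host Protected Area (0 = none)
hpa_hidden_sectors() {
    awk -F'[=/,]' '
        /max sectors/ {
            gsub(/ /, "", $2); gsub(/ /, "", $3)  # visible / native sector counts
            print $3 - $2; found = 1
        }
        END { if (!found) exit 2 }'               # unexpected output format
}

# stdin: output of `hdparm -I /dev/sdX`
# prints: "<none|secure|enhanced> <frozen|not-frozen>"
erase_support() {
    awk '
        /^Security:/          { insec = 1; next }
        insec && /^[^ \t]/    { insec = 0 }       # next top-level section
        insec {
            neg = ($1 == "not")
            if (NF <= 2 && $NF == "supported")  sup    = !neg
            if (/supported: enhanced erase/)    enh    = !neg
            if ($NF == "frozen")                frozen = !neg
        }
        END {
            if (!sup)      mode = "none"
            else if (enh)  mode = "enhanced"
            else           mode = "secure"
            print mode, (frozen ? "frozen" : "not-frozen")
        }'
}

# Constructed sample: a drive with 2113 sectors hidden by an HPA.
sample_hdparm_N() {
    printf '\n/dev/sda:\n'
    printf ' max sectors   = 586070255/586072368, HPA is enabled\n'
}

# Constructed sample: security section of an identify dump.
sample_hdparm_I() {
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    printf '\tnot\tenabled\n'
    printf '\tnot\tlocked\n'
    printf '\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

# With a device argument, query the real drive (needs root); otherwise
# run against the constructed samples so the script works offline.
if [ -n "${1:-}" ]; then
    hidden=$(hdparm -N "$1" | hpa_hidden_sectors)
    support=$(hdparm -I "$1" | erase_support)
else
    hidden=$(sample_hdparm_N | hpa_hidden_sectors)
    support=$(sample_hdparm_I | erase_support)
fi
echo "sectors a dd over the device would not reach: $hidden"
echo "ATA erase support: $support"
```

A non-zero first figure means a zero-fill of the visible device leaves that many sectors untouched; a "frozen" state means the drive will refuse the erase command until it is unfrozen.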
     
  7. Haggishunter

    Haggishunter Guest

    O.k. here an "alternative" to TC. It is called "VeraCrypt" https://veracrypt.codeplex.com/ , is freeware and comes from a Monsieur Mounir Idrassi :cool:. His company is called Idrix and located in Paris. You can even look up the building on Google Maps :argh: . "VeraCrypt" seems to be around for some years. I use BestCrypt :thumb:, so DO NOT TELL ME that I recommended "VeraCrypt" WHEN IT HITS THE FAN AGAIN :eek:. Just an idea for you out there. I did not google him. I DO NOT know this gent.
     
  8. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
    @Haggishunter
    Previously mentioned, as early as post #8 on this thread

    There doesn't seem much enthusiasm for it:
    Either the warning about Truecrypt's security on the TC site is valid.. in which case this is so similar it's valid for this too.

    Or that warning is meaningless, and this is so similar there's no point changing to it, might as well stick with TC.
     
    Last edited: Jun 5, 2014
  9. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    175
    Location:
    io
    Yup spotted that thanks but bestcrypt does not seem to support a hidden os feature like tc or dc does.

    Perhaps one can use Diskcryptor and bestcrypt in combination so you could have the best of both worlds ie FDE with dc and hidden containers with bc.
     
  10. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    175
    Location:
    io
    By the way, does anyone know of a separate program which does the same feature as SecureStar's DriveCrypt does? It's a "password-protected screen saver": you can press, say, F12 and it instantly activates a screensaver with a password option.

    Hmm guess no difference from a regular screensaver with password, I clearly never use screensavers lol ?
     
  11. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Exactly what I was saying. :)
    Which is why I never understand all these people who use unknown or antiquated (and many times deprecated) products and standards, and then when challenged on it go "but xyz has never been broken!!!"

    Yes, I'm aware that there is no known practical attack on Blowfish. That doesn't mean you should be using it. And it certainly doesn't mean it's "safer" or "better" or somehow "more secure" than something like the AES finalists. Even Bruce Schneier (the guy who designed it) said he's surprised anyone still uses Blowfish and recommends they go to Twofish.


    FWIW,
    HTG Explains: Why You Only Have to Wipe a Disk Once to Erase It
    http://www.howtogeek.com/115573/htg-explains-why-you-only-have-to-wipe-a-disk-once-to-erase-it/
     
  12. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Actually Schneier recommends using Rijndael (AES).
     
  13. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    I used DriveCrypt and loved the functionality of that screensaver. Never found another like it. Later I did find that various freeware that would automatically turn off my system after a specified time of inactivity -- and with a fast booting system that's pretty close in functionality. Also have used 'hibernate' to achieve a similar result but of course that approach carries the hibernate file in Windows that could turn minor mistakes into major mistakes...
     
  14. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Oh yeah, in general yes. (I suppose just because AES has the widest use and therefore the most real-world testing/experience.) I suppose there's also an advantage there because as the standard, a lot of hardware and systems are designed/optimized for use with it.

    But in the interview where he specifically said he's amazed people still use Blowfish, he specifically said that if people ask, he recommends Twofish instead (I guess meaning for people who are specifically looking for something other than AES, which is why they would have gone with Blowfish I assume.)
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Interesting how people keep bringing up the age of Blowfish, 21 years old, when AES is 13 years old, the same as XP.
    Regarding Schneier's recommendation of AES, his statement:
    His opinion of AES
    It's also interesting that AES supports fewer block sizes and key lengths than Rijndael. Rijndael wasn't demonstrated to be any stronger than Blowfish or Twofish. On a lot of platforms, it was faster. Keep in mind that these are platforms from 2001 and earlier.
     
  16. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Who brought up its age? Regarding Blowfish specifically, the most I did was call it "deprecated."

    He said that when Rijndael was selected as AES, almost 14 years ago.

    That's because AES specifically called for a 128-bit block size and keys of 128, 192 and 256 bits.

    But as I said in the last post, the advantage of being the standard is that hardware and systems get designed with it in mind, offering the ability to optimize performance. Like with the AES instruction set, for example. I haven't looked for any benchmarks, but I noticed a mention that after Rijndael was selected as the standard, Twofish became even slower (I assume in relative terms, but maybe in real terms too) on CPUs that support the instruction set.

    FWIW, David Wagner, another designer on the Twofish team also recommends AES for the same reasons I mentioned in the last post.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For me, it comes down to one simple fact. The NSA had their hands in the selection process. Schneier and others expressed their concerns that the structure of AES opens it up to a whole class of algebraic attacks. Given what we now know about their encryption weakening activities, can we really trust what they recommend? Given that AES was not demonstrated to be any more secure than Blowfish or Twofish, I consider NSA involvement a negative factor in the choice. It also stands to reason that an agency that wants to defeat encryption will focus their efforts on the one that's used the most, the standard that they helped to select. AFAIC, using their recommendations is the equivalent of fighting on their terms.

    IMO, speed and performance are very minor criteria for encryption. How often does one need fast performance with encrypted partitions or containers? I've used Blowfish encrypted partitions on external hard drives with no issues at all. The encrypted partition felt the same as the unencrypted partitions, even on very old hardware. Once the partition or container is mounted, the difference isn't that much.
     
  18. Nixx

    Nixx Registered Member

    Joined:
    Jun 7, 2014
    Posts:
    3
    I've decided that DiskCryptor is what I am going to put my faith in from now on. It's not cross platform, but it will be my primary encryption software on my Windows machines. I'll keep using LUKS/Dmcrypt on my Linux servers.

    I'm planning on compiling my own version of DiskCryptor for personal use. The compilation process seems updated and streamlined, which is nice.

    I looked into Symantec PGP, however they state in their latest version that their encryption might be regulated by US export policy. I didn't want to take the chance at using a neutered piece of software. Symantec PGP also costs $110 a year.

    I think DiskCryptor is a solid choice.
     
    Last edited: Jun 7, 2014
  19. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    @noone_particular
    Yeah I've heard that one before too. There's a few problems with it though...

    1) Being the standard, AES is used to encrypt government documents up to the highest level. The idea that they could have two strings of AES, one that is secure and one that isn't, and ensure that every single government employee in every department at every level uses the "special version" 100% of the time, is pretty far fetched, just as a practical matter.

    But more importantly than that,

    2) We're talking about a national standard cipher. This isn't some specific tool that the government is recommending everyone use, it's just an algorithm. You can't hide a security flaw in an algorithm that is the national standard of the most powerful country in the world and with a population of 300 million. Certainly not for 15 years. You might as well say the moon landing was faked. (Actually I would argue even that is more likely than the cipher being insecure.)

    And you see evidence of this time and again...the government is constantly foiled by encryption every day. And you see their methods for getting at the information...it's all about getting around the encryption. Swiping keys, grabbing the data when it's not encrypted, weakening the implementation of the encryption, etc. All sorts of side channel attacks that have nothing to do with actually cracking any codes. If they had a way in, you wouldn't see the hundreds of millions (and assuredly billions of dollars over the last 15 years...and not to mention the hundreds of thousands of man hours) wasted in devising methods, technologies, and tactics for getting around encryption.

    Just look through the TAO catalog. Pretty much that whole thing wouldn't exist if they had a way to decrypt AES.

    The cipher itself is not the weak point. It's going to be the random number generator, or the device itself, or the person trying to hide something, or any one of scores of things along the chain.

    But to speak specifically to the concerns you mentioned that experts raised, as he said in that quote, his criticisms are basically academic, not practical. For example, one of Schneier, et al's problem with AES was the key schedule, mostly for the 256-bit version, which he referred to as "pretty lousy." But related-key attacks aren't a threat to the kind of encryption we're talking about. They require access to plaintexts encrypted with multiple keys that are related in a specific way. You don't really see this happening in protocols where AES is used, and resistance to this kind of attack was not even a design criterion for the AES competition.

    And actually in those quotes you mentioned, he said a few other things that you left out, which I think are relevant here...

    Regarding "makes us uneasy", he and Ferguson did say it was an "extremely unfair" criticism of AES, as they don't have an attack on it, and every cipher could be attacked in the future.

    As for the AES process:

    https://www.schneier.com/crypto-gram-0010.html#8
     
  20. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    @blainefry

    Thanks for the information and your solid logic.

    Still, I wonder whether things might have changed. Most significantly we now live in the post-Snowden era. We, and more importantly, cryptologists and security experts, know that NSA had their fingers in the AES selection; in the RNG standards, etc., and at least in some cases have mucked up or tried to muck up cryptography strength. It seems logical that cryptologists and security experts would now be subjecting all of the cryptology algorithms to new and more stringent analysis in view of what we have learned.

    Second, even before the Snowden revelations, the experts had discovered some unexpected weaknesses in AES. See Bruce Schneier's article, "New Attack on AES" (https://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html) where he wrote:

    "This is what I wrote about AES in 2009. I still agree with my advice:

    Cryptography is all about safety margins. If you can break n round of a cipher, you design it with 2n or 3n rounds. What we're learning is that the safety margin of AES is much less than previously believed. And while there is no reason to scrap AES in favor of another algorithm, NIST should increase the number of rounds of all three AES variants. At this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds. Or maybe even more; we don't want to be revising the standard again and again.

    And for new applications I suggest that people don't use AES-256. AES-128 provides more than enough security margin for the foreseeable future. But if you're already using AES-256, there's no reason to change.

    The advice about AES-256 was because of a 2009 attack, not this result."​

    In view of such concerns, coupled with NSA knowledge not available to the public, it wouldn't be surprising if we find out at some time in the future that govt security in fact has used a higher level of security at least for the past several years -- call it AES-II, or some such for lack of better terminology.

    Obviously, I don't know, and have no way of knowing, or of finding out. But in light of Snowden revelations and actual concerns and recommendations that AES should be modified, it seems reasonable if not likely, that high security govt standards could have been quietly changed to adapt to the times.

    Regards.

     
  21. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    @S.B.
    Yes I'm familiar with that one, but for one thing, it wasn't really "unexpected" as you said. Schneier and the Twofish team were calling for more rounds in Rijndael even before it was selected as the standard. No one made any claims of Rijndael being without security qualms. The process was very open, and even NIST itself stated multiple times that the cipher had an "adequate" security margin (as opposed to the "high" security margin of Serpent and Twofish (and MARS, for that matter).)

    And of course, as always, the authors explicitly state their attacks "do not threaten the practical use of AES in any way."

    While I'll admit Rijndael was seemingly chosen with more weight on performance as opposed to security, I don't think that would even qualify as circumstantial evidence that it's vulnerable even today, 15 years later. And it certainly doesn't suggest that it is somehow secretly or purposefully flawed, and somehow the entire world security/crypto community has missed it for a decade and a half. (And not for a lack of trying. Find me an algorithm that has had more eyes on it and received more scrutiny than the Advanced Encryption Standard...and for anywhere near that long.)

    And since we're on Schneier, let's not forget he explicitly said he does not think they can break it (let alone that it was their fatally flawed dark horse candidate all along), even as late as 2 years ago. "That is, they don't have a cryptanalytic attack against the AES algorithm that allows them to recover a key from known or chosen ciphertext with a reasonable time and memory complexity."

    https://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html

    Granted that was B.S. (before Snowden), but I don't really doubt he'd say the same thing, even if with a bit more reservation. Again, math is math. And the NSA is not magic. "Having a hand" in the open selection process (again whatever that means) does not mean that they can somehow weaken a publicly audited algorithm or get an insecure cipher selected and used as the national standard (for the United States, no less) for 15 years without anyone ever figuring it out. Again this is not some tool or piece of software, it's just an algorithm. Any weakness is going to be in the implementation. (And as I was saying, this is exactly what we see...when the NSA gets past encryption, it's by getting around it...often times by futzing with its implementation, and most often, just swiping the key.)

    If there was a fatal flaw in Rijndael, it would have been found a long time ago. (I doubt it would have even made the final round of the competition.) You just can't hide a flaw like that in an algorithm.

    To anyone who keeps insisting "NIST is a quasi-govt organization, and the NSA was 'involved' in the AES selection process, therefore there is reason to be concerned about the security of the AES algorithm," I say: "Okay, explain to me exactly how that could work."

    I have yet to hear anyone even attempt to offer a proposal for how govt involvement in the selection process could result in Rijndael being insecure. I'm honestly interested in an explanation because I honestly don't see a way it would work, or why they would even bother. To be frank, I think people just say "govt involvement! ergo, it must be compromised," without even considering if it can be compromised like they're talking about.

    I just can't write that story in a way that makes any sense.
     
  22. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I used to have Truecrypt. Now I use BitLocker.:thumb:
     
  23. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    "The NSA had a hand in Rijndael." This is so ridiculous. They also "had a hand" in all the other finalists in that they evaluated them all and gave their approval - not just for Rijndael, but for the other ciphers as well. If you're selecting a standard to be used by the government for confidential information, who is going to evaluate them? The NSA has the best Cryptanalysts in the world and would of course be the ones to determine if the finalists are solid. You wouldn't have the Department of Urban Development look at it - you would have the NSA. Remembering all of that 14-15 years ago, the selection process was widely praised and every finalist felt that their cipher had been given a fair shot.

    14 years is old? Not quite. For example, Gost was introduced in 1974 as the Soviet standard. After the fall of the USSR, the Russian government accepted it as the standard. Academic attacks aside, has anyone cracked the standard Gost with its strong S-box functions? No. It's forty years old.

    Bruce Schneier still recommends AES. Remember what academic attacks are: in theory, on paper, with X power, over X time, with X doing this while Y does that. We can put a man on Mars using academic theory we have today. At least on paper - and that's the key (no pun intended). But try putting a man on Mars just using all of that theoretical goodness. Having attacks and grand schemes on paper and it actually working and falling into place is so far from reality that it's negligible. No, it's not even measurable.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Did you miss the release and the news regarding the NSA spying on our own congress? Why would you think that they wouldn't want access to everything our own government officials have? Try looking at their pattern of behavior to date. They have no qualms with weakening standards and compromising equipment, even when it can result in harm to our own interests. Why would you expect AES to be an exception?

    We're just going to have to agree to disagree on this one.
     
  25. Nixx

    Nixx Registered Member

    Joined:
    Jun 7, 2014
    Posts:
    3
    @noone_particular
    But are they cracking the encryption or just eavesdropping through bugged phones or laptops?
    Installing government approved spyware on government phones and laptops isn't exactly anything new. That would give them access even if the encryption is sound.

    Personally I use Twofish on storage media and AES on System media where I need the speed.
     