Solution to TrueCrypt Threat!!!

Discussion in 'privacy technology' started by truthseeker, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    As you may all have been reading, there are videos and chats about how someone can gain your TC password by accessing your RAM, even if you turn your PC off.

    http://news.cnet.com/8301-1009_3-10003167-83.html?tag=bl

    Well I have an easy solution.

    Simply add a keyfile to your TC encrypted HDD, partition or container and place the keyfile on a USB stick. Then whenever you leave your PC or laptop unattended take the USB stick and put it in your pocket. Carry it with you wherever you go and do not leave it in your PC or laptop.

    So if a person gains your TC password by freezing your RAM or by accessing it when it's in hibernation mode etc, then that password is useless to them because they would still need your keyfile as well to decrypt your partition, HDD or container. But seeing you have the keyfile in your pocket, they cannot decrypt anything.

    Hope this is helpful.
     
  2. Overwriter

    Overwriter Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    35
    Hi truthseeker

    Sorry, but it doesn’t work like that.

    The key obtained from RAM is the decryption key. The keyfile and password you are talking about are only used to encrypt / decrypt the decryption key.
     
  3. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    There are some videos and chats that say that your password is in ram for up to 1 hour after your computer is powered down.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Let me ask for a definition here. How do you define turning off your computer.

    With both my desktops, when I shut them down, the mobo is still powered. But I kill AC to them totally, and it is obvious (I can see them) that the mobo's are off. I doubt in this situation RAM can hold something for as long as an hour. o_O

    Pete
     
  5. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Do you have any solid evidence that your comments are accurate?

    As far as I know the TC password is stored in RAM, but not the separate keyfile. Proof I am wrong?

    Because my keyfile that I use is a very large file on my USB stick, too big to fit in my RAM.
     
    Last edited: Aug 22, 2008
  6. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Turning off your computer happens in two parts. First is shutdown, where the programs quit; then it is power down, where the OS, the HDs and the motherboard shut down. It used to take my computer 4+ minutes to fully turn off; I traced the problem to one of 4 OS updates from the MS update site. The OS file has since been updated/changed and it turns off in less than 1 and 1/2 minutes.
     
    Last edited: Aug 22, 2008
  7. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Not currently possible.

    System Encryption at this time does NOT support Keyfiles. It's passwords only.

    Additionally, they are extracting the Master Key, which is used by TC for all the data en/decryption. If you have the Master Key, the header can theoretically be ignored (which is what you need the password/header for) to access the data area directly.

    Sorry, this is not a solution.
     
  8. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I created a TC container in traveler mode, and unless I have my USB stick in, it won't decrypt it. It is 100% using my TC keyfile, which is a large data file stored on my USB stick. It won't just accept my password; it also needs the keyfile.

    So it is a solution for me, as nobody can decrypt my container without the separate USB keyfile.
     
    Last edited: Aug 23, 2008
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Equally the same here. No matter which units I've been using, after I power down I reach to the wall switch and completely disengage any current/voltage at all. That's my way of relieving the stress of the activity I place on them on a daily basis.

    Don't know if there's any alternate way to break current any better, short of maybe pulling the memory module after switching off the juice.

    I like that idea about the keyfile; however, I use two batch files that completely change the folder which contains the container with the lead TC app and a few other tricks I like to use, like setting them inside Returnil Premium with a password, for a total of 5 different passwords, all time-consuming because they are well scrambled.
     
  10. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yep me too. Without my keyfile that is located on my USB stick which I take with me once I leave my laptop, it's impossible to decrypt my TC container, even if they knew the password.
     
  11. Overwriter

    Overwriter Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    35
    It’s common knowledge.

    You are misunderstanding what the password and keyfile you are using actually do.

    You are wasting your time with such a large keyfile; only its first 1,048,576 bytes (1 MB) are processed.

    I suggest you read the contents of this before posting any further to avoid misleading others here.
     
  12. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Truth,

    The way you had that phrased, I thought you were suggesting using a keyfile with system encryption, not just containers.

    And the best defense against power off attacks is to dismount the drive properly. Set up a hot key for wipe and force dismount.

    The one mistake you're making is you think that a keyfile will make it impossible to get the master key out of RAM; it doesn't.

    TC doesn't save your password in memory. It uses it once and throws it out, UNLESS you have caching enabled. If you have caching enabled, it stores your password in RAM. It also stores either the path to your keyfile or the hash of the keyfile in RAM. I'll assume that you are not using caching.

    So you enter your password, point to your keyfile. TrueCrypt takes the two (or more) pieces of data and creates a hash out of it plus the header salt, then attempts to decrypt the Header. If successful, at this point the Master Key is read from the header, and then the password and keyfile are thrown out as they are no longer needed. TC uses the Master Key to begin en/decryption of the data area. That Master Key now stays in memory until TC wipes it. TC will securely wipe it when the drive is dismounted. Not dismounting the drive and simply hitting the power button is what opens up the vulnerability of the "Frozen RAM" attack. (This is essentially the same as a power off; freezing it just slows down the degradation of data in the RAM.)

    As you can see, the only way to prevent the (cold) ram attack is to always make sure your containers are properly dismounted before shutting the power off. Using key files will provide no protection against this style of attack.
     
  13. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    1. It is not "common knowledge" at all as not everyone agrees with that claim or would know about it.

    2. Are you suggesting that someone can decrypt my TC encrypted container without the needed keyfile, even if it's been properly dismounted and laptop shut down without power for ages?

    3. Maybe it's you who have not fully understood how it works.

    4. Are you suggesting that someone can decrypt my TC container even without knowing the 1,048,576 bytes (1 MB) keyfile data?

    5. According to TC, it says, "WARNING, if you lose your keyfile it will be IMPOSSIBLE to mount the volumes that need the keyfile". So are you claiming the guys at TC are "misleading" the public with that statement and that they are wrong and that you are right?
     
    Last edited: Aug 23, 2008
  14. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    So are you saying that the keyfile data + main password are both stored in RAM?

    Also, I do NOT have "Cache password and keyfile in memory" + "Cache passwords in driver memory" enabled. They are both DISABLED! And I always take the usb keyfile with me. And when I am finished using my Laptop, I use a hotkey combo to "Force dismount ALL, Wipe Cache & Exit".

    But I have a question... When it refers to "Wipe Cache" does that refer to cache on hard drive, or RAM? Does TC store my keyfile or password somewhere on the hard drive?

    And when I use this hotkey combo, does it tell TC to wipe the contents of RAM too?

    Would you suggest I do anything else to protect myself? Is there anything else I should do?

    Thank you KookyMan for your comments.
     
    Last edited: Aug 23, 2008
  15. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    No, what I'm saying is your Master Key is stored in RAM. It has absolutely nothing to do with your password and keyfile. The ONLY thing your password and keyfile decrypts is the volume header, the first 512 bytes (v5.0 and earlier) or the first 128K (v6.0 and later) of the container. Stored within that itty bitty encrypted area is the Master Key. This is what is used to encrypt the rest of the container. That MUST be in RAM 100% of the time, otherwise you'd not be able to access the container.

    Everything you've said so far only protects against accessing the Master Key on the disk, but it is in RAM. If they do the frozen ram attack on you, they aren't after your password. They are after that Master Key. And then yes. once they have that they do not need your password OR your keyfile, since they have no use for the header. They have the Master Key (stored in the header) which gives them direct access to the main container data itself.

    Think of it this way. You have a safe sitting in front of you. There are two steps to entry. You need a combination (your password) to open the door on the left (the header). Then within that safe door on the left is a 20 turn combination (the Master Key). You keep your key very safe, insert it and open the door, and pull out a copy of the 20 turn combination. You close the door and lock it again. The original combination is safe behind the locked door. You only have a copy of it. Now you read from that paper you just made a copy of and spin the combination on the right hand door and open it (the data area of the container).

    I hope you're with me so far.

    Now a thief comes in and knocks you over the head, and renders you unconscious. (Pulls plug on PC) He then picks up the paper and makes his own copy of the combination. Now if he comes back later, he already has the combination, so he doesn't need a copy of your key (password/keyfiles) since he already has a copy of the Master Key.

    And before you ask, if you change your password/keyfiles, all you're doing is changing the key you use to get to the combination. The only way to change the combination itself is to create a new container and transfer all your data to it.

    I don't know any other way to explain it to you.

    Oh, and to answer, it's RAM. Contents of RAM? Entirely, no. Just the Master Key, to my knowledge. There's nothing else you can do. At this time, the frozen RAM attack is generally undefendable; all you can do is keep containers that you are not actively using dismounted. There's no HD cache. You really should read the manual cuz I'm sure all this is covered.

    Just saw that late addition:
    No. We're saying that they are right, and so are we. They are right in so far as, the way the program is designed, when used properly, it IS impossible to mount the container without the keyfile. We (Overwriter and myself) are right in so far as it IS possible to do it if you do NOT properly use the program. IE: Power off/Hard Reboot without dismounting containers, allowing your memory to be directly read after such a reboot; they can access the Master Key directly from memory. This has absolutely nothing to do with passwords and keyfiles.
     
    Last edited: Aug 23, 2008
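    The two-level key hierarchy that KookyMan describes in posts 12 and 15 (password + keyfile + salt derive a header key, the header key unwraps a random master key, and only the master key touches the data area), Overwriter's point that only the first 1,048,576 bytes of a keyfile count, and truthseeker's question about a 5 GB container in 2 GB of RAM can all be seen in a small toy model. The following is an added, constructed example and not TrueCrypt's code: the function names, the HMAC-SHA256 counter-mode stand-in for the real XTS block cipher, the 2000 PBKDF2 iterations, the `TRUE` header marker and the 512-byte sector size are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy model of a TrueCrypt-style key hierarchy (added example, not TrueCrypt code).
# Real volumes use AES/Serpent/Twofish in XTS mode, a 64-byte keyfile pool and far more PBKDF2
# iterations; here HMAC-SHA256 in counter mode stands in for the block cipher.
KEYFILE_LIMIT = 1 << 20   # only the first 1,048,576 bytes of a keyfile are ever processed
SECTOR = 512              # data is encrypted and decrypted one sector at a time
MAGIC = b"TRUE"           # marker that tells a correct header decryption from a wrong one
PBKDF2_ITERS = 2000       # toy iteration count

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def header_key(password: bytes, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Password (+ keyfile) -> header key. Keyfile bytes past KEYFILE_LIMIT are ignored."""
    material = password
    if keyfile is not None:
        material += hashlib.sha256(keyfile[:KEYFILE_LIMIT]).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERS, dklen=32)

def _wrap_header(master: bytes, password: bytes, keyfile: Optional[bytes]) -> bytes:
    """Header = salt || Enc_headerkey(MAGIC || master key)."""
    salt = secrets.token_bytes(64)
    return salt + _xor_stream(header_key(password, keyfile, salt), b"hdr", MAGIC + master)

def create_volume(password: bytes, keyfile: Optional[bytes], plaintext: bytes) -> dict:
    """A random master key encrypts the data area; the header only stores that key, wrapped."""
    master = secrets.token_bytes(32)
    padded = plaintext + b"\0" * (-len(plaintext) % SECTOR)
    data = b"".join(
        _xor_stream(master, b"sec" + (i // SECTOR).to_bytes(8, "big"), padded[i:i + SECTOR])
        for i in range(0, len(padded), SECTOR)
    )
    return {"header": _wrap_header(master, password, keyfile), "data": data}

def mount(volume: dict, password: bytes, keyfile: Optional[bytes]) -> bytearray:
    """Decrypt the header once; the returned master key is what lives in RAM while mounted."""
    salt, body = volume["header"][:64], volume["header"][64:]
    dec = _xor_stream(header_key(password, keyfile, salt), b"hdr", body)
    if dec[:4] != MAGIC:
        raise ValueError("wrong password or keyfile")
    return bytearray(dec[4:])   # password and keyfile are no longer needed from here on

def read_sector(volume: dict, master: bytes, n: int) -> bytes:
    """Data access needs only the master key, and only the requested sector is decrypted,
    which is why a 5 GB container never has to fit into 2 GB of RAM."""
    chunk = volume["data"][n * SECTOR:(n + 1) * SECTOR]
    return _xor_stream(bytes(master), b"sec" + n.to_bytes(8, "big"), chunk)

def dismount(master: bytearray) -> None:
    """Proper dismount: overwrite the in-RAM master key in place."""
    for i in range(len(master)):
        master[i] = 0

def change_credentials(volume: dict, old_pw: bytes, old_kf: Optional[bytes],
                       new_pw: bytes, new_kf: Optional[bytes]) -> None:
    """Changing password/keyfile re-wraps the SAME master key; the data area is untouched."""
    master = mount(volume, old_pw, old_kf)
    volume["header"] = _wrap_header(bytes(master), new_pw, new_kf)
    dismount(master)

def demo() -> dict:
    """Walk through the thread's claims and report each as a boolean/value."""
    pw, kf = b"correct horse", b"K" * KEYFILE_LIMIT
    vol = create_volume(pw, kf, b"secret plans" + b"." * 2000)   # constructed 4-sector volume
    master = mount(vol, pw, kf)
    oversized_kf = kf + b"bytes past 1 MiB change nothing"
    big_keyfile_same = bytes(mount(vol, pw, oversized_kf)) == bytes(master)
    snapshot = bytes(master)            # a copy of the key as it sits in RAM while mounted
    change_credentials(vol, pw, kf, b"new password", None)
    master_after_change = mount(vol, b"new password", None)
    dismount(master)
    return {
        "sector0": read_sector(vol, snapshot, 0)[:12],            # no password or keyfile used
        "big_keyfile_same": big_keyfile_same,
        "master_survives_password_change": bytes(master_after_change) == snapshot,
        "wiped_after_dismount": bytes(master) == bytes(32),
    }

if __name__ == "__main__":
    print(demo())
```

    The `demo()` walk-through shows the three things the thread argues about: the data area decrypts with the master key alone, rotating the password or keyfile only re-wraps that same master key, and the only step in the model that actually removes the key from memory is `dismount()`. The keyfile comparison also shows why padding a keyfile beyond 1 MiB adds nothing, since the extra bytes never reach the derivation.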
  16. Overwriter

    Overwriter Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    35
    It is common knowledge to anyone who has taken the time to read the link I provided you with.

    Yes, if they have the master key. In fact if they have the master key (taken from RAM in this situation) they don't even need to know your password !

    Just because you don't understand something there is no need to be rude to others taking time to help you. I have read through this thread and there have been some good posts here. I suggest you pay particular attention to what KookyMan and I have written. You should be able to see where you are going wrong with this from our posts alone.

    This is just a repeat of your second question.

    truthseeker I suggest you refrain from accusing others of not understanding this subject until you take the time to read the link I sent you and KookyMan’s posts. I appreciate we all have to start somewhere but being plain rude to people helping you is not going to get you very far.

    I suggest you “seek the truth” truthseeker and find out the difference between passwords, keyfiles and master keys. Here is a little something to help you.

    Your password and keyfile are not the master key !!

    Your password and keyfile simply decrypt the master key !!

    Your simplistic “fix” will not work as it is the master key that is in RAM, so please stop misleading other members here !
     
  17. Overwriter

    Overwriter Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    35
    I see you have added these last two little gems since my post.

    To be honest after reading your rant I wish I hadn’t taken the time to try to help you. I suggest you read the link I have provided you with, read KookyMan’s very detailed and simplistic explanation and consider your “solution”.

    Until you have grasped what we have been trying to tell you please do not mislead other people who don’t understand this attack.

    I believe this is a case of a little knowledge is dangerous.
     
  18. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Thanks KM, that made perfect sense, and it helped me to finally understand now. Gotcha :) Cheers.
     
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yes Overwriter, I realise now I had not fully understood this about the master password and keyfile and normal password.

    Thanks, I get it now :) I was wrong, sorry. And it was never my intention to mislead anyone. I initially posted what I did out of good intent and genuinely wanting to help. Sorry to any readers that may have been misled with what I said; I made a mistake.
     
  20. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yes, thank you for your patience and time to explain this to me. I understand now.

    Last question.. something which I am still not 100% certain about. If my laptop was to be shutdown without TC being dismounted, will that be a security risk, even if the laptop has been shut down for over 1 hour?

    Or does TC dismount itself when Windows is shut down, even if a person didn't properly dismount it through TC?

    TC doesn't leave any traces behind on the HDD anyway does it? So once windows shuts down, the container is dismounted anyway?

    I have a 5GB container yet I only have 2 GB RAM. So once it's mounted, where does all the decrypted 5GB of data go? Where is it stored? Or is the whole 5GB container still encrypted on my HDD and only the data that I access on the fly is decrypted into RAM?

    Yes. I have read the manual, but even after reading the manual I do not have 100% perfect understanding of the whole program, so I hope you don't mind clarifying for me. Thanks.
     
  21. Nagib

    Nagib Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    21
    I knew about the frozen RAM attack before. However, there are a few things that I do not understand.

    Let's assume that I do a system shutdown without dismounting the volumes in a proper way. The master key will remain in RAM. For how long? In what time is it theoretically possible to get the master key from RAM?

    Is it really a matter of minutes or a few hours? Or can the master key remain in RAM for a longer time? Or forever?

    Also, what kind of equipment do they need to do a frozen RAM attack? I would like to read about it. Hope somebody can answer my questions.
     
  22. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Nagib, search the forum here; I know it's been discussed, a lot. You will find some good explanations and links.


    Truth, in order:

    Hour? No.

    Yes.

    Right.

    Yes. (last Q.)

    Hope that helps.
     
  23. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yes that helped a lot. I learned a lot today :)
     
  24. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    I guess the best way out is to use some mighty bond!
    and make the memory bar impossible to be separated from my PC.
    If they separate it (without damaging the chips), they lose time, they lose their chance.
    =) Isn't this a simple way?
     
  25. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    We use GhostSecurity Inc.' CryptoSuite even though Jason does not have time to make some convenient features like with TC (tunnel, wrapper, outside container, hidden container)
    :thumb:
     