TrueCrypt hidden volumes, how do you know?

Here's a question that I never see brought up. For those experienced users who use TrueCrypt hidden volumes, how do you know that the hidden volume is in fact indistinguishable from the rest of the outer volume? I'm asking this especially for the case where different types of encryption are used for the hidden and outer volume. Different algorithms could theoretically yield minor differences.

I'm asking for a line of reasoning or a testing procedure that would indicate to you that all hidden volumes are indistinguishable from all outer volumes. If it's a testing procedure, I'd like to know if you've actually tried it or know of someone who has.

I've done experimentation in the past, and I do believe that TrueCrypt's claims are in fact correct. But I'm wondering if anyone else actually questions those claims or whether people just basically believe whatever's in the documentation. I've done some Google searches and come up with very little (except for some stuff I've written in the distant past and very few other tidbits here and there).

Thanks

Edit: I'm asking this question to see if my line of reasoning is similar to other people, and I'm curious about how many people that use TrueCrypt hidden volumes actually ask these types of questions. My reasoning is that the more people that ask these questions, the better off we all are.

But, sadly, I'm beginning to feel that the developers basically do everything, including the testing. And we're all just sheep. All these thousands of people that review the source code seem like a myth because most of the people I've talked to know very little outside of what's in the documentation.

 

I don't use hidden volumes, but I do. Let me explain...

While reading the TC Forums a few months ago I came across posts asking things like, "Hidden volumes are known to law enforcement, etc. so why bother?" The obvious answer on the forum is the plausible deniability. They can't actually prove you use a hidden volume and all they see is in your outer volume. Well, like you, I've wondered just how well these hidden volumes are truly "hidden."

I then came across an excellent post from somebody on the TC forums that said they used the hidden volume feature for one reason - to PROVE they don't use the feature! Something along the lines of how they created a very small hidden volume with one file inside. A text message that said something like "This is a simple text message to prove that I do not use the hidden features of TrueCrypt - except for this disclaimer."

You can only create one hidden container. LEA and rubber hosers of whatever stripe know this as well. BRILLIANT! It seemed so simple, but I now have done the same thing. There were posters who also don't use the feature (but fear somebody will think they do) were writing, "Duh, why didn't I think of that?" I use TC for legitimate security purposes against laptop/identity theft, etc., I don't use the hidden volume feature and I want to be able to prove that if at anytime that were to be necessary. Call it "absolute deniability" that, one never knows, may save me a lot of grief and suspicion someday.

 

I agree it's a nice solution for those that don't want to use hidden volumes. But if those hidden volumes weren't really hidden, you wouldn't even need to do that. Hence my question.

My question is related to the technical testing of claims that TrueCrypt hidden volumes can't be detected. I have my methodology for testing, but, unfortunately, I've never found anyone to talk to or compare techniques (or anything of that sort). I basically just answer other peoples' questions based on my own experimentation, but I've never really found someone who does the equivalent and who questions what I say. People seem to take everything in the documentation as gospel truth. But now that I bring that up, people seem to take everything I say as gospel truth.

I'm just a little disillusioned about the lack of questioning.

 

Sorry about that. I know that wasn't directly related to your question and it IS a good one. I often wonder the same thing. Just who ARE these people actually looking at the code and would they know a backdoor or a minor coding error if it hit them in the face? I'm with you because I read that, "people can read the source code," but have never actually read of a single person doing so. Does the hidden volume look different under a hex editor? Not to me (I've looked) but I could very easily miss something.

 

Yeah, a hex editor may tell you if there are any "unfilled" areas or gaps by TrueCrypt, but it doesn't tell you anything about the quality of the data.

I guess I'll explain how I would look at it yet AGAIN if no one responds. But, keep in mind that I actually haven't done this over the last several versions. I trust the developers, but we really need some more eyes on this stuff. And I really would like to know if what I'm saying is actually correct. The only reason I think I'm right is because no one has ever questioned me. I really would like for someone to lay down the law here.

I do consider this type of situation different than a backdoor though. While I don't think every version is being comprehensively tested, I'm sure some versions were. That's probably sufficient. I don't think they're backdooring their product. If even one is ever discovered, you can kiss TC goodbye permanently.

 

There was a vuln a few years ago that allowed one to prove a hidden volume existed. This forum post goes into great detail about it (and has links to even more discussion). Apparently this issue was fixed in TC 4.1, so it has been long resolved.

Then there are tools like "TCHunt" which are a total fraud and joke. All they do is look for random data and then flag any random data as a TC container. You can read more about the fraud here.

To answer your question, I know of no way to prove that a TC hidden volume exists on a hard drive. And I don't see how it could be proven without breaking the encryption cipher itself (and subsequently winning a Fields Medal in mathematics).

 

Yes, I was familiar with that. In fact, I'm still using volumes created prior to TC 4.1 (in CBC mode). But they're AES-Blowfish, which are completely safe from this attack, and still incredibly safe period.

Agreed.

I disagree. It definitely wouldn't be necessary to break the cipher itself to prove that one set of data encrypted by one cipher is different from a set of data encrypted by another cipher. It may still be impossible to do, but theoretically much easier than breaking the cipher itself. There may be some incredibly tiny difference between the two ciphers that could possibly be found (without ever even coming close to breaking either of them).

I doubt such a difference would be found, but it could.

Edit: If you've never played with the current crop of statistical tests for randomness, I would suggest you start. You might be surprised at how good they are. I was posting on the TrueCrypt forums years ago about how I could tell you, with some of the bad PRNGs, exactly which PRNG produced which set of data. And, believe me, if you used just a hex editor to compare them to TrueCrypt volumes, you wouldn't be able to see any difference.

And these tests have only gotten better. Fortunately, TrueCrypt uses cryptographically secure algorithms. But I don't believe there is anything inherent in an algorithm that makes it cryptographically secure. There's no proof. It has to be tested. And when new tests come along, you have to test again.

 

Let me expand on this further.

There's a PRNG called Mersenne Twister. It was never believed to be cryptographically secure, but it always passed all statistical tests. In fact, it's hard to find a test suite that finds any statistical anomaly in it.

Then came TestU01. Mersenne Twister still passed most tests, but it failed a couple. Currently, TestU01 is considered the best statistical test suite. Of note, they did find one potential anomaly in AES in CTR mode (internal algorithm and not produced by TrueCrypt). However, they couldn't reproduce this anomaly in any further tests.

I don't know about you, but I don't take anything for granted. I always test to the best of my ability. Prior to 2006, TrueCrypt always advertised how they passed all statistical tests (such as Diehard). But the tests currently available are much, much better than back then. However, TrueCrypt still passes everything, but they don't advertise that anymore.

http://www.iro.umontreal.ca/~lecuyer/myftp/papers/testu01.pdf

 

I thought one way to avoid people thinking that maybe you have a hidden volume is just to avoid letting them you know you have truecrypt at all. So if you create the encrypted volume on your local hard drive and only install TrueCrypt on an external drive, then assuming there are no traces of TrueCrypt on your computer, they will never be able to say maybe you have a hidden TrueCrypt volume.

Does that work?

 

There are ways to do what you want, but you haven't provided enough information on your setup. The trick is, as you said, not to have any copy of TrueCrypt for anyone to find.

As far as your TrueCrypt volume is concerned, you have to be able to replicate that pattern with some other non-cryptographic program in such a way that no one can prove which program produced the data. That pretty much rules out a file-based TrueCrypt volume. I know of no other program that will produce a file that has as much entropy as a TrueCrypt volume without any sign of a header. Other programs that produce files with as much entropy as TrueCrypt volumes are often other encryption programs, but they usually have unencrypted headers.

Some people in the mathematics field may claim that they need a random set of data for study (which is often true). But they would need a program which is capable of doing this. And for the rest of us, I don't think this would work.

With partition or device encryption, it's possible to replicate it with a disk wiping program. But you have to find the right program with the right algorithm to make sure it can be replicated exactly. It really all depends on how thorough an investigation of the hard drive would be. If an investigator is meticulous to a fault, then you have to be meticulous too. If the investigator is sloppy, then maybe you don't have to do much except make sure no trace of the TrueCrypt program is found while not using file-based volumes.

Provide more detail if you want to and if you don't mind those details becoming public knowledge.

 

I'm going to revise what I said in light of my response to SundariDevi. TCHunt in fact cannot prove that a file is a TrueCrypt volume. But here on planet Earth, when you have a 1GB file that's a multiple of 512 bytes with no header and is completely random, you don't have to be a rocket surgeon to figure it out. I guess it depends on what your standard of proof is. If I found this file and the owner of the drive couldn't explain it, I would assume it was a TC volume, even without a copy of TrueCrypt.

Unless someone can find ANY program that can duplicate this.

Edit: People always say that if a TrueCrypt volume cannot be differentiated from random data, then it can't be proven to be a TrueCrypt volume. This is entirely the wrong way to look at it. There is only one thing that matters. Can another non-cryptographic program duplicate this pattern beyond anyone's capability to prove otherwise? If the answer is no then you have effectively proven it is a TrueCrypt volume. This may not be entirely true in an ideal world, but that's probably the reality. So, TCHunt, while doing nothing really innovative is making it easier to locate volumes that could be TrueCrypt volumes. So, it's not a fraud in that sense, although I could probably do the same thing by using Windows built in search function (looking for large files). I don't particularly care about TC volumes that are 19KB.

 

If you're using Windows, I think it's a complete waste of time to try to "hide" the fact that Truecrypt (the program itself) is on your computer. If you have confidential information - put it in another volume or another drive other than what you use for your primary TC partition/volume which you use for everyday Truecrypt protection of personal information (to prevent ID Theft, etc.). Hiding Truecrypt completely is nearly impossible on Windows and triggers more questions than if it were on the system for purposes as described above. To me, this is basic. Truecrypt developers have stressed that they never developed TC for the program itself to be hidden.

 

I don't know how to respond to this except by getting into a whole world of technical mumbo jumbo that I'm not prepared to spend weeks writing about.

Suffice it to say, I think it's possible to entirely hide the presence of TrueCrypt beyond the capability of anyone to detect. It requires some outside the box thinking. It doesn't really matter what the developers designed it to do. It only matters what you can do with it.

For the purposes of this discussion, let's just assume that the existence of the program itself is hidden. Better yet, let's get off this tangent entirely and discuss the true topic of this thread. Namely, I would like to hear from anyone period who has done ANY analysis of TrueCrypt from a security standpoint. This could include looking at the code or any other type of testing. Absolutely anything goes as long as it's not a rehash of the documentation.

 

I know what you would write and I still think it's impossible with Windows. Why try when Truecrypt has perfectly valid uses? You can put any truly confidential material on a removable disk or something.

As for your OP, I think you know you're not going to get the info here. sci.crypt would be the obvious place if its still active, I haven't visited there in years.

Come to think of it, Justin was going to look at it and report back here, you might drop him a PM.

 

Enlighten me.


p.s. I highly, highly, highly doubt you know what I would write considering that some of my techniques, to my knowledge, have never been written about.

That's the whole point. There are so many possible approaches that I would be up to my eyeballs in this as soon as the conversation started.

But, yes, feel free to tell me what I would say.

 

I find yourself arguing with yourself in this thread. The original question was asked with almost a dare. You seem to already know everything you need to know, so is your original question simply disingenuous? I didn't mean anything negative toward you when I said I knew what you would write. I thought it was the same old rehashed stuff from the TC forums. I've read it all. You seem to have a chip on your shoulder and daring somebody to knock it off and I'm not sure why. It's really not that big a deal. Any other thoughts on this should be PM, unless it's for the purposes of your original question, which I think you probably already know will not get an acceptable response.

 

Good call. I really do.

The purpose of the thread is to challenge the way I view TrueCrypt. I do my best to study the currently available data and do some of my own independent analysis, but I don't really know if I'm right. I answer people's questions based on my analysis, but it never really goes further than that. I feel like at least I'm trying.

I just get the impression that very few people would even know if something was obviously wrong with TrueCrypt or if wasn't performing to spec. I guess I'm trying to figure out how paranoid I should be.

Edit: Please link to those threads on the TC forums if this is a re-hash. Let me just warn you that I might be in those threads as well. I don't use the same name. I didn't post this thread on the TC forums because all threads there show up according to the date posted. So, even if it's active, it still falls off the face of the Earth. Also, I didn't want to risk it being deleted.

 

I hear you, completely. The TC forums have almost died from the regulars of several years ago; run off by heavy-handed moderation and an arrogant attitude that isn't exactly welcoming.

I don't want to go over there and look up all those old threads and besides, my research fees are probably too steep for 'ya. (just kidding)

 

For many years I have been happily using TrueCrypt to protect my personal data, but I don't consider it to be proof against all attacks. I think it's entirely possible that TC could contain a cleverly-hidden built-in weakness that could be exploited by an insider (e.g. a government agency) that has preknowledge of the flaw and sufficient computational power to take advantage of it. Yes, I'm aware that TC is open-source, but this doesn't mean all flaws of this nature would be revealed. It could be something very subtle. For example, an exhaustive brute-force analysis might still be required in order to crack the key, but due to the flaw this might require only 3% of the computational resources that would otherwise be necessary. This would still put the solution far out of reach of most attackers unless they had access to massive resources and knew where to look.

Bottom line: Although TC works beautifully and under most circumstances it appears to provide excellent protection, I would definitely not recommend it (or any other off-the-shelf software) for use against a three-letter agency.

And no, I don't consider myself to be a paranoid person.

 

I hear you, but if you're talking about TLA's in the USA - you give them wayyy too much credit. Unless you're talking the highest levels of the NSA and the computer is from a terrorist, most TLA's couldn't do squat with TC. Inept is the word that comes to mind for most of these agencies. Don't believe the movies - read the newspaper.

 

I don't know what to say to this either. I suppose anything is possible, but I think it really does a disservice to the developers who have brought us such an excellent product for no cost. I think on their part, they've done everything right, including giving us the full source code. So, I prefer to discuss potential unintentional flaws.

 

For purposes of national security these agencies are required to keep their capabilities secret. They are highly funded, well-equipped and well-staffed. Forget the newspaper, read your history.

 

There could be unintentional flaws. We know very little about the cryptographic expertise of TrueCrypt's developers. I do give them credit for an excellent product, but there's only so much trust I can put into an unreviewed black box that has been provided to me for free by an anonymous developer.

But we aren't likely to get very far discussing hypothetical situations for which we have no proof, so we might as well move on to specific facts, if we have any.

 

History tells me the CIA and FBI have bungled as often as achieved. Just my opinion, but I respect yours.

 

Regarding denying the existence of TrueCrypt, while it's not impossible, it is extremely difficult. Unfortunately, the way it should be done and the way most people will do it are entirely different. So, I agree with you in not recommending it.

It's much better to use the hidden OS feature. That way you don't have to worry about OS leaks, which are unfortunately incredibly difficult to control.

Here's an article by Bruce Schneier on the topic:

http://www.schneier.com/paper-truecrypt-dfs.pdf

I still have no idea why he wrote it since it was all public knowledge and extremely obvious many years before he wrote it. Even on the TrueCrypt forums, all of this was already openly discussed (probably every single topic he mentions and more). The fact that these topics were never deleted from the TC forums really says something. Nonetheless, here it is in consise pdf format. Keep in mind this was an old version of TC, and many improvements have been made since this was written. Of note, the hidden OS feature was added after this was written.