September 8, 2015
A few weeks ago, I wrote about A Puzzling Encryption Story. The post reported a news story about a Florida man who had kept classified material on his computer protected by the TrueCrypt encryption program. According to the news story, the FBI had "cracked" the encryption. I asked our readers for their thoughts on this -- particularly because I had understood that TrueCrypt was not crackable. I speculated that some endpoint attack might have been used, but wondered what sort of such attack it might be.
Our readers responded. They all agreed that the mathematics behind TrueCrypt made it highly unlikely that the encrypted volume had been decrypted by some brute force attack. Beyond that they seemed to divide into two groups -- those who saw the problem as a technical one and those who saw it as a social one.
I learned a great deal about technical attacks on TrueCrypt at the end points. Here are some of the possibilities our readers mentioned:
One reader noted that encryption passwords are stored in RAM and that thepasswords are retained for seconds (if not minutes) even after the computer is turned off. He speculated that the password might have been recovered that way.
Several readers suggested that the FBI might have been on the system at the time the TrueCrypt volume was open and the decrypted contents visible, in effect looking over the user's shoulder. This sort of surveillance with some form of Remote Action Trojan program was, in fact, suggested by several readers.
A number of other readers adopted my suggestion that a keylogger program had recorded the password when it was entered by the user, making reopening it by the FBI pretty trivial.
Of course, some readers pointed to TrueCrypt's own warning -- when the developers closed the program down they said the program was not secure. The exact nature of the insecurity was never specified, but if we take the developers at their word, there is a hole somewhere. The conspiracy minded readers said that this closure was actually the death of a warrant canary, suggesting that the FBI (or someone) was inside TrueCrypt for a while.
Many readers, including our own Bruce Schneier, speculated that, despite the claim that the password in question was 30-characters long, it involved something personal and specific to the owner that gave it away: "The attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. Postal codes are common appendages."
Indeed, I was only a bit surprised to learn that there actually is a commercial product that says it will break TrueCrypt. It does so by using one of three technical methods:
By analyzing the hibernation file (if the PC being analyzed is turned off);
By analyzing a memory dump file *
By performing a FireWire attack ** (PC being analyzed must be running with encrypted volumes mounted).
* A memory dump of a running PC can be acquired with one of the readily available forensic tools such as MoonSols Windows Memory Toolkit
** A free tool launched on investigator’s PC is required to perform the FireWire attack (e.g. Inception)
Of course many other readers simply thought it was likely that the user was not as smart as he thought he was. As one of them said "my bet would be that the guy was less clever than he thought (billions of years!) and either wrote down the password somewhere obscure or picked a password that was guessable after analyzing whatever else the FBI turned up in their search. They probably did crack Glenn's code; probably didn't crack TrueCrypt."
In short, almost everyone agrees that this was a case of misreporting -- and that the suggestiong that True Crypt had been cracked was misleading. I suppose the statement is accurate to the extent that it includes hacking some aspect of the TrueCrypt endpoint, but the way the story was written it had the implication of something that our readers agree is highly unlikely. We will likely never know of course -- but that's the best assessment I can make of it.
No comments:
Post a Comment