Encryption question inspired by another thread

[blackangst1]

In another thread I apparently didnt understand a certain part of TrueCrypt's file setup. Thats cool, I got it now But it left me wondering a few things.

I dont necessarily need THAT high of protection, so talking theoretically. When talking about hidden volumes, bsobel you mentioned if law enforcement took a look they would see a hiddem volume. Im wondering how? TC's hidden volume leaves no headers identifying a second volume, and appears as random encrypted data...same as what the outer, or main volume would show. My understanding is it's seamless.

So then I was thinking, well, if the total size of the volume is say 10 gigs, and the hidden volume is 8 gigs, that obviously leaves 2 gigs for the honeypot, or outer volume. One could see the entire volume is 10 gigs, therefore theoretically try and a move a 9 gig file onto the volume and because the outer volume is only 2 gigs, would say not enough space. BUT! When mounting the outer volume WITHOUT volume protection, you could indeed move a 9 gig file, as it would simply use up space designated for the hidden volume. Yes, it would overwrite and corrupt the hidden volume, but it would still not reveal the actual presence of that volume. I've tried the file move experiment succesfully, and it did corrupt data inside the hidden volume, but it also moved the larger file onto the outer volume.

So my question is...how could anyone know it existed? I havent found any white papers or real life examples of a hidden volume being detected. In fact, I've found the opposite based on white papers published by Black Hat. What am I not understanding?

Second, how can we be sure the NSA, for example, could detect and decrypt anything? Because theyre the NSA? One would think there would be prosecutions of people with this scheme they have broken, but I havent found anything. With an agency THAT large, you would think SOME kind of info would leak about them breaking modern encryption. Also, with open source software, someone somewhere would detect a backdoor or beloved patriot in the armor so to speak.

Could these "hidden" files be compromised? Sure. Brute force the passcode if it's weak. Keyloggers to capture it. Lots of ways. But actually using forensics to decrypt it, or even detect it, seems very unlikely to me.

Can you provide links to explain how I am wrong? I would love to learn more.

 

[bsobel]

Originally posted by: blackangst1
In another thread I apparently didnt understand a certain part of TrueCrypt's file setup. Thats cool, I got it now But it left me wondering a few things.

I dont necessarily need THAT high of protection, so talking theoretically. When talking about hidden volumes, bsobel you mentioned if law enforcement took a look they would see a hiddem volume. Im wondering how? TC's hidden volume leaves no headers identifying a second volume, and appears as random encrypted data...same as what the outer, or main volume would show. My understanding is it's seamless.

We were talking about two different things, in this scenario you are correct. Its in the first scenario where you just 'hide' the trucrypt volume in the fat volume it's easy to detect. In this scenario your basically talking about a trucrypt volume inside another trucrypt volume. In that case its still easy to detect the outer volume, but you are correct it is a bruteforce attack (as far as we currently know) to detect the inner volume.

Second, how can we be sure the NSA, for example, could detect and decrypt anything? Because theyre the NSA? One would think there would be prosecutions of people with this scheme they have broken, but I havent found anything. With an agency THAT large, you would think SOME kind of info would leak about them breaking modern encryption. Also, with open source software, someone somewhere would detect a backdoor or beloved patriot in the armor so to speak.

We probably won't know for another 70 to 100 years (literally) what the NSA is capable of breaking today. From the rumors that float we presume they have a pretty good handle on consumer type encryption today. Now, thats not to say they are going to turn around and use that in some mafia prosecution case. The FBI doesnt have the tech to break the encryption (that we know of) and they tend to go the keylogger route (break in, plant it, extract data later).

As for it being open source and the proving it doesnt have back door, there are only a handful of mathameticians that can do the work required to determine that. It doesnt matter if thousands of others look at, those folks would need to take a deep hard look to have a chance of really knowing. For example the algorithim discussed here is entirely public and a backdoor was found. The question is, how many other public algorithims exist where the backdoor hasn't yet been found.

Bill

 

[blackangst1]

Thanks for the reply bsobel I was looking forward to it.

And yes. On the earlier thread, as I've admitted, I was mistaken on the format thing. Acknowledged.

But the outer/hidden volume scenario is what I was interested in. Of course, a TC volume in and of itself can be found pretty easily. Thus, if required to do so, one would provide the outer volume's passcode to reveal...well...things like bank statements, resume's etc. The good stuff would be in the inner volume. Im not sure it's possible to even know there's an inner volume, even if the outer volume is open. That was my question. AFAIK it's never been done. Yes, the NSA has capabilities beyond our belief probably, but OTOH, I wouldnt dismiss the capabilities of the private sector. Know what I mean? Who knows. Ive also read speculation about whether or not they could even begin to break something like AES or twofish. *shrug* I honestly dont think it's possible.

Anyhow, interesting stuff to me

 

[bsobel]

Originally posted by: blackangst1
Thanks for the reply bsobel I was looking forward to it.

And yes. On the earlier thread, as I've admitted, I was mistaken on the format thing. Acknowledged.

But the outer/hidden volume scenario is what I was interested in. Of course, a TC volume in and of itself can be found pretty easily. Thus, if required to do so, one would provide the outer volume's passcode to reveal...well...things like bank statements, resume's etc. The good stuff would be in the inner volume. Im not sure it's possible to even know there's an inner volume, even if the outer volume is open. That was my question. AFAIK it's never been done. Yes, the NSA has capabilities beyond our belief probably, but OTOH, I wouldnt dismiss the capabilities of the private sector. Know what I mean? Who knows. Ive also read speculation about whether or not they could even begin to break something like AES or twofish. *shrug* I honestly dont think it's possible.

Anyhow, interesting stuff to me

Correct, as designed you can't know their is an inner volume by unlocking the outer volume without volume protection (with volume protection one can infer your protecting something, therefor its probably a volume). Their are two attacks here, one is brute force (inprobable) the second is weakness or backdoors in the algorithm. If there are any than determining their is a volume gets alot easier. Basically we know what section of the inner volume contains the volume header *if* its a volume, if we can decrypt that we know their is a volume there (and by nature of said decrypt it we have the key).

As for private parties doing this, none that I'm aware of. As for government agencies, consider where AES and Skipjack came from

Bill

 

[blackangst1]

Originally posted by: bsobel

Originally posted by: blackangst1
Thanks for the reply bsobel I was looking forward to it.

And yes. On the earlier thread, as I've admitted, I was mistaken on the format thing. Acknowledged.

But the outer/hidden volume scenario is what I was interested in. Of course, a TC volume in and of itself can be found pretty easily. Thus, if required to do so, one would provide the outer volume's passcode to reveal...well...things like bank statements, resume's etc. The good stuff would be in the inner volume. Im not sure it's possible to even know there's an inner volume, even if the outer volume is open. That was my question. AFAIK it's never been done. Yes, the NSA has capabilities beyond our belief probably, but OTOH, I wouldnt dismiss the capabilities of the private sector. Know what I mean? Who knows. Ive also read speculation about whether or not they could even begin to break something like AES or twofish. *shrug* I honestly dont think it's possible.

Anyhow, interesting stuff to me

Correct, as designed you can't know their is an inner volume by unlocking the outer volume without volume protection (with volume protection one can infer your protecting something, therefor its probably a volume). Their are two attacks here, one is brute force (inprobable) the second is weakness or backdoors in the algorithm. If there are any than determining their is a volume gets alot easier. Basically we know what section of the inner volume contains the volume header *if* its a volume, if we can decrypt that we know their is a volume there (and by nature of said decrypt it we have the key).

As for private parties doing this, none that I'm aware of. As for government agencies, consider where AES and Skipjack came from

Bill

If I remember correctly, NSA just certified AES as proficient to use with top secret. I believe the base of AES was created by...hmm....finjel? something like that. AFAIK he was a private guy. I think he created a DES standard too. Memory foggy

I think I read the only theoretical attack on AES was a side channel via leaky cache, and not on the cipher itself. In a perfect world, these leaks wouldnt exist. But, alas, stuff has to pass through a CPU, memory, etc which CAN leak. But again, this would only reveal that a hidden volume WAS indeed there, and to anyone's knowledge its never been done. *shrug*

Anyway. Although I have a basic understanding, at this point its over my head lol. I understand how cipher blocks work, although I dont know why. But it makes for interesting chatting. I appreciate your input

 

[bsobel]

If I remember correctly, NSA just certified AES as proficient to use with top secret. I believe the base of AES was created by...hmm....finjel? something like that. AFAIK he was a private guy. I think he created a DES standard too. Memory foggy

Your thinking of Rijndael which isn't a single person, its a combination of two peoples names. That said, my point was simply its still an algorithim chosen by NIST certified for TS by the NSA. Both are US government agencies. If there are attacks against them, they are the folks most likely to know. We are unlikely to know for many many years

 

[blackangst1]

Originally posted by: bsobel

If I remember correctly, NSA just certified AES as proficient to use with top secret. I believe the base of AES was created by...hmm....finjel? something like that. AFAIK he was a private guy. I think he created a DES standard too. Memory foggy

Your thinking of Rijndael which isn't a single person, its a combination of two peoples names. That said, my point was simply its still an algorithim chosen by NIST certified for TS by the NSA. Both are US government agencies. If there are attacks against them, they are the folks most likely to know. We are unlikely to know for many many years

thats it! I guess I coulda looked on wiki but Im too lazy lol

 

[stevem326]

Originally posted by: blackangst1
Thanks for the reply bsobel I was looking forward to it.

And yes. On the earlier thread, as I've admitted, I was mistaken on the format thing. Acknowledged.

But the outer/hidden volume scenario is what I was interested in. Of course, a TC volume in and of itself can be found pretty easily. Thus, if required to do so, one would provide the outer volume's passcode to reveal...well...things like bank statements, resume's etc. The good stuff would be in the inner volume. Im not sure it's possible to even know there's an inner volume, even if the outer volume is open. That was my question. AFAIK it's never been done. Yes, the NSA has capabilities beyond our belief probably, but OTOH, I wouldnt dismiss the capabilities of the private sector. Know what I mean? Who knows. Ive also read speculation about whether or not they could even begin to break something like AES or twofish. *shrug* I honestly dont think it's possible.

Anyhow, interesting stuff to me

I read an article a year ago explaining how the Secret Service, to help them investigate counterfeiting and other crimes, was networking all of their computers together in every single SS field office to create a distributed computing network (sort of like a super computer). The main goal of this network was to conduct brute force attacks on encrypted HD's that they had seized during search warrants. They had software installed on every single SS computer in all of their field offices (networked together) that just hurled passwords at the hard drive(s) in an attempt to guess the correct password. The software just ran in the background on each field office PC using very little system resources but networking thousands of computers together at once made it very powerful. I forget the exact number but it was capable of guessing something like 60 passwords per second. In one case, they had been trying for more than a year to crack the encryption code on a HD without any luck.

So, the point is, at least in the case of the Secret Service, it doesn't seem like their is some secret backdoor built into commercially available encryption software (PGP, TruCrypt, etc.) or that someone has been able to crack the cipher. I have no idea what the NSA is capable of, though.

 

[blackangst1]

Originally posted by: stevem326

Originally posted by: blackangst1
Thanks for the reply bsobel I was looking forward to it.

And yes. On the earlier thread, as I've admitted, I was mistaken on the format thing. Acknowledged.

But the outer/hidden volume scenario is what I was interested in. Of course, a TC volume in and of itself can be found pretty easily. Thus, if required to do so, one would provide the outer volume's passcode to reveal...well...things like bank statements, resume's etc. The good stuff would be in the inner volume. Im not sure it's possible to even know there's an inner volume, even if the outer volume is open. That was my question. AFAIK it's never been done. Yes, the NSA has capabilities beyond our belief probably, but OTOH, I wouldnt dismiss the capabilities of the private sector. Know what I mean? Who knows. Ive also read speculation about whether or not they could even begin to break something like AES or twofish. *shrug* I honestly dont think it's possible.

Anyhow, interesting stuff to me

I read an article a year ago explaining how the Secret Service, to help them investigate counterfeiting and other crimes, was networking all of their computers together in every single SS field office to create a distributed computing network (sort of like a super computer). The main goal of this network was to conduct brute force attacks on encrypted HD's that they had seized during search warrants. They had software installed on every single SS computer in all of their field offices (networked together) that just hurled passwords at the hard drive(s) in an attempt to guess the correct password. The software just ran in the background on each field office PC using very little system resources but networking thousands of computers together at once made it very powerful. I forget the exact number but it was capable of guessing something like 60 passwords per second. In one case, they had been trying for more than a year to crack the encryption code on a HD without any luck.

So, the point is, at least in the case of the Secret Service, it doesn't seem like their is some secret backdoor built into commercially available encryption software (PGP, TruCrypt, etc.) or that someone has been able to crack the cipher. I have no idea what the NSA is capable of, though.

Well...being a network engineer I find that very inneficient as well as unlikely...but then it IS the feds lol. Even so...Im not sure the reason for doing this. to run brute force for passwords is...well...erm...I guess people who use this kind of security may use dictionary passwords, pet names, etc. *shrug* If its a strong password (30+ charactors) they'll almost never brute force it.

Also, NSA and DoD have about the most powerful mainframes available...it would be 1. more effiecient, and 2. faster to just hand the HD/server over to them to process. Cracking a password is a tricky thing depending on what theyre trying to crack.

Often, people/companies who are somewhat security saavy store their passcodes encrypted. So, one must first break that encryption. Then there are password hashes to deal with.

Anyway. Im not an expert at anything but an amateur of all, so of course it goes deeper than this. But, the bottom line IMHO, is IF they did this, it is VERY inefficient compared to other resources that are available. For instance there is a Hitachi mainframe system DoD uses which is comprised of 32 linked, 56 processor servers. Im not even sure all of the SS computers in the world combined could even come close to something like this *shrug*

But who knows.

 

[bsobel]

Well...being a network engineer I find that very inneficient as well as unlikely...but then it IS the feds lol. Even so...Im not sure the reason for doing this. to run brute force for passwords is...well...erm...I guess people who use this kind of security may use dictionary passwords, pet names, etc. *shrug* If its a strong password (30+ charactors) they'll almost never brute force it.

"The Washington Post has an interesting story about how the Secret Service is using 4,000 of their computers in a Distributed network attack. The attack is to break passwords on encryption keys. We all know that getting software to encrypt our computers is simple and the software is powerful. Breaking into the encryption itself is not simple but the Secret Service has found that the real Achilles Heel of a suspect?s encrypted computer is their passwords. The Secret Service has found that by using all the emails and plain text documents they find on the suspect's computers, they can create a brute force word list that will normally find the password for the encryption in no time at all. Lesson learned? Create strong passwords unrelated to anything on your computer. "

Also, NSA and DoD have about the most powerful mainframes available...it would be 1. more effiecient, and 2. faster to just hand the HD/server over to them to process. Cracking a password is a tricky thing depending on what theyre trying to crack.

Your under the mistaken impression that the NSA and DoD lend their capabilities to federal law enforcement. They do not. Think about it, if the capabilities of those groups became obvious then those wishing to hide their secrets would change methods.

Anyway. Im not an expert at anything but an amateur of all, so of course it goes deeper than this. But, the bottom line IMHO, is IF they did this, it is VERY inefficient compared to other resources that are available. For instance there is a Hitachi mainframe system DoD uses which is comprised of 32 linked, 56 processor servers. Im not even sure all of the SS computers in the world combined could even come close to something like this *shrug*

Thats 1792 procs which last time I checked was less than 4k

Bill

 

[stevem326]

Thanks, bsobel...it was the Washington Post where I read that article...appreciate the quote. What was somewhat funny from the article was one HD they couldn't crack. They had been trying literally for more than a year to crack the encryption code without any luck (using their network of 4,000 computers). However, the guy they were investigating was pretty wealthy and owned several race horses. I'm not a horse expert, but apparently saddles have several small parts that make up the stirrup (where you put your foot in I believe when you mount the horse).

Anyway, the saddles this guy had were custom made in Spain and the SS got the name of every single part of the saddle...all the pins, bolts, screws, buttons, etc...and they tried each one of those names for the password. Sure enough, the guy's password turned out to be the name of some obscure lynch pin that was part of the stirrup. They put that name in and it worked...pretty amazing stuff!

 

[blackangst1]

Bah it's OT, but 4k procs doesnt necessarily mean > 1792

The advantage of the multicore/multi CPU mainframe is shared resources. They can essentially share the same cache and memory, a smaller amount shares the same bus, and much lower latency. The processing latency on 4k computers spanning how many thousands of miles? is huge. The long haul travels on fiber, of course, but a link is only as fast as its slowest-in this case last mile copper. Sure, the times are small...but multiply it by 4k and you got some inefficiency. Ever work in an environment where people try and connect to share drives via a WAN connection? It's HORRID. For the most part, it's the same rules as a quad core processor far exceeds four seperate processors

 

[bsobel]

Originally posted by: blackangst1
Bah it's OT, but 4k procs doesnt necessarily mean > 1792

The advantage of the multicore/multi CPU mainframe is shared resources. They can essentially share the same cache and memory, a smaller amount shares the same bus, and much lower latency. The processing latency on 4k computers spanning how many thousands of miles? is huge. The long haul travels on fiber, of course, but a link is only as fast as its slowest-in this case last mile copper. Sure, the times are small...but multiply it by 4k and you got some inefficiency. Ever work in an environment where people try and connect to share drives via a WAN connection? It's HORRID. For the most part, it's the same rules as a quad core processor far exceeds four seperate processors

Not really in a case like this, you initially distribute the workload to each PC. Sure you can argue that a single unit could get some cache hit benefit, but the goal of the system is obvious, use existing resources effeciently. And besides, your initial point was you doubted the SS even had that many procs, I simply pointed out you were wrong

 

[blackangst1]

Originally posted by: bsobel

Originally posted by: blackangst1
Bah it's OT, but 4k procs doesnt necessarily mean > 1792

The advantage of the multicore/multi CPU mainframe is shared resources. They can essentially share the same cache and memory, a smaller amount shares the same bus, and much lower latency. The processing latency on 4k computers spanning how many thousands of miles? is huge. The long haul travels on fiber, of course, but a link is only as fast as its slowest-in this case last mile copper. Sure, the times are small...but multiply it by 4k and you got some inefficiency. Ever work in an environment where people try and connect to share drives via a WAN connection? It's HORRID. For the most part, it's the same rules as a quad core processor far exceeds four seperate processors

Not really in a case like this, you initially distribute the workload to each PC. Sure you can argue that a single unit could get some cache hit benefit, but the goal of the system is obvious, use existing resources effeciently. And besides, your initial point was you doubted the SS even had that many procs, I simply pointed out you were wrong

/concede