Security Analysis of TrueCrypt 7.0a
with an Attack on the Keyfile Algorithm
Ubuntu Privacy Remix Team < info@privacy-cd.org >
August 14, 2011
Contents
Preface
1. Data of the Program
2. Remarks on Binary Packages of TrueCrypt 7.0a
3. Compiling TrueCrypt 7.0a from Sources
   Compiling TrueCrypt 7.0a on Linux
   Compiling TrueCrypt 7.0a on Windows
4. Methodology of Analysis
5. The program tcanalyzer
6. Findings of Analysis
   The TrueCrypt License
   Website and Documentation of TrueCrypt
   Cryptographic Algorithms of TrueCrypt
   Cryptographic Modes used by TrueCrypt
   TrueCrypt Volume and Hidden Volumes
   The Random Number Generator of TrueCrypt
   The Format of TrueCrypt Volumes
7. An Attack on TrueCrypt Keyfiles
   The TrueCrypt Keyfile Algorithm
   The Manipulation of TrueCrypt Keyfiles
   Response to the Attack by the TrueCrypt Developers
8. Conclusion
Preface
We have previously analyzed the source code of versions 4.2a, 6.1a and 6.3a of the TrueCrypt
program without publishing our results. For our new analysis of version 7.0a, however, we decided
to publish them. We hope that this will help people to form their own sound opinion on the security
of TrueCrypt. Moreover, we solicit help in correcting any mistakes that we've made. To this end, we
would like to encourage everyone reading this to send us criticism or suggestions for further
analysis.
While preparing the analysis for publication we reassessed our previous results. In doing so we
discovered major weaknesses in the TrueCrypt keyfile algorithm. These could even be turned into a
successful attack on TrueCrypt keyfiles. We present that attack in section 7. We want to stress that
the security of TrueCrypt containers which do not use keyfiles is in no way affected by these
weaknesses and the attack.
TrueCrypt is a multi-platform program. Up to now there are versions for Windows, Linux and Mac
OS X. Our analysis mainly focuses on the Linux version. The Windows version has been analyzed
to a lesser extent, the Mac OS X version not at all. In large parts the code base is the same for all
operating systems on which TrueCrypt runs. On the other hand there is some special code for
each of these operating systems. This is even reflected in slightly diverging behavior of the
program on different operating systems here and there.
In the source code of TrueCrypt 7.0a there are, moreover, folders for the operating systems
FreeBSD and Solaris. Apparently the source code in these folders hasn't reached a point where a
program could be built and distributed from it. Therefore, we disregarded them completely.
The report at hand explains the results of our analysis. It is organized as follows: Section 1 lists
some data of the analyzed program. Section 2 contains remarks on binary TrueCrypt packages.
Section 3 deals with compiling TrueCrypt from the sources. Section 4 explains the methodology of
our analysis. In section 5 we describe our program tcanalyzer which has been written for this
analysis. Section 6 contains our findings in detail except for the attack on keyfiles, to which
section 7 is devoted. Finally, section 8 presents our conclusions. The rationale for the conclusions
in section 8 is mainly presented in section 6. In sections 6 and 7 some more involved technical or
mathematical facts have been documented in the footnotes. Readers who don't have the special skills
to understand them may safely ignore them.
1. Data of the Program
Website:
Analyzed version: TrueCrypt 7.0a
Analyzed source code (Unix): TrueCrypt 7.0a Source.tar.gz
MD5 fingerprint: 0a61616bc5c5ad90e876b4014c004ac9
SHA1 fingerprint: 42be0f333e6791e7a122b3e1183e014cd3860198
Alternative source code (Windows): TrueCrypt 7.0a Source.zip
MD5 fingerprint: 752479c674bc18d6bcf55d056560f0a7
SHA1 fingerprint: 8f9bf2ae13461fb3bfb4d1f7acb76c7c1c7ed29d
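An added example, not part of the original report: a shell script that checks a downloaded source archive against the MD5 and SHA1 fingerprints listed above before it is unpacked and built. It assumes the GNU coreutils tools md5sum and sha1sum are installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the report): verify the TrueCrypt 7.0a source
# archives against the fingerprints of section 1. Function names are hypothetical.

# digest_of TOOL FILE: print FILE's hex digest as computed by TOOL (md5sum, sha1sum).
# Reading from stdin keeps the output format independent of the file name.
digest_of() {
    "$1" < "$2" | awk '{ print $1 }'
}

# verify_archive FILE MD5 SHA1
# Returns 0 only if both digests match, 1 on any mismatch, 2 if FILE is missing.
verify_archive() {
    file=$1
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    rc=0
    [ "$(digest_of md5sum "$file")" = "$want_md5" ] ||
        { echo "MD5 mismatch: $file" >&2; rc=1; }
    [ "$(digest_of sha1sum "$file")" = "$want_sha1" ] ||
        { echo "SHA1 mismatch: $file" >&2; rc=1; }
    return "$rc"
}

# check_truecrypt_sources: verify whichever of the two archives is present in
# the current directory; the fingerprints are copied from section 1.
check_truecrypt_sources() {
    result=0
    if [ -f "TrueCrypt 7.0a Source.tar.gz" ]; then
        verify_archive "TrueCrypt 7.0a Source.tar.gz" \
            0a61616bc5c5ad90e876b4014c004ac9 \
            42be0f333e6791e7a122b3e1183e014cd3860198 || result=1
    fi
    if [ -f "TrueCrypt 7.0a Source.zip" ]; then
        verify_archive "TrueCrypt 7.0a Source.zip" \
            752479c674bc18d6bcf55d056560f0a7 \
            8f9bf2ae13461fb3bfb4d1f7acb76c7c1c7ed29d || result=1
    fi
    return "$result"
}

check_truecrypt_sources
```

Run it in the download directory; a non-zero exit status means at least one fingerprint did not match and the archive should not be built.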
2. Remarks on Binary Packages of TrueCrypt 7.0a
As on Windows, the binary packages of TrueCrypt 7.0a for Linux are distributed as executable
installation programs, although they are additionally packed in a .tar.gz archive. After unpacking,
the installation program offers the options of either installing TrueCrypt 7.0a directly or
extracting another .tar.gz archive, which is put into the /tmp folder.
Executable installation programs are uncommon on Linux anyway, and this behavior is a further move
away from the usual Linux package management of software. Up to TrueCrypt 6.3a the installation
program extracted or installed a .deb or .rpm package. Thus TrueCrypt could be uninstalled or
updated with the package management of the Linux distribution, which is no longer possible with
TrueCrypt 7.0 or 7.0a. As compensation, TrueCrypt 7.0 and 7.0a now install the script
/usr/bin/truecrypt-uninstall.sh with which it can be uninstalled again.
3. Compiling TrueCrypt 7.0a from Sources
Compiling TrueCrypt 7.0a on Linux
We tested compiling TrueCrypt 7.0a on Linux on an Ubuntu 10.04 LTS desktop system. In addition
to the packages of the default system installation the following packages are needed for building
TrueCrypt:
g++
nasm
libwxgtk2.8-dev
libfuse-dev
and all the packages they depend on. Furthermore, as the file Readme.txt in the
sources tells, the three header files
pkcs11.h
pkcs11f.h
pkcs11t.h
must be downloaded from ftp://ftp.rsasecurity.com/pub/pkcs-11/v2-20 and copied
to /usr/include. If you don't want to have them in this standard include directory you may put
them somewhere else and define and export the environment variable PKCS11_INC, set to the
complete path of the directory where you put them. Then we called
tar xvzf "TrueCrypt 7.0a Source.tar.gz"
cd truecrypt-7.0a-source
make
The compiler run went through without any errors or warnings, and the executable program truecrypt
was found in the sub-folder Main. Compiled like that, the program supports the command
line as well as a GUI.
If you want to build a Debian package you additionally need the package fakeroot and may do
the following:
# Create the directory tree of the package
mkdir -p truecrypt_7.0a/DEBIAN
mkdir -p truecrypt_7.0a/usr/share/applications
mkdir -p truecrypt_7.0a/usr/share/pixmaps
mkdir -p truecrypt_7.0a/usr/share/truecrypt/doc
mkdir -p truecrypt_7.0a/usr/bin
# Write the package metadata
echo "Package: truecrypt" > truecrypt_7.0a/DEBIAN/control
echo "Version: 7.0a" >> truecrypt_7.0a/DEBIAN/control
echo "Section: utils" >> truecrypt_7.0a/DEBIAN/control
echo "Priority: optional" >> truecrypt_7.0a/DEBIAN/control
echo "Architecture: i386" >> truecrypt_7.0a/DEBIAN/control
echo 'Maintainer: name <email>' >> \
truecrypt_7.0a/DEBIAN/control
echo "Depends: libwxgtk2.8-0, libfuse2" >> \
truecrypt_7.0a/DEBIAN/control
echo "Description: Software for on-the-fly-encrypted volumes" >> \
truecrypt_7.0a/DEBIAN/control
# Install the binary built by make
cp Main/truecrypt truecrypt_7.0a/usr/bin
# Write the desktop menu entry
echo "[Desktop Entry]" > \
truecrypt_7.0a/usr/share/applications/truecrypt.desktop
echo "Encoding=UTF-8" >> \
truecrypt_7.0a/usr/share/applications/truecrypt.desktop
echo "Name=TrueCrypt" >> \
truecrypt_7.0a/usr/share/applications/truecrypt.desktop
echo "Exec=/usr/bin/truecrypt" >> \
truecrypt_7.0a/usr/share/applications/truecrypt.desktop
echo "Icon=truecrypt" >> \
truecrypt_7.0a/usr/share/applications/truecrypt.desktop
echo "Terminal=false" >> \
truecrypt_7.0a/usr/share/applications/truecrypt.desktop
echo "Type=Application" >> \
truecrypt_7.0a/usr/share/applications/truecrypt.desktop
# Copy the documentation, license and icon
cp "Release/Setup Files/TrueCrypt User Guide.pdf" \
truecrypt_7.0a/usr/share/truecrypt/doc
cp License.txt truecrypt_7.0a/usr/share/truecrypt/doc
cp Resources/Icons/TrueCrypt-48x48.xpm \
truecrypt_7.0a/usr/share/pixmaps/truecrypt.xpm
# Build the .deb package
fakeroot dpkg-deb --build truecrypt_7.0a
The result is a package truecrypt_7.0a.deb in your current working directory. The architecture
must be amd64 instead of i386 if you are building on a 64-bit system. The name and email of the
maintainer have to be adapted according to your preferences.
Compiling TrueCrypt 7.0a on Windows
In addition to the Linux build we tested compiling TrueCrypt 7.0a on a Windows XP system.
Following the instructions in the file Readme.txt in the sources we installed “Visual Studio 2008
Professional Edition” in standard configuration. A trial version of this may be downloaded from
Microsoft and is valid for 90 days. We also tried building TrueCrypt 7.0a with “Visual Studio 2008
Express Edition with SP1” but it lacks the folder atlmfc with libraries and header files and
therefore didn't work.
Next we installed “Microsoft Windows SDK 7.0 for Windows 7 and .NET Framework 3.5 SP1”. It is
important to install this after the installation of Visual Studio because otherwise the variable
WindowsSdkDir ends up with the wrong value C:\Programme\Microsoft SDKs\Windows\v6.0A and
the wrong SDK would be used.
Furthermore, we installed “Microsoft Visual C++ 1.52c” and set the environment variable
MSVC16_ROOT to the value C:\MSVC which was the directory where it was installed. Finally we
installed “Microsoft Windows Driver Kit 7.1.0” in standard configuration and “NASM 2.08” for
Windows. We also added the path to the program nasm.exe to our PATH variable.
We put the three above-mentioned PKCS-11 header files in a newly created directory and
assigned its path as the value of a new environment variable PKCS11_INC. TrueCrypt 7.0a refuses
to build if the project file is placed in a folder the path of which contains spaces. Therefore, we
chose a path without spaces where we unpacked the archive “TrueCrypt 7.0a Source.zip”.
After these preparations we loaded TrueCrypt.sln in “Visual Studio 2008” as project, selected
“All” as sub-projects to be built and started building TrueCrypt with F7. It went through without
errors, and in the sub-folder Release\Setup Files of our project folder the executable
TrueCrypt Setup.exe was created. This, however, is not the desired TrueCrypt installer. The
installer must be created by calling
TrueCrypt Setup.exe /p
within this sub-folder. This call creates TrueCrypt Setup 7.0a.exe which finally is the desired
installer.
4. Methodology of Analysis
We carefully read the source code of the Unix source code archive. The parts common to all
operating systems and the special part for Linux were completely read. It helped to create diffs
against the source code of version 6.3a which we analyzed in 2010 in the same way. Thereby we could
focus our attention on code that has changed substantially.
For the XTS mode, which is used by TrueCrypt 5, 6 and 7, we have studied the mathematical
theory in relevant cryptographic publications as we did in 2006 for the LRW mode used by TrueCrypt
4.2a. The XTS mode is state of the art in cryptography for disk or volume encryption and replaces
the LRW mode in this respect.
We then wrote the program tcanalyzer which analyzes headers of TrueCrypt containers.
It makes use of the libraries of ScramDisk for Linux (see http://sd4l.sourceforge.net/), an
independent development which can read and also create TrueCrypt containers. For this purpose
we linked our program against the libraries built from this source code. Our tcanalyzer program is
put under the GNU General Public License version 3 and published together with this analysis in
source code.
We created test containers both with the binaries we built ourselves on Linux and Windows and
with the binary packages downloaded from the TrueCrypt website. All ciphers and all digests have
been chosen at least once for a test container. Hidden containers within outer containers were also
among the test containers created. They were created sometimes directly together with the outer
container and sometimes within a previously created outer container. We analyzed all headers of
all these test containers with our tcanalyzer program. In the end we were convinced that there
were no mistakes or back doors in the encryption or its header format.
On Windows, TrueCrypt 5, 6 and 7 can encrypt the entire operating system. We created such a
system encryption only once, with TrueCrypt 7.0a, and analyzed an image of the encrypted
disk with tcanalyzer. In this case we also convinced ourselves that the format of system
encryption, which differs from the usual TrueCrypt encryption format, is correct. We haven't
analyzed or even read the TrueCrypt boot code that decrypts such a system encryption in the boot
process when the computer starts.