Researchers show up deniable file system crypto leaks

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Fri, 18 Jul 2008 23:24:16 +0100


Bruce has shown how this very old vulnerability (that the OS creates 
files which you wouldn't want to give up, as they reveal data about your 
doings) still exists:

http://www.theregister.co.uk/2008/07/18/dfs_crypto_flaw/

My comments (I'm a bit Friday-nighted):

Re: How is this news?
By Peter Fairbrother
Posted Friday 18th July 2008 20:13 GMT
Boffin

Indeed, it was well-known in the last millennium. Afaict, not having 
read it yet, the paper shows it happening.

Problem is, it isn't at all easy to solve.

You can put the OS on a write-only medium like a CD, so the temp etc 
files get erased - but if you put eg your home folder on the drive then 
there will probably be files relating to what you have done.

If the home folder is exposed, eg if it's on a visible TrueCrypt 
partition, then the Police may demand the keys to that partition using a 
RIPA s. 49 notice - and the information in those files may contain links 
or data, or even show that a file has been saved somewhere, suggesting 
the presence of a hidden partition.

Suppose instead that the OS is on CD and you arrange things so that you 
can only store files into the "visible" (where "visible" means the 
partition whose keys you give up on a RIPA demand, or under torture) and 
hidden partitions deliberately, rather than letting the OS create files 
for you.

Still doesn't work reliably.

TrueCrypt hidden partitions are usually at the end of the TrueCrypt 
volume. The volume is going to be stored somewhere, probably either on a 
hard drive or USB fob.

The problem then is that, if you store files in a hidden partition, the 
data at the end of the volume will be written to more often than if you 
don't. Modern hard drives have such high data density that it may be 
hard to recover overwritten data - but it's still easy enough to tell 
that data has been overwritten. If bits at the end of the volume have 
been overwritten more often than parts in the middle, or the part 
containing a persistent file, the interrogator may ask why, and conclude 
that a hidden partition exists.

USB keys are much the same, except worse - the load-levelling they use 
makes it easier to tell how many times a part of the filespace has been 
overwritten.

There are theoretical solutions, but they are all very expensive in 
terms of bandwidth and computation.

For instance the first Anderson/Needham/Biham construction works if you 
first fill it with random data a few times and don't use Larson tables, 
and I have an unpublished (not the one accepted for PET07, that doesn't 
work) construction using universal re-encryption which works - but both 
are horribly expensive.

I'm working on (I'm a cryptologist with a special interest in 
deniable/steganographic file systems) a better construction, but it 
isn't ready yet (see www.m-o-o-t.org)


-- Peter Fairbrother
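
The overwrite-frequency leak described above, as an added example that is not part of the original post: a simplified simulation comparing how often the tail of a volume is rewritten with and without hidden-partition use, and what uniform dummy rewrites cost in extra writes. The block counts, write volumes and the cover-write scheme are constructed assumptions; the scheme is not any of the constructions named in the post.

```python
import random

BLOCKS = 1000        # constructed volume size, in blocks
HIDDEN_START = 800   # assumption: the hidden partition is the last 200 blocks

def write_counts(outer_writes, hidden_writes, cover_per_write=0, seed=1):
    """Simulate per-block overwrite counts for one volume.

    Outer-volume writes land in blocks [0, HIDDEN_START); hidden-partition
    writes land in the tail. Each real write may be accompanied by
    cover_per_write dummy rewrites of uniformly chosen blocks.
    """
    rng = random.Random(seed)
    counts = [0] * BLOCKS
    real = [(0, HIDDEN_START)] * outer_writes + [(HIDDEN_START, BLOCKS)] * hidden_writes
    for lo, hi in real:
        counts[rng.randrange(lo, hi)] += 1
        for _ in range(cover_per_write):
            counts[rng.randrange(BLOCKS)] += 1
    return counts

def tail_to_body_ratio(counts):
    """Mean overwrites per tail block divided by mean overwrites per body block."""
    body = sum(counts[:HIDDEN_START]) / HIDDEN_START
    tail = sum(counts[HIDDEN_START:]) / (BLOCKS - HIDDEN_START)
    return tail / body

def leak(cover_per_write, outer_writes=20000, hidden_writes=10000):
    """Gap between the ratio with and without hidden-partition use, plus write cost."""
    without = tail_to_body_ratio(write_counts(outer_writes, 0, cover_per_write))
    with_hidden = tail_to_body_ratio(
        write_counts(outer_writes, hidden_writes, cover_per_write))
    return with_hidden - without, 1 + cover_per_write

if __name__ == "__main__":
    for c in (0, 1, 10):
        gap, cost = leak(c)
        print(f"cover={c:2d}  ratio gap={gap:.2f}  physical writes per logical write={cost}")
```

In this model the gap shrinks only as the number of dummy rewrites per real write grows, which is the bandwidth cost the post refers to.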