Schneier research team cracks TrueCrypt

Researchers led by BT security expert Bruce Schneier have shown that deniable file systems — designed to hide data so effectively that there is no trace of its existence on a user's system — may not be so deniable after all, due to the interference of standard applications and of the operating system itself.

The researchers found that TrueCrypt, one of the best known deniable file system (DFS) products, left evidence of its existence in ways that would be straightforward for investigators to spot. This was due not to flaws in TrueCrypt itself but rather to the fact that the surrounding software is not designed to keep deniability intact, Schneier said.

The principle of deniability, also known as steganography, is to go one step further than encryption, hiding evidence that there is any encrypted data to search for in the first place.

Systems such as TrueCrypt are designed, for example, to allow users to store sensitive information on a laptop passing through increasingly invasive border controls, as detailed in a recent article on ZDNet.co.uk sister site CNET News.com, cited in Schneier's research.

TrueCrypt uses the AES-256, Serpent and Twofish encryption algorithms, and it has been claimed that its hidden volumes cannot be distinguished from random data. The system offers two levels of 'plausible deniability', in case the user is forced to reveal the password; one set of data is revealed by one password, while the truly hidden data is revealed by a separate password.

Schneier's research, however, focused on whether a user can plausibly deny that there is in fact any hidden data on the system, arguing that, if clear evidence can be found of hidden data, the system has failed.

"Deniability, even under a very weak model, is fundamentally challenging," Schneier said in the report. "Even when the file system may be deniable in the pure, mathematical sense, we find that the environment surrounding that file system can undermine its deniability, as well as its contents."

At the operating-system level, the team found that, by default, Windows Vista creates shortcuts to files as they are used, storing the shortcuts in the Recent Items folder. An investigator examining this folder would immediately know that the user had been editing a file, even if that file were protected by TrueCrypt. The shortcut also provides information about the volumes where the files are located, giving more evidence of the existence of hidden volumes.

Schneier argued that this fact could also be used to determine whether the user had revealed all of their hidden volumes — effectively getting around the second level of plausible deniability offered by TrueCrypt.

At the application level, researchers found that Microsoft Word's auto-saves in effect transfer hidden files to the primary volume. While the auto-recovery files are deleted after use, they can be easily recovered with a free data-recovery tool, Schneier said.

The research also found that Google Desktop's Enhanced Search feature stores cached versions of recently changed files, another compromise of deniability.

The researchers suggested ways around each of these weaknesses, such as using the same volume serial number for all hidden volumes, but argued that the real problem is more fundamental.

"Addressing it will require rethinking and re-evaluating how to build a true DFS in the context of modern operating systems and applications," Schneier wrote. "To create a DFS, it seems inevitable that the operating system (and perhaps the underlying hardware) must assist in the deniability."

He noted that the latest version of TrueCrypt, 6.0, includes a deniable operating-system feature, which TrueCrypt's developers have said they believe solves the problems raised in the paper. The team analysed TrueCrypt 5.1a.

Another approach would be to use a file system filter that would prevent applications from transferring protected data to unprotected volumes, although this might break many applications, Schneier said.

Schneier said he remains sceptical that any DFS can be made truly watertight, an opinion shared by other security researchers.

"I have a rather negative opinion about steganographic file systems," said PGP chief technology officer Jon Callas in recent comments to CNET News.com. "I just flat don't believe they work. I don't believe you can hide the data so that nobody can find it."

He said implementing such a system could even be dangerous for users. "It is unsafe to use a product that has a steganographic file system, since you can never prove you have no steganographic data," Callas said.

The study was co-authored by Schneier and University of Washington researchers Alexei Czeskis, Steven Gribble, David St Hilaire, Tadayoshi Kohno and Karl Koscher, and will be presented at the Usenix HotSec '08 conference next week in San Jose, California.