Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: TrueCrypt Master Key Extraction And Volume Identification

17 Jan 2014   #1

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 
TrueCrypt Master Key Extraction And Volume Identification

Quote:
One of the disclosed pitfalls of TrueCrypt disk encryption is that the master keys must remain in RAM in order to provide fully transparent encryption. In other words, if master keys were allowed to be flushed to disk, the design would suffer in terms of security (writing plain-text keys to more permanent storage) and performance. This is a risk that suspects have to live with, and one that law enforcement and government investigators can capitalize on.

The default encryption scheme is AES in XTS mode. In XTS mode, primary and secondary 256-bit keys are concatenated together to form one 512-bit (64 bytes) master key. An advantage you gain right off the bat is that patterns in AES keys can be distinguished from other seemingly random blocks of data. This is how tools like aeskeyfind and bulk_extractor locate the keys in memory dumps, packet captures, etc. In most cases, extracting the keys from RAM is as easy as this:

$ ./aeskeyfind Win8SP0x86.raw
f12bffe602366806d453b3b290f89429
e6f5e6511496b3db550cc4a00a4bdb1b
4d81111573a789169fce790f4f13a7bd
a2cde593dd1023d89851049b8474b9a0
269493cfc103ee4ac7cb4dea937abb9b
4d81111573a789169fce790f4f13a7bd
4d81111573a789169fce790f4f13a7bd
269493cfc103ee4ac7cb4dea937abb9b
4d81111573a789169fce790f4f13a7bd
0f2eb916e673c76b359a932ef2b81a4b
7a9df9a5589f1d85fb2dfc62471764ef47d00f35890f1884d87c3a10d9eb5bf4
e786793c9da3574f63965803a909b8ef40b140b43be062850d5bb95d75273e41

Keyfind progress: 100%

Several keys were identified, but only the two final ones in red are 256-bits (the others are 128-bit keys). Thus, you can bet by combining the two 256-bit keys, you'll have your 512-bit master AES key. That's all pretty straightforward and has been documented in quite a few places - one of my favorites being Michael Weissbacher's blog.
Source

A Guy

My System SpecsSystem Spec
.

18 Jan 2014   #2

Win7 Pro 32bit
 
 

Very disheartening news on the surface. But on page 8 of the .pdf file, it appears that RAM flush/optimizing/scrubbing programs, such as WinUtilities Free Memory Optimizer, Glary Utilities, Clean RAM, or FreeRAM work to wipe the keys' images remaining in RAM.
I'm also hopeful that it's much more difficult to reconstruct cascaded keys, such as AES-Twofish-Serpent, which I always use.
My System SpecsSystem Spec
Reply

 TrueCrypt Master Key Extraction And Volume Identification




Thread Tools



Similar help and support threads for2: TrueCrypt Master Key Extraction And Volume Identification
Thread Forum
Which volume of Truecrypt for media backup HDD? Backup and Restore
Solved Can you rename a Truecrypt volume? General Discussion
Truecrypt incorrect password or not a truecrypt volume Software
Truecrypt incorrect password or not a truecrypt volume General Discussion
TrueCrypt volume won't dismount unless I do it Forcibly General Discussion

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 09:22 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33