|17 Jan 2014||#1|
TrueCrypt Master Key Extraction And Volume Identification
One of the disclosed pitfalls of TrueCrypt disk encryption is that the master keys must remain in RAM in order to provide fully transparent encryption. In other words, if master keys were allowed to be flushed to disk, the design would suffer in terms of security (writing plain-text keys to more permanent storage) and performance. This is a risk that suspects have to live with, and one that law enforcement and government investigators can capitalize on.
The default encryption scheme is AES in XTS mode. In XTS mode, primary and secondary 256-bit keys are concatenated together to form one 512-bit (64 bytes) master key. An advantage you gain right off the bat is that patterns in AES keys can be distinguished from other seemingly random blocks of data. This is how tools like aeskeyfind and bulk_extractor locate the keys in memory dumps, packet captures, etc. In most cases, extracting the keys from RAM is as easy as this:
$ ./aeskeyfind Win8SP0x86.raw
Keyfind progress: 100%
Several keys were identified, but only the two final ones in red are 256 bits (the others are 128-bit keys). Thus, you can bet that by combining the two 256-bit keys, you'll have your 512-bit master AES key. That's all pretty straightforward and has been documented in quite a few places - one of my favorites being Michael Weissbacher's blog.
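Added example, not part of the original post and not aeskeyfind's code: a sketch of why an expanded AES-256 key stands out from random data, since the 208 bytes after the key are fully determined by its first 32 bytes (FIPS-197 key expansion). The buffer, offsets and keys are constructed for the demo, and only exact, undamaged schedules are matched.

```python
import os

def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF

def build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p = p * 3
        q ^= q << 1                                             # q = q / 3
        q ^= q << 2
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40]

def expand_aes256(key):
    """Return the 240-byte AES-256 key schedule (FIPS-197 KeyExpansion, Nk=8)."""
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:                      # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 8 - 1]
        elif i % 8 == 4:                    # extra SubWord step for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return bytes(b for word in w for b in word)

def find_aes256_schedules(buf):
    """Return (offset, key) wherever 32 bytes expand to the 240 bytes found there."""
    return [(off, buf[off:off + 32]) for off in range(len(buf) - 239)
            if expand_aes256(buf[off:off + 32]) == buf[off:off + 240]]

def demo():
    # Constructed sample: random filler with two schedules at made-up offsets.
    k1, k2 = os.urandom(32), os.urandom(32)
    buf = bytearray(os.urandom(4096))
    buf[512:752] = expand_aes256(k1)
    buf[2048:2288] = expand_aes256(k2)
    return k1, k2, find_aes256_schedules(bytes(buf))
```

Random filler essentially never satisfies the schedule relation, so `demo()` reports exactly the two planted keys, which together make up 64 bytes as in the XTS case described in the post.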
|18 Jan 2014||#2|
Very disheartening news on the surface. But on page 8 of the .pdf file, it appears that RAM flush/optimizing/scrubbing programs, such as WinUtilities Free Memory Optimizer, Glary Utilities, Clean RAM, or FreeRAM work to wipe the keys' images remaining in RAM.
I'm also hopeful that it's much more difficult to reconstruct cascaded keys, such as AES-Twofish-Serpent, which I always use.