
TrueCrypt Volumes are Indistinguishable from Random Data - ef47d35620c1
http://16s.us/software/TCHunt/diff.txt
======
ot
It is true that any strong symmetric encryption generates data that is
indistinguishable from random for any (efficiently computable) statistical
test, but these tests are extremely weak and don't prove anything.

All but the last two only look at distribution of the bytes, meaning that the
string "\0\1\2...\255" repeated many times would give the same values, but it
doesn't look random at all. The Monte Carlo computation of Pi also ignores the
order (sums are commutative).

The serial correlation coefficient only looks at the correlation between the
sequence and itself shifted by one, ignoring higher-distance correlations, so
it is almost as easy to produce very regular sequences that give very small
coefficients.
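
The point made above, shown as an added example that is not part of the original comment or of the linked write-up: two fully regular sequences score as well as or better than OS randomness on byte-distribution and lag-1 tests. The choice of entropy and chi-square as the distribution tests, the 256 KiB sample size and the stride-55 sequence are assumptions made for illustration.

```python
import math
import os
from collections import Counter

N = 1 << 18  # 256 KiB per sample, a multiple of 256


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def serial_correlation(data: bytes) -> float:
    """Correlation of the sequence with itself shifted by one (circular)."""
    n = len(data)
    s1 = sum(data)
    s2 = sum(x * x for x in data)
    sxy = sum(x * y for x, y in zip(data, data[1:] + data[:1]))
    return (n * sxy - s1 * s1) / (n * s2 - s1 * s1)


def report(data: bytes) -> tuple[float, float, float]:
    return entropy_bits_per_byte(data), chi_square(data), serial_correlation(data)


# The string from the comment: "\0\1\2...\255" repeated many times.
counter = bytes(range(256)) * (N // 256)
# Constructed: walk the byte values with stride 55 (odd, so each value still
# appears once per 256 bytes). For stride a the lag-1 correlation is
# 1 - 6*a*(256-a)/(256**2 - 1), which is close to zero at a = 55.
stride55 = bytes((55 * i) % 256 for i in range(256)) * (N // 256)
urandom = os.urandom(N)

if __name__ == "__main__":
    for name, data in [("counter", counter), ("stride55", stride55),
                       ("urandom", urandom)]:
        h, chi2, scc = report(data)
        print(f"{name:9s} entropy={h:.6f} chi2={chi2:9.2f} serial_corr={scc:+.5f}")
```

The counter is flagged only by the serial correlation; the stride-55 sequence is flagged by none of the three, although every byte is predictable from its position.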

------
swordswinger12
It's heartening that TrueCrypt encrypted volumes pass statistical randomness
tests, but it's important to remember that this says essentially nothing about
its cryptographic security.

~~~
pbsd
Indeed. The output of a noncryptographic generator like the Mersenne Twister
would also pass those same tests, and would be not secure at all. This is not
how indistinguishability works.

The 'correct' way to make this point would be to analyze the volume format, and
reduce distinguishing the container to distinguishing the underlying block
cipher from a pseudorandom permutation. That is, distinguishing a TC volume
implies distinguishing AES (or whichever block cipher combo TC supports).

------
patcheudor
In doing volume forensics it is exceedingly rare to find a full volume of
random data and when one is found one can be fairly certain that someone is
using TrueCrypt or had a lot of time on their hands when destroying evidence
by using dd to write dev/random to disk. Depending on the technical capacity
of the forensics lab this observation could be sufficient enough evidence in
itself to back additional search warrants or court orders. Remember, it is
absolutely possible to stand out simply by being off the curve of normal,
whether when using HD encryption or anonymizing services.

------
jpablo
The question is, do people usually keep large areas of random data on their
hard disks?

~~~
tlrobinson
It would be nice if the default filesystem on an unsuspicious and relatively
popular operating system (Linux?) normally overwrote erased data with random
data, and worked to maintain a large contiguous area at one "end" of the
drive. You would need to be careful not to fill up your drive to the point
that it overwrote part of your hidden volume, of course.

I think this would allow for true deniability.

~~~
rlanday
Doesn’t FAT do that? Although maybe a Linux user choosing to use FAT for some
other reason isn’t that plausible in itself…

~~~
MertsA
Don't be so quick to judge, I've got a small FAT partition on my boot drive
right now for the EFI system partition. That partition also doesn't frequently
have data written to it, you could in theory hide a small encrypted volume in
the free space and so long as Grub wasn't updated nothing would touch that
free space.

------
the8472
Hypothetical scenario:

      $iv = rnd();
      $encrypted_header = byte[256];
      $checksum = sha1($iv + $encrypted_header);

      disk layout: $iv + $encrypted_header + $checksum

This would look like random data to any generic statistical test and yet be
easily identifiable for a specific pattern matcher simply by doing the hash
based on the visible data and checking if it matches. Of course this can be
easily prevented, but a statistical test is insufficient to prove that.
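
The hypothetical layout above, as an added example that is not part of the original comment: a record built from random bytes is planted in random "free space" and then located by recomputing the hash over the visible bytes. The 16-byte IV, the 512-byte sector alignment and the function names are assumptions; random bytes stand in for the encrypted header.

```python
import hashlib
import os

IV_LEN = 16        # assumed; the comment does not give an IV size
HEADER_LEN = 256   # byte[256] in the comment
SHA1_LEN = hashlib.sha1().digest_size
RECORD_LEN = IV_LEN + HEADER_LEN + SHA1_LEN
SECTOR = 512       # assumed alignment for the scan


def make_record() -> bytes:
    """Build iv + encrypted_header + sha1(iv + encrypted_header).

    Random bytes model the ciphertext, the best case for the format.
    """
    iv = os.urandom(IV_LEN)
    encrypted_header = os.urandom(HEADER_LEN)
    checksum = hashlib.sha1(iv + encrypted_header).digest()
    return iv + encrypted_header + checksum


def looks_like_record(blob: bytes) -> bool:
    """Recompute the hash from the visible bytes and compare."""
    if len(blob) < RECORD_LEN:
        return False
    body = blob[:IV_LEN + HEADER_LEN]
    stored = blob[IV_LEN + HEADER_LEN:RECORD_LEN]
    return hashlib.sha1(body).digest() == stored


def scan_image(image: bytes) -> list[int]:
    """Return sector-aligned offsets where the checksum relation holds."""
    return [off for off in range(0, len(image) - RECORD_LEN + 1, SECTOR)
            if looks_like_record(image[off:off + RECORD_LEN])]


def build_demo_image(sectors: int = 2048, hidden_at: int = 1337) -> bytes:
    """Constructed sample: random 'free space' with one record planted."""
    image = bytearray(os.urandom(sectors * SECTOR))
    start = hidden_at * SECTOR
    image[start:start + RECORD_LEN] = make_record()
    return bytes(image)


if __name__ == "__main__":
    print(scan_image(build_demo_image()))
```

Every byte of the record is uniformly random on its own, so histogram-style tests see nothing; only the relation between the first 272 bytes and the last 20 gives it away.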

------
siliconc0w
That is why I created a service that will securely delete your data if you
don't remind it every day. Just say that is where you keep your passwords (and
maybe add it to your bookmark bar to be more convincing). It's the only service
you don't have to use to be useful!

~~~
unfamiliar
What if you end up in hospital or have a power cut?

~~~
MertsA
I think the idea is just that you say that you used some dead man switch to
store your real password. You could even have it actually overwrite some 1 MB
random file and claim that it was the keyfile for the volume. In reality you
wouldn't use it at all and just memorize the password like normal, no one
would be able to prove if that really was a keyfile or just a decoy and you
couldn't be in contempt of court if you can plausibly claim that you don't
have the information to open the volume anymore.

------
dewiz
iirc there was an article a few days ago about tools to detect TrueCrypt
encryption types in use. The article mentioned the presence of some files
cached by OSes, sometimes disclosing the presence, the type or even part of
the content of TC volumes. Personally that is the scariest part, having
cached data leftover in the system, which is much more indicative than some
pseudorandomness of TC strings.

------
gburt
This has to be false, no? If there is data encoded there, that is non-random,
then there is also non-randomness encoded there.

~~~
SolarNet
One of the primary goals of encryption is to make the result random, such that
no structure can be determined. However you are correct, there is structure
there, but it's encoded with so much randomness that the structure is
effectively hidden. It's the whole point of encryption.

------
faldore
there are a lot of people who know something that 99.9% of the population does
not.

~~~
throwwit
99.9999999% * 7.14 billion implies seven people and maybe a parrot knows
something.

------
zaptheimpaler
Does this mean that TrueCrypt encryption also works as near-perfect
compression?

~~~
SolarNet
No, quite the opposite, it takes your once compressible data and makes it
uncompressible.

------
haddr
that means you are using truecrypt and now please give us the private key
or...

~~~
asdfologist
[http://en.wikipedia.org/wiki/TrueCrypt#Plausible_deniability](http://en.wikipedia.org/wiki/TrueCrypt#Plausible_deniability)

~~~
RexRollman
I can just imagine someone getting tortured for access to a hidden volume that
they can't prove not to exist.

~~~
te
[http://xkcd.com/538/](http://xkcd.com/538/)

