[dm-crypt] Tcrypt hidden volume

[dm-crypt] Tcrypt hidden volume

[Jan Janssen]

Hi,

while testing how the tcrypt passphrase + keyfile logic works, I
realized that there doesn't seem to be a way to protect the hidden
volume from being damaged by writes to a mounted outer volume like
truecrypt does. I think this deserves a warning in the man page
since this is a potential data loss.

Thanks,
Jan

Re: [dm-crypt] Tcrypt hidden volume

[Milan Broz]

On 1.7.2013 12:33, Jan Janssen wrote:
> Hi,
>
> while testing how the tcrypt passphrase + keyfile logic works, I
> realized that there doesn't seem to be a way to protect the hidden
> volume from being damaged by writes to a mounted outer volume like
> truecrypt does. I think this deserves a warning in the man page
> since this is a potential data loss.

Yes, you are right. There is no protection of hidden volume once
outer volume is mounted.
(BTW the protection itself reveals hidden volume existence.)

Protection can be done on DM (kernel level) quite easily
(map this linear part to virtual zero or error target masking
out the data underneath) but it would require quite big changes
in cryptsetup wrapper (which was meant to be simple 1:1 mapping).
So I decided to ignore this problem for now...

But yes, there should be some note in man page.

Milan

Re: [dm-crypt] Tcrypt hidden volume

[Arno Wagner]

On Mon, Jul 01, 2013 at 09:17:03PM +0200, Milan Broz wrote:
> On 1.7.2013 12:33, Jan Janssen wrote:
> >Hi,
> >
> >while testing how the tcrypt passphrase + keyfile logic works, I
> >realized that there doesn't seem to be a way to protect the hidden
> >volume from being damaged by writes to a mounted outer volume like
> >truecrypt does. I think this deserves a warning in the man page
> >since this is a potential data loss.
> 
> Yes, you are right. There is no protection of hidden volume once
> outer volume is mounted.
> (BTW the protection itself reveals hidden volume existence.)
> 
> Protection can be done on DM (kernel level) quite easily
> (map this linear part to virtual zero or error target masking
> out the data underneath) but it would require quite big changes
> in cryptsetup wrapper (which was meant to be simple 1:1 mapping).
> So I decided to ignore this problem for now...
> 
> But yes, there should be some note in man page.

I have just added one. It seems to me that the TrueCrypt
documentation itself is fuzzy in this issue. The page
at http://www.truecrypt.org/docs/hidden-volume
does describe how it works and it is easy to conclude 
that opening the outer volume can compromise the inner 
one, but there is no clear warning to that effect. 
Also missing is a warning that having an outer volume 
that has not been mounted forever and only has old data
is suspicuous in itself. I think the idea of hidden volumes
is not too useful at this time. There would need to be a 
way to regularly use the outer volume to change that.
Not that I have any idea how to do that without giving 
away that there _is_ a hidden volume.

Anyways, added both warnings to the man-page in git.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

Re: [dm-crypt] Tcrypt hidden volume

[Arno Wagner]

On Tue, Jul 02, 2013 at 03:05:38AM +0200, Arno Wagner wrote:
> On Mon, Jul 01, 2013 at 09:17:03PM +0200, Milan Broz wrote:
> > On 1.7.2013 12:33, Jan Janssen wrote:
> > >Hi,
> > >
> > >while testing how the tcrypt passphrase + keyfile logic works, I
> > >realized that there doesn't seem to be a way to protect the hidden
> > >volume from being damaged by writes to a mounted outer volume like
> > >truecrypt does. I think this deserves a warning in the man page
> > >since this is a potential data loss.
> > 
> > Yes, you are right. There is no protection of hidden volume once
> > outer volume is mounted.
> > (BTW the protection itself reveals hidden volume existence.)
> > 
> > Protection can be done on DM (kernel level) quite easily
> > (map this linear part to virtual zero or error target masking
> > out the data underneath) but it would require quite big changes
> > in cryptsetup wrapper (which was meant to be simple 1:1 mapping).
> > So I decided to ignore this problem for now...
> > 
> > But yes, there should be some note in man page.
> 
> I have just added one. It seems to me that the TrueCrypt
> documentation itself is fuzzy in this issue. The page
> at http://www.truecrypt.org/docs/hidden-volume
> does describe how it works and it is easy to conclude 
> that opening the outer volume can compromise the inner 
> one, but there is no clear warning to that effect. 
> Also missing is a warning that having an outer volume 
> that has not been mounted forever and only has old data
> is suspicuous in itself. I think the idea of hidden volumes
> is not too useful at this time. There would need to be a 
> way to regularly use the outer volume to change that.
> Not that I have any idea how to do that without giving 
> away that there _is_ a hidden volume.
> 
> Anyways, added both warnings to the man-page in git.

I just saw that there is a way in TrueCrypt to protect
the hiden volume:
http://www.truecrypt.org/docs/hidden-volume-protection

Not that this is really better, as it will leave filesystem
annomalies and possible error messages that indicate the
presence of a hidden volume. The TrueCrypt documentation
claims as they make both volumes read-only immediately
after a write that would have damaged the hidden volume,
they preserve plausible deniability. I seriously doubt
the validity of that. Looks more like their will
be truncated files and metadata that indicates a 
setting to read-only. If, for example, the disk this is
on has no CRC or other errors in its SMART log, then 
a device suddenly set read-only is not plausible.

Added a warning about this as well in the man-page.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare

Re: [dm-crypt] Tcrypt hidden volume

[Milan Broz]

On 2.7.2013 3:25, Arno Wagner wrote:
> I just saw that there is a way in TrueCrypt to protect
> the hiden volume:
> http://www.truecrypt.org/docs/hidden-volume-protection
>
> Not that this is really better, as it will leave filesystem
> annomalies and possible error messages that indicate the
> presence of a hidden volume.

I think you cannot use hidden protection for other filesystem
(outer) than VFAT reliably (e.g. superblock backups are in hidden
disk area).

Cryptsetup TCRYPT support was meant to provide tool to be able
to fully access data on TrueCrypt volume, with source code under
clear common licence (GPL/LGPL).
I do not think we should provide every feature they provides
- if you need that, just install and use Truecrypt.

Milan

Re: [dm-crypt] Tcrypt hidden volume

[Justin Tracey]

On 07/01/2013 06:25 PM, Arno Wagner wrote:
> I just saw that there is a way in TrueCrypt to protect
> the hiden volume:
> http://www.truecrypt.org/docs/hidden-volume-protection
>
> Not that this is really better, as it will leave filesystem
> annomalies and possible error messages that indicate the
> presence of a hidden volume. The TrueCrypt documentation
> claims as they make both volumes read-only immediately
> after a write that would have damaged the hidden volume,
> they preserve plausible deniability. I seriously doubt
> the validity of that. Looks more like their will
> be truncated files and metadata that indicates a
> setting to read-only. If, for example, the disk this is
> on has no CRC or other errors in its SMART log, then
> a device suddenly set read-only is not plausible.
>
> Added a warning about this as well in the man-page.
>
> Arno
Maybe this is a bit nit-picky, but as is I think the man entry goes too 
into too much detail as to why and doesn't make clear enough as to what 
is going to happen. IMO, it should just clearly state something to the 
effect of "There is no protection of hidden volumes. If you mount a 
TrueCrypt outer volume and write to it, expect data in the hidden volume 
to be lost." and maybe a brief blurb about how the secrecy of hidden 
volumes is questionable. The rest of the information can go into the FAQ 
or somewhere.

  - Justin

Re: [dm-crypt] Tcrypt hidden volume

[Arno Wagner]

On Tue, Jul 02, 2013 at 02:45:36AM -0700, Justin Tracey wrote:
> On 07/01/2013 06:25 PM, Arno Wagner wrote:
> >I just saw that there is a way in TrueCrypt to protect
> >the hiden volume:
> >http://www.truecrypt.org/docs/hidden-volume-protection
> >
> >Not that this is really better, as it will leave filesystem
> >annomalies and possible error messages that indicate the
> >presence of a hidden volume. The TrueCrypt documentation
> >claims as they make both volumes read-only immediately
> >after a write that would have damaged the hidden volume,
> >they preserve plausible deniability. I seriously doubt
> >the validity of that. Looks more like their will
> >be truncated files and metadata that indicates a
> >setting to read-only. If, for example, the disk this is
> >on has no CRC or other errors in its SMART log, then
> >a device suddenly set read-only is not plausible.
> >
> >Added a warning about this as well in the man-page.
> >
> >Arno
> Maybe this is a bit nit-picky, but as is I think the man entry goes
> too into too much detail as to why and doesn't make clear enough as
> to what is going to happen. IMO, it should just clearly state
> something to the effect of "There is no protection of hidden
> volumes. If you mount a TrueCrypt outer volume and write to it,
> expect data in the hidden volume to be lost." and maybe a brief
> blurb about how the secrecy of hidden volumes is questionable. The
> rest of the information can go into the FAQ or somewhere.

I thought about this. But the problem is that when security
properties are concernet, the intuition of many people fails.
For this reason I like to be a bit more verbose in the man-page 
than strictly needed.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare