scottp99

join:2010-12-11
reply to Brano

Re: Truecrypt question

Ok, how about if I encrypt my whole USB Flash drive key? Would that have any leaks too? If yes, then I will go with full drive HDD encryption. And one more question, is RIPEMD-160 safe enough with AES-256 for whole drive local HDD or USB encryption?

Also, I am backing up my OS drive as we speak (before the encryption process) in case something gets "hosed"....

Thanks again.



sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

The only ways to be sure are whole-disk encryption and booting off a liveusb/cd.

"Portable" software can be used, but some of it leaves traces, some doesn't. Most of the software on portablefreeware.com is marked whether it does or not. LibreOffice Portable is stealthy, according to them. GnuCash portable isn't.
--
Think Outside the Fox.


scottp99

join:2010-12-11

3 edits

Now wait a second here. Look at this.
It's now telling me that it does not support SHA-512 when creating a whole full system HDD disk encryption.
Now this is very very odd. However, when I created the virtual encrypted TC container volume, it did allow me to select the SHA-512 option. But why doesn't it support this when creating a whole system disk encryption?

It does however support this only for Standard TC virtual Volumes, but NOT for whole system encryption.

Is RIPEMD-160 secure enough? Because it will not support Whirlpool either.

If this is the case, then shame on TC. Because I really tend to lean more on SHA-512 which is approved by the NSA and NIST standards of compliance.

scottp99

join:2010-12-11

What if I just only do a full USB flash drive encryption instead of encrypting the local HDD? Is this better or it can still leak data even when you encrypt the entire USB flash drive?

When creating an entire full USB disk encryption, at least I'm able to select the SHA-512 option.



Ian
Premium
join:2002-06-18
ON
kudos:3
reply to scottp99

said by scottp99:

You see, I just don't like to have a whole disk encryption because I am afraid that would "hose" my system partitions and that sort of stuff. I had read horror stories of people encrypting their entire HDDs and having some issues along with it, not to mention not backing up data before encrypting.
But this was not with TC, some other program.

I'm having trouble seeing a large distinction between the danger of disk damage to your entire drive (encrypted) and damage to your entire drive (unencrypted), or for that matter to your Truecrypt container.

In both cases, if the contents are important enough to encrypt, wouldn't they be important enough to properly back up? I would back up your whole system with a drive-mirroring application, try out your new scheme and verify your backup method.

said by scottp99:

Is RIPEMD-160 secure enough? Because it will not support Whirlpool either.

If this is the case, then shame on TC. Because I really tend to lean more on SHA-512 which is approved by the NSA and NIST standards of compliance.

The hash function is not about how it's encrypting your files, it's about how Truecrypt is storing your password.

As a hash algorithm, both SHA-512 and RIPEMD-160 have been shown to be "vulnerable" to a collision attack. A collision attack is the theoretical creation of two identical messages with the same hash value. And if that's troubling....so has WHIRLPOOL. But they vary in the complexity of the attack. And SHA-512 has been shown to be vulnerable to a pre-image attack, whereas RIPEMD-160 has not. I'm really not sure why Truecrypt isn't letting you hash your password with SHA-512. Works for me. Licensing? Patent? Not sure.

But that's deliberately creating two messages with the same hash value. As a practical consideration finding a message (password2) that has the same hash value as the unknown message to the attacker (your actual password) is no easier than simply guessing your actual password under those hash functions.

So brute-forcing your password, assuming a hacker wanted to, is no easier or harder under any of the three hashing schemes in my opinion. And assuming you picked a good password, it would require trillions of centuries on a super-computer to do so.

Easier for the hacker to install a key-logger on your system, a hidden camera, or to bash you over the head until you told him (or her) the password.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong
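Ian's point above, that the hash choice only governs how the password is turned into a key, as an added Python model (not TrueCrypt's code, and not from this thread): the chosen hash feeds PBKDF2 to derive a header key, that header key unwraps a random master key, and the data is encrypted under the master key, so swapping RIPEMD-160 for SHA-512 changes the header wrapping and nothing about the data ciphertext. Assumed: an HMAC-SHA256 keystream stands in for AES (the standard library has no AES), and the iteration counts are illustrative rather than TrueCrypt's.

```python
"""TrueCrypt-style keying, as an added illustration (not TrueCrypt's code).
PBKDF2-HMAC with the chosen hash (RIPEMD-160 or SHA-512) derives a header
key; that key wraps a random master key; the master key encrypts the data.
Assumed: HMAC-SHA256 counter mode stands in for AES (no AES in the standard
library), and the iteration counts are illustrative, not TrueCrypt's.
"""
import hashlib
import hmac
import os

# Assumed values. Note: "ripemd160" needs OpenSSL's legacy provider and may
# raise ValueError on newer Python builds; "sha512" is always available.
ITERATIONS = {"ripemd160": 2000, "sha512": 1000}

def derive_header_key(password: bytes, salt: bytes, hash_name: str) -> bytes:
    """The only step where the hash choice matters: PBKDF2-HMAC-<hash>."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, ITERATIONS[hash_name], 32)

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (NOT AES): XOR with an HMAC-SHA256 counter stream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, label + off.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def create_volume(password: bytes, hash_name: str, master_key: bytes, plaintext: bytes) -> dict:
    """Header = salt, wrapped master key, check tag; data is under the master key."""
    salt = os.urandom(64)
    header_key = derive_header_key(password, salt, hash_name)
    wrapped = keystream_xor(header_key, b"hdr", master_key)
    tag = hmac.new(header_key, wrapped, "sha256").digest()[:16]
    return {"salt": salt, "wrapped": wrapped, "tag": tag,
            "data": keystream_xor(master_key, b"dat", plaintext)}

def open_volume(password: bytes, hash_name: str, volume: dict):
    """Plaintext on success; None when the password or hash choice is wrong."""
    header_key = derive_header_key(password, volume["salt"], hash_name)
    tag = hmac.new(header_key, volume["wrapped"], "sha256").digest()[:16]
    if not hmac.compare_digest(tag, volume["tag"]):
        return None
    master_key = keystream_xor(header_key, b"hdr", volume["wrapped"])
    return keystream_xor(master_key, b"dat", volume["data"])
```

Creating the same volume twice with different passwords yields identical data ciphertext and different headers, which is the whole of what the hash selection affects.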

scottp99

join:2010-12-11

What about encrypting my whole entire USB flash drive rather than creating a separate TC container within the USB drive? Would that still leak some data when I open for example an Excel file from that fully encrypted USB flash drive?



Ian
Premium
join:2002-06-18
ON
kudos:3

said by scottp99:

What about encrypting my whole entire USB flash drive rather than creating a separate TC container within the USB drive? Would that still leak some data when I open for example an Excel file from that fully encrypted USB flash drive?

From what I can gather, as mentioned, Excel stores the temp files and auto-recover in the same directory as the original. So if they are kept in a Truecrypt container they are secure regardless of encrypting the whole USB key or not. This is an application specific thing of course.

The biggest weakness to Truecrypt or any encryption application is leaving the encrypted volume mounted. Passwords and/or keys can be recovered from memory if it is mounted.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong

scottp99

join:2010-12-11

1 recommendation

Well, in that case, I ALWAYS dismount whenever I am done editing or saving a file within that encrypted TC container.

So dismounting the USB device or volume container should not leave any traces of the encrypted files in plain view on my local HDD?



sbconslt

join:2009-07-28
Los Angeles, CA

If you're this concerned about traces of the sensitive files ending up elsewhere on the unencrypted areas of the drive - a completely legitimate concern - then you should encrypt the whole drive. That way you cover the pagefile, hibernation file (if any), temporary directories, etc., etc.

It's also operationally more convenient for you than managing (perhaps multiple) file-container volumes.
--
Scott Brown Consulting


scottp99

join:2010-12-11

Ok, fine. Since I have my OS image build, without any important data on it, if anything goes wrong with the encryption process, then I will just reimage my PC.

I just do not trust these encryption programs. If one does not know what they're doing, then their system can be "hosed".



sbconslt

join:2009-07-28
Los Angeles, CA

The full disk encryption procedure has certain protective safeguards built into it. For example, it tests the boot loader by making you reboot through it successfully before encrypting any drive contents. And, it forces you to burn and verify a rescue CD that gives you crisis workarounds like repairing a broken boot sector, removing encryption without having to boot into the OS, etc. All of this is required before a single block is encrypted.
--
Scott Brown Consulting


scottp99

join:2010-12-11

I always keep a clean OS image build without any important stuff on there just in case things go wrong.

One more question here - Is there any way for TC to automatically enable the NUMLOCK on my USB keyboard whenever the TC bootloader appears to enter the password?



sbconslt

join:2009-07-28
Los Angeles, CA

That's controlled from BIOS Setup, if anywhere.


scottp99

join:2010-12-11

So, I did it. Installed full disk encryption. So far not noticing any system slowness. I could have posted this thread on the TC Forums but they do not accept any Internet based emails.

I guess TC is adequate enough for me as opposed to WinMagic.
»www.winmagic.com/products/full-d···andalone

But thanks for the support on this.