WaywardGeek wrote:For example, it has a CRC-32 checksum rather than something stronger like SHA1 or better. There's a similar problem with the key files, which result in a CRC code rather than something stronger.
eaglgenes101 wrote:the initial derived key fails but has a recognisable pattern that encodes a method of stronger key derivation and its parameters. Then Ciphershed 7.3+ can recognise this pattern, read it, and go on with the stronger key derivation method to decrypt the drive.
“Hello,
First, thank you for reviewing our software–we really welcome and appreciate all independent reviews. It should be noted that when we designed the keyfile processing
algorithm, we had been very well aware of the properties of the CRC-32 algorithm that you mentioned in the document.
Below is our response to the attack you reported to us:
No matter what keyfile processing algorithm is used, if the attacker can modify the content of your keyfile before you create your volume, he can reduce the entropy/strength
of the keyfile. Just as you cannot allow an attacker to modify or prepare your password
when you create a volume, you cannot allow an attacker to modify or prepare your keyfile before you create your volume, either. Otherwise, if you do that, you cannot reasonably expect to have any security.
It is a basic security requirement that cryptographic keys (whether passwords, keyfiles,
or master keys) must be secret and unknown to attackers. Your attack violates this
requirement and is therefore invalid/bogus.
This is valid whether you use CRC-32 or HMAC-SHA-512, whether you use the TrueCrypt keyfile processing algorithm or something different.
Thank you again for taking the time to review our software. We hope that the mistakes
will be corrected before the review is published (publishing an invalid attack would be
misleading).
Sincerely,
David
PS - Even if the attack was valid (it is not) and a cryptographically secure hash
(such as HMAC-SHA-512) was used instead of CRC-32 (your suggested fix), the attacker
would still be able to 'crack' your keyfile by a comparatively short brute force attack
(it would only be slightly slower, as the attacker would merely have to find the correct keyfile among the thousands or millions of keyfiles he crafted).”
Users browsing this forum: No registered users and 1 guest