Velocity Reviews


nemo_outis 07-12-2010 06:22 PM

Re: Newbie question: How secure is TrueCrypt 6.3a?
 
Richard Malchik <NoSpam@NoSiree.com> wrote in
news:5u9m365ml1gh1uoho58f9s68ssbmljncak@4ax.com:

> It obviously protects against neighborhood break-ins, but
> is it really secure against all others that may want access
> to financial records and writings and the like? Are there
> any "back-doors?"
>
> Richard



The short answer is: Yes, Truecrypt is secure (but see my
paranoid PS).

Truecrypt uses secure algorithms and methods and its source
code is available for inspection (although it isn't quite open
source).

You must understand that there are some things that software
encryption, no matter how good, cannot, by its very nature,
protect against, such as hardware keyloggers, video/acoustic
surveillance, evil maid attacks, firewire attacks, etc. And
the internet!
(Truecrypt only protects data "at rest" - if you're running
and online, you're as vulnerable as anyone else to Trojans,
viruses, etc.)

A few good practices:

1) BACK UP everything before encrypting. If you make a
beginner's mistake you don't want to find yourself locked out
of your own data. With encryption, backups are even more
important than for ordinary computing. CONFIRM you can restore
the backup (You'd be amazed how many backups turn out to be
worthless because they won't restore!) Later on when you're
experienced you will make frequent encrypted backups but at
the outset use plain unencrypted ones and keep them for a few
weeks/months at least.

2) Pick a strong password (or passphrase - diceware is also
good). And back up the Truecrypt header (i.e., make a rescue
disk).

3) Whole disk encryption is superior to container encryption
but there are more possibilities to shoot yourself in the foot
until you become experienced. Did I mention you should make a
backup?

4) Oh, and in case I forgot to tell you: Make a backup!

Regards,

PS I (as a certified paranoid :-) have many misgivings about
how trustworthy Truecrypt is and whether it contains
backdoors, etc. The authors are far too secretive for my
taste and I REALLY don't like the way they manage their
forums, purge code from the internet, etc.

But, at least on the face of it, Truecrypt is well done.

You only need to begin worrying about how trustworthy
Truecrypt is re backdoors, etc. if your activities are so
high-profile that you could be a target of major intelligence
agencies (NSA, etc.). Below that, you're bombproof.


Juergen Nieveler 07-12-2010 08:16 PM

Re: Newbie question: How secure is TrueCrypt 6.3a?
 
"nemo_outis" <abc@xyz.com> wrote:

> PS I (as a certified paranoid :-) have many misgivings about
> how trustworthy Truecrypt is and whether it contains
> backdoors, etc. The authors are far too secretive for my
> taste and I REALLY don't like the way they manage their
> forums, purge code from the internet, etc.
>
> But, at least on the face of it, Truecrypt is well done.
>
> You only need to begin worrying about how trustworthy
> Truecrypt is re backdoors, etc. if your activities are so
> high-profile that you could be a target of major intelligence
> agencies (NSA, etc.). Below that, you're bombproof.


As a benchmark - the FBI will at least CLAIM they're unable to crack
Truecrypt if you're a Brazilian criminal billionaire ;-)

http://www.theregister.co.uk/2010/06...ypto_lock_out/

--
Juergen Nieveler

nemo_outis 07-12-2010 08:26 PM

Re: Newbie question: How secure is TrueCrypt 6.3a?
 
Richard Malchik <NoSpam@NoSiree.com> wrote in
news:10om36hn7n6rr4vdi6dnic3ggvvifo7ujg@4ax.com:

> On Mon, 12 Jul 2010 18:22:06 GMT, "nemo_outis"
> From what you say, I don't attract any attention that is
> skilled enough to crack my PC's encryption. All my drives,
> including my boot drive, are 100% encrypted.



Pick a good password/passphrase. For Truecrypt (and any other
well-implemented AES encryption program) the only ways to
defeat it are 1) assorted trickery (evil maid, firewire,
trojan, video, etc.) and 2) cracking the password (NOT the
encryption algorithm).

Cracking most folks' passwords is **well within the range of
possibility** for a motivated adversary using only moderate
resources.

Full 256-bit equivalence (i.e., as strong as the underlying
AES-256 encryption) requires a password of about 45 RANDOMLY-
chosen characters (upper & lower case) - impossible for most
mortals to remember.

But don't go lower than, say, 11 random characters. (64-bit
equivalence or so). I assume (using Moore's 24-month law)
that decrypting power will increase by one bit each 2 years so
this has some small "futurity" reserve (perhaps a few decades)
against up to ordinary-power adversaries (say, local LEAs). A
64-bit password ISN'T enough against serious adversaries (the
kind who have supercomputers :-)

Or go the diceware route for a good tradeoff between security
and memorability.
http://world.std.com/~reinhold/diceware.html

Regards,
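
Added example (not part of the original posts): the password-strength arithmetic from the post above, worked through in Python for random upper/lower-case letters and for Diceware, together with generators that draw from the OS CSPRNG. The function names and the `adversary_bits_today` figure are assumptions made for illustration; the one-bit-per-two-years rate is the post's own assumption.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters   # 52 symbols: upper & lower case, as in the post
DICEWARE_WORDS = 6 ** 5          # 7776 list entries, one per five-dice roll

def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def symbols_needed(target_bits, alphabet_size):
    """Smallest number of random symbols giving at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def random_password(length, alphabet=LETTERS):
    """Password drawn uniformly from `alphabet` using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def diceware_rolls(words):
    """One five-dice key per word (e.g. '41236') to look up in a Diceware list."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(words)]

def reserve_years(password_bits, adversary_bits_today, years_per_bit=2):
    """Years before the search space is within reach, at 1 bit per 2 years.

    adversary_bits_today is a hypothetical estimate of what the adversary
    can brute-force now; it is not a figure from the thread.
    """
    return max(0, (password_bits - adversary_bits_today) * years_per_bit)

if __name__ == "__main__":
    print("letters for 256 bits:", symbols_needed(256, len(LETTERS)))
    print("bits in 11 letters:  ", round(entropy_bits(11, len(LETTERS)), 1))
    print("diceware words for 64 bits: ", symbols_needed(64, DICEWARE_WORDS))
    print("diceware words for 256 bits:", symbols_needed(256, DICEWARE_WORDS))
    print("sample 11-letter password:", random_password(11))
    print("dice keys for 5 words:", diceware_rolls(5))
    # Constructed scenario: adversary can search 2**50 keys today.
    print("reserve (years):", round(reserve_years(entropy_bits(11, 52), 50), 1))
```

These figures hold only when every character or word is chosen at random; a human-chosen password of the same length carries far less entropy than the formula reports.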


