Advertisement
Guest User

Untitled

a guest
Jan 16th, 2019
178
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.12 KB | None | 0 0
  1. Press J to jump to the feed. Press question mark to learn the rest of the keyboard shortcuts
  2. Search r/crypto
  3. User account menu
  4. Join the discussion
  5. BECOME A REDDITOR
  6. Posted byu/Black51
  7. Is it likely police would be able break through the Bitlocker encryption on my computer hard drives if they really wanted to?
  8. There's a chance I might be under investigation by the police in the future here in Canada and I'm wondering if my computer data would be safe from them or not being encrypted with Bitlocker drive encryption.
  9. If Bitlocker isn't very good, is there a better alternative i should use instead? I need my hard drive data to be safe from police.
  10. edit: spelling
  11. This thread is archived
  12. New comments cannot be posted and votes cannot be cast
  13. edited 3 years ago
  14. I do not trust Microsoft bitlocker from a nation state. It is very likely that Microsoft could assist law enforcement upon request.
  15. If your data was not previously encrypted, you will need to securely wipe your harddrive with a Gutmann 35 pass wipe. Darik's Boot And Nuke should assist in this. After securely wiping disk, then encrypt before transferring files back over. Then securely wipe the media you used to transfer the data. Note that if you have a hybrid or solid state disk then you are better off physically destroying the disc and disposing in area not associated with you if it has ever had incriminating unencrypted data on it. This is because solid state disks have what is called wear leveling so the previous data written to that disk may not be deleted.
  16. For Windows, Veracrypt is what I recommend, also look into the hidden partition feature which will let you have plausible deniability and decoy data if ever forced to reveal password. For high paranoia you could give the decoy partition a weaker password than the hidden partition so if an adversary tries do decrypt your computer they will decrypt the fake data instead of the real data. For encryption use very long and strong passphrase, do not be like that hacker that had his computer decrypted because he used the password "chewy" which was the name of his cat and a weak passphrase to encrypt his computer. Use very long string of words, letters, characters symbols etc..
  17. For linux, LUKS encryption is good, most distros have LUKS whole disc encryption feature as an option during installation.
  18. For linux computers another option for higher security or if afraid of forgetting your decryption passphrase could use the Gnupg G10code smartcard from www.kernelconcepts.de so you can encrypt your harddrive with smartcard so you have equivalent of strong crypto key with only having to remember a pin code. If incorrect pin entered too many times the card containing the key self destructs. If go this route be sure to change both the admin and the standard pin, use 4096 length key, and initialize on airgap computer or live system so malware does not intercept the pin code.
  19. Also keep in mind encrypted computers have 3 main attack vectors you will want to protect from.
  20. Attack vector #1 - RAM dump and cold boot Always keep your encrypted computer completely powered off when not in use, if your computer gets snagged when it is not completely powered off the adversary can examine the RAM for the crypto keys. With older computers using DDR2 RAM or older takes a while for the RAM to flush after computer has been powered off. With newer computers that have DDR3 RAM the RAM flushes out much faster. Use DDR3 RAM or later if possible. If the computer needs to remain powered on when you are away from it, I could design system that would allow computer to detect intrusion of someone other than you then immediately cut off power.
  21. Attack vector #2 - "Evil Maid Attack" This attack vector takes place when computer is out of your sight and an adversary tampers with the computers hardware or software to intercept your decryption key next time you use it. The only real way to defend from this is with either surveillance system, or to carry your computer with you at all times. Another precaution could be to use a boot disc to recursively calculate the sha256sum of the bootloader to audit bootloader if you suspect something strange, or to carry the bootloader on a thumb drive on your keychain. This technique of routine bootloader auditing or carrying the bootloader on you will only detect tampering of the operating system, it will not detect tampering of the BIOS or hardware. This is why I say keeping eye on the hardware 24/7 is the better option. Or do both for higher security.
  22. Attack vector #3 - "Shoulder surfing" You may have the best encryption and strongest passphrase there is, but if any person or camera watches you type in your decryption passphrase then game over. To protect from this use folding cardboard cover to cover the keyboard and hands when typing in decryption passphrase.
  23. I can offer security consulting, design solutions, or elaborate or simplify anything if you ask.
  24. edited 3 years ago
  25. tldr; Yes, and not just bitlocker but just about any other crypto implementation. Most people are not capable of sustaining a defense against something like a police force using everything the DHS, Feds, etc.. will give them to break into your data. They are extremely persistent and adamant that they have every right to do whatever it takes once they get that thought into their heads.
  26. The thing that protects most citizen's privacy is the cost of doing it. But if they had reason to target you, then very likely they will break through it through a myriad of ways even without having to break the crypto.
  27. edited 3 years ago
  28. I'd still recommend TrueCrypt.
  29. It's been thoroughly audited, and no backdoors have been found.
  30. You'll need 7.1a (as 7.2 was the final release that was read-only).
  31. Versions 7.1a are available here from grc.com:
  32. https://www.grc.com/misc/truecrypt/truecrypt.htm
  33. Look into the "hidden volume" feature (plausible deniability).
  34. Edit: 7.1a, not 7.1
  35. Indeed, I stand corrected. 7.1a
  36. Veracrypt is even better. They're improving Truecrypt.
  37. https://veracrypt.codeplex.com/
  38. For the inevitable naysayers: please watch this interview with the lead dev first.
  39. For data at rest, I reccomend TrueCrypt. I'll let others here comment on whether or not they agree.
  40. Importantly, if you may be under investigation, you should be shutting down your computer whenever you aren't using it. Don't leave it on. If they get your machine while it's turned on they have a LOT more to work with.
  41. Any reason why you recommend TrueCrypt instead of VeraCrypt?
  42. The Truecrypt code has been audited and nothing major was found
  43. I would recommend Veracrypt which is a maintained continued fork of TrueCrypt.
  44. "Recently, researchers from Google’s Project Zero team uncovered a pair of elevation of privilege vulnerabilities in TrueCrypt, both of which were patched this weekend in VeraCrypt - See more at: https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/#sthash.HcXEZH1U.dpuf"
  45. Source: https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/
  46. Those elevation privileges are for Windows only. And you shouldn't be using Windows or anything closed source if you're concerned about governments getting access to your data. Jumping to an unaudited fork over a minor issue is stupid.
  47. Comment deleted by user
  48. "What truly matters is not what brand of condom one uses, but that one uses a condom at all."
  49. -Sum Waiss Gai, 2015 C.E.
  50. Unless one brand of condoms break when the other does not.
  51. I wouldn't use condoms that someone poked a hole in or that came from a shady business, but as long as it comes from a reputable source that isn't out to get me out or doing things improperly, it's mostly a matter of aesthetics.
  52. I'm a bit late for the party, but I've seen that they've stopped its development. Is it still safe?
  53. I haven't been following VeraCrypt -- it may be great software, but because I'm not familiar with it I wouldn't feel comfortable recommending it. I know TrueCrypt has been thoroughly audited recently and the results were pretty good. I don't know how much the VeraCrypt fork differs from the code that was audited.
  54. ThrobbingMeatGristle
  55. edited 3 years ago
  56. The Bitlocker design in Vista had a thing called the Elephant Diffuser which helped mask the underlying patterns one finds on a disk and thus avoided any weakening of the end result (this is not an exact description, but it will probably do).
  57. The point is that this added layer was removed in versions for later versions of windows - conclude from that what you will.
  58. I go along with recommendations for TrueCrypt and Full Disk Encryption. I suggest using a Yubikey to hold all but say 16-20 chars of your password entered at boot time (so its what you remember and what you have) but the password is ridiculously long to the attacker. Obviously dont keep the Yubikey and the computer in the same place until you are booting and then unplug it after.
  59. Why is everyone recommending truecrypt over veracrypt? I recently switched to veracrypt, should I switch back?
  60. ThrobbingMeatGristle
  61. It depends... from what I have read it breaks down a bit like this...
  62. Are you mounting file based images as drives a lot? Stick with Veracrypt because the recent fixes probably affect you as you are using drive letters created via Veracrypt which patched some elevation type vulns.
  63. Are you doing FDE at boot time - if so why change from something that works well and has been really well tested ?
  64. I mainly use Truecrypt to do boot time FDE thats why I have not changed. I know my system is secure when it is powered down and locked away and only I will be able to boot it.
  65. I sometimes use Truecrypt to mount a 2Tb external USB that has been fully encrypted. For that I use a keyfile stored on a Smartcard and I use a quarantined machine.
  66. ThePooSlidesRightOut
  67. Have a look at this PDF:
  68. Bypassing Local Windows Authentication to Defeat Full Disk Encryption, by Ian Haken, November 12, 2015:
  69. https://www.blackhat.com/docs/eu-15/materials/eu-15-Haken-Bypassing-Local-Windows-Authentication-To-Defeat-Full-Disk-Encryption-wp.pdf
  70. Use whole disk encryption like Veracrypt, with a strong password. Never use sleep mode. Encryption starts to protect your data a few seconds to minutes after shutdown.
  71. Only when powered off and if you don't back up the keys in Microsoft's cloud and if it doesn't use a backdoored TPM
  72. Even then I hesitate to trust BitLocker because of Microsoft's relationship with the NSA. It's completley possible BitLocker is compromised.
  73. Comment deleted by user
  74. Comment deleted by user
  75. I have heard that Microsoft copies users keys to their servers now.
  76. Comment deleted by user
  77. I don't exactly how to put this, but I'll try. From a technological perspective, there may or may not be a weaknesses in BitLocker and various levels of police agencies may or may not have access through these weaknesses. More importantly, however, is the moral question of whether you actually have something to hide. I can assure that if you have something to hide, it will certainly be found out, irrespective of encryption, technology, exploits and all that crap. The "how" is irrelevant. It's the "what" that actually matters.
  78. COMMUNITY DETAILS
  79. Cryptography is the art of creating mathematical assurances for who can do what with data, including but not limited the classical example of encrypting messages so that only the key-holder can read it. Cryptography lives at an intersection of math, programming, and computer science. This subreddit covers the theory and practice of modern and *strong* cryptography, and it is a technical subreddit focused on the algorithms and implementations of cryptography.
  80. R/CRYPTO RULES
  81. Crypto review requests must explain the algorithms
  82. Challenges and puzzles must use modern crypto
  83. Don't flood the sub with duplicate posts
  84. Stick to the topic of cryptography, NOT currency
  85. Maintain high quality & accuracy, don't mislead
  86. Don't cheat on challenges or tests!
  87. Link directly to the original (with exceptions)
  88. RELATED SUBREDDITS
  89. 283,874 subscribers
  90. 401,274 subscribers
  91. 16,408 subscribers
  92. r/cryptography
  93. 18,019 subscribers
  94. r/shittycrypto
  95. 358 subscribers
  96. 386 subscribers
  97. GUIDELINES FOR /R/CRYPTO
  98. This sub is for cryptography, NOT cryptocurrency.
  99. RULES (along with reddiquette)
  100. Assume good faith & be kind. This is a friendly subreddit.
  101. Codes, simple ciphers, ARGs, and other such "weak crypto" don't belong here. If a desktop computer can break a code in less than an hour, it's not strong crypto. See /r/codes. This includes cracking challenges.
  102. Do not ask people to break your cryptosystem without first sharing the algorithm. Sharing just the output is like...
  103. Familiarize yourself with the following before asking about a novel cryptosystem:
  104. Kerckhoffs's principle
  105. Schneier's Law
  106. Don't use this sub to cheat on competitions or challenges!
  107. Systems that use crypto are not necessarily relevant here.
  108. Our wiki pages
  109. Threads on starting in crypto one & two
  110. Thread of crypto links - older thread
  111. Our monthly cryptography wishlist threads!
  112. Cryptology ePrint archive
  113. Freenode IRC:s ##crypto - (IRC protocol URL)
  114. Metzdowd cryptography mailing list
  115. Randombit cryptography mailing list
  116. VIEW ALL MODERATORS
  117. The Reddit App
  118. Reddit Premium
  119. Content Policy| Privacy Policy
  120. User Agreement| Mod Policy
  121. © 2018 Reddit, Inc. All rights reserved
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement