Is a normal TrueCrypt partition indistinguishable from random data? (Does it pass a χ² randomness test?)

3

If I encrypt an entire partition with TrueCrypt (a standard volume, not a hidden volume), would the partition look statistically indistinguishable from random data?

Or would someone be able to prove (possibly using a chi-square test) that the data is indeed not random?

user541686

Posted 2012-01-28T23:38:08.690

Reputation: 21 330

Answers

3

No, it can be distinguished from random data. However, it probably doesn't matter in practice.


There's an interesting article here that explains some of the typical properties of a TrueCrypt container:

  • The suspect file size modulo 512 must equal zero.
  • The suspect file size is at least 19 KB in size (although in practice this is set to 5 MB).
  • The suspect file contents pass a chi-square distribution test.
  • The suspect file must not contain a common file header.

It talks about the program TCHunt, which was specifically designed for finding TrueCrypt containers. One of the properties is that it passes a chi square test. However, the modulo 512 operation gives more clues, and obviously, only passing a chi square test doesn't mean it's totally random data:

Truecrypt volumes, which are essentially files, have certain characteristics that allow programs such as TCHunt to detect them with a high probability. The most significant, in mathematical terms, is that their modulo division by 512 is 0.

slhck

Posted 2012-01-28T23:38:08.690

Reputation: 182 472

I think either I'm misunderstanding something or you are misunderstanding something. :-) How is the file size modulo 512 being zero a sign of a TrueCrypt partition? Aren't all partition sizes mod 512 equal to zero nowadays? Or were you talking about file containers instead? – user541686 – 2012-01-29T00:16:21.497

It will find partitions, embedded files, even TrueCrypt embedded in whole hard drives — even that is proof alone that it's somehow distinguishable. I'm not sure on the algorithmic details exactly, or why that should work, but the fact that it does work is enough for me :) And of course, it will find false positives, e.g. other files with pure random data. – slhck – 2012-01-29T09:41:41.260

For the benefit of others: At the time that I write this, Trend Micro is blacklisting apparently the entirety of 16 Systems' WWW site, and the 16s.us. hyperlink in this answer leads to a warning page about malware hosting, fraud, or scams on machines with Trend Micro Internet Security installed and running. – JdeBP – 2012-01-29T18:27:26.963

I believe this is incorrect. From the TCHunt FAQ: "Note: If the encrypted volumes are hidden among /dev/urandom created files via dd, they will not stand out." – tlrobinson – 2012-07-12T19:04:11.573

@tlrobinson Interesting, good to know – but if it wasn't possible to find those volumes, why would TCHunt exist? – slhck – 2012-07-12T19:06:41.367
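
The four properties listed in the answer, written out as a check over a byte buffer (an added example, not TCHunt's code and not code from the original posts). The magic-number list, the two-sided acceptance window with its z = 4.0 tolerance, and all helper names are assumptions; the sample data is constructed.

```python
import hashlib
import math

MIN_SIZE = 19 * 1024   # minimum size quoted in the answer
SECTOR = 512           # size must be a multiple of this
# Assumption: a few well-known magic numbers; the page does not list TCHunt's.
KNOWN_HEADERS = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\x7fELF", b"\xff\xd8\xff")

def chi_square(data: bytes) -> float:
    """Pearson chi-square statistic of byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def chi_bounds(z: float = 4.0, df: int = 255):
    """Two-sided acceptance window from the Wilson-Hilferty approximation.
    z = 4.0 is an assumed tolerance, not a value from the page."""
    k = 2 / (9 * df)
    return tuple(df * (1 - k + s * z * math.sqrt(k)) ** 3 for s in (-1, 1))

def check_candidate(data: bytes) -> dict:
    """Evaluate the four listed properties; 'candidate' is True only if all hold."""
    lo, hi = chi_bounds()
    result = {
        "size_mod_512": len(data) % SECTOR == 0,
        "min_size": len(data) >= MIN_SIZE,
        # Two-sided: data that is *too* uniform is rejected as well.
        "chi_square": len(data) > 0 and lo <= chi_square(data) <= hi,
        "no_known_header": not data.startswith(KNOWN_HEADERS),
    }
    result["candidate"] = all(result.values())
    return result

def pseudo_random(n: int) -> bytes:
    """Constructed sample: SHA-256 in counter mode, standing in for ciphertext
    or for a file written from /dev/urandom."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

if __name__ == "__main__":
    samples = {
        "random-looking, 32 KiB": pseudo_random(32768),
        "same, with PDF magic": b"%PDF" + pseudo_random(32764),
        "text, 32 KiB": b"the quick brown fox " * 1638 + b"pad!pad!",
    }
    for name, blob in samples.items():
        print(name, check_candidate(blob))
```

A buffer of plain pseudo-random bytes satisfies all four checks, which is the false-positive case the comments mention: the heuristics flag "high-entropy, header-less, sector-aligned" data, not TrueCrypt specifically.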