TurboCrypt is the only OTFE (On-The-Fly-Encryption) software on the market that resists a ciphertext-only attack on volume image files and their backups. The attack described here REQUIRES NO KNOWLEDGE OF THE KEY!!!
Introduction
OTFE (On-The-Fly-Encryption) software usually employs AES or some other symmetric cipher in ECB (Electronic Code Book) mode with block count. TrueCrypt employs this method, as well as two more elaborate methods: LRW mode (AES cipher and Galois field multiplication) and XTS, which is XEX-based (Xor-Encrypt-Xor) Tweaked CodeBook mode with CipherText Stealing.
The key is initialized only once. For every 128-bit block, a bit pattern representing the block number is basically added prior to encryption (for LRW and XTS, more operations are executed, but the principle holds). The methodology works pretty well and security is very high.
The following two pictures show plaintext and ciphertext. The ciphertext alone seems not to leak any information about the plaintext.
Left side: sample image, reduced to 4 colors / right side: AES-encrypted image with block count incremented by 1 for each 4x4 pixel block.
Ciphertext-only attack on backups of volume image files requiring NO knowledge of the key
If a volume file is copied and the original copy is used to encrypt data while the other copy contains known plaintext (e.g. all zeros), it is possible to simply subtract data bits with identical bit positions in the two files from each other. This attack requires NO knowledge of the key used for encryption and it applies to ECB Mode (Electronic Codebook), Counter Mode (CM), Galois/Counter Mode (GCM), LRW, XEX, XTS, as well as CBC-based modes of disk encryption applications (OTFE).
It is very easy to unveil large parts of the sample image. All that is needed is the ciphertext of the sample image and the ciphertext of an image with a uniform color. I’ve used white color to demonstrate the attack. The two images below are simply created by subtracting (respectively multiplying) the color of each pixel that is located at the very same position in the two ciphertext images.
Left side: encrypted image minus encrypted image with all white pixels (subtraction) / right side: encrypted image multiplied with encrypted image with all white pixels.
Which disk encryption products are affected by this attack?
Generally all disk encryption programs that are available on the market seem to contain this security hole !!!
The attack was proved for a number of popular and commercially available OTFE software packages. Old versions of TurboCrypt are affected as well for data areas with identical plaintexts larger than 512 bytes.
The reason why many or probably all on-the-fly encryption (OTFE) software packages are affected is easy to explain. Two or more volumes with the same encryption key that host the same data (plaintext) inevitably contain the same ciphertext. The following figure shows how encryption of sectors on a disk generally works:
On both independent encrypted volumes there shall be two identical plaintexts encrypted with an identical key.
OTFE software has no information other than the key and the sector number with which to encrypt gigabytes of data. So that a static plaintext does not always yield the same ciphertext, the sector number and the number of the block within the sector are both added to the key, or this information is logically combined with the plaintext prior to the encryption process. Both methods can be applied likewise. No information about the plaintext or the key will leak at all.
The problem starts when creating a copy of volume 1. Volume 2, which is the copy of volume 1, may subsequently be used to store large pictures containing big areas with a uniform color. Volume 1 may contain data (e.g. pictures) containing blocks with the same bit pattern (= color). It is only natural that identical plaintext on volume 1 is encrypted into the very same ciphertext as on volume 2 if the data resides on sectors with the same sector number.
If the key for both volumes is identical – and one can be sure that it is for all copies of a volume file – this attack can be mounted very easily. There is nothing that can be done against this inherent weakness on the encryption level.
How is this weakness avoided in TurboCrypt?
All TurboCrypt versions from 2008 and later are equipped with two measures that close the security hole if users follow one simple rule: Let the encryption software create copies of volume image files.
Measure 1:
Creation time and date are stored in the volume image file. File dates and times are compared against the data stored inside the encrypted volume during creation. If a user does not follow the rule and copies an image file with Windows Explorer for backup purposes, the operating system changes the creation time (and the last access time as well) for the copy. Using the copy is potentially insecure due to the attack described before. When mounting this backup with TurboCrypt, file times will not match the memorized creation time of the original image. The user will be warned by TurboCrypt.
Measure 2:
TurboCrypt creates backups of volume image files. If users keep this rule in mind, 100% security can be guaranteed. TurboCrypt selects a new disk key for each backup. If disk keys differ between all copies of an image file, it is absolutely impossible to yield any information other than noise when comparing ciphertexts against each other. The effect is visualized in the figure below:
Most or all OTFE software packages take advantage of disk keys. Changing passwords thus does not require re-encryption of an entire image file, and security does not suffer at all due to the fact that password encryption is performed using a one-time-pad. The user-selected key serves as the key for the encryption of the disk key, which is a true random number.
When creating a backup of a volume image file, TurboCrypt uses a new real random key in place of the original disk key in the backup of an image file. This methodology solves the previously described security problem entirely.
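The following added example (not TurboCrypt code and not from the original paper) illustrates both the weakness described above and the effect of Measure 2: it compares two volume images block by block, first with a shared disk key and then with a new disk key for the backup. The cipher is a toy Feistel construction built on HMAC-SHA256 that stands in for AES with a block count; the key, the sample plaintext and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit cipher blocks, as on the page

def encrypt_block(key: bytes, block_no: int, block: bytes) -> bytes:
    """Toy tweakable cipher: 4-round Feistel, HMAC-SHA256 round function.
    Stand-in for AES with a block count (assumption, not a real disk mode)."""
    tweak = block_no.to_bytes(8, "big")
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, tweak + bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def encrypt_volume(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt every block under the same disk key, tweaked by its position."""
    return b"".join(encrypt_block(key, off // BLOCK, plaintext[off:off + BLOCK])
                    for off in range(0, len(plaintext), BLOCK))

def matching_blocks(image_a: bytes, image_b: bytes) -> list:
    """Block numbers whose ciphertext is byte-identical in both images."""
    count = min(len(image_a), len(image_b)) // BLOCK
    return [n for n in range(count)
            if image_a[n * BLOCK:(n + 1) * BLOCK] == image_b[n * BLOCK:(n + 1) * BLOCK]]

def demo():
    white = b"\xff" * BLOCK                              # uniform colour block
    data = [bytes([i]) * BLOCK for i in range(1, 6)]     # constructed sample blocks
    original = b"".join(data[:2] + [white] * 3 + data[2:])  # white at blocks 2-4
    uniform = white * 8                                  # copy later filled with white
    disk_key = bytes(range(32))                          # constructed disk key
    volume1 = encrypt_volume(disk_key, original)
    plain_copy = encrypt_volume(disk_key, uniform)       # file copy: same disk key
    rekeyed = encrypt_volume(os.urandom(32), uniform)    # backup with new disk key
    return matching_blocks(volume1, plain_copy), matching_blocks(volume1, rekeyed)

if __name__ == "__main__":
    same_key, new_key = demo()
    print("same disk key, matching blocks:", same_key)
    print("new disk key,  matching blocks:", new_key)
```

With the shared disk key, the matching block numbers are exactly the positions where both volumes hold the same plaintext; with a new disk key for the backup, no block matches.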
Conclusion
A new ciphertext-only attack, which can be mounted easily by anyone who has access to encrypted volumes using identical keys, has been identified and described by us. The likelihood that all OTFE (on-the-fly encryption) software packages are susceptible to this kind of attack is close to 100%. Tests have shown that the majority of all commercially available OTFE (disk encryption) programs are susceptible to this attack.
All versions of TurboCrypt from 2008 and later contain two additional mechanisms that protect users so that security of their data will never be compromised as long as users follow the simple rule to let TurboCrypt create backups of their volume image files.
Developers of other OTFE products will most probably follow and implement similar countermeasures with time. To our knowledge, the described method is free of patents, and the author can confirm that he hasn’t applied for protection of this intellectual property.