
I am a student attempting to understand the mechanisms of the open source cryptography software http://www.truecrypt.org/ . In TrueCrypt there is a user-created key and/or keyfile, as well as a program-generated master key. I would like a link to, or a better semi-technical explanation of, how this user-created password unlocks the header file. I have read the TrueCrypt docs at http://www.truecrypt.org/docs/?s=technical-details , [I would post more but new users are only allowed two links] , and the rest of the TrueCrypt documentation. I would like an explanation at a high level of how the password unlocks the header files, and as a sidebar, how the salt helps to prevent rainbow attacks.

Sorry for adding to the question so frequently, but I realize the main heart of the question is this. I am trying to figure out how the password is changeable. To do this, I need to understand how the header key relates to the master key, because you can change the header key, yet only certain header keys will work with your master key. The header key must be used to create the master, yet you can choose an arbitrary password that will create a header key that will also work with the master key.

Shane Chin
  • More specifically, is the header key == to the user key after PBKDF2 and salt? http://www.truecrypt.org/docs/?s=header-key-derivation says that the salt is unencrypted? Is it really that difficult to add the unencrypted salt to your rainbow table and try again? I'm not sure how adding the salt translates to if "512-bit salt is used, which means there are 2^512 keys for each password." – Shane Chin Jun 27 '11 at 16:07
  • I found http://forums.truecrypt.org/viewtopic.php?p=62826#62826 to be a very helpful less technical explanation. – Shane Chin Jun 27 '11 at 16:08
  • Rainbow tables are useful for precomputation. If every password you want to crack has a unique salt, you'd either need to compute a new rainbow table each time (which is pointless, since it's more work than just attempting to crack the password directly), or you'd need an absurdly big rainbow table which incorporates all possible salt values (which is impractical). – Nick Johnson Jun 28 '11 at 03:26

1 Answer

TrueCrypt takes your password and passes it through PBKDF2. It's like a hash function, but takes much longer, and is slower - to slow down brute force attacks. Similar password-derivation algorithms are bcrypt and scrypt. These three are the 'big three' when it comes to 'hashing' passwords - anything else, like a simple SHA-1 or MD5 of a password, is generally too fast to be safe. Attackers can run brute force attacks against simple hashes like SHA-1 very quickly. PBKDF2, bcrypt, and scrypt are much slower.

But, theoretically you could make a rainbow table against PBKDF2, bcrypt, and scrypt with the parameters used (each has some optional parameters). The salt TrueCrypt uses is designed to defend against that.

http://www.truecrypt.org/docs/header-key-derivation is the main reference for this.

More specifically is the header key == to the user key after PBKDF2 and salt?

I believe the derived-from-password key is used to decrypt the header, which contains the master key. This way you can change your password just by re-encrypting the master key with a new password.

truecrypt.org/docs/?s=header-key-derivation says that the salt is unencrypted? Is it really that difficult to add the unencrypted salt to your rainbow table and try again?

Building a rainbow table is difficult, I think as difficult as brute-forcing, but I'm not sure. They're in the same ballpark though. So the threat model you're thinking of, "I should encrypt my salt!", doesn't really come into play. Plus, you need the salt to derive the key, to decrypt the block, to get the salt. Chicken and the Egg.

I'm not sure how adding the salt translates to if "512-bit salt is used, which means there are 2^512 keys for each password."

They mean a password of "password" actually has 2^512 combinations: password0000001, password0000002, password0000003 and so on.

Tom Ritter
  • More specifically, is the header key == user input key? [after PBKDF2 and salt] – Shane Chin Jun 27 '11 at 15:37
  • AFAIK, the only problem here is that the salt is plaintext, so anyone who has the encrypted volume has the salt, so there's no chicken and the egg problem, just your initial problem of creating the rainbow table in the first place. – Shane Chin Jun 27 '11 at 17:41
  • Sorry for adding to the question so frequently, but I realize the main heart of the question is this. I am trying to figure out how the password is changeable. To do this, I need to understand how the header key relates to the master key, because you can change the header key, yet only certain header keys will work with your master key. – Shane Chin Jun 27 '11 at 17:54
  • Got it, header key encrypts master key, with swap master key is unencrypted, encrypted with new key and swapped back in. Thanks for your help! – Shane Chin Jun 27 '11 at 18:26
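
The header-key / master-key relationship worked out in the answer and comments above, as an added example that is not part of the original thread and is not TrueCrypt's code. The header layout is simplified, and an HMAC-SHA-512 counter keystream stands in for the real block cipher so the sketch runs on the Python standard library alone; the function names, the `MAGIC` marker and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SALT_LEN = 64       # 512-bit salt, stored unencrypted at the front of the header
ITERATIONS = 1000   # illustrative PBKDF2 iteration count (assumption)
MAGIC = b"TRUE"     # marker used to recognise a successful decryption (simplified)

def header_key(password: bytes, salt: bytes) -> bytes:
    """Derive the header key from the password and the plaintext salt."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=64)

def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (NOT the real one): XOR with an HMAC-SHA-512 keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha512).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], pad))
    return bytes(out)

def create_header(password: bytes, master_key: bytes) -> bytes:
    """Wrap the random master key under a key derived from the password."""
    salt = os.urandom(SALT_LEN)  # fresh salt for every header
    return salt + _xor_keystream(header_key(password, salt), MAGIC + master_key)

def open_header(password: bytes, header: bytes):
    """Return the master key, or None if the password does not fit."""
    salt, wrapped = header[:SALT_LEN], header[SALT_LEN:]
    body = _xor_keystream(header_key(password, salt), wrapped)
    return body[len(MAGIC):] if body.startswith(MAGIC) else None

def change_password(old: bytes, new: bytes, header: bytes) -> bytes:
    """Unwrap with the old password, re-wrap with the new one.
    The master key, and so every data sector encrypted under it, is unchanged."""
    master_key = open_header(old, header)
    if master_key is None:
        raise ValueError("old password does not unlock this header")
    return create_header(new, master_key)

if __name__ == "__main__":
    master = os.urandom(64)  # generated once at volume creation, never derived from the password
    hdr = create_header(b"first passphrase", master)
    hdr2 = change_password(b"first passphrase", b"second passphrase", hdr)
    print(open_header(b"second passphrase", hdr2) == master)  # same master key
    print(open_header(b"first passphrase", hdr2))             # old password no longer fits
```

Because the salt is an input to the derivation, the same password produces an unrelated header key for every header, which is why a table precomputed without the salt does not apply.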