seNTry 2020 Volume Files Are Excessively Large
Written: 20th January 2000
Last updated: 22nd January 2000
Summary
When a seNTry 2020 volume is created, its ".raw" file may be larger than necessary. The excess data at the end of the volume can be detected by an attacker, which reduces the "plausible deniability" that the user would otherwise have over the volume.
Explanation
After being created, a seNTry 2020 ".raw" file will contain nothing; just 0x00's. As data is written to the volume, these 0x00's are replaced by the encrypted data.
From filling the encrypted volume with data, and then examining the volume file, it appears that not all of this file is used, and the excess portion of the file will still contain nothing but 0x00's, as it did when the volume was first created.
Because this excess part of the file is set to contain a repeating sequence of 0x00's, the user will have less "plausible deniability" than would otherwise be possible. An attacker examining such a volume may note that the bulk of the file contains a high degree of entropy, while the last few thousand bytes or so are simply set to 0x00's.
Demonstration
- Create a new seNTry 2020 volume
- Fill the volume with data (e.g. create a massive file that takes up all the free space, or run a free disk space shredder on the encrypted drive)
- Dismount the volume, and examine the ".raw" file with a hex editor
The volume file will contain a great deal of what appears to be random data. This is the data that you wrote to the disk in encrypted form. If you now take a look right at the end of this file, you may very well notice that you have a few thousand 0x00's. This indicates that not all of the volume is being used.
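The hex-editor check above can also be scripted when auditing your own dismounted volume file. The following is an added example, not the downloadable program mentioned on this page; the function names and the constructed sample file are assumptions of the example, and the entropy figure is only there to show the contrast with the 0x00 tail.

```python
import math
import os
from collections import Counter

CHUNK = 64 * 1024


def trailing_zero_run(path, chunk=CHUNK):
    """Return (file_size, length of the 0x00 run at the very end of the file)."""
    size = os.path.getsize(path)
    run, pos = 0, size
    with open(path, "rb") as f:
        while pos > 0:                      # walk backwards, one chunk at a time
            start = max(0, pos - chunk)
            f.seek(start)
            block = f.read(pos - start)
            stripped = block.rstrip(b"\x00")
            run += len(block) - len(stripped)
            if stripped:                    # non-zero byte found: run ends here
                break
            pos = start
    return size, run


def entropy_bits_per_byte(data):
    """Shannon entropy of a byte string: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit(path, window=4096):
    """Report the zero tail and the entropy of the `window` bytes before it."""
    size, run = trailing_zero_run(path)
    with open(path, "rb") as f:
        start = max(0, size - run - window)
        f.seek(start)
        before = f.read(size - run - start)
    return {"size": size, "zero_tail": run,
            "entropy_before_tail": entropy_bits_per_byte(before)}


def make_sample(path, used=200_000, zero_tail=3000):
    # Constructed stand-in for a ".raw" file: random bytes, then 0x00 padding.
    # The last data byte is forced non-zero so the tail length is exact.
    with open(path, "wb") as f:
        f.write(os.urandom(used - 1) + b"\x01" + b"\x00" * zero_tail)
```

Calling `audit()` on a filled, dismounted volume file gives the length of the 0x00 tail; a non-zero `zero_tail` next to an entropy value close to 8 is the contrast described above.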
Notes
Workaround: After running a few tests, there appear to be two ways in which you can work around this problem:
- Fill this apparently surplus part of the volume file with random data (this should be quite harmless)
- Truncate the file immediately after the last byte that is required for the encrypted drive (possibly leading to "chkdsk" complaining?)
A simple program to allow the user to perform either of these operations is available for download (with full source code) from here. If you do try this program to work around this security problem, you are strongly urged to read the instructions before running it.
Please see also seNTry 2020 Volume Files Are Initialized to Containing Nothing But 0x00's
Email me at: sdean12@mailcity.com