Sunday, July 6, 2008

TrueCrypt Releases version 6.0

On July 4th, 2008, the TrueCrypt Foundation released TrueCrypt version 6.0. TrueCrypt is a very popular open-source disk encryption tool that is currently based on the XTS-AES encryption mode that the IEEE P1619 Task Group developed and standardized in December 2007. As the chair of the IEEE Security in Storage Working Group (SISWG) -- the group that oversaw the development of XTS -- I'm very pleased to see the continued adoption of XTS in the industry.

On a related note, NIST is currently considering XTS as an Approved Mode of Operation for protecting U.S. government confidential data under FIPS 140-2. If NIST accepts XTS, this will be a huge boon to TrueCrypt and similar tools that use XTS. If you use TrueCrypt or other tools that use XTS, please send NIST a comment (before Sept 2008).

For a limited time, you can download a free copy of the XTS standard from IEEE. After September, you'll have to buy it from the IEEE store. See the P1619 homepage for instructions and other information.

7 comments:

  1. Any update on whether NIST has listed XTS as an Approved Mode of Operation for protecting U.S. government confidential data under FIPS 140-2? Thanks.

  2. NIST expects to make a decision by the end of May 2009, or shortly thereafter.

  3. Matt, you and I communicated by email a few weeks ago. Do you know if the approval has come through as an extension so XTS can be considered FIPS 140-2 for a period past the end of May? I thought that was when the temporary permission to use XTS as a FIPS 140-2 compliant encryption expired.

  4. Hi John: NIST has told me privately that they have approved XTS-AES, and will publish an SP 800-XX series draft that says so. There will be a public review period, and then NIST will update their FIPS 140-2 documentation to allow XTS-AES. It will take several months before NIST issues algorithm certificates for XTS-AES. I haven't heard of any temporary permission to use XTS-AES yet, but I'm not involved in certifying a product that uses XTS.

  5. For those following this issue, now especially important under the HITECH Act, to avoid security breach reporting requirements for HIPAA Covered Entities and Business Associates -- TrueCrypt XTS-AES has been approved by NIST with a few caveats. See http://www.law2point0.com/

  6. So where do we stand now in 2012? Is TrueCrypt and the standard maturing into something that will compete on a level with Symantec and the purchase of GuardianEdge?

  7. I can't comment directly on TrueCrypt itself, since I haven't used it in years, but concerning XTS-AES, Apple has shipped support for XTS-AES in OS X Lion 10.7 as the algorithm used in their full-disk encryption offering (which comes free with the operating system). I don't see anything else meaningfully competing with Apple on OS X Lion. For OS X 10.6 and 10.5, there's FileVault, but this just provides encryption of the home directory, not the entire hard disk. But this isn't nearly as secure as something like PGP full-disk encryption or TrueCrypt's full-disk encryption.

    I haven't used Windows laptops in a couple years, so don't really know what's currently the best solution there (probably just PGP full-disk encryption). Linux has a number of encryption solutions, like ecryptfs, but these can sometimes be a bit slow. I'm using ecryptfs for a Linux box in my living room, and there is a substantial delay when logging in due to the time it takes to mount the ecryptfs home directory. I'm half tempted to just turn off the encryption and make sure that I don't put any sensitive information on that computer.

    XTS-AES has been an Approved algorithm under NIST's FIPS 140-2 for a couple years now, so the algorithm seems to have some staying power. There's some talk about maybe recommending that NIST also accept the EME-2 mode of IEEE Std 1619.2, but no one has done this coordination work yet. I think that PGP's full disk encryption may use EME-2 or some similar mode.
