VeraCrypt security audit reveals many flaws, some already patched [Zeljka Zorz/Helpnet Security]
VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.
The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.
The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.
"A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed," the Quarkslab researchers involved in the effort explained.
"Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software."
A short overview of the issues found (fixed and still not fixed) can be found here. The audit report, with mitigations for still unpatched vulnerabilities, can be downloaded from here.
Are any Soylentils using Veracrypt and/or other forks of Trucrypt?
The full audit report: TrueCrypt Cryptographic Review[PDF] [Alex Balducci, Sean Devlin, Tom Ritter/Open Crypto Audit Project]
Previously:
Independent Audit: Newly Found TrueCrypt Flaw Allows Full System Compromise
No Backdoors Found in TrueCrypt
TrueCrypt Site Encodes Warning about NSA Infiltration
TrueCrypt Discontinued, Compromised?
-- submitted from IRC
(Score: 5, Informative) by Post-Nihilist on Tuesday October 25 2016, @10:43PM
Problem:
The availability of GOST 28147-89, a symmetric block cipher with a 64-bit block size, is an issue. This algorithm has been added in VeraCrypt 1.18. It is a 64-bit block cipher, contrary to the other block ciphers used in VeraCrypt. The XTS code has not been adapted for such ciphers, so VeraCrypt emulates a 128-bit block cipher by encrypting two 64-bit blocks in CBC mode with a zero IV, which in itself raises several issues. Furthermore, to reach the same level of security as its 128-bit counterpart, the amount of data to be processed should be no more than 512 bytes which is too small to be considered for a data at rest encryption system. GOST 28147-89 will be removed in version 1.19.
Mitigation: do not use GOST 28147-89
Problem:
If the system is encrypted, the boot password (in UEFI mode) or its length (in legacy mode) could be retrieved by an attacker.
Mitigation: use a long password and avoid UEFI.
Problem:
Vulnerabilities which require substantial modifications of the code or the architecture of the project have not been fixed. These include the AES implementation, which is still susceptible to cache-timing attacks.
Mitigation: replace AES with Camellia
Be like us, be different, be a nihilist!!!
(Score: 3, Interesting) by Runaway1956 on Wednesday October 26 2016, @12:40AM
So, essentially, Veracrypt is the best thing on the market, IF you understand those three vulnerabilities and their "fixes"?
And, even if you don't know to avoid GOST, and to use a long password, to avoid UEFI, and to use Camellia - Veracrypt is still pretty good?
These vulnerabilities have been identified, but there seems to be no indication that they are being exploited - yet.
(Score: 3, Interesting) by Post-Nihilist on Wednesday October 26 2016, @02:07AM
GOST 28147-89 is for Russian fetishist.
If you do not know how to use long password Veracrypt is not for you
And cache timing attack are somewhat impraticables.
if you have a need to encrypt a volumes and you do not have the ressources of a nation state then yes veracrypt is still pretty good
And I felt trolled
Be like us, be different, be a nihilist!!!
(Score: 3, Informative) by driverless on Wednesday October 26 2016, @10:36AM
These include the AES implementation, which is still susceptible to cache-timing attacks.
Mitigation: replace AES with Camellia
So in order to carry out this attack you need to have an attacker's hostile software running with root privs, or close to it, on the CPU doing the disk encryption. Mitigation: Not a real attack, nothing to mitigate.
(Also, how do you know the Camellia implementation is any better?).
(Score: 2) by Post-Nihilist on Wednesday October 26 2016, @09:19PM
Your right, Camellia has the potential to be worse
Be like us, be different, be a nihilist!!!
(Score: 2) by Post-Nihilist on Wednesday October 26 2016, @09:23PM
I missed that phrase : "NCC Group’s report only focuses on AES. We did not check if other implementations are
susceptible to such attacks" when I first read the report, I apologize
Be like us, be different, be a nihilist!!!