Stories
Slash Boxes
Comments

SoylentNews is people

Audit Reveals Significant Vulnerabilities for TrueCrypt and Successor VeraCrypt

posted by cmn32480 on Tuesday October 25 2016, @10:09PM   Printer-friendly
from the decrypt-this dept.

"exec" writes:

VeraCrypt security audit reveals many flaws, some already patched [Zeljka Zorz/Helpnet Security]

VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.

The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.

The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.

"A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed," the Quarkslab researchers involved in the effort explained.

"Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software."

A short overview of the issues found (fixed and still not fixed) can be found here. The audit report, with mitigations for still unpatched vulnerabilities, can be downloaded from here.

Are any Soylentils using Veracrypt and/or other forks of Trucrypt?

The full audit report: TrueCrypt Cryptographic Review[PDF] [Alex Balducci, Sean Devlin, Tom Ritter/Open Crypto Audit Project]

Previously:
Independent Audit: Newly Found TrueCrypt Flaw Allows Full System Compromise
No Backdoors Found in TrueCrypt
TrueCrypt Site Encodes Warning about NSA Infiltration
TrueCrypt Discontinued, Compromised?

-- submitted from IRC

Original Submission

 
This discussion has been archived. No new comments can be posted.
Audit Reveals Significant Vulnerabilities for TrueCrypt and Successor VeraCrypt | Log In/Create an Account | Top | 18 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Informative) by driverless on Wednesday October 26 2016, @10:36AM

    by driverless (4770) on Wednesday October 26 2016, @10:36AM (#418915)

    These include the AES implementation, which is still susceptible to cache-timing attacks.

    Mitigation: replace AES with Camellia

    So in order to carry out this attack you need to have an attacker's hostile software running with root privs, or close to it, on the CPU doing the disk encryption. Mitigation: Not a real attack, nothing to mitigate.

    (Also, how do you know the Camellia implementation is any better?).

    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 2) by Post-Nihilist on Wednesday October 26 2016, @09:19PM

    by Post-Nihilist (5672) on Wednesday October 26 2016, @09:19PM (#419153)

    Your right, Camellia has the potential to be worse

    --
    Be like us, be different, be a nihilist!!!

    • (Score: 2) by Post-Nihilist on Wednesday October 26 2016, @09:23PM

      by Post-Nihilist (5672) on Wednesday October 26 2016, @09:23PM (#419155)

      I missed that phrase : "NCC Group’s report only focuses on AES. We did not check if other implementations are
      susceptible to such attacks" when I first read the report, I apologize

      --
      Be like us, be different, be a nihilist!!!