The new version removes an insecure Russian encryption method, and replaces marginal zip methods with a more cryptographically secure library. Five of the vulnerabilities were involved with Full Disk Encryption (FDE) and have been patched. Eight vulnerabilities were found and addressed in the version released Monday. The improvements made by IDRIX demonstrate the possession of these skills,” the two researchers said.If you use encryption software, VeraCrypt just completed a security audit by QuarksLab in France. Deep knowledge of several operating systems, the Windows kernel, the system boot chain and good concepts in cryptography are required. “VeraCrypt is a project hard to maintain. The overall security of the project is improving and the results are beneficial for people interested in using a disk encryption software. On top of that, researchers reveal that, if the system is encrypted, the boot password (in UEFI mode) or its length (in legacy mode) could be retrieved by an attacker, and they say that the UEFI loader is not mature yet, but that this is not causing security problems from a strict cryptographic point of view.ĭespite these issues, however, the security researchers say that VeraCrypt evolved in a good direction and that assessment conclusions are taken into consideration. Moreover, the audit discovered that compression libraries are outdated or poorly written and that they must be updated or replaced. Added in VeraCrypt 1.18, the algorithm has been removed in version 1.19. The researchers also discovered a series of new issues that must be corrected quickly, such as the availability of GOST 28147-89, a symmetric block cipher with a 64-bit block size. There is also an unauthenticated ciphertext in volume headers flaw, where the lack of a real MAC on the volume headers makes existential forgeries possible with approximately 2 32 queries. Moreover, vulnerabilities leading to incompatibility with TrueCrypt have not been fixed.Ī keyfile mixing not being cryptographically sound bug was one of the most notable issues found by the audit, a result of the fact that the manner in which the keyfiles are mixed to derive secret data relies on non-cryptographic mechanisms. However, the researchers explain that the flaws that require “substantial modifications of the code or the architecture of the project” haven’t been patched, including the AES implementation that is susceptible to cache-timing attacks. “In particular, the problem leading to a privilege escalation discovered by James Forshaw in the TrueCrypt driver just after the OCAP audit has been solved,” the researchers noted in their security assessment (PDF). The Quarkslab researchers first focused on assessing the manner in which VeraCrypt resolved the vulnerabilities discovered in TrueCrypt and revealed that all of those brought to light by last year’s audit have been correctly fixed, except for a minor fix for one of them. Some of the introduced features include: support of UEFI, non-Western cryptographic algorithms ( Camellia, Kuznyechik, GOST 28147-89, Streebog), volume expander, “Personal Iterations Multiplier,” support of UNICODE on Windows, use of StrSafe functions instead of string.h, gathering of entropy on mouse movements at each random number generation. ![]() The security researchers analyzed version 1.18 of the software, and version 1.19 has already released to resolve the discovered issues. ![]() 14, 2016, the two focused mainly on the new features that were introduced following last year’s audit of TrueCrypt.ĭerived from the now discontinued TrueCrypt, VeraCrypt is a disk encryption software developed by IDRIX that not only focused on resolving vulnerabilities, but also on introducing new features. ![]() A recently conducted security assessment of VeraCrypt has revealed over 25 security vulnerabilities in the popular encryption platform, including a critical cryptography flaw.įunded by OSTIF (The Open Source Technology Improvement Fund), the assessment was performed by two Quarkslab senior researchers, Jean-Baptiste Bédrune and Marion Videau.
0 Comments
Leave a Reply. |