VeraCrypt 1.0f-2 update fixes TrueCrypt audit vulnerability
VeraCrypt is a TrueCrypt fork that came to life after the original TrueCrypt project was abandoned by its developers.
It is not the only fork of TrueCrypt -- CipherShed is another -- but it is one that receives regular updates.
The most recent update of VeraCrypt, released just two days ago, addresses one of the vulnerabilities reported by the second part of the Open Crypto Audit report.
Tip: Check out our in-depth review of VeraCrypt here.
The same happened after the first part of the report was released last year: most issues listed in it were fixed by an update released shortly thereafter.
VeraCrypt 1.0f-2 patches the CryptAcquireContext vulnerability in TrueCrypt's source code, which is probably the most severe of the four vulnerabilities reported by TrueCrypt's auditors.
While the three remaining vulnerabilities have not been fixed, they only pose a threat under certain conditions, for instance when an attacker has local access to the computer.
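The article names the CryptAcquireContext finding but not why it ranks as the most severe. As I understand the audit finding, TrueCrypt's Windows random number generator asked the Windows CryptoAPI for entropy through CryptAcquireContext and, when that call failed, carried on without reporting the error, so keys and salts could be derived from a pool that was missing that source (the other sources still contributed, so the effect was reduced entropy rather than none). The following Python model is an added illustration, not TrueCrypt or VeraCrypt code: it contrasts a collector that swallows a source failure with one that fails closed. The pool mixing, the source names and the failing provider are all constructed for the example.

```python
import hashlib
import os


class EntropySourceError(RuntimeError):
    """Raised when an entropy source cannot be opened or read.

    Constructed stand-in for a failed CryptAcquireContext call."""


def os_source(n: int) -> bytes:
    """A working source: the operating system RNG."""
    return os.urandom(n)


def failing_source(reason: str = "cryptographic provider could not be acquired"):
    """Constructed stand-in for a provider that fails to initialise."""
    def source(n: int) -> bytes:
        raise EntropySourceError(reason)
    return source


def mix_into_pool(pool: bytes, data: bytes) -> bytes:
    """Constructed pool update: hash the old 64-byte pool together with the new bytes."""
    return hashlib.sha512(pool + data).digest()


def gather_silently(sources, n: int = 32):
    """Audited pattern: a failing source is skipped and the caller never learns about it.

    Returns (pool, number of sources that actually contributed)."""
    pool = bytes(64)
    contributed = 0
    for src in sources:
        try:
            pool = mix_into_pool(pool, src(n))
            contributed += 1
        except EntropySourceError:
            continue  # the defect: carry on with whatever was mixed so far
    return pool, contributed


def gather_fail_closed(sources, n: int = 32) -> bytes:
    """Patched pattern: any source failure aborts, so no key is derived from a short pool."""
    pool = bytes(64)
    for src in sources:
        pool = mix_into_pool(pool, src(n))  # EntropySourceError propagates to the caller
    return pool


def silent_failure_is_deterministic() -> bool:
    """With every source failing, the silent collector returns the same 'random' pool twice."""
    sources = [failing_source()]
    first, count_first = gather_silently(sources)
    second, count_second = gather_silently(sources)
    return count_first == 0 and count_second == 0 and first == second


def fail_closed_aborts() -> bool:
    """The fail-closed collector refuses to return a pool when any source is dead."""
    try:
        gather_fail_closed([os_source, failing_source()])
    except EntropySourceError:
        return True
    return False


if __name__ == "__main__":
    print("silent collector with a dead source is deterministic:", silent_failure_is_deterministic())
    print("fail-closed collector aborts on a dead source:", fail_closed_aborts())
```

The detection side of this is the same as the fix: an RNG initialisation path that can fail must surface the failure to a caller that stops, logs, or both. A pool that is returned regardless of how many sources fed it gives the user no way to notice that a key was generated under degraded conditions.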
Idrix, the company behind VeraCrypt, plans to improve VeraCrypt with regard to keyfile mixing and cache-timing attacks. The former has been on the project's issue tracker for two weeks and will be addressed in time.
Cache-timing attacks will be addressed in the future as well:
Cache-timing attacks are realistic on multi-user server environments where a malicious user can recover sensitive keys from the CPU. This type of shared environment is clearly not recommended for TrueCrypt/VeraCrypt because of other security risks, so this is not a realistic scenario in our context.
Anyway, since this applies to all cryptographic libraries, we should seek external help/advice from other open source projects to look for available general purpose implementations that bring some level of protection without losing too much performance.
Additional issues reported by the static code analysis tool Coverity were fixed in this version of VeraCrypt as well.
Functionality changes have found their way into VeraCrypt 1.0f-2.
VeraCrypt up until now supported the mounting of regular TrueCrypt volumes but not system partitions.
This changes with this release, at least on Windows, as it is now possible to mount TrueCrypt system partitions using the program.
This ensures full compatibility with all supported volume types on Windows, something that may have prevented some TrueCrypt users from switching to VeraCrypt.
The most recent version of VeraCrypt ships with additional improvements and fixes. The volume mounting speed for instance has been improved by up to 20% on 64-bit operating systems.
On Windows, VeraCryptExpander, a free tool to expand VeraCrypt volumes on the fly, has been added to the setup. You will find it listed in the start menu and in the VeraCrypt program folder.
Download for Windows: https://veracrypt.codeplex.com/downloads/get/1372345
Although I’m pleased to see this news, a quick license note: I’m reluctant to use a program with an Ms-PL license as it’s incompatible with the GPL and therefore unlikely to see any integration with the many GPL-licensed security programs or adoption by Linux distros/users. CipherShed meanwhile appears to be going with LGPL.
Ciphershed license info
Update here: the license has been switched to Apache 2.0 so my concerns are now moot: the software is now compatible with GPL software. Great news. I couldn’t find a note explaining this move, only that it has changed on Wikipedia and their license page: https://veracrypt.codeplex.com/license
I am impressed with the growth of Veracrypt (btw, I was the first to suggest VC on your blog Martin), though I still use TC. I’ll give it another year to mature and prove its security and trustworthiness. I’ve used TC since before version 4.0 (I remember because my first TC volume used LRW as its mode of operation, not XTS which was introduced in 4.0).
As for the concern about the license, it is troubling, but understandable. They have a Linux version anyway, so it’s good enough for me. I am not a GPL-only kind of guy.
The thing with the license really sucks.
Yes, they might violate it, but I think it’s for the greater good (of mankind, to sound dramatic) to ignore it. Because otherwise there are absolutely no other trustworthy encryption programs available for Windows. And there won’t be any new ones coming.
I trust DiskCryptor more. Why? Simple: it’s made by Russians. Looking at the last message from the TC developers and the Lavabit story, I could only say that the TC crew had to give the key to the gov. Well….. DiskCryptor being Russian…. probably the Russian KGB has the keys, but I feel safer in the US with Russian encryption and vice versa….
Huh? What totally uninformed nonsense. What possible key did the TC crew give to the gov? You do understand that encryption keys created by TC are generated in your system and TC does not get a copy of it? Are you talking about the SSL key to their website? Or are you talking about the signing key to their binaries? Ok, so we’ll just use the last version. Fixed.
BTW, their early history suggests a European origin for the TC developers. Which doesn’t count for much. Russian developers are no less compromised than the Americans. They are even more at the mercy of the autocrat Putin. Russia is not a bastion of freedom and liberty. Neither is America, but they at least give it lip service.
The more paranoid you are, the less you actually understand security and cryptography. I’ve seen the really paranoid fear about the supposed backdoor in AES, because they can’t understand the simple substitution permutation operations in the cipher. Learn a little math, and leave the tinfoil at the door.
I use all three for trying out:
Each one has pros and cons.
I hope in a couple months we all have a scenario better defined. I think it is kind early to pick one as being the best.
It is a big decision to pick one to format my new 2Tb HDD. 2Tb is not the amount of data that you can fool around with one pen drive to another…
I’ll stick with TrueCrypt 7.1a for now.
Let’s see what happens in two years from now.
When I first heard about TrueCrypt’s support ending I was upset and pointed the finger at the NSA; turns out there were vulnerabilities in the latest version of TrueCrypt. I’m just glad that VeraCrypt came along, also happy to hear they improved volume mounting speed by 20%; it was just last night that I noticed it was taking longer than TrueCrypt, weird.
Thanks for the Preview/Overview Martin
When TrueCrypt was abandoned, I never pointed the finger at the NSA because I am not paranoid enough. I tried VeraCrypt but it takes ages to load a volume, especially if it’s on a thumb drive (which is how I use TrueCrypt in the first place). I am content with the 1,000 iterations for TC’s PBKDF2, and while I understand why VeraCrypt wants to increase it, I think their choice is overkill.
I have returned to TrueCrypt for now, and I plan to wait for CipherShed to VERY SLOWLY release an update to their project. CS promises to support the TC volume format for the short term, while fixing the bugs and vulnerabilities found in TC. Let’s just hope they do so before 2020. XD
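The comment above weighs VeraCrypt's slower volume mounting against its higher PBKDF2 iteration count. The trade-off is measurable: every extra iteration costs the legitimate user once per mount and costs anyone guessing passwords once per candidate. The following Python script is an added example, not code from the article or from either project; it derives header keys with PBKDF2-HMAC (hashlib.pbkdf2_hmac, as the standard library provides it), times a low and a high iteration count on the machine it runs on, and reports both sides of the trade-off. The 1,000 figure is the one the comment quotes for TrueCrypt; the 200,000 comparison count and the sample password and salt are constructed for the example and are not a claim about VeraCrypt's actual setting.

```python
import hashlib
import time


def derive_header_key(password: bytes, salt: bytes, iterations: int,
                      dklen: int = 64, hash_name: str = "sha512") -> bytes:
    """PBKDF2-HMAC as used to turn a password into a volume header key: slow on purpose."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


def seconds_per_derivation(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine (constructed inputs)."""
    password = b"constructed-sample-password"   # constructed, not a real credential
    salt = bytes(range(64))                     # constructed 64-byte salt
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_header_key(password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def slowdown_factor(low_iterations: int, high_iterations: int) -> float:
    """How many times slower a single derivation becomes at the higher count."""
    return seconds_per_derivation(high_iterations) / seconds_per_derivation(low_iterations)


def trade_off(low_iterations: int, high_iterations: int,
              candidate_passwords: int = 1_000_000) -> dict:
    """Both sides of the trade-off for the two counts.

    'mount_seconds_*' is the extra latency the legitimate user pays per mount;
    'hours_for_candidates_*' is how long one CPU core needs to evaluate the given
    number of candidate passwords, i.e. the margin the higher count buys the defender."""
    t_low = seconds_per_derivation(low_iterations)
    t_high = seconds_per_derivation(high_iterations)
    return {
        "mount_seconds_low": t_low,
        "mount_seconds_high": t_high,
        "hours_for_candidates_low": candidate_passwords * t_low / 3600,
        "hours_for_candidates_high": candidate_passwords * t_high / 3600,
    }


if __name__ == "__main__":
    low, high = 1_000, 200_000  # 1,000 as quoted in the comment; 200,000 is a constructed comparison
    result = trade_off(low, high)
    print(f"one derivation at {low:>7} iterations: {result['mount_seconds_low']*1000:8.2f} ms")
    print(f"one derivation at {high:>7} iterations: {result['mount_seconds_high']*1000:8.2f} ms")
    print(f"one core, 1,000,000 candidates at {low}: {result['hours_for_candidates_low']:.2f} h")
    print(f"one core, 1,000,000 candidates at {high}: {result['hours_for_candidates_high']:.2f} h")
    print(f"slowdown factor: {slowdown_factor(low, high):.0f}x")
```

Because the cost scales linearly with the iteration count, the same factor that makes a mount take a few hundred milliseconds instead of a few milliseconds multiplies the work of every password guess by the same amount; whether that is "overkill" depends on how strong the password is and how often the volume is mounted, which is exactly the judgement the comment is making.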