Shortly after that the story took an unexpected turn. The developers of Truecrypt suddenly ended its development and put a warning on their web page: "Using TrueCrypt is not secure as it may contain unfixed security issues." There was no further explanation, the Truecrypt developers recommended that users switch to the Bitlocker encryption on Windows.
In 2015 the final report of the Open Crypto Audit Project was published. It didn't find any larger flaws in Truecrypt's code, but some smaller issues. The experts from the company NCC found for example that the AES implementation in Truecrypt allows side-channel attacks - an information that is also contained in the BSI report. Some time later a member of Google's Project Zero found further security flaws in Truecrypt.
Followup project Veracrypt is still developed
As Truecrypt got no further releases the software is still vulnerable for all those weaknesses. However there is a fork of Truecrypt under the name Veracrypt. The found weaknesses were fixed there, also a further security audit of Veracrypt was performed.
The BSI knew all that. In reaction to the report from the Open Crypto Audit Project the BSI commissioned another security analysis of Truecrypt. This analysis can be found on the webpage of the BSI. It does not mention the older and much more detailed audit from 2010.
THe BSI explained to us that the audit in 2010 was performed as part of an IT investment program to modernize the information and communication technology of the administration. The results were communicated to the Truecrypt foundation, however the Truecrypt developers didn't consider them to be relevant. BSI furthermore says that the results were not intended to be published.
Veracrypt developer Mounir Idrassi confirmed that he had never heard of that BSI security audit. The BSI explained that the IT investment program ended in 2011, many years before Veracrypt was started in 2015.
The BSI audit from 2010 starts with a detailed analysis of the architecture of Truecrypt on Windows and Linux. It looks like the version for Mac OS X was of less interest to BSI.
Low-risk Buffer Overflow
One of the security flaws that is described in detail is a potential buffer overflow in a function to call external programs. This function named Process::Execute takes a program name and an array of command line options as parameters. Afterwards these are copied into an array with 32 elements size, at the end a null pointer is added.
The function contains a check if too many command line options are passed, however the check misses the trailing null pointer. If exactly 31 command line options are passed a buffer overflow happens. This flaw was present in the code of Veracrypt until recently. We have sent a patch to the developers of Veracrypt that has been applied.
The practical risk is probably small. It is unlikely that the Veracrypt code would call a program with so many command line options - and even then an attacker has little control over the used memory.
|Encryption software: German BSI withholds Truecrypt security report||Missing chapter about off-by-one-overflows|