Truecrypt developers suddenly end development and point to security problems

Shortly after that the story took an unexpected turn. The developers of Truecrypt suddenly ended its development and put a warning on their web page: "Using TrueCrypt is not secure as it may contain unfixed security issues." There was no further explanation, the Truecrypt developers recommended that users switch to the Bitlocker encryption on Windows.

Stellenmarkt
  1. Softwareentwickler/in für SAP ABAP (m/w/d)
    Compiricus AG, Düsseldorf
  2. IT / Organisation Anwendungsbetreuer (m/w/d)
    Schöler Fördertechnik AG, Rheinfelden
Detailsuche

In 2015 the final report of the Open Crypto Audit Project was published. It didn't find any larger flaws in Truecrypt's code, but some smaller issues. The experts from the company NCC found for example that the AES implementation in Truecrypt allows side-channel attacks - an information that is also contained in the BSI report. Some time later a member of Google's Project Zero found further security flaws in Truecrypt.

Followup project Veracrypt is still developed

As Truecrypt got no further releases the software is still vulnerable for all those weaknesses. However there is a fork of Truecrypt under the name Veracrypt. The found weaknesses were fixed there, also a further security audit of Veracrypt was performed.

The BSI knew all that. In reaction to the report from the Open Crypto Audit Project the BSI commissioned another security analysis of Truecrypt. This analysis can be found on the webpage of the BSI. It does not mention the older and much more detailed audit from 2010.

Golem Akademie
  1. ITIL 4® Foundation: virtueller Zwei-Tage-Workshop
    24.–25. Januar 2022, virtuell
  2. Elastic Stack Fundamentals – Elasticsearch, Logstash, Kibana, Beats: virtueller Drei-Tage-Workshop
    15.–17. März 2022, Virtuell
Weitere IT-Trainings

THe BSI explained to us that the audit in 2010 was performed as part of an IT investment program to modernize the information and communication technology of the administration. The results were communicated to the Truecrypt foundation, however the Truecrypt developers didn't consider them to be relevant. BSI furthermore says that the results were not intended to be published.

Veracrypt developer Mounir Idrassi confirmed that he had never heard of that BSI security audit. The BSI explained that the IT investment program ended in 2011, many years before Veracrypt was started in 2015.

The BSI audit from 2010 starts with a detailed analysis of the architecture of Truecrypt on Windows and Linux. It looks like the version for Mac OS X was of less interest to BSI.

Low-risk Buffer Overflow

One of the security flaws that is described in detail is a potential buffer overflow in a function to call external programs. This function named Process::Execute takes a program name and an array of command line options as parameters. Afterwards these are copied into an array with 32 elements size, at the end a null pointer is added.

The function contains a check if too many command line options are passed, however the check misses the trailing null pointer. If exactly 31 command line options are passed a buffer overflow happens. This flaw was present in the code of Veracrypt until recently. We have sent a patch to the developers of Veracrypt that has been applied.

The practical risk is probably small. It is unlikely that the Veracrypt code would call a program with so many command line options - and even then an attacker has little control over the used memory.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed
 Encryption software: German BSI withholds Truecrypt security reportMissing chapter about off-by-one-overflows 
  1.  
  2. 1
  3. 2
  4. 3
  5.  


Aktuell auf der Startseite von Golem.de
Klage
Paypal friert Konten ein und behält Geld nach 180 Tagen

In einer Sammelklage wird Paypal vorgeworfen, Konten ohne Nennung von Gründen einzufrieren und das Geld nach 180 Tagen zu behalten.

Klage: Paypal friert Konten ein und behält Geld nach 180 Tagen
Artikel
  1. Krypto-Verbot: Panikverkäufe von Krypto-Mininggerät im Kosovo
    Krypto-Verbot
    Panikverkäufe von Krypto-Mininggerät im Kosovo

    Schürfen von Kryptowährungen ist im Kosovo seit kurzem verboten. Mineure versuchen, ihr Equipment oft zu Schleuderpreisen loszuwerden.

  2. Malware: Microsoft warnt vor ungewöhnlicher Schadsoftware in Ukraine
    Malware
    Microsoft warnt vor ungewöhnlicher Schadsoftware in Ukraine

    Die Schadsoftware soll sich als Ransomware tarnen.

  3. Großunternehmen: Lindner will Mindeststeuer zum 1. Januar 2023 umsetzen
    Großunternehmen
    Lindner will Mindeststeuer zum 1. Januar 2023 umsetzen

    Bundesfinanzminister Christian Lindner will die Mindeststeuer für Großunternehmen in Deutschland schnell einführen.

Du willst dich mit Golem.de beruflich verändern oder weiterbilden?
Zum Stellenmarkt
Zur Akademie
Zum Coaching
  • Schnäppchen, Rabatte und Top-Angebote
    Die besten Deals des Tages
    Daily Deals • MindStar (u.a. WD Blue 3D 1TB 79€, be quiet! Straight Power 11 850W 119€ u. PowerColor RX 6600 Hellhound 529€) • Alternate: Weekend-Deals • HyperX Cloud II Wireless 107,19€ • Cooler Master MH752 54,90€ • Gainward RTX 3080 12GB 1.599€ • Saturn-Hits • 3 für 2: Marvel & Star Wars [Werbung]
    •  /