Truecrypt developers suddenly end development and point to security problems

Shortly after that the story took an unexpected turn. The developers of Truecrypt suddenly ended its development and put a warning on their web page: "Using TrueCrypt is not secure as it may contain unfixed security issues." There was no further explanation, the Truecrypt developers recommended that users switch to the Bitlocker encryption on Windows.

In 2015 the final report of the Open Crypto Audit Project was published. It didn't find any larger flaws in Truecrypt's code, but some smaller issues. The experts from the company NCC found for example that the AES implementation in Truecrypt allows side-channel attacks - an information that is also contained in the BSI report. Some time later a member of Google's Project Zero found further security flaws in Truecrypt.

Followup project Veracrypt is still developed

As Truecrypt got no further releases the software is still vulnerable for all those weaknesses. However there is a fork of Truecrypt under the name Veracrypt. The found weaknesses were fixed there, also a further security audit of Veracrypt was performed.

The BSI knew all that. In reaction to the report from the Open Crypto Audit Project the BSI commissioned another security analysis of Truecrypt. This analysis can be found on the webpage of the BSI. It does not mention the older and much more detailed audit from 2010.

THe BSI explained to us that the audit in 2010 was performed as part of an IT investment program to modernize the information and communication technology of the administration. The results were communicated to the Truecrypt foundation, however the Truecrypt developers didn't consider them to be relevant. BSI furthermore says that the results were not intended to be published.

Veracrypt developer Mounir Idrassi confirmed that he had never heard of that BSI security audit. The BSI explained that the IT investment program ended in 2011, many years before Veracrypt was started in 2015.

The BSI audit from 2010 starts with a detailed analysis of the architecture of Truecrypt on Windows and Linux. It looks like the version for Mac OS X was of less interest to BSI.

Low-risk Buffer Overflow

One of the security flaws that is described in detail is a potential buffer overflow in a function to call external programs. This function named Process::Execute takes a program name and an array of command line options as parameters. Afterwards these are copied into an array with 32 elements size, at the end a null pointer is added.

The function contains a check if too many command line options are passed, however the check misses the trailing null pointer. If exactly 31 command line options are passed a buffer overflow happens. This flaw was present in the code of Veracrypt until recently. We have sent a patch to the developers of Veracrypt that has been applied.

The practical risk is probably small. It is unlikely that the Veracrypt code would call a program with so many command line options - and even then an attacker has little control over the used memory.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed
 Encryption software: German BSI withholds Truecrypt security reportMissing chapter about off-by-one-overflows 
  1.  
  2. 1
  3. 2
  4. 3
  5.  


Aktuell auf der Startseite von Golem.de
Der Herr der Ringe
Lego bringt Bruchtal aus 6.100 Teilen und mit 15 Figuren

Die gesamte Gemeinschaft des Ringes versammelt sich in den Hallen von Bruchtal, das als Lego-Diorama Herr-der-Ringe-Fans erfreuen kann.

Der Herr der Ringe: Lego bringt Bruchtal aus 6.100 Teilen und mit 15 Figuren
Artikel
  1. Emergency Alert System: Fox muss Strafe wegen Notfallalarm-Werbung zahlen
    Emergency Alert System
    Fox muss Strafe wegen Notfallalarm-Werbung zahlen

    Eine Fernsehwerbung mit einem speziellen Signal beginnen, das normalerweise einen Notfallalarm ankündigt? Die FCC fand die Idee von Fox nicht gut.

  2. Stress reduzieren: Runter mit der Hasskappe!
    Stress reduzieren
    Runter mit der Hasskappe!

    Viele ITler stehen unter enormen Stress und ruinieren sich damit die Gesundheit und den Spaß an der Arbeit - und anderen den Tag. Psychologen empfehlen als Lösung: mit Affirmationen die eigenen Gedanken umprogrammieren.
    Ein Bericht von Marc Favre

  3. Microsoft: Bing bekommt ChatGPT-Integration und kann getestet werden
    Microsoft
    Bing bekommt ChatGPT-Integration und kann getestet werden

    Microsoft hat KI-basierte Updates für die Bing-Suchmaschine und den Edge-Browser angekündigt. Die Beta ist schon verfügbar.

Du willst dich mit Golem.de beruflich verändern oder weiterbilden?
Zum Stellenmarkt
Zur Akademie
Zum Coaching
  • Schnäppchen, Rabatte und Top-Angebote
    Die besten Deals des Tages
    Daily Deals • Powercolor RX 7900 XTX 1.119€ • WSV-Finale bei MediaMarkt • Samsung 980 Pro 2TB (PS5-komp.) 174,99€ • MSI RTX 4080 1.349€ • Samsung 55" 4K QLED Curved Gaming-Monitor -25% • Asus RX 7900 XT 939,90€ • DAMN-Deals: AMD CPUs zu Tiefstpreisen • PCGH Cyber Week nur bis 9.2. [Werbung]
    •  /