• IT-Karriere:
  • Services:

Truecrypt developers suddenly end development and point to security problems

Shortly after that the story took an unexpected turn. The developers of Truecrypt suddenly ended its development and put a warning on their web page: "Using TrueCrypt is not secure as it may contain unfixed security issues." There was no further explanation, the Truecrypt developers recommended that users switch to the Bitlocker encryption on Windows.

Stellenmarkt
  1. BASF Services Europe GmbH, Berlin
  2. finanzen.de, Berlin

In 2015 the final report of the Open Crypto Audit Project was published. It didn't find any larger flaws in Truecrypt's code, but some smaller issues. The experts from the company NCC found for example that the AES implementation in Truecrypt allows side-channel attacks - an information that is also contained in the BSI report. Some time later a member of Google's Project Zero found further security flaws in Truecrypt.

Followup project Veracrypt is still developed

As Truecrypt got no further releases the software is still vulnerable for all those weaknesses. However there is a fork of Truecrypt under the name Veracrypt. The found weaknesses were fixed there, also a further security audit of Veracrypt was performed.

The BSI knew all that. In reaction to the report from the Open Crypto Audit Project the BSI commissioned another security analysis of Truecrypt. This analysis can be found on the webpage of the BSI. It does not mention the older and much more detailed audit from 2010.

THe BSI explained to us that the audit in 2010 was performed as part of an IT investment program to modernize the information and communication technology of the administration. The results were communicated to the Truecrypt foundation, however the Truecrypt developers didn't consider them to be relevant. BSI furthermore says that the results were not intended to be published.

Veracrypt developer Mounir Idrassi confirmed that he had never heard of that BSI security audit. The BSI explained that the IT investment program ended in 2011, many years before Veracrypt was started in 2015.

The BSI audit from 2010 starts with a detailed analysis of the architecture of Truecrypt on Windows and Linux. It looks like the version for Mac OS X was of less interest to BSI.

Low-risk Buffer Overflow

One of the security flaws that is described in detail is a potential buffer overflow in a function to call external programs. This function named Process::Execute takes a program name and an array of command line options as parameters. Afterwards these are copied into an array with 32 elements size, at the end a null pointer is added.

The function contains a check if too many command line options are passed, however the check misses the trailing null pointer. If exactly 31 command line options are passed a buffer overflow happens. This flaw was present in the code of Veracrypt until recently. We have sent a patch to the developers of Veracrypt that has been applied.

The practical risk is probably small. It is unlikely that the Veracrypt code would call a program with so many command line options - and even then an attacker has little control over the used memory.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed
 Encryption software: German BSI withholds Truecrypt security reportMissing chapter about off-by-one-overflows 
  1.  
  2. 1
  3. 2
  4. 3
  5.  


Anzeige
Hardware-Angebote
  1. (reduzierte Überstände, Restposten & Co.)
  2. 1439,90€ (Vergleichspreis: 1530,95€)
  3. täglich neue Deals bei Alternate.de

danielmain 16. Dez 2019 / Themenstart

Was für eine Leistung in den Top 10 von Hacker news zu stehen. Weiterso!

Kommentieren


Folgen Sie uns
       


Motorola Razr (2019) - Hands on

Das neue Motorola Razr lässt sich wie das alte Razr V3 zusammenklappen - das Display ist allerdings faltbar und geht über die gesamte Innenfläche des Smartphones.

Motorola Razr (2019) - Hands on Video aufrufen
Amazon, Netflix und Sky: Disney bringt 2020 den großen Umbruch beim Videostreaming
Amazon, Netflix und Sky
Disney bringt 2020 den großen Umbruch beim Videostreaming

In diesem Jahr wird sich der Video-Streaming-Markt in Deutschland stark verändern. Der Start von Disney+ setzt Netflix, Amazon und Sky gehörig unter Druck. Die ganz großen Umwälzungen geschehen vorerst aber woanders.
Eine Analyse von Ingo Pakalski

  1. Peacock NBC Universal setzt gegen Netflix auf Gratis-Streaming
  2. Joyn Plus+ Probleme bei der Kündigung
  3. Android TV Magenta-TV-Stick mit USB-Anschluss vergünstigt erhältlich

Elektroautos in Tiefgaragen: Was tun, wenn's brennt?
Elektroautos in Tiefgaragen
Was tun, wenn's brennt?

Was kann passieren, wenn Elektroautos in einer Tiefgarage brennen? Während Brandschutzexperten dringend mehr Forschung fordern und ein Parkverbot nicht ausschließen, wollen die Bundesländer die Garagenverordnung verschärfen.
Eine Analyse von Friedhelm Greis

  1. Mercedes E-Econic Daimler elektrifiziert den Müllwagen
  2. Umweltprämie für Elektroautos Regierung verzögert Prüfung durch EU-Kommission
  3. Intransparente Preise Verbraucherschützer mahnen Ladenetzbetreiber New Motion ab

Europäische Netzpolitik: Die Rückkehr des Axel Voss
Europäische Netzpolitik
Die Rückkehr des Axel Voss

Elektronische Beweismittel, Nutzertracking, Terrorinhalte: In der EU stehen in diesem Jahr wichtige netzpolitische Entscheidungen an. Auch Axel Voss will wieder mitmischen. Und wird Ursula von der Leyen mit dem "Digitale-Dienste-Gesetz" wieder zu "Zensursula"?
Eine Analyse von Friedhelm Greis

  1. Mitgliederentscheid Netzpolitikerin Esken wird SPD-Chefin
  2. Nach schwerer Krankheit FDP-Netzpolitiker Jimmy Schulz gestorben

    •  /