• IT-Karriere:
  • Services:

Truecrypt developers suddenly end development and point to security problems

Shortly after that the story took an unexpected turn. The developers of Truecrypt suddenly ended its development and put a warning on their web page: "Using TrueCrypt is not secure as it may contain unfixed security issues." There was no further explanation, the Truecrypt developers recommended that users switch to the Bitlocker encryption on Windows.

Stellenmarkt
  1. über duerenhoff GmbH, Mainz
  2. über duerenhoff GmbH, Berlin

In 2015 the final report of the Open Crypto Audit Project was published. It didn't find any larger flaws in Truecrypt's code, but some smaller issues. The experts from the company NCC found for example that the AES implementation in Truecrypt allows side-channel attacks - an information that is also contained in the BSI report. Some time later a member of Google's Project Zero found further security flaws in Truecrypt.

Followup project Veracrypt is still developed

As Truecrypt got no further releases the software is still vulnerable for all those weaknesses. However there is a fork of Truecrypt under the name Veracrypt. The found weaknesses were fixed there, also a further security audit of Veracrypt was performed.

The BSI knew all that. In reaction to the report from the Open Crypto Audit Project the BSI commissioned another security analysis of Truecrypt. This analysis can be found on the webpage of the BSI. It does not mention the older and much more detailed audit from 2010.

Golem Akademie
  1. Microsoft 365 Security Workshop
    9.-11. Juni 2021, Online
  2. IT-Sicherheit für Webentwickler
    31. Mai - 1. Juni 2021, online
Weitere IT-Trainings

THe BSI explained to us that the audit in 2010 was performed as part of an IT investment program to modernize the information and communication technology of the administration. The results were communicated to the Truecrypt foundation, however the Truecrypt developers didn't consider them to be relevant. BSI furthermore says that the results were not intended to be published.

Veracrypt developer Mounir Idrassi confirmed that he had never heard of that BSI security audit. The BSI explained that the IT investment program ended in 2011, many years before Veracrypt was started in 2015.

The BSI audit from 2010 starts with a detailed analysis of the architecture of Truecrypt on Windows and Linux. It looks like the version for Mac OS X was of less interest to BSI.

Low-risk Buffer Overflow

One of the security flaws that is described in detail is a potential buffer overflow in a function to call external programs. This function named Process::Execute takes a program name and an array of command line options as parameters. Afterwards these are copied into an array with 32 elements size, at the end a null pointer is added.

The function contains a check if too many command line options are passed, however the check misses the trailing null pointer. If exactly 31 command line options are passed a buffer overflow happens. This flaw was present in the code of Veracrypt until recently. We have sent a patch to the developers of Veracrypt that has been applied.

The practical risk is probably small. It is unlikely that the Veracrypt code would call a program with so many command line options - and even then an attacker has little control over the used memory.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed
 Encryption software: German BSI withholds Truecrypt security reportMissing chapter about off-by-one-overflows 
  1.  
  2. 1
  3. 2
  4. 3
  5.  


Anzeige
Hardware-Angebote
  1. (u. a. PS5 + HD Kamera für 549,99€)

danielmain 16. Dez 2019

Was für eine Leistung in den Top 10 von Hacker news zu stehen. Weiterso!


Folgen Sie uns
       


Programm für IT-Jobeinstieg: Hoffen auf den Klebeeffekt
Programm für IT-Jobeinstieg
Hoffen auf den Klebeeffekt

Aktuell ist der Jobeinstieg für junge Ingenieure und Informatiker schwer. Um ihnen zu helfen, hat das Land Baden-Württemberg eine interessante Idee: Es macht sich selbst zur Zeitarbeitsfirma.
Ein Bericht von Peter Ilg

  1. Arbeitszeit Das Sechs-Stunden-Experiment bei Sipgate
  2. Neuorientierung im IT-Job Endlich mal machen!
  3. IT-Unternehmen Die richtige Software für ein Projekt finden

Weclapp-CTO Ertan Özdil: Wir dürfen nicht in Schönheit und Perfektion untergehen!
Weclapp-CTO Ertan Özdil
"Wir dürfen nicht in Schönheit und Perfektion untergehen!"

Der CTO von Weclapp träumt von smarter Software, die menschliches Eingreifen in der nächsten ERP-Generation reduziert. Deutschen Perfektionismus hält Ertan Özdil aber für gefährlich.
Ein Interview von Maja Hoock


    Fiat 500 als E-Auto im Test: Kleinstwagen mit großem Potenzial
    Fiat 500 als E-Auto im Test
    Kleinstwagen mit großem Potenzial

    Fiat hat einen neuen 500er entwickelt. Der Kleine fährt elektrisch - und zwar richtig gut.
    Ein Test von Peter Ilg

    1. Vierradlenkung Elektrischer GMC Hummer SUV fährt im Krabbengang seitwärts
    2. MG Cyberster MG B Roadster mit Lasergürtel und Union Jack
    3. Elektroauto E-Auto-Prämie übersteigt in 2021 schon Vorjahressumme

      •  /