Encryption software: German BSI withholds Truecrypt security report
The German Federal Office for Information Security (BSI) has kept a detailed examination of the encryption software Truecrypt secret for nine years. Across more than 400 pages, the documents describe the architecture of the encryption tool in detail, list various security problems and make recommendations on how to fix them.
Golem.de learned about the existence of these documents via an entry on the web platform "Frag Den Staat" (translated: "ask the state"). On this site, citizens can send requests to government agencies under the German freedom of information law. A user sent a generic request to the BSI asking for all investigations of Truecrypt it may possess.
The BSI sent several documents which, according to their dates, were created in 2010 and contain a detailed analysis of Truecrypt. However, the BSI told the requester that the documents are copyright protected and that he is not allowed to publish them. Golem.de therefore requested the documents as well and received them after some time, likewise with the remark that they must not be published.
It is a common strategy of government agencies to cite copyright in order to prevent the publication of documents released under freedom of information requests. The platform "Frag Den Staat", for example, has been in a legal conflict with the German Federal Institute for Risk Assessment (BfR) about the publication of a report on the herbicide glyphosate. The BSI also prevented the publication of an earlier report on cryptographic libraries by referring to its copyright.
The Truecrypt documents carry a remark that they are classified information, but that remark has been struck through. The content is noteworthy because it shows that the BSI has had plenty of information about the security of Truecrypt, including specific security problems, for a long time. Despite the various discussions about the security of Truecrypt that erupted after the Snowden revelations, it apparently decided not to publish it.
BSI sends complete documents only after multiple requests
The five documents are numbered from AP2 to AP6. AP1 was notably missing. When asked, the BSI said: "AP1 is a research and overview of what functionality existing hard drive encryption products on the market implement (including the Windows and the Linux version of Truecrypt). Since this is not an 'investigation' of the 'Truecrypt' program, we saw this document as not covered by the Freedom of Information Act request."
We then requested to receive this document as well. It is surprising that the BSI came to the conclusion that this document is not an "investigation" (in German "Untersuchung") of Truecrypt, because the title of the document starts with "Truecrypt Untersuchung".
Even then the documents were incomplete. They contain multiple references stating that attacks are explained in more detail in AP7. After multiple requests Golem.de also received that document.
Truecrypt was published by anonymous developers
The software Truecrypt has an interesting history. The program was created by anonymous developers. According to investigations by journalist Evan Ratliff, the drug dealer Paul Le Roux was involved in its development. Truecrypt gives users a relatively easy way to encrypt files locally in an encrypted data container. It also offers the option of encrypting whole disk drives.
The license of the Truecrypt code is controversial. While the code is publicly available, the license contains some restrictions that keep it from meeting the definition of free software or open source. Therefore many Linux distributions don't have official Truecrypt packages.
In 2013 the cryptographer Matthew Green started collecting donations to fund a security audit of Truecrypt. Together with the IT security professional Kenneth White he founded the Open Crypto Audit Project. The money came in quickly.
Truecrypt developers suddenly end development and point to security problems
Shortly after that the story took an unexpected turn. The developers of Truecrypt suddenly ended its development and put a warning on their web page: "Using TrueCrypt is not secure as it may contain unfixed security issues." There was no further explanation; the Truecrypt developers recommended that users switch to Bitlocker encryption on Windows.
In 2015 the final report of the Open Crypto Audit Project was published. It didn't find any major flaws in Truecrypt's code, only some smaller issues. The experts from the company NCC found, for example, that the AES implementation in Truecrypt allows side-channel attacks, a finding that is also contained in the BSI report. Some time later a member of Google's Project Zero found further security flaws in Truecrypt.
Follow-up project Veracrypt is still developed
As Truecrypt got no further releases, the software remains vulnerable to all those weaknesses. However, there is a fork of Truecrypt under the name Veracrypt. The discovered weaknesses were fixed there, and a further security audit of Veracrypt was performed.
The BSI knew all that. In reaction to the report from the Open Crypto Audit Project, the BSI commissioned another security analysis of Truecrypt. This analysis can be found on the BSI's web page. It does not mention the older and much more detailed audit from 2010.
The BSI explained to us that the audit in 2010 was performed as part of an IT investment program to modernize the information and communication technology of the administration. The results were communicated to the Truecrypt Foundation; however, the Truecrypt developers didn't consider them relevant. The BSI furthermore says that the results were never intended to be published.
Veracrypt developer Mounir Idrassi confirmed that he had never heard of that BSI security audit. The BSI explained that the IT investment program ended in 2011, many years before Veracrypt was started in 2015.
The BSI audit from 2010 starts with a detailed analysis of the architecture of Truecrypt on Windows and Linux. It looks like the version for Mac OS X was of less interest to the BSI.
Low-risk Buffer Overflow
One of the security flaws that is described in detail is a potential buffer overflow in a function that calls external programs. This function, named Process::Execute, takes a program name and an array of command line options as parameters. These are then copied into an array of 32 elements, and a null pointer is added at the end.
The function contains a check for whether too many command line options are passed, but the check does not account for the trailing null pointer. If exactly 31 command line options are passed, a buffer overflow happens. This flaw was present in the code of Veracrypt until recently. We have sent a patch to the developers of Veracrypt, which has been applied.
The practical risk is probably small. It is unlikely that the Veracrypt code would call a program with so many command line options, and even then an attacker has little control over the memory involved.
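The off-by-one described above, rebuilt as a small C model (added here for illustration; this is not the Truecrypt or Veracrypt source): a 32-slot argument array, a bound check that forgets the terminating null pointer next to the corrected check, and an argv builder that uses the corrected one. The function and array names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define ARGV_SLOTS 32   /* fixed-size argument array, as the audit describes */

/* Slots required: program name + options + terminating NULL. */
size_t argv_slots_needed(size_t n_options) { return n_options + 2; }

/* Buggy bound (modelled on the flaw): counts the program name but forgets
   the NULL, so 31 options pass and the NULL would land at index 32. */
int argv_check_buggy(size_t n_options) { return n_options + 1 <= ARGV_SLOTS; }

/* Fixed bound: leave room for the terminator as well. */
int argv_check_fixed(size_t n_options) { return argv_slots_needed(n_options) <= ARGV_SLOTS; }

/* Builds argv with the fixed check. Returns the index where the NULL was
   written, or -1 if the option list does not fit. */
int build_argv(const char *argv[ARGV_SLOTS], const char *prog,
               const char *const *opts, size_t n_options) {
    if (!argv_check_fixed(n_options)) return -1;
    size_t i = 0;
    argv[i++] = prog;
    for (size_t k = 0; k < n_options; k++) argv[i++] = opts[k];
    argv[i] = NULL;       /* always in bounds now: i <= ARGV_SLOTS - 1 */
    return (int)i;
}

/* Constructed driver: n_options copies of "-o"; returns build_argv's result. */
int demo_build(size_t n_options) {
    const char *opts[ARGV_SLOTS];
    const char *argv[ARGV_SLOTS];
    if (n_options > ARGV_SLOTS) return -2;
    for (size_t k = 0; k < n_options; k++) opts[k] = "-o";
    return build_argv(argv, "/bin/prog", opts, n_options);
}

int main(void) {
    for (size_t n = 29; n <= 32; n++)
        printf("%2zu options: buggy check %s, fixed check %s, slots needed %zu\n",
               n, argv_check_buggy(n) ? "accepts" : "rejects",
               argv_check_fixed(n) ? "accepts" : "rejects", argv_slots_needed(n));
    return 0;
}
```

The table printed by main shows the gap: at 31 options the buggy check accepts although 33 slots are needed.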
Missing chapter about off-by-one overflows
However, the report hints that more such flaws exist. Another chapter in the documents mentions that several such off-by-one errors were found, but that, for lack of a complete code analysis, only examples can be shown. Yet even those examples are missing from the document: the following chapter consists only of a headline and has no content.
Several times the documents mention a systemic weakness of Truecrypt on Linux if non-root users are allowed to mount Truecrypt volumes. This is not officially supported, but one can allow users to execute the so-called Core Service of Truecrypt via sudo.
This makes it possible for users to mount encrypted disks, but it also automatically hands those users a root privilege escalation. The BSI audit mentions several ways in which that is possible; in the simplest case a user can mount a Truecrypt volume that contains a file with suid root permission that opens a shell. Golem.de was able to replicate this scenario in a current version of Veracrypt.
Keys and passwords are often not properly overwritten
Most of the specific weaknesses and proposed improvements concern memory management and the secure wiping of memory areas. In cryptographic software it is common practice to overwrite memory that contained keys, passwords or other critical data after its use. This is done so that the data cannot be leaked later through some other software error.
Implementing this wiping correctly is not trivial, as compilers can optimize away such overwrites. A talk at last year's 35C3 discusses this problem in detail. The Truecrypt and Veracrypt code uses a macro named burn for this, but it is not used in all places where that would be sensible.
The BSI audit contains an extensive list of functions in the Truecrypt code. For each function it was checked whether it uses key material and whether that material is overwritten correctly. In many instances the auditors found weaknesses.
Particularly problematic is a C++ class called Memory whose Erase function does not use the safe burn macro but a normal call to memset. This error was, however, fixed in newer versions of Truecrypt.
However, the BSI audit mentions various other such mistakes, many of which are still present in Veracrypt's code. In some functions key material is stored in temporary variables; in other places not all possible code paths are properly considered. We have sent patches for some of these problems to the Veracrypt developers.
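The wiping problem from the preceding paragraphs, shown in C as an added example (not code from Truecrypt, Veracrypt or the BSI report): a plain memset that the optimizer may drop, a volatile-store wipe in the spirit of a burn-style macro (whether it matches the real macro exactly is not established by the article), and a function that keeps key material in a temporary and wipes it on every exit path, including an early one. All function names and the XOR "work" are constructed.

```c
#include <stddef.h>
#include <string.h>

/* A plain memset on memory that is never read again is a dead store the
   compiler may delete, leaving the key in RAM. Shown only for contrast. */
void erase_naive(void *p, size_t n) { memset(p, 0, n); }

/* Volatile stores cannot be elided, so every byte is really overwritten.
   Illustrative burn-style wipe, not Truecrypt's or Veracrypt's own code. */
void erase_secure(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Key material in a temporary buffer with an early-exit path after the copy;
   a single cleanup label guarantees the wipe on every path. The XOR stands
   in for real work and is not a KDF. */
int derive_with_temp(const unsigned char *key, size_t keylen,
                     unsigned char *out, size_t outlen) {
    unsigned char tmp[32];
    int rc = -1;
    if (keylen == 0 || keylen > sizeof tmp) return -1; /* tmp untouched */
    memcpy(tmp, key, keylen);                           /* secret now in tmp */
    if (outlen < keylen) goto cleanup;                  /* exit after copy: still wipe */
    for (size_t i = 0; i < keylen; i++) out[i] = tmp[i] ^ 0x5A;
    rc = 0;
cleanup:
    erase_secure(tmp, sizeof tmp);
    return rc;
}

/* Constructed 16-byte sample key 0x01..0x10. */
static void sample_key(unsigned char *key) {
    for (int i = 0; i < 16; i++) key[i] = (unsigned char)(i + 1);
}

/* 1 if erase_secure leaves the sample key buffer all zero. */
int demo_wipe(void) {
    unsigned char key[16], acc = 0;
    sample_key(key);
    erase_secure(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++) acc |= key[i];
    return acc == 0;
}

/* out[0] after derivation on the sample key (0x01 ^ 0x5A == 0x5B), or -1;
   pass outlen < 16 to exercise the early-exit path, which returns -1. */
int demo_derive(size_t outlen) {
    unsigned char key[16], out[16];
    sample_key(key);
    if (outlen > sizeof out) return -2;
    return derive_with_temp(key, sizeof key, out, outlen) == 0 ? out[0] : -1;
}
```

Whether a given toolchain really removes the memset in erase_naive can only be confirmed by inspecting the generated assembly; the volatile loop removes the question.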
Uninitialized array can be used according to the C standard
We found one description of a supposed bug that actually isn't one. In a function that calculates hashes with the RIPEMD160 algorithm, a global array is in some situations used uninitialized. However, that is no problem: according to the C standard, static arrays are always initialized with zeros.
None of the weaknesses mentioned in this report is critical. The encryption is and remains relatively solid and safe. However, everyone who uses Veracrypt should use only the latest version and install the security updates provided. And people who still use Truecrypt should switch to Veracrypt.
The information from this audit could be used to improve the security of Veracrypt. Many users would benefit from that. While Truecrypt and Veracrypt aren't as important as they once were, German municipalities in particular seem to still use them frequently. According to a survey by the privacy commissioner of the federal state of Baden-Württemberg, 9 percent of municipalities say that they use either Truecrypt or Veracrypt.
Shortly before we published this article, the BSI allowed the Truecrypt documents to be published. They can be downloaded from the Frag den Staat web page.
Update from December 16th 2019, 13:22
Added link to the documents, which are now publicly available.
This text is also available in German.