Audit reveals significant vulnerabilities in Truecrypt and its successors

Veracrypt was created to fill the vacuum left by the implosion of disk-encryption tool Truecrypt, which mysteriously vanished in 2014, along with a "suicide note" (possibly containing a hidden message) that many interpreted as a warning that an intelligence agency had inserted a backdoor into the code, or was attempting to force Truecrypt's anonymous creators to do so.

Truecrypt had a weird provenance: created by anonymous entities and licensed under a unique and problematic hand-rolled open source license, it had grown to enormous popularity despite a lack of any kind of rigorous auditing by security researchers. Ironically, Truecrypt disappeared shortly after the first major audit of the software gave it a largely positive rating.

Veracrypt is a Truecrypt successor that can read Truecrypt drive files; unlike other Truecrypt sequels, Veracrypt attempts to extend Truecrypt's functionality with useful new features.

The Open Crypto Audit Project is doing the important work of subjecting widely used security tools to auditing for defects and vulnerabilities. Three auditors from the project just subjected Truecrypt, Ciphershed (another Truecrypt successor) and Veracrypt to analysis and found some alarming bugs relating to Truecrypt when run under Windows XP, some of which had already been patched in a new version, others as-yet-unpatched. The authors provide some advice for mitigating these defects -- though running Windows XP has its own problems that no amount of Veracrypt can solve.

While the time-boxed nature of the engagement prevented auditors from reviewing the source code in its entirety, the most relevant areas were investigated thoroughly. The assorted AES implementations in both parallel and nonparallel XTS configurations were a particular point of focus. Testers looked for implementation errors that could leak plaintext or secret key material or allow an attacker to use malformed inputs to subvert the TrueCrypt software. Additionally, the random number generator implementation and usage were reviewed for errors that could lead to predictable outputs used in secret keys. The SHA-512 hash function, concomitant key derivation functions, and integration of keyfiles were checked for similar problems.

The header volume format and protection schemes were evaluated for design and implementation flaws that could allow an attacker to recover data, execute malicious code, or otherwise compromise the security of the system. The cipher cascades were reviewed, and noted to behave in the most conservative manner possible (that is, applying the entire block cipher mode successively). The unusual legacy mode that cascades two ciphers with different block sizes was noted, but did not appear to have

Cryptographic Review
[Alex Balducci, Sean Devlin, Tom Ritter/Open Crypto Audit Project]

VeraCrypt security audit reveals many flaws, some already patched
[Zeljka Zorz/Helpnet Security]

(via /.)