The Fall of TrueCrypt and Rise of VeraCrypt
The Fall of TrueCrypt and Rise of VeraCrypt
Recently a paper was published that showcased problems with BitLocker, and where it was possible to comprise SSDs which use hardware encryption. The researchers recommended open-sourced software, such as VeraCrypt (and which is based on TrueCrypt):
The History of TrueCrypt
On 28 May 2014 2014 visitors to the TrueCrypt site found a message of:
The development of TrueCrypt was ended in 5/2014 after Microsoft
terminated support of Windows XP. Windows 8/7/Vista and later offer
integrated support for encrypted disks and virtual disk images.
Such integrated support is also available on other platforms
(click here for more information). You should migrate any data
encrypted by TrueCrypt to encrypted disks or virtual disk images
supported on your platform.
For an open-source project which supported a wide range of computer types and languages, it was a strange message to say that users should move to a closed-source and commercial solution. From a software solution that supports most types of modern computers, and is free to use, Bitlocker is part of Microsoft Windows, and which requires a licence for a version of Microsoft Windows that supports disk encryption.
Some basics of encryption
Most encryption uses a secret encryption key, which is used to encrypt and also to decrypt. This is known as private-key encryption, and the most robust of these is AES (Advanced Encryption Standard). The key must be stored somewhere and is typically placed in a digital certificate which is stored on the computer and can be backed up onto a USB device. The encryption key is normally generated by the user generating a password, which then generates the encryption key.
Along with this, we need to provide the identity of the user, and also that the data has not been changed. For this, we use a hash signature, which allows for an almost unique code to be created for blocks of data. The hashing method used in TrueCrypt is SHA-512.
A Brief History of TrueCrypt
TrueCrypt is an open-source disk cryptography package, which has been around since February 2004 and maintained by the TrueCrypt Foundation. It has versions for Microsoft Windows, OS X, Linux, and Android, and supports 30 languages. David Tesařík registered the TrueCrypt trademarking the US and the Czech Republic, and Ondrej Tesarik registered the not-for-profit TrueCrypt company in the US. It works by creating a virtual drive on a computer, and then anything which is written to the disk is encrypted, and then decrypted when the files are read back. For encryption, it uses private key encryption with AES, Serpent, or Twofish (or combinations of these), and uses hash functions of RIPEMD-160, SHA-512, and Whirlpool. In modern systems, AES is seen to be the most secure, and SHA-512 provides state-of-the-art signatures. The encrypted drive does not have a magic number that identifies the presence of TrueCrypt, but forensic analysis can reveal a TrueCrypt boot loader, after which a hacker might try different passwords to unlock the drive.
So what happened?
Internally, with Version 7.1a, there had been an audit on the code, with an announcement on 28 May 2014 that there was a discontinuation of TrueCrypt, along with the release of a version of 7.2 (which was intentionally crippled and contained lots of warnings in the code). The updated licence (TrueCrypt License v 3.1) contained the removal of a specific language that required attribution of TrueCrypt. Never in the history of software had there been such an abrupt end, and where the developers did not even want a fork of their code. A recent email from a TrueCrypt developer (on 16 June 2014) outlined that they did not want to change the license to an open-source one, and that the code should not be forked.
Backdoor?
Some reckon that there was an ongoing code audit and that an NSA-created backdoor was due to be found. Again, something that the smoke-screen was then put up to move towards a closed-source alternative, which some reckon, also has an NSA-enabled backdoor. Few security professionals, especially those involved in the creation of encryption software, would have recommended Microsoft technology.
The mystery remains about the code, but there are some strange pointers that give some clues. A strange one is that, with the code, “U.S.” has been changed to “United States”, which could point to an automated search and replace method of changing the code to reflect a possible change of ownership of the code.
The other strange thing about the post is that the page created for the re-directed looks as if it has been created by a complete amateur:
and even the Wayback engine was having trouble finding the pages from the past:
So was it a back door or could it have been a bug, in the same way that OpenSSL was exposed?
Code bug?
If there is a code bug, the light is likely to shine on one of the weak points in cryptography, which is the generation of a pseudo-random number, which is almost impossible on a computer. One way of doing this is to randomly use the time between keystrokes for users, but if an intruder can guess these, they can significantly reduce the range of numbers used for the cryptography process. This could have been the Achilles heel of the code, and that the audit process could have uncovered a flaw, which others could exploit. In the case of TrueCrypt, the random number was generated by the user moving a cursor across the screen, and it could be this method that caused the problem.
Another possible problem focuses on the actual binary code produced. Even if the source code does not contain any bugs, it will be converted into machine code, which could expose problems that could be exploited. Overall, most users will generally download the binary distribution, as it is often too difficult to build the code from scratch. Thus there could have been an exploit within the binary distributions which could be compromised. Often developers forget that their code can be run within a debugger to view, and even edit, the code. With the code built for so many systems, it would have been almost impossible to make sure that the compiled code would be secure from being tampered with.
Will it die?
While the licence possibly prohibited a fork of the code, new groups, working outside the US, started to recreate the code in order to overcome the licencing issues. One of the most successful has been VeraCrypt:
The Problems with Disk Encryption
Many see the encrypting of disks as the ultimate method of security, but, unfortunately, it suffers from many problems. These include:
- When the user uses a weak password can make it fairly easy for an intruder to crack, as they continually try common passwords.
- The encryption key is stored in running memory which is protected when TrueCrypt is running, but researchers have shown that a warm boot (that is, one which starts from a Ctrl-Al-Del, rather than from a power-up) can release the lock on the memory and reveal the encryption key.
- The domain administrator has a copy of the encryption keys. Most users in companies connect to a domain, and the domain administrator normally has a copy of the encryption keys for the encrypted drive (and which normally can be used to decrypt the disk if the user forgets their password). If the domain is breached the encryption key can be stolen and used to decrypt the drive.
- The electronic key must be stored somewhere, and this is normally on a digital certificate. This is stored on the system and can be cracked by brute-forcing the password on the digital certificate.
Want to learn how TrueCrypt and VeraCrypt protect the symmetric key on the disk and link this to the password: