Add VeraCrypt to Disk Encryption? #1273
Comments
|
a) what does "successfully audited" mean? |
|
The audit has been completed with "No major issues". There was a minor flaw in the Windows version but it wasn't anything serious. I found contradicting reports saying that the issues have already been fixed and that the issues will be fixed soon. So I'm not sure what to believe. I can contact the devs to see if the issues have been solved. |
I don't think that is correct. Have a look at the second paper of the audit. There were at least two vulnerabilities with high severity. |
|
I'm no security expert. I was just reading what some tech blogs I follow were saying about it. But I see what you mean now. I've contacted the head of VeraCrypt asking if these issues have been fixed. I'll see what he says. |
|
https://veracrypt.codeplex.com/wikipage?title=Release%20Notes&version=13 |
|
Looks promising. Do you know if they have references on their bug tracker/commit history regarding those? |
|
Hello Julian, There you go https://veracrypt.codeplex.com/SourceControl/list/changesets Cheers |
|
I wasn't asking for the whole commit history, but nvm. |
|
I didn't know what you meant by commit history. Like I said I'm new at this stuff. But wifiextender found it. So what's the next step? Can it be added to prism break yet? |
|
@wifiextender @hasufell was looking for the particular commits which fixed those vulnerabilities, not the entire commit history. (Just to clarify.) |
|
yes, something like #1163 (comment) |
|
Hello Julian and Alex, How ya doin fellas ? Will list one of the "vulnerability reported by Open Crypto Audit" that was solved here Look for all commits between the dates january 4th and april 5th, those are the commits that solved the described changes in their "Release Notes" page. It shouldn't take you more than 15 minutes to find them all. The commits after january 4th will end up in the april's release notes. Cheers |
|
I have come to the realization that they haven't fixed "AES implementation susceptible to cache-timing |
|
If what @dpelletier360 is saying is true than that definitely puts VeraCrypt’s inclusion here to a stop until that is fixed. That was one of the 2 most dangerous vulnerabilities found by the audit. |
ghost
mentioned this issue
|
I contacted them and they told me that the cache timing issue is not a problem unless you're on a server like setting. Also it seems like solutions to the issue are patented. He links to a discussion where our explains everything. Does this allow us to proceed? |
|
Do we know if dm-crypt/LUKS has the same cache timing vulnerability? @hasufell? If they have been able to solve it then we should hold off on VeraCrypt and keep pushing LUKS. I am keeping my eyes on the cache-timing issue over at CipherShed as well. |
It's a completely different codebase, so I think we don't "know" it until someone will actually look for it. It uses the cryptographic API of the kernel and the kernel team doesn't like to announce security vulnerabilities, because of two reasons afair:
They've done that for years and seem to like it. So you'd really have to research on the code AND the git history of those subsystems in order to know what is and what happened. |
|
Any news about the vulnerability issues of veracrypt? |
|
in Mid-October, The Open Source Technology Improvement Fund (OSTIF) commissioned QuarkLabs to audit Veracrypt. The audit found the following: Veracrypt has released an update addressing many of these vulnerabilities. full report: https://ostif.org/the-veracrypt-audit-results/ I thought I'd add to this issue which hasn't had any updates since June 2015. |
|
Thanks @Kewjoe that's very relevant information. Can you perchance point to a source which delineates which issues are now claimed to be fixed and which are outstanding? |
|
The high level summary: The fixes include: Removal of XZip and XUnzip. These were replaced with modern and more secure zip libraries (libzip). Fixes implemented for the vulnerability described in section 5.1 (password length can be determined in classic bootloader). Fixes implemented for the vulnerability described in section 7.1 for the new bootloader. (keystrokes not erased after authentication) Fixes implemented for the vulnerability described in section 7.2 for the new bootloader. (sensitive data not correctly erased) Fixes implemented for the vulnerability described in section 7.3 for the new bootloader. (memory corruption) Fixes implemented for the vulnerability described in section 7.4 for the new bootloader. (null pointer, dead code, inconsistent data reads by ConfigRead, bad pointer in EFIGetHandles, null pointer dereference in the graphic library.) Updates to user documentation for other vulnerabilities that can be closed by user practices. Reading through the first few pages of the audit, it sounds like all the critical things were fixed. The remainder is less critical and requires more substantial code changes to resolve. I'm not well versed enough to determine if these remaining items are cause for serious concern or not. But from my limited knowledge, they don't seem too severe. |
One of the few encryption systems outside the control of the USA, like Grasshopper. |
|
What's our action item here? AFAICT it's making sure the problems found in that audit were fixed right? |
|
So in other words Veracrypt is not a safe option to use? Is that what you are saying? |
|
VeraCrypt is still safe. Why here are posted old bugs, which are fixed? Also read the Quarkslab audit that was funded by OSTIF |
|
That audit was done for v1.19. Veracrypt v1.22 was released a few hours ago. |
|
Lol? A new Version doesnt mean its now unsecure and you cant audit every Version. |
and others
Now that TrueCrypt has been successfully audited. Would it be safe to add VeraCrypt to the Disk Encryption section for Windows since it is based of TrueCrypt? It is open source software as well.
The text was updated successfully, but these errors were encountered: