LFI to RCE via access_log injection

on
18

#VeraCrypt a Worthy #TrueCrypt Alternative

on


If you're reluctant to continue using TrueCrypt now that the open source encryption project has been abandoned, and you don't want to wait for the CipherShed fork to mature, one alternative that's well worth investigating is VeraCrypt.
VeraCrypt is also a fork of the original TrueCrypt code, and it was launched in June 2013. IT security consultant Mounir Idrassi, who is based in France, runs the project and is its main contributor.
Idrassi's motivation for developing VeraCrypt stems back to 2012 when he was asked to integrate TrueCrypt with a client's product. Before doing this he carried out a security audit of the code and discovered some issues. "There were no big problems, no backdoors or anything like that. But there were some small things, so we decided to start VeraCrypt," he said.
Idrassi said the main weakness in TrueCrypt was that - in his view - it was not secure against brute force attacks. Specifically, the way the software transformed a password to derive a key was not good enough, he said. "TrueCrypt uses a transformation that is not very complex. It is not sufficient, especially now with cloud cracking systems," he explained.

TrueCrypt Weakness

In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations.
What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said.
While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force. "Effectively, something that might take a month to crack with TrueCrypt might take a year with VeraCrypt," Idrassi said.
As a result of this change, the VeraCrypt storage format is incompatible with TrueCrypt. While that could be a problem for anyone looking to move from TrueCrypt to VeraCrypt, Idrassi said he is working on a conversion tool which will be available within the next three months.

Better than TrueCrypt

As well as increasing the number of iterations that are carried out, Idrassi said he has addressed weaknesses in the API and drivers, and in parameter checking. The code has also been run against static analysis tools and changes made to correct defects that the analysis detected.
"Our focus has been on security so far, but the next step will be to add new features," Idrassi said, adding that new features will include compatibility with UEFI (to make the software work with  Windows 8 and 10, for example)  and capabilities for steganography – used to hide information in things like digital image files.
An obvious question to ask is whether Idrassi has considered teaming up with the CipherShed project. He said he was contacted by Bill Cox, a member of the CipherShed project management committee, back in June and asked to help, but he is too busy. "I don't have a lot of time but I can certainly contribute patches and things like that," he said.
But there are other reasons why Idrassi is reluctant to get involved.
"The main issue I have is that we don't agree on one thing: CipherShed think it is OK to continue using the TrueCrypt format (using the smaller number of iterations.) But we don't consider it secure enough - not to provide a high level of security against people or organizations with huge resources," he said.

The NSA Effect

Idrassi hinted that breaking compatibility with TrueCrypt is a good idea for another reason too. "For more than 10 years, law enforcement agencies have developed an infrastructure and tools to do forensic analysis of TrueCrypt volumes," he said. 
Changing format and adding complexity is therefore not something that security agencies welcome, which, he suggested, makes it a problem for any U.S. based developers to contribute to VeraCrypt. "If you contribute to a project like this then you will be on a watch list in the U.S. We are based in France, so this is not a problem for us," he said.
As a result, VeraCrypt has few contributors apart from Idrassi himself. "This is not a game," he said. "It is very serious and we do it as professionals. We are very clear: The project is public, the French authorities are aware of it. But that's why not a lot of people contribute."

No TrueCrypt Conspiracy

As for the reason that TrueCrypt was abandoned by its original authors, Idrassi sees no cause for alarm. "I am sure the people involved in TrueCrypt couldn't have stayed anonymous and the security agencies knew who they were," he said.  "But when you look at the code, you get the idea that these people must have been in their 40s back in 1995. So now they are in their 60s, and they are probably tired or retired.
"When they stopped the project they knew that it would cause new initiatives to start. I certainly don't believe there was anything suspicious,"Idrassi said.


Comments

Thomas More said…
Need a virtual sidekick to ace your Pay Someone to Take My Online Exam? Look no further! I'm Thomas, your trusty companion in your academic journey. Together, we'll conquer the digital realm of education.
August 22, 2023 at 7:05 PM
Post a Comment