VeraCrypt Is the New TrueCrypt -- and It's Better

New submitter poseur writes: If you're looking for an alternative to TrueCrypt, you could do worse than VeraCrypt, which adds iterations and corrects weaknesses in TrueCrypt's API, drivers and parameter checking. According to the article, "In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations. What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force."
  • Brute force (Score:5, Funny)

    by Anonymous Coward on Monday October 13, 2014 @06:46PM (#48135451)

    Brute force via software? No, no. You're going about it wrong. You need to apply brute force to the operator.

    • Oblig xkcd (Score:5, Funny)

      by PPH ( 736903 ) on Monday October 13, 2014 @06:57PM (#48135551)
      • The Real "Brute Force" approach.

      • Re:Oblig xkcd (Score:5, Insightful)

        by davydagger ( 2566757 ) on Monday October 13, 2014 @07:16PM (#48135705)
        that's somewhat bullshit, because rubber hose cryptography is almost as much fantasy as what they criticize. What is depicted is likely maybe 1% of all scenarios where encryption would help you.

        Beating the password out of someone is more an act of romantic fiction than standard practice, just about anywhere in the world. While XKCD recognizes that most nerds obviously aren't James Bonds, what they miss is most digital adversaries aren't James Bond Villains either.

        1. Most of the time, the person is simply going to either steal, or subversively copy your encrypted disk, so you don't even know they are looking for it. Read: what the NSA or any other wiretap is doing. They count on surprise that you don't know you're being monitored. Hence they can't hit you, and expect that you remain unaware they are after your data. If they can't break the cipher, they can't break it. More likely, it's not going to be a three letter agency, and just a common thief, who will not have the resources or ability to try to beat you for the password, and certainly does not want to confront you, just get your information without you finding out and changing your passwords.

        2. Another situation is where they do confront you, but they simply don't have the political will to beat you for your password. More common than you'd think, because, well, simply put, beating people doesn't make a regime popular with its constituents. You're going to have to be accused of something fairly bad before it becomes acceptable. If you have a hidden encryption scheme like TC does, and they don't know if it's there for sure, they could beat you all day long and they'd never know if you were telling the truth or not. Torture is not effective. This has been known for centuries. Despite what the defeatists will tell you. Torture in war is done more to break the spirit, will and emotions of the enemy than it is for information. Or just for the kicks or emotional benefit of really pissed off angry people.

        you can look up US case law on this.

        3. If your adversary is in the government, your adversary might not be the entire government or entire system. Encryption that police cannot recover on their own might help you, if the cops are crooked as shit, but the DA, Judge, or someone else in the system cares. Encryption that can last long enough to make it into the court room can save your otherwise wild and heinous accusations against police misbehavior. Don't give the cops the opportunity to tamper with the evidence, or force them to hand you a subpoena or warrant, or hold out on giving up your keys until talking with a lawyer will give you many more options.
        • What's about Somalia law?

          • by Lumpy ( 12016 )

            You must fire your ak47 above your head sideways for the greatest accuracy. That is Somalia Law.

        • by PPH ( 736903 )

          you can look up US case law on this.

          This is an international website. I can also look up this [wikipedia.org].

          • Re:Oblig xkcd (Score:5, Insightful)

            by davydagger ( 2566757 ) on Monday October 13, 2014 @09:56PM (#48136805)
            Even with "mandatory key disclosure" during criminal trials, you have the benefit of needing to go to trial to give up your keys. The police can't randomly search your data, which is why encryption the police cannot break becomes a major lever against police abusing their power. That's the point. They need a warrant, which means they need a judge, and probable cause, and a paper trail you can fight in court.

            Even if that's all bogus, it becomes public record, so the public can have an informed debate over who the police are searching and why.

            As opposed to breakable crypto, where the cops can just crack anyone's setup, without the need for justification.
          • This is an international website. I can also look up this [wikipedia.org].

            Key disclosure laws, huh? Ok, my key is ABC123.

            What do you mean it didn't work. Shit. Ok, try QWERTY1234567890.

            Still nothing? Dammit. Sorry guys. Ok, I'll need access to a writing pad and a random number generator ....

        • Re:Oblig xkcd (Score:5, Insightful)

          by hairyfeet ( 841228 ) <bassbeast1968.gmail@com> on Tuesday October 14, 2014 @01:07AM (#48137867) Journal

          "Torture is not effective"...sure it is, you are just doing it wrong. What you have to do is the way the cops do it which is NOT to torture and threaten the subject but instead go after their families and you'll get whatever you want quite easily.

          The cops do this kind of shit all the time and the reason why is because it often works without even having to do the deed, just the threat of the action is enough. You tell a parent you are gonna send their kids to the nightmare that is the foster care system, if they have a relative in trouble threaten to bury them in charges, and of course if they are on any kind of aid it's quite easy to threaten them with homelessness.

          Rubber hoses are 1950s tech Daddy-o, mental anguish works a LOT better and doesn't leave any marks that will come back to bite you in the ass.

          • Torture is NOT effective at getting the truth.

            It is pretty darn effective at getting people to talk.

            Passwords however can be easily verified. As such, you can torture people to get a password, while you can not torture people to find out if they committed the crime.

      • Re:Oblig xkcd (Score:5, Interesting)

        by Will_Malverson ( 105796 ) on Monday October 13, 2014 @10:40PM (#48137109) Journal

        I've posted this before, but I want to get this idea out there:

        Here's how to make your password truly secure, if you really have something you want to hide:

        1) Get fifty dollar bills. Maybe get some fives and tens mixed in with them. Total cost less than $100.

        2) Shuffle them into a random order.

        3) Set your Truecrypt (or Veracrypt, or whatever) password to be the hundred-digit number formed by taking the two least significant digits of the bills' serial numbers, in order.

        4) Keep the stack of cash next to your computer, and make sure you don't let it get out of order. If you lose - or even just drop - the stack, it's game over. If/when you find yourself starting to remember the password and able to enter it without referring to the stack, shuffle the stack and change your password.

        5) If an adversary raids your house, chances are that the stack of cash will simply vanish into a pocket. And if that doesn't happen, odds are pretty good that the stack will be scrambled, especially if there are different denominations mixed in.

        6) At this point, your password is well and truly gone. No amount of rubber hose cryptography can bring it back.

        7) The best part about this plan is you don't have to actually do it. Your password can be your dog's name, as long as you're willing to stick to your story - and it helps if you actually keep a stack of cash next to your computer - that you did steps 1-4.

        • by AmiMoJo ( 196126 ) *

          The number of possible passwords using such a scheme is too low. The police could easily employ someone to write a little app that tries them all in a reasonable period of time.

          • by u38cg ( 607297 )
            Erm, that's 10^100 possibilities. At 1000 guesses per second, that's 3.2e89 years to try them all, so about 1.6e89 years on average.

            I guess it depends what you consider reasonable, though.

            • by AmiMoJo ( 196126 ) *

              1000 guesses per second is way below what modern hardware is capable of. Have a look here: http://golubev.com/gpuest.htm [golubev.com]

              Even older GPUs can manage tens of millions of guesses per second.

              • by u38cg ( 607297 )
                One can generate guesses at any rate, but it depends entirely on the encryption scheme how quickly you can test them. And I would point out that 10^100 is a little bit more entropy than a typical password of ~100^10 characters.
            • by Kjella ( 173770 )

              Actually if you "stick to the story" there's only 50 dollar bills to choose from and once chosen it's eliminated from the set so 50*49*48*.... = 3*10^64 combinations. Less if any of the bills have identical last digits, which is likely due to the birthday paradox. And if they were just counted and put in an evidence bag most of the bills are in the right order. If they count the ones, either in order or reverse order and the only thing you need to figure out is where a few fivers or tens go that's cryptologica

              • by u38cg ( 607297 )
                There are 50! possible passwords formed by the bills, yes. I admit that this makes a massive difference to my analysis: now you're talking on the order of 10^53 years. Ramp it up to a trillion guesses a second and you're down to 10^44 years. As for the practicalities, it's not perfect, but it is at least plausible, and I struggle to see that you're going to prove that the pile is as-found.
    • by magarity ( 164372 ) on Monday October 13, 2014 @07:48PM (#48135937)

      You need to apply brute force to the operator

      That's why my password is "I'll never tell!"

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Shit. Someone just hacked my /. account. Please give it back?

  • by mveloso ( 325617 ) on Monday October 13, 2014 @06:52PM (#48135511)

    Wow, going from 2000 to 327,661 iterations sounds like a big deal. Does that actually add any value, or is that like doing rot-13 a million times?

    • by exploder ( 196936 ) on Monday October 13, 2014 @07:01PM (#48135601) Homepage

      Wow, going from 2000 to 327,661 iterations sounds like a big deal. Does that actually add any value, or is that like doing rot-13 a million times?

      Any idiot knows you have to do it a million and one times.

    • rot-13 would be far more secure if you did it 1000001 times.

    • Wow, going from 2000 to 327,661 iterations sounds like a big deal. Does that actually add any value, or is that like doing rot-13 a million times?

      No, it actually helps, but you have to understand what they are doing before it makes sense.

      Usually they use an encryption technique that takes a fixed sized key, usually multiples of 8 bits or so. This means you can optimize the software (or hardware) to encrypt using say 16 bits. You want 160 bits in your key, so you run 10 times though, using up 16 bits of your key each time. However, with 160 bits, you can now change how you rotate the bits in the key. Say you advance only 2 bits each time, then you

    • It makes it harder to brute force, but maybe it was already hard enough to brute force.
      It doesn't help if someone finds a way around the encryption, a shortcut. That happens fairly often.

      What happens most often, probably, is in the middle - someone finds a half-shortcut, a way to crack it 10,000 times faster than brute force, but not instantly. In this case, more rounds may or may not matter - it just depends on how good the shortcut is and how many iterations you choose.

      Also, if the algorithm can be d

  • ...it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force."

    What an odd sentence. Did you mean "...it makes the software 10 to 300 times harder to brute force"?

  • by BrookHarty ( 9119 ) on Monday October 13, 2014 @07:14PM (#48135687) Homepage Journal

    Just goto the codeplex site and verify the commits this time!

    commits/date/comment

    2cf9790438f8 by Mounir IDRASSI (40 downloads) Oct 6 1:20 PM
    Windows vulnerability fix : finally make bootloader decompressor more robust and secure by adding multiple checks and validation code. This solves the issue found by the Open Crypt Audit project. Note that we had to switch to the slow implementation of the function decode in order to keep the size of the decompressor code under 2K.

    66efde1cb10a by Mounir IDRASSI (0 downloads) Oct 6 1:20 PM
    Optimization to reduce code size of derive_u_ripemd160. Useful for bootloader.

    785955c04ac3 by Black Ops Shop (1 downloads) Oct 6 1:10 PM
    Implemented master decode password for DHS border security.

  • by Anonymous Psychopath ( 18031 ) on Monday October 13, 2014 @07:15PM (#48135695) Homepage

    The source still contains the original TrueCrypt license.

    • by tepples ( 727027 )
      They have to rewrite everything before they can change the license. Rewriting everything in LAME, for example, took a couple years.
  • If he was going to change it why not go straight to scrypt, which is known to be resistant to GPU decryption?
    • by gweihir ( 88907 )

      Simple: scrypt is still not very good (linear speed-down for less memory), and there is currently a contest running for getting a better function https://password-hashing.net/ [password-hashing.net]

      It would be stupid to change things at this time.

  • Nobody was ever going to brute force the original TrueCrypt.

    • by gweihir ( 88907 )

      With a bad passphrase? Easy! 1000 iterations only add about 10 bits, so passphrases up to something like 40 bits are well in reach for brute-forcing.

  • by ourlovecanlastforeve ( 795111 ) on Monday October 13, 2014 @07:23PM (#48135749)

    Take this from a guy who saw someone go through a trial for doing The Very Bad Thing:

    You will give them the password.

    This is how it works:

    "If you give us the password and let us prove you're innocent we'll let you go. If there's anything in there that would prove you guilty we'll reduce the sentence. If you don't give us the password and we have to crack the encryption ourselves and we find out you're guilty, you're going away for a very long time."

    And then of course you give them the password, they find enough evidence to make you guilty and they don't reduce the sentence.

    They just inflate the original sentence to a much worse sentence, and then deflate it to the level they were going to hit you with anyways.

    • by GrahamCox ( 741991 ) on Monday October 13, 2014 @07:44PM (#48135915) Homepage
      So given that, the right thing is not to give them the password. Without it they cannot prove anything, however much pressure they apply. There may be the assumption that you have something to hide, but without proof, you're innocent, right?
      • Plenty of innocent people in jail.

      • by AmiMoJo ( 196126 ) *

        The problem is that there is always something they can get you with, something they can spin into a charge. The real question is will what they can spin without the password be easier to defend than what they can spin with a password, since either way you are going to be charged. At least with encryption you have a choice which bogus charges you want to face.

    • If you don't give us the password and we have to crack the encryption ourselves

      Yep I'll take those odds and plead the 5th.

    • The mistake is letting them think there is something "in there".

      "Those files are just a random collection of bits generated by Gnu Shred when the drive was formatted." is the correct response.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        No.
        The only correct response is: "talk to my lawyer" or some variation of that.

    • "If you give us the password and let us prove you're innocent we'll let you go. If there's anything in there that would prove you guilty we'll reduce the sentence. If you don't give us the password and we have to crack the encryption ourselves and we find out you're guilty, you're going away for a very long time."

      "Additionally, if you don't give us the password, you're going to sit in jail for contempt of court until you change your mind."
      • And go looking for more crimes to charge you with.

        There is no such thing as an innocent person. Everyone, without exception, has committed crimes. Lots of crimes. The only difference between an innocent person and a criminal is that the criminal has done something serious enough to bother prosecuting.

    • by Boronx ( 228853 ) <evonreis@mohr-enginee r i n g .com> on Tuesday October 14, 2014 @01:48AM (#48138059) Homepage Journal

      Never make a deal with a prosecutor without a judge approved plea bargain.

      A coworker was in a car accident with her sister driving. The prosecutor told her sister: "We're charging you with reckless driving. Just plead guilty and you'll get off with a small fine. I'll ask the judge to be lenient."

      They charged her with assault on her own sister. Confused, she pled guilty anyway, like she said she would. The prosecutor asked for the maximum penalty which includes jail time, and got it.

    • "If you give us the password and let us prove you're innocent we'll let you go. If there's anything in there that would prove you guilty we'll reduce the sentence. If you don't give us the password and we have to crack the encryption ourselves and we find out you're guilty, you're going away for a very long time."

      If they were able to send you away for a very long time then they would have sent you away for a very long time. Prosecutor isn't cooperating with your defense, why would you cooperate by slipping

      • by samjam ( 256347 )

        There is a point that you have to accept that you are not in control of the situation; when there is nothing you can do,

        The poor sister didn't want to believe that there was nothing she could do and so she accepted the lie that there was something she could do to make it better.

        And so she spoke when she should have been silent.

  • by ourlovecanlastforeve ( 795111 ) on Monday October 13, 2014 @07:27PM (#48135785)

    New submitter poseur writes:

    hey guyz get this new crypto for your puterz!!

    -TOTALLY NOT DHS

    • by joe_frisch ( 1366229 ) on Monday October 13, 2014 @08:10PM (#48136089)

      That is EXACTLY the problem. Determining a chain of trust is tricky. Producing a chain of trust that a non-expert can trust is almost impossible. Most users cannot verify the algorithms themselves so they have to rely on the evaluation of other people. But, how to trust those other people?

      Government organizations have the resources to flood discussion groups like this with reasonable-sounding statements about how well something has been verified, while discrediting anyone who posts a message disagreeing.

      If someone posts that I am wrong, how can I, or any non-expert know if the arguments against this post are valid?

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        > Producing a chain of trust that a non-expert can trust is almost impossible.

        Even a non-expert can see that this project is hosted on a Microsoft site. The same Microsoft that cooperated with every 3 letter agency known to man. As far as security and trustworthiness go this project is a joke right from the start.

        Projects located in the US are too much of a risk. The fact that Microsoft has direct access to the project is about as hilariously absurd as TrueCrypt's "go use Bitlocker" message.

    • Someone has already given it a 5-star rating so you can put your suspicions to rest!

      • by Boronx ( 228853 )

        Undoubtedly somebody much smarter than the low-rent cryptologists they hire at the NSA.

  • When you can't rip off a name in English, do it in Latin!

    But hey; at least it's better than CipherShed. My days of not taking FOSS names seriously are certainly coming to a middle.

    stealth joke alert

  • by znrt ( 2424692 ) on Monday October 13, 2014 @07:41PM (#48135893)

    layman here, but it surprises me that something is considered cryptographically secure when a mere 10x bruteforce cost factor makes a difference. even 300x sounds small. how difficult is it then to bruteforce with 1000 iterations? it should be unfeasible with foreseeable technology. the need to make anything unfeasible 10 times more unfeasible is counterintuitive to me.

  • by Zanadou ( 1043400 ) on Monday October 13, 2014 @07:58PM (#48136015)

    Note that VeraCrypt can't open existing TrueCrypt container files, nor can it create new container files that are backward compatible with TrueCrypt. Instead it suggests you do a clumsy, "un-encrypt, copy over, re-encrypt" lock-in process in order to "upgrade". At least the others (truecrypt.ch [truecrypt.ch], Ciphershed [ciphershed.org], Tcplay [github.com] / Zulucrypt [google.com], et al.) allow you to keep working with existing TC container files.

    Why this isn't in screaming bold text at the top of the VeraCrypt page (which is here [codeplex.com], btw), is beyond me.

    • by gweihir ( 88907 )

      If you use the existing container, you get its properties and hence its far too low password iteration numbers. It is a valid design decision to not support that.

  • by Anonymous Coward

    I don't use Truecrypt to protect myself from oppressive governments, I use it so that if my computer should get stolen, the thief can't get my data.

    This is something every computer user today needs, not just "enterprise" users.

    Windows 8.1 apparently finally has something built in to respond to this need, although it doesn't work for external drives and obviously isn't cross platform like Truecrypt is. And most computers don't have Windows 8.1.

    • by tepples ( 727027 )

      And most computers don't have Windows 8.1.

      Which new major-brand laptop computers that aren't made by Apple come by default with anything other than Windows 8.1?

      • Buy business. Just about all PCs/laptops aimed at business buyers come with Windows 7, because the number of businesses using Windows 8 is negligible.

        Most business buyers will immediately wipe the system and install from their own site-licensed image anyway though, which does make the lack of blank systems seem a little suspicious. Doubtless Microsoft is offering some very sweet deals to OEMs if they'll refrain from selling OS-less computers.

  • by JoSch1337 ( 1168265 ) on Monday October 13, 2014 @08:57PM (#48136435)

    Instead of 1000 iterations of ROT13 I applied 655,331 iterations and I already feel much safer!!

  • A good passphrase (>100 bits of Entropy) will be unbreakable even completely without iteration. For a bad passphrase, iteration adds effort. TrueCrypt was sadly outdated compared to other disk encryption tools, but is not in line with established wisdom again.

  • by heypete ( 60671 ) <pete@heypete.com> on Tuesday October 14, 2014 @04:15AM (#48138643) Homepage

    From the summary: "While this makes VeraCrypt slightly slower at opening encrypted partitions..."

    On my 2.4GHz, 4-core, 8-thread i7-3630QM mounting an encrypted partition using VeraCrypt takes ~18 seconds. It takes the VeraCrypt bootloader more than 40 seconds to verify my password and proceed with booting.

    Although one need only enter the boot password once at boot time, it's still a bit of a pain. A 1-5 second processing delay is reasonable, but more than 40 seconds? Either way, a few thousand iterations combined with a strong password makes brute-force guessing impractical so why bother with obscenely high iteration counts?

    I'd much rather that VeraCrypt (or other similar software) allow one to set the number of iterations so one could set the desired delay time based on their own hardware and threat model, and have the iteration count written to the disk so the software knows how many iterations to use. For me, I use such software to protect against theft by ordinary criminals: they're not going to bother decrypting the drive, so a second or two of iterating is fine. Those defending against more well-funded adversaries would be better served with more iterations.

    • The sad part really is that I don't think that going through that many iterations is going to anything but drive people away because of the performance impact. While I know RIPEMD160 is considered strong I don't think it's stronger than Keccak [tugraz.at] which is the SHA-3 winner.
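The two technical points raised above, heypete's wish for a user-tunable iteration count recorded on disk and gweihir's estimate that 1000 iterations buy about 10 bits of passphrase strength, worked through as an added example. This is not VeraCrypt's code or on-disk format: the header layout, the SHA-512 PRF (standing in for RIPEMD-160), the SHA-256 key verifier and the 1000-iteration floor are all assumptions made for this example, and the brute-force calculator also reproduces the u38cg/Kjella arithmetic on the stack-of-bills scheme.

```python
import hashlib
import hmac
import math
import os
import struct
import time
from typing import Optional

# Constructed header layout for this example (NOT VeraCrypt's real on-disk format):
#   magic (4) | iteration count (4, big-endian) | salt (16) | verifier (32)
# Recording the count next to the salt lets the opener honour whatever the creator chose.
MAGIC = b"EXHD"
SALT_LEN = 16
VERIFIER_LEN = 32
HEADER_LEN = 4 + 4 + SALT_LEN + VERIFIER_LEN
MIN_ITERATIONS = 1000            # floor: refuse to create or open weaker headers
VERIFIER_LABEL = b"header-verifier"


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512, 64-byte key (SHA-512 stands in for RIPEMD-160, which hashlib may lack)."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt,
                               iterations, dklen=64)


def make_header(passphrase: str, iterations: int, salt: Optional[bytes] = None) -> bytes:
    """Build a header that records its own iteration count plus a verifier for the derived key."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below floor")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = derive_key(passphrase, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return MAGIC + struct.pack(">I", iterations) + salt + verifier


def open_header(passphrase: str, header: bytes) -> Optional[bytes]:
    """Re-derive the key with the stored count; return it, or None if the passphrase is wrong."""
    if len(header) != HEADER_LEN or header[:4] != MAGIC:
        raise ValueError("malformed header")
    iterations = struct.unpack(">I", header[4:8])[0]
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below floor")
    salt = header[8:8 + SALT_LEN]
    key = derive_key(passphrase, salt, iterations)
    expected = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    # Constant-time compare so a wrong guess leaks nothing through timing.
    return key if hmac.compare_digest(expected, header[8 + SALT_LEN:]) else None


def calibrate_iterations(target_seconds: float, probe: int = 20000) -> int:
    """Pick a count so that one derivation takes roughly target_seconds on this machine."""
    t0 = time.perf_counter()
    derive_key("calibration", b"\x00" * SALT_LEN, probe)
    per_iteration = (time.perf_counter() - t0) / probe
    return max(MIN_ITERATIONS, int(target_seconds / per_iteration))


def bits_added(iterations: int) -> float:
    """Extra work the attacker pays per guess, expressed as equivalent passphrase bits."""
    return math.log2(iterations)


def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    header = make_header("correct horse", calibrate_iterations(1.0))
    print("opened:", open_header("correct horse", header) is not None)
    print("1000 iterations add %.1f bits" % bits_added(1000))
    print("50! orderings at 1e12 guesses/s: %.1e years" % years_to_exhaust(math.factorial(50), 1e12))
```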

  • yesyesyes, but can it stop the cops reading the sticky notes that ppl use to write down their passwords :P
