Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Open Source Security Software

TrueCrypt Alternatives Step Up Post-Cryptanalysis 83

msm1267 writes: What's next for TrueCrypt now that a two-phase audit of the code and its cryptography uncovered a few critical vulnerabilities, but no backdoors? Two alternative open source encryption projects forked TrueCrypt once its developers decided to abandon the project in early 2014, giving rise to VeraCrypt and CipherShed — and both are ready to accelerate growth, compatibility and functionality now that the TrueCrypt code has been given a relatively clean bill of health.
This discussion has been archived. No new comments can be posted.

TrueCrypt Alternatives Step Up Post-Cryptanalysis

Comments Filter:
  • good job (Score:5, Insightful)

    by slashmydots ( 2189826 ) on Tuesday April 07, 2015 @03:05PM (#49424755)
    So the NSA or whatever succeeded in turning one software program into two. Good job, guys. They're probably foreign-managed too so the US gov can't touch them.
    • You're jumping to conclusions. The strong-arm-government theory is certainly plausible - it explains the outright weird exit of the developers, as if they wanted to signal something was going on but were under legal threat. That doesn't have to mean the NSA though: The developers might not be in the US, and there are plenty of other governments who might also exert pressure to subvert a project like truecrypt. Most of them, even. They are probably in an English-speaking country, so it might have been the wo

    • by gsslay ( 807818 )

      How do you know they aren't US gov managed?

  • What exactly does that mean? Granted, I don't use TrueCrypt but lately I've felt the need to encrypt some of my private emails and videos.
    • by mcl630 ( 1839996 )

      It means they didn't find any backdoors, and the four vulnerabilities that were found weren't critical (despite what the summary incorrectly says).

    • What exactly does that mean? Granted, I don't use TrueCrypt but lately I've felt the need to encrypt some of my private emails and videos.

      My reading of the results is that while no backdoors were found, there were some vulnerabilities found, which are being addressed in the forked projects. That's about as good as could be expected, really, since all software has bugs.

  • by Resol ( 950137 ) on Tuesday April 07, 2015 @03:09PM (#49424779)
    I've been using TrueCrypt for a long while (in fact still do), but I'm interested in what others use and their justification for its use? (e.g why?) I'm certainly not expert enough to audit any code myself, so I eventually have to just trust something.
    • by Anonymous Coward

      I use truecrypt still also. Why? Because it's the only product that's been so thoroughly tested. And I'm not changing until I find something with the same level of testing.

      It's obvious to me that the truecrypt project was shutdown at the governments coercion. Truecrypt provides undefeatable security if used correctly.

      Not only that, but it stops the hard drive firmware attacks that look for a magic word.

      • by fisted ( 2295862 )

        Not only that, but it stops the hard drive firmware attacks that look for a magic word.

        What?

        • If you compromise a drive firmware, what do you do with it? There's nothing much you can do to get data out, but one speculation is it could be used for a remotely triggerable DoS attack: If the drive detects a key phrase (likely a 128- or 192-bit sequence) written, it locks up or self-erases. Easy enough to, say, put the sequence into a URL so a web-server will log it, or send it to an email server. The ability to trigger such would be a powerful first-strike attack in any major conflict, and a good way to

    • Truecrypt is very popular, (more eyes and faster bugfixes) user friendly, and is the ONLY audited, open-source software with its features. I don't see any reason to use something else.
    • Well I still use it. I like it because it is fairly simple to use and very portable. I have a few TrueCrypt files that store info I would rather not become public (scanned tax documents, financial docs, scanned identity docs, other important docs) but would like to have an easy electronic access to if out somewhere. Also since a TrueCrypt volume is just a file I can easily back them up and move them. So I have the main files on my computer, keep a backup of them in the safe on a USB drive, have another back
  • Instead of asking "what now", doesn't anyone wonder why TC chose to self-destruct, invoking its own canary and refusing to let anyone keep the name?

    If the devs just wanted out, they could have passed on the name to a blessed successor. Even if they wanted to act petty and protect the name for no good reason, they didn't need to invoke their canary. Something about this just doesn't make a whole lot of sense.

    Hmm, if we question whether or not we can trust that the NSA didn't get to the original devs...
    • That dead horse has had about enough, that's why. Try googling it, as there's plenty of speculation out there. But in light of the fact that the TC devs have been silent, speculation is all you're going to get.
    • by ajegwu ( 1142365 )
      Yeah, I've been thinking that the way they went out is a lot more perplexing now that the audit came up clean.
    • by gurps_npc ( 621217 ) on Tuesday April 07, 2015 @03:31PM (#49424927) Homepage
      Because they did NOT get to the original devs - they tried and FAILED. The devs refused to bow down to their orders and shut down the project.

      Getting to the auditors is harder than getting to the devs, because anyone can be the auditor.

      The thing about a free society is that the fact that we find out about the tyranny. That makes paranoid fools think their is more tyranny going on. But the truth is that real tyranny hides.

      In North Korea, they would not have shut down the the devs, the devs would have put the back door in and kept their mouth shut.

      Here in the free world, the devs say no and shut it down, because we have more freedom than they do.

      • > The devs refused to bow down to their orders and shut down the project.
        > Here in the free world, the devs say no and shut it down, because we have more freedom than they do.

        Huh?

        Cognitive dissonance much??

        You are going to argue they have _more_ freedom yet under duress they complied? How the fuck is this "more" freedom??

        **IF** they had this mythical freedom you claim then the original TrueCrypt devs would NOT have felt the need to shut it down.

        The only think the TrueCrypt devs showed is that they ha

        • They did NOT comply.

          The order was not "shut down" - the US government is not stupid enough to give that order. It's against the basic principles of Capitalist Republic Democracy.

          Any non-psychotic person can easily tell that the NSA went up to them and said:

          "Hey, you TrueCrypt people, making a safe, un-crackable encryption system? You are going to put in a back door to let us, the NSA in - and you are NOT going to tell anyone about our order or you will go to jail."

          The order the NSA gave was legal.

          • by tlhIngan ( 30335 )

            "Hey, you TrueCrypt people, making a safe, un-crackable encryption system? You are going to put in a back door to let us, the NSA in - and you are NOT going to tell anyone about our order or you will go to jail."

            The order the NSA gave was legal. The true crypt devs are law abiding people. But they weren't going to obey the NSA. So the True Crypt Devs said "Screw that shit, we shut down."

            And how do you propose the Truecrypt devs do that?

            Remember, TrueCrypt is open-source. Anyone can go and diff the sources b

          • It's also possible, and possibly more likely, that the devs simply abandoned the project because they couldn't or didn't want to put any more time into it. There's literally zero information about why they pulled the plug.

            The devs of both the forks referenced in TFS have said the TC source contains a lot of problematic code. CypherShed has said they think the NCC audit wasn't detailed enough and was too high level to uncover all the issues.

            • It's even possible that the (anonymous, uncompensated) devs were looking at all the crap they were going to have to change and deal with as a result of UEFI, signed bootloaders, etc. and otherwise increasingly restricted hardware and said "screw this, I have kids now, maybe my own startup, I have a ton of things I can spend my time on that are just as satisfying and that I don't have to avoid talking about with anyone."
              • It's possible, but why not then put a one line message on their web page that said they grew tired on the project and no longer wish to develop it.

                That's not what they did. They put up a page that said "ZOMG this is insecure don't use it!" then disappeared.

                No matter how you look at it, that's not someone you can trust to keep your data secure.

          • by Kjella ( 173770 )

            You on the other hand are a wanker that thinks normal people - who are not anywhere near wealthy enough to defend themselves against the full might of a TREASON charge

            Not even Snowden is going to be charged with that:

            Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.

            Of course they have a fair selection of others if they want to "throw the book" at you, unless you end up at Gitmo for waterboarding instead. But you get that one fig leaf to cover behind at least.

          • Most of the time the simplest answer is the correct one.

            We have a project that hadn't seen an update in years, all development effort had stopped and the people behind it were basically gone.

            On one hand you have a claim of an order to backdoor the software that hasn't seen an update in ages. An order that contrary to your claim would NOT be legal.

            On the other hand you have a claim that the software developers basically realized that unmaintained software is more dangerous than no software because it implies

            • Your solution does not explain why they wouldn't SAY that's what they were doing and why.

              As such your simplest explanation fails badly.

              My explanation may be wrong - but it not tinfoil hat. The NSA has done far worse things than illegally put back doors into software. More importantly, I was using overly specific example to convince a real tin-foil hat guy that he was crazy. I don't claim to know the specifics - I don't know if it was the NSA or some other agency, nor do I know the specific or

              • Baloney. They were concerned about security, they were shutting down a security related project. The logical "explanation" is to point people at the other solutions that exist to provide the same functionality. Like most logical people they probably figured people would take them at their word and not play pseudo conspiracy theory with why they quit. But like most logical people they failed to take into account the wacko's like you that would read a conspiracy theory into a clean shutdown.

                What you suggested

                • You seem to be assuming that TrueCrypt was based in the US. I don't think we can make that assumption.

                  As far as I know, the NSA tries to abide by the law, but I'm not convinced it does all the time, even the tortured interpretations of the law they use. I certainly wouldn't trust anybody in the NSA if they denied it. Nor, if it was in the US, was it necessarily the NSA. The FBI might have pressured them, like they did LavaBit. The government may not have had a legal leg to stand on, but that doesn't

        • Would you concur that 0.6 is larger than 0.5? Then why do you have a hard time understanding what gurps wrote?

    • Instead of asking "what now", doesn't anyone wonder why TC chose to self-destruct, invoking its own canary and refusing to let anyone keep the name? If the devs just wanted out, they could have passed on the name to a blessed successor. Even if they wanted to act petty and protect the name for no good reason, they didn't need to invoke their canary. Something about this just doesn't make a whole lot of sense. Hmm, if we question whether or not we can trust that the NSA didn't get to the original devs... How can we trust that they didn't get to the auditors? "Yup, all clear! Enjoy! (Can I have my kids back now, Mr. Suit?)"

      We'll never know for certain but one theory is that, being just a couple of developers doing it in their own time for no money, and perhaps with family and other concerns, they just got sick of it. However it would have been nice if the bastards could have at least given us a clue as to why they left.

      One big disappointment for me is that the audit did not cover the plausible deniability function of Truecrypt, something that could be crucial if you live in an authoritarian right wing state — such as t

    • Instead of asking "what now", doesn't anyone wonder why TC chose to self-destruct, invoking its own canary and refusing to let anyone keep the name?

      I don't see why anyone should bow down to what the original developers wanted. They walked away from the project so the name and the code should be up for grab.

      Anyone want to pick up where they left off and use the name truecrypt should go right ahead and do so. What are the original devs going to do? Sue them?

  • Did they finished the Step 2 of the analysis?, it's weird, i didn't see it anywhere.
  • by dargaud ( 518470 ) <slashdot2@nOSpaM.gdargaud.net> on Tuesday April 07, 2015 @03:31PM (#49424921) Homepage
    So, how retro-compatible are they ? Can you take any kind of TC container (file or device) and open it into those newcomers ? Or do you have to transfer the content into a new container ?
    • VeraCrypt is incompatible with TrueCrypt containers (and vice versa).

      Also, VeraCrypt apparently beefs up the security, which results in containers taking minutes to mount instead of seconds. Argh.

      • by cfalcon ( 779563 )

        The big thing here is that none of these files have a header- if they did, they wouldn't be indistinguishable from randomized data. When you type in a key, it uses a hash over a certain number of repetitions (a lower number for truecrypt, a massive one for veracrypt). It then tests the hashed key. If this fails... it tries with the next possible hashing algo. It goes strictly in order- there's no way to say "just use Whirlpool" or whatever. So if you chose a hash further down the list, you are waiting

      • Not true; the latest version of veracrypt CAN open old truecrypt containers and volumes. But yes, the older format is less secure.

      • by Steve B ( 42864 )

        The latest versions of VeraCrypt can mount TrueCrypt containers. They also allow you to select the hash algorithm (instead of autodetecting) when mounting disks, which speeds up the process (I've never found it to take more than 15 seconds on a six-year-old computer).

  • Which should i use?
    • Yes, should I use a VeraCrypt container encrypted by CipherShed...

      ...or a CipherShed container encrypted by VeraCrypt?
  • Cut off one head and two will emerge!

If all else fails, lower your standards.

Working...