{"id":2096,"date":"2015-11-19T14:18:11","date_gmt":"2015-11-19T12:18:11","guid":{"rendered":"http:\/\/sseblog.ec-spride.de\/?p=2096"},"modified":"2017-06-25T17:30:27","modified_gmt":"2017-06-25T15:30:27","slug":"truecrypt-analysis","status":"publish","type":"post","link":"https:\/\/blogs.uni-paderborn.de\/sse\/2015\/11\/19\/truecrypt-analysis\/","title":{"rendered":"Releasing our in-depth Security Analysis of TrueCrypt"},"content":{"rendered":"<p>Over\u00a0the timeframe of about six months, together with other colleagues from Fraunhofer SIT, our group has\u00a0performed a comprehensive security analysis of the encryption software TrueCrypt. 
The\u00a0study was conducted for the German Federal Office for Information Security (BSI), which is releasing the report today <a href=\"https:\/\/www.bsi.bund.de\/DE\/Presse\/Pressemitteilungen\/Presse2015\/Sicherheitsanalyse_TrueCrypt_19112015.html\">on its website<\/a>. (<a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/EN\/BSI\/Publications\/Studies\/Truecrypt\/Truecrypt.html\">English version here<\/a>.)<\/p>\n<p>In June 2014, the open-source disk-encryption solution TrueCrypt was abandoned by its anonymous developers, who at the same time hinted at potential vulnerabilities to the many users of the solution. On behalf of the BSI, we\u00a0examined TrueCrypt for vulnerabilities, both conceptually and on the level of program code. As part of this task, we\u00a0also considered and reviewed the results of previous security assessments.<\/p>\n<h2>On previously reported vulnerabilities in the driver component<\/h2>\n<p>Our general conclusion is\u00a0that TrueCrypt is safer than previous examinations suggest. About a month ago, for instance, Google&#8217;s Project Zero discovered <a href=\"http:\/\/googleprojectzero.blogspot.de\/2015\/10\/windows-drivers-are-truely-tricky.html\">two previously unknown vulnerabilities in TrueCrypt<\/a>, one of them classified as critical. The error allows malicious code that already has access to the running computer system to acquire expanded system rights. The vulnerability should be fixed, as privilege escalation opens the door for other attacks. But similar problems could arise with any kernel-level driver. Importantly, the problem found does <em>not<\/em> give an attacker easier access to encrypted data. 
To exploit the vulnerability, the attacker would have to have far-reaching access to the system\u00a0anyway, for example, via a Trojan Horse or some other form of remote or direct access.<\/p>\n<p>It does not seem apparent to many people that\u00a0TrueCrypt is <em>inherently<\/em> not suitable to protect encrypted data against attackers who can repeatedly access the running system. This is because when\u00a0a TrueCrypt volume is mounted, its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations. Only\u00a0when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure. As a result,\u00a0TrueCrypt provides good protection mostly when storing encrypted data offline. Keeping a\u00a0backup stored offline\u00a0on a hard drive, for example, or keeping encrypted data on a\u00a0USB flash drive to be sent via a human carrier, can be considered relatively secure.<\/p>\n<h2>On buffer overflows reported by OCAP<\/h2>\n<p>The <a href=\"https:\/\/opencryptoaudit.org\/\">Open Crypto Audit Project<\/a>\u00a0(OCAP) has carefully examined TrueCrypt in the past. We have analyzed the report and also conducted a brief email exchange with the people behind OCAP. We closely examined a number of buffer overflows their study had revealed. Using static-analysis tools such as the <a href=\"http:\/\/klee.github.io\/\">KLEE<\/a>\u00a0virtual machine,\u00a0we were able to prove, though, that these buffer overflows cannot actually occur at runtime, and thus cannot possibly be exploited. 
It&#8217;s great to see that tools such as KLEE can\u00a0nowadays\u00a0cope with such practical problems &#8211; a manual analysis would have been too complicated\u00a0since many complex path conditions\u00a0needed to be considered.<\/p>\n<h2>Weak retrieval\u00a0of random numbers<\/h2>\n<p>If you look more closely at our report you will see\u00a0that we did find\u00a0some weaknesses in the way\u00a0TrueCrypt retrieves\u00a0the\u00a0random\u00a0numbers it uses for encryption. With a lack of randomness, an attacker can theoretically guess your encryption key more easily. This problem only occurs in <em>non-interactive mode<\/em>, though, or when using certain access-control policies on Windows. As a result, it is unlikely that this problem has actually affected users in the wild. The problem is that if volumes <em>were<\/em> created with a weak key, then afterwards there is no way to tell. To be on the safe side it would therefore be advisable to re-encrypt volumes with a version of TrueCrypt in which\u00a0this flaw has been fixed.<\/p>\n<h2>Conclusion<\/h2>\n<p>In conclusion, I would say that the TrueCrypt code base is probably alright for the most part. The flaws we found were minor, and similar flaws can also occur in any other implementation\u00a0of cryptographic functions. In that sense TrueCrypt seems neither better nor worse than its alternatives. Code quality could be improved, though, as there are some places that call for refactoring and certainly for better documentation. But generally the software does what it was designed for.<\/p>\n<p>Note that the original designers documented all along a threat model stating that TrueCrypt cannot actually properly protect data on a running system. This matches our findings. If such protection is desired, one cannot get around solutions that use smartcards or other hardware-based key storage so that the encryption key can be better kept secret. 
Such systems can\u00a0also be broken, but\u00a0they raise the bar significantly.<\/p>\n<p>We hope that folks find our report useful.\u00a0Thanks to everyone who supported our study, in particular to the BSI for funding it! We hope to be able to conduct further similar analyses in the future.<\/p>\n<h2>Update: First press coverage<\/h2>\n<p>Ars Technica:\u00a0<a id=\"MAA4AEgAUABgAWoCZGU\" class=\"usg-AFQjCNFZhAcSNu1i6M-15UaCj15BX7k4Ow sig2-zoVaCoOgheeGlYJCbah5-Q did-7c797b4c042d0f14 article _tracked\" href=\"http:\/\/news.google.com\/news\/url?sr=1&amp;sa=t&amp;ct2=de%2F0_0_s_0_0_t&amp;usg=AFQjCNFZhAcSNu1i6M-15UaCj15BX7k4Ow&amp;did=7c797b4c042d0f14&amp;sig2=zoVaCoOgheeGlYJCbah5-Q&amp;cid=52778995828200&amp;ei=BJRQVrDnAojz1AaKpRw&amp;rt=STORY&amp;vm=STANDARD&amp;url=http%3A%2F%2Farstechnica.com%2Fsecurity%2F2015%2F11%2Ftruecrypt-is-safer-than-previously-reported-detailed-analysis-concludes%2F\" target=\"_blank\"><span class=\"titletext\">TrueCrypt is safer than previously reported, detailed analysis concludes<br \/>\n<\/span><\/a>Threatpost:\u00a0<span class=\"titletext\"><a class=\"usg-AFQjCNFYZa9sUtYwW77QQX_H7UKR4ozmbQ sig2-dfkzUoXV8Rqo-lJi8A1E6g did-61961a5da38a7cbf article _tracked\" href=\"http:\/\/news.google.com\/news\/url?sr=1&amp;sa=t&amp;ct2=de%2F0_0_s_1_0_t&amp;usg=AFQjCNFYZa9sUtYwW77QQX_H7UKR4ozmbQ&amp;did=61961a5da38a7cbf&amp;sig2=dfkzUoXV8Rqo-lJi8A1E6g&amp;cid=52778995828200&amp;ei=BJRQVrDnAojz1AaKpRw&amp;rt=STORY&amp;vm=STANDARD&amp;url=https%3A%2F%2Fthreatpost.com%2Fgerman-government-audits-truecrypt%2F115441%2F\" target=\"_blank\">German Government Audits TrueCrypt<br \/>\n<\/a>Digital Trends:\u00a0<a href=\"http:\/\/www.digitaltrends.com\/computing\/truecrypt-security-fraunhofer-study\/\">Why TrueCrypt might not be so insecure after all<\/a><\/span><\/p>\n<p>ZDNet:\u00a0<a href=\"http:\/\/www.zdnet.de\/88252443\/fraunhofer-institut-truecrypt-ist-nur-in-sehr-seltenen-faellen-angreifbar\/\">Fraunhofer-Institut: TrueCrypt ist \u201enur in sehr seltenen 
F\u00e4llen angreifbar\u201c<br \/>\n<\/a>MacLife:\u00a0<a id=\"MAA4AEgAUABgAWoCZGU\" class=\"usg-AFQjCNGguEDw5y9E1esDacMnZlX9eOJZjg sig2-Js8ULAtwLnEcZscl7E9aTQ did-2d60dc17f966ef57 article\" href=\"http:\/\/www.maclife.de\/news\/truecrypt-verschluesselungssoftware-sicherer-erwartet-10072232.html\" target=\"_blank\"><span class=\"titletext\">Truecrypt-Verschl\u00fcsselungssoftware sicherer als erwartet<\/span><\/a><\/p>\n<p><strong>Update:\u00a0<\/strong><a href=\"https:\/\/www.cloudwards.net\/best-truecrypt-alternative-services\/\">Cloudwards has a nice article about TrueCrypt alternatives<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over\u00a0the timeframe of about six months, together with other colleagues from Fraunhofer SIT, our group has\u00a0performed a comprehensive security analysis of the encryption software TrueCrypt. The\u00a0study was conducted for the German Federal Office for Information Security (BSI), who is releasing &hellip; <a href=\"https:\/\/blogs.uni-paderborn.de\/sse\/2015\/11\/19\/truecrypt-analysis\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6542,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2096","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/2096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/users\/6542"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/comments?post=2096"}],"version-history":[{"count":1,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/2096\/revisions"}],"predecessor-version":[{"id":4299,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/2096\/revisions\/4299"}],"wp:attachment":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/media?parent=2096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/categories?post=2096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/tags?post=2096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}