This project has moved and is read-only. For the latest updates, please go here.

VeraCrypt Self Test Option

Topics: Feature Requests
Nov 29, 2014 at 12:58 PM
Some time ago there were rumours and still are, that Intel processors or spy-ware could interfere with the output from CSPRNG on encryption products.

I have provided some links, even though some of these relate to Public Key Cryptography I still believe it is something VeraCrypt should be aware of.


http://www.forbes.com/sites/steveblank/2013/07/15/your-computer-may-already-be-hacked-nsa-inside/

http://www.theregister.co.uk/2013/09/23/rsa_crypto_warning/

https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

https://en.wikipedia.org/wiki/Dual_EC_DRBG

https://en.wikipedia.org/wiki/Random_number_generator_attack

https://en.wikipedia.org/wiki/RSA_BSAFE

http://www.wired.com/2013/09/nsa-backdoor/all/

https://crypto.stackexchange.com/questions/10189/who-uses-dual-ec-drbg


As we can see, attackers do not attempt to break encryption directly, they make progress by weakening the output of software CSPRNG or that produced by hardware.

I wonder if it would be possible for VeraCypt to have a feature where the user could occasionally press a "Self Test" button and VeraCrypt would output a large CSPRNG file and then test that file for randomness ?

I am not entirely sure how the randomness would be tested. I know of simple tools like DieHard but I am sure something more powerful may be required.

I also wonder during this "Self Test" if VeraCrypt could perform other tests, such as hashing of it's own files and comparing them to known good hashes etc.

As VeraCrypt provides excellent strong encryption, we must always be aware an attacker is unlikely to try to target VeraCrypt head on.

Thanks.
Nov 29, 2014 at 4:50 PM
During the startup of VeraCrypt device driver, a selftest is already performed that checks the correctness of the internal algorithms (Hash and encryption). If the test fails, VeraCrypt device driver don't load and no operation can be performed.

Testing also the quality of the CSPRNG is also a good idea and this is something that is not done. As you pointed it out, the difficult thing is to find a reliable test that also would not spur false positives. DieHard test suite is a good start. There is also the NIST Statistical Test Suite that is popular in the industry.

Depending on the performance of these test, the best thing is to be able to test the output of the CSPRNG when ever it's used in VeraCrypt. Not sure if this is reliable but definitely adding a Random self-test to the already existing self-test dialog is a good feature.
Nov 29, 2014 at 5:24 PM
Thank you Mounir for taking an interest in my request :)

I will add it to the progress thread so you can edit all in one place.

https://veracrypt.codeplex.com/discussions/572862

If you get time, would you please take a look at my other request and also edit it (reject / accept) it on the progress thread ?

https://veracrypt.codeplex.com/discussions/573100

Thank you.
Jan 7, 2015 at 12:06 AM
There is no way to verify randomness. You can verify uniform distribution of a set of values by using various statistical methods (like DieHard) , but you can not determine if they are random.
For example, if an adversary injects a known (to him) sequence of numbers as an input to a cryptographic hash function, and presents the output of that hash function to you as random numbers, those numbers would appear "random" to any statistical analysis test, but the whole crypto operation based on those numbers would be breakable by the said adversary.
Also, see http://dilbert.com/strips/comic/2001-10-25/
Jan 8, 2015 at 12:00 PM
Indeed, one can't prove that it is random but the self-test can uncover basic statistic flaws in the random generator. All security certified systems (like EAL4+ smart card) implement a random self-test were various statistical tests are executed prior to using the embedded random generator. This is even mandatory in order to get the certification.

The idea is to implement a similar approach in VeraCrypt although our random generator doesn't rely only on internally generated entropy as the user's mouse movements are used everytime we need random data for sensitive operations.
Jan 8, 2015 at 8:40 PM
Edited Jan 8, 2015 at 8:41 PM
Certainly one could use statistical tests to check basic flaws in the PRNG. This may uncover some unintended coding errors or algorithmic flaws.
However, the original poster was concerned about an adversary attacking/subverting the CPRNG, and this subversion is normally done by knowing a priori the values fed into the generator. The generator whitening process will produce subverted values that the statistical tests will not be able to ascertain.