Recent Two Vulnerabilities Explanation in TrueCrypt & pre-1.15 Version VeraCrypt

Oct 4, 2015 at 2:40 AM
Edited Oct 4, 2015 at 3:11 AM
To prevent misinformation, below is an article explaining the two recent vulnerabilities reported by James Forshaw (Google Project Zero) in TrueCrypt and pre-1.15 versions of VeraCrypt.

Mounir provided his explanations in the article for CVE-2015-7358 (critical) and CVE-2015-7359.

Kind Regards.
Oct 4, 2015 at 6:47 AM
And now the TC audit can just fly in the junk bin....
I still remember the times when I knew where each and every file of my PC is and what it does precisely..... times are different now, can never be sure that a software does what it is supposed to do.....
Back on the topic, this is a big issue.... I hope there will be a solution soon.... and I think (not that I want to) that we, the users, have to support Mounir monetarily for his work on VC....
Oct 4, 2015 at 7:09 PM
Edited Oct 4, 2015 at 7:12 PM
Hello Alex,

I still consider the TC audit valuable as the two audits exposed shortcomings of the product that were not previously exposed until the audit. The audit had limited funding that shortened the length of engagement to perform the audits of TC, which supports three OS platforms and has over 1 million lines of code.

I encourage everyone to donate any amount of money they can afford to the VeraCrypt project to keep the project viable. Just think of how much money you would have to spend per year using commercial software.

You can find the donation methods on the home page.

Kind Regards.
Oct 4, 2015 at 7:33 PM
Edited Oct 4, 2015 at 9:17 PM
Hi Enigma2Illusion :)
100% valid argument about the complicated code.... when new software runs 1 million lines of code it is indeed very difficult to audit it or be confident in its implementation.... and in cryptography, this is deadly.... as you don't see the results immediately... if it is my printer driver, it either prints or not..... so I know if it's working fine..... crypto stuff..... doesn't work that way....
But an audit that misses such a vulnerability, with all due respect, is worth nothing.... IMHO
Oct 8, 2015 at 5:30 PM
Edited Oct 8, 2015 at 5:35 PM
The TrueCrypt audit only looked at aspects of the cryptography. It wasn't a full audit of all the code. A few quite minor issues were found which have been addressed in VeraCrypt. Hence, the cryptographic code in VeraCrypt may be expected to satisfy the original auditors. Each of the points the auditors made seems to have been addressed in VeraCrypt, looking at the source code.

The recent vulnerability found by James Forshaw has nothing to do with the cryptography. This has now been addressed in v1.16.
Oct 11, 2015 at 1:05 PM
I don't think the security audit has only looked at aspects of the cryptography. If an audit is to look only at the crypto side, then it should take the plaintext, the password and the cyphertext and only check to see if the transformation from plain to cypher is ok. In fact, if that was the case, there should be a simple test vector analysis to see from the plaintext, password and salt that the right cyphertext is produced..... The audit however should have confirmed that all the processes are running correctly, there is no leak of information to temporary location for instance, and of course, if the driver functions ok.....

Unfortunately, the company who did the audit missed important flaws.... For me, their reputation is ruined.....