Update To say the VeraCrypt audit, which begins today, got off to an inauspicious start would be an understatement.
On Sunday, two weeks after the announcement that the open source file and disk encryption software would be formally scrutinized for security vulnerabilities, executives at one of the firms funding the audit posted a notice that four emails between the parties involved had been intercepted.
“We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our ‘sent’ folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared,” the post to the Open Source Technology Improvement Fund (OSTIF) website read. “This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.”
Today, Fred Raynal, CEO and founder of Quarkslab, the company hired to audit VeraCrypt, told Threatpost that wasn’t the case.
“I think this news announcement was a mistake. I lost a message I sent to Mounir (Mounir Idrassi, VeraCrypt’s lead developer) and Derek (Derek Zimmer, OSTIF CEO and president). They experienced similar issues, three times before that,” Raynal said. “Then Derek issued that statement but he should really not have done that. On my end, I am pretty sure it is a local problem on my computer between Mail.app and GPGMail.”
VeraCrypt has been posited as an option for users looking for free file and disk encryption since the developers behind TrueCrypt closed up shop in 2014. VeraCrypt is a TrueCrypt fork (this happened in 2013), and since TrueCrypt went away, many of the vulnerabilities uncovered in its much-publicized audit and in the time since have been fixed in VeraCrypt, Idrassi said. Idrassi also told Threatpost that he accelerated plans to launch EFI system encryption this week so that it could be audited as well.
“Of course, I welcome this audit. I think this is an important milestone for the project and its credibility,” Idrassi said. “There were many calls in the past two years to organize such audit in order for users to have assurances about the changes introduced in VeraCrypt and I always answered that I will not be able to organize this without external help. So the fact that OSTIF was able to organize this is a positive step.”
Raynal said that all new code introduced since the demise of TrueCrypt will be audited, along with a focus on EFI and disk encryption, and any newly implemented algorithms.
“This is by far the most important and critical feature compared to TrueCrypt,” Idrassi said of EFI encryption. “TrueCrypt only supported MBR system encryption, and with the advent of EFI, most users were unable to encrypt their machines using TrueCrypt or VeraCrypt. With the introduction of EFI support in VeraCrypt 1.18, system encryption will again be available to most users.”
Some of other new features implemented in VeraCrypt since TrueCrypt, Idrassi said, include support for SHA-256 for Master Boot Record encryption, a mechanism that detects most evil-maid attacks in the MBR, additional compatibility for TrueCrypt volumes that allow for an easier transition to VeraCrypt, and a new feature called PIM, or Personal Iterations Multiplier, which enables the user to choose different security levels for volumes.
“Many things changed in VeraCrypt since the official end of TrueCrypt,” Idrassi said. “Many security vulnerabilities were discovered in TrueCrypt and subsequently fixed in VeraCrypt. Also, several parts of TrueCrypt code were rewritten for robustness and to avoid security issues.”
OSTIF said in its Aug. 1 announcement that Quarkslab is expected to wrap up in 30 days, by mid-September, and deliver its results to Idrassi; OSTIF said it will not have access to the results ahead of the public, and that it will publish the results once any vulnerabilities have been remediated. OSTIF said DuckDuckGo and VikingVPN also donated funds to the audit.
Raynal said Quarkslab will use a French scheme in the assessment called CSPN, which was developed by France’s national security body ANSSI. He said that the level of funding provided allowed for this type of assessment, which he said generally takes between 30 and 35 days to complete.
OSTIF did not respond to numerous requests for comment.
OSTIF’s Zimmer said the fact that TrueCrypt has been audited allows for a narrower scope with the VeraCrypt audit, and the opportunity for financial savings.
“This allows us to instruct QuarksLab to focus their audit on code that was added or changed after TrueCrypt 7.1a and any residual impact that those changes have on existing code,” Zimmer said. “The narrower scope of the audit allowed us to operate on a shorter timetable and therefore budget.”
Zimmer said that in addition to VeraCrypt, OSTIF hoping to examine other open source packages, including OpenVPN, OpenSSL, GnuPG, and Off-The-Record (aka OTR) .
“The 30-day window (with the VeraCode audit) is due to budget constraints, and the narrowing of our focus to new and changed code,” Zimmer said. “When we move forward with other open-source projects, larger budgets will be required as some of these applications have never been audited before and there’s a lot of legacy code laying around to be looked at.”
Quarklabs’ Raynal said the threat model guiding the audit is primarily a stolen or lost laptop and whether an attacker could access the encrypted hard drive or volume. Raynal said the VeraCrypt driver will also be audited for vulnerabilities.
“Since many fixes were already done in VeraCrypt, I don’t expect any new major findings, except maybe on the new EFI bootloader that didn’t exist in TrueCrypt and for which I will publish the source code today,” Idrassi said. “But knowing the expertise of Quarkslab, it is possible that will come up with novel attack or vulnerability ideas.”
This article was updated Aug. 17 with comments from OSTIF.
