A successful exploit may rely on the attacker's ability to execute native code on the victim's machine."īoth of these flaws (and the other two, less risky issues) are issues that could be corrected or substantially mitigated, and neither represented a fundamental threat to the core operation of the program. "An attacker may be able to extract AES keys used to protect encrypted volumes. The implementation of AES in Truecrypt, and its reliance on look-up tables, also place it at risk of so-called cache timing attacks. But if the user is working on a system with certain Group Policy Restrictions in place, the command can fail and fall back to insecure sources of random number generation. Truecrypt unusually uses this process to generate random numbers. One of the four detected flaws, and arguably the most serious, was coupled to a silent failure of the CryptAcquireContext function. The cascade constructions and AES in XTS Mode.Key Derivation (derive_key_* from EncryptionThreadProc).EncryptDataUnits & DecryptDataUnits and resulting function calls.
The team didn't exhaustively test every single feature of the program, but focused on its core encryption/decryption capabilities, including:
#Review veracrypt full#
The full report is available for download (Opens in a new window). Truecrypt isn't perfect, but the team found no evidence of a critical flaw that would have compromised the security of the encrypted volumes. Now that it's over, did the audit team find anything to explain why Truecrypt's authors bolted? At the time, a publicized security audit of the software had just begun. The popular software suite was deemed influential and important enough to be worth auditing - which is why it was so surprising last year when its creators closed up shop and essentially shut down the product, claiming that critical flaws in Truecrypt 7.1a might remain and be exploited. For years, if you wanted a cross-platform disk encryption suite that didn't rely on Microsoft or Apple, you went with Truecrypt.
0 kommentar(er)
