Security Assessment of VeraCrypt: fixes and evolutions from TrueCrypt

Quarkslab made a security assessment of VeraCrypt 1.18. The audit was funded by OSTIF and was performed by two Quarkslab engineers between Aug. 16 and Sep. 14, 2016 for a total of 32 man-days of study. A critical vulnerability, related to cryptography, has been identified. It has been introduced in version 1.18, and will be fixed in version 1.19.

VeraCrypt is a disk encryption software developed by IDRIX. It is derived from the now defunct TrueCrypt project. This audit has been carried out at the request of the Open Source Technology Improvement Fund. Its goal was to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project. The full text of the report is made available on this blogpost [1].

A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed.

The rest of the study then aimed to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software. The innovations introduced by VeraCrypt include:

• the support of UEFI,
• the addition of non-western cryptographic algorithms (Camellia, Kuznyechik, GOST 28147-89, Streebog),
• a volume expander,
• a "Personal Iterations Multiplier" impacting the security of the derivation of the volume header encryption keys,
• the support of UNICODE on Windows, and the use of StrSafe functions instead of string.h,
• the gathering of entropy from mouse movements at each random number generation, to improve randomness, together with a better estimate of that randomness.

The audit followed two lines of work:

• The analysis of the fixes introduced in VeraCrypt after the results of the Open Crypto Audit Project's audit of TrueCrypt 7.1a were published.
• The assessment of VeraCrypt's features that were not present in TrueCrypt.

Fixes

• All the vulnerabilities that have been taken into account have been correctly fixed (except a minor missing fix for one of them). In particular, the problem leading to a privilege escalation discovered by James Forshaw in the TrueCrypt driver just after the OCAP audit has been solved.

• Vulnerabilities which require substantial modifications of the code or the architecture of the project have not been fixed. These include the AES implementation, which is still susceptible to cache-timing attacks, and the issues in TC_IOCTL_OPEN_TEST, which would require changing the application's behavior.

• Vulnerabilities whose fix would lead to incompatibility with TrueCrypt, such as the ones related to cryptographic mechanisms, have not been fixed. The most notable ones are:

• Keyfile mixing is not cryptographically sound: the way the keyfiles are mixed to derive secret data relies on non-cryptographic mechanisms. Several attacks are possible, as shown in a paper by the Ubuntu Privacy Remix team.
• Unauthenticated ciphertext in volume headers: the lack of a real MAC on the volume headers makes existential forgeries possible with approximately $$2^{32}$$ queries.

New Problems

Among the problems found during the audit, some must be corrected quickly:

• The availability of GOST 28147-89, a symmetric block cipher with a 64-bit block size, is an issue. This algorithm has been added in VeraCrypt 1.18. It is a 64-bit block cipher, contrary to the other block ciphers used in VeraCrypt. The XTS code has not been adapted for such ciphers, so VeraCrypt emulates a 128-bit block cipher by encrypting two 64-bit blocks in CBC mode with a zero IV, which in itself raises several issues. Furthermore, to reach the same level of security as its 128-bit counterpart, the amount of data to be processed should be no more than 512 bytes which is too small to be considered for a data at rest encryption system. GOST 28147-89 will be removed in version 1.19.
• Compression libraries are outdated or poorly written. They must be updated or replaced. VeraCrypt embeds old versions of zlib, and the latest version also contained a poorly written Zip library. Compression functions will be updated or rewritten in version 1.19. The major risk with these libraries, as shipped in version 1.18, is user-assisted code execution.
• If the system is encrypted, the boot password (in UEFI mode) or its length (in legacy mode) could be retrieved by an attacker.
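To make the GOST 28147-89 point concrete, here is an added illustration (not code from the report or from VeraCrypt) of why chaining two 64-bit blocks in CBC mode with a zero IV does not yield a sound 128-bit block cipher. It uses a toy HMAC-based Feistel cipher as a stand-in for GOST 28147-89 (not the real algorithm); the key and sample blocks are constructed.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, the GOST 28147-89 block size discussed above

# Toy 64-bit block cipher: 4-round Feistel network with an HMAC-SHA256 round
# function. It is only a placeholder for GOST 28147-89 (NOT the real cipher);
# any 64-bit permutation exhibits the structural issue shown below.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy64_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def toy64_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

def emulated128_encrypt(key: bytes, block16: bytes) -> bytes:
    """The 1.18 workaround described in the audit: a 128-bit XTS block is
    encrypted as two 64-bit blocks chained in CBC mode with a zero IV."""
    c1 = toy64_encrypt(key, xor(block16[:8], bytes(BLOCK)))
    c2 = toy64_encrypt(key, xor(block16[8:], c1))
    return c1 + c2

def emulated128_decrypt(key: bytes, block16: bytes) -> bytes:
    c1, c2 = block16[:8], block16[8:]
    return xor(toy64_decrypt(key, c1), bytes(BLOCK)) + xor(toy64_decrypt(key, c2), c1)

def first_half_leaks(key: bytes, p: bytes, q: bytes) -> bool:
    """True when two 128-bit plaintexts sharing their first 64 bits yield
    ciphertexts sharing their first 64 bits. A genuine 128-bit pseudorandom
    permutation does this with probability about 2**-64; the CBC emulation
    does it every time, because c1 depends only on the first half. XTS masks
    the block with its tweak before and after this call, which does not
    remove that dependency."""
    return emulated128_encrypt(key, p)[:8] == emulated128_encrypt(key, q)[:8]

if __name__ == "__main__":
    key = b"\x01" * 32                  # constructed sample key
    p = b"same-hdr" + b"recordA!"       # constructed blocks: same first half
    q = b"same-hdr" + b"recordB!"
    print("first halves equal:", first_half_leaks(key, p, q))  # True
    assert emulated128_decrypt(key, emulated128_encrypt(key, p)) == p
```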

Finally, the UEFI loader is not mature yet. However, its use has not been found to cause security problems from a strict cryptographic point of view.

Conclusion

VeraCrypt is a hard project to maintain. Deep knowledge of several operating systems, the Windows kernel and the system boot chain, as well as a solid grasp of cryptography, are required. The improvements made by IDRIX demonstrate that it possesses these skills.

The project is evolving in a good direction and clearly takes assessment conclusions into account. Its security is improving, which is good news for people who want to use disk encryption software.

VeraCrypt's main developer, Mounir Idrassi, was very positive throughout the audit, answering all questions, raising issues and discussing findings constructively.

We would like to thank him and, of course, Derek Zimmer from OSTIF for having made the study possible.