Security researchers have completed the Open Source Technology Improvement Fund-backed audit of encryption platform VeraCrypt and found eight critical, three medium, and 15 low-severity vulnerabilities. The team behind the popular tool addressed the audit's findings in VeraCrypt 1.19. This is how security audits should work.
OSTIF said VeraCrypt 1.19 is safe because most of the flaws have been addressed. Some vulnerabilities were not addressed in this version, due to the "high complexity for the proposed fixes," but workarounds for those exist.
"As long as you are following the documentation for known issues and using it as advised, I believe [VeraCrypt 1.19] is one of the best FDE [full-disk encryption] systems out there," said Derek Zimmer, OSTIF CEO and president, in an Ask-Me-Anything Q&A on Reddit. Zimmer is also a partner with virtual private network service provider VikingVPN.
OSTIF hired Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau to check the VeraCrypt codebase, focusing on version 1.18, and the DCS EFI Bootloader. The audit focused on new security features that were introduced into VeraCrypt after the April 2015 security audit of TrueCrypt. VeraCrypt is the fork of that now-abandoned encryption tool, and is backwards-compatible.
Four problems in the bootloader -- keystrokes not being erased after authentication, sensitive data not correctly erased, memory corruption, and null/bad pointer references -- were found in the audit and fixed in version 1.19.
A low-severity boot password flaw, where the password length could be determined, was also addressed. While the information leak itself is not critical, as the system needs to be booted and privileged access is required to read BIOS memory, the vulnerability needed to be fixed because an attacker who knows the length of the password needs less time for a brute-force attack, the audit said.
VeraCrypt relied on compression functions to decompress the bootloader when the hard drive is encrypted, to create and check the recovery disks if the system is encrypted and uses UEFI, and during installation. The audit found that all the compression functions had issues.
VeraCrypt was using XZip and XUnzip, which had known vulnerabilities and were out-of-date. "We strongly recommend to either rewrite this library and use an up-to-date version of zlib, or preferably, use another component to handle Zip files," the auditors said. VeraCrypt 1.19 replaced the vulnerable libraries with libzip, a modern and more secure zip library.
UEFI is one of the most important -- and newest -- features added to VeraCrypt, so the auditors paid extra attention to this part of the code. All code specific to UEFI is in the VeraCrypt-DCS repository, and was "considered much less mature than the rest of the project" by VeraCrypt's lead developer, the researchers wrote in the audit report. "Some parts are incomplete, or not incomplete at all."
In the audit summary OSTIF wrote that "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software."
As a result of the audit, VeraCrypt dumped the GOST 28147-89 symmetric block cipher, originally added in VeraCrypt 1.17, due to errors in how it was implemented. GOST 28147-89 encryption was a Soviet-developed alternative to DES designed to strengthen the algorithm. All compression libraries were considered outdated or poorly written, the audit found. The implementation "fell short," Zimmer said in the Reddit AMA.
In version 1.19, users can decrypt existing volumes that used the cipher but cannot create new instances.
Users who used the GOST cipher that was removed as part of the audit should re-encrypt old partitions using the latest version. Users should also re-encrypt on all full-disk encryption systems since a number of issues with the bootloader have been fixed. Anyone who used pre-1.18 versions should re-encrypt partitions because of the bug related to the discovery of hidden partitions.
VeraCrypt is a fork of TrueCrypt, which developers abruptly shut down in May 2014, hinting at unspecified security issues. There were concerns that the platform had a backdoor or some other flaw compromising the tool. The audit was necessary to assess the overall security of the platform.
OSTIF said TrueCrypt 7.1a should no longer be considered safe because it is no longer under active maintenance and it is affected by the bootloader issues uncovered in the audit. However, the audit report also suggested that the weaknesses in TrueCrypt 7.1a do not affect the security of containers and non-system drives.
It is easy to dismiss VeraCrypt as being unsafe because of the issues uncovered, but that ignores the entire value of having an audit. If the audit had uncovered issues and the team had refused to fix the issues, or were unresponsive to requests from the auditors, then that would give cause for concern. In this case, Quarkslab completed the audit in a month, and the maintainers fixed a significant number of the issues and documented in detail how to handle the other issues that hadn't been addressed. Yes, the auditors found some questionable decisions and mistakes that shouldn't have been made in the first place, but there were no problematic backdoors or any vulnerabilities that compromise the integrity of the full-disk encryption tool.
The nature of open source development means the source code is available for anyone to examine. But, as has been repeatedly shown over the last few years, very few developers are actively looking for security flaws. This is why, despite the "many eyeballs" approach, Heartbleed and Shellshock and other critical vulnerabilities lingered in OpenSSL for years before being discovered.
With an audit, professionals scrutinize every line of the open source software's source code to verify the integrity of the code, uncover security flaws and backdoors, and work with the project to fix as many problems as possible. The audit is typically expensive -- private search engine DuckDuckGo and virtual private network service VikingVPN were the primary donors to OSTIF for this audit -- which is why audits aren't more common. However, as many commercial products and other open source projects rely heavily on a handful of open source projects, audits are becoming increasingly important.
With the VeraCrypt audit complete, the OSTIF is looking ahead to audits of OpenVPN 2.4. GnuPG, Off-the-Record, and OpenSSL are also on the roadmap. The Linux Foundation's Core Infrastructure Initiative had stated plans for a public audit of OpenSSL with NCC Group, but the status of that project is currently unclear.
"I wish we could just hit every project that everyone likes, and my list would be enormous, but we have finite resources to work with and securing funding is the vast majority of our work right now," Zimmer wrote, noting that OSTIF is focusing on one "promising" project in each area of cryptography.