Online security basics: encryption (p.3)

in #encryption, 6 years ago

Veracrypt

It has been four years since TrueCrypt, the legendary data encryption software, stopped being supported by its own developers. But TrueCrypt is an open source program, and anyone can start developing their own product based on it. That is what the Frenchman Mounir Idrassi did, presenting the VeraCrypt project to the world in the summer of 2013. The main idea was to create a more secure solution than TrueCrypt. For example, TrueCrypt used a rather mediocre key generation scheme which, according to experts, cannot provide a high level of protection against the computing power available to intelligence agencies.

VeraCrypt offered a noticeably more robust defense against brute force, which we will describe in more detail when we compare the programs. While TrueCrypt was still alive, forks were not popular. Everything changed in the spring of 2014, when the TrueCrypt developers announced that they were no longer supporting the project. VeraCrypt then began to be discussed as a reliable alternative to TrueCrypt (although there were other forks, such as GostCrypt and CipherShed). Some TrueCrypt users immediately switched to VeraCrypt, and some remained loyal to TrueCrypt.

Many liked VeraCrypt, but there were also a lot of critics. A theory circulated widely online that VeraCrypt is an intelligence-agency project with backdoors. Many people regard forks with a great deal of skepticism, and the TrueCrypt developers share that opinion, considering forks dangerous. At the core of their fears is the belief that third-party developers cannot fully understand their code, and, as you will see below, these fears were not groundless.

VeraCrypt vs TrueCrypt

Let's compare TrueCrypt and VeraCrypt. These programs are very similar in functionality and design, which is not surprising for a fork and its original, so we will compare performance and security.

Cryptocontainer mount speed

The first drawback that TrueCrypt users notice when they first try VeraCrypt is the time it takes to mount a cryptocontainer. When you enter the correct password in TrueCrypt, the wait for access to the encrypted data on a modern computer is a tenth of a second. With VeraCrypt, the wait is much longer.

Resistance to brute force

Brute force, in simple terms, is an attempt to find a password (key) by iterating through all possible options. Modern supercomputers, available to intelligence agencies, are able to go through the options very quickly. Due to a more advanced method of generating keys, VeraCrypt is 10 to 300 times more resistant to direct brute-force attacks. For many, this is the most important advantage of VeraCrypt.
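The mount delay and the brute-force resistance described in the two sections above come from the same mechanism: how many hashing rounds turn a password into a key. The following is an added example, not code from TrueCrypt, VeraCrypt or this article, that measures the cost of one password guess and projects it onto a whole password space. The iteration counts are assumptions based on the projects' published PBKDF2-HMAC-SHA512 settings, so the ratio it prints need not match the 10 to 300 figure quoted above; the sample password, salt, entropy and attacker size are constructed.

```python
import hashlib
import os
import time

# Assumed iteration counts (PBKDF2-HMAC-SHA512, non-system volumes);
# the article itself gives no figures.
TRUECRYPT_ITERATIONS = 1_000
VERACRYPT_ITERATIONS = 500_000
KEY_BYTES = 64  # two 256-bit keys, as AES in XTS mode needs


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into key material for decrypting a volume header."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=KEY_BYTES)


def seconds_per_guess(iterations: int, salt: bytes) -> float:
    """Time one derivation: mount delay for the owner, per-guess cost for an attacker."""
    start = time.perf_counter()
    derive_header_key(b"constructed-sample-passphrase", salt, iterations)
    return time.perf_counter() - start


def work_factor(old_iterations: int, new_iterations: int) -> float:
    """How many times more hashing each password guess costs."""
    return new_iterations / old_iterations


def years_to_exhaust(entropy_bits: float, per_guess_s: float, parallel_guessers: int) -> float:
    """Worst-case time to try every password in a space of 2**entropy_bits."""
    total_seconds = (2 ** entropy_bits) * per_guess_s / parallel_guessers
    return total_seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(64)  # constructed salt; real volumes store theirs in the header
    for name, n in (("TrueCrypt", TRUECRYPT_ITERATIONS), ("VeraCrypt", VERACRYPT_ITERATIONS)):
        t = seconds_per_guess(n, salt)
        # 40 bits of entropy and 10,000 parallel guessers are illustrative numbers.
        print(f"{name}: {n} iterations, {t:.4f} s per guess, "
              f"{years_to_exhaust(40, t, 10_000):.2f} years for a 40-bit password")
    print(f"work factor: x{work_factor(TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS):.0f}")
```

The owner pays the per-guess cost once per mount, while an attacker pays it for every candidate password, which is why a longer mount time buys a proportionally longer search.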

Developer Support

TrueCrypt is no longer supported by its developers: the solutions it uses become more obsolete every day, and potential vulnerabilities are not fixed. This is a plus for VeraCrypt, which is actively supported and developed.

Vulnerabilities

It would seem that developer support should have given VeraCrypt an advantage, but in fact the opposite is true. In the chapter devoted to TrueCrypt, we talked about the audit of the program, which did not reveal critical vulnerabilities. VeraCrypt was also subjected to such an audit. The audit revealed 36 vulnerabilities, 8 of which received critical status, 3 moderate, and 15 minor. 8 critical vulnerabilities in such an application can only be described as a disaster. Currently, most of the detected vulnerabilities have been successfully fixed, but some of them require significant rework of the architecture and are still present in VeraCrypt.

Developer Team Level

As mentioned earlier, the VeraCrypt audit detected 8 critical vulnerabilities, and none was detected during the TrueCrypt audit. This raises concerns about the level of the VeraCrypt development team. We have no doubt that the TrueCrypt software was developed by more competent specialists.

Suppose that the 8 critical vulnerabilities discovered in VeraCrypt during the audit are closed. Where is the guarantee that the development team will not introduce just as many new critical vulnerabilities?

In our standoff, TrueCrypt won. But not everything is so simple. You yourself have to weigh everything and make a decision. On the one hand, TrueCrypt uses obsolete technologies that are inferior in cryptographic resistance to VeraCrypt technologies. In addition, TrueCrypt is no longer supported by developers. On the other hand, VeraCrypt is constantly updated and supports technologies that are more resistant to attacks, but the discovered vulnerabilities and questions about the level of the development team give a reason to think seriously.

There is no consensus in our editorial team, but there is a single solution: the parallel use of the two tools. Simply put, you create one cryptocontainer, for example with TrueCrypt, create a second cryptocontainer inside it with VeraCrypt, and only then place your files in the inner one. This bundle is many times more reliable than each of the programs separately.

VHCEx technical team will keep you updated on the latest developments in the world of encryption.

Thank you,
your VHCEx team!


wish vhcex made more articles like these. really intimidating to read something about life, not only about crypto
thumbs up

true! fed up with shitty technical analysis, at least now it's something to learn from

Maybe you could provide the holistic guide for brute force hacking? :) would be really useful

haha, pm me, mate

Brute forces are relatively easy to work out

just as they are to protect from