Security Evaluation of VeraCrypt Authors and Acknowledgments This study was executed by the Fraunhofer Institute for Secure Information Technology (SIT) on behalf of the Federal Office for Information Security (BSI). This publication was authored by (in alphabetic order): Hülya Evkan Norman Lahr Ruben Niederhagen Richard Petri Andreas Poller (project lead) Philipp Roskosch Michael Tröger The authors would like to thank Johannes Mittmann, Steven Arzt, Peter Weiland and Mounir Idrassi for their valuable support and advice. Project contact at Fraunhofer SIT Fraunhofer Institute for Secure Information Technology Andreas Poller Rheinstrasse 75, D-64295 Darmstadt, Germany E-Mail: [email protected] Phone: +49 6151 869-170 Internet: https://www.sit.fraunhofer.de Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn Phone: +49 22899 9582-0 E-Mail: [email protected] Internet: https://www.bsi.bund.de © Federal Office for Information Security 2020 Executive Summary Executive Summary VeraCrypt is a popular open-source tool for disk encryption available for Windows, Linux and macOS. VeraCrypt is a successor of TrueCrypt, an encryption software whose development stopped in 2014 and which is no longer maintained by its developers. VeraCrypt adopted most of TrueCrypt’s source code and to this day shows considerable similarities to TrueCrypt. This report summarizes the results of a year-long project of Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany on behalf of the Federal Office for Information Security (BSI), Bonn, Germany. After starting off with an extensive research into the project evolution and related work, we executed a security analysis of VeraCrypt with a focus on its cryptographic mechanisms and the security of the application as a whole. During the research process we followed a security model that includes pertinent usage scenarios including the use of VeraCrypt for secure online sharing of data and the use on public systems and servers. Our research efforts included both automated and manual testing techniques, manual code and documentation review, as well as the creation and use of dedicated test tools. We found that although VeraCrypt is a well-acknowledged software project, it appears that the project is still mostly driven by a single developer rather than a development team. The data we collected for VeraCrypt’s development history indicate that the project did not follow an elaborated software- development cycle with acknowledged best practices for software engineering, for instance, quality gates, peer reviews, and documentation of code changes. The code base still mainly consists of code from the TrueCrypt project that has been repeatedly criticized for its poor coding style as the case of differing implementations of the random number generator for different operating systems still tellingly shows. The inherited code base has not been cleaned up, moreover, the development still follows questionable coding practices. The basic functionality such as the parsing of container files and the interface to the kernel driver did not show security issues in any of our tests. We also did not find vulnerabilities in the cryptographic algorithms of VeraCrypt. However, VeraCrypt still uses the outdated and deprecated RIPEMD-160 hash algorithm and we found peculiarities with respect to the implementation of the random number generators and the GOST block encryption cipher. The recently integrated memory encryption has a weak rationale from a security perspective and increases the cost of related attacks by a relevant margin in very limited scenarios only. We recommend the VeraCrypt project to switch to well-acknowledged and reliable open-source libraries for the implementation of cryptographic functions instead of proceeding to provide and use own outdated cryptographic code in the VeraCrypt code base. We also recommend to switch to a state-of-the-art key derivation function. As a final remark, we want to stress that VeraCrypt can only protect data effectively in case of theft or loss of encrypted devices but not against any form of online attacks on a running system. Also, VeraCrypt cannot provide any protection in scenarios where an attacker can visit a target system multiple times. In conclusion, we did not find substantial security issues in VeraCrypt. VeraCrypt in its current version does seem to protect the confidentiality of data in an encrypted volume as long as the volume is not mounted. Authenticity and integrity, however, are not protected. A mounted VeraCrypt volume is exposed to a multitude of attack vectors including vulnerabilities of the host system. Hence, any volume-access scenario exceeds the protection envelope of VeraCrypt. The development practices and the resulting code quality of VeraCrypt are a cause for concern. Therefore, we cannot recommend VeraCrypt for sensitive data and persons or applications with high security requirements. We recommend to execute similar security assessments also for future versions of the software. Federal Office for Information Security 3 Contents Contents 1 Introduction ....................................................................................................................................................................................... 8 1.1 Overview of VeraCrypt ....................................................................................................................................................... 8 1.2 Project Scope and Methodology ..................................................................................................................................... 9 1.3 Report Structure .................................................................................................................................................................. 10 1.4 Project Results ...................................................................................................................................................................... 10 2 Evolution from TrueCrypt to VeraCrypt ............................................................................................................................. 11 2.1 Identifying the Source Code Bases to Compare ..................................................................................................... 11 2.2 General Overview of the Development History ..................................................................................................... 12 2.3 Full Source Code Comparison (“Full Diff”) ............................................................................................................... 15 2.3.1 Approach............................................................................................................................................................................ 16 2.3.2 Detecting Linux and macOS Source Files ............................................................................................................ 16 2.3.3 Changed Parts .................................................................................................................................................................. 17 2.4 Categorization of Source Code Commits .................................................................................................................. 19 2.4.1 Tags ...................................................................................................................................................................................... 20 2.4.2 Results and Use for the Further Analysis ............................................................................................................. 20 2.5 Changes in Cryptographic Functions ......................................................................................................................... 21 2.5.1 Cryptographic Primitives ........................................................................................................................................... 21 2.5.2 Random Number Generation ................................................................................................................................... 23 2.5.3 Key Derivation ................................................................................................................................................................. 23 2.5.4 Hidden Volumes ............................................................................................................................................................. 24 2.6 Changes Related to Application Security .................................................................................................................. 24 3 Security Model ................................................................................................................................................................................ 28 3.1 Application Use Cases ........................................................................................................................................................ 28 3.1.1 Personal Computers ...................................................................................................................................................... 28 3.1.2 External Data Storage Devices for Personal Use ............................................................................................... 30 3.1.3 Sharing of Encrypted Data ........................................................................................................................................