TrueCrypt Travails Continue: Page 2
Two serious bugs later, almost no one thinks it is a good idea to use TrueCrypt. But what are your options?
He has also added a number of features, including:
- Making the encryption stronger by supporting SHA-256 instead of the aging RIPEMD-160 used by TrueCrypt
- Adding TrueCrypt compatibility through support of mounting and converting TrueCrypt volumes
- Adding a tool to resize VeraCrypt volumes
- Introducing a new feature called PIM (Personal Iterations Multiplier), which lets the user choose the security level for a volume: a dynamic level rather than the static one inherited from TrueCrypt. It also lets the user raise the number of iterations as the computing power available to attackers increases.
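
To make the PIM bullet concrete, the following added example (not code from the article or from VeraCrypt) shows how a PIM value scales the PBKDF2 work for each password guess, and why mounting with the wrong PIM produces a different key. The PIM-to-iteration mapping comes from VeraCrypt's documentation rather than from this article; the function names, passphrase, salt and 64-byte output length are assumptions chosen for illustration.

```python
import hashlib
import os
import time


def pim_to_iterations(pim: int, system_boot: bool = False) -> int:
    """Map a PIM to a PBKDF2 iteration count (mapping per VeraCrypt docs, see lead-in)."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    # System (boot) encryption with SHA-256: PIM * 2048
    # Non-system volumes and file containers: 15000 + PIM * 1000
    return pim * 2048 if system_boot else 15000 + pim * 1000


def derive_header_key(password: bytes, salt: bytes, pim: int,
                      system_boot: bool = False) -> bytes:
    """Derive illustrative header key material with PBKDF2-HMAC-SHA256."""
    iterations = pim_to_iterations(pim, system_boot)
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=64)


def seconds_per_guess(password: bytes, salt: bytes, pim: int) -> float:
    """Time one derivation: the cost an attacker pays for every candidate password."""
    start = time.perf_counter()
    derive_header_key(password, salt, pim)
    return time.perf_counter() - start


if __name__ == "__main__":
    password = b"constructed example passphrase"  # constructed sample input
    salt = os.urandom(64)                         # constructed random salt
    for pim in (1, 100, 485):
        cost = seconds_per_guess(password, salt, pim)
        print(f"PIM {pim:>3}: {pim_to_iterations(pim):>7} iterations, "
              f"{cost:.3f}s per guess")
    # A wrong PIM yields different key material, so the volume will not mount.
    print(derive_header_key(password, salt, 485) ==
          derive_header_key(password, salt, 484))  # False
```

Because the derived key depends on the iteration count, the PIM has to be supplied again at every mount along with the password.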
VeraCrypt is available under a dual Apache 2.0/TrueCrypt license, and it runs under Windows (XP up to 10), Linux and OS X (Snow Leopard to El Capitan).
But Idrassi warned eSecurityPlanet that Windows 10 support is not complete. "There are still some compatibility issues on Windows 10 linked to the use of network drives," he said. "Also there are stability issues with some large disks (greater than three terabytes) with large sector size, and this must also be addressed."
VeraCrypt is still very much under development, Idrassi added. One feature he hopes to add is UEFI support - if he can get help. "A way must be found to attract skilled developers in this field to contribute," he said. "One idea is to ask for funding to pay for such development because people with such knowledge prefer to sell such code instead of giving it for free."
Idrassi also plans to add SHA-3 support to the product, and is considering requests for non-Western ciphers and algorithms like Japanese Camellia and Russian GOST standards (Streebog for hash, GOST 28147-89 and the future GOST-Kuznyechik for encryption).
The development of CipherShed is progressing slowly. As of now there is nothing ready to be put into production use, according to Jos Doekbrijder, the initiator of the project.
"Do not forget we are an open source community project, and as such are depending on the effort of people in the community and their free time," he said. "There is one lead developer with about four to six active people in the community who test, code, review and help in other ways."
Despite the flaws that have been revealed in TrueCrypt like the two Project Zero bugs - which were fixed in CipherShed within hours - Doekbrijder is still impressed with what was achieved before it was abandoned. "It is a brilliant piece of code, especially if you take all things in consideration. There is code in TrueCrypt dating back to the early nineties!"
You can download the current version of CipherShed from the project's website, but this is a pre-alpha release which should only be used for testing.
Doekbrijder has a roadmap for how the code will be developed, and says ultimately it will be faster than TrueCrypt and use other, newer encryption algorithms. But despite this it will be able to open existing TrueCrypt containers. "This is a MUST requirement," he said.
He also plans to introduce a new GUI and some features and to remove existing features that are either not used or considered insecure. However the project community has not yet decided on which features to add and remove, he said.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.
August 20, 2015