In December 2020 the results of a security evaluation of VeraCrypt were published. The evaluation was executed by the Fraunhofer Institute for Secure Information Technology (SIT) on behalf of the Federal Office for Information Security (BSI). The full report can be found here.

The executive summary of the study follows:

VeraCrypt is a popular open-source tool for disk encryption available for Windows, Linux and macOS. VeraCrypt is a successor of TrueCrypt, an encryption software whose development stopped in 2014 and which is no longer maintained by its developers. VeraCrypt adopted most of TrueCrypt’s source code and to this day shows considerable similarities to TrueCrypt. This report summarizes the results of a year-long project of Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany on behalf of the Federal Office for Information Security (BSI), Bonn, Germany. After starting off with an extensive research into the project evolution and related work, we executed a security analysis of VeraCrypt with a focus on its cryptographic mechanisms and the security of the application as a whole. During the research process we followed a security model that includes pertinent usage scenarios including the use of VeraCrypt for secure online sharing of data and the use on public systems and servers. Our research efforts included both automated and manual testing techniques, manual code and documentation review, as well as the creation and use of dedicated test tools. We found that although VeraCrypt is a well-acknowledged software project, it appears that the project is still mostly driven by a single developer rather than a development team. The data we collected for VeraCrypt’s development history indicate that the project did not follow an elaborated software-development cycle with acknowledged best practices for software engineering, for instance, quality gates, peer reviews, and documentation of code changes. The code base still mainly consists of code from the TrueCrypt project that has been repeatedly criticized for its poor coding style as the case of differing implementations of the random number generator for different operating systems still tellingly shows.