[cryptome] Re: TrueCrypt compromised

  • From: Aftermath <aftermath.thegreat@xxxxxxxxx>
  • To: cryptome@xxxxxxxxxxxxx
  • Date: Mon, 9 Jun 2014 09:54:24 -0700

Someone just pointed this out to me:


from the website:

*Project Description*
VeraCrypt is a free disk encryption software brought to you by *IDRIX*
(http://www.idrix.fr) and that is based on TrueCrypt, freely available at
It adds enhanced security to the algorithms used for system and partitions
encryption making it immune to new developments in brute-force attacks.

For example, when the system partition is encrypted, TrueCrypt uses
PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661.
And for standard containers and other partitions, TrueCrypt uses at most
2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations
for SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted
partitions without any performance impact to the application use phase.
This is acceptable to the legitimate owner but it makes it much harder
for an attacker to gain access to the encrypted data.

*VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.*

*VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.*
*VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.*

(repetition is mine to highlight the fact that you cannot open truecrypt
volumes with veracrypt)


On Tue, Jun 3, 2014 at 9:50 AM, <tpb-crypto@xxxxxxxxxxx> wrote:

> > Message of 03/06/14 10:51
> > From: "Shaun O'Connor"
> >
> > I take your point about the encryption dilemma(did I spell that
> > correctly). I think the Jury is out on that particular issue though...
> >
> > Personally I think we are in a perpetual game of cat and mouse with
> > those who make it their business to know everything about everyone..
> >
> The rewards for the spies are too great for this game to end one day.
> The game will continue, but because of these disclosures by half-2015, the
> spies will have to start all over again, at least against people who are
> aware and actively protect their systems. Because those that got legacy
> systems will be forever under the threat.
> Considering our increasing life expectancy and the fact that we are using
> Cobol and Fortran codes made 40 years ago in many financial and scientific
> institutions, we can count many exploits discovered in the last decade to
> be still exploitable in 100 years. Because those systems won't go away.
> An example of why this is possible, is how many webservers (not merely
> firmware routers hard to re-flash) you will find that are still vulnerable
> to heartbleed. The rate of correction seems to be asymptotic, thus always
> leaving some uncorrected systems till the end of their usable lives.
> Put that in an automated system like spy agencies have, and you have
> interesting data streams forever to exploit. The only solution to stop them
> is to uncover their taps and block them, those are much smaller in number
> and easier to tackle than millions of machines.
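Added illustration of the iteration counts quoted from the VeraCrypt project page above (example code written for this page, not TrueCrypt's or VeraCrypt's own code). It derives a header key from the same password and salt with PBKDF2-HMAC-SHA512 at TrueCrypt's 2000 iterations and at VeraCrypt's 500000 for the SHA-2 family, shows that the two keys differ (the concrete reason the storage formats are incompatible at the password level), and measures what the extra iterations cost per guess. The 64-byte salt, the 64-byte header key length and the constructed demo salt are assumptions for the example; the iteration counts are the ones the quoted text states. SHA-512 stands in for "SHA-2" because hashlib's RIPEMD-160 support depends on the OpenSSL build.

```python
import hashlib
import time

# Iteration counts exactly as stated in the VeraCrypt project description
# quoted in the message above.
TRUECRYPT_ITERS_SYSTEM = 1000
TRUECRYPT_ITERS_VOLUME = 2000          # "at most 2000"
VERACRYPT_ITERS_SYSTEM_RIPEMD160 = 327661
VERACRYPT_ITERS_VOLUME_RIPEMD160 = 655331
VERACRYPT_ITERS_VOLUME_SHA2 = 500000

# Assumptions for this example (not taken from the message): a 64-byte salt
# read from the start of the volume header, and a 64-byte header key
# (two 32-byte XTS keys for a single AES-256 cipher).
SALT_LEN = 64
HEADER_KEY_LEN = 64

# Constructed salt for the demo; a real header carries a random one.
DEMO_SALT = bytes(range(SALT_LEN))


def derive_header_key(password: bytes, salt: bytes, iterations: int,
                      hash_name: str = "sha512") -> bytes:
    """Turn a password into a header key with PBKDF2-HMAC-<hash_name>."""
    if len(salt) != SALT_LEN:
        raise ValueError("expected a %d-byte header salt" % SALT_LEN)
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations,
                               dklen=HEADER_KEY_LEN)


def slowdown_factor(old_iters: int, new_iters: int) -> float:
    """How many times more work each password guess costs an attacker.

    PBKDF2 cost is linear in the iteration count, so this is also the
    factor by which a dictionary attack's running time grows.
    """
    return new_iters / old_iters


def seconds_per_guess(iterations: int, hash_name: str = "sha512") -> float:
    """Wall-clock cost of one PBKDF2 evaluation on this machine."""
    start = time.perf_counter()
    derive_header_key(b"timing-probe", DEMO_SALT, iterations, hash_name)
    return time.perf_counter() - start


def dictionary_attack_seconds(num_candidates: int, per_guess: float) -> float:
    """Single-core time to try num_candidates passwords at per_guess s each."""
    return num_candidates * per_guess


def compare_formats(password: bytes, salt: bytes = DEMO_SALT) -> dict:
    """Derive one password under TrueCrypt's and VeraCrypt's iteration counts.

    The two header keys differ, which is why a VeraCrypt build cannot open a
    TrueCrypt volume with the same password: it derives the wrong key and
    the header does not decrypt.
    """
    tc_key = derive_header_key(password, salt, TRUECRYPT_ITERS_VOLUME)
    vc_key = derive_header_key(password, salt, VERACRYPT_ITERS_VOLUME_SHA2)
    return {
        "truecrypt_key": tc_key,
        "veracrypt_key": vc_key,
        "keys_differ": tc_key != vc_key,
        "slowdown": slowdown_factor(TRUECRYPT_ITERS_VOLUME,
                                    VERACRYPT_ITERS_VOLUME_SHA2),
    }


if __name__ == "__main__":
    result = compare_formats(b"correct horse battery staple")
    print("keys differ:", result["keys_differ"])
    print("attacker slowdown: %.0fx" % result["slowdown"])
    for label, iters in (("TrueCrypt", TRUECRYPT_ITERS_VOLUME),
                         ("VeraCrypt", VERACRYPT_ITERS_VOLUME_SHA2)):
        per_guess = seconds_per_guess(iters)
        print("%s: %.4f s per guess, %.1f s for a 10,000-word list"
              % (label, per_guess, dictionary_attack_seconds(10_000, per_guess)))
```

The ratio 500000 / 2000 = 250 is a linear multiplier on the attacker's work, roughly 2^8, so the higher count buys the equivalent of about eight bits of password entropy on a general-purpose CPU. That is a real gain, but it is not immunity: a password that falls to a small dictionary at 2000 iterations still falls at 500000, only 250 times more slowly, and GPU or FPGA attackers scale the per-guess cost down again.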
