[cryptome] Re: TrueCrypt compromised

  • From: Neal Lamb <nl1816a@xxxxxxxxxxxxx>
  • To: "cryptome@xxxxxxxxxxxxx" <cryptome@xxxxxxxxxxxxx>
  • Date: Mon, 9 Jun 2014 10:39:26 -0700 (PDT)


On Monday, June 9, 2014 11:55 AM, Aftermath <aftermath.thegreat@xxxxxxxxx> 

Someone just pointed this out to me:


from the website:

Project Description
VeraCrypt is a free disk encryption software brought to you by IDRIX 
(http://www.idrix.fr) and that is based on TrueCrypt, freely available at 
It adds enhanced security to the algorithms used for system and partitions 
encryption making it immune to new developments in brute-force attacks.

For example, when the system partition is encrypted, TrueCrypt uses 
PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And 
for standard containers and other partitions, TrueCrypt uses at most 2000 
iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for 
SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted 
partitions without any performance impact to the application use phase. This is 
acceptable to the legitimate owner but it makes it much harder for an 
attacker to gain access to the encrypted data.

VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.
VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.

VeraCrypt storage format is INCOMPATIBLE with TrueCrypt storage format.

(repetition is mine to highlight the fact that you cannot open truecrypt 
volumes with veracrypt)


On Tue, Jun 3, 2014 at 9:50 AM, <tpb-crypto@xxxxxxxxxxx> wrote:

> Message of 03/06/14 10:51
>> From: "Shaun O'Connor"
>> I take your point about the encryption dilemma (did I spell that
>> correctly). I think the Jury is out on that particular issue though...
>> Personally I think we are in a perpetual game of cat and mouse with
>> those who make it their business to know everything about everyone..
>The rewards for the spies are too great for this game to end one day.
>The game will continue, but because of these disclosures by half-2015, the 
>spies will have to start all over again, at least against people who are aware 
>and actively protect their systems. Because those that got legacy systems will 
>be forever under the threat.
>Considering our increasing life expectancy and the fact that we are using 
>Cobol and Fortran codes made 40 years ago in many financial and scientific 
>institutions, we can count many exploits discovered in the last decade to be 
>still exploitable in 100 years. Because those systems won't go away.
>An example of why this is possible, is how many webservers (not merely 
>firmware routers hard to re-flash) you will find that are still vulnerable to 
>heartbleed. The rate of correction seems to be asymptotic, thus always leaving 
>some uncorrected systems till the end of their usable lives.
>Put that in an automated system like spy agencies have, and you have 
>interesting data streams forever to exploit. The only solution to stop them is 
>to uncover their taps and block them, those are much smaller in number and 
>easier to tackle than millions of machines.
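
The iteration counts in the quoted project description translate directly into per-guess cost. The sketch below is an added example, not part of the original message and not VeraCrypt's code; it times one PBKDF2 derivation at the quoted counts and extrapolates to a candidate list. It assumes PBKDF2-HMAC-SHA512 from Python's hashlib as a stand-in hash, a constructed password and salt, and a hypothetical candidate-list size.

```python
import hashlib
import time

# Iteration counts quoted in the project description above.
TRUECRYPT_SYSTEM, VERACRYPT_SYSTEM = 1000, 327661
TRUECRYPT_CONTAINER, VERACRYPT_SHA2 = 2000, 500000

SALT = bytes(64)                      # constructed all-zero salt, sample only
PASSWORD = b"constructed passphrase"  # constructed sample input


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """One PBKDF2 run: what every unlock and every guess must pay for."""
    # Assumption: SHA-512 stands in for the hash; RIPEMD-160 is often
    # unavailable in current OpenSSL builds.
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def seconds_per_derivation(iterations: int) -> float:
    """Measured wall-clock cost of a single derivation on this machine."""
    start = time.perf_counter()
    derive_key(PASSWORD, SALT, iterations)
    return time.perf_counter() - start


def slowdown(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so the ratio is the factor."""
    return new_iterations / old_iterations


def days_to_test(candidates: int, per_derivation_s: float, workers: int = 1) -> float:
    """Time to run the derivation once per candidate password."""
    return candidates * per_derivation_s / workers / 86400


if __name__ == "__main__":
    candidates = 10**9  # hypothetical candidate-list size
    for label, n in [("TrueCrypt container", TRUECRYPT_CONTAINER),
                     ("VeraCrypt SHA-2", VERACRYPT_SHA2)]:
        t = seconds_per_derivation(n)
        print(f"{label}: {n} iterations, {t * 1000:.1f} ms per unlock, "
              f"{days_to_test(candidates, t):.0f} days for {candidates} candidates")
    print(f"system partition factor: {slowdown(TRUECRYPT_SYSTEM, VERACRYPT_SYSTEM):.1f}x")
```

The owner pays the derivation cost once per mount, while anyone testing passwords pays it once per candidate, which is why the delay is tolerable on one side and multiplies on the other.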
