Slashdot Mirror

← Back to Stories (view on slashdot.org)

VeraCrypt Is the New TrueCrypt -- and It's Better

Posted by Soulskill on from the not-that-anybody-cares-about-your-tax-returns-and-old-school-papers dept.

New submitter poseur writes: If you're looking for an alternative to TrueCrypt, you could do worse than VeraCrypt, which adds iterations and corrects weaknesses in TrueCrypt's API, drivers and parameter checking. According to the article, "In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations. What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force."

10 of 220 comments (clear)

  1. Re:CipherShed by binarylarry · · Score: 2, Insightful

    The NSA did not approve. They love VeraShed however.

    --
    Mod me down, my New Earth Global Warmingist friends!
  2. Wow, that's a lot of iterations by mveloso · · Score: 3, Insightful

    Wow, going from 2000 to 327,661 iterations sounds like a big deal. Does that actually add any value, or is that like doing rot-13 a million times?

  3. Re:Oblig xkcd by davydagger · · Score: 5, Insightful

    thats somewhat bullshit, because rubber hose cryptography is almost as much fantasy as what they critize. What is depicted is likely mabey %1 of all scenarios where encryption would help you.

    Beating the password out of someone is more an act of romantic fiction, than standard practice, just about anywhere in the world. While XKCD recognizes that most nerds obviously aren't James Bonds, what they miss is most digital adversaries aren't James Bond Villans either.

    1. Most of the time, the person is simply going to either steal, or subversively copy your encrypted disk, so you don't even know they are looking for it. Read: what the NSA or any other wiretap is doing. They count on suprise that you don't know your being monitored. Hence they can't hit you, and expect that you remain unaware they are after your data. If they can't break the cipher, they can't break it. More likely, its not going to be a three letter agency, and just a common theif, who, will not have the resources or ability to try beat you for the password, and certainly does not want to confront you, just get your information without you finding out and changing your passwords.

    2. Another situation is where they do confront you, but they simply don't either have the political will to beat you for your password. More common than you'd think, because, well, simply put, beating people doesn't make a regime popular with its constituents. Your going to have to be accused of something fairly bad before it becomes acceptable. If you have a hidden encryption scheme like TC does, and they don't know if its there for sure, they could beat you all day long and they'd never know if you were telling the truth or not. Torture is not effective. This has been known for centuries. Despite what the defeatists will tell you. Torture in war is done more to break the spirit, will and emotions of the enemy than it is for information. Or just for the kicks or emotional benefit of really pissed off angry people.

    you can look up US case law on this.

    3. If your adversary is in the government, your adversary might not be the entire government or entire system. Encryption that police cannot recover on their own, might help you, if the cops are crooked as shit, but the DA, Judge, or someone else in the system cares. Encryption that can last long enough to make it into the court room, can save your otherwise wild and henious accusations against police misbehavior. Don't give the cops the opperuntity to tamper with the evidence, or force them to hand you a subopena or warrant, or hold out on giving up your keys until talking with a lawyer will give you many more options.

  4. Nope not suspicious at all by ourlovecanlastforeve · · Score: 4, Insightful

    New submitter poseur writes:

    hey guyz get this new crypto for your puterz!!

    -TOTALLY NOT DHS

    1. Re:Nope not suspicious at all by joe_frisch · · Score: 5, Insightful

      That is EXACTLY the problem. Determining a chain of trust is tricky. Producing a chain of trust that a non-expert can trust is almost impossible. Most users cannot verify the algorithms themselves so they have to rely on the evaluation of other people. But, how to trust those other people?

      Government organizations have the resources to flood discussion groups like this with reasonable-sounding statements about how well something has been verified, while discrediting anyone who posts an message disagreeing.

      If someone posts that I am wrong, how can I, or any non-expert know if the arguments against this post are valid?

    2. Re:Nope not suspicious at all by Anonymous Coward · · Score: 2, Insightful

      > Producing a chain of trust that a non-expert can trust is almost impossible.

      Even a non-expert can see that this project is hosted on a Microsoft site. The same Microsoft that cooperated with every 3 letter agency known to man. As far as security and trustworthiness go this project is a joke right from the start.

      Projects located in the US are too much of a risk. The fact that Microsoft has direct access to the project is about as hilariously absurd as Truecrypts "go use Bitlocker" message.

  5. Re:You'll give them the password by GrahamCox · · Score: 4, Insightful

    So given that, the right thing is not to give them the password. Without it they cannot prove anything, however much pressure they apply. There may be the assumption that you have something to hide, but without proof, you're innocent, right?

  6. Re:Oblig xkcd by davydagger · · Score: 4, Insightful

    Even with "manditory key disclosure" durring criminal trials, you have the benefit of needing to go to trial to give up your keys. The police can't randomly search your data, which encryption the police cannot break becomes a major lever against police abusing their power. Thats the point. They need a warrant, which means they need a judge, and probable cause, and a paper trail you can fight in court.

    Even if thats all bogus, it becomes public record, so the public can have an informed debate over who the police are searching and why.

    As opposed to breakable crypto, where the cops can just crack anyone's setup, without the need for justification.

  7. Re:You'll give them the password by Anonymous Coward · · Score: 2, Insightful

    No.
    The only correct response is: "talk to my lawyer" or some variation of that.

  8. Re:Oblig xkcd by hairyfeet · · Score: 5, Insightful

    "Torture is not effective"...sure it is, you are just doing it wrong. What you have to do is the way the cops do it which is NOT to torture and threaten the subject but instead go after their families and you'll get whatever you want quite easily.

    The cops do this kind of shit all the time and the reason why is because it often works without even having to do the deed, just the threat of the action is enough. You tell a parent you are gonna send their kids to the nightmare that is the foster care system, if they have a relative in trouble threaten to bury them in charges, and of course if they are on any kind of aid its quite easily to threaten them with homelessness.

    Rubber hoses are 1950s tech Daddy-o, mental anguish works a LOT better and doesn't leave any marks that will come back to bite you in the ass.

    --
    ACs don't waste your time replying, your posts are never seen by me.