Jump to content

Talk:VeraCrypt

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Peterl (talk | contribs) at 06:11, 7 March 2022 (Confusing info in the "Physical Security" section and the "Trusted Platform Module" section: Duplication issue). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Keep

Loyd. I am not an expert in any of this including what constitutes an ad. However, as a long time truecrypt user, this article has been very helpful about what to do since Trucrypt is no longer. Thus I feel it should be retained. Loydfoofoo (talk) 20:33, 4 February 2015 (UTC)[reply]

I agree with Loydfoofoo. Pwolverine (talk) 09:34, 7 February 2015 (UTC)[reply]

The VeraCrypt entry in Wikipedia

1) The article does not read like an advertisement to me, and if I've read it correctly is not a commercial product - its not 'for sale' but it is available. Seems to me more like a straightforward & neutral communication of information.

2) It relies too heavily on primary sources? Not sure what other sources it COULD rely on... So unconvinced that this is a valid criticism.

3) Needs additional citations for verification? Frankly I'm not even sure what this means. Verified in what sense? I will say no more since I may well simply expose further my ignorance.

(but - secret private thoughts hmmm... verified... that it exists? that the information is true? that it works? that its produced by the people who claim to be responsible?)

4) Too technical? I'd describe it as admirably concise. I wouldn't claim to fully understand the information given, and am at the opposite end of the 'techno nerd computer geek' spectrum, indeed at the opposite end of the age spectrum that implies.

I have a smart phone - it took me over a month to discover how to accept an incoming call. So, NOT tec savy.

However since the Snowden revelations and with a strong interest in the Bletcheley Park story from WW2 I have tried to educate myself to some degree in this area. More explanation could be given, but it would make it a much longer article. My supposition would be that anyone wishing to understand more about the information given would follow the available links. 86.184.230.77 (talk) 11:31, 8 February 2015 (UTC)[reply]

Problem with speed claims.

We have a quote from a reliable source that doesn't make sense. The quote is

"In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations.

What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said.

While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force. "Effectively, something that might take a month to crack with TrueCrypt might take a year with VeraCrypt," Idrassi said."

Source: [ http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-truecrypt-alternative.html ].

We use this quote in the Security improvements section.

Two problems. First, anyone who has used both knows that the speed difference is not slight. Second, how is doing 327 times more work "10 times harder"?

At [ http://www.theinquirer.net/inquirer/news/2375599/veracrypt-fork-of-truecrypt-tips-up ] the same quote is used, but it is attributed as "On the VeraCrypt website, Idrassi explained". I cannot find the quote on veracrypt.codeplex.com.

I think we should drop the esecurityplanet citation and quote and instead use this one from [ https://veracrypt.codeplex.com/ ]:

"As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data."

--Guy Macon (talk) 07:43, 7 July 2015 (UTC)[reply]

"it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force" is a really weird statement.

1) PBKDF2 iterations have zero effect on brute force attacks. A brute force attack by definition will iterate over the whole keyspace, so it would be stupid to use PBKDF2 at all when you can just skip the step. The PBKDF2 iterations do increase the difficulity of password guessing though, e.g. dictionary attacks.

2) It makes it sound like the software itself will be brute forced, while in reality the software doesn't matter at all. It's all about the header data.

In light of these shortcomings I removed that part of the quote and replaced it with a simpler "While this makes VeraCrypt slower at opening encrypted partitions, it also makes password guessing based attacks slower."

- KaurKuut (talk) 00:32, 23 November 2015 (UTC)[reply]

Licensing of VeraCrypt

If the license is Apache 2.0, doesn't that make VeraCrypt "Free Software", as opposed to "Source available freeware"?

Yogesh Girikumar 03:17, 10 July 2015 (UTC) — Preceding unsigned comment added by Yogeshg1987 (talkcontribs)

VC includes TC code which is not released under a license recognized by FSF — Preceding unsigned comment added by 79.200.206.4 (talk) 12:45, 1 September 2015 (UTC)[reply]

Confusing info in the "Physical Security" section and the "Trusted Platform Module" section

Perhaps the information from VeraCrypt is confusing and so it's not the fault of this article, but note that in the "Physical Security" section it's stated that if possession of the computer is lost, an attacker can install a keylogger and compromise the security that way. Ok, fine, but then in the TPM section the same thing is stated and "for that reason TPM will never be supported." Well, that's dumb, but perhaps the conflict here - "we'll support our software, which may be compromised by a certain attack, but we won't support TPM, which may be compromised by the same attack" - could be explained or, if one of these sections has inaccurate info, it could be corrected. I'm reading this and thinking "WTH - are the VeraCrypt developers idiots or is this article somehow in error?" GTGeek88 (talk) 15:48, 28 January 2022 (UTC)[reply]

That section needs to be rewritten. See WP:SOFIXIT.
The main problem is the phrase "such as a hardware keystroke logger" which misses the point of the previous sentence; "if the attacker has physical or administrative access to a computer".
Nothing can save you if you are facing a sophisticated and well-funded attacker (examples: You are Edward Snowden, your computer has military secrets, you have financial info worth billions, or you are the new leader of ISIS) and the attacker has physical access. The attacker can switch your computer with an identical-looking one that looks and acts exactly the same to your eyes.
Most of us are facing threats from attackers who are not willing to break into your room and switch your computer while you sleep. Compromising your PC over the Internet and gaining administrator access is far more likely for most people. As the FAQ says:
"If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer)... The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware)."[1]
So the paragraph should be rewritten to make it clear that VeraCrypt is secure against someone with administrator rights but not against someone with physical access, and TPM is not secure in either of those two cases.
13:23, 29 January 2022 (UTC)2600:1700:D0A0:21B0:69AC:5512:473D:30FA (talk)

I tried to modify the TPM section to address this issue. I covered both angles: VeraCrypt's angle and the opposition's angle.

Quite frankly, I did expect some VeraCrypt fan or representative to revert or subvert my edit in a way that looks totally pro-VeraCrypt. It appears our lucky contender is User:Peterl. Peterl entirely removed the opposition's view point and wrote: "Others disagree with this" as if those others are trolls and their opinion is not worth considering. It goes without saying that censoring the valid views of the others is a violation of WP:NPOV that says:

All encyclopedic content on Wikipedia must be written from a neutral point of view (NPOV), which means representing fairly, proportionately, and, as far as possible, without editorial bias, all the significant views that have been published by reliable sources on a topic.

Let's take a look at a couple of highly controversial things that Peterl has wrote in his edit summary:

  • "This is not the place to discuss the purpose or intent of TPM." Funny, because I did the opposite of discussing the intent of TPM and wrote "See 'Trusted Platform Module § Uses' for details."
  • "The discussion over whether that's true or not belongs on the TPM page." WP:NPOV says it belongs to this page exactly. "Not going off topic" is the Internet's general excuse for censoring relevant contents.
  • "The refs left don't adequately cover that 'others disagree with this'." This phrase appears in Peterl's edit, not mine! In fact, my edit states that others partially agree with TrueCrypt devs.

Waysidesc (talk) 01:44, 7 March 2022 (UTC)[reply]

Please avoid attacking or being condescending to the editor, or any editor. It's not helpful and it's not constructive.
So, let's look at the issues at hand:
1. "VeraCrypt does not take advantage of Trusted Platform Module (TPM)." - stated fact
2. "VeraCrypt FAQ repeats the negative opinion of the original TrueCrypt developers verbatim." - stated fact
3. VeraCrypt developers "claim that TPM is entirely redundant" - stated in their doc.
Is TPM redundant? Can it be broken? Is it broken? That's a completely different question. All we have here is the VC devs claim. TPM is used in/by thousands of programs. The VeraCrypt page is not the place to discuss whether TPM is good, redundant, reliable or not; the TPM page is. Are there other developers that think TPM is redundant? Some of those links suggest that, others are glowing about TPM. They belong on the TPM page.
I see that these refs and most of that text has come from the Trusted Platform Module page. It's redundant to have such duplication, because wiki pages for other programs that avoid or have a position against TPM would also need this discussion. I've marked this section
Regarding WP:NPOV: The only fact we can state here is that VC doesn't use TPM, and the VC Devs have their reasons and don't like it. There's nothing debateable or un-NPOV in that. The viewpoints on whether they are right or not belongs on the TPM page.
peterl (talk) 06:11, 7 March 2022 (UTC)[reply]
Retrieved from "https://en.wikipedia.org/w/index.php?title=Talk:VeraCrypt&oldid=1075702545"