What are the differences between TrueCrypt 7.1a and VeraCrypt, and which is more secure?

BirdDad

I have tried them both, and it takes twice as long to encrypt a VeraCrypt non-system 3GB whole hard drive encryption than TC.
Is TC really not secure? And if it isn't, is VC?
I would want one of these for Win/Lin/OSX.
I am using a TC that I downloaded in December.
 

BirdDad

I am using TC right now but have tried VC on a few storage drives and am hoping that it will not put back doors in and make it so current and future versions of Windows can be encrypted with it.
 

BirdDad

I have been wondering for some time if TC doesn't have a backdoor built into it or if the NSA shut them down because they refused to put one in.
 

John Connor

Did no one hear about the TC audit? Besides some sloppy code, it's golden. I personally think TC went through Lavabit BS. I still use TC.
 

JBT

Let's just say it DOES have an NSA back door in it, but no one else can get in except the best crackers. It will still protect you from 99.9% of the other folks in the world. Unless you are backing up American or terrorist secrets don't worry about it too much.
 

lxskllr

> Let's just say it DOES have an NSA back door in it, but no one else can get in except the best crackers. It will still protect you from 99.9% of the other folks in the world. Unless you are backing up American or terrorist secrets don't worry about it too much.

Security through obscurity isn't security. No crack is hard once you know how to do it, and if the NSA can do it, anyone can. It just takes the right person to find it.
 

smakme7757

> Did no one hear about the TC audit? Besides some sloppy code, it's golden. I personally think TC went through Lavabit BS. I still use TC.

The audit isn't even finished yet :confused:. The only thing they have finished auditing is the bootloader.
How can you say it's "Golden"?
 

PrincessFrosty

VeraCrypt is a fork of TrueCrypt which increases the number of rounds of hashing that is done on the partition container. What occurs normally in TrueCrypt is that when a password is first entered it's hashed, and the result of that hashing algorithm is then hashed again and so on, 2000 times.

This means if you want to test a password to see if it opens the container header then you have to hash the plaintext 2000 times. With VeraCrypt that's increased significantly, up to 655331. It means that brute force attacks, which attempt many password combinations in quick succession, are slowed down, in this case by approximately 330x.

This is only helpful if you picked a weak password; a strong password will already have a character space that is unfeasible to brute force to begin with. If you're hell bent on using weaker passwords then VeraCrypt might be helpful.

In all other regards, near as I can tell, it's a straight fork of TrueCrypt so it's not a good replacement if you're concerned about security. The audit of TrueCrypt revealing no significant crypto weaknesses is a good indicator it's currently fit for purpose given the original guidelines for use.
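
Added example, not part of the original post: a Python sketch of the cost difference described above, using the two iteration counts from the post. It assumes PBKDF2-HMAC-SHA512 from `hashlib` as a stand-in for the header key derivation, and the attacker rate of 1,000,000 guesses per second at 2000 iterations is a constructed figure.

```python
import hashlib
import time

TC_ITERATIONS = 2000      # iteration count the post gives for TrueCrypt
VC_ITERATIONS = 655331    # iteration count the post gives for VeraCrypt
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """One password guess costs one full derivation (assumed KDF: PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def seconds_per_guess(iterations: int, salt: bytes, trials: int = 3) -> float:
    """Best-of-N wall-clock time for a single derivation on this machine."""
    best = float("inf")
    for i in range(trials):
        start = time.perf_counter()
        derive_header_key(b"guess-%d" % i, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def slowdown_factor() -> float:
    """Work per guess scales linearly with the iteration count."""
    return VC_ITERATIONS / TC_ITERATIONS


def years_to_exhaust(entropy_bits: int, rate_at_tc: float, iterations: int) -> float:
    """Years to try every password in a 2**entropy_bits space.

    rate_at_tc is the guesses/second achieved at TC_ITERATIONS; the rate at any
    other iteration count is scaled down proportionally.
    """
    rate = rate_at_tc * TC_ITERATIONS / iterations
    return (2 ** entropy_bits) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = bytes(64)            # constructed all-zero salt, for timing only
    assumed_rate = 1_000_000    # constructed figure: guesses/s at 2000 iterations
    tc, vc = (seconds_per_guess(n, salt) for n in (TC_ITERATIONS, VC_ITERATIONS))
    print(f"measured: {tc*1e3:.2f} ms vs {vc*1e3:.2f} ms per guess "
          f"(x{vc/tc:.0f}, expected x{slowdown_factor():.0f})")
    for bits in (30, 40, 80):   # weak, moderate, strong password entropy
        t = years_to_exhaust(bits, assumed_rate, TC_ITERATIONS)
        v = years_to_exhaust(bits, assumed_rate, VC_ITERATIONS)
        print(f"{bits}-bit password: {t:.3g} years -> {v:.3g} years")
```

At the assumed rate, a 30-bit password moves from roughly 18 minutes to roughly 4 days of search, while an 80-bit password is out of reach at either iteration count.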
 

Fallen Kell

> VeraCrypt is a fork of TrueCrypt which increases the number of rounds of hashing that is done on the partition container. What occurs normally in TrueCrypt is that when a password is first entered it's hashed, and the result of that hashing algorithm is then hashed again and so on, 2000 times.
>
> This means if you want to test a password to see if it opens the container header then you have to hash the plaintext 2000 times. With VeraCrypt that's increased significantly, up to 655331. It means that brute force attacks, which attempt many password combinations in quick succession, are slowed down, in this case by approximately 330x.
>
> This is only helpful if you picked a weak password; a strong password will already have a character space that is unfeasible to brute force to begin with. If you're hell bent on using weaker passwords then VeraCrypt might be helpful.
>
> In all other regards, near as I can tell, it's a straight fork of TrueCrypt so it's not a good replacement if you're concerned about security. The audit of TrueCrypt revealing no significant crypto weaknesses is a good indicator it's currently fit for purpose given the original guidelines for use.

I thought they were also changing some of the seeds and values for the algorithms used, such as the elliptic curve points, to be ones that were not "suggested" by the NSA for use in the product.
 

Fox5

TrueCrypt died just due to lack of developer interest. It should still be secure.

However, on Windows 8, I would just upgrade to the Pro version and use BitLocker. You don't have to upload the decryption key to Microsoft's servers.

Really though, if you're security minded, you should be on Linux, and using its full disk encryption. What's the point of trusting boot time encryption, when you're using a closed source untrusted OS like Windows?
 

seepy83

> If you use FDE in the first place it should be air gapped.

Are you saying you think every device that uses FDE should be air-gapped? It's pretty clear that's what you wrote...but are you serious? There are plenty of use-cases where FDE'd devices wouldn't be anywhere near air-gapped, or even physically secure all of the time. The biggest reason to use FDE is to provide security for data on mobile/portable devices. Good luck air-gapping all of your laptops, phones, tablets, etc.
 

seepy83

> Just going with the Bruce Schneier philosophy.

Have a reference? I'd love to see the context where Schneier said all FDE devices should be air-gapped.

I would also love to know how you would protect data on mobile devices that may be lost/stolen, if you don't think FDE is the solution.
 

seepy83


That's a use-case for air gaps, and some recommendations for implementation. Unless I'm missing something, nowhere does he say that all FDE devices should be air-gapped. Not trying to derail the thread, but air gaps and FDE have different uses...if they were on a Venn diagram showing when they should be used, they would overlap but neither would completely consume (or be a sub-population of) the other.