Veracrypt and encryption

L8437

So I know this is a 3rd party product but there are videos of people retrieving a password of a veracrypt encrypted container.
Im only a novice with this stuff, but I think the guy said it's the hash that he brute forces the password from.

Now baring in mind he said "you have to know the encryption that was used, and the hash"

And the password for the demo was only 4 digit pin

Why was he able to retrieve the password?
Surely the container is encrypted.....not with a strong password, does this mean it's all crackable, or is it because of the short password?

final

L8437 Now baring in mind he said "you have to know the encryption that was used, and the hash"

Correct, you have to know both the algorithm and the hash because each algorithm will generate the same input (in this case, the drive's password) differently. There are some ways to see what algorithm the hash is such as looking at it's length or by putting it through tools.

L8437 Why was he able to retrieve the password?

When you encrypt your storage, the hash of the decryption password has to be stored somewhere for the encrypted drive bootloader (in this case the VeraCrypt bootloader) to check for the right password. VeraCrypt and predecessor TrueCrypt have an unusual aversion to using a TPM and won't store anything in a dedicated hardware security module. This means that it is stored on the hard disk if it's a boot drive, or in the VeraCrypt container file if it is anything else.

A threat actor could image the drive (if a boot drive) or copy the container file (if anything else) and then see the hash of the decryption password. After obtaining the hash, the attacker could then try and bruteforce it. Because the hash can essentially be processed elsewhere after known, it can completely bypass any anti-bruteforce mechanisms.

Tools for decrypting VeraCrypt/TrueCrypt volumes exist such as HashCat, or for investigators they would be more inclined to use Passware: https://www.forensicfocus.com/articles/how-to-efficiently-decrypt-truecrypt-veracrypt-encryption-using-passware/ - Passware works a lot better however they are only truly effective if you have imaged the memory of the device or provided a memory dump to the software. VeraCrypt keys are stored in the memory when the device or volume is decrypted.

While the hash is still an encrypted string, it won't be any useful if your PIN/password is weak because the hash is only different when the input is. Salting the input can help produce a different hash for the same original input, however it's not very useful if you also know what the salt is or the mechanisms used to create one.

L8437 does this mean it's all crackable, or is it because of the short password?

VeraCrypt containers are not cracked and neither is the encryption. This scenario would only apply if you used a very weak password. If you used a very long password as they suggest with numbers, letters, symbols etc then this doesn't count to you. For containers with strong passwords a memory image would be required (which requires sophisticated equipment or a threat actor taking the image / device while it was unlocked). Use a secure password and you wont have this problem.

Encryption software that incorporates hardware security such as a TPM would be less susceptible to issues like this as key data would be isolated and stored in a dedicated hardware module. An example is BitLocker in Windows, configured with a startup PIN via group policy, although they would still be vulnerable if your memory was imaged while unlocked.

Lastly, if your device was taken while it was capable of having it's memory imaged you have a lot more to worry about, considering your device would have to be unlocked...

Modern and secure smartphones uses the hardware security module for the encryption process and is much safer like the above comment stated.

vcmj

In the case of most Android devices your PIN is not used to directly encrypt your storage. If it was then yes, that would be particularly easy to crack. Remember every door has a key, encryption will always be broken eventually, it is a matter of making it "not worth waiting for".
For Android the PIN/pattern is used as an authentication factor for the secure element which returns a much longer, secure key for encryption. This has the advantage of being able to throttle attempts and enact lockouts which makes a simple PIN much more viable than if it was used as a key directly. You simply won't be able to crack an Android as quickly as that guy did

L8437

final in veracrypt there is the option to use keyfiles and store it on a secure usb as an example. Does this elimate risk of the key being stored on the hard disk container?

I hope that makes sense

L8437

Cheers for the replie, very helpful and reassuring

final

L8437 The hash will always be stored, the only way it would be secure is if the hash was unique and not of a common password. It is secure as long as the authentication method is.

Using a keyfile would overcome this problem. Placing pseudorandom data in the file would make it better also. It would essentially only be vulnerable to taking keys from memory by that point, VeraCrypt does encrypt the keys in memory but Passware can decrypt it in some scenarios: https://support.passware.com/hc/en-us/articles/360050713974-Tips-for-Efficient-TrueCrypt-VeraCrypt-Decryption

Although just using a secure, long password would also be sufficient.

DrJack60

This is an outstanding & very informative thread! So what about a Veracrypt encrypted flash drive, I assume the hash is stored and so can it be read? Then such a drive is actually LESS secure than a hardware device with an encrypted container within? I was pondering the question of data storage on vs. off device. I will re-read the thread & dig a bit deeper. I appreciate the collective expertise that gathers around the GoS campfire!

final

DrJack60 So what about a Veracrypt encrypted flash drive, I assume the hash is stored and so can it be read?

Yes, it is the same process, Hash is stored in the first 512 bytes of the drive.

Image the VeraCrypt encrypted USB with a command line tool like dd to clone the first 512 bytes to a new file, then you can place through Hashcat or Passware again to brute force. I should stress again this is only really possible to be successful for really weak passwords or already known ones. It's mostly used as exercises, and you'll need to know PIM/algorithm used too. This thread was about how someone brute forced a VeraCrypt container, not if VeraCrypt is insecure after all. VeraCrypt is very safe providing you use a good password. I'd still personally suggest BitLocker over VC as your boot drive encryption option if you use Windows.

Here is a step-by-step on the brute-force: https://devsday.ru/blog/details/20018

DrJack60 Then such a drive is actually LESS secure than a hardware device with an encrypted container within?

I assume you mean self-encrypting USB storage devices with PIN panels on them like iStorage and the like? Hardware encrypted USBs are more for leak protection and insurance in high-security government organisations rather than data privacy. For most people's scenarios a software encrypted one is just fine provided it encrypts the entire drive including free space or securely wipes unallocated space before encryption.

Hardware-encrypted drives are used mostly because they can be FIPS validated and governments wont use what isnt FIPS, they can also support any platform and also can be used as a bootable drive without any special software. They can be quite tamper resistant and quite durable, my iStorage is 6 years old and works perfectly fine. There are limited use cases, such as maybe having an encrypted, deniable TAILS USB in one.

Providing the OS is not compromised then both are practically the same, the hardware ones simply exist to meet government compliance demands. They are also very expensive.