60

The main difference being TrueCrypt creates containers and 7-Zip encrypts the file itself, so file sizes can be guessed. Now let's just talk about the strength and breakability of the encryption.

Update: http://forums.truecrypt.org/viewtopic.php?p=107396

superuser
  • 3
    "The main difference being TrueCrypt creates containers and 7-Zip encrypts the file itself, so file sizes can be guessed." How do you figure this? Sure, a ZIP file's size will be more closely related to the total size of all the files it contains. But ZIP files are still just another sort of container - given the possibility that they contain any number of files, reliably guessing at the size of any individual file within the container is effectively impossible. – Iszi Jun 02 '14 at 19:46
  • 7Zip may not be a good choice for encryption anymore. However, for shrinking files it's okay. https://twitter.com/3lbios/status/1087848040583626753 – Denis Jan 25 '19 at 08:18
  • 1
    Well, 7Zip has since fixed their weak security (as reported in the tweet above) but TrueCrypt is basically defunct. VeraCrypt is the recommended successor. – Simon East Feb 09 '20 at 05:11
  • See https://security.stackexchange.com/questions/100650/how-secure-is-7z-encryption/233813#233813 for some interesting reading on a few bugs that were found in recent versions of 7zip pertaining to the RNG and IV generation in those versions. – mti2935 Jun 26 '20 at 15:37
  • Consider also [Cryptography StackExchange](https://crypto.stackexchange.com/questions/90137/7-zip-encryption-practical-effect-of-lacking-salt). – Ray Woodcock May 26 '21 at 23:39

5 Answers

58

If implemented correctly, AES is AES; the output between two different implementations is identical, and therefore no distinction is possible in after-the-fact comparison -- if done correctly, the one is exactly the same as the other.

But there are a few points where differences can crop in:

Operation Mode
Truecrypt implements a modified counter mode called XTS. It's pretty well vetted and has withstood some serious abuse from some powerful attackers (such as the US Government).

From examining the p7zip source code, it appears that AES encoding for the 7-zip format operates in CBC mode. This is certainly not necessarily insecure; it's the mode most popularly used in protocols such as TLS, but it is potentially vulnerable to padding oracle attacks. See this discussion on operation modes for more information.

Key Derivation
Truecrypt uses PBKDF2 to turn your password into an encryption key. It's difficult to come up with a better alternative than that. p7zip uses a salted SHA256 hash repeated over a configurable number of iterations. PBKDF2 is a bit more configurable, but 7-zip's alternative is functionally similar and arguably reaches the same goals.

Vetted Implementation
Here's probably the biggest difference: TrueCrypt's code has been pored over by cryptographers and carefully examined for implementation mistakes. 7-zip's has not (at least not to the same degree). This means that there is a higher probability that 7-zip's code contains some sort of mistake that could allow for some sort of as-yet-unknown attack. That's not to say that such a mistake exists, and that's not to say that such a mistake couldn't be found in TrueCrypt instead. But this is a matter of probability, not certainty.

All in all, the differences are minor, and for most use cases you shouldn't expect any difference at all from a security perspective. If it's a matter of life-and-death, I'd probably pick TrueCrypt. But for matters of mere secrecy, I'd recommend going with whichever solution fits your problem the best.

tylerl
  • 8
    The difference in work factor is a significant point in favour of 7z. – CodesInChaos Jan 20 '13 at 22:11
  • 1
    @CodesInChaos, would you please elaborate on that? – Adi Jan 22 '13 at 14:13
  • 2
    @Adnan 7z uses more hash rounds than truecrypt. Truecrypt uses PBKDF2 while 7zip does it manually; but 7zip's standard is to do more of it. – tylerl Jan 22 '13 at 20:25
  • 1
    Do you have something to support the statements that TrueCrypt has been more thoroughly reviewed than 7-Zip? Both solutions are open source. While that does mean anyone *can* review them, it doesn't necessarily mean anyone *has*. (Poster child for this these days being OpenSSL and Heartbleed.) There is a crowdfunded project currently underway at http://istruecryptauditedyet.com but they haven't gotten through the crypto implementation audit yet. – Iszi Jun 02 '14 at 19:30
  • @Iszi I'm sure you've heard my thoughts on OpenSSL already - the code *actively resists auditing.* It's as if it was designed to prevent scrutiny. And I'm on the record saying that long before the heartbleed thing showed up. TrueCrypt has thwarted US Intelligence Agencies in multiple news-reported cases; but that *doesn't mean it's necessarily safer.* 7-zip has no history *at all* as far as I can find - no good, no bad. – tylerl Jun 02 '14 at 20:21
  • If it's a matter of life and death, I'd pick the one that's harder for the good-guys to F-up. :) – Andrew Hoffman Oct 13 '14 at 17:48
  • If it's a matter of life and death, I'd stack encryption. I am just saying that for the record. – EKanadily Nov 24 '16 at 16:21
  • @EKanadily That's actually a bad idea. It's better to use one layer with double the key size than two layers with identical keysize. IOW, two layers of AES with a 10 char password is far worse than one layer of AES with a 20 char password. – forest Sep 22 '18 at 02:21
  • @tylerl I recall hearing that 7zip does not actually use a salt. – forest Sep 22 '18 at 02:24
  • @forest you are right, I however mean something else: AES is engineered so that it can be broken (through cryptanalysis) if needed. Stacking encryption is the antidote. – EKanadily Sep 22 '18 at 05:04
  • 1
    @EKanadily I'm sorry, but you are incorrect. AES is not engineered to be broken through cryptanalysis. – forest Sep 22 '18 at 05:37
  • @forest that is what all people have said about known broken ciphers. – EKanadily Sep 22 '18 at 16:14
  • @EKanadily People knew forever that DES was eventually going to be broken because of its small key size. Almost immediately after RC4 came out, people noticed biases in its output. Etc. Not to mention, none of those were "engineered to be broken". The only thing that was was a PRNG, and it was _immediately_ noticed that something sketchy was going on with it. – forest Sep 23 '18 at 00:41
22

The security of a cipher depends on its specific implementation in a software utility. As far as I know, there are no known AES implementation issues in 7-Zip or TrueCrypt.

AES is a fast cipher, and hardware acceleration features such as AES-NI make it much faster. So protecting against brute-force requires strengthening the key through key extension mechanisms.

Brute-forcing tools exist for both 7-Zip and TrueCrypt and they support hardware acceleration.

7-Zip uses key extension to increase the time to brute-force. The user password is hashed 130,000 to 524,288 times (depending on the version) using SHA256.

TrueCrypt also uses PBKDF2 for key extension with 1000 iterations which is 2 orders of magnitude lower than 7-Zip. An issue is that TrueCrypt uses the minimum number of iterations recommended 10 years ago.

When the PBKDF2 standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase.

It also uses 512-bit salting that decreases vulnerabilities to dictionary and rainbow table attacks.

So from a brute-force perspective, 7-Zip is a bit better than TrueCrypt, but both are considered fairly resilient to brute-force attacks.

There is a story where the FBI tried to crack a TrueCrypt volume for 12 months and failed.

Cristian Dobre
  • 1
    Forgot if it was 7z or rar, but one of them used ECB mode. This isn't a big problem for compressed files, but for uncompressed files the weakness of ECB can leak something. – CodesInChaos Jan 20 '13 at 10:54
  • @CodesInChaos The original 7-zip isn't open source, but p7zip (compatible, and by the same author) is. Digging through the source for p7zip shows that it uses CBC for 7z files. Since they're compatible with the original 7-zip, that would suggest that the original 7-zip also uses CBC. – tylerl Jan 20 '13 at 22:01
  • 1
    @tylerl Seems to have been .rar with AES-ECB http://blog.zorinaq.com/?e=15 – CodesInChaos Jan 20 '13 at 22:07
  • 2
    @tylerl: [The only part that isn't open-source is the RAR extraction support](http://7-zip.org/license.txt), which isn't relevant for this. The rest is LGPL. – Mechanical snail Jan 22 '13 at 04:50
  • 1
    To the guy here who mentioned " FBI tried to crack a this kind of software with this level of implementation and PR (it was available for Windows, Linux and Mac from a long time, if anyone knows software programming h/she knows how hard it is to maintain several packages with this efficiency at this level), can't be without funding. If some shadow organisation has implemented it, then why they would want to share the backdoor with po-leece!!! It would ruin their project. It's for them and them only. FBI's power to do overseas ops doesn't make them a top/secret arm. –  May 04 '14 at 04:26
  • The real top secret arm is always hidden, that's why it's called "secret", and it is not a govt agency for sure, CIA may have it but not FBI. When I mention secret-private-agency, I mean agency who look out for someone who has capability and interest in funding top colleges, lobbying govts of world, etc for their own private interests. –  May 04 '14 at 04:26
  • There's a typo: "An issues". – A.L Oct 13 '14 at 12:26
  • 7Zip is no longer secure for encryption. https://twitter.com/3lbios/status/1087848040583626753 – Denis Jan 25 '19 at 08:17
  • 7zip v. 19.00 corrects the issues with RNG and IV. Password hashing apparently remains weak (1000 iterations) for reasons of compatibility with WinZip-AES method. https://sourceforge.net/p/sevenzip/bugs/2176/ – BobS Mar 14 '19 at 07:37
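
The key-stretching comparison made in the answers above (7-Zip's iterated SHA-256 versus PBKDF2 at 1000 iterations), as an added Python example that is not code from either project or from any poster. The 7z-style input layout (salt, UTF-16LE password, 64-bit counter), the empty default salt and the SHA-512 PRF are assumptions; the password and salt are constructed sample values.

```python
import hashlib
import time

def sevenzip_style_kdf(password: str, salt: bytes = b"", cycles_power: int = 19) -> bytes:
    """One running SHA-256 absorbs salt || UTF-16LE password || 64-bit LE counter,
    2**cycles_power times (assumed layout; 2**19 = 524,288 as quoted above)."""
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << cycles_power):
        h.update(salt + pw + counter.to_bytes(8, "little"))
    return h.digest()  # 32 bytes, the AES-256 key

def pbkdf2_1000(password: str, salt: bytes, prf: str = "sha512") -> bytes:
    """PBKDF2 at the 1000 iterations quoted above; the PRF choice is an assumption."""
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, 1000, dklen=32)

def sevenzip_compressions(password: str, salt: bytes = b"", cycles_power: int = 19) -> int:
    """SHA-256 compression calls per guess: total input bytes plus padding, in 64-byte blocks."""
    per_round = len(salt) + len(password.encode("utf-16-le")) + 8
    total = per_round << cycles_power
    return (total + 9 + 63) // 64  # 9 = 0x80 marker byte + 64-bit length field

def pbkdf2_compressions(iterations: int = 1000) -> int:
    """Roughly two compression calls per iteration once the HMAC key pads are precomputed."""
    return 2 * iterations

def seconds(fn, *args) -> float:
    """Wall-clock time of a single key derivation, i.e. the cost of one password guess."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start

if __name__ == "__main__":
    password = "correct horse"   # constructed sample password
    salt = bytes(64)             # constructed 512-bit salt (all zero, demo only)
    print("7z-style, 2^19 rounds :", round(seconds(sevenzip_style_kdf, password), 3), "s")
    print("PBKDF2, 1000 rounds   :", round(seconds(pbkdf2_1000, password, salt), 4), "s")
    print("compression calls     :", sevenzip_compressions(password), "vs", pbkdf2_compressions())
    # With an empty salt the same password always derives the same key,
    # which is the concern raised in the comments about a missing salt.
    print(sevenzip_style_kdf(password, cycles_power=10) == sevenzip_style_kdf(password, cycles_power=10))
```

The iteration count alone overstates the gap: a short password fills only part of a SHA-256 block per round, so the per-guess cost of the iterated hash also depends on password length.
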
11

Barring implementation bugs, 7-Zip's encryption is more robust than TrueCrypt's, because TrueCrypt has a much harder job.

Sector-level full-disk encryption is hard:

  • You have a fixed amount of space, any part of which may be changed at any time.
  • You have only a relatively small amount of space to save for metadata. If you keep more than a few bits of tracking data per sector, you're probably eating too much space, and the user will object.
  • You can't afford to change key material: there's too much to re-encrypt.
  • You have to ensure an attacker can't copy one sector over another.
  • You have to ensure that a snooper can't read the disk multiple times on different days and gain information from the changes.

In comparison, 7-Zip's job is easy. It writes the file once and is done. If it needs to change something, it can re-encrypt the entire file using a different IV (even if the key is the same), and the new encrypted file looks completely different from the old one.

What this means is that 7-Zip can afford to use the well-understood CTR or CBC block cipher modes. Meanwhile, TrueCrypt has to use XTS, which makes a number of compromises in order to satisfy the additional constraints of full-disk encryption.

For more detail, see this article on the limitations of full-disk encryption.

Jander
  • Good answer, but "barring implementation bugs" is half of the problem. – Dan Pritts Nov 10 '16 at 15:24
  • That's true. I included that because I know very little about the details of either implementation. Maybe instead of barring them, I should argue that due to the extra complexity, there's a lot more room for bugs in TrueCrypt, and a better chance that such bugs are exploitable. – Jander Nov 10 '16 at 15:59
6

Update March 2016:

It seems that TrueCrypt is no longer developed, which will lead to future security bugs not being fixed.

This appears when opening TrueCrypt's website: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP."

Mike Ounsworth
Luisg123v
  • This doesn't seem to answer OP's question in any way. – d1str0 Mar 10 '16 at 21:06
  • 7
    Why not? I think the fact that TrueCrypt is no longer developed and security issues found in the future won't be fixed is a relevant fact, and it should be taken into account when choosing an implementation. Usually, the software is not "immutable" and the support is an important matter. – Luisg123v Mar 12 '16 at 01:06
6

I would differ with tylerl's answer in that, at the time of the writing of the question and the answer, TrueCrypt's source code had NOT been audited by cryptographers. In fact, as of now, only a partial audit by respected cryptographers has been completed.

So, currently the core cryptographic routines of both projects have the same level of review by expert cryptographers: none. Hopefully that will change soon for both codebases, but there's no effort underway to audit 7zip's code, AFAICT.

taltman
  • The tc Windows binaries were suspect, not the source; the Windows container header contained/leaked some data (but not on Linux container). Nobody else was able to build the Windows binaries because it needed many different MS compilers. The tc license prevented anyone else from distributing the binaries but tc website. – mosh Jan 23 '17 at 01:51