Cryptainer PE's ease of use, together with its 448-bit encryption, provides file security without changing the way you work. It creates a 100MB encrypted drive that can be loaded and unloaded as required, and it is operated with simple drag-and-drop. Both products use the Blowfish algorithm.
A vulnerability in the product allows a user with access to the local machine to recover the password protected by the product by examining the memory contents of the product's process (by causing it, or the operating system, to dump its memory).
Credit:
The information has been provided by K. K. Mookhey.
Vulnerable systems:
* Cryptainer PE
* Cryptainer 2.0
Both versions of Cryptainer store the password in clear text in the memory of the process, without encrypting or nullifying it. The password is clearly visible as long as the following two conditions are satisfied:
1. The user has entered the password at least once
2. Cryptainer is loaded
The encrypted volume may or may not be loaded. Because the product can be minimized to the System Tray, it is quite likely that a user would keep Cryptainer running without loading the encrypted volume that contains the encrypted files. In that case, the user might assume that the files are safe because the encrypted volume is not loaded. But an intruder who is able to dump the memory of the running process can ferret out the password with relative ease. Besides the password, the physical path of the volume is also clearly visible. Cryptainer also does not limit the number of wrong password attempts. So an intruder must collect the memory dump, copy the logical volume (which is actually one big file) from its physical location onto his machine, and then run Cryptainer and check all the strings in the memory dump for the correct password.
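The handling whose absence is described above (use the password once, then nullify it, and discard key material when the volume is unloaded) can be sketched as follows. This is an added example, not code from the advisory or the vendor; `volume_ctx`, `volume_unlock`, `volume_unload` and the stand-in `derive_key` are hypothetical names, and the passphrase is constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
typedef struct { uint8_t key[16]; int unlocked; } volume_ctx; /* hypothetical */

/* Zero through a volatile pointer so the optimizer cannot drop the wipe. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Count non-zero bytes: what a string search of a memory dump could find. */
static size_t residue(const void *buf, size_t len) {
    const unsigned char *p = (const unsigned char *)buf;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (p[i] != 0);
    return n;
}

/* Stand-in for the real key setup (FNV-1a mixing). NOT a real KDF. */
static void derive_key(const char *pw, size_t cap, uint8_t key[16]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < 16; i++) {
        for (size_t j = 0; j < cap && pw[j]; j++)
            h = (h ^ (uint8_t)pw[j]) * 16777619u;
        key[i] = (uint8_t)(h >> 24);
    }
}

/* Use the password once, then wipe the whole input buffer before returning. */
static void volume_unlock(volume_ctx *ctx, char *pw, size_t cap) {
    derive_key(pw, cap, ctx->key);
    ctx->unlocked = 1;
    secure_wipe(pw, cap);
}

/* Unloading the volume also discards the derived key and state. */
static void volume_unload(volume_ctx *ctx) { secure_wipe(ctx, sizeof *ctx); }

/* One session; returns bytes left in the password buffer and context, or -1. */
int leftover_after_session(void) {
    char pw[64] = "constructed-sample-passphrase"; /* constructed input */
    volume_ctx ctx;
    if (residue(pw, sizeof pw) == 0) return -1;   /* secret must be present */
    volume_unlock(&ctx, pw, sizeof pw);
    size_t left = residue(pw, sizeof pw);         /* checked while still running */
    volume_unload(&ctx);
    return (int)(left + residue(&ctx, sizeof ctx));
}

int main(void) { return leftover_after_session() != 0; }
```

On Windows, `SecureZeroMemory` serves the same purpose as the hand-written `secure_wipe`. Every copy of the password (UI control text, temporary strings) needs the same treatment, not only the buffer passed to key setup.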
References:
A similar vulnerability was found in Password Safe written by crypto-guru Bruce Schneier. This was acknowledged by him and addressed by the developer of the open source version of this product. Bruce Schneier's response is here: http://www.counterpane.com/crypto-gram-0111.html#6
Vendor Response:
The vendor notes that "The software is still pretty secure, and if you do not keep Cryptainer in the System Tray you should be safe."
Workaround:
Do not keep Cryptainer minimized in the System Tray even if you have unloaded the encrypted volume. Exit the software as soon as you have finished encrypting/decrypting the files, by clicking on the Shutdown and Exit button.