
TrueCrypt Audit: Phase 1 complete - The TrueCrypt Audit

smakme7757

I received the following email a few minutes ago, for your information:

Hello!
We are pleased to announce that Phase I of the audit is complete. 11 vulnerabilities were found, all rated Low to Medium severity. To date, we have found no 0-Day critical vulnerabilities or "backdoors" (intentional or otherwise) in the code. In Phase II, we will conduct a formal cryptanalysis, as well as examine the OSX and Linux ports.

The full report can be downloaded here: https://opencryptoaudit.org/reports...dit_Project_TrueCrypt_Security_Assessment.pdf

We want to give a special thanks to Tom Ritter and his team at iSec Labs.

iSec has released a summary statement here: https://isecpartners.github.io/news/2014/04/14/iSEC-Completes-Truecrypt-Audit.html

Within the next few days, we will announce the details and more information about the team leading Phase II. Finally, we have signed DVDs, and t-shirt and stickers are in process. Our best ETA for shipping is mid-May. As we've hit this major milestone in the project, we wanted to say thank you again so much for your patience and amazing support!

Is TrueCryptAuditedYet? Yes, in part!
Best,
Kenn and Matt
Project Link: https://www.indiegogo.com/projects/the-truecrypt-audit

So far I don't see anything to worry about. Sloppy code is unfortunate, but not a deal breaker.

Not using the burn() function to securely wipe sensitive areas of memory in certain places seems strange to me when they have developed the function themselves. However, again, not a deal breaker.

The rounds used in their PBKDF2 algorithm to derive the Volume Header encryption key are slightly too low - 1000 or 2000 depending on the algorithm used to generate the key. Something that would be easy to change in source, but with the amount of work required to recompile the application I can't be bothered.

Compiling was also pointed out as a weakness. Relying on antique libraries to compile the source. One specified in the report was last updated in 1993.

So everything seems to be in order so far 🙂.
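An added example, not part of the original post or the audit report: it measures what a PBKDF2 iteration count of 1000 or 2000 costs per passphrase guess compared with higher counts. The SHA-512 PRF, the 64-byte salt, the passphrase and the higher counts are assumptions chosen for illustration.

```python
import hashlib
import math
import time

# Constructed sample inputs for illustration; not taken from the audit report.
PASSPHRASE = b"correct horse battery staple"
SALT = bytes(range(64))  # fixed 64-byte salt so the output is reproducible


def derive_header_key(passphrase, salt, iterations, dklen=64, prf="sha512"):
    """Derive a key with PBKDF2-HMAC (standard-library implementation)."""
    return hashlib.pbkdf2_hmac(prf, passphrase, salt, iterations, dklen)


def seconds_per_guess(iterations, samples=3):
    """Best-of-N wall-clock time for one derivation, i.e. one passphrase guess."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_header_key(PASSPHRASE, SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def added_work_bits(iterations, baseline=1000):
    """Key-stretching gain over the baseline count, in bits of attacker work."""
    return math.log2(iterations / baseline)


def compare(counts=(1000, 2000, 100_000, 500_000)):
    """Return (iterations, seconds per guess, guesses per second, added bits)."""
    rows = []
    for n in counts:
        t = seconds_per_guess(n)
        rows.append((n, t, 1.0 / t, added_work_bits(n)))
    return rows


if __name__ == "__main__":
    print(f"{'iterations':>10} {'s/guess':>10} {'guesses/s':>10} {'+bits':>6}")
    for n, t, rate, bits in compare():
        print(f"{n:>10} {t:>10.5f} {rate:>10.1f} {bits:>6.2f}")
```

The cost per guess scales linearly with the iteration count, so going from 1000 to 2000 adds only one bit of work; the timing columns describe the machine the script runs on, not an attacker's hardware.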
 
Good news after all the craziness recently. Let's hope it continues or they patch it soon. It seems like it's been a while since the last version came out.
 
I've always been a bit leery of using TrueCrypt, but perhaps after this, if any newer versions are spawned based on this report, I will try it.
 
Personally, I have a Mac now so I use FileVault. In a work environment we used SEE for a while, but it was kind of terrible. Stopped using that and moved to just using the locally installed HP Secure Tools that came with the laptops we were getting. We didn't have many laptops, and have even fewer now, so something free, included, or cheap was always good. I looked at TrueCrypt but being open source could never REALLY pull the trigger where it came to my job.
 
If you were wary of it before the code audit, I don't think there's much reason for the audit to change your mind. Don't get me wrong, I think the audit is a great idea and I'm impressed with how many people put up money to sponsor it. But, just because the code is being reviewed doesn't mean that they definitely will find all of the vulnerabilities or potential backdoors.
 
If you were wary of it before the code audit, I don't think there's much reason for the audit to change your mind. Don't get me wrong, I think the audit is a great idea and I'm impressed with how many people put up money to sponsor it. But, just because the code is being reviewed doesn't mean that they definitely will find all of the vulnerabilities or potential backdoors.
It's no guarantee, but it's more than we will ever get on Bitlocker, for example.

I don't distrust Truecrypt any more than I do Bitlocker or SecureStar or any other proprietary solution. I don't distrust Truecrypt any more than any other open source solution. I would take dm-crypt over Truecrypt and any other proprietary solution, but it's only available on Linux systems.

Backdoors are what we don't want to see at the end of the audit. Vulnerabilities and human error are in the code, I can almost guarantee that. No developer would ever say they have 100% perfect code, it just doesn't exist.

The results at the end of the audit will be interesting.
 
It's no guarantee, but it's more than we will ever get on Bitlocker, for example.

I don't distrust Truecrypt any more than I do Bitlocker or SecureStar or any other proprietary solution. I don't distrust Truecrypt any more than any other open source solution. I would take dm-crypt over Truecrypt and any other proprietary solution, but it's only available on Linux systems.

Backdoors are what we don't want to see at the end of the audit. Vulnerabilities and human error are in the code, I can almost guarantee that. No developer would ever say they have 100% perfect code, it just doesn't exist.

The results at the end of the audit will be interesting.

I absolutely agree that some audit is better than no audit. But the "fear" leading up to TrueCrypt being audited was that the NSA may have sabotaged the code to include a backdoor. If the NSA (or anyone else for that matter) did intentionally put in a backdoor, do you honestly think that it would be an obvious backdoor in the code that would be found during an audit? It would more likely be code that looks pretty damn good but has a vulnerability that very few people would spot.
 
I absolutely agree that some audit is better than no audit. But the "fear" leading up to TrueCrypt being audited was that the NSA may have sabotaged the code to include a backdoor. If the NSA (or anyone else for that matter) did intentionally put in a backdoor, do you honestly think that it would be an obvious backdoor in the code that would be found during an audit? It would more likely be code that looks pretty damn good but has a vulnerability that very few people would spot.
I think the problem lies in the definition of a backdoor and a vulnerability. I look at a backdoor as something that gives an attacker a very large advantage. Maybe reducing key complexity in an output from 128 bits to 64, I would look at that as a backdoor.

I look at a vulnerability as something that would give an attacker an edge, but nothing more. Maybe something like that mentioned in the phase 1 report of using too few PBKDF2 rounds. Enough of them could = a backdoor, but it would also denote a pattern.

If the Audit finds vulnerabilities (which it already has), but no "Backdoor" does that mean that the NSA were really good or does that mean that there simply weren't any backdoors in the first place?

People might then start wondering if the people doing the audit were on the NSA payroll - How deep does the rabbit hole go? People drive themselves nuts with fear and the NSA has done a really good job of nurturing that fear in recent times.
 
You said:
"...To date, we have found no 0-Day critical vulnerabilities or "backdoors" (intentional or otherwise) in the code...."

Yeah but zero-day only means we the people and our antivirus applications don't yet know the malware is present, during the time that it is present and is violently raping and wrecking our computers, until our antivirus programs get updated to block that. (I use Kaspersky Internet Security)

So "we have found no 0-day vulnerabilities" fails to make us feel all warm & fuzzy. Just means “it may infect you but we don’t know about it yet.”



I’d rather see, “We brought EVERYBODY worldwide to an awakening to the mutual benefit all share in a safe internet free of evil viruses, worms, Trojans, evil cookies, spambots, etc.

The blue meanies can easily see in clear, and they keep a log forever, of all your tor web hits. Every single tumble url you viewed and when and how long is FOREVER logged by YOUR NAME. You knew that, Silly!
 
Let's hope that TC is updated and allows the use of a UEFI BIOS. TC hasn't been updated in years and their forums never say when it will be updated. All I know is UEFI is supposed to be next, but in the meantime for UEFI BIOSes you will need to switch to legacy mode or equivalent to use TC. Another thing they need to fix is that TRIM function on using a second SSD with full disk encryption. I have two disks, but thankfully the second HDD is a platter.
 
You said:
"...To date, we have found no 0-Day critical vulnerabilities or "backdoors" (intentional or otherwise) in the code...."

Yeah but zero-day only means we the people and our antivirus applications don't yet know the malware is present, during the time that it is present and is violently raping and wrecking our computers, until our antivirus programs get updated to block that. (I use Kaspersky Internet Security)

So "we have found no 0-day vulnerabilities" fails to make us feel all warm & fuzzy. Just means “it may infect you but we don’t know about it yet.”



I’d rather see, “We brought EVERYBODY worldwide to an awakening to the mutual benefit all share in a safe internet free of evil viruses, worms, Trojans, evil cookies, spambots, etc.

The blue meanies can easily see in clear, and they keep a log forever, of all your tor web hits. Every single tumble url you viewed and when and how long is FOREVER logged by YOUR NAME. You knew that, Silly!
That is a terrible way to interpret the results.

Any 0-Day in Truecrypt is not going to be a malicious exploit/trojan, but a failure somewhere that will allow someone to break the encryption. The audit isn't expecting to find malware, but chinks in the armour of the encryption software.
 
That is a terrible way to interpret the results.

Any 0-Day in Truecrypt is not going to be a malicious exploit/trojan, but a failure somewhere that will allow someone to break the encryption. The audit isn't expecting to find malware, but chinks in the armour of the encryption software.

/agree
 