Slashdot Mirror

← Back to Stories (view on slashdot.org)

How I Compiled TrueCrypt For Windows and Matched the Official Binaries

Posted by timothy on from the all-the-lurid-details dept.

First time accepted submitter xavier2dc writes "TrueCrypt is a popular software enabling data protection by means of encryption for all categories of users. It is getting even more attention lately following the revelations of the NSA as the authors remain anonymous and no thorough security audit have yet been conducted to prove it is not backdoored in any way. This has led several concerns raised in different places, such as this blog post, this one, this security analysis [PDF], also related on that blog post from which IsTrueCryptAuditedYet? was born. One of the recurring questions is: What if the binaries provided on the website were different than the source code and they included hidden features? To address this issue, I built the software from the official sources in a careful way and was able to match the official binaries. According to my findings, all three recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources."

5 of 250 comments (clear)

  1. Little Let Down by Anrego · · Score: 5, Interesting

    I was kinda hoping he'd built some elaborate timing setup to somehow match the exact timestamps and compile speed as the official binaries were built with.

    This is still a great analysis though, and the detail provided is a fun read and useful insight into the general mindset and method of how this kind of analysis is done.

  2. Re:But can you trust xavier2dc? by javajawa · · Score: 5, Interesting

    Then follow the same steps and compile it yourself. You should come to the same results.

    --

    Meh

  3. Re:Can you trust the compiler? by surmak · · Score: 4, Interesting

    The compiler (and support stack) is a MS compiler, and MS is already owned by "the man", so as Kernighan demonstrated you still can't trust it.

    The disassembler he used is not. So it is (at least theoretically) possible to see if there is a back door. The compiler has a very low-level view of what it is doing. In order to add a back door, it would need to recognize when it is compiling TC. This could be a much more difficult technical problem than what Kernighan did to login, and, if discovered, would be devastating to MS from a PR standpoint.

  4. Did same, found same by Anonymous Coward · · Score: 5, Interesting

    I did the exact same thing as in TFA a few days earlier and ended up finding the exact same variations and causes for those variations.
    My conclusion was also identical, binaries are indeed coming from the provided sources and can be trusted if no further backdoor is found in the sources themselves.

    A cryptographic and coding oriented audit is still much required.

  5. Compiler can not be trusted by kbg · · Score: 5, Interesting

    There is one problem with his findings. In order to compile TrueCrypt you have to use Microsoft Visual C++ compiler, which is made by Microsoft from a closed source. If I was the NSA I would but the backdoor in the compiler and it would get injected into the binary whenever TrueCrypt was compiled.