Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Phase of TrueCrypt Audit Turns Up No Backdoors

Posted by Unknown on from the only-slightly-insecure dept.

msm1267 (2804139) writes "A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released today (PDF) by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly."

4 of 171 comments (clear)

  1. Wow by cold+fjord · · Score: 3, Informative

    Wow, a code audit. What a great idea for a FOSS project.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  2. Re:memset() is bad? by Anonymous Coward · · Score: 4, Informative

    http://www.viva64.com/en/b/017...

  3. Re:memset() is bad? by canajin56 · · Score: 5, Informative

    As a special case, MSVC++ removes memset(array,value,sizeof(array)) if array isn't read again before the end of its scope.

    For example

    void Foo()
    {
    char password[MAX_PASSWORD_LEN];
    InputPassword(password);
    ProcessPassword(password);
    memset(password, 0, sizeof(password));
    }

    The MS compiler will delete the memset. In Windows you should use RtlSecureZeroMemory to zero out memory you want to keep secure.

    --
    ASCII stupid question, get a stupid ANSI
  4. Re:Bootloader & Windows Driver by epyT-R · · Score: 3, Informative

    The crypto is implemented in the driver, as well as the bootloader. The application known as truecrypt just flips their configuration bits around, loads keys into ram, and tells the driver when to mount/dismount containers etc. The bootloader needs to know enough to mount the system partition and hook into BIOS so that the regular OS bootloader can take over using it's normal calls. Once it loads the kernel and related drivers, truecrypt.sys takes over handling container IO.

      The separate formatting utility probably contains some too since it's used to create containers..