Slashdot Mirror


First Phase of TrueCrypt Audit Turns Up No Backdoors

msm1267 (2804139) writes "A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released today (PDF) by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly."

5 of 171 comments (clear)

  1. Bootloader & Windows Driver by Anonymous Coward · · Score: 4, Insightful

    The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver. Not really surprising that they didn't find any critical security issues in those parts. The high value bugs should be in the crypto parts and how they are implemented.

  2. Re:also by Shakrai · · Score: 5, Insightful

    Since Snowden's revelation about the NSA's clandestine $10 million contract with RSA,

    If you're on NSA's radar you've got bigger problems than TrueCrypt's trustworthiness or lack thereof. The NSA doesn't have to have a back door into AES (or the other algorithms) when they have an arsenal of zero day exploits, side channel attacks, social engineering, and TEMPEST techniques at their disposal. The average user should be far more concerned about these attack vectors (from any source, not just NSA) than the security of the underlying encryption algorithm.

    The Diceware FAQ sums up the problem rather succinctly: "Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day."

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  3. Re:Technically if an NSA backdoor existed by vux984 · · Score: 5, Insightful

    Technically, if an NSA backdoor existed in the codebase, you would be prevented from reporting it by an NSA letter, subject to immeadiate imprisonment and confiscation.

    Two responses.

    First, I suspect if they were confronted with an NSL they could go the lavabit route and simply suspend the audit project with no explanation. IANAL but I don't think the NSA can compel them to falsify the audit results.

    Second, if they are smart, they can have it audited multi-nationally with independent auditors to make it harder for any government gag orders to stick.

  4. Re:Technically if an NSA backdoor existed by vux984 · · Score: 4, Insightful

    Do they have standing NSLs with all the media organizations out there?

    I think there'd be less Snowden leak coverage if there were. :)

    You could go outside the country, but those newspapers are government by their own countries version of the NSA who's working in close relationship with ours

    Like China & Russia? Governements want their own security as much as their own intelligence agencies want to break it... there's too many pieces moving in opposite directions for there to be a credible global coverup of a transparent audit of open source software.

  5. Re:A triumph for FOSS by jones_supa · · Score: 4, Insightful

    No. This is why thorough code audits are important.