Slashdot Mirror


TrueCrypt Audit: No NSA Backdoors

Mark Wilson writes: A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group (PDF) for the Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised. However, the software was found to contain a few other security vulnerabilities, including one relating to the use of the Windows API to generate random numbers for master encryption key material. Despite this, TrueCrypt was given a relatively clean bill of health with none of the detected vulnerabilities considered severe enough to lead "to a complete bypass of confidentiality in common usage scenarios."

29 of 142 comments

  1. Quis custodiet ipsos custodes? by Anonymous Coward · · Score: 2, Funny

    Now we just need an audit of the auditors to make sure they weren't compromised and we can safely use TrueCrypt again.

    1. Re:Quis custodiet ipsos custodes? by OzPeter · · Score: 5, Funny

      We need to audit the auditors of the auditors as well.

      So it's auditors all the way down?

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Quis custodiet ipsos custodes? by BreakBad · · Score: 2

      That auditor loop would need to be audited. I see the strategy now, it's job creation.

    3. Re:Quis custodiet ipsos custodes? by Opportunist · · Score: 4, Funny

      Yet look how different they turned out to be. One became an upstanding, honest person who has never ever done anything but serving his country, and the other one went into politics.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Quis custodiet ipsos custodes? by Bob the Super Hamste · · Score: 4, Funny
      --
      Time to offend someone
  2. Tin foil hat time by OzPeter · · Score: 3, Insightful

    Wasn't the NSA accused of suggesting/modifying various encryption standards in order to weaken them? In which case they don't need back doors into the software as they can already unlock the data.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Tin foil hat time by Anonymous Coward · · Score: 2, Insightful

      Why don't you go inform yourself as to which encryption standards those were and then come back and actually contribute to the discussion, instead of mindlessly speculating?

      You don't want mindless speculation, yet you're reading Slashdot comments?

    2. Re:Tin foil hat time by mrchaotica · · Score: 3, Informative

      TrueCrypt lets you pick which encryption algorithm (and key generation mechanism, IIRC) that you want to use. So just pick one that the NSA didn't compromise!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:Tin foil hat time by plover · · Score: 3, Insightful

      Yes, the NSA has been accused of colluding with RSA to promote the Dual_EC_DRBG random number generator as a standard, despite claims that it contained a backdoor. https://en.wikipedia.org/wiki/... . The NSA has also been accused of interfering with standards that would enable ubiquitous effective encryption for popular communications tools, such as phones and email, resulting in the current hodgepodge of patchwork. Sure, you may use TLS to send and retrieve your email to and from your ISP, but the data is unencrypted in their servers, and is vulnerable to interception there. Your cell calls may be encrypted, but Chris Paget demonstrated at DEFCON how easy that is to defeat, using his almost legal homemade version of a Harris Stingray. And the encryption algorithms used by cell phones only protect the data flying over the airwaves, not on the cellular wired infrastructure which is already required to be vulnerable by CALEA.

      However, the existence of one backdoor in one algorithm does not prove or disprove the existence of backdoors in other algorithms. Most exploitable weaknesses we do know about come from either protocol flaws or implementation errors, and these auditors found evidence of neither.

      --
      John
    4. Re:Tin foil hat time by Totenglocke · · Score: 2

      You can also use keyfiles too.

      --
      "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants." ~Thomas Jefferson
    5. Re:Tin foil hat time by Andy Dodd · · Score: 5, Interesting

      The only case I know of where an algorithm was actually backdoored was one of the random number generation schemes... The algorithm in question happens to be (IIRC) quite fast.

      In other cases (DES I think??? I could be wrong.) the NSA recommended some oddball changes. No one could find a negative consequence of them so they went in - a decade or so later, it turns out that the original implementation of DES DID have a cryptographic flaw and the NSA recommendations fixed that.

      Keep in mind there are two parts of the NSA, ones which have in many ways highly conflicting goals:
      1) One part is tasked with compromising the information infrastructure of our enemies - these are the ones who keep on making the news these days
      2) Another part is tasked with protecting our critical information infrastructure, especially with protecting data sensitive to national security. These are the people who do Type I crypto certification, worked on creating SELinux, etc. These rarely make the news but in general, from our perspective these are the good guys. You can tell that AES-256 is NOT backdoored by the NSA since they allow it to be used to protect classified information (NSA Suite B - you can assume anything in Suite B is solid since the NSA is using it themselves.)

      --
      retrorocket.o not found, launch anyway?
    6. Re:Tin foil hat time by Lord Crc · · Score: 4, Informative

      There's talk that they influenced the decision of some recommended constants for Elliptic Curve Cryptography.

      You'll want to use constants that ensure the cryptographic strength of the algorithm, so picking them is non-trivial and hence a recommended set was published. This is the same for most algorithms. AES has constants and they are part of what makes the algorithm AES and not some other variant.

      Anyway, here's what Bruce Schneier said about ECC:

      I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.

      https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

      And here's a nice background on ECC:
      https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

    7. Re:Tin foil hat time by meta-monkey · · Score: 3

      don't be an armchair cryptographer.

      Why not? I'm really good at it. You will NEVER decrypt my armchair.

      --
      We don't have a state-run media we have a media-run state.
    8. Re:Tin foil hat time by chihowa · · Score: 3, Informative

      The only case I know of where an algorithm was actually backdoored was one of the random number generation schemes... The algorithm in question happens to be (IIRC) quite fast.

      The random number generator, Dual_EC_DRBG is actually very very slow. If it wasn't pushed so hard, nobody would willingly use it.

      In other cases (DES I think??? I could be wrong.) the NSA recommended some oddball changes. No one could find a negative consequence of them so they went in - a decade or so later, it turns out that the original implementation of DES DID have a cryptographic flaw and the NSA recommendations fixed that.

      In addition to fixing the S-boxes as you described, they also recommended reducing the key size, which made the algorithm weaker and shorter lived.

      Dual_EC_DRBG was required for FIPS 140-2 certification, which is required for software that is used to protect sensitive-but-unclassified information by the US government. So there is some conflict between the two goals above.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    9. Re:Tin foil hat time by swillden · · Score: 3, Informative

      In other cases (DES I think??? I could be wrong.) the NSA recommended some oddball changes. No one could find a negative consequence of them so they went in - a decade or so later, it turns out that the original implementation of DES DID have a cryptographic flaw and the NSA recommendations fixed that.

      Specifically, the S boxes (essentially some translation tables used in the algorithm) in the original design were vulnerable to linear cryptanalysis, which is a cryptanalytic technique that involves constructing systems of linear equations representing the transformations in key portions of the algorithm, then applying mathematical analysis to deduce key and/or plaintext bits. Linear cryptanalysis was unknown in the academic world at the time, but it was apparently known to the NSA. The NSA's changes made DES resistant to linear cryptanalysis.

      However, the NSA also reduced the key size and block size from 128 bits to 56 and 64 bits, respectively. This likely made DES vulnerable to brute force attacks by particularly well-funded attackers (e.g., the NSA). Use of multiple DES operations in sequence overcomes this issue and Triple DES today is still considered to be quite strong. So, all in all, the NSA improved DES security. This isn't surprising because it was a core part of their mission; a mission that appears to have been deprecated in the post 9/11 world, but was still very important to the NSA in the 70s.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
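
To make the "linear equations" in the comment above concrete, here is an added example (not part of the thread or of any poster's code) that tabulates how often each linear relation between input and output bits of a small S-box holds. The S-box is the first row of DES S1, used as a teaching sample, and the function names are this example's own.

```python
# Added illustration: linear approximation table (LAT) of a 4-bit S-box.
# SBOX is the first row of DES S-box S1, used here as a small teaching
# sample; it is not the full 6-bit-to-4-bit DES S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
IDENTITY = list(range(16))  # a perfectly linear "S-box" for comparison


def parity(v):
    """Return the XOR of all bits of v (0 or 1)."""
    return bin(v).count("1") & 1


def lat(sbox):
    """LAT[a][b] = (#x where parity(a&x) == parity(b&S(x))) - n/2.

    0 means the linear equation selected by masks (a, b) holds exactly
    half the time (no information); +/- n/2 means it always/never holds.
    """
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            hits = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            table[a][b] = hits - n // 2
    return table


def strongest(sbox):
    """Return (|bias count|, input mask, output mask) of the most biased
    non-trivial approximation; mask pair (0, 0) is excluded."""
    t = lat(sbox)
    n = len(sbox)
    return max((abs(t[a][b]), a, b)
               for a in range(n) for b in range(n) if (a, b) != (0, 0))


if __name__ == "__main__":
    for name, box in (("sample S-box", SBOX), ("identity", IDENTITY)):
        mag, a, b = strongest(box)
        print(f"{name}: |bias| {mag}/16 at in-mask {a:04b}, out-mask {b:04b}")
```

The further an entry is from zero, the fewer known plaintext/ciphertext pairs an analyst needs to exploit that relation, which is why S-box designers aim to keep every non-trivial entry small.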
    10. Re:Tin foil hat time by Opportunist · · Score: 2

      'scuse me, but this here is mindless speculation. If you want serious discussion, take your time machine and set it for 1999.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:Tin foil hat time by Opportunist · · Score: 3, Interesting

      In theory, yes. I just think selling SELinux could be a bit hard. You see what's going on here with things where the NSA might have, allegedly, maybe, could have, possibly, considered influencing the potential eventual implementation of what could have become part of something they could use.

      In SELinux there is no doubt about the NSA's involvement. It was one of the effin' selling points of the system.

      Now, the whole deal looks good on paper (provided you find a Linux Guru willing and able to administer that monstrosity). But that nagging feeling remains: Do you want to trust a foreign intelligence service that has not allegedly, maybe, possibly spied with impunity on everyone and anyone domestic and abroad just as they feel like, but who has done that with proven certainty?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Quote at bottom of my browser window by OzPeter · · Score: 3, Funny

    Is this a deliberate choice of quote, or just randomly apropos?

    You can fool all the people all of the time if the advertising is right and the budget is big enough. -- Joseph E. Levine

    --
    I am Slashdot. Are you Slashdot as well?
  4. Very gratifying to see by sasparillascott · · Score: 4, Informative

    This was very reassuring to see and I'm very glad the audit was finished finally. The 2nd to the last version (v7.1a) is the gold standard for multi-platform encryption where you can be reasonably sure the NSA/FBI doesn't have a back door (or access to the keys) like they would with BitLocker etc.

  5. Re: That's what they WANT you to believe! by Anonymous Coward · · Score: 5, Informative

    Look everyone, an NSA shill.

  6. What if the backdoor is well hidden? by buck-yar · · Score: 4, Interesting

    The shellshock bug went on for a long time with many eyes on the code. How do we know the auditors weren't outmatched and just missed the backdoor?

    1. Re:What if the backdoor is well hidden? by squiggleslash · · Score: 4, Insightful

      Who knows? On the other hand, the many eyes argument with ShellShock is dubious: most people who would have recognized it didn't realize the implications as they weren't looking at it from a security standpoint, and few people actually likely touched or had reason to view that part of the code.

      This story, on the other hand, is about an actual security audit. In theory, it is more comprehensive, the researchers were looking for bugs, had a security background and agenda, and so would likely have picked up on ShellShock had it been Bash they were auditing rather than TrueCrypt.

      I'm not suggesting there's no chance they've missed anything, but I am saying the process is considerably more thorough and less likely to make a mistake. Bear in mind TrueCrypt has had "many eyes" for a decade or so too. And "many eyes" did, eventually, pick up on ShellShock, it just took longer than anyone would hope.

      --
      You are not alone. This is not normal. None of this is normal.
  7. Their audit doesn't matter... by frank_adrian314159 · · Score: 3, Interesting

    If this hadn't been done ten years before he talked about, it's been done by now. They have everything they want. Live accordingly.

    --
    That is all.
    1. Re:Their audit doesn't matter... by swillden · · Score: 2

      If this hadn't been done ten years before he talked about, it's been done by now. They have everything they want. Live accordingly.

      Fortunately, we know how to counter that threat.

      It also seems pretty unlikely that the NSA had enough foresight to get VC++ instrumented to subvert TrueCrypt. It's not impossible, but there have been a lot of similar tools over the years, and I don't think the compilers could have been modified to subvert all of them.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. obvious logic by slashmydots · · Score: 3, Insightful

    Everyone kept saying they would find a backdoor. Don't you think that logically the NSA shut down the project because they couldn't find a backdoor in it? They would have left it alone if it had an NSA backdoor in it.

  9. Re:That's what they WANT you to believe! by Anonymous Coward · · Score: 5, Funny

    It enlarges your penis, citizen.

    You should compile with that flag every time for best results. Tell your friends.

  10. Re:WARNING: TrueCrypt propaganda. by lgw · · Score: 2

    "time-boxed nature of the engagement prevented auditors from reviewing the source code in its entirety, the most relevant areas were investigated thoroughly."

    Was the actual quote. Those spring FUD are NSA shills. There were two specific areas they highlighted for more auditing: checking that memory was always securely wiped, and checking oddball disk sector sizes. I'd be surprised if the former were an issue, but they have a point. The latter is exactly the sort of place where bugs lurk, in my experience.

    The most important thing they didn't audit, IMO, is the "hidden volumes" feature of TrueCrypt. I'm a bit skeptical of that myself, as steganography is in general a harder problem than cryptography. Hopefully another trusted group will continue the auditing effort via crowd funding.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  11. Re:Of course, if there -was- an NSA backdoor by beernutmark · · Score: 2

    In that case they would simply say "We have finished our audit." and leave it at that. The implications would be clear.

  12. Re:That's what they WANT you to believe! by Anonymous Coward · · Score: 2, Informative

    You do realize that TrueCrypt is out of development and the shop's been shuttered, yes?

    Wrong. It's been forked:
    https://truecrypt.ch/
    https://ciphershed.org/

    And well before that it was reverse engineered:
    https://github.com/bwalex/tc-play