Is there anyone who has actually examined TrueCrypt's code?

Discussion in 'privacy technology' started by Warlockz, May 1, 2009.

Thread Status:
Not open for further replies.
  1. Warlockz (Registered Member)

    Just wondering if anyone out there has even examined TrueCrypt 6.1a code? Everyone is always saying it has no secret implementations because it's open source, but can anyone really vouch for it with proof? Because I can't find any resource that does, and the people who make TrueCrypt get all shady and worked up about it when people talk about it, or so I've heard!

    The old thread on this is outdated, and I think many users would be interested in the updated facts if any exist!
  2. slangen (Guest)

    I registered just to answer your question. :D

    Before the current version the longest-running one was 4.3a, which was the last one without system encryption and had no signed certificate, so if you compiled the code you'd get a hash etc. match with what was available at the site, so you knew that if you examined that code and found it OK then it was OK.

    Any crypts created with that version could be used with another program, TCGina, and another whose name I've forgotten, which was made by a user on the TrueCrypt forums, again whose name I've forgotten. That guy was talented and had examined the code (for v4.3a) in pretty heavy detail (of course he had to come up with a custom-made program to open the crypts).

    PS. If Kookyman's reading he can fill in the details.

    That version, 4.3a, was trusted to have no backdoor and was pretty solid (except it used LRW instead of XTS, which is moot because LRW is fine for container encryption). At the time of 4.3a it was generally believed that TrueCrypt's OK.

    Then come the v5's. There was a paper presented which destroyed the plausible deniability (by way of Windows logging files) for v5.1a; it's available at Schneier's website. Now if there was a flaw in TrueCrypt's implementation wouldn't they have attacked it first? If there was some other flaw, they'd have attacked it too. So by inference (and a weak one at that.. :p ) I assumed v5.1a was OK.

    As for v6.1a.... ..

    On the other hand, NO-ONE is going to come out and say they've examined the code and it's OK (and why would you trust some 'shady' character on Wilders (or any other forum)). Heck, I wouldn't even trust (self-styled?) experts here.

    Why would anyone examine the code by giving up their time (and trust me, it'd take a lot of time), unless you paid them? So if someone's willing to pay then that's the way to go. This begs the question: if you can pay then why all this.. why not PGP?

    I've read some of your other posts; trust me, for the stuff we use TrueCrypt for it's the best solution. People do get hot about it, but because it's a tricky thing not knowing who the authors are. It's kinda ironic they are writing encryption software. And it doesn't help that their forums are pretty nutty to register on as well as to ask questions. Again, ask Kookyman who had a nice experience.... . :D

    I know it doesn't answer your question, but I seriously doubt it'll be answered at all.. satisfactorily. In the meantime, it's the best of the free stuff.

    cheers.
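The check the post above describes, compiling the source yourself and comparing the result with the hashes published on the site, is worth seeing as an actual procedure. The script below is an added example and is not code from the thread or from the TrueCrypt project; the function names, the sha256sum-style hash list format and all file contents are assumptions, and the "release" and "build" trees it compares are constructed sample data it creates itself. Two caveats a practitioner should keep in mind: a matching digest only ties the published binary to the published source when the build is reproducible (timestamps, compiler versions and link order routinely cause benign mismatches), and the hash list itself proves nothing unless it arrived through a channel the attacker cannot tamper with, such as a detached signature you verify with `gpg --verify`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the TrueCrypt project.
# Checks locally built files against a publisher's SHA-256 list, the way
# the post above describes comparing a self-compiled binary with the hashes
# on the download site. All filenames, contents and digests below are
# constructed sample data produced by this script itself.

# digest FILE: print the hex SHA-256 of FILE (sha256sum on Linux, shasum on BSD/macOS).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_hashes HASHFILE DIR
#   HASHFILE lines look like sha256sum output: "<hex digest>  <filename>".
#   Returns 0 only when every listed file exists under DIR and matches;
#   a missing file or a differing digest is reported and makes it return 1.
#   (Filenames containing spaces are not handled, to keep the parser simple.)
verify_hashes() {
    hashfile=$1
    dir=$2
    status=0
    while read -r expected name; do
        # skip blank and comment lines in the hash list
        [ -z "$expected" ] && continue
        case "$expected" in '#'*) continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual=$(digest "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"
            status=1
        fi
    done < "$hashfile"
    return $status
}

# demo_verification: build a constructed "release" and "build" tree, confirm
# an untouched build verifies, then confirm a single appended byte is caught.
# Returns 0 if both checks behave as expected, 1 otherwise.
demo_verification() {
    work=$(mktemp -d) || return 1
    mkdir "$work/release" "$work/build"
    printf 'constructed sample binary\n' > "$work/release/truecrypt.bin"
    printf 'constructed sample driver\n' > "$work/release/truecrypt.sys"
    cp "$work/release/"* "$work/build/"

    # the publisher's hash list, generated from the "release" tree
    ( cd "$work/release" && for f in *; do echo "$(digest "$f")  $f"; done ) \
        > "$work/SHA256SUMS"

    result=1
    if verify_hashes "$work/SHA256SUMS" "$work/build"; then
        # tamper with one file: a single extra byte must flip the verdict
        printf 'x' >> "$work/build/truecrypt.bin"
        if ! verify_hashes "$work/SHA256SUMS" "$work/build"; then
            result=0
        fi
    fi
    rm -rf "$work"
    return $result
}

demo_verification && echo "verification logic behaves as expected"
```

In real use you would point `verify_hashes` at the hash list downloaded from the project site and at the directory containing your own build output; an exit status of 1 on a file you compiled yourself is the signal to investigate, starting with whether the build is reproducible at all before suspecting the published binary.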
  3. slangen (Guest)

    Oops, another thing. People who have firewalls (outbound) have reported no requests from TrueCrypt in the last 2-3 years they've used it.

    As of now, I haven't seen TrueCrypt connect to the net either...

    That doesn't mean much, but .. :cautious:
  4. kareldjag (Registered Member)

    Hello,

    Like most open source software, TrueCrypt's source code is available and can be audited by anyone who has the necessary time and know-how.
    If TrueCrypt is backdoored, then the question is the same for any proprietary software, from Windows to your antivirus.

    TrueCrypt has been certified (CSPN) by the French government.
    It is used in many administrations all around the world.
    Here's the certification report (to avoid complaints about PDF-linked papers, I've changed the extension .pdf to .pda):
    http://esec.fr.sogeti.com/FR/documents/presse/tc_dcssi.pda

    I give here a quick English translation of the part related to the source code:

    "2.3.3.2 Review of the source code

    The full source code is available on the TrueCrypt web site.
    The tester considered that it is well structured, well thought out, and that the portability requirement
    has been taken into consideration, which shows good rigor from the developers (expert judgement).
    The most obscure parts of the source code also seem to be the oldest, and those which concern the user interface.
    For the needs of the assessment, the tester recompiled and in some cases modified the software.
    The code compilation was done without particular difficulties."

    There is a note related to the updated 6.1a version here (use Google Translate):
    http://esec.fr.sogeti.com/blog/index.php?2008/12/05/44-cspn-truecrypt

    Rgds