TrueCrypt Audit Is 'Go' -- And Supported by TC Developers

Discussion in 'privacy technology' started by S.B., Nov 7, 2013.

Thread Status:
Not open for further replies.
  1. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    As reported by The Register, Crowdfunded audit of 'NSA-proof' encryption suite TrueCrypt is GO

    According to the article, "TrueCrypt's anonymous developers have been in touch with the researchers behind IsTrueCryptAuditedYet project to offer their support to the audit."

    The public comments are worth reading as they raise questions whether any auditors can be trusted, particularly in view of the TC anonymous developers' offer of cooperation. Shades of things to come for the audit to finally settle the question of TC's reliability?

    For the record, I personally trust TC. I found particular comfort in the statement in TC's documentation that if the user chooses hardware acceleration, "TrueCrypt does not use any of the AES-NI instructions that perform key generation.", since as it turned out NSA apparently had targeted key generation as a soft spot to weaken encryption.

    __
     
  2. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    Great news! Will wait for the report. When is it due?
     
  3. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    They haven't said and probably don't know at this point even when the review process will start as they presumably must evaluate potential reviewers via a bidding process or some other sort of evaluation process. How long from there is not yet known, at least from this publication. Then there's the question of whether the reviewer's identities will be public or secret - nothing has been said yet.

    Looking a little further ahead, the review is for TC 7.1a. But users have been clamoring for another update for some time now. So query how the review might impact release of a new update. Clearly, a review of 7.1a won't apply to any subsequent TC updates.

    __
     
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://arstechnica.com/security/201...s-no-evidence-of-backdoors-or-malicious-code/

    http://istruecryptauditedyet.com/
     
  6. JohnMatrix

    JohnMatrix Registered Member

    Joined:
    Apr 12, 2012
    Posts:
    48
    Location:
    Behind you
    That's some good news. Auditing encryption code is one of the hardest things to do so I'm glad someone finally does it.
     
  7. Dogfather

    Dogfather Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    15
    Location:
    United Kingdom
    The only item which I find to be of concern is page 24:-

    • Exploit Scenario: Unexpected operating system or hardware conditions, such as failing RAM or low-memory situations, cause the EncryptDataUnits() function to fail, resulting in unencrypted data being written to disk.

    If I am reading it correctly it suggests that full disk encryption can leak in low memory situations which could be a serious problem...

    The findings about inconsistent coding and revising don't surprise me because the team apparently write their code as a hobby. Certainly they DON'T APPEAR to be making profit from it.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Sloppy but secure: Open source TrueCrypt passes audit:
     
  9. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    Here's Bruce Schneier's analysis in it's entirety:

    "Recently, Matthew Green has been leading an independent project to audit TrueCrypt. Phase I, a source code audit by iSEC Partners, is complete. Next up is Phase II, formal cryptanalysis.

    Quick summary: I'm still using it."

    *****
    Another interesting article is found at Threatpost.com (http://threatpost.com/so-far-so-good-for-truecrypt-initial-audit-phase-turns-up-no-backdoors/105433) and provides a bit more detail on the 'bug' considered the most serious in the iSEC Partners audit --

    “TrueCrypt relies on the what’s known as a PBKDF2 function as a way to ‘stretch” a users’ password or master key, and there is concern that it could have been stronger than the 1,000 or 2,000 iterations it uses currently.”

    Of particular interest is Threatpost's citation of the TrueCrypt developer's response -- "The TrueCrypt developers’ position is that the current values are a reasonable tradeoff of protection vs. processing delay, and that if one uses a weak password, a high-count PBK2DF2 hash won’t offer much more than a false sense of security.”

    (
    Note that TC documentation specifically states,"We strongly recommend choosing a password consisting of more than 20 characters (the longer, the better). Short passwords are easy to crack using brute-force techniques.")
    In light of the TC developer's comment I find myself wondering whether the so-called PBKDF2 function 'bug' is anything more than a criticism that TC suffers from insufficient use of smoke and mirrors.

    __

     
    Last edited: Apr 15, 2014
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    this is good news , cant wait for phase II and the final conclusion of it all , something tells me this can only get better and about this

    seems reasonable not anything new really as long as you use a longer than 20 character passphrase itll take them quite a while to get anything from what ive heard , but dont ask me im just a average joe user

    here xD im just hoping for no backdoors and to have my data secure for the next 40 years then they can have at it when im in my grave , lols, thats all
     
Loading...
Thread Status:
Not open for further replies.