Open Crypto Audit Project has completed "Phase II" (PDF) of its audit of the TrueCrypt source code. The security audit of TrueCrypt, a freeware disk encryption utility, was crowdfunded in October 2013, before the TrueCrypt Foundation's mysterious shutdown on May 28, 2014. In his blog post describing the findings, Matthew Green says:
The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.
That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.
The most significant issue found involved TrueCrypt continuing to generate keys in a rare instance where the Windows Crypto API fails to initialize. This is not necessarily insecure because TrueCrypt "still collects entropy from sources such as system pointers and mouse movements."
In addition to the RNG issues, the NCC auditors also noted some concerns about the resilience of Truecrypt's AES code to cache timing attacks. This is probably not a concern unless you're [performing] encryption and decryption on a shared machine, or in an environment where the attacker can run code on your system (e.g., in a sandbox, or potentially in the browser). Still, this points the way to future hardening of any projects that use Truecrypt as a base.
One project that could benefit from the audit's findings is VeraCrypt, a freeware fork of TrueCrypt licensed under the Microsoft Public License and also subject to the TrueCrypt License, which uses a substantial amount of TrueCrypt code. Matthew Green has speculated that the intent of the TrueCrypt developers' licensing and shutdown decisions was to stir uncertainty over the project and force new disk encryption projects to start from scratch.
For additional analysis of the audit, see the articles by ArsTechnica's Dan Goodin, the Register and Threatpost.
Related Stories
The TrueCrypt website has been changed it now has a big red warning stating "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". They recommend using BitLocker for Windows 7/8, FileVault for OS X, or (whatever) for Linux. So, what happened? The TrueCrypt site says:
This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
Did the TrueCrypt devs (or SourceForge?) get a NSL? They are offering a "new" version (7.2), but apparently the signing key has changed and a source code diff seems to indicate a lot of the functionality has been stripped out. What's up?
VeraCrypt security audit reveals many flaws, some already patched [Zeljka Zorz/Helpnet Security]
VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.
The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.
The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.
"A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed," the Quarkslab researchers involved in the effort explained.
"Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software."
A short overview of the issues found (fixed and still not fixed) can be found here. The audit report, with mitigations for still unpatched vulnerabilities, can be downloaded from here.
Are any Soylentils using Veracrypt and/or other forks of Trucrypt?
The full audit report: TrueCrypt Cryptographic Review[PDF] [Alex Balducci, Sean Devlin, Tom Ritter/Open Crypto Audit Project]
Previously:
Independent Audit: Newly Found TrueCrypt Flaw Allows Full System Compromise
No Backdoors Found in TrueCrypt
TrueCrypt Site Encodes Warning about NSA Infiltration
TrueCrypt Discontinued, Compromised?
-- submitted from IRC
(Score: 2, Informative) by Anonymous Coward on Friday April 03 2015, @02:32PM
I've got original binaries from before the big stink with Truecrypt. The 7.1a's.
This site:
https://www.truecrypt71a.com/downloads [truecrypt71a.com]
Still has the originals too. I've verified the Windows and Linux 64 bit one's sha256 sums. They match what I have.
Source: Some random anon coward...I know. But there you go.
(Score: 5, Informative) by wantkitteh on Friday April 03 2015, @02:43PM
Gibson Research Corporation (aka: Steve) also has a mirror [grc.com]. Defuse have Hashes [defuse.ca] as well. Verification with other parties is, of course, recommended.
(Score: 4, Informative) by DrMag on Friday April 03 2015, @02:47PM
Any reason for not also acknowledging CipherShed [ciphershed.org] as well?
(Score: 4, Funny) by takyon on Friday April 03 2015, @03:37PM
I was going to let you do it.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Saturday April 04 2015, @02:40AM
Pick a saner license scheme, and I may reconsider my support.
Until then, don't let the door hit you...
(Score: 5, Informative) by fadrian on Friday April 03 2015, @02:48PM
If this [bell-labs.com] hadn't been done ten years before he talked about it, it was done the next week before anyone could think of an actual check. Have you disassembled your code lately?
That is all.
(Score: 5, Interesting) by hemocyanin on Friday April 03 2015, @03:29PM
Add to this NSA's poisoned Xcode. https://www.schneier.com/blog/archives/2015/03/how_the_cia_mig.html [schneier.com]
(Score: 1) by SubiculumHammer on Friday April 03 2015, @11:05PM
Interesting
(Score: 2) by Balderdash on Friday April 03 2015, @03:52PM
ROT13 everything twice just to be safe.
I browse at -1. Free and open discourse requires consideration and review of all attempts at participation.
(Score: 2) by takyon on Friday April 03 2015, @04:47PM
You need to use ROT-13 a minimum of 8192 times to be secure.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Funny) by Anonymous Coward on Friday April 03 2015, @05:48PM
But with each successive generation the bits slowly rot. You need to use oxygen free wires to get anywhere near 8192 and not be able to hear the clarity of the data still. The warmth of the bits is just as important here.
(Score: 1) by OffTheWallSoccer on Saturday April 04 2015, @04:40PM
Duh. That's why we use premium Monster cables.
(Score: 3, Funny) by doublerot13 on Friday April 03 2015, @11:21PM
This...
(Score: 3, Interesting) by FatPhil on Friday April 03 2015, @10:45PM
I wonder what could cause the Crypto API to fail to initialise?
If it's something untoward, something malicious, could it also not subvert the Windows Crypto API after it's been initialised?
Which leads me to the question - how well does TrueCrypt behave if the Windows Crypto API *has* been subverted?
It's paranoia all the way down...
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Saturday April 04 2015, @12:57AM
I wonder what could cause the Crypto API to fail to initialise?
Space background radiation hitting your RAM at an inopportune time. No, I'm not kidding, it's astronomically unlikely but RAM bits can rarely get flipped like that.
More likely potential points of failure include messed up system libraries (usually by user incompetence or filesystem corruption), bugs in a future release of the library and broken third-party software.
(Score: 2) by takyon on Saturday April 04 2015, @01:04AM
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by FatPhil on Sunday April 05 2015, @09:43AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by kaszz on Saturday April 04 2015, @02:09AM
Now we just need an audit of the crypto algorithms them selves. And of course implementation specific kernel bugs.
(Score: 2) by edIII on Sunday April 05 2015, @04:53AM
-- Open Crypto Audit Project TrueCrypt
No Backdoors Found in TrueCrypt
It's a great start, but a full audit hasn't been performed yet. Something I think we need before we can clear TrueCrypt completely and be able to trust it again.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1) by Fauxlosopher on Sunday April 05 2015, @06:09PM
"Again"? What causes you to believe that anything has changed with TrueCrypt 7.1a to render it untrustworthy? The hashes and checksums from copies obtained years ago match those of the latest copies hosted by Gibson Research, et al. If someone trusted TrueCrypt before, there has been no new compelling evidence to suggest existing copies are somehow less trustworthy now.