SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    No Backdoors Found in TrueCrypt
Date    Friday April 03 2015, @01:07PM
Author    cmn32480
Topic   
from the and-the-people-rejoice! dept.
https://soylentnews.org/article.pl?sid=15/04/03/0245239

takyon, zorax, and an Anonymous Coward all write:

Open Crypto Audit Project has completed "Phase II" (PDF) of its audit of the TrueCrypt source code. The security audit of TrueCrypt, a freeware disk encryption utility, was crowdfunded in October 2013, before the TrueCrypt Foundation's mysterious shutdown on May 28, 2014. In his blog post describing the findings, Matthew Green says:

The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.

That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.

The most significant issue found involved TrueCrypt continuing to generate keys in a rare instance where the Windows Crypto API fails to initialize. This is not necessarily insecure because TrueCrypt "still collects entropy from sources such as system pointers and mouse movements."

In addition to the RNG issues, the NCC auditors also noted some concerns about the resilience of Truecrypt's AES code to cache timing attacks. This is probably not a concern unless you're [performing] encryption and decryption on a shared machine, or in an environment where the attacker can run code on your system (e.g., in a sandbox, or potentially in the browser). Still, this points the way to future hardening of any projects that use Truecrypt as a base.

One project that could benefit from the audit's findings is VeraCrypt, a freeware fork of TrueCrypt licensed under the Microsoft Public License and also subject to the TrueCrypt License, which uses a substantial amount of TrueCrypt code. Matthew Green has speculated that the intent of the TrueCrypt developers' licensing and shutdown decisions was to stir uncertainty over the project and force new disk encryption projects to start from scratch.

For additional analysis of the audit, see the articles by ArsTechnica's Dan Goodin, the Register and Threatpost.

Links
  1. "takyon" - https://soylentnews.org/~takyon/
  2. "zorax" - https://soylentnews.org/~zorax/
  3. ""Phase II"" - https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf
  4. "TrueCrypt" - https://en.wikipedia.org/wiki/TrueCrypt
  5. "mysterious shutdown on May 28, 2014" - http://soylentnews.org/article.pl?sid=14/05/29/0243223
  6. "blog post describing the findings" - http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
  7. "VeraCrypt" - https://en.wikipedia.org/wiki/VeraCrypt
  8. "ArsTechnica's Dan Goodin" - http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
  9. "the Register" - http://www.theregister.co.uk/2015/04/02/truecrypt_security_audit/
  10. "Threatpost" - https://threatpost.com/audit-concludes-no-backdoors-in-truecrypt/111994
© Copyright 2024 - SoylentNews, All Rights Reserved

printed from SoylentNews, No Backdoors Found in TrueCrypt on 2024-04-19 05:27:12