Security → New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks

»arstechnica.com/security ··· t-weeks/

I am surprised that it hasn't been audited! Also, no updates to the program since 2/7/2012's v7.1a.

A more interesting question is why hasn't Microsoft made bitlocker available in all layouts of Windows not just enterprise and ultimate of vista and 7 and pro and enterprise of 8. TrueCrypt is great but people would use the native solution that's already there if they could.

A year ago I would have said it was about upselling the more expensive layouts but now it's more tempting to ask who told them to. And you also don't know if you can even trust bitlocker or any other closed source offering not to be backdoored any more. Who can you trust...

Interesting. I never really gave it much thought. I pretty much trusted it from the get-go. I'd be interested in seeing the results of an audit.

»it.slashdot.org/story/13 ··· ruecrypt

I'd say go with the secure hardware type USB encrypted flash drives to hold only secure data on there instead. Never trusted truecrypt anyways. And never will.
I do not trust these guys.

If anyone has info about the audit results, please post it here ASAP.

From the TrueCrypt FAQ:

quote:

---

As TrueCrypt is open-source software, independent researchers can verify that the source code does not contain any security flaw or secret 'backdoor'. Can they also verify that the official executable files were built from the published source code and contain no additional code?

Yes, they can. In addition to reviewing the source code, independent researchers can compile the source code and compare the resulting executable files with the official ones. They may find some differences (for example, timestamps or embedded digital signatures) but they can analyze the differences and verify that they do not form malicious code.

---

So, from TrueCrypt's viewpoint, the audit should be able to settle the matter.

still a bit confused on this a bit though.
What seems to be the focuse on this?
Are truecrypt's HASH and Encryption schemes are too too weak to use or they are just focusing whether truecrypt's source code has a backdoor or not? Can someone clarify this?
They are using AES256 which is good enough, but do they think the AES256 what truecrypt uses might be a flaw or is too weak? Or, they just wanna proove that there is no backdoors?
Pls help me to understand this a bit.

But still, i do not trust these guys. I rather use my hardware based encrypted usb pen drive. Or use a commercial software.

Plus, these guys require you to sign up to their forum using your ISP's email. Nothing else. That to me is spooky enough.
They do not update their product, still at v7.1a

The purpose of the audit would be to discover vulnerabilities in the program, if any. They could be intentional or unintentional, it doesn't matter. But this is open source software that anyone can review the source code of at any time. So it would be extremely reckless if the authors deliberately placed an explicit backdoor in the code.

Maybe so. Maybe it is best to not trust anybody. But it is better to trust someone who posts their code, then someone who doesn't.

Once the code is posted, and nobody found a fault, then it would be a matter of finding someone trustworthy to compile and link the code.

I think that is the place where the audit is at. I'd like to see competing compilers'ers and linkers'rers of the code out there.

Is the hardware based encryption code out there, so that everyone can see there is no back door. I hear that the back door password to the hardware encryption devices is "NSA123".

The Truecrypt team is even anonymous. Do not know who these people really are.

Because they do not work for govt's and do not want to.

But you, contrary to "trusted" closed sources, can check open sourced code or hire trusted experts to do that.

Simple and fool proof logic.

Several points/questions in random order...
- This illustrates a concern I've had about open source software. They claim anyone can just dive right into the source code, start poking 'round and figger it all out. So yes it is possible to audit the code in theory, but if in actual practice the code is so complicated that takes $25K to verify even with donated resources, how often is this done? How does one know if a program has been vetted in this manner - has KeePass been audited?
- True Crypt version 7.0a has been audited, which contradicts the claim made in this effort. Was that not a "full line-by-line" audit and is that what they aim to do now?
»www.privacy-cd.org/downl ··· s-en.pdf
- In the above audit, they state TrueCrypt is solid unless you use keyfiles. They describe an attack on keyfiles (obscure/over my head) that doesn't appear to be resolved. Otherwise if you use a password, their conclusion is the program is very strong, although they cannot completely rule out the possibility of a back door.
- From the audit, "TrueCrypt makes use of cryptographic code from five different sources: from the TrueCrypt Foundation itself, from Paul Le Roux, Brian Gladman, Mark Adler and Eric Young." So we do know some of the programmers, TrueCrypt is not totally anonymous?
- Someone stated they did not trust TrueCrypt, but did trust DiskCryptor. Anyone here using it? Has that program been audited?
»www.diskcryptor.net/wiki ··· _Page/en
- From the link below. "Thursday, Oct 17, 2013: Wow! What an amazing couple of days. As of 2:15 EST today, we have raised over $36,000!" So it appears this new audit is a go!
»istruecryptauditedyet.com/

Cryptography experts such as Matthew Green of Johns Hopkins University in Baltimore agree about TrueCrypt's importance and the need to put it on "better footing" in terms of its trustworthiness. Green and Kenn White, a security researcher, helped get IsTruCryptAuditedYet off the ground. To date, the crowdfunded project has raised more than $36,000 and Green and White have begun seeking recommendations on firms that can review the software's integrity. While that decision could be made within a couple of weeks, a full audit may not be complete until early next year...................wait & see !!

I can't clarify that, but there has been some stories with innuendo suggesting a back door.

quote:

---

... the Windows binary appears to save a block of unexplained bytes with the encrypted data. Some fear this is a key to a backdoor ...

---

So, we'll see. Hopefully, all aspects of the software will be investigated.

So i guess it would be safer to use hardware based encryption usb sticks like Iron Key. Much more stronger and harder to crack and can be trusted. Or, we can just throw our hands up in the air and give up on encryption entirely. Save us some headaches trying to figure out whether or not which encryption software has flaws or backdoors in it.

What makes you think that Iron Key doesn't have a back door?

Best answer for this!!!! below.

We should all save us some headaches and give up trying to figure out whether or not which encryption software has flaws or backdoors in it.
So I think I will just give up.
And if someone from a 3 letter agency has to crack encryption whether it is truecrypt or some others, they can.

That's plain BS

ok, if your one of those people who travel around with there notebook or usb stick holding important company info, then use truecrypt only IF no other solution is possible. It is still better then having no encryption at all. And use a long complex password as well.

But still, truecrypt is getting kinda spooky on us.
There still on 7.1a version for a long time now. Thats concerning. Sorry.

The keyfile attack described in the paper rests on the assumption that you use a pre-compromised file (or multiple such files) as a keyfile. The authors also claim that a "clean" keyfile can be modified by an attacker without breaking the functionality of it and at the same time providing some benefit to the attacker.

I think either scenario is unlikely enough to not warrant much consideration. I think it would be fairly easy to guard against this sort of attack, as well, even given the weaknesses of the Truecrypt keyfile algorithm.

That audit, in part 8, Conclusions highlighted the issue that will be a large part of this audit.

quote:

---

There is a fundamental problem with the analysis of binary packages published on the TrueCrypt website. Without a very expensive "reverse engineering” it can't be proved that they are compiled from the published source code.

---

I think in the current effort, that there will be an emphasis on item 2

quote:

---

Implement deterministic/reproducible builds. Many of our concerns with Truecrypt could go away if we knew the binaries were compiled from source. Unfortunately it's not realistic to ask every Windows user to compile Truecrypt themselves. Our proposal is to adapt the deterministic build process that Tor is now using, so we can know the binaries are safe and untampered. This is really a precondition to everything else.

---

If we can get the compiling and linking straightened out, it's going to be a better product. The build process should be open, so that anyone can produce the exact same binary, bit for bit.

I had dealt with a numerous security consultants in the past and this what they think.

One thing that is overlooked here is all we are focusing on is the encryption software/hardware or even all the AV programs out there whether these are good or not.

But one of the most major things which are overlooked here are these:

* Do you trust the person who is actually carrying that encrypted notebook or a USB pen drive??? Because the owner knows the encryption passwords, right??? Or wrong???

He or she can actually take photos of a document with a smartphone, it may be hard and stuff, but it can be puzzled together.

So my point being here. Even if I give my employees an encrpyted notebook or a USB pen drive for business travel, who can I really trust here??? The encryption software thats installed which might have a backdoor, or the actual person owning that notebook?

This is the most and major things to look at here.

So whether we can assume or make assumptions about TrueCrypt if in fact it may have a backdoor, then let please ask ourselfs this:
"Well, do I really trust the security software which can protect all my data, or can I trust the person having that data who is carrying or working on that encrypted notebook since they know all the passwords"

Just my 2 cents here.

So, TrueCrypt may or not have a backdoor, ohhhh well. I am more concerned if one of my employees can manipulate that data because they know the passwords.

Avze's paranoia is adjusted.

Windows can access any bit in memory or file - so any password or key can be intercepted. And backdoors errrh vulnerabilities in Windows are common thing, not to mention good relations with NSA.

Question if encryption has backdoor or flaws isn't important anymore .

I take your point of view & I will never Trust No One

Why is it concerning? Change is the enemy of security. If there isn't a problem, there is no need to change it. Should a problem be found, then it should be corrected, but change for the sake of change is very bad for security as new issues tend to be introduced.

My fear is that the audit will find nothing major, then a change will be released, making the audit pointless as any changes would make it void.

Yeah, I mean really.
I attended dozens of information security meetings in the past.
So here is the break down.

If ANY encryption software has or does not have a backdoor, that to me is not a big deal, because I am more worried about an employee taking that data and who knows what they can do with it. Right???

Because THEY know the passwords. Makes sense or not? Do you agree?

It all about the insider threats and not only relying on whether which encryption software has a backdoor or not.

The audits might come up to be positive, but on the other hand, I would be more worried about people having an already encrypted drive on a business trip and taking that data god who knows where since they know the passwords.

Disk encryption doesn't purport to counter the insider threat. It's a specific control with a specific purpose to protect against a specific risk. Saying that insider threats exist is true but immaterial. It doesn't obviate the need for disk encryption. That's like saying our clothes are not fireproof so we should just walk around naked.

human mostly the weakest link, but could be as creative too !!

Your right on that one sbconslt

Not ALL persons are meant to be "rogue"
But they can be. Just like police, there are some bad apples out there.

And yes, encryption is still needed in case someone steals a notebook from a "trusted" person who owned that stolen notebook.

So sbconslt, I agree.

when will the final audit results will be posted here?