2 recommendations
TrueCrypt Phase II Audit Report Out
» blog.cryptographyenginee ··· ort.html
» opencryptoaudit.org/repo ··· inal.pdf
» opencryptoaudit.org/
The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.
...
Truecrypt is a really unique piece of software. The loss of Truecrypt's developers is keenly felt by a number of people who rely on full disk encryption to protect their data. With luck, the code will be carried on by others. We're hopeful that this review will provide some additional confidence in the code they're starting with.

HA Nut Premium Member join:2004-05-13 USA
2015-Apr-2 12:47 pm
Good news! While I had no way of knowing, I had always had a fair amount of confidence in TC. A nice site for general ramblings/info about TC is on one of Steve Gibson's pages. » www.grc.com/misc/truecry ··· rypt.htm

antdude (Matrix Ant) Premium Member join:2001-03-25 US
to sbconslt
Yay. I still use TC. I found out about this fork: » veracrypt.codeplex.com -- Is anyone using it?

1 recommendation
Still using 7.1a for right now.
Drunkula Premium Member join:2000-06-12 Denton, TX
1 recommendation
to sbconslt
I'm still on 7.1a, too.

camper (just visiting this planet) Premium Member join:2010-03-21 Bethel, CT
1 recommendation
to antdude
I'm still using TC 7.1a, as I see no reason to change at this point.

Dustyn Premium Member join:2003-02-26 Ontario, CAN
to HA Nut
Had a fair amount of confidence that this was going to be the outcome. Steve Gibson, after looking over the code, said it is beautifully written code with zero bugs to be found.

camper (just visiting this planet) Premium Member join:2010-03-21 Bethel, CT
1 recommendation
to sbconslt
The next paragraph after the one you quoted goes on to say...
That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.
For example: the most significant issue in the Truecrypt report is a finding related to the Windows version of Truecrypt's random number generator (RNG), which is responsible for generating the keys that encrypt Truecrypt volumes. This is an important piece of code, since a predictable RNG can spell disaster for the security of everything else in the system. ...
A problem in Truecrypt is that in some extremely rare circumstances, the Crypto API can fail to properly initialize. When this happens, Truecrypt should barf and catch fire. Instead it silently accepts this failure and continues to generate keys. ...
"incautious programming"
Nothing serious, they say, but causing Truecrypt to give less assurance than they'd like.
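The silent RNG-failure pattern quoted above, as an added illustration that is neither TrueCrypt's code nor part of this thread: the Windows CryptoAPI is stood in for by a function pointer (an assumption made so the example runs anywhere), and both entropy sources are constructed stand-ins, not cryptographic generators.

```c
#include <stddef.h>
#include <string.h>

/* Added example: models the RNG-initialization failure mode the audit
 * describes. A function pointer stands in for the Windows CryptoAPI
 * provider; nothing here is TrueCrypt's own code. */
typedef int (*entropy_source_fn)(unsigned char *buf, size_t len);

/* Constructed source behaving like a provider that failed to initialize:
 * writes nothing and reports failure (0, like a FALSE from CryptGenRandom). */
static int failing_source(unsigned char *buf, size_t len) {
    (void)buf; (void)len;
    return 0;
}

/* Constructed and NOT cryptographic: a fixed pattern standing in for a
 * working provider so the success path can be exercised offline. */
static int working_source(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (unsigned char)(0xA5 ^ i);
    return 1;
}

/* The pattern the audit criticised: the provider's return value is ignored,
 * so on failure the buffer keeps its predictable starting state and the
 * caller is still told (wrongly) that it holds a usable key. */
static int derive_key_incautious(entropy_source_fn src, unsigned char *key, size_t len) {
    memset(key, 0, len);
    src(key, len);            /* failure silently accepted */
    return 0;
}

/* Fail-closed version: a provider failure aborts key generation and scrubs
 * the buffer, so nothing is left that could be mistaken for a key. */
static int derive_key_failclosed(entropy_source_fn src, unsigned char *key, size_t len) {
    memset(key, 0, len);
    if (!src(key, len)) {
        memset(key, 0, len);  /* scrub any partial output */
        return -1;            /* caller must treat this as fatal */
    }
    return 0;
}

/* Check helper: 1 if every byte of buf is zero, else 0. */
static int all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}
```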
Yes, the Phase I report turned up a few Medium and Low severity issues as well. When you go through with a fine-toothed comb as was done, that's expected - small stuff with virtually zero likelihood of exploitation outside of a lab.
What we were all holding our breath to see though was if there was some Critical severity exploitable defect, or worse yet, a deliberately planted backdoor. That's what it would have taken for 7.1a to be declared "insecure" as the authors did when they burned the house to the ground.

1 recommendation
to Dustyn
said by Dustyn:
Steve Gibson after looking over the code said it is beautifully written code with zero bugs to be found.
Steve Gibson's blessing does very little for me. He's a self-proclaimed security expert and publicity hound, who doesn't seem to understand some fundamentals. Some of the crap he's put out there has been quite laughable. The serious security pros consider him a hack. » www.theregister.co.uk/20 ··· cookies/

camper (just visiting this planet) Premium Member join:2010-03-21 Bethel, CT
1 recommendation
to sbconslt
I agree with all you said. I'm staying with TC for the time being, as I don't yet trust any of the alternatives ...

85160670 (banned) "If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
1 recommendation
to Dustyn
Hmmmm .... "TrueCrypt Audit Phase II completed: 4 vulnerabilities identified".....
The developers released a final version of TrueCrypt that was broken (by design) in many regards. The final source code of the full version of the program was published by Gibson Research Corporation and alternatives such as VeraCrypt or CipherShed appeared shortly thereafter. At that time, TrueCrypt's audit was not complete as only phase one of the audit had been completed by the researchers. The research team made the decision to continue with the audit of TrueCrypt 7.1a despite the fact that the project developers abandoned the project in the meantime.....
[ » www.ghacks.net/2015/04/0 ··· ntified/ ]

Dustyn Premium Member join:2003-02-26 Ontario, CAN
2015-Apr-3 9:42 pm
I'm curious to hear what Steve Gibson may have to say about these findings.
Security review finds no critical flaws in Truecrypt 7.1a

85160670 (banned) "If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
1 recommendation
2015-Apr-7 4:05 pm
{{{ SMILE }}} meantime life goes on ... "VeraCrypt 1.0f-2 update fixes TrueCrypt audit vulnerability" ... [ » www.ghacks.net/2015/04/0 ··· ability/ ]

camper (just visiting this planet) Premium Member join:2010-03-21 Bethel, CT
1 recommendation
to sbconslt
Another article about TrueCrypt and its successors. » threatpost.com/post-cryp ··· d/112033
... [Jason] Pyeron[, one of the developers of CipherShed] for one, is not a fan of the quality of the original TrueCrypt code base, something that was also pointed out in the first phase of the audit. "The TrueCrypt codebase is riddled with poor and less than secure programming practices," he said. "Some of the things we have discovered along the way are improper handling of Unicode and many other strange details. Here is one for your readers: What reasons could you justify using string case manipulation in full-disk encryption software? Hint: It should not be for the data on the disk or passwords." VeraCrypt and CipherShed have addressed many of the shortcomings identified not only by the audit, but by others who have scrutinized the TrueCrypt code in recent years. VeraCrypt's Idrassi, for example, said he replaced TrueCrypt's lone support of the RIPEMD-160 algorithm with SHA-256 support for system encryption. He said VeraCrypt has also tried to simplify the build process, especially for Linux and Mac OS X systems, so that other less common configurations could be used....

antdude (Matrix Ant) Premium Member join:2001-03-25 US
to sbconslt
VeraCrypt
Are any of you using VeraCrypt?

1 recommendation
I've been testing VeraCrypt as a replacement for TrueCrypt. The major issue right now is that the initial boot is VERY VERY long (90 seconds in some cases). This is due to an increased security at the boot process that VeraCrypt employs that TrueCrypt did not employ. It is discussed » veracrypt.codeplex.com/d ··· s/549728 and » veracrypt.codeplex.com/d ··· s/570533. As discussed in the second link, they will release a version that "fixes" this, but the fix lowers the security level (which is optionally left at a higher security level). Once booted, I see zero differences. The only issue is getting users used to the slow boot time. They often think something is wrong.

camper (just visiting this planet) Premium Member join:2010-03-21 Bethel, CT
1 recommendation
to antdude
said by antdude:
Are any of you using VeraCrypt?
Conversely, anyone using CipherShed?