sbconslt
Member
join:2009-07-28
Los Angeles, CA
2 recommendations

TrueCrypt Phase II Audit Report Out

»blog.cryptographyenginee ··· ort.html

»opencryptoaudit.org/repo ··· inal.pdf

»opencryptoaudit.org/

The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.

...

Truecrypt is a really unique piece of software. The loss of Truecrypt's developers is keenly felt by a number of people who rely on full disk encryption to protect their data. With luck, the code will be carried on by others. We're hopeful that this review will provide some additional confidence in the code they're starting with.


HA Nut
Premium Member
join:2004-05-13
USA

Good news! While I had no way of knowing, I had always had a fair amount of confidence in TC.

A nice site for general ramblings/info about TC is on one of Steve Gibson's pages. »www.grc.com/misc/truecry ··· rypt.htm

antdude to sbconslt
Matrix Ant
Premium Member
join:2001-03-25
US

Yay. I still use TC. I found out about this fork: »veracrypt.codeplex.com -- Is anyone using it?

sbconslt
Member
join:2009-07-28
Los Angeles, CA
1 recommendation

Still using 7.1a for right now.

Drunkula to sbconslt
Premium Member
join:2000-06-12
Denton, TX
1 recommendation

I'm still on 7.1a, too.

camper to antdude
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT
1 recommendation

I'm still using TC 7.1a, as I see no reason to change at this point.

Dustyn to HA Nut
Premium Member
join:2003-02-26
Ontario, CAN

Had a fair amount of confidence that this was going to be the outcome.
Steve Gibson, after looking over the code, said it is beautifully written code with zero bugs to be found.

camper to sbconslt
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT
1 recommendation

The next paragraph after the one you quoted goes on to say...


That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.

For example: the most significant issue in the Truecrypt report is a finding related to the Windows version of Truecrypt's random number generator (RNG), which is responsible for generating the keys that encrypt Truecrypt volumes. This is an important piece of code, since a predictable RNG can spell disaster for the security of everything else in the system. ...

A problem in Truecrypt is that in some extremely rare circumstances, the Crypto API can fail to properly initialize. When this happens, Truecrypt should barf and catch fire. Instead it silently accepts this failure and continues to generate keys. ...

"incautious programming"

Nothing serious, they say, but causing Truecrypt to give less assurance than they'd like.

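The silent-failure pattern described in the quoted paragraph, as an added example that is not from the original post or from TrueCrypt's source: a constructed key generator that mixes several entropy sources, shown in the audited "swallow the error and carry on" form beside a fail-closed form. The CryptoAPI failure is simulated, and all function names are my own.

```python
"""Fail-closed key generation, illustrating the Phase II RNG finding.

Constructed illustration (not TrueCrypt's own code): a key generator that
mixes several entropy sources. The 'lax' variant mirrors the audited
behaviour of ignoring a CryptoAPI initialisation failure and still
producing a key; the 'strict' variant refuses to produce a key at all.
"""
import hashlib
import os
from typing import Callable, List

# An entropy source returns raw bytes, or raises OSError on failure.
EntropySource = Callable[[], bytes]


class EntropyFailure(RuntimeError):
    """Raised when a required entropy source cannot be initialised."""


def os_random(n: int = 32) -> bytes:
    # Healthy source: the operating system's CSPRNG.
    return os.urandom(n)


def failing_cryptoapi() -> bytes:
    # Stand-in (simulated) for a CryptoAPI provider that fails to initialise.
    raise OSError("CryptAcquireContext failed (simulated)")


def derive_key(pool: bytes, key_len: int = 32) -> bytes:
    # Hash the mixed pool so no single source dictates the key bytes.
    return hashlib.sha512(pool).digest()[:key_len]


def generate_key_lax(sources: List[EntropySource]) -> bytes:
    """Audited pattern: a failed source is silently skipped."""
    pool = b""
    for src in sources:
        try:
            pool += src()
        except OSError:
            pass  # BUG: a key is still produced from whatever is left
    return derive_key(pool)


def generate_key_strict(sources: List[EntropySource]) -> bytes:
    """Fail closed: any source failure aborts key generation."""
    pool = b""
    for src in sources:
        try:
            pool += src()
        except OSError as exc:
            raise EntropyFailure(f"refusing to generate key: {exc}") from exc
    return derive_key(pool)
```

With only the failing source configured, the lax variant hands back the same key on every call, which is the degenerate case a silent failure permits.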
sbconslt
Member
join:2009-07-28
Los Angeles, CA

Yes, the Phase I report turned up a few Medium and Low severity issues as well. When you go through with a fine-toothed comb as was done, that's expected - small stuff with virtually zero likelihood of exploitation outside of a lab.

What we were all holding our breath to see, though, was whether there was some Critical severity exploitable defect, or worse yet, a deliberately planted backdoor. That's what it would have taken for 7.1a to be declared "insecure" as the authors did when they burned the house to the ground.

lawsoncl to Dustyn
Member
join:2008-10-28
Spirit Lake, ID
1 recommendation

said by Dustyn:

Steve Gibson after looking over the code said it is beautifully written code with zero bugs to be found.

Steve Gibson's blessing does very little for me. He's a self-proclaimed security expert and publicity hound who doesn't seem to understand some fundamentals. Some of the crap he's put out there has been quite laughable. The serious security pros consider him a hack.

»www.theregister.co.uk/20 ··· cookies/

camper to sbconslt
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT
1 recommendation

I agree with all you said.

I'm staying with TC for the time being, as I don't yet trust any of the alternatives ...

85160670 (banned) to Dustyn
"If U know neither the enemy nor yoursel
Member
join:2013-09-17
Edmonton, AB
1 recommendation

Hmmmm .... "TrueCrypt Audit Phase II completed: 4 vulnerabilities identified" ... The developers released a final version of TrueCrypt that was broken (by design) in many regards. The final source code of the full version of the program was published by Gibson Research Corporation and alternatives such as VeraCrypt or CipherShed appeared shortly thereafter.

At that time, TrueCrypt's audit was not complete as only phase one of the audit had been completed by the researchers.

The research team made the decision to continue with the audit of TrueCrypt 7.1a despite the fact that the project developers abandoned the project in the meantime ... [ »www.ghacks.net/2015/04/0 ··· ntified/ ]

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

I'm curious to hear what Steve Gibson may have to say about these findings.
Security review finds no critical flaws in Truecrypt 7.1a

85160670 (banned)
"If U know neither the enemy nor yoursel
Member
join:2013-09-17
Edmonton, AB
1 recommendation

{{{ SMILE }}} Meantime, life goes on ... "VeraCrypt 1.0f-2 update fixes TrueCrypt audit vulnerability" ... [ »www.ghacks.net/2015/04/0 ··· ability/ ]
said by Dustyn:

I'm curious to hear what Steve Gibson may have to say about these findings?
Security review finds no critical flaws in Truecrypt 7.1a


camper to sbconslt
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT
1 recommendation

Another article about TrueCrypt and its successors.
»threatpost.com/post-cryp ··· d/112033


... [Jason] Pyeron[, one of the developers of CipherShed] for one, is not a fan of the quality of the original TrueCrypt code base, something that was also pointed out in the first phase of the audit.

“The TrueCrypt codebase is riddled with poor and less than secure programming practices,” he said. “Some of the things we have discovered along the way are improper handling of Unicode and many other strange details. Here is one for your readers: What reasons could you justify using string case manipulation in full-disk encryption software? Hint: It should not be for the data on the disk or passwords.”

VeraCrypt and CipherShed have addressed many of the shortcomings identified not only by the audit, but by others who have scrutinized the TrueCrypt code in recent years. VeraCrypt’s Idrassi, for example, said he replaced TrueCrypt’s lone support of the RIPEMD-160 algorithm with SHA-256 support for system encryption. He said VeraCrypt has also tried to simplify the build process, especially for Linux and Mac OS X systems, so that other less common configurations could be used....


antdude to sbconslt
Matrix Ant
Premium Member
join:2001-03-25
US

VeraCrypt

Are any of you using VeraCrypt?

TheMole
Member
join:2001-12-06
USA
1 recommendation

I've been testing VeraCrypt as a replacement for TrueCrypt. The major issue right now is that the initial boot is VERY VERY long (90 seconds in some cases). This is due to an increased security at the boot process that VeraCrypt employs that TrueCrypt did not employ.

It is discussed »veracrypt.codeplex.com/d ··· s/549728 and »veracrypt.codeplex.com/d ··· s/570533.

As discussed in the second link, they will release a version that "fixes" this, but the fix lowers the security level (which is optionally left at a higher security level).

Once booted, I see zero differences. The only issue is getting users used to the slow boot time. They often think something is wrong.

camper to antdude
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT
1 recommendation

said by antdude:

Are any of you using VeraCrypt?

Conversely, anyone using CipherShed?