Matej Kovacic <matej.kovacic@owca.info> writes:
> just for info, TrueCrypt is being audited, and phase 1 report is quite good.
No, no it wasn't. Here's the report:
Take a minute to read it, I'll wait. Pay particular attention to pages 11 and 12, where they define the severity classes. Having a "Medium" severity vulnerability means:
Individual user's information at risk, exploitation would be bad for client's reputation, moderate financial impact, possible legal implications for client
So when they state that there are no fewer than *four* vulnerabilities that they found in this class, that is *far from quite good*. Thankfully, three of them are classified as difficulty: high to exploit, but the "Weak Volume Header key derivation algorithm" is only difficulty: medium, which, referring again to pages 11 and 12, is quite exploitable.