Fwd: is truecrypt dead?

Matej Kovacic matej.kovacic at owca.info
Wed May 28 23:58:10 PDT 2014


Hi,

Just for info, TrueCrypt is being audited, and the phase 1 report is quite good.

Phase 2 is being conducted right now, and it is on the formal
cryptanalysis, which is actually easier to check than phase 1.

Please see:
- http://istruecryptauditedyet.com/
- https://opencryptoaudit.org/reports/

Summary:

During this engagement, the iSEC team identified eleven (11) issues in
the assessed areas. Most issues were of severity Medium (four (4) found)
or Low (four (4) found), with an additional three (3) issues having
severity Informational (pertaining to Defense in Depth).

Overall, the source code for both the bootloader and the Windows kernel
driver did not meet expected standards for secure code. This includes
issues such as lack of comments, use of insecure or deprecated
functions, inconsistent variable types, and so forth.

...

The team also found a potential weakness in the Volume Header integrity
checks. Currently, integrity is provided using a string (“TRUE”) and two
(2) CRC32s. The current version of TrueCrypt utilizes XTS as the block
cipher mode of operation, which lacks protection against modification;
however, it is insufficiently malleable to be reliably attacked. The
integrity protection can be bypassed, but XTS prevents a reliable
attack, so it does not currently appear to be an issue.

...

Finally, iSEC found no evidence of backdoors or otherwise intentionally
malicious code in the assessed areas. The vulnerabilities described
later in this document all appear to be unintentional, introduced as the
result of bugs rather than malice.

So I bet their website was hacked. Anyway, I would be very careful
downloading any binary from their website and would not trust the
signatures.

Regards,

Matej
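
Added illustration, not part of the message above or of the iSEC report: the kind of header check the quoted summary describes (a magic string plus two CRC32s), next to a keyed HMAC, to show what "lacks protection against modification" means. The field layout, sizes and key are constructed for this example and are not TrueCrypt's real header format; it operates on an already-decrypted header and does not model XTS.

```python
import hashlib
import hmac
import struct
import zlib

MAGIC = b"TRUE"
KEY_LEN = 64  # constructed size; the layout below is simplified, not TrueCrypt's real offsets
# Layout of the *decrypted* header: magic(4) | crc_keys(4) | key_area(64) | crc_fields(4)
HEADER_LEN = 4 + 4 + KEY_LEN + 4


def build_header(key_area: bytes) -> bytes:
    """Anyone can build a header that passes crc_check: no secret is involved."""
    body = MAGIC + struct.pack(">I", zlib.crc32(key_area)) + key_area
    return body + struct.pack(">I", zlib.crc32(body))


def crc_check(header: bytes) -> bool:
    """Unkeyed check: magic string plus two CRC32s."""
    if len(header) != HEADER_LEN or header[:4] != MAGIC:
        return False
    (crc_keys,) = struct.unpack(">I", header[4:8])
    (crc_fields,) = struct.unpack(">I", header[-4:])
    return (zlib.crc32(header[8:8 + KEY_LEN]) == crc_keys
            and zlib.crc32(header[:-4]) == crc_fields)


def mac_tag(mac_key: bytes, header: bytes) -> bytes:
    return hmac.new(mac_key, header, hashlib.sha256).digest()


def mac_check(mac_key: bytes, header: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(mac_key, header), tag)


def demo() -> dict:
    mac_key = b"k" * 32                      # constructed key
    original = build_header(bytes(range(KEY_LEN)))
    tag = mac_tag(mac_key, original)
    corrupted = bytearray(original)
    corrupted[20] ^= 0x01                    # accidental single-bit error
    rebuilt = build_header(bytes(KEY_LEN))   # different contents, checksums recomputed
    return {
        "original_crc": crc_check(original),
        "corrupted_crc": crc_check(bytes(corrupted)),
        "rebuilt_crc": crc_check(rebuilt),
        "rebuilt_mac": mac_check(mac_key, rebuilt, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The CRC check catches the accidental bit error but accepts the rebuilt header, while the HMAC tag rejects it; in the audited design it is the XTS encryption of the header, not the checksums, that stands in the way of a reliable modification.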


