Fwd: is truecrypt dead?
Robbie Harwood
rharwood at club.cc.cmu.edu
Thu May 29 04:17:38 PDT 2014
Matej Kovacic <matej.kovacic at owca.info> writes:
> just for info, TrueCrypt is being audited, and phase 1 report is quite
> good.
No, no it wasn't. Here's the report:
> https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf
Take a minute to read it, I'll wait. Pay particular attention to pages
11 and 12, where they define the severity classes. Having a "Medium"
severity vulnerability means:
> Individual user's information at risk, exploitation would be bad for
> client's reputation, moderate financial impact, possible legal
> implications for client
So when they state that there are no less than *four* vulnerabilities
that they found in this class, that is *far from quite good*.
Thankfully, three of them are classified as difficulty: high to exploit,
but the "Weak Volume Header key derivation algorithm" is only
difficulty: medium, which, referring again to pages 11 and 12, is quite
exploitable.