First phase of TrueCrypt audit finds no backdoors
Posted on 15 April 2014.
Remember when late last year cryptographer Matthew Green and Kenneth White, Principal Scientist at Social & Scientific Systems, called for - and then organized - a crowdfunded, public security audit of TrueCrypt?
Well, the results of the first phase of the audit have been published, and the news is good in regards to potential backdoors present in the code.

iSEC Partners, the penetration testing and software design verification firm that was contracted in December to evaluate TrueCrypt's Windows kernel code, the bootloader, the filesystem driver, and the areas around this code, reports that they "found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas," and that the vulnerabilities they did find "all appear to be unintentional, introduced as the result of bugs rather than malice."

All in all, they found eleven security issues: four of medium severity, four of low severity, and the remaining three of "informational" severity.

"Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth," they explained.

The team also found a potential weakness in the Volume Header integrity checks, they added. "Currently, integrity is provided using a string (“TRUE”) and two CRC32s. The current version of TrueCrypt utilizes XTS as the block cipher mode of operation, which lacks protection against modification; however, it is insufficiently malleable to be reliably attacked. The integrity protection can be bypassed, but XTS prevents a reliable attack, so it does not currently appear to be an issue."
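To make the auditors' distinction concrete, here is an added example (my own code, not TrueCrypt's or iSEC's) contrasting a header check built from a magic string plus two CRC32s with one built on a keyed HMAC. The byte layout is a constructed simplification rather than the real TrueCrypt header, and the example leaves out the XTS encryption layer that, as the report notes, limits what a header modification can achieve in practice.

```python
import hashlib
import hmac
import zlib

# Constructed, simplified layout; not the real TrueCrypt byte offsets.
#   [0:4] magic "TRUE"   [4:8] CRC32 of key material   [8:60] other fields
#   [60:64] CRC32 of bytes [0:60]   [64:128] key material   (CRCs: LE uint32)
MAGIC, HEADER_LEN = b"TRUE", 128

def build_crc_header(fields: bytes, keys: bytes) -> bytes:
    # Header protected only by the magic string and two CRC32s, as the audit describes.
    assert len(fields) == 52 and len(keys) == 64
    head = MAGIC + zlib.crc32(keys).to_bytes(4, "little") + fields
    return head + zlib.crc32(head).to_bytes(4, "little") + keys

def verify_crc_header(hdr: bytes) -> bool:
    if len(hdr) != HEADER_LEN or hdr[0:4] != MAGIC:
        return False
    crc_keys = int.from_bytes(hdr[4:8], "little")
    crc_head = int.from_bytes(hdr[60:64], "little")
    return crc_keys == zlib.crc32(hdr[64:]) and crc_head == zlib.crc32(hdr[0:60])

def build_mac_header(fields: bytes, keys: bytes, mac_key: bytes) -> bytes:
    # Hardened variant: a keyed HMAC-SHA256 tag over magic, fields and key material.
    body = MAGIC + fields + keys
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def verify_mac_header(hdr: bytes, mac_key: bytes) -> bool:
    body, tag = hdr[:-32], hdr[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body[0:4] == MAGIC and hmac.compare_digest(tag, expected)

def compare_checks() -> dict:
    # Returns (crc_check_passed, mac_check_passed) for three situations.
    fields, keys = bytes(range(52)), bytes([0xA5] * 64)   # constructed sample data
    mac_key = b"constructed-mac-key"
    crc_hdr = build_crc_header(fields, keys)
    mac_hdr = build_mac_header(fields, keys, mac_key)
    # 1. Accidental corruption (one flipped bit in the key area): both checks catch it.
    flip_crc, flip_mac = bytearray(crc_hdr), bytearray(mac_hdr)
    for h in (flip_crc, flip_mac):
        h[70] ^= 1
    # 2. Key area rewritten without mac_key: the public CRC32 is simply recomputed
    #    and passes, while the keyed HMAC check fails.
    new_keys = bytes([0x5A] * 64)
    edited_crc = build_crc_header(fields, new_keys)
    edited_mac = build_mac_header(fields, new_keys, b"not-the-real-key")
    return {
        "intact": (verify_crc_header(crc_hdr), verify_mac_header(mac_hdr, mac_key)),
        "bit_flip": (verify_crc_header(bytes(flip_crc)), verify_mac_header(bytes(flip_mac), mac_key)),
        "edited": (verify_crc_header(edited_crc), verify_mac_header(edited_mac, mac_key)),
    }
```

The CRC check is a corruption detector, so its value lies in catching damage, which is why the auditors rate the finding as low impact in combination with XTS.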

The team found the online documentation for the software to be very good, easily understandable and correct.

"In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report," Tom Ritter, security consultant at iSEC Partners concluded.

The second phase of the audit project is set to follow, and it will include a thorough analysis of the part of the code responsible for the actual encryption process.