TrueCrypt’s relative clean bill of health last week has now spawned a new focus on existing alternatives to the open source encryption software, namely VeraCrypt and CipherShed. Both open source projects sprung forth from the rubble of the original TrueCrypt developers’ decision in 2014 to abandon ship.

It’s still unknown why the mysterious and anonymous builders of a software project that’s been downloaded close to 30 million times decided overnight to close up shop. Under the growing leeriness of the Snowden revelations two summers ago, the decision to audit the code and the subsequent call to stop maintaining and developing TrueCrypt birthed speculation that a backdoor was found in the code, or that the developers had been served with a court order that would somehow compromise the integrity of TrueCrypt, or perhaps they were just tired of keeping up with code changes and new builds.

Whatever the reason, the demise of TrueCrypt not only gave rise to a two-phase audit of the code, but also to a pair of projects that forked the last TrueCrypt build into separate projects serving the same purpose: provide privacy- and security-conscious individuals with a free and open software package to encrypt files and disk drives.

“The audits of TrueCrypt get a lot of press because it’s something flashy, but the development effort that went into TrueCrypt at the beginning is immense and incredible, and the developers don’t get as much credit as they should for producing a disk and volume encryption project for multiple platforms and for maintaining it for a decade or more,” said Tom Ritter, a security engineer with NCC Group Cryptography Services, which conducted the audit. “There are successor projects and they are improving it in their own ways. I am excited to see those projects grow and thrive and last as long as TrueCrypt did. I still use TrueCrypt and want to see it supported in the future.”

Mounir Idrassi runs VeraCrypt, the Windows version of which was launched June 22, 2013, 17 days after the first Snowden revelations.

“The original motivation behind VeraCrypt was to strengthen TrueCrypt key derivation. I first started analyzing TrueCrypt source code in 2012, and by the end of that year it was clear to me that TrueCrypt key derivation was not strong enough and needed to be upgraded to meet the challenges of the accelerating growth of computing power,” Idrassi said. “From there, I decided to start VeraCrypt as a fork to TrueCrypt to address this issue by increasing the security to a level that should remain secure for the next 10-15 years.”

Idrassi said he was not surprised by the revelations of last week’s cryptanalysis results. The second phase of the audit turned up no backdoors and uncovered four vulnerabilities in the code, two of which were rated high severity bugs by NCC Group Cryptography Services.

“The results of the second audit phase are less interesting since the weaknesses mentioned were either known (keyfile processing, cache-timing attack) or not realistic, but this is expected since the code has already been analyzed by many people for years (although not in a coordinated manner) and it’s difficult to make new findings,” Idrassi said. “VeraCrypt is based on TrueCrypt, so theoretically any backdoor present in TrueCrypt could also be present on VeraCrypt if it touches the common parts. That being said, the source code has been reviewed by many people for years now and it would have been extremely surprising if any backdoor was able to hide in plain sight for so long.”

Jason Pyeron, one of the developers of CipherShed, said he expected the cryptanalysis to turn up more issues than it did, though the auditors did limit the scope of their investigation to certain areas of the code.

“I did not expect them to find any obvious backdoors or other easy exploits. If there were a backdoor put in, it would look like an innocent mistake or some buffer overflow which leaks just enough to give an advantage,” Pyeron said, adding that CipherShed’s developers are already looking at the bugs uncovered by the audit.

Like VeraCrypt, CipherShed emerged after the TrueCrypt shutdown.

“That was the primary motivation for starting CipherShed,” Pyeron said. “From there, it was a self-organizing battle royale. We ended up with the group who thinks organization is the key to long term support and success, just like Apache has. My personal goals were to make full-disk encryption available to everyone, including businesses and governments, and eliminate their excuses for not using it.”

Pyeron, for one, is not a fan of the quality of the original TrueCrypt code base, something that was also pointed out in the first phase of the audit.

“The TrueCrypt codebase is riddled with poor and less than secure programming practices,” he said. “Some of the things we have discovered along the way are improper handling of Unicode and many other strange details.”
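Idrassi’s point that TrueCrypt’s key derivation had to be upgraded against growing computing power comes down to the PBKDF2 iteration count: each extra iteration multiplies the work an attacker spends per password guess. The example below is added here to illustrate that argument; it is not code from TrueCrypt, VeraCrypt or CipherShed, and the two iteration counts are assumed for illustration rather than taken from the article.

```python
import hashlib
import time

# Assumed iteration counts for illustration only (the article gives no numbers):
# a low legacy count versus a much higher hardened one.
LEGACY_ITERATIONS = 1_000
HARDENED_ITERATIONS = 500_000


def derive_header_key(password: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512 key derivation, parameterised by iteration count.

    The output would be used to decrypt a volume header; the iteration count is
    the knob that sets how expensive every password guess is for an attacker.
    """
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen)


def brute_force_work_factor(legacy: int, hardened: int) -> float:
    """How many times more PBKDF2 work each guess costs after raising the count."""
    return hardened / legacy


def time_one_guess(password: bytes, salt: bytes, iterations: int) -> float:
    """Wall-clock seconds for one derivation, a proxy for per-guess attacker cost."""
    start = time.perf_counter()
    derive_header_key(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample inputs; a real volume header carries a random 64-byte salt.
    pw = b"correct horse battery staple"
    salt = bytes(range(64))
    for label, iters in (("legacy", LEGACY_ITERATIONS), ("hardened", HARDENED_ITERATIONS)):
        secs = time_one_guess(pw, salt, iters)
        print(f"{label:8s} {iters:>7d} iterations: {secs:.3f}s per guess")
    factor = brute_force_work_factor(LEGACY_ITERATIONS, HARDENED_ITERATIONS)
    print(f"work factor per guess: {factor:.0f}x")
```

Raising the count slows a legitimate mount by the same factor only once, while an attacker pays it on every one of billions of guesses.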