Security Researchers Want To Fully Audit Truecrypt 233

Posted by Unknown Lamer
from the brought-to-you-by-the-makers-of-stuxnet dept.
Hugh Pickens DOT Com writes "TrueCrypt has been part of security-minded users' toolkits for nearly a decade — but there's one problem: no one has ever conducted a full security audit on it. Now Cyrus Farivar reports in Ars Technica that a fundraiser reached more than $16,000 in a public call to perform a full security audit on TrueCrypt. 'Lots of people use it to store very sensitive information,' writes Matthew Green, a well-known cryptography professor at Johns Hopkins University. 'That includes corporate secrets and private personal information. Bruce Schneier is even using it to store information on his personal air-gapped super-laptop, after he reviews leaked NSA documents. We should be sweating bullets about the security of a piece of software like this.' According to Green, Truecrypt 'does some damned funny things that should make any (correctly) paranoid person think twice.' The Ubuntu Privacy Group says the behavior of the Windows version [of Truecrypt 7.0] is problematic. 'As it can't be ruled out that the published Windows executable of Truecrypt 7.0a is compiled from a different source code than the code published in "TrueCrypt_7.0a_Source.zip" we however can't preclude that the binary Windows package uses the header bytes after the key for a back door.' Green is one of the people leading the charge to set up the audit, and he helped create the website istruecryptauditedyet.com. 'We're now in a place where we have nearly, but not quite enough to get a serious audit done.'"

  • by tysonedwards (969693) on Wednesday October 16, 2013 @09:36AM (#45142369)
    I am shocked, and frankly a little pissed off that Version 6 and Version 7 aren't identical.
    • Yeah, I was just about to make the same post. That sentence sounds pretty stupid.

  • A thought (Score:3, Insightful)

    by Anonymous Coward on Wednesday October 16, 2013 @09:59AM (#45142617)

    TrueCrypt has a custom license and it is unclear how it mixes with other licenses. This makes code-sharing between TrueCrypt and other projects problematical.

    According to TFA nobody knows who wrote TrueCrypt.

    The answer to the problem is simple: relicense TrueCrypt. If there are no known authors, there's nobody to complain.

    • by Desler (1608317)

      Except copyright law doesn't work that way.

      • Well they would have to come forward to launch legal proceedings, wouldn't they?
        • by mlts (1038732) *

          It still is acting in bad faith. Even though nobody comes out to actively defend a work, it still isn't ethical to recopy and relicense someone else's stuff without permission.

          If TC turns out to have issues, the best thing would be to get behind a project like FreeOTFE and have that thoroughly audited and vetted. The second best would be to see about getting a company who has a product with similar functionality (BestCrypt or even better, Symantec's PGP Desktop) and having them create an "open" version.

          • Re:A thought (Score:4, Interesting)

            by TheCarp (96830) <sjc@noSPAM.carpanet.net> on Wednesday October 16, 2013 @11:18AM (#45143431) Homepage

            I have used FreeOTFE before, and kind of forgotten about it. As it happens, I am looking for something just like this now for use with some USB keys I need to use to share data at different places.

            Now that I look at it I see this on Wikipedia:
            "The FreeOTFE website is unreachable as of June 2013 and the domain name is now registered by a new owner."

            So I asked, is it even being maintained? I know it's open source but it's good to know if a project is actively maintained too. Apparently the place to go is Sourceforge as freeotfe.org is something else now: http://sourceforge.net/projects/freeotfe.mirror/ [sourceforge.net]

            AND the latest release is several months after the original website disappeared, so it looks like somebody is working on it anyway. May be just what I needed.

          • "It still is acting in bad faith. Even though nobody comes out to actively defend a work, it still isn't ethical to recopy and relicense someone else's stuff without permission."

            Yes, it very much IS ethical to do so. It just isn't legal. There is a difference.

            Until just a very few years ago (around the time of CMCA), in order to enforce a copyright you had to DECLARE it. That means publicly declare who the copyright belongs to, and when the work was produced.

            For a number of extremely good reasons, this is still the way it should work. That system worked, and worked fine. There were a number of solid ethical and equity reasons for it being the way it was. It worked MUCH better

        • by gweihir (88907)

          No. They can use a proxy.

      • Re:A thought (Score:5, Informative)

        by Rob the Bold (788862) on Wednesday October 16, 2013 @10:39AM (#45142991)

        Except copyright law doesn't work that way.

        How does copyright work in the case of anonymous authorship? I found this info which I make no attempt to explain . . .

        In the US, there's this [copyright.gov]:

        (c) Anonymous Works, Pseudonymous Works, and Works Made for Hire. — In the case of an anonymous work, a pseudonymous work, or a work made for hire, the copyright endures for a term of 95 years from the year of its first publication, or a term of 120 years from the year of its creation, whichever expires first. If, before the end of such term, the identity of one or more of the authors of an anonymous or pseudonymous work is revealed in the records of a registration made for that work under subsections (a) or (d) of section 408, or in the records provided by this subsection, the copyright in the work endures for the term specified by subsection (a) or (b), based on the life of the author or authors whose identity has been revealed. Any person having an interest in the copyright in an anonymous or pseudonymous work may at any time record, in records to be maintained by the Copyright Office for that purpose, a statement identifying one or more authors of the work; the statement shall also identify the person filing it, the nature of that person's interest, the source of the information recorded, and the particular work affected, and shall comply in form and content with requirements that the Register of Copyrights shall prescribe by regulation.

        And this [copyright.gov]

        Anonymous Work

        An author's contribution to a work is “anonymous” if that author is not identified on the copies or phonorecords of the work. If the contribution is anonymous, you may:

        * reveal the author's identity even though the work is anonymous, or
        * leave the author fields blank, or
        * give “Anonymous” in the last name field.

        Note that if a work is “made for hire,” you must name the employer as author. In any case, you should check the anonymous box.

        And internationally, there's this advice from wikipedia [wikimedia.org].

  • All typos in the writeup aside, the TrueCrypt FAQ [truecrypt.org] states:

    In addition to reviewing the source code, independent researchers can compile the source code and compare the resulting executable files with the official ones. They may find some differences (for example, timestamps or embedded digital signatures) but they can analyze the differences and verify that they do not form malicious code.

    If so, why would it cost $16,000 to do that? Heck, I bet somebody would do that, and also do "a full security audit" of the source code, for free.

    When I used to use TrueCrypt years ago, I assumed someone had already done that. But I never found any proof, so I stopped using it. Will the $16,000 maybe be used to pay someone to do that formally and publish the results?

    • Re: (Score:2, Informative)

      by AHuxley (892839)
      Expensive, unique, proprietary, complex software is going to seek out traces of the military industrial complex and its best software contractors.
    • Re:A costly analysis (Score:4, Informative)

      by nharmon (97591) on Wednesday October 16, 2013 @10:19AM (#45142781) Homepage

      Perhaps the $16,000 could be divided up and paid to multiple researchers who do their own separate analyses. Even better would be researchers on different continents, who pledge not to communicate with each other until their work is complete.

    • If so, why would it cost $16,000 to do that?

      It's not the compile and compare to existing binaries that's the expensive bit, that would just show the same source code was used.

      The expensive bit is someone has to review every line of code and really understand it to eliminate possible backdoors and someone has to review the workflow to find flaws in the implementation.

  • Waitaminit... (Score:4, Interesting)

    by Shoten (260439) on Wednesday October 16, 2013 @10:13AM (#45142725)

    ...I thought the main point of the "open source is more secure" argument was that this process supposedly happened on its own, organically?

    • Re:Waitaminit... (Score:5, Insightful)

      by TheRaven64 (641858) on Wednesday October 16, 2013 @10:57AM (#45143205) Journal
      No, the argument is that it can happen if someone decides that it's worth doing. Just making the code open doesn't mean that anyone will read it. It does, however, mean that:
      • You can build it yourself, so you know that the code that is audited is the code that is built (modulo toolchain trojans)
      • You can audit the code, or pay someone else to do it, without permission from the original authors beyond their original license
      • You can fix any security holes that such an audit turns up (or pay someone else to do it, again without requiring permission from the original authors beyond their original license
      • by MrChips (29877)

        No, the argument is that it can happen if someone decides that it's worth doing. Just making the code open doesn't mean that anyone will read it. It does, however, mean that:

        • You can build it yourself, so you know that the code that is audited is the code that is built (modulo toolchain trojans)
        • You can audit the code, or pay someone else to do it, without permission from the original authors beyond their original license
        • You can fix any security holes that such an audit turns up (or pay someone else to do it, again without requiring permission from the original authors beyond their original license

        And, if someone else does an audit, there's a better chance that they are not bound by NDA and can therefore speak freely about what they find.

    • Re:Waitaminit... (Score:5, Insightful)

      by aaaaaaargh! (1150173) on Wednesday October 16, 2013 @11:45AM (#45143717)

      The real reason why open source practically always beats closed source in security applications is that the authors have to presume that someone else will take a look at the code later and therefore want to avoid too messy and unclean coding. With closed source the temptation is simply too high to introduce dirty hacks and shortcuts, such as crappy PRNGs where cryptographically secure ones would be required, using no salt or using default initialization vectors - things that would be too embarrassing if anybody could discover them easily.

      Closed source developers can avoid that by independent security auditing, frequent reviews and strict coding guidelines, but that costs a lot of money and is only done when there is an external incentive like having to fulfill some FIPS regulation. In many if not all cases you can and should give a shit about the claims of even the most reputable closed source vendors. They are very likely lying about one thing or another and their managers likely don't even know exactly what they are really selling and how it works (viz., doesn't work).
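Added example, not code from the page or from any vendor it mentions: the three shortcuts the comment above lists (a non-cryptographic PRNG for key material, a fixed "default" IV, and unsalted password hashing), each written beside its correct form using only the Python standard library. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher so the block runs offline; the seed range, plaintexts and password are constructed for the demonstration.

```python
"""Three closed-source 'shortcuts' beside their fixes.  Added example; the
HMAC-SHA256 counter-mode keystream stands in for a real block cipher."""
import hashlib
import hmac
import random
import secrets

FIXED_IV = b"\x00" * 16          # the "default IV" anti-pattern


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# 1. Key material from a non-cryptographic PRNG ------------------------------
def weak_key(seed: int) -> bytes:
    """Bad: Mersenne Twister seeded with something guessable (e.g. a timestamp)."""
    return random.Random(seed).getrandbits(256).to_bytes(32, "big")


def strong_key() -> bytes:
    return secrets.token_bytes(32)          # OS CSPRNG


def recover_weak_key(key: bytes, seed_candidates) -> "int | None":
    """An attacker who knows roughly when the key was made just replays seeds."""
    for seed in seed_candidates:
        if weak_key(seed) == key:
            return seed
    return None


# 2. Fixed IV vs fresh IV ----------------------------------------------------
def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy PRF-in-counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def encrypt_fixed_iv(key: bytes, pt: bytes) -> bytes:
    """Bad: same key + same IV => identical keystream for every message."""
    return xor(pt, keystream(key, FIXED_IV, len(pt)))


def iv_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """With a reused keystream, ct1 XOR ct2 == pt1 XOR pt2: no key needed."""
    return xor(ct1, ct2)


def encrypt_random_iv(key: bytes, pt: bytes) -> bytes:
    """Fresh IV per message, prepended to the ciphertext."""
    iv = secrets.token_bytes(16)
    return iv + xor(pt, keystream(key, iv, len(pt)))


def decrypt_random_iv(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:16], ct[16:]
    return xor(body, keystream(key, iv, len(body)))


# 3. Unsalted hash vs salted, iterated KDF -----------------------------------
def unsalted_hash(password: bytes) -> str:
    """Bad: equal passwords hash equally and precomputed tables apply."""
    return hashlib.sha256(password).hexdigest()


def salted_hash(password: bytes, salt: bytes = None) -> tuple:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def verify_salted(password: bytes, salt: bytes, digest: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    k = weak_key(1381912560)                              # constructed "timestamp" seed
    print("seed recovered:", recover_weak_key(k, range(1381912000, 1381913000)))
    c1 = encrypt_fixed_iv(k, b"ATTACK AT DAWN!!")
    c2 = encrypt_fixed_iv(k, b"RETREAT AT DUSK!")
    print("pt1 XOR pt2 leaked:", iv_reuse_leak(c1, c2).hex())
```

Each "bad" function is what an auditor greps for: a seeded `random.Random` feeding key bytes, a constant IV, a bare hash over a password. The paired functions show the minimum fix; in real code the keystream would be a vetted cipher and the KDF parameters would be tuned to the deployment.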

    • by Vellmont (569020)

      Anyone being able to review code is NOT the same thing as an audit. An audit is a more formalized process where there's a more defined process and some form of assurance of quality is provided by the group. A formalized audit should cover all, or at the least "critical areas" of the code. An audit also might entail more than just the code, but who has access to it, what the commit procedures are, etc.

      What you're describing is more ad-hoc. Individuals going in and making sure there's no glaring errors or de

  • by seandiggity (992657) on Wednesday October 16, 2013 @10:18AM (#45142763) Homepage
    From http://lists.debian.org/debian-legal/2006/06/msg00295.html [debian.org]:

    ...if you distribute modified versions of TrueCrypt, you cannot charge for copies. That is non-free...
    ...nothing in the license constitutes a promise not to sue for copyright infringement. Our counsel advises that a plain reading of this indicates that if Fedora complies with all the requirements of the TrueCrypt license, we would nonetheless have no assurance that TrueCrypt will not sue me for my acts of copying, distribution, creation of derivative works, and so forth...
    TrueCrypt seems to be reserving the right to sue any licensee for copyright infringement, no matter whether they comply with the conditions of the license or not. Based on this, our counsel advised that above and beyond being non-free, software under this license is not safe to use...
    Our counsel advised us that this license has the appearance of being full of clever traps, which make the license appear to be a sham (and non-free).

    Given all of this, plus the problems with TrueCrypt authorship etc. I think the best course of action is replacing with a free implementation, maybe starting with something like this [github.com]?

    • Given all of this, plus the problems with TrueCrypt authorship etc. I think the best course of action is replacing with a free implementation, maybe starting with something like this [github.com]?

      Ah, I see the current TrueCrypt license [truecrypt.org] has undergone substantial changes since the early days. Looks like a complete mess to me :/

    • by Mr. Slippery (47854) <tms.infamous@net> on Wednesday October 16, 2013 @10:32AM (#45142925) Homepage

      That discussion is about an older version of the TrueCrypt license. While the newer version hasn't been submitted for OSI certification, some say it does meet the Open Source Definition [wikipedia.org].

    • by mlts (1038732) * on Wednesday October 16, 2013 @11:01AM (#45143247)

      Truecrypt's main advantage is that it is cross platform. I can make a TC volume on Windows, stash it on Dropbox, then later on open it on my Mac or Linux box.

      However, each of the operating systems generally has some method which doesn't have the hidden volumes and the plausible deniability aspect, but some form of volume encryption.

      OS X has FileVault 2, which can encrypt drives with a couple clicks. OS X also has a utility that makes sparse images, using "bands", which allows one to have an encrypted volume grow and shrink as needed. Of course, there is a loss of security with this feature, but it adds versatility.

      Linux has LUKS and dm-crypt (Android uses a modified version of dm-crypt to protect the /data partition in newer revs.)

      Windows has BitLocker. Windows 8 and newer's implementation of BitLocker allow for it to ask for a password before boot even if a TPM chip isn't present. Of course, not all Windows editions have BitLocker usable.

      Of course, there are third party utilities. PGP (the commercial version owned by Symantec) comes to mind, which can encrypt Windows, Linux, and Mac volumes. I doubt this would ever be possible, but if their code was released with a free license, this likely would be the best Truecrypt replacement, although it wouldn't have hidden volume functionality.

      • Linux has LUKS and dm-crypt (Android uses a modified version of dm-crypt to protect the /data partition in newer revs.)

        re: TrueCrypt container format, dm-crypt and cryptsetup/LUKS: http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations [tumblr.com]

      • by tlhIngan (30335)

        OS X has FileVault 2, which can encrypt drives with a couple clicks. OS X also has a utility that makes sparse images, using "bands", which allows one to have an encrypted volume grow and shrink as needed. Of course, there is a loss of security with this feature, but it adds versatility.

        Actually, bands are created so you can back up the encrypted volume files without bloating your backups.

        Think about it - you mount your encrypted disk, then do some file operations - perhaps edit a file. You close the encryp

        • by mlts (1038732) *

          Apple's solution is quite elegant to this problem with the 8MB bands, so if one change is done to a very large file, only one, possibly two bands change. I just wish something similar was available on other platforms.

          Of course the downside is that a determined attacker can see what bands change over time and then guess what is in that data, but that is a relatively low threat, and could be countered by tossing some files in a junk directory and deleting them at random.

      • Not everyone is
        A) ready to shell out $100 for bitlocker (for windows professional) when they could simply buy the better, and cross-platform, bestcrypt;
        B) ready to trust Microsoft's FDE.

  • I'm all for an audit (Score:2, Interesting)

    by koan (80826)

    I do have one question, if you need reliable encryption and privacy why is your operating system Windows?

    • You do realize that between the NSA, FSB, various other TLAs and countless Russian and Chinese hackers, the Windows source code has been the subject of more careful and complete reviews than any other operating system. Ever.

      • by Lennie (16154)

        Most of these organisations don't get to compile their own, they get the source and the binaries separately AND I wouldn't be surprised if it only compiles with the Microsoft toolchain.

        Good luck with that.

  • by Smidge204 (605297) on Wednesday October 16, 2013 @10:40AM (#45143015) Journal

    I use the best encryption ever for everything I need to keep secret. The algorithm is a simple bitwise XOR applied to every byte in the file, using the data itself as a one-time pad. Completely uncrackable unless you know the data that was used for the pad.

    The output also compresses really well!
    =Smidge=

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Good, but the decryption is o(god).

  • The writing random bytes thing, but only on Windows, is rather puzzling. It seems like one way to build confidence that's faster than setting up a deterministic build (which at any rate, would not necessarily be accepted by the TrueCrypt authors it seems), would be to open up the binaries in IDA Pro and figure out if the bytes written there on Windows truly are random or if they are not.

    • open up the binaries in IDA Pro and figure out if the bytes written there on Windows truly are random or if they are not.

      One of the very mechanics that TrueCrypt relies on for its plausible deniability for hidden volumes is that mathematically it is very difficult to prove whether the data is random or encrypted...not to mention the difficulty with computers and ever generating "truly random" data, which I believe there was just an article about this week.

  • Oh really? (Score:4, Interesting)

    by Sperbels (1008585) on Wednesday October 16, 2013 @11:01AM (#45143255)

    "TrueCrypt has been part of security-minded users' toolkits for nearly a decade — but there's one problem: no one has ever conducted a full security audit on it except the NSA."

    FTFY

  • by Anonymous Coward

    Ask the author how they compile it. Get that exact source and compile it that way. Then work out each difference. Libs get searched in directory or date order? Tweak that. Till all that is different are a few timestamps NIC MAC's, etc.

    Then just audit the source. Non-trivial in itself.
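Added example serving both the TrueCrypt FAQ's "compile the source and compare the resulting executable with the official one, then explain the differences" advice and the compile-it-the-same-way suggestion in the comment above (this is not TrueCrypt's own tooling): a Python normalizer that masks the three PE fields a clean rebuild legitimately changes, the COFF TimeDateStamp, the optional-header CheckSum and the appended Authenticode certificate table, and then lists every byte offset that still differs so the auditor knows exactly what to take to a disassembler. The PE images are constructed in memory (a header plus one blob of "code"); a real comparison of TrueCrypt.exe would also have to account for debug-directory GUIDs and PDB paths, resource version blobs and linker-order differences, which this code deliberately does not mask.

```python
"""Compare an 'official' PE build with a local rebuild after masking the fields
a compiler/linker/signing step legitimately changes.  Added example, not
TrueCrypt project code; the PE images below are constructed in memory."""
import hashlib
import struct

SECURITY_DIR = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode table)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def normalize_pe(data: bytes) -> bytes:
    """Zero the COFF TimeDateStamp and optional-header CheckSum and strip the
    Authenticode certificate table, so two builds of identical code compare equal."""
    buf = bytearray(data)
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    struct.pack_into("<I", buf, coff + 4, 0)              # TimeDateStamp
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    struct.pack_into("<I", buf, opt + 64, 0)              # CheckSum (same offset in PE32/PE32+)
    dd = opt + (96 if magic == PE32_MAGIC else 112)       # first data directory entry
    sec_off, sec_size = struct.unpack_from("<II", buf, dd + 8 * SECURITY_DIR)
    if sec_size:
        struct.pack_into("<II", buf, dd + 8 * SECURITY_DIR, 0, 0)
        if sec_off + sec_size == len(buf):                # signature appended at EOF
            del buf[sec_off:]
        else:                                             # unusual placement: blank it
            buf[sec_off:sec_off + sec_size] = bytes(sec_size)
    return bytes(buf)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets where two equal-length images still differ after
    normalization; these are what the auditor must explain (e.g. by disassembly)."""
    if len(a) != len(b):
        raise ValueError("sizes differ: %d vs %d" % (len(a), len(b)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def same_build(a: bytes, b: bytes) -> bool:
    return hashlib.sha256(normalize_pe(a)).digest() == hashlib.sha256(normalize_pe(b)).digest()


def build_fake_pe(timestamp: int, checksum: int, code: bytes, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers + one blob of 'code'), just enough
    for normalize_pe; real binaries also carry sections, debug directories, etc."""
    opt_size = 96 + 16 * 8                                # PE32 optional header incl. 16 dirs
    hdr_end = 0x40 + 4 + 20 + opt_size
    buf = bytearray(hdr_end)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)               # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHIIIHH", buf, coff, 0x14C, 1, timestamp, 0, 0, opt_size, 0x102)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 64, checksum)
    buf += code
    if signature:
        struct.pack_into("<II", buf, opt + 96 + 8 * SECURITY_DIR, len(buf), len(signature))
        buf += signature
    return bytes(buf)


# Constructed sample "code" blob; the official copy is signed, the rebuild is not.
CODE = bytes.fromhex("558bec83ec10c745fc00000000") * 4
OFFICIAL = build_fake_pe(0x5256A9B0, 0x0001E240, CODE, b"\x30\x82CERTBLOB" * 4)
REBUILT = build_fake_pe(0x5257AAAA, 0x0001F000, CODE)
TAMPERED = build_fake_pe(0x5257AAAA, 0x0001F000, CODE[:-1] + b"\xCC")

if __name__ == "__main__":
    print("official vs rebuilt :", same_build(OFFICIAL, REBUILT))    # True
    print("official vs tampered:", same_build(OFFICIAL, TAMPERED))   # False
    print("offsets to explain  :", diff_offsets(normalize_pe(OFFICIAL), normalize_pe(TAMPERED)))
```

The point of `diff_offsets` is the FAQ's second step: after timestamps and the signature are out of the way, every remaining differing byte must be attributed to a benign cause or to a divergence between the shipped binary and the published source. An offset landing inside a code section, as in the `TAMPERED` case, is exactly the kind of difference that needs a disassembler rather than a shrug.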

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Ask the author how they compile it.

      Great idea!

      Now we just need to find the unknown, anonymous author...

      • by gl4ss (559668)

        ..another idea, if the original compiler guy of the windows version is unknown.

        just compile the windows version and start distributing that.

  • by Anonymous Coward on Wednesday October 16, 2013 @11:40AM (#45143673)

    Be in no doubt. You are NOT witnessing an attempt to ensure the security of Truecrypt. You ARE seeing a standard FUD play by NSA people against one of the greatest thorns in their side.

    Put this in the same category as those regular stories that appear on Slashdot and elsewhere, telling you that you CANNOT ever be sure that your erased data on your Hard-drive cannot be recovered by sophisticated forensic analysis of the magnetic surface. The NSA even paid to have a peer-reviewed paper placed in the scientific literature claiming such recovery is possible- despite the fact that such a claim is provably laughable.

    Here's the mathematical proof of NON-recoverability of properly deleted data.
    - let us say that you fill a HDD with target data, and now over-write that data with a RANDOM series of bytes. If the original data CAN be recovered, we have DOUBLED the capacity of the HDD, because logically there can be no distinction between the original data, and the random data used to erase it.
    - now, let's say we wipe again with another random sequence. If the original data can be recovered, we have TRIPLED the capacity of the HDD, for the reason stated above.
    - and again, we wipe with another random wave. If the original data is STILL recoverable, we have quadrupled the functioning capacity of the HDD.
    - repeat, etc.

    The problem is that the HDD is designed, given the head, recording signal, and surface material, to only support the original capacity under the signal theory that covers the current method of recording. It does NOT matter that in theory, the disk material MAY be able to save far more data with a different head, and signal method. Only the current method matters.

    But the owners of Slashdot will allow periodic FUD articles to appear that DISCOURAGE people from using proper file erase tools, on the basis that its actually a waste of time, because the NSA can still get your data no matter how you erase it.

    Much of what the NSA engages in is PSYCHOLOGICAL WARFARE. Major US TV networks and film studios, for instance, have been ordered to NEVER reveal the fact that ALL mobile phones in the USA have their location continually tracked by cell tower triangulation methods. While it is actually LAW in the US that every cell phone must have continuous location tracking ability, the US government believes many criminals are inherently stupid, and will allow their cell phones to produce evidence against them ***IF*** they have false ideas about how cell phone technology works. US Dramas like 'Shameless' (the US remake) and films like 'The Call' have actually informed the audience that ONLY phones with real GPS chips can be location-tracked- a complete and total lie, but a lie designed to sink into the unsophisticated minds of the sheeple.

    The truth about the strength of Truecrypt is the complete LACK of stories about Truecrypt being defeated in practice. Shills will try to tell you that this is because Truecrypt is defeated in super-secret cases you can't be allowed to hear about, but this is a nonsense for two reasons. If you are a high level target of the NSA, nothing can save you, so the security of any encryption system is irrelevant. If systems like Truecrypt are defeated as part of ordinary governmental actions, the government, by law, has to allow this fact to be known (the RIGHT to a fair trial, etc).

    So instead, you get this FUD attack against Truecrypt, which will persuade a certain percentage of suckers to NOT bother using Truecrypt in the first place, give up using it, or transfer to a commercial alternative that is DEFINITELY compromised by the NSA (ALL commercial encryption software is compromised).

    • If they had the ability to break TrueCrypt encryption, they would want people to keep using TrueCrypt and thus not say anything.

      But both that, and the "doubling hard drive capacity" bit is ignoring the possibility of ridiculously expensive tools that allow one to laboriously do things normal people can't.

    • by Anonymous Coward on Wednesday October 16, 2013 @01:50PM (#45145309)

      I have a fair amount of experience in the field (I'll leave it at that, as my credentials are not of relevance to my point). I performed an audit of TrueCrypt 6.0 when it came out, and I was not able to detect anything wrong. A few details of the header format are a little out in the documentation (e.g. GF(256) addition instead of XOR for whitening, but hardly of any security impact, the curious choice of RIPEMD160 in the morning, which actually seems to be due to simple "it fits" criteria) but that's about it. I didn't see any 'back doors' in the copy I had. (Obviously, with the concerns regarding x.509 CAs and TLS, I can't speak for the copy you might have.)

      The only times I've ever seen TrueCrypt cracked by SIGINT or LE agencies, it involved: hardware keyloggers, Firewire DMA attacks, NONSTOP attacks (or 'cold boot' attacks as the open-source security community later dubbed them - they're not as new as you'd think, crackers were doing them in the 80s - when they were, admittedly, easier), or brute-force analysis of short crappy passwords. They used Cell processors in parallel to do that (at one point, literally a cluster of PlayStation 3s running Linux). This is consistent with TrueCrypt's documentation. They have certainly failed to crack TrueCrypt in several high-profile terrorism cases where they would really, really like to do so. It seems reasonable to conclude that in general, they cannot work through it, only around it.

      It also seems likely that if they are unable to crack it, they are likely to dissuade people from using it by social engineering, and perhaps direct them to weaker tools that are easier for them to subvert. I concur with parent on that point.

      But ultimately, you don't have to trust me. You shouldn't. Many eyes do make bugs shallow, as long as the eyes are actually there and actually look. A few more eyes definitely can't hurt on a security-critical project like this. Please, by all means independently audit it. It is good practice that all software with a security impact, particularly high-profile cryptography software, should be audited whenever possible. That is entirely laudable, and we should do it.

    • by Kjella (173770) on Wednesday October 16, 2013 @02:51PM (#45145949) Homepage

      The problem is that the HDD is designed, given the head, recording signal, and surface material, to only support the original capacity under the signal theory that covers the current method of recording. It does NOT matter that in theory, the disk material MAY be able to save far more data with a different head, and signal method. Only the current method matters. But the owners of Slashdot will allow periodic FUD articles to appear that DISCOURAGE people from using proper file erase tools, on the basis that its actually a waste of time, because the NSA can still get your data no matter how you erase it.

      You sure YOU don't work for the NSA? The recording capability is what it is, but the reading capability is whatever you can put in a $100 consumer drive operating at 100MB/s with 1 error in 10^14 bits accuracy. What you can do with a >$1 million electron microscope at 1/1000th the speed at 1/1000th the accuracy is another matter. You might not want a 0.1 MB/s drive that corrupts a bit every megabyte but for forensics that's plenty. Never mind that all modern drives just pretend to offer you a linear disc, in reality it remaps a whole sector if a single bit fails. How much compromising info can you write in 4023 out of 4024 bits of a 4K sector? It's not useless but everything you hope to achieve with erasing is better achieved with encryption. Nor are they mutually exclusive, if you want to wipe your encrypted drive for that extra unrecoverable feeling go ahead.

  • by johanw (1001493) on Wednesday October 16, 2013 @11:50AM (#45143775)

    The current version of TrueCrypt is 7.1a. Why are they only talking of older versions?

  • It's time to assume that all forms of encryption and communication have been compromised and probably have been for many years. There's no coming back from this when the most powerful country on Earth intends to keep things this way.

    • by johanw (1001493)

      Why? Open source can help here very much, and the most bankrupt country on Earth can do nothing to stop publishing code.

  • Why bother auditing a closed binary which can change drastically from one version to the next, requiring a near-complete (if not total) re-audit (a laborious process the first time around)?

    The better solution is to look to open source implementations, like tcplay [github.com]. Audit an open source implementation, where it's easy to see exactly what changed and how it might affect the machine's state.

    This is a bad solution to a non-problem.
