Researchers found no backdoors after finishing second TrueCrypt audit




After a second audit round, researchers who are part of the Open Crypto Audit Project does not purposefully loopholes or critical security holes in the open-source encryption software TrueCrypt found. Well there are a few flaws found.

TrueCrypt In April last year, a first report after analyzing the kernel driver for Windows and the TrueCrypt boot loader conducted by the firm iSEC Partners. Therein no backdoors or critical bugs were found that might destroy the encryption or weaken. In February it was announced that there would soon be published results of a second audit round, taking on board the cryptographic mechanisms of TrueCrypt.

Meanwhile, the results are published . The main conclusion is that there are no loopholes or critical bugs are found in the second audit. According to researchers from NCC Crypto Services TrueCrypt a relatively well-designed encryption package, though there are a few flaws in the code found in specific circumstances could reduce the reliability of encryption.

As an example, the random number generator is mentioned in the Windows version of TrueCrypt. This mechanism is used to randomly generate as possible keys. However, a ‘predictable’ rng can make the encryption vulnerable. TrueCrypt in Windows various sources to generate random numbers, including the Windows Crypto API. According to the audit report can be this api not started well in some very rare cases, but remains TrueCrypt still generate keys, while the software is actually at that time would have to stop this process. Yet the risk of abuse would be small, because sufficient other sources in the so-called entropy pool is drawn to generate strong keys, such movements with the mouse. However, it is to developers who want to create forks using the TrueCrypt code urged to adapt this mechanism.

Another flaw was found in how TrueCrypt takes appropriate precautions against so-called cache timing attacks is used as the AES algorithm. Such attacks, however, can only be done on systems that are shared or as a third code on a system can run.


In: Technology & Gadgets Asked By: [15519 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »