[cryptome] Re: Open Crypto Audit Project TrueCrypt Cryptographic Review

  • From: Shaun O'Connor <capricorn8159@xxxxxxxxx>
  • To: cryptome@xxxxxxxxxxxxx
  • Date: Fri, 03 Apr 2015 12:28:25 +0100

It is curious that truecrypt was withdrawn from circulation in light of
( or was that prior to) the audit. in fact looking at the audit report
suggests that the fault lies not so much with the software but more so
to do with the host os ( windows was specifically mentioned , but not
which version ).

This raises the question, considering that the information appearing on
the truecrypt site suggested people use winlocker instead. was the site
itself compromized by adverse parties who where very aware that
truecrypt was, ( and probably remains) impervious to direct back-door



On 03/04/2015 11:55, Peter Presland wrote:

Here here!

On 03/04/2015 09:47, Александр wrote:
Yes, but much room for improvement. In phase 2 there were 4 vulns
discovered by the audit:

1- Keyfile mixing is not cryptographically sound (low).
2- Unauthenticated ciphertext in volume headers (undetermined).
3- CryptAcquireContext may silently fail in unusual scenarios
4- AES implementation susceptible to cache timing attacks (high).

Of course, my friend. There is much room for improvement. But after all
those roomers and speculations... after two phases of serious
professional audit... we see _NO backdoors. Nothing!_ (especially if we
take into account, that the project was dead since 2012 and officially
discontinued since the middle of 2013).

I am sure that VeraCrypt (https://veracrypt.codeplex.com/) and
CipherShed (https://ciphershed.org/) will work on those flaws.

Now, one can safely shut the mouths of those bastards who slandered this
excellent program and its developer!


Other related posts: