Friday 3 April 2015

Researchers Found No Backdoor In TrueCrypt


Researchers have completed the investigation into the cryptographic functionality of TrueCrypt and found no backdoors or other intentional introduced vulnerabilities in the encryption software. However, the software is not perfect and contains some errors. TrueCrypt is a popular program for encrypting files and computers. Despite the popularity of the source code and cryptographic functionality of the software has never been audited.

Several experts therefore decided to raise money through crowdfunding for an audit. Last January, the TrueCrypt boot loader and Windows kernel driver audited, with the audit report was presented in April of the same year. There were no backdoors to be present in the software. The second part of the audit would focus on the cryptographic operation of the encryption program.

End of May 2014 decided the TrueCrypt developers suddenly stop the development of the software and advised users to stop using. This ensured that the audit of the cryptographic operation was delayed, but early this year was yet started. The results have just been published ( pdf ) showing that TrueCrypt is a well-designed encryption program.

There were no intentional backdoors or other serious design errors encountered that would infest the software. However, the software is not perfect, says cryptography professor Matthew Green . The auditors discovered "Programming imprudent" several errors and that in some cases can lead to problems that TrueCrypt guarantee less than desirable.

Biggest problem

The biggest problem was found for the "random number generator" (RNG) of the Windows version. TrueCrypt used to generate the keys that TrueCrypt volumes are encrypted. An important part, because if the RNG is predictable, this may undermine the security of the system. The RNG in TrueCrypt is based on a design from 1998 by Peter Guttman. This RNG is trying "unpredictable" values ​​from disconnecting it and used here include the Windows Crypto API.

In very special cases, the Crypto API could not be initialized. If this happens TrueCrypt would have to stop and give a warning, but the program seems to accept this quietly and continues to generate keys. According to Green, this is not the end of the world, because the probability of this happening is very small. Addition, it would TrueCrypt, in addition to the Crypto API, also retrieve values ​​from other parts of the system, such as mouse movements. This is probably good enough to protect users, notes the professor. "But it is a bad design and should definitely be resolved in divestitures of TrueCrypt."

No comments:

Post a Comment