
Truecrypt report - java-man
http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
======
rsync
So there is now a complete truecrypt audit.

What is the checksum of the source tree that I can use to verify that I have
exactly the copy they audited?

I looked at the full report PDF and saw no mention of downloads, binaries,
source trees or checksums.

~~~
alexwlchan
There's a paragraph in the Phase I Audit Report (published a year ago) which
includes a checksum:

> The iSEC team reviewed the TrueCrypt 7.1a source code, which is publicly
> available as a zip archive (“truecrypt 7.1a source.zip”) at
> [http://www.truecrypt.org/downloads2](http://www.truecrypt.org/downloads2).
> The SHA1 hash of the reviewed zip archive is
> 4baa4660bf9369d6eeaeb63426768b74f77afdf2.

The Phase II report (today's release) claims to be auditing 7.1a, so I assume
it's exactly the same version and ZIP file.

Last June, they published "a verified TrueCrypt v. 7.1 source and binary
mirror", including file hashes, on GitHub:
[https://github.com/AuditProject/truecrypt-verified-mirror](https://github.com/AuditProject/truecrypt-verified-mirror)

I just cloned that repo and inspected the source ZIP; the SHA1 sum matches
what they quote in the report.

------
java-man
The TL;DR is that based on this audit, Truecrypt appears to be a relatively
well-designed piece of crypto software. The NCC audit found no evidence of
deliberate backdoors, or any severe design flaws that will make the software
insecure in most instances.

That doesn't mean Truecrypt is perfect. The auditors did find a few glitches
and some incautious programming -- leading to a couple of issues that could,
in the right circumstances, cause Truecrypt to give less assurance than we'd
like it to.

~~~
lucb1e
Yeah, that's right on top of the post but you comment it like you came up with
it yourself...

~~~
spdustin
Plenty of people check comments before the article. The summary was helpful.

~~~
ebbv
Yes and plenty of people make it clear when they're quoting the article.

~~~
java-man
You are right. I should have quoted the excerpt. Sorry.

~~~
chadzawistowski
Can you still edit the post?

~~~
java-man
No, I can't. I think the ability to edit disappears after a while.

------
pbsd
For what it's worth, regarding the recommendation in page 14 of the report,
there is a portable implementation (well, direct port of the SSSE3 code) of
AES-CTR in NaCl:
[https://github.com/jedisct1/libsodium/tree/master/src/libsod...](https://github.com/jedisct1/libsodium/tree/master/src/libsodium/crypto_stream/aes128ctr/portable).
Don't expect it to be fast or anything, but it exists.

------
acqq
The problem with not complaining if the Microsoft CryptoAPI can't be
initialized doesn't really appear to be a thing to worry about. I'd really like
to hear about any known Windows configuration on which the calls can fail, and
even if the calls would magically fail, the RNG uses other entropy sources,
including the user's own mouse movements, specially requested from the user
before the key is to be generated.

~~~
tomrittervg
> I'd really like to hear about any known Windows configuration on which the
> calls can fail

Mandatory Profiles

~~~
tedunangst
Is that likely to intersect with TrueCrypt use in a troublesome way? If you're
making the profile, don't do that; if somebody you don't like is making the
profile, you're already boned.

~~~
tomrittervg
> Is that likely to intersect with TrueCrypt use in a troublesome way

/shrug While it's certain that if you're operating inside a mandatory profile
you are at the mercy of whoever created it... but that doesn't mean that
people don't try to circumvent restrictions placed on them by their
Administrators.

It's also not clear to me just how common Mandatory Profiles actually are.

------
dtech
Very good to know. Does anyone know the status of the Truecrypt forks?
Although it has proven reliable and doesn't need a lot more functionality, it
will eventually break without further development.

~~~
java-man
Forks, in no particular order:

[https://ciphershed.org/](https://ciphershed.org/)

[https://truecrypt.ch/](https://truecrypt.ch/)

[https://veracrypt.codeplex.com/](https://veracrypt.codeplex.com/)

Also, please refer to this stackexchange thread:

[http://security.stackexchange.com/questions/58994/are-there-...](http://security.stackexchange.com/questions/58994/are-there-any-reasonable-truecrypt-forks)

~~~
jordigh
Has the licensing situation been clarified? The original license was not open
source, but it seems unlikely that it would be enforced, as that would involve
de-anonymising the copyright holders.

~~~
jstalin
There's nothing to clarify. You've summarized it correctly.

~~~
wtbob
I think perhaps by 'clarification' he was hoping for _resolution_ …

~~~
LLWM
It is resolved. Just not in the way you want.

------
toothbrush
Explained for a layperson: should i be using TrueCrypt, or is LUKS okay?
Anyone here use TrueCrypt for whatever reason?

~~~
sdevlin
Report coauthor here.

No significant issues were found in either phase of the TrueCrypt audit. If
you're using it today (or have used it in the past), I don't think you have
anything to worry about.

But it is an unmaintained piece of software, and for that reason I would
migrate away from it. If I were setting up a new laptop today, I wouldn't
consider installing it. If I had an existing laptop using it, I would think
about transitioning when I had some spare time.

Not a hair-on-fire problem, though.

~~~
Lawtonfogle
All else being equal it would make sense to move. But all else isn't equal and
having an audit and knowing the programmer knew their stuff enough to pass the
audit (especially since this is in the crypto field) seems to be a huge
benefit that other projects can't match right now.

~~~
tptacek
BitLocker and Filevault were almost certainly reviewed more carefully than
Truecrypt was (I didn't participate in either audit, but can confirm that both
of those companies allocate significant resources to third-party audits).

~~~
thesimon
Yeah, better trust US companies who are subject to NSA, which has been proven
to require no backdoors in software /s

~~~
sdevlin
If those companies wanted to subvert your TrueCrypt installation, they would
have an easy time of it.

~~~
mafribe
Could you sketch how, so we can think about countermeasures?

~~~
tedunangst
MITM the http connection you used to download truecrypt?

------
getdavidhiggins
Interesting reading, for those trying to reproduce the official binaries:

"How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries" ―

[https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binarie...](https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/)

------
rdtsc
Any news, insight or updates on why it is no longer maintained?

That always seems a bit shady and suspicious

~~~
wil421
This all happened when the Snowden leaks were coming out. I always assumed
that they were served with some type of National Security court orders,
papers, threats whatever the Govt sends out.

Similar to what happened with lavabit. I doubt the devs did anything, more
likely they were asked to do something they felt was shady. They could've seen
the storm that was brewing on the horizon.

~~~
kordless
> I doubt the devs did anything

The best course of action was to do nothing, given they couldn't talk about it
if they were served. Walking away was the only option.

This is pure speculation. Logical, but still speculation.

------
sandworm
Frankly, I have to dismiss this report. As Truecrypt is cross-platform and
this report evaluates Truecrypt only under Windows, this is at best 33% of a
report. A fault in the Linux/Mac implementations could result in failings in
the Windows version. For example, if the Mac version has issues with RNGs,
volumes created on Mac could be weak even when mounted and used on Windows
machines years later.

"Linux" only appears once in the report, and then only in a footnote.

------
java-man
Discussion on Arstechnica:

[http://arstechnica.com/security/2015/04/truecrypt-security-a...](http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/?comments=1)

------
chdir
This is good to know. Thank you for the great work. I've been looking for
alternatives, but I think I'll stick with TC for now.

1. Download it for your OS:
[https://www.grc.com/misc/truecrypt/truecrypt.htm](https://www.grc.com/misc/truecrypt/truecrypt.htm)

2. Verify the hash:
[https://defuse.ca/truecrypt-7.1a-hashes.htm](https://defuse.ca/truecrypt-7.1a-hashes.htm)
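The "verify the hash" step above, and the earlier question in this thread about checking that a downloaded source zip is the exact copy the auditors reviewed, both come down to the same check: hash the file locally and compare it against a digest the publisher printed somewhere you trust. The following Python is an added example written for this thread; it is not code from the audit project, from defuse.ca or from any TrueCrypt fork. The only real value in it is the Phase I SHA1 quoted from the report earlier in the thread; the sample files and the checksum list in `demo()` are constructed for the demo, and the `<hex>  <filename>` list format is an assumption modelled on `sha1sum`/`sha256sum` output rather than on the defuse.ca page's layout.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# SHA1 of the reviewed "truecrypt 7.1a source.zip", as quoted from the
# Phase I iSEC report earlier in this thread.
PHASE_I_SOURCE_ZIP_SHA1 = "4baa4660bf9369d6eeaeb63426768b74f77afdf2"


def file_digest(path, algo="sha1", chunk_size=1 << 20):
    """Hash a file in chunks so a large zip or installer need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(path, expected_hex, algo="sha1"):
    """Compare the computed digest with the published one (case-insensitive)."""
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def parse_checksum_file(text):
    """Parse sha1sum/sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>').

    Assumed format; blank lines and '#' comments are skipped, anything else
    that is not two tokens is rejected rather than silently ignored.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_tree(root, checksums, algo="sha1"):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every listed file.

    A listed file that is absent is reported, not skipped: a published list
    that names a file you do not have is itself worth noticing.
    """
    results = {}
    for name, expected in checksums.items():
        path = Path(root) / name
        if not path.is_file():
            results[name] = "missing"
        elif digest_matches(path, expected, algo):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed sample: one good file, one tampered file, one listed but absent."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "good.bin").write_bytes(b"abc")       # sha1 a9993e36...
        (Path(d) / "tampered.bin").write_bytes(b"abd")   # one byte changed
        checksum_text = """
        # constructed sha1sum-style list for the demo
        a9993e364706816aba3e25717850c26c9cd0d89d  good.bin
        a9993e364706816aba3e25717850c26c9cd0d89d  tampered.bin
        da39a3ee5e6b4b0d3255bfef95601890afd80709  absent.bin
        """
        return verify_tree(d, parse_checksum_file(checksum_text), "sha1")


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

To check a real download, call `digest_matches("truecrypt 7.1a source.zip", PHASE_I_SOURCE_ZIP_SHA1)` against the archive you fetched, or save the publisher's list to a file and feed its contents to `parse_checksum_file` followed by `verify_tree`. The digest you compare against must come from a source independent of the download itself (the report PDF, a mirror you already trust), otherwise whoever can alter the download can alter the hash next to it. The report published SHA1 because that is what it published; where a publisher also offers a SHA256 of the same file, prefer it, since SHA1 is no longer considered collision resistant.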

------
java-man
Link to PDF:
[https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_O...](https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf)

------
creshal
It's interesting that XTS mode in general is seen as a weakness – this has
implications for LUKS et al. as well, not just TrueCrypt.

~~~
JoachimSchipper
This is a known issue with (almost) any full-disk encryption - see e.g. our
own tptacek's [http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/](http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/).

~~~
keithpeter
_"Someday you’ll leave a laptop in the passenger seat of your parked car and
lose it when someone cinderblocks the window. When that happens, you’ll be
glad for the failsafe of locked-at-wakeup."_

Or, in my case, leave the laptop in a rather nice leather messenger bag on the
seat in the bus. Very reassuring that the average opportunistic thief (or as I
like to imagine, the skint teenager) basically has to wipe the hard drive and
reinstall an operating system.

Now, on Linux, has anyone here been able to get luksSuspend and luksResume
working with suspend to _RAM_ on a Debian/Ubuntu system? That would be golden.

[http://waaaaargh.github.io/gnu&linux/2013/08/06/lukssuspend-...](http://waaaaargh.github.io/gnu&linux/2013/08/06/lukssuspend-with-encrypted-root-on-archlinux/)

[http://askubuntu.com/questions/348196/how-do-i-enable-ubuntu...](http://askubuntu.com/questions/348196/how-do-i-enable-ubuntu-using-full-disk-encryption-to-call-lukssupend-before-sl)

------
jstalin
Is there a consensus project that's carrying on development?

------
tedks
I think the interesting lesson from this is less about crypto, more about
free-software projects and how to grow them.

The Truecrypt developers supposedly left because it wasn't interesting/fun for
them anymore. I believe that. Funding this audit required ~$65k in donations,
probably more than the Truecrypt project _ever_ saw. If you were the developer
of a project that you knew was solid, and you knew had no backdoors, how would
you feel about people essentially maligning you being able to generate more
cash than you've ever seen for your side project? That'd make me want to quit
too.

At the end of the day, which is preferable -- a TrueCrypt that was never
audited professionally, or a TrueCrypt with active developers?

How can we ensure security in open-source software without driving the
developers away in the future?

I think one way would be to match every single audit donation with a donation
to the upstream developers. If it's worth spending a dollar to audit software,
it's worth spending a dollar to keep that project alive and show the developer
you care. It would have taken twice as long to get the audit funded, but maybe
then the developer wouldn't have been hounded away.

Personally, though, I think this audit was a colossal waste of time and
resources. All it told us was something every truecrypt user was assuming
already, and it cost us all Truecrypt. What guarantee is there any of the new
developers are going to be as trustworthy as the original developers, or as
skilled?

~~~
tptacek
The Truecrypt Audit Project did not "cost you Truecrypt". The primary reason
the project was abandoned was that it's a 3rd party package that implements
something every operating system now implements for itself, better than
Truecrypt could. There is a mythology among Linux Truecrypt users that the
whole project was an effort to create a cross-platform encrypted disk scheme
to free users from the tyrannical yoke of I don't know LUKS, but I've seen
zero evidence that such a goal was particularly important to actual TC
developers.

~~~
krylon
Alas, TrueCrypt was/is the only free solution that allows you to encrypt a USB
flash drive (or create an encrypted container file on it) and thus exchange
data between a Mac, a Windows machine, and a Linux machine[1]. Maybe the
number of people who need/want that is small compared to the number of people
who want some form of whole disk encryption, but if you are one of those
people, you are pretty much screwed without TrueCrypt.

It would be really nice if there was some common container format you could
mount natively on these operating systems without the need for 3rd party
software. I think I remember reading about LUKS supporting TrueCrypt's
container format - but that, of course, only works on Linux. And frankly, I
don't see Apple and Microsoft either supporting the TrueCrypt container format
natively or getting together to define a new one.

Plus, BitLocker is not available on Vista Business and Windows 7 Pro. So if
you don't want to use Windows 8, again, you are kind of screwed.

[1] At least it was/is the only software that I know of which allows you to do
that. If there are alternatives, I would very much like to hear about them!

~~~
mhogomchungu
> I think I remember reading about LUKS supporting TrueCrypt's container
> format - but that, of course, only works on Linux.

"LUKS" stands for "Linux Unified Key Setup" and it is an "on-disk format";
its reference implementation is found in cryptsetup[1].

The LUKS on-disk format is supported on Windows through doxbox[2].

cryptsetup also supports the TrueCrypt on-disk format.

People usually say "LUKS" when they mean cryptsetup, as it makes no difference
to them, but I think it's important to know the difference.

[1]
[https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification](https://gitlab.com/cryptsetup/cryptsetup/wikis/Specification)

[2] [https://github.com/t-d-k/doxbox](https://github.com/t-d-k/doxbox)

~~~
krylon
Thank you very much for clearing that up!

------
yalogin
Can someone tell me why so much attention is paid to Truecrypt? Is it that
popular? I thought OpenSSL or Mozilla's crypto engine are the most used.

~~~
jonathantm
TLDR: It's a relatively easy way to create encrypted digital virtual drives.

---------------------------------------------

Details:

Truecrypt creates a .txt file - via a GUI - which is complete gibberish...
until you unlock it. It is then a mounted drive.

At time of creation of the Truecrypt volume you:

* set the drive size - it can be very small (ex: 1mb) to very large (many GB iirc)

* set the access credentials. This can be a password, or it can be a password and key-file - that is a file you must pass in addition to the password. The file can be any kind of file. A jpg, an MS Word doc file, an OS iso, a .pem or .ppk... it doesn't matter. I think the hash generated by the file is essentially a second passphrase. Change the contents of the file and you change the hash... it doesn't work. Pick your favorite picture among the tens of thousands you have backed up several places online... and it's much less obvious than the one or two .ppk files you have tucked away in your lastpass account.

* you can have a "hidden volume." Say for example somebody drugs you and hits you over the head with a wrench to get your Truecrypt volume access credentials. You give them the credentials, they unlock and mount the drive... and inside is your grandma's banana bread recipe... not your bitcoin wallet details. You gave them the passphrase to a "dummy volume." If you follow the instructions correctly regarding this you can have the actually valuable information hidden within the Truecrypt volume. There's no indication that any particular volume has a hidden volume in it or not. So there's a kind of "plausible deniability" about what's there.

~~~
Adlai
Any electric anthill operator worth his salt knows that banana bread recipes
aren't real secrets. A convincing dummy volume has a high-traffic mostly-empty
bitcoin wallet, with enough coins remaining that the agents can claim it was
recovered empty, and everybody goes home happy.

------
ikeboy
I'm imagining this being finished yesterday and them waiting a day to release
it.

~~~
tomrittervg
We had it finished earlier, but it was undergoing review. Matt and Kenn _did_
want to release it yesterday, I suggested stalling just a day =P

~~~
java-man
Thank you for your work!

