Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

TrueCrypt cryptographic audit turns up little to fear

Glenn Fleishman | April 6, 2015
An independently created volume-encryption software project that shut down abruptly apparently has no lurking secrets, according to a new security audit.

After delays related to the project's shutdown, OCAP today released its long-awaited second audit phase, which looked more deeply at many aspect of TrueCrypt 7.1a, the penultimate release in 2012 that many people still rely on, and which was thought to be secure, even though it hadn't been proven. It's also important because of two projects that rely on the TrueCrypt codebase.

Ciphershed (alpha release) and VeraCrypt are "forked" releases, which expand and change the TrueCrypt format. Both support OS X. There remains some concern that TrueCrypt's software license doesn't allow these sort of forks, but these projects are proceeding nonetheless. (The anonymous developers would conceivably either have to uncloak or obtain counsel in order to pursue a copyright violation, and it's not crystal clear if they would prevail.)

The OCAP report found a few problems, none of them seemingly intentionally designed to allow unwanted access. The most severe is only an issue under Windows, and can be fixed relatively easily. The two descendant project say they've already fixed some problems they've found, and this audit should improve them even more.

The rest of the code

Without insinuating anything troubling about Apple, but rather understanding both the nature of government intrusion and gag orders, as well as remembering "gotofail," it's valid to ask questions about their code.

While Apple doesn't use the OpenSSL encryption library, we as iOS and OS X users are constantly connecting with servers and other software that does. Last year, the Heartbleed bug was discovered, a truly devastating security risk. Despite OpenSSL's extremely wide use and its collaborative, open-source approach, its code had become a poorly maintained mess over years despite a dedicated core of volunteers.

After Heartbleed, tech companies and foundations poured money into the project to allow it to hire and devote consistent programming time to improving it, and thousands of fixes have followed. Just a few days ago, the group sent out an alert in advance about a potential high-severity problem, which turned out to be obscure, but which they were able to find, patch, and release in a timely fashion. This is the direction one hopes things continue to go.

More recently, after Julia Angwin of ProPublica wrote about Werner Koch, the developer and maintainer of GNU Privacy Guard (GPG), which I've previously written about, he received grants and funding to continue his efforts at a sustainable and higher level. One guy was responsible, and lived sometimes on near-starvation wages, to keep a project of global utility going.

Apple could at a future point be unable to resist legally and comment publicly on changes required in their software and hardware. And it doesn't write bug-free code. No one does; no one can. Whatever internal procedures they have in-house, many eyes can improve on code, though there are plenty of times when critical flaws are introduced and unnoticed or remain in place for years or decades in other projects.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.