Horrors of murky TrueCrypt to be probed once more

Abandoned crypto tool may hold security treasure for bold explorers


The gears of the TrueCrypt audit have whirred into life overnight with boffins poised to again probe the open source crypto tool after nearly a year of waiting.

A tiny team will fondle the tool's random number generators, cipher suites and key algorithms in a bid to pull the internet's favourite crypto suite out of the pariah status it attained when its developers claimed it contained unspecified vulnerabilities and recommended users adopt alternatives like Microsoft's BitLocker.

Auditor and crypto boffin Matthew Green says questions were asked about the worth of the project after flaws surfaced last April.

"... in the wake of TrueCrypt pulling the plug, there were questions; Was this a good use of folks' time and resources? What about applying those resources to the new TrueCrypt forks that have sprung up," Green says in a post.

"The second and much more challenging part involves a detailed look at the cryptography of TrueCrypt, ranging from the symmetric encryption to the random number generator.

"It took us a while to recover from this and come up with a plan b that works within our budget and makes sense [and] we're now implementing this."

Green says this second tranche of tests will be much more difficult than the first, comparatively speedy run-through, which uncovered security vulnerabilities but no backdoors.

Consultancy NCC Group, formed from the original auditors iSec Partners, is working on flexible dates during the audit to make the crowd-sourced money spin further, a thrifty feat that may delay the final results.

Green and associates have not been idle, however, saying they probed parts of the TrueCrypt random number generator and other crypto areas that will hopefully be worked into the audit.

If backdoors are not found at the completion of the audit, it would likely signal a rush of uptake in TrueCrypt by users who, thanks to Snowden revelations, are increasingly distrustful of the integrity of popular technology.

Users can stay abreast of developments on the audit homepage.

News that bods are still working on the cryptanalysis of TrueCrypt version 7.1a is also notable as it squashes rumours that national security agencies had put a kibosh on the project during its hiatus. ®

