http://arstechnica.com/security/2015/04/truecrypt-security-audit-is-good-news-so-why-all-the-glum-faces/
By Dan Goodin
Ars Technica
Apr 2, 2015

The ongoing audit of the TrueCrypt whole-disk encryption tool used by
millions of privacy and security enthusiasts has reached an important
milestone—a detailed review of its cryptographic underpinnings that found
no backdoors or fatal flaws.

The 21-page Open Cryptographic review published Thursday uncovered four
vulnerabilities, the most serious of which involved the use of a Windows
programming interface to generate random numbers used by cryptographic
keys. While that's a flaw that cryptographers say should be fixed, there's
no immediate indication that the bug undermines the core security promise
of TrueCrypt. To exploit it and the other bugs, attackers would most
likely have to compromise the computer running the crypto program. None of
the vulnerabilities appear to allow the leaking of plaintext or secret key
material or allow attackers to use malformed inputs to subvert TrueCrypt.

The report was produced by researchers from information security
consultancy NCC Group.

"The TL;DR is that based on this audit, TrueCrypt appears to be a
relatively well-designed piece of crypto software," Matt Green, a Johns
Hopkins University professor specializing in cryptography and an audit
organizer, wrote in a blog post accompanying Thursday's report. "The NCC
audit found no evidence of deliberate backdoors, or any severe design
flaws that will make the software insecure in most instances."

"The good news is there weren't any devastating findings, which is great
news," Kenn White, a North Carolina-based computer scientist and audit
organizer, told Ars. "The mixed news is what happens next with the
project."
[...]