![]() The TrueCrypt program asked users to move a mouse around the screen randomly to seed its random number generator. However, it is equally plausible that theĪES implementation itself is broken in some arcane manner that mere mortals wouldn’t be able to detect with a cursory review of the code. Given the history of software crypto flaws, it seems probable that if TrueCrypt has a flaw, it would be in the implementation of the random number generator. Presumably even RSA doesn’t know where the backdoor is – and they employ some of the smartest cryptographers in the private sector. ![]() Crypto expert Bruce Schneier noted, “Back when the NSA was routinely weakening commercial cryptography, their favorite technique was reducing the entropy of the random number generator." Certainly this was the case when RSA was paid by NSA to default to the use of the Dual_EC_DRBG random number generator in its software encryption suite. This example alone should highlight how easy it is to cripple a crypto implementation. Few would argue that more eyes were looking at the Debian code than the TrueCrypt code. This bug may not have been introduced intentionally, but lived through two years of code review. This resulted in using only 15 bits of entropy used in key creation (for the uninitiated this basically translates as not very much making it very computationally viable to guess). In 2008, the Debian project crippled the random number generator for SSH keys by removing a single line of code. If indeed the TrueCrypt project was shuttered to avoid a cryptanalytic review of the code, then the audit should definitely go forward.Ĭrypto weakening problems are notoriously easy to insert into source code, but devilishly difficult to detect. “Pointless” they say… “a waste of money.” But maybe that’s a short-sighted view. Since TrueCrypt announced last week that they are closing up shop, many on social media have quipped that there’s no point in completing an audit. Is TrueCrypt pulling a phoenix a good thing? Several tweets from the Twitter handle (the group working on a comprehensive audit of the TrueCrypt code, which some have rumoured was the reason the developers abandoned ship with impending discoveries of backdoors or bugs) were the first clues but you can now see a group, TrueCrypt.ch which has stepped up to the plate. Following on from this announcement it looks like some are applying the defibrillators to the abandoned TrueCrypt project and intend to fork the code and continue development. When the page at was changed to a warning (and a set of migration instructions for Microsoft Bitlocker) the source code and old versions of TrueCrypt were also removed. Whilst at this time there is little to add in terms of the potential motives for this sudden announcement a variety of interesting things have happened to the project since - including announcements that mean TrueCrypt may not be as dead as we thought. In the article I covered the potential motives for this including the technical challenges with producing full disk encryption on modern hardware and operating systems. ![]() Last week I wrote about the suspicious and abrupt announcement that TrueCrypt, a popular free open source encryption solution, was being abandoned and is considered “harmful and no longer secure”.
0 Comments
Leave a Reply. |