they could look at OpenSSL once they are finished here...
The first phase of crowd-funded audit of TrueCrypt has turned up several vulnerabilities, but nothing particularly amiss and certainly nothing that looks like a backdoor. iSEC Partners, which was contracted to carry out the audit by the Open Crypto Audit Project (OCAP), found 11 vulnerabilities in the full disk and file …
I thought this too.
Then I actually spent an idle couple of hours trying to make sense of some of the OpenSSL code.
Now admittedly, my C is a bit rusty but I wouldn't wish the auditing of the clusterfuck of preprocessor directives and godawful coding style that is the OpenSSL codebase on my worst enemy.
If an audit of OpenSSL was 'crowdfunded' (gods, I hate that term) then you'd actually need *two* funds - one to actually pay the auditors to do their thing and another for an extensive course of therapy for the poor sods afterwards.
No you wouldn't. The crypto routines are implemented from a set of standard published algorithms. It is relatively easy to prove that encrypting string X with key Y in TrueCrypt produces the same output as anyone else's AES.
There might be mistakes, there might be bugs which leave memory around and help you guess the keys, there might even be backdoors (if you are truly paranoid) in the original design of the algorithms that the NSA and Bruce put in there and the world's cryptographers haven't spotted.
But backdoors in the code that allow an NSA passwd to decrypt anything are going to be in the keyhandling. The big concern for TrueCrypt users was that on Windows you need to run a signed driver which you can't (easily) build yourself - so you have no idea if what you were running was what they claimed.
The problems found are comparatively minor, easily fixable, and indicative of competent people writing code just outside of their core competencies.
Well... some of these errors (the messing with different data types - signed & unsigned integers etc) do not look to my (granted, inexperienced) eye like something a competent programmer would do.
However, yes, the problems do seem fairly minor (once again, no C dev here so I admit my relative ignorance - though I must commend the report writers on their clear explanations)
... of course recognise the 'good practice' basis of your comment, given that TrueCrypt is free at point of consumption, who exactly would pay for the type and level of rigour you suggest?
Not in any way intended as a criticism, more a comment on certain limitations imposed on a product such as TrueCrypt and the developers behind it.
As The_Idiot says, where are they going to get the money from to do that on a regular basis? They would have to start charging for it, which would put many people off. Or a rich sponsor.
Doing a Kickstarter is a one-off, because it was in the news. That won't work if you are doing this every year or so.
Why can't TrueCrypt be audited by a company that is not based in the UK or in the US - i.e. potentially subject to GCHQ or the NSA leaning on them? iSEC is part of NCC Group - a UK company. I would not trust their audit, not until it is also audited by a company based in a land far-far-away from UK or US.