Not found the rear door: open source encryption software TrueCrypt security audit-vulnerability warning-the black bar safety net

2015-04-07T00:00:00
ID MYHACK58:62201560855
Type myhack58
Reporter 佚名
Modified 2015-04-07T00:00:00

Description

TrueCrypt is a popular open source file encryption software, which the user includes a large number of“sensitive persons”, such as businessmen, politicians, journalists, and therefore its safety has been well received by the attention. 2 0 1 4 年 5 months, the open source encryption software TrueCrypt abruptly on its official website warning Windows users to switch to Microsoft's BitLocker-encrypted disk, and with a big red Word of warning using TrueCrypt is not secure. ! Rest assured that with the right, not the back door The face of many for TrueCrypt whether hidden back door to worry about, from the NCC Safety Audit staff and cryptography experts on the TrueCrypt security audit comprehensive Safety Audit, and good results were long Shu tone: "TrueCrypt is a relatively design excellent encryption software, the NCC audit did not find the software there is the back door of the evidence, or anything that might lead to software unsafe serious design vulnerability." A year ago, ISEC completion of the TrueCrypt the first stage of the code audit, although not found significant security issues, but found a 1 1 medium and low-risk software vulnerability. ! The NCC's auditors recently published a report for up to 2 1-page public report that discloses the TrueCrypt random number generation program and Key Key algorithm encryption method to check the results. Vulnerability description The report discloses TrueCrypt 4 of the vulnerabilities, but these vulnerabilities are not affected to the encryption. 1, The key file of the mix from the Cryptography point of view that is not thorough enough---low-risk 2, the encrypted volume header has not authorized the ciphertext--to be determined 3, the CryptAcquireContext in certain scenarios might fail--high-risk 4, the AES encryption may be affected by the"cache timing attack" - high risk