This project has moved. For the latest updates, please go here.

Phase II TrueCrypt Audit Starting Soon

Topics: Users Discussion
Feb 25, 2015 at 2:30 PM
Coordinator
Feb 25, 2015 at 8:40 PM
This is good news for all of us as we need experts to look closely at the underlying cryptographic primitives used by TrueCrypt and inherited by VeraCrypt.

From what I see in the code, TrueCrypt was using well known public domain implementations of all cryptographic primitives so I don't expect any issue from this side. The use of these primitives can bring vulnerabilities and bugs like the Serpent bug that was corrected in VeraCrypt (description is here: http://stackoverflow.com/a/26072218/707093, code change is here: https://sourceforge.net/p/veracrypt/code/ci/86abdb1b12e855d1b92c103446b2cadf9c4e57a3/).

The random generator is the part for which I'm waiting to see their analysis. Its design follows well proven patterns but maybe there are new attacks that requires some adjustments. In VeraCrypt, a change was made to force the seeding of the generator using mouse movements before every sensitive operation whereas in TrueCrypt it was done only once per application run, so I expect this to be part of their finding.

The first report was interesting although it missed many issues and problems. I hope this time the audit will be conducted more thoroughly and deeply.
Feb 25, 2015 at 8:53 PM
Estimate time to completion is in the early to mid Spring. However, this time-frame is not guaranteed.

https://cryptoservices.github.io/fde/2015/02/18/truecrypt-phase-two.html
The timeline for performing the audit is not yet set in stone, but we expect to complete it in the early to mid Spring.