TrueCrypt Audit Report is done. Results: Mostly really good!

The truecrypt audit that was started some time ago is apparently finished with some good results.

Btw. Are there any plans for similar audits for the SAFE network specifically for the security/encryption part ? I remember that David said in the London hangout session that an audit found no significant bugs when an audit was done by an outside team. Was security/encryption explicitly tested?

EDIT:

Link to the full report

3 Likes

I was actually going to post this to the other discussion. The secondary theory was that the truecrypt received one of those secret cease-and-desist orders (or whatever they are called). Everything about this was strange.

3 Likes

No, but in saying that the internal crypto is cryptopp which was tested by that project, its a huge area though. I did ask Bruce Schneider to check the basic design when I started (in days when I had never more than 2 months salary in bank) and he said he would read the papers for $40,000 then make his mind up, I could not afford that as initial evaluation. This was a reason to fire in some patents as well to get at least some input.

If we did a security evaluation we would be looking at a very long process (truecrypt was over a year I think) but as we increase in user base this should happen for sure. I would hope it does independently as that would be best.

We sponsor some post doctorate students to find attacks in the design and have approached many universities and presented this, all great results from initial disbelief. This is the design though not the implementation which is a different issue to a great extent.

7 Likes

It’s time for a TrueCrypt Conspiracy Nonsense Theory v2.0!

1 Like

Man, getting an endorsement from Bruce Schneier (I guess you’re talking about Schneier, not Schneider) would be a pretty big thing PR wise. If this is feasible from a financial standpoint somewhere in the near future, this should absolutely happen I think. Nevertheless, there should definitely be an audit and/or a bounty program for bugs in the system. This seems to working quite well for everybody else.

3 Likes

Not worth $40,000 for any individual to just read the paper. That is just taking advantage.
Crowd source the auditing process and for $40,000 you can have a bunch of people read the paper.
Find someone with similar credentials but less famous than Bruce Schneier and pay them less for an entire and thorough audit.

Exactly…I’ll have a flick through it for $40… :smiley:

1 Like