Nytro Posted October 24, 2013

TrueCrypt is an open-source encryption software capable of on-the-fly encryption on file-, partition- or disk-based virtual disks. It supports various ciphers, including AES, Serpent, Twofish or some combination of them; provides a full disk encryption (FDE) feature under Windows environment with pre-boot authentication; and even allows plausible deniability. Hence TrueCrypt seems to be a perfect solution to protect sensitive files. However, the recent news about the NSA programs enable all conspiracy theorists to imagine the worst of all. What if TrueCrypt was backdoored? What if the binaries provided on the website were different than the source code and they included hidden features? We show in this article how to reproduce a deterministic compilation process specific to TrueCrypt 7.1a for Windows that matches the official binaries, and relieve the world from at least some concerns.

[h=2]Article versions changelog[/h]

2013-10-24: Added analysis results of v7.0a and v6.3a
2013-10-23: Explained differences in more detail, added assembly comparison
2013-10-22: Added PGP/X.509 screenshots, clarified some comparison comments
2013-10-21: First version

[h=2]Challenges and implications[/h]

TrueCrypt is a project that doesn't provide deterministic builds. Hence, anyone compiling the sources will get different binaries, as pointed out by this article on Privacy Lover, saying that "it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt." This has led to some speculations regarding the possibility of having backdoors in the official binaries that cannot be found easily. This concern has also been raised in this analysis, saying: "Without a very expensive “reverse engineering” it can't be proved that they are compiled from the published source code.
Since we haven't done such a reverse engineering we can't preclude that there is a back door hidden within those binary packages."

Recently, the IsTrueCryptAuditedYet project was launched and aims at reviewing TrueCrypt's security and, among other things, providing deterministic builds so as to enable everyone to compare her version to the official one. However, it is still at an early stage (as of October 2013) and tries to raise funds first.

In this article, I present how I compiled TrueCrypt 7.1a for Windows and reached a very close match to the official binaries. I am also able to explain the small remaining differences and then prove that the official binaries indeed come from the public sources.

The article is here: https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
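The post above describes matching a self-built Windows binary against the official one and explaining the remaining differences. The following script is an added example, not code from the post or from the linked article: it lists the byte ranges where two PE files differ and flags those that fall inside the COFF header's TimeDateStamp, which the linker rewrites on every build and is therefore one expected source of difference in a non-deterministic build (the post itself does not say what the remaining differences were). The sample images are constructed, not real TrueCrypt binaries.

```python
import struct

def coff_timestamp_range(data: bytes):
    """Return (start, end) of the 4-byte TimeDateStamp in the COFF header, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    start = e_lfanew + 4 + 4   # signature(4) + Machine(2) + NumberOfSections(2)
    return (start, start + 4)

def diff_ranges(a: bytes, b: bytes):
    """Return half-open (start, end) ranges where a and b differ (length mismatch counts)."""
    ranges, n, i = [], max(len(a), len(b)), 0
    same = lambda k: k < len(a) and k < len(b) and a[k] == b[k]
    while i < n:
        if same(i):
            i += 1
            continue
        j = i
        while j < n and not same(j):
            j += 1
        ranges.append((i, j))
        i = j
    return ranges

def classify(official: bytes, rebuilt: bytes):
    """Label each differing range as 'timestamp' (inside TimeDateStamp) or 'unexplained'."""
    ts = coff_timestamp_range(official)
    out = []
    for start, end in diff_ranges(official, rebuilt):
        inside_ts = ts is not None and start >= ts[0] and end <= ts[1]
        out.append((start, end, "timestamp" if inside_ts else "unexplained"))
    return out

def make_sample(timestamp: int, payload: bytes) -> bytes:
    """Constructed minimal PE-like image: DOS header, e_lfanew=0x40, PE signature, COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff + payload

if __name__ == "__main__":
    official = make_sample(0x4F1C2A01, b"\x90" * 16)
    rebuilt = make_sample(0x52694B33, b"\x90" * 16)   # same code, different build time
    print(classify(official, rebuilt))   # [(72, 76, 'timestamp')]
```

Any range reported as "unexplained" is what an assembly-level comparison (as the article's changelog mentions) would have to account for before the rebuilt binary can be called equivalent.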
wildchild Posted October 24, 2013

My hunch was good. NSA can suck a cock!