
TrueCrypt and its forks. #995

Closed
prodigeni opened this issue May 28, 2014 · 51 comments

Comments

@prodigeni
Contributor

https://news.ycombinator.com/item?id=7812133
truecrypt.org => truecrypt.sourceforge.net
https://gist.github.com/anonymous/e5791d5703325b9cf6d1

nylira added a commit that referenced this issue May 28, 2014
@nylira nylira closed this as completed May 28, 2014
@Zegnat
Collaborator

Zegnat commented May 29, 2014

Well… that was weird.

Even weirder when you realise TrueCrypt was still being recommended by people like Bruce Schneier and that the audit has not turned up anything new recently.

But none of that is weirder than the reason stated on the site:

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.

TrueCrypt was cross-platform, how is it in any way linked to Windows XP support?!

Worth noting however is that the audit will continue, as Green reported to Krebs on Security:

Green said he’s committed to finishing what he started with the code audit, if for no other reason than he’s sitting on $30,000 raised for just that purpose.

“Before this happened, we were in process of working with people to look at the crypto side of the code, and that was the project we were going to get done over this summer,” Green said. “Hopefully, we’ll be able to keep TrueCrypt.”

Who knows what the future will bring.

@Zegnat Zegnat mentioned this issue May 30, 2014
@Zegnat
Collaborator

Zegnat commented May 30, 2014

Wikipedia is still nicely keeping track of the TrueCrypt story so you do not have to follow everything in the blogosphere yourself. Some key points:

  1. It seems TrueCrypt was not pulled back because of current security issues, but because future issues would no longer be patched. The team no longer wanted to work on it. “We worked hard on this for 10 years, nothing lasts forever.” (source.)
  2. Two Swiss-based developers are doing a “TrueCryptNext”, wanting to rally a community around the original TrueCrypt source and work on a fork from there. You can read more on truecrypt.ch.
  3. The Open Crypto Audit Project (known for #istruecryptauditedyet) is “considering several scenarios, including potentially supporting a fork under appropriate free license, w/ a fully reproducible build.” (source.)

The Gibson Research Corporation is also keeping track of the latest news on their “TrueCrypt Latest Release Repository” where you can still download the latest 7.1a releases from their SSL signed domain. (Do not go downloading from just any TrueCrypt mirror, that’s how people will try to spread back-doored versions.)

So far most security researchers I have heard give their opinion have said there is no reason to believe there are any security problems as of yet and there should be no immediate threat associated with continued use.

@vyp
Collaborator

vyp commented Jun 1, 2014

Some more information for readers.

I agree that there shouldn't be any immediate threat to continued use, but I still think it may be compromised.

@Zegnat
Collaborator

Zegnat commented Jun 1, 2014

Reproducing @BigBroza’s take here from #1003:

I know there is an ongoing debate right now but I recommend you all to read this very carefully:

http://adminthe.net/?p=150

As the article states, there is absolutely no reason to think truecrypt has a security issue. In fact it is the only software which is undergoing a large independent crowd-funded audit, which has not found anything serious so far. The security warning is generic and can apply to absolutely any software (it may contain unfixed security issues).

truecrypt has been consistently advised as the best encryption solution out there

I believe truecrypt 7.1a must be reintegrated in the recommendations, and the warning should only apply to 7.2.

Removing truecrypt from the recommendations would be doing exactly what the NSA wished for had they sent a national security letter to truecrypt developers. Again, all of this is just way too sudden and incoherent to take that generic warning literally, especially when we have a serious audit saying the software is safe so far. So unless we get evidence of a vulnerability, I see no reason to remove truecrypt (7.1a) from recommendations, just warn people to not use 7.2.

I am not sure who is behind AdminThe.Net or what their security credentials are, but most of the things mentioned there have been mentioned before. And I mostly agree with this stance, I think there is no real problem with recommending TrueCrypt 7.1a.

The way I see it there are two main points for not reinstating TrueCrypt:

  1. It is no longer being maintained by anyone: projects have been rejected for this reason before.

    On the other hand, we include old and well known systems such as EncFS in the encryption category. These have not been updated in a long time.

  2. The developers themselves recommend against using this. This is probably the biggest hurdle. And the reason why I would like to wait for the audit before reinstating it.

@BigBroza

BigBroza commented Jun 2, 2014

point 2

The developer(s) also recommended using closed source products from large companies which are known to cooperate with the NSA according to Snowden leaked documents (project Bullrun), are you going to follow these recommendations too? I hope not. What I'm trying to say is these recommendations are just way too suspicious to be taken literally. There ought to be something going on we don't know about.

point 1

it's not that old, 7.1a was released in 2012, but that doesn't even matter, what matters is no other encryption software has been audited as deeply and as seriously as truecrypt, which makes it by far the most reliable solution at the moment, so unless we are to learn about a concrete flaw by the end of the second phase of the audit, I see no reason to remove truecrypt 7.1a from recommendations

Also why were all old revisions, binaries and sources alike, wiped off from the site? To replace them with a version that can not encrypt anymore. These extreme measures are very unusual from developers who would have just lost interest in maintaining a project. This whole affair has actually reinforced my conviction about truecrypt being the way to go. If the NSA is trying to put such a drastic end to truecrypt, it ought to mean it is exactly what I should use. And I hope the prism-break project does not exist to relay the NSA desire to know everything about everyone.

@theGuruWithin

BigBroza makes a lot of sense. The idea is to make it harder for the NSA. I agree this may be a ploy to get rid of TrueCrypt by the government... The Audit

https://opencryptoaudit.org/

and the Swiss Group taking the repository over

http://truecrypt.ch/

seem like encouraging steps... I would more appreciate the validation of both the audit & the Swiss group than anything else.

The message from TrueCrypt about not to be depended upon since XP isn't going to be supported has the STINK OF PROPAGANDA and desire to solve their problem through discrediting a tool for which there is no replacement. Maybe even the abandonment of XP by MSFT is a move to newer BACKDOORED OSs from MSFT.

Let's be real and look at the bigger picture along with the code.

thanks,
@theGuruWithin

On Mon, Jun 2, 2014 at 3:53 AM, BigBroza notifications@github.com wrote:

The developer(s) also recommended using closed sourced products for large companies which are known to cooperate with the NSA according to Snowden leaked documents (project Bullrun), are you going to follow these recommendations? I hope not. What I'm trying to say is these recommendations are just way too suspicious to be taken literally. There ought to be something going on we don't know about.

it's not that old, 7.1a was released in 2012, but that doesn't even matter, what matters is no other encryption software has been audited as deeply and as seriously as truecrypt, which makes it the most reliable solution at the moment, so unless we are to learn about a concrete flaw by the end of the second phase of the audit, I see no reason to remove truecrypt 7.1a from recommendations

This whole affair has actually reinforced my conviction about truecrypt being the way to go. If the NSA is trying to put an end to truecrypt that drastically, it ought to mean it is exactly what I should use.


@BigBroza

So is this it?
Can the NSA consider its mission to sabotage truecrypt successful?

@BigBroza BigBroza mentioned this issue Jun 10, 2014
@Zegnat
Collaborator

Zegnat commented Jun 11, 2014

Reopening this to keep people from opening new issues all the time. I was originally planning only to reopen this when new arguments became available.

What I'm trying to say is these recommendations are just way too suspicious to be taken literally. There ought to be something going on we don't know about.

Maybe. But “something going on we don’t know about” is hardly a valid reason to go against the developers’ wishes in my book. Note that I am not saying their claim that TrueCrypt is suddenly insecure has any merit, I am merely saying I believe a developer has the right to ask for his software to be removed from PRISM Break.

If cryptocat were to write a message tomorrow saying they deem their project a failure and urge people to move away from it PRISM Break would remove it from the list. Sure, there would be no reason why people cannot keep using it, the source is out there, and it might still be safe. But why should PRISM Break go against the developers’ wishes?

Also why were all old revisions, binaries and sources alike, wiped off from the site? To replace them with a version that can not encrypt anymore. These extreme measures are very unusual from developers who would have just lost interest in maintaining a project.

Only extreme if you believe the encryption works. If the TrueCrypt developers have some hidden reason to brand it “not secure” (as they put it on the website), they may not want to see any continued use of the old versions. (Again, I do not really believe it, but this would be a reasonable explanation.)

So are we “[relaying] the NSA desire” or the developers’? Obviously there is no way of knowing.

Also note that there is always EncFS. Which is audited and available on several platforms. There is no reason to think TrueCrypt is/was the only alternative.

To address your points in #1016:

the independent audit of truecrypt has not found any flaw so far

This is simply not true. The audit “found 8 vulnerabilities, and 3 informational issues”. (Source.) And from an earlier comment by you:

no other encryption software has been audited as deeply and as seriously as truecrypt

I guess that is ignoring Defuse Security’s audit of EncFS?

it was becoming a threat to NSA's access to any (backdoored) windows operating system out there

To elaborate on @hasufell’s comment back in #1016: if your OS really is backdoored then it would be a walk in the park for the NSA to grab the passkey to your TrueCrypt volumes. You have bigger problems than using TrueCrypt or not.


As far as reinstating TrueCrypt: which one do you want? Gibson’s (with independent hashes)? The Swiss? The recreated TrueCrypt website? The archive? Or a more promising fork like CipherShed?


For the philosophical or the conspiracy theorists: the message on the TrueCrypt website could be a Lavabit-like situation. They could have received a sealed court order to implement a backdoor in any and all future versions of TrueCrypt. Part of such an order (like a national security letter) could restrict the developers from speaking about it. Levison chose to shut down Lavabit; TrueCrypt can’t shut down a piece of software, so they did the next best thing: discredit themselves and make their next and final version only able to decrypt.

@Zegnat Zegnat reopened this Jun 11, 2014
@BigBroza

Reopening this to keep people from opening new issues all the time.

Thank you for reopening this issue. I am sorry to insist on it, but I am under the impression it is important enough to think it through further.

So are we “[relaying] the NSA desire” or the developers’? Obviously there is no way of knowing.

I am very much aware there is no direct proof so far, sadly, but that shouldn't stop us from using our reason. We do not have proof that truecrypt has a critical flaw at this point either.

But there are just too many whys. We have a message "may contain unfixed security issues", not "it does have that issue". Why "may" instead of "does"? Why is there no detail about the issue? Why were other versions removed, and why do they advise the use of NSA-backdoored solutions instead of credible alternatives?

If we stick to facts, we have a software which has been audited by crowd funds (about 70,000 USD iirc) exceeding all expectations and showing a real interest in that software, audit which has not revealed any serious flaw. Yes I am aware some minor flaws were discovered, but it just shows the audit has been thorough so far.

Another fact, truecrypt is what Snowden himself used, as well as some of the journalists he leaked documents to. http://www.dailydot.com/technology/truecrypt-dead-unsecure/
When the events happened, it was still truecrypt 7.1a and I would think NSA spies know what to use when they want to leak documents, of course this is assuming there hasn't been a new critical flaw discovered ever since, but we can at least rule out truecrypt being "infiltrated" or "backdoored" for a while.

Yes the truecrypt developers do not claim they have received a national security letter, but we know anybody receiving such a letter could not talk about it.

About the nature of the threat encryption software poses to NSA access to Windows operating systems, we do not know the details about their current level of access and I do not want to enter into speculation. We can not assume their methods have not evolved since the Snowden revelations. I wish I could tell you exactly through which module Windows will steal your private data but I can't, and even if I knew, the methods used are not set in stone and can evolve update after update. What we know for sure according to former Microsoft security advisors such as Caspar Bowden is "We can not trust Microsoft Windows", period. But sometimes we do not have a choice but to use it, sadly.

What I'm making out of it is, was truecrypt hindering NSA intelligence gathering, and would they need to put an end to it, things could not have happened any differently. Why would they target truecrypt and not other viable options? Perhaps because truecrypt had a lot more potential to get widely used. I am aware this is an opinion and not a fact. But I can not see a more plausible explanation to all of the whys I mentioned before.

My problem is right now the prism break website claims "truecrypt has security issues" but we don't know that for sure. The organizer of the TrueCrypt audit, Matthew Green, a security expert and cryptography professor, rather hopes a "volunteer group of programmers can be brought together to continue development of the TrueCrypt code".
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

@Zegnat
Collaborator

Zegnat commented Jun 11, 2014

My problem is right now the prism break website claims "truecrypt has security issues" but we don't know that for sure.

This I can agree with, even if we do not yet reinstate TrueCrypt. Feel free to open up a pull request with a better message.

@Zegnat Zegnat changed the title from “Remove truecrypt and put warning” to “TrueCrypt and its forks.” Jun 24, 2014
@Zegnat
Collaborator

Zegnat commented Jun 24, 2014

Administrative note: I have changed the title of this issue and labelled it for discussion. Please add all further discussion on reinstating TrueCrypt or substituting one of its forks here.

@mpmks11

mpmks11 commented Oct 7, 2014

I just started using truecrypt about two weeks ago and it works perfectly for me.

@Cathryne
Contributor

Cathryne commented Oct 8, 2014

Which version?

@mpmks11

mpmks11 commented Oct 9, 2014

7.1a

@strugee
Member

strugee commented Oct 9, 2014

7.1a

I think what @Cathryne probably meant to say was, "which fork?"

@Cathryne
Contributor

Cathryne commented Oct 9, 2014

No, I did mean the version ;-) If @mpmks11 had said "7.2" I would have recommended one of the 7.1a forks.

@BigBroza

http://www.theverge.com/2014/12/28/7458159/encryption-standards-the-nsa-cant-crack-pgp-tor-otr-snowden
New documents reveal which encryption tools the NSA couldn't crack

Among the encryption tools the NSA could not crack, surprise, surprise, truecrypt

Sarcasm, I'm not really surprised at all, I always knew truecrypt was stopped by a national security letter since that was the only logical explanation and have never stopped using it myself

I suggest you read the rest of the article for most useful info about other tools the NSA could not crack

@hasufell
Contributor

hasufell commented Apr 4, 2015

True Crypt v7.1a is not perfect, but secure!

err what? Did you read the part about "AES implementation susceptible to cache-timing attacks"?

The interesting part is now: who will fix it?

@Zegnat
Collaborator

Zegnat commented Apr 4, 2015

Did you read the part about "AES implementation susceptible to cache-timing attacks"?

I did not, as I have only had the time to read the surrounding media coverage (e.g. Schneier). Interesting how none of the articles I have seen have highlighted that in the slightest.

@hasufell
Contributor

hasufell commented Apr 4, 2015

In addition, read

B.3 Program Flow
Much of the review was focused on functions and use of cryptography as individual discrete components. The “state machine” governing when these lower-level functions are called, how errors are handled, and under what circumstances a function may not be called should be reviewed in more detail. While CS did look for errors of this sort, and did not identify any, the depth of review was governed by time constraints and merits additional examination.

I'm not sure I'd consider an audit anywhere near complete if it doesn't closely examine the Program Flow.

@BigBroza

BigBroza commented Apr 4, 2015

hasufell, did you miss the documents establishing that even the NSA could not crack truecrypt?

Reminder: http://www.theverge.com/2014/12/28/7458159/encryption-standards-the-nsa-cant-crack-pgp-tor-otr-snowden

ok so if you wouldn't rely on truecrypt, then on what else? based on what? your crusade is a bit suspicious

I am highly disappointed in the prism-break project. Something certainly isn't right if a project that was originally supposed to make it harder for the NSA has been warning users against truecrypt for so long, although it was obviously a ploy from the NSA, and although it is established to be one of a select few pieces of software that cause difficulty to the NSA.

@Zegnat
Collaborator

Zegnat commented Apr 4, 2015

@BigBroza, I would like to point out that none of these are @hasufell’s words. They are the direct findings of the independent audit.

Page 14 of the recently released Phase Ⅱ:

By choosing inputs carefully, an attacker can induce variable timing dependent on secret key material. By measuring these timings and making statistical inferences, they can recover secret keys completely.

I am not a security researcher, but the words ‘recover’ and ‘secret keys’ are not something I like to see in a single sentence. The Risk Summary (page 5) puts this vulnerability on a very high risk level, while the ‘sophistication required for an attacker’ is only middle-ish. You can probably assume the NSA has high sophistication, so they would definitely be able to make use of this vulnerability.

If that’s the case, who says the NSA wouldn’t be able to start using this vulnerability to obtain your keys? Or aren’t already doing so?

@vyp
Collaborator

vyp commented Apr 4, 2015

ok so if you wouldn't rely on truecrypt, then on what else?

...something certainly isn't right if a project that was originally supposed to make it harder for the nsa, has been warning users against truecrypt for so long, although it was obviously a ploy from the nsa, and although it is established to be one of a select few softwares that cause difficulty to the nsa

Honestly, my opinion is that we should _really_ stop pretending that Windows is viable to use whilst pursuing this goal of hindering the NSA. If dm-crypt is not a solution because it is not cross platform, then that is complete nonsense. I understand the "stepping stone theory" (i.e. using things on proprietary systems is not completely pointless as it may serve to ease the process to switch to a free system), but you cannot stay on Windows forever and proclaim "I'm secure".

Why are you so insistent on something which still has confirmed flaws, as hasufell and Zegnat point out? Not only does it have this vulnerability, but I feel the need to reiterate what hasufell said, "who will fix it?". Confirmed flaws and no one to fix it, at least for now. So you seem suspicious if anyone really.

I cannot believe you still trust it and use it. Maybe I'm wrong and you're right and it was some successful ploy by the NSA, but I feel the best course of action at the moment is clearly to treat it as lost. Better safe than sorry.

@hasufell
Contributor

hasufell commented Apr 4, 2015

Honestly, my opinion is that we should really stop pretending that Windows is viable to use whilst pursuing this goal of hindering the NSA.

@vyp
There is a huge thread here on prism break where I ranted for days about it. But it seems most people disagree. So be it.

If that’s the case, who says the NSA wouldn’t be able to start using this vulnerability to obtain your keys? Or aren’t already doing so?

@Zegnat
Yes... and the question remains: who is going to fix it? Which fork is actually properly maintained and so on.

@BigBroza I don't use any sort of disk encryption, because I think it is useless, unless you are using a laptop abroad. The main attack vector is not to steal your hard drive and decrypt it... it's getting into your PC while you are online and all files are already accessible. But I dare say that dm-crypt is currently a very sensible choice, because it is maintained within the kernel and every code change in the kernel goes through a huge hierarchy of reviewers until it ends up in Linus' repo. Sure, that's no guarantee, but developer workflow is an extremely important point when arguing about security/reliability.

@izmine

izmine commented Apr 4, 2015

Besides all (and sometimes too sophisticated) debates about truecrypt and its right now completed OSCP-Audit of v7.1a for Windows (see #995 and diverse „closed“ forks), please let us (also) remember what really counts!

Some facts about this „Snowden-proven“ piece of disk encryption-software out-on-fire/in-the-wild:

Operation Satyagraha

In July 2008, several TrueCrypt-secured hard drives were seized from Brazilian banker Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology (INC) tried unsuccessfully for five months to obtain access to his files on the TrueCrypt-protected disks. They enlisted the help of the FBI, who used dictionary attacks against Dantas' disks for over 12 months, but were still unable to decrypt them.

United States v. John Doe

In 2012 the United States 11th Circuit Court of Appeals ruled that a John Doe TrueCrypt user could not be compelled to decrypt several of his hard drives. The court's ruling noted that FBI forensic examiners were unable to get past TrueCrypt's encryption (and therefore were unable to access the data) unless Doe either decrypted the drives or gave the FBI the password, and the court then ruled that Doe's Fifth Amendment right to remain silent legally prevented the Government from making him or her do so.

David Miranda

On 18 August 2013 David Miranda, partner of journalist Glenn Greenwald, was detained at London's Heathrow Airport by Metropolitan Police while en route to Rio de Janeiro from Berlin. He was carrying with him an external hard drive said to be containing sensitive documents pertaining to the 2013 global surveillance disclosures sparked by Edward Snowden. Contents of the drive were encrypted by TrueCrypt, which authorities said "renders the material extremely difficult to access." Detective Superintendent Caroline Goode stated the hard drive contained around 60 gigabytes of data, "of which only 20 have been accessed to date." She further stated the process to decode the material was complex and "so far only 75 documents have been reconstructed since the property was initially received."

Guardian contributor Naomi Colvin concluded the statements were misleading, stating that it was possible Goode was not even referring to any actual encrypted material, but rather deleted files reconstructed from unencrypted, unallocated space on the hard drive, or even plaintext documents from Miranda's personal effects. Glenn Greenwald supported this assessment in an interview with Democracy Now!, mentioning that the UK government filed an affidavit asking the court to allow them to retain possession of Miranda's belongings. The grounds for the request were that they could not break the encryption, and were only able to access 75 of the documents that he was carrying, which Greenwald said "most of which were probably ones related to his school work and personal use."

James DeSilva

In February 2014, IT department employee James DeSilva was arrested on charges of sexual exploitation of a minor through the sharing of explicit images over the Internet. His computer, encrypted with TrueCrypt, was seized, and DeSilva refused to reveal the password. Forensics detectives from the Maricopa County Sheriff's Office were unable to gain access to his stored files.

https://en.wikipedia.org/wiki/TrueCrypt

@hasufell
Contributor

hasufell commented Apr 4, 2015

@izmine how does any of that help after the disclosure of high-severity vulnerabilities? You want to recommend software that is both discontinued and known to be vulnerable? Those two elements don't play well together. So I ask again: who is going to fix it? Who is properly maintaining that codebase?

@Zegnat
Collaborator

Zegnat commented Apr 4, 2015

As far as forks go, I had high hopes for CipherShed. They shared their thoughts on the Phase Ⅰ very openly and you can look up exactly who are leading the project. They have been terribly silent as of late though.

A lot of what we are talking about here depends on your personal threat level. Like @hasufell said, you probably do not even need full-disk encryption simply because someone stealing your drives isn’t part of your personal threat model. PRISM Break however deals with the highest threat level possible: a nation-size opponent targeting you specifically.

You are trying to keep your hard drive encrypted when facing an organisation that has been able to cast a dragnet over the entire internet, bringing in all sorts of communications, like the NSA. Or an organisation that has spent 20 years developing tools to wiretap you using firmware, something essential to use any of your hardware, like the Equation Group. These two may even be the same organisation.

I can certainly believe that the local sheriff’s office’s ‘forensics detectives’ were unable to crack AES. Or that the limited time U.K. officials had with Miranda’s hard drives would allow them to do any sort of statistical inference on the secret key.

But if you are a nation-sized player with no concern for time or money, what are the chances the Phase Ⅱ report is the first time you hear about TrueCrypt’s flawed AES implementation? Probably slim. And if you already knew about these flaws, would you already have developed the software needed to automate the timing attacks on TrueCrypt volumes? Probably so. As a website that is trying to stop such a big opponent from storing a copy of your hard drive and slowly hacking away at its protection, should PRISM Break recommend a tool that now has a publicly documented flaw? No.

And therein lies the real crux. Sure, you can do just as Bruce Schneier does and keep using TrueCrypt to protect your data. And you will probably be fine. However, PRISM Break should be recommending the many other encryption implementations that do not have known flaws. If dm-crypt is using an AES implementation that is not vulnerable to timing attacks, it is obvious we have to recommend that over TrueCrypt.

@izmine

izmine commented Apr 28, 2015

"how does any of the help after the disclosure of high-severity vulnerabilities?" (hasufell)

CryptAcquireContext may silently fail in unusual scenarios - Cryptography - High
AES implementation susceptible to cache-timing attacks - Cryptography - High

"should PRISM Break recommend a tool that now has a publicly documented flaw?" (zegnat)

YES!

(1) It does what it should do.

"I can certainly believe that the local sheriff’s office’s ‘forensics detectives’ were unable to crack AES. Or that the limited time U.K. officials had with Miranda’s hard drives would allow them to do any sort of statistical inference on the secret key."

"Belief" forgot these above examples:

FBI, "limited"? NSA, "un"limited? Remember: considering TC to be 'catastrophic', the NSA and GCHQ aren't amused. Also remember: an absolute insider-in-exile confirmed they can't crack it.

(2) "Not a security researching", but security researchers say:

The cache-timing issue is not a problem unless you're on a server like setting.
https://twitter.com/amp648/status/592067743957921792

Their conclusion in general:

There is no real vulnerability despite the high rating given by the report.
The keyfile mixing issue is the more realistic issue among them all but it has been known for years.
https://veracrypt.codeplex.com/discussions/616471#post1399210

(3) None of the alternatives is more and better audited by scientific experts.

@izmine

izmine commented Apr 28, 2015

"As far as forks go, I had high hopes for CipherShed. They shared their thoughts on the Phase Ⅰ very openly and you can look up exactly who are leading the project. They have been terribly silent as of late though."

(1) Besides that: "very openly ... terribly silent", does "hope" really know "who are leading the CS-project"?

For example:

Jason Pyeron, a member of the project management committee and one of the security developers works for DISA, a government agency. We should do our research on each and every project member.
https://www.reddit.com/r/crypto/comments/2rbpm3/truecrypt_veracrypt_ciphershed_diskcryptor_is/

(2) All open-source solutions are vulnerable to pre-computed digest attacks.
https://veracrypt.codeplex.com/workitem/115

(3) There is no scientific audit by independent experts for all of them.

@Zegnat
Collaborator

Zegnat commented Apr 29, 2015

(1) It does what it should do.

… except decrypt and encrypt your data without opening you up for attacks.

FBI, "limited"? NSA, "un"limited? Remember: considering TC to be 'catastrophic', the NSA and GCHQ aren't amused. Also remember: an absolute insider-in-exile confirmed they can't crack it.

I don’t know what their limits are, I just know the examples you gave me and they don’t tell me much. Even if I want to believe in what Snowden says, it is not like he told us about e.g. the Equation Group who may have messed with the hardware currently in your PC. Snowden was a contractor, and within the NSA people are questioning why a contractor would have been able to see as much as he did. We may easily assume there are complete servers full of higher-classified material that Snowden never saw.

But to refute some more of your examples:

  • Operation Satyagraha: you say the FBI ‘used dictionary attacks’. The funny thing with dictionaries is that they are useless against good unique passwords. If I have a 200 character truly random password, a year of running dictionaries against it will get you nowhere. This has nothing to do with TrueCrypt however and holds true for any and every encryption implementation.

  • United States v. John Doe: remember how these attacks take time? John Doe’s media was confiscated in or after October 2010 and was served to appear (and decrypt) April 7, 2011. That means they were done inspecting his drives and had time to build a case within 6 months. How come this ended so quickly compared to Operation Satyagraha? Because, by their own admission, the scope of the examination was very narrow:

    When pressed by Doe to explain why investigators believed something may be hidden, McCrohan replied, “The scope of my examination didn't go that far.”

    Also of note is that the “forensic analysis was able to identify two passwords”. The court document doesn’t really explain this further. It could also mean that they were able to find the passwords for 2 hidden volumes but concluded they were empty or had nothing of value in them. Who is to say they couldn’t find more passwords, given time?

    (How do I know all this? Rather than copying Wikipedia I gave a cursory read to IN RE:  GRAND JURY SUBPOENA DUCES TECUM DATED MARCH 25, 2011 UNITED STATES OF AMERICA, Plaintiff–Appellee, v. JOHN DOE, Defendant–Appellant..)

(2) "Not a security researching", but security researchers say:

The cache-timing issue is not a problem unless you're on a server like setting.
https://twitter.com/amp648/status/592067743957921792

Their conclusion in general:

There is no real vulnerability despite the high rating given by the report.
The keyfile mixing issue is the more realistic issue among them all but it has been known for years.
https://veracrypt.codeplex.com/discussions/616471#post1399210

3 independent researchers from the NCC Group have stated that the cache timing attack has a high risk and only medium sophistication, making it a high severity vulnerability. 1 not-so-independent developer of a TrueCrypt fork then said it wasn’t as high a vulnerability as the report made it seem. Whenever I am asked to make the choice I would probably side with the published report rather than a forum post, but that is just me.

(3) None of the alternatives is more and better audited by scientific experts.

This I agree with. This is also why CipherShed is telling you to use the now-audited TrueCrypt rather than their fork ’til it comes out of beta. That does not mean PRISM Break should be recommending TrueCrypt though.

As for security people being associated with a government organisation, I wish you good luck trying to find a mathematician that has not at some point received government funding. Believe it or not, governments fund the lion's share of security research because nobody else cares. Even the Tor project is funded that way.

Seeing someone the government trusts with their security work on something for the masses is a plus in my book. As long as other people keep them straight.

Also, I would rather have someone working on my security who I know works for the government than a group of anonymous programmers. But again, that might just be me.

Nothing you have said is really making a case for including anything new on PRISM Break, so I am not sure what we are arguing about, but I hope I have made my personal views clear on the current TrueCrypt-et-al-sphere.

@hasufell
Contributor

There is no real vulnerability despite the high rating given by the report.

So they are not going to fix it?

@izmine

izmine commented Apr 30, 2015

"So they are not going to fix it?" (hasufell) In your eyes, if so important just do it!

Fixing this cache-timing issue would be much appreciated. But...

(1) As security researchers said, there seems to be no REAL need at the moment:

Therefore, work on other issues has priority.

(2) Your alternative PRISM Break-favorites are vulnerable too.
https://veracrypt.codeplex.com/workitem/115

Maybe you got more detailed information. Are they going to fix their pre-computed digest issue?

(3) And again, there isn't any scientific audit by independent experts for all of the other disc-encryption solutions! None of its alternatives is more and better audited than TrueCrypt*.

So, their results and the above both said in mind:
"You want to recommend software that is both discontinued and known to be vulnerable?" (hasufell)

Yes, I do recommend! Because TC v7.1a is both mature and stable and up-to-date: "Not perfect, but secure".

At the moment I see hardly any better.

*)
done by the most ANONYMOUS (and suspicious) crypto-developers ever, zegnat: "Tesariks" must have been much more conscious than you about: What such a piece of disk-encryption software means to EVERY government and its special services!

(Thx for linking to: http://caselaw.findlaw.com/us-11th-circuit/1595245.html)

@Zegnat
Collaborator

Zegnat commented Apr 30, 2015

No real vulnerability DESPITE the high rating given by the report (in general)

What “security researchers” (multiple?) said this? I only see the VeraCrypt developer himself say this and no independent researchers. The three independent researchers that are known to have done an audit flagged this with a high rating.

Cache-timing issue is not a problem UNLESS you're on a server like setting (especially)

Again, only the VeraCrypt developer has said this. In the forum thread you linked user AndreasAll says “multi-user systems” will be affected, which I believe to include your completely standard Windows installation in an average home.

Your alternative PRISM Break-favorites are vulnerable too.

Which ones? dm-crypt? DiskCryptor? PRISM Break is not recommending any form of TrueCrypt at the moment.

And again, there isn't any scientific audit by independent experts for all of the other disc-encryption solutions! None of its alternatives is more and better audited than TrueCrypt*.

EncFS is recommended by PRISM Break and has been audited. This is even flagged on the website with a green label. So saying none have had a publicised audit is simply false.
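The disagreement above is about how realistic a cache-timing attack on table-driven AES is outside a server setting. The simulation below is an added example (the editor's, not code from TrueCrypt, VeraCrypt or the NCC Group report) of the mechanism that finding refers to: a table lookup indexed by plaintext ^ key lands in a cache line that depends on the key, and a co-resident observer that can tell which line was touched (as a Prime+Probe measurement would) recovers the key's top bits by majority vote even through noisy observations, while a lookup that touches every line leaks nothing. The 64-byte line, 4-byte entries, the noise rate and the names `TableVictim` / `ConstantTimeVictim` are assumptions of the model, not anything from the audit.

```python
import random

LINE_BYTES = 64                                  # assumed cache line size
ENTRY_BYTES = 4                                  # AES T-tables hold 32-bit words
ENTRIES_PER_LINE = LINE_BYTES // ENTRY_BYTES     # 16 table entries share one line
LINES = 256 // ENTRIES_PER_LINE                  # a 256-entry table spans 16 lines
SBOX = bytes(range(256))                         # placeholder table; only the access pattern matters


class TableVictim:
    """Secret-dependent lookup: touches exactly one cache line per input byte."""

    def __init__(self, key_byte: int):
        self._k = key_byte

    def process(self, p_byte: int):
        idx = p_byte ^ self._k
        return SBOX[idx], {idx // ENTRIES_PER_LINE}      # (value, lines touched)


class ConstantTimeVictim:
    """Hardened lookup: reads every entry and selects with a mask, so the set of
    lines touched is the same for every key and every input."""

    def __init__(self, key_byte: int):
        self._k = key_byte

    def process(self, p_byte: int):
        idx = p_byte ^ self._k
        out = 0
        for i in range(256):
            mask = -(i == idx) & 0xFF                    # 0xFF only for the wanted index
            out |= SBOX[i] & mask
        return out, set(range(LINES))


def observe(victim, plaintexts, noise: float, rng: random.Random):
    """Side-channel probe: reports one touched line per operation, mis-reading a
    fraction `noise` of the time (models measurement error in the cache probe)."""
    observed = []
    for p in plaintexts:
        _, lines = victim.process(p)
        line = rng.choice(sorted(lines))                 # all lines touched -> no information
        if rng.random() < noise:
            line = rng.randrange(LINES)
        observed.append(line)
    return observed


def recover_key_high_nibble(plaintexts, observed_lines):
    """line == (p ^ k) >> 4, so k >> 4 == line ^ (p >> 4); vote across samples."""
    votes = [0] * 16
    for p, line in zip(plaintexts, observed_lines):
        votes[line ^ (p >> 4)] += 1
    best = max(range(16), key=lambda n: votes[n])
    return best, votes[best] / len(plaintexts)           # (guess, fraction of agreeing votes)


def run_attack(victim_cls, key_byte: int, samples: int = 2000, noise: float = 0.2, seed: int = 1):
    """Returns (guess was correct, confidence) for the given victim implementation."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(samples)]   # constructed, known to the attacker
    observed = observe(victim_cls(key_byte), plaintexts, noise, rng)
    nibble, confidence = recover_key_high_nibble(plaintexts, observed)
    return nibble == (key_byte >> 4), confidence


if __name__ == "__main__":
    print("table lookup, 20% noise:", run_attack(TableVictim, 0xA7))
    print("constant-time lookup:   ", run_attack(ConstantTimeVictim, 0xA7))
```

The model's only precondition is an observer that shares the cache with the victim, which is the "multi-user systems" condition mentioned in the thread; whether that describes a server or a desktop running untrusted code is the point being argued above. Note that the hardened variant costs 256 reads per byte, which is why real constant-time AES implementations use bitslicing or AES-NI rather than this masked scan.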

@hasufell
Contributor

In your eyes, if so important just do it!

I will probably never use VeraCrypt or any of the TrueCrypt forks. I don't even use dm-crypt or any other disk-encryption tool. So why should I fix it?

The point was that in order to recommend a TrueCrypt fork it is important to know how upstream behaves and that includes their reaction to an audit (and I'm not sure if arguing about the severity of vulnerabilities is something I like to see).

@izmine

izmine commented May 2, 2015

Please, allow one word according to (off-topic) ENCFS and its recommendation:

(1) By the way.

The only one found, is a one-year-old "paid" security audit of "10 hours".
https://defuse.ca/audits/encfs.htm

Sure, it's not a "joke"? Because, What a contrast to the crowd-funded one-and-half-a-year scientific audit by independent experts around Matthew Green/Kenny Wright!
https://opencryptoaudit.org/

(2) But seriously.

  • What about Taylor Hornby's results? At least there ARE 7 SECURITY issues in encfs!

High: Stream Cipher Used to Encrypt Last File Block.
Medium: Generating Block IV by XORing Block Number; MACs Not Compared in Constant Time; 64-bit MACs; Editing Configuration File Disables MACs.
Low: Same Key Used for Encryption and Authentication; File Holes are Not Authenticated.

Furthermore, there are 4 POTENTIAL problems mentioned in the paper.

  • What about Hornby's conclusion? encfs is NOT up to speed with modern cryptography practices!

It ignores many STANDARD best-practices in cryptography. Several previously KNOWN vulnerabilities have been reported, which have NOT been completely fixed.
It IS NOT safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times.
It attempts to protect files from malicious modification, BUT there are SERIOUS problems with this feature.

(3) In FACT, the same has to be repeated for user-space encrypted file systems:

"Your alternative PRISM Break-favourites are vulnerable too."

So, wonder why PRISM Break does recommend encfs. Will you guys really continue recommending it seriously? While bashing a well-done piece of crypto-software for vulnerabilities under quite NON-REALISTIC circumstances at the same time!

@izmine

izmine commented May 2, 2015

(1) "EncFS is recommended by PRISM Break. EncFS has been audited. This is even flagged on the website with a green label." (zegnat)

Don't COMPARE DIFFERENT kind of solutions!

If doing so wrong nevertheless, at least it would be nice to mention clearly that container-based crypto is much stronger by concept than file-system solutions (e.g. metadata problems*).

(2) "So saying none have had a publicised audit is simply false." (zegnat)

No, it is not "simply false"!

As you can see easily...

"There isn't any scientific audit by independent experts for all of the other disc-encryption [!] solutions! None of its [!] alternatives is more and better audited than TrueCrypt" (izmine)

http://www.ssi.gouv.fr/IMG/qualification/2009-08-17_2088_sgdn_anssi_sr.pdf
https://www.privacy-cd.org/downloads/truecrypt_7.0a-analysis-en.pdf
https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
http://seclists.org/fulldisclosure/2013/Oct/245
http://istruecryptauditedyet.com/
https://opencryptoaudit.org/

In so far, it's absolutely right to say what I say:

"Their results and the above both [1+2 in former post] said in mind, TC v7.1a is both mature and stable and up-to-date: 'Not perfect, but secure'. At the moment I see hardly any better." (izmine)

(3) What's really wrong, is your citation!

And that's not nice, changing what is said and obviously meant. Here and now we are discussing the DISCS-AND-PARTITIONS-encryption tool TrueCrypt! Therefore it could and should be compared with its alternatives of the same kind of crypto, e.g. freeOTFE**, VeraCrypt, CipherShed or so, but nothing else. The same applies to a user-space encrypted file system like encFS! It could and should be compared with the PRISM Break-recommended, never audited eCryptfs***.

*)
http://www.7-zip.org/
http://sourceforge.net/projects/sevenzip/?source=navbar

Maybe an alternative, because the 7z FORMAT of the open-source software 7-ZIP solves this issue of the (off-topic) encfs tool:
It provides the option to encrypt 7z archive headers and filenames, encrypts with the AES algorithm with a 256-bit key, and generates the key from a user-supplied passphrase using an algorithm based on the SHA-256 hash function. SHA-256 is executed 2^18 (262144) times, which causes a significant delay on slow PCs before compression or extraction starts. This technique is called key stretching and is used to make a brute-force search for the passphrase more difficult. Current GPU-based and custom hardware attacks limit the effectiveness of this particular method of key stretching, so it is still important to choose a strong password. (From: The 7z format.)

**)
https://web.archive.org/web/20130531062457/http://freeotfe.org/
http://sourceforge.net/projects/freeotfe.mirror/
https://github.com/t-d-k/doxbox

freeOTFE offers a portable mode, eliminating the need to install to the computer. There is also freeOTFE Explorer, a system which allows freeOTFE volumes to be accessed without installing software, and on computers where no administrator rights are available. It supports numerous hash (including SHA-512, RIPEMD-320, Tiger) and encryption algorithms (including AES, Twofish, and Serpent) in several modes (CBC, LRW, and XTS), providing a much greater level of flexibility than a number of other OTFE systems. Support for encrypted Linux volumes (Cryptoloop "losetup," dm-crypt, and LUKS).

***)
https://www.schneier.com/blog/archives/2014/03/an_open_letter_.html
http://www.theregister.co.uk/2014/03/25/bruce_schneier_sneers_at_ibms_nsa_denials/

This IBM-developed and -maintained (off-topic) crypto tool has never been audited.

But it is much harder to believe that PRISM Break really does and/or wants to seriously continue recommending a tool like ECRYPTFS.
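The dictionary-attack point made earlier in the thread (a long, truly random password defeats any dictionary run) and the 7z key-stretching description just above come down to the same arithmetic: attacker cost = candidates × iterations ÷ hashes per second, and a per-volume salt decides whether that work can be done once and reused against every volume (the "pre-computed digest" problem also raised above). The block below is an added example (the editor's; not 7-Zip's, TrueCrypt's or EncFS's code). It models iterated-SHA-256 stretching on the pattern described above (salt, password and a round counter fed into one running hash; the exact byte layout is an assumption of this example), sets it beside the standard PBKDF2-HMAC-SHA256 from the Python standard library, shows why a unique salt defeats a pre-computed table, and puts numbers on the cost. The 10^9 hashes/second rate used in the cost figures is an assumed GPU-class attacker, not a figure from the thread.

```python
import hashlib
import math
import os
import time

ITERATIONS_7Z = 2 ** 18   # iteration count quoted above for the 7z format


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated SHA-256 on the pattern described above: one running hash absorbs
    salt || password || counter for each round. Simplified model; the exact byte
    layout of 7-Zip's scheme is an assumption of this example."""
    h = hashlib.sha256()
    for counter in range(iterations):
        h.update(salt)
        h.update(password)
        h.update(counter.to_bytes(8, "little"))
    return h.digest()


def pbkdf2_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """The standardised construction for the same job (RFC 8018), from the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the candidate space for a truly random password."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(candidates: int, iterations: int, hashes_per_second: float) -> float:
    """Worst-case attacker cost: every candidate costs `iterations` hash calls."""
    return candidates * iterations / hashes_per_second


def brute_force_log2_seconds(entropy_bits: float, iterations: int, hashes_per_second: float) -> float:
    """Same cost in log2 form, for keyspaces far too large to hold in a float."""
    return entropy_bits + math.log2(iterations) - math.log2(hashes_per_second)


def unsalted_keys_collide(password: bytes = b"correct horse", iterations: int = 64) -> bool:
    """Without a salt, two volumes with the same password share one key: an attacker
    can stretch a dictionary once and reuse the table (a pre-computed digest attack)."""
    return stretch_key(password, b"", iterations) == stretch_key(password, b"", iterations)


def salted_keys_collide(password: bytes = b"correct horse", iterations: int = 64) -> bool:
    """With a unique random salt per volume the same password gives different keys,
    so a table computed for one volume is useless against any other."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return stretch_key(password, salt_a, iterations) == stretch_key(password, salt_b, iterations)


def measure_seconds(iterations: int = ITERATIONS_7Z) -> float:
    """Wall-clock cost of one derivation on this machine (the delay the text mentions)."""
    start = time.perf_counter()
    stretch_key(b"passphrase", b"\x00" * 8, iterations)   # constructed inputs
    return time.perf_counter() - start


if __name__ == "__main__":
    # A 10^6-entry dictionary against 2^18 rounds at an assumed 10^9 SHA-256/s: minutes.
    # 200 truly random printable characters: about 2^1299 seconds, i.e. never.
    print("dictionary, seconds:", brute_force_seconds(10 ** 6, ITERATIONS_7Z, 1e9))
    print("200 random chars, log2 seconds:",
          brute_force_log2_seconds(password_entropy_bits(94, 200), ITERATIONS_7Z, 1e9))
    print("one derivation here, seconds:", measure_seconds())
```

The asymmetry the numbers show is the reason key stretching is worth having but is no substitute for password quality: 2^18 rounds multiply every attacker's cost by about 262 thousand, which turns a weak password from seconds into minutes, while a random 200-character password is out of reach with or without stretching.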

@Zegnat
Collaborator

Zegnat commented May 2, 2015

This will be my last reply on this to hopefully make my stance on both TrueCrypt and its forks clear, and to address some of @izmine’s points. Note that PRISM Break is a community project and my thoughts are in no way indicative of what will and will not end up on the website. Everyone is free to create a pull request for whatever software they want to recommend and make a case for it. If they can gain traction within the community chances are it will be merged in.

Regarding TrueCrypt:

Thank you for the link to the Ubuntu Privacy Remix Team’s audit of TrueCrypt. I had not seen it before. Even so this only means we now have a second audit of TrueCrypt, and an older version at that.

In a previous discussion I made clear that I was against adding software on PRISM Break that was abandoned by their development team. This still holds true for me, even when talking about TrueCrypt. That leaves one of the many forks.

As far as I know none of the forks have been audited. So that part of the discussion goes out the window. It becomes a debate of what fork is the best, gets the best support, and if it should be included.

The TrueCrypt licence has still not been reviewed by the #IsTrueCryptAuditedYet project which is an issue for PRISM Break. We have previously excluded solutions that were public-source rather than open-source, and we would have to apply the same ruling to TrueCrypt. This is also a potential problem for forks, I previously found a problem with VeraCrypt where it wasn’t complying with the licence by still including the name TrueCrypt in certain files.

In fact a problem also noticed by the Ubuntu Privacy Remix Team (p. 7), emphasis mine:

But the own regulations of the TrueCrypt foundation are also incompatible with the GNU General Public License (GPL). This situation complicates the legal status of the TrueCrypt sources. A continuation by others in case the TrueCrypt Foundation ceases to maintain TrueCrypt or the development of a spinoff product would be very problematic not to say illicit.

You read that right: “illicit”, forbidden by law.

Not to mention how TrueCrypt itself was based on E4M and might itself be infringing on some copyrights there. (I kid you not, this is one of the points on the Roadmap for CipherShed to fix.)

I feel much better telling people to use any of the dm-crypt LUKS tutorials linked to on PRISM Break than pointing them at TrueCrypt. If they have no choice but to use a portable encryption solution with the possibility of plausible deniability through hidden volumes, I might tell them to try out TrueCrypt. I will also tell them other people in the security community are using it (e.g. Schneier) and that it has been audited. But I will never use it myself or actively recommend it.

Personally I believe there are just too many pitfalls with TrueCrypt, not to mention @hasufell’s legitimate concern about who will be fixing the issues that are being brought up now.

Regarding EncFS:

I am not comparing EncFS and TrueCrypt on a feature-to-feature basis, only as far as both having had published audits and both wanting to encrypt your files. Mostly I wanted to point out that PRISM Break does include publicly audited encryption software. Whether you believe this audit is enough is up to you. All the points made in the audit are accessible in EncFS’ issue list on the GitHub project and can be discussed there. They are very open about fixing all of the points.

What a contrast to the crowd-funded one-and-half-a-year scientific audit by independent experts around Matthew Green/Kenny Wright!

So you do respect an audit when it is paid for by several people, but when one man wants to make software more secure and pays for 20 hours of fulltime work by a security researcher you call it a joke?

Igor Sviridov paid Defuse Security for 20 hours of work, 10 hours on EncFS and 10 hours on eCryptfs. Taylor Hornby did this work and published the results. This sounds like a security audit to me.

And what “one-and-half-a-year” are you talking about? The Phase Ⅱ audit took more like a month to a month and a half. When Matthew Green posted an update on his blog mid-February only a few weeks had passed since contracting the NCC Group with an open starting date, and the final report was finished mid-March.

And what about Hornby’s results? We have included a summary of his conclusion on the PRISM Break website. We felt alright with keeping it as a recommendation because the audit found “EncFS is probably safe as long as the adversary only gets one copy of the ciphertext”. That is reasonable for the number one reason to use encryption: protection in case of hardware theft.

If you have made a different conclusion from reading the audit and checking up on EncFS’ current development, please open a new issue and make your case for having it removed.
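Hornby's finding list quoted earlier in the thread (a stream cipher for the last file block, block IVs derived by XORing the block number) and the conclusion quoted just above (safe only while the adversary gets one copy of the ciphertext) describe a single mechanism: when the same key and IV are reused to encrypt two versions of a block, XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. The block below is an added example (the editor's; not EncFS code). Its stream cipher is HMAC-SHA256 in counter mode standing in for whatever stream/CFB mode the audit refers to, and the IV derivation is a simplification of the finding's one-line description; both are assumptions. It shows the leak from two snapshots, recovers a rewritten block given the earlier version, and shows that a fresh random IV per write removes the leak.

```python
import hashlib
import hmac
import os

KEY = b"\x42" * 32        # constructed demo key
FILE_IV = b"\x13" * 16    # constructed per-file IV
BLOCK_NO = 3


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (a stand-in, not EncFS's mode).
    All that matters for the leak is that it is deterministic in (key, iv)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def deterministic_block_iv(file_iv: bytes, block_no: int) -> bytes:
    """Models 'Generating Block IV by XORing Block Number': the same file and block
    number give the same IV every time that block is rewritten."""
    return xor_bytes(file_iv, block_no.to_bytes(len(file_iv), "big"))


def encrypt_block(key: bytes, block_iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, block_iv, len(plaintext)))


def snapshot_xor(c1: bytes, c2: bytes) -> bytes:
    """Attacker holding two snapshots of one block: when the keystream repeated,
    c1 ^ c2 == p1 ^ p2 because the keystream cancels."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If one version is known or guessable, the other version falls out directly."""
    return xor_bytes(snapshot_xor(c1, c2), known_p1)


# Two successive versions of one 16-byte block (constructed content).
P1 = b"balance: 100 USD"
P2 = b"balance: 900 USD"


def leaks_with_deterministic_iv() -> bool:
    iv = deterministic_block_iv(FILE_IV, BLOCK_NO)
    c1 = encrypt_block(KEY, iv, P1)     # snapshot 1
    c2 = encrypt_block(KEY, iv, P2)     # snapshot 2, same block after a rewrite
    return snapshot_xor(c1, c2) == xor_bytes(P1, P2)


def recovered_second_version() -> bytes:
    iv = deterministic_block_iv(FILE_IV, BLOCK_NO)
    c1 = encrypt_block(KEY, iv, P1)
    c2 = encrypt_block(KEY, iv, P2)
    return recover_with_crib(c1, c2, P1)


def leaks_with_fresh_iv() -> bool:
    """Hardened variant: a random IV per write (stored next to the block) means the
    two keystreams differ, and c1 ^ c2 says nothing about p1 ^ p2."""
    c1 = encrypt_block(KEY, os.urandom(16), P1)
    c2 = encrypt_block(KEY, os.urandom(16), P2)
    return snapshot_xor(c1, c2) == xor_bytes(P1, P2)


if __name__ == "__main__":
    print("deterministic IV leaks p1^p2:", leaks_with_deterministic_iv())
    print("recovered from one known version:", recovered_second_version())
    print("fresh IV leaks p1^p2:", leaks_with_fresh_iv())
```

This is also why the single-snapshot case quoted above is the safe one: with only c1 in hand there is no second ciphertext to cancel the keystream against, so the theft-of-a-laptop scenario holds even where a backup-diffing or cloud-sync adversary does not.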

@izmine

izmine commented May 29, 2015

CipherShed's Compul wrote (April 2015):

"They [4 vulnerabilities found: 1 low - 1 medium - 2 high] do NOT seem to pose a great threat immediately, but are nonetheless ISSUES that will be resolved in CipherShed; first and foremost the AES issue, I would presume, which currently seems more annoying than one may think." https://forum.ciphershed.org/viewtopic.php?f=5&t=80

@hasufell@zegnat: One more vote to cool down and relax a little bit, imho.

@Atavic

Atavic commented Feb 9, 2017

I suggest Gostcrypt

lukateras added a commit that referenced this issue Jan 15, 2019
Recommend VeraCrypt to Windows users

Closes #995 and #1273

See merge request prism-break/prism-break!2055