Encryption software: German BSI withholds Truecrypt security report

The German Federal Office for Information Security (BSI) commissioned a detailed analysis of the software Truecrypt in 2010. The results ended up in a drawer: the public was never informed about the security risks that had been found.

The BSI knew a lot about the security of Truecrypt, but it decided to keep the documents secret. (Image: Truecrypt logo / Effekt)

The German Federal Office for Information Security (BSI) has kept a detailed examination of the encryption software Truecrypt secret for nine years. Across more than 400 pages, the documents describe the architecture of the encryption tool in detail, list various security problems and make recommendations on how to fix them.

  1. Encryption software: German BSI withholds Truecrypt security report
  2. Truecrypt developers suddenly end development and point to security problems
  3. Missing chapter about off-by-one-overflows

Golem.de learned about the existence of these documents via an entry on the web platform "Frag Den Staat" (translated: "ask the state"). On this web page citizens can send requests to government agencies under the German freedom of information law. A user sent a generic request to the BSI asking for all investigations of Truecrypt it might possess.

The BSI sent several documents that, according to their dates, were created in 2010 and that contain a detailed analysis of Truecrypt. However, the BSI told the requester that the documents are protected by copyright and that he is not allowed to publish them. Golem.de therefore requested the documents itself and received them after some time, again with the remark that they must not be published.

It is a common strategy of government agencies to prevent the publication of documents released under freedom of information requests by citing copyright. The platform "Frag Den Staat", for example, has been in a legal conflict with the German Federal Institute for Risk Assessment (BfR) over the publication of a report on the herbicide glyphosate. The BSI also prevented the publication of an earlier report on cryptographic libraries by referring to its copyright.

The Truecrypt documents carry a marking stating that they are classified information, but that marking has been struck through. The content is noteworthy because it shows that the BSI had plenty of information about the security of Truecrypt, including specific security problems, for a long time. Despite the various discussions about the security of Truecrypt that erupted after the Snowden revelations, it apparently decided not to publish it.

The BSI sends the complete documents only after multiple requests

The five documents are numbered AP2 to AP6; AP1 was notably missing. When asked, the BSI said: "AP1 is a research and overview of what functionality existing hard drive encryption products on the market implement (including the Windows and the Linux version of Truecrypt). Since this is not an 'investigation' of the 'Truecrypt' program, we saw this document as not covered by the Freedom of Information Act request."

We then requested this document as well. It is surprising that the BSI concluded that this document is not an "investigation" (in German: "Untersuchung") of Truecrypt, because the title of the document begins with "Truecrypt Untersuchung".

Even then, the set of documents was incomplete. The documents contain multiple references noting that certain attacks are explained in more detail in AP7. After several further requests, Golem.de also received that document.

Truecrypt was published by anonymous developers

The software Truecrypt has an interesting history. The program was created by anonymous developers. According to investigations by the journalist Evan Ratliff, the drug dealer Paul Le Roux was involved in its development. Truecrypt gives users a relatively easy way to encrypt files locally inside an encrypted data container. It also offers the option of encrypting whole disk drives.

The license of the Truecrypt code is controversial. While the code is publicly available, the license contains restrictions that prevent it from meeting the definitions of free software or open source. As a result, many Linux distributions do not ship official Truecrypt packages.

In 2013 the cryptographer Matthew Green started collecting donations to fund a security audit of Truecrypt. Together with the IT security professional Kenneth White he founded the Open Crypto Audit Project. The money came in quickly.

danielmain, 16 Dec 2019

What an achievement to be in the Hacker News top 10. Keep it up!
