
Encryption software: German BSI withholds Truecrypt security report

The German Federal Office for Information Security created a detailed analysis of the software Truecrypt in 2010. The results ended up in a drawer; the public was never informed about the security risks it found.

Article published on ,
The BSI knew a lot about the security of Truecrypt, but it decided to keep the documents secret. (Image: Truecrypt logo / Effekt)

The German Federal Office for Information Security (BSI) has kept a detailed examination of the encryption software Truecrypt secret for nine years. On more than 400 pages the documents contain a detailed description of the architecture of the encryption tool, list various security problems and make recommendations on how to fix them.

  1. Encryption software: German BSI withholds Truecrypt security report
  2. Truecrypt developers suddenly end development and point to security problems
  3. Missing chapter about off-by-one-overflows

Golem.de learned about the existence of these documents via an entry on the web platform "Frag Den Staat" (translated "ask the state"). On this web page citizens can send requests to government agencies under the German freedom of information law. A user sent a generic request to the BSI asking for all investigations of Truecrypt it may possess.

The BSI sent several documents that, according to their dates, were created in 2010 and that contain a detailed analysis of Truecrypt. However, the BSI told the person that the documents are copyright protected and that he is not allowed to publish them. Golem.de therefore requested the documents itself and received them after some time - also with the remark that they must not be published.

It is a common strategy of government agencies to cite copyright in order to prevent the publication of documents revealed by freedom of information requests. The platform "Frag Den Staat", for example, has been in a legal conflict with the German Federal Institute for Risk Assessment (BfR) about the publication of a report on the herbicide glyphosate. The BSI also prevented the publication of an earlier report on cryptographic libraries by citing its copyright.


The Truecrypt documents contain a remark that they are classified information, but that remark has been struck through. The content is noteworthy because it shows that the BSI has had plenty of information about the security of Truecrypt and about specific security problems for a long time. Despite the various discussions about the security of Truecrypt that erupted after the Snowden affair, the BSI apparently decided not to publish it.

BSI sends complete documents only after multiple requests

The five documents are numbered from AP2 to AP6. AP1 was notably missing. After asking BSI they said: "AP1 is a research and overview of what functionality existing hard drive encryption products on the market implement (including the Windows and the Linux version of Truecrypt). Since this is not an 'investigation' of the 'Truecrypt' program, we saw this document as not covered by the Freedom of Information Act request."

We then requested to receive this document as well. It is surprising that the BSI came to the conclusion that this document is not an "investigation" (in German "Untersuchung") of Truecrypt, because the title of the document starts with "Truecrypt Untersuchung".

Even then the documents were incomplete. The documents contain multiple references that mention that attacks are explained in more detail in AP7. After multiple requests Golem.de also got that document.

Truecrypt was published by anonymous developers

The software Truecrypt has an interesting history. The program was created by anonymous developers. According to investigations by journalist Evan Ratliff the drug dealer Paul Le Roux was involved in the development. Truecrypt gives users a relatively easy way to locally encrypt files in an encrypted data container. It also offers the option to encrypt whole disk drives.

The license of the Truecrypt code is controversial. While the code is publicly available, the license contains some restrictions that cause it not to fall under the definition of free software or open source. Therefore many Linux distributions don't have official Truecrypt packages.

In 2013 the cryptographer Matthew Green started collecting donations to fund a security test of Truecrypt. Together with the IT security professional Kenneth White he founded the Open Crypto Audit Project. The money came in quickly.


danielmain 16 Dec 2019

What an achievement to be in the top 10 of Hacker News. Keep it up!
