Encryption software: German BSI withholds Truecrypt security report

The German Federal Office for Information Security has created a detailed analysis of the software Truecrypt in 2010. The results ended up in the drawer, the public was not informed about the found security risks.

Artikel veröffentlicht am ,
The BSI knew a lot about the security of Truecrypt, but it decided to keep the documents secret.
The BSI knew a lot about the security of Truecrypt, but it decided to keep the documents secret. (Bild: Truecrypt-Logo / Effekt)

The German Federal Office for Information Security (BSI) has kept a detailed examination of the encryption software Truecrypt secret for nine years. On more than 400 pages the documents contain a detailed description of the architecture of the encryption tool, list various security problems and make recommendations on how to fix them.

Inhalt:
  1. Encryption software: German BSI withholds Truecrypt security report
  2. Truecrypt developers suddenly end development and point to security problems
  3. Missing chapter about off-by-one-overflows

Golem.de learned about the existence of these documents via an entry on the web plattform "Frag Den Staat" (translated "ask the state"). On this web page citizens can send requests to government agencies according to the German freedom of information law. A user sent a generic request to BSI asking about all investigations of Truecrypt they may possess.

The BSI sent several documents that according to their date were created in 2010 and that contain a detailed analysis of Truecrypt. However BSI told the person that the documents are copyright protected and he is not allowed to publish them. Golem.de therefore requested the documents themselves and got them after some time - also with the remark that they must not be published.

It is a common strategy by government agencies to prevent the publication of documents revealed by freedom of information law requests due to copyright. The platform "Frag Den Staat" has for example been in a legal conflict with the German Federal Institute for Risk Assessment (BfR) about the publication of a report on the herbicide Glyphosate. The BSI also prevented the publication of an earlier report on cryptographic libraries referring to its copyright.

Stellenmarkt
  1. SAP-Produktmanagerin/SAP-Pro- duktmanager (w/m/d)
    Berliner Verkehrsbetriebe (BVG), Berlin
  2. Anwendungsexperte (w/m/d) Dokumentenmanagement
    BEITEN BURKHARDT Rechtsanwaltsgesellschaft mbH, verschiedene Standorte
Detailsuche

The Truecrypt documents contain a remark that it is an item of classified information, but that remark has been striked through. The content is noteworthy, because it shows that BSI had plenty of information about the security of Truecrypt and specific security problems since a long time. Despite various discussions about the security of Truecrypt that erupted after the Snowden affair they apparently decided not to publish it.

BSI sends complete documents only after multiple requests

The five documents are numbered from AP2 to AP6. AP1 was notably missing. After asking BSI they said: "AP1 is a research and overview of what functionality existing hard drive encryption products on the market implement (including the Windows and the Linux version of Truecrypt). Since this is not an 'investigation' of the 'Truecrypt' program, we saw this document as not covered by the Freedom of Information Act request."

We then requested to receive this document as well. It is surprising that BSI came to the conclusion that this document is not an "investigation" (in German "Untersuchung") of Truecrypt, because the title of the Document starts with "Truecrypt Untersuchung".

Even then the documents were incomplete. The documents contain multiple references that mention that attacks are explained in more detail in AP7. After multiple requests Golem.de also got that document.

Truecrypt was published by anonymous developers

The software Truecrypt has an interesting history. The program was created by anonymous developers. According to investigations by journalist Evan Ratliff the drug dealer Paul Le Roux was involved in the development. Truecrypt gives users a relatively easy way to locally encrypt files in an encrypted data container. It also offers the option to encrypt whole disk drives.

The license of the Truecrypt code is controversial. While the code is publicly available, the license contains some restrictions that cause it to not fall under the definition of free Software or Open Source. Therefore many Linux distributions don't have official Truecrypt packages.

In 2013 the cryptographer Matthew Green started collecting donations to fund a security test of Truecrypt. Together with the IT security professional Kenneth White he founded the Open Crypto Audit Project. The money came in quickly.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed
Truecrypt developers suddenly end development and point to security problems 
  1. 1
  2. 2
  3. 3
  4.  


Aktuell auf der Startseite von Golem.de
Oberleitungs-Lkw
Herr Gramkow will möglichst weit elektrisch fahren

Seit anderthalb Jahren fährt ein Lkw auf der A1 elektrisch an einer Oberleitung. Wir haben die Spedition besucht, die ihn einsetzt.
Ein Bericht von Werner Pluta

Oberleitungs-Lkw: Herr Gramkow will möglichst weit elektrisch fahren
Artikel
  1. Star Trek: Playmobil bringt 1 Meter langes Enterprise-Spielset
    Star Trek
    Playmobil bringt 1 Meter langes Enterprise-Spielset

    Star Treks klassische Enterprise NCC-1701 kommt mit den Hauptcharakteren, Phasern und Tribbles sowie einem Standfuß und einer Deckenhalterung.

  2. Wettbewerb: EU soll Untersuchung von Googles Werbegeschäft planen
    Wettbewerb
    EU soll Untersuchung von Googles Werbegeschäft planen

    Die EU-Kommission lässt Google keine Pause: Als Nächstes soll das Werbegeschäft genau auf Wettbewerbseinschränkungen untersucht werden.

  3. Akkutechnik und E-Mobilität: Natrium-Ionen-Akkus werden echte Lithium-Alternative
    Akkutechnik und E-Mobilität
    Natrium-Ionen-Akkus werden echte Lithium-Alternative

    Faradion und der Tesla-Zulieferer CATL produzieren erste Natrium-Ionen-Akkus mit der Energiedichte von LFP. Sie sind kälteresistenter, sicherer und lithiumfrei.
    Von Frank Wunderlich-Pfeiffer

danielmain 16. Dez 2019

Was für eine Leistung in den Top 10 von Hacker news zu stehen. Weiterso!


Folgen Sie uns
       


  • Schnäppchen, Rabatte und Top-Angebote
    Die besten Deals des Tages
    Schnäppchen • Orange Week bei Cyberport mit bis zu -70% • MSI Optix G32CQ4DE 335,99€ • XXL-Sale bei Alternate • Enermax ETS-F40-FS ARGB 32,99€ • Prime-Filme leihen für je 0,99€ • GP Anniversary Sale - Teil 4: Indie & Arcade • Saturn Weekend Deals • Ebay: 10% auf Gaming-Produkte [Werbung]
    •  /