Encryption software: German BSI withholds Truecrypt security report

The German Federal Office for Information Security created a detailed analysis of the software Truecrypt in 2010. The results ended up in a drawer; the public was not informed about the security risks that were found.

The BSI knew a lot about the security of Truecrypt, but it decided to keep the documents secret. (Image: Truecrypt-Logo / Effekt)

The German Federal Office for Information Security (BSI) has kept a detailed examination of the encryption software Truecrypt secret for nine years. On more than 400 pages the documents contain a detailed description of the architecture of the encryption tool, list various security problems and make recommendations on how to fix them.


Golem.de learned about the existence of these documents via an entry on the web platform "Frag Den Staat" (translated "ask the state"). On this website citizens can send requests to government agencies under the German freedom of information law. A user sent a generic request to the BSI asking about all investigations of Truecrypt it may possess.

The BSI sent several documents that according to their date were created in 2010 and that contain a detailed analysis of Truecrypt. However BSI told the person that the documents are copyright protected and he is not allowed to publish them. Golem.de therefore requested the documents themselves and got them after some time - also with the remark that they must not be published.

It is a common strategy by government agencies to prevent the publication of documents revealed by freedom of information law requests due to copyright. The platform "Frag Den Staat" has for example been in a legal conflict with the German Federal Institute for Risk Assessment (BfR) about the publication of a report on the herbicide Glyphosate. The BSI also prevented the publication of an earlier report on cryptographic libraries referring to its copyright.


The Truecrypt documents contain a remark marking them as classified information, but that remark has been struck through. The content is noteworthy because it shows that the BSI has had plenty of information about the security of Truecrypt and about specific security problems for a long time. Despite various discussions about the security of Truecrypt that erupted after the Snowden affair, it apparently decided not to publish it.

BSI sends complete documents only after multiple requests

The five documents are numbered from AP2 to AP6. AP1 was notably missing. After asking BSI they said: "AP1 is a research and overview of what functionality existing hard drive encryption products on the market implement (including the Windows and the Linux version of Truecrypt). Since this is not an 'investigation' of the 'Truecrypt' program, we saw this document as not covered by the Freedom of Information Act request."

We then requested this document as well. It is surprising that the BSI came to the conclusion that this document is not an "investigation" (in German "Untersuchung") of Truecrypt, because the title of the document starts with "Truecrypt Untersuchung".

Even then the documents were incomplete. The documents contain multiple references that mention that attacks are explained in more detail in AP7. After multiple requests Golem.de also got that document.

Truecrypt was published by anonymous developers

The software Truecrypt has an interesting history. The program was created by anonymous developers. According to investigations by journalist Evan Ratliff the drug dealer Paul Le Roux was involved in the development. Truecrypt gives users a relatively easy way to locally encrypt files in an encrypted data container. It also offers the option to encrypt whole disk drives.

The license of the Truecrypt code is controversial. While the code is publicly available, the license contains some restrictions that cause it not to fall under the definition of free software or open source. Therefore many Linux distributions don't have official Truecrypt packages.

In 2013 the cryptographer Matthew Green started collecting donations to fund a security test of Truecrypt. Together with the IT security professional Kenneth White he founded the Open Crypto Audit Project. The money came in quickly.

danielmain 16 Dec 2019

What an achievement to be in the top 10 of Hacker News. Keep it up!


