TrueCrypt doesn’t include a backdoor according to a security audit

Pierluigi Paganini April 03, 2015

The security audit of the popular encryption software TrueCrypt reveals the absence of the backdoor and other significant flaws exploitable by the NSA.

The news of the day is the conclusion of the security audit of the popular encryption tool TrueCrypt that confirmed the absence of any backdoor neither critical design vulnerabilities inside the source code.

TrueCrypt is a free, open-source and cross-platform encryption application, used by millions users worldwide to protect data. The tool could be used to encrypt single files, folders or entire hard drive partitions including the system partition. TrueCrypt is being audited for past two years following the speculation that US Intelligence deliberately compromised the code to make possible the access to encrypted data by its agents.

A team of researcher conducted an analysis that lasted two years and that was arranged in two distinct phases. In the first phase the experts analyzed the blueprints of the software and discovered only 11 issues of medium and low severity in the software.

In the second phase, that was recently terminated, the experts examined TrueCrypt’s implementation of random number generators and critical key algorithms, and several encryption cipher suites.

truecrypt 2

Security Auditors and Cryptography Experts at NCC decided to analyze TrueCrypt software in response to documents leaked by Edward Snowden that hyphotesized a possible backdoor in the application.

“TrueCrypt appears to be a relatively well-designed piece of crypto software,” cryptographic expert Matthew Green explained in a blog post on Thursday. “The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.” “You can find the full report over at the Open Crypto Audit Project website. Those who want to read it themselves should do so. This post will only give a brief summary.”

The report reveals that experts have discovered four different vulnerabilities, but none of them could be exploited by attackers to compromise TrueCrypt. The vulnerabilities and related severity are listed below:

  • Keyfile mixing is not cryptographically sound — Low severity
  • Unauthenticated ciphertext in volume headers — Undetermined
  • CryptAcquireContext may silently fail in unusual scenarios — High severity
  • AES implementation susceptible to cache timing attacks — High severity

Resuming the experts have found no evidence for the presence of a Backdoor in the code of the popular application.

“That doesn’t mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming — leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we’d like it to.” said Green.

Pierluigi Paganini

(Security Affairs –  Truecrypt, security audit)

you might also like

leave a comment