
TrueCrypt doesn’t include a backdoor according to a security audit

The security audit of the popular encryption software TrueCrypt reveals no backdoor and no other significant flaw that the NSA could exploit.

The news of the day is the conclusion of the security audit of the popular encryption tool TrueCrypt, which confirmed the absence of any backdoor or critical design vulnerability in the source code.

TrueCrypt is a free, open-source and cross-platform encryption application, used by millions of users worldwide to protect their data. The tool can be used to encrypt single files, folders or entire hard drive partitions, including the system partition. TrueCrypt has been under audit for the past two years, following speculation that US intelligence deliberately compromised the code to give its agents access to encrypted data.

A team of researchers conducted an analysis that lasted two years and was arranged in two distinct phases. In the first phase the experts reviewed the bootloader and the Windows kernel driver and found only 11 issues, none rated higher than medium severity.

In the second phase, which recently concluded, the experts examined TrueCrypt’s cryptographic implementation: the random number generator, key derivation, and several of the cipher implementations.

The audit was organized by the Open Crypto Audit Project and carried out by security auditors and cryptography experts at NCC Group (whose iSEC Partners unit performed the first phase). It was prompted by the Edward Snowden leaks, which fuelled speculation that the application could contain a backdoor.

“TrueCrypt appears to be a relatively well-designed piece of crypto software,” cryptographic expert Matthew Green explained in a blog post on Thursday. “The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.” “You can find the full report over at the Open Crypto Audit Project website. Those who want to read it themselves should do so. This post will only give a brief summary.”

The report reveals that the experts discovered four vulnerabilities; none of them is a backdoor or a critical design flaw, although two are rated high severity. The vulnerabilities and their severity ratings are listed below:

  • Keyfile mixing is not cryptographically sound — Low severity
  • Unauthenticated ciphertext in volume headers — Undetermined
  • CryptAcquireContext may silently fail in unusual scenarios — High severity
  • AES implementation susceptible to cache timing attacks — High severity
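To show why the second finding matters, here is an added illustrative example; it is not code from this page, from TrueCrypt or from the NCC report. It uses a toy counter-mode keystream built from HMAC-SHA256 and a made-up 16-byte header layout, both assumptions made for the example only; TrueCrypt's real header format and its XTS mode are not reproduced. Without a MAC, an attacker who never learns the key flips a chosen bit of the ciphertext and the decrypted header changes accordingly, with nothing to detect it; with an encrypt-then-MAC tag, the same tampering is rejected before decryption.

```python
import hashlib
import hmac
import struct

# Toy counter-mode keystream derived from HMAC-SHA256. This is an
# assumption for the example only: it is NOT TrueCrypt's XTS mode, but
# it shares the property under discussion, that ciphertext without a
# MAC is malleable.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed header layout (an assumption, not TrueCrypt's real header):
# 4-byte magic, 2-byte version, 8-byte volume size, 2-byte flags = 16 bytes.
HEADER_FMT = ">4sHQH"
FLAGS_LAST_BYTE = struct.calcsize(HEADER_FMT) - 1  # offset 15


def pack_header(magic: bytes, version: int, volume_size: int, flags: int) -> bytes:
    return struct.pack(HEADER_FMT, magic, version, volume_size, flags)


def unpack_header(data: bytes) -> dict:
    magic, version, volume_size, flags = struct.unpack(HEADER_FMT, data)
    return {"magic": magic, "version": version, "volume_size": volume_size, "flags": flags}


def encrypt_header(key: bytes, nonce: bytes, header: bytes) -> bytes:
    """Unauthenticated encryption: header XOR keystream. XOR is its own
    inverse, so the same function decrypts."""
    return xor_bytes(header, keystream(key, nonce, len(header)))


def tamper_unauthenticated(key: bytes, nonce: bytes) -> dict:
    """Attacker flips bit 0 of the encrypted flags field without the key.
    The victim decrypts and sees flags == 1; nothing reports tampering."""
    header = pack_header(b"HDR1", 1, 1 << 30, 0)
    ciphertext = bytearray(encrypt_header(key, nonce, header))
    ciphertext[FLAGS_LAST_BYTE] ^= 0x01       # known layout, no key needed
    return unpack_header(encrypt_header(key, nonce, bytes(ciphertext)))


def seal_header(enc_key: bytes, mac_key: bytes, nonce: bytes, header: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ciphertext = encrypt_header(enc_key, nonce, header)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_header(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Verify the tag in constant time before touching the ciphertext.
    Returns the parsed header, or None if the blob was modified."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return unpack_header(encrypt_header(enc_key, nonce, ciphertext))


def tamper_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes):
    """Same bit flip against the authenticated header: rejected."""
    header = pack_header(b"HDR1", 1, 1 << 30, 0)
    blob = bytearray(seal_header(enc_key, mac_key, nonce, header))
    blob[FLAGS_LAST_BYTE] ^= 0x01
    return open_header(enc_key, mac_key, nonce, bytes(blob))


if __name__ == "__main__":
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 16   # constructed keys
    print("unauthenticated:", tamper_unauthenticated(enc_key, nonce))
    print("authenticated:  ", tamper_authenticated(enc_key, mac_key, nonce))
```

TrueCrypt's real headers are encrypted with XTS, a block mode in which a modified ciphertext block decrypts to a garbled 16-byte block rather than a single flipped bit, but the essential point is the same: unless a cryptographic tag is checked before the header is trusted, the reader has no way to tell a modified header from an intact one.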

In summary, the experts found no evidence of a backdoor in the code of the popular application.

“That doesn’t mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming — leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we’d like it to.” said Green.

Pierluigi Paganini

(Security Affairs – Truecrypt, security audit)
