Audit Clears TrueCrypt of NSA Backdoors


Edward Snowden’s revelations regarding the NSA’s covert spying activities not only heightened concern about online privacy, they also created a general atmosphere of suspicion and mistrust. One piece of software that came under the microscope in particular was the popular and widely used TrueCrypt.

More than 30 million users worldwide have relied on the free and open source encryption software TrueCrypt to secure critical data, and indeed entire drives, supposedly safe in the knowledge that their data was protected from prying eyes. Then along came Edward Snowden’s startling exposé, and all of a sudden people were not so certain any more. What if the NSA had somehow planted a backdoor in TrueCrypt that allowed the encryption to be circumvented and left all that personal data open to surveillance?

This was the hypothetical scenario that prompted a consortium of software companies to raise $80,000, under the banner ‘Open Crypto Audit Project’ (OCAP), to fund audits of the TrueCrypt code and its cryptography. In January this year the US consultancy iSEC Partners was engaged to undertake the first phase: a thorough security code audit of TrueCrypt’s Windows kernel driver and bootloader. That work has now been completed and its findings published.

The good news first: according to the iSEC report, no issues were rated ‘high severity’ and no evidence of backdoors or intentional flaws was found. The audit did reveal a number of bugs, but these were assessed as accidental rather than deliberate. From the report:

iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors. All identified findings appeared accidental.

In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report.

While these findings are bound to offer some relief to the multitude of TrueCrypt users, it ain’t quite over yet. The second phase of the audit will examine TrueCrypt’s key cryptographic algorithm, random number generators and implementation, among other aspects. Bear in mind, too, that a code review can only speak for the code it examined: “no evidence of backdoors” in the bootloader and kernel driver says nothing yet about the cryptography itself, which is precisely what the second phase is for.


About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT, a computer veteran with 30+ years’ experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.

2 Comments

  1. To title this article “Audit Clears TrueCrypt of NSA Backdoors” is grossly misleading.
    The audit consists of 2 phases: General program coding (and a very limited scope at that) and crypto stuff. They just published the results of the 1st phase audit. They haven’t done the crypto part yet.

    Another inaccuracy: the money raised to finance the audit was not provided by “consortium of software companies” – it was raised through donations by private individuals.

    • iSEC’s official announcement clearly states that the code audit does indeed clear TrueCrypt of any NSA backdoor…

      The audit conducted by iSEC is now complete. iSEC found no evidence of backdoors or intentional flaws.

      Furthermore, the final paragraph of the article clearly states…

      it ain’t quite over yet. The second phase of the audit will examine TrueCrypt’s key cryptographic algorithm, random number generators and implementation.

      The article does not say that the consortium of software companies (OCAP) “provided” the funds, it says they “raised” the funds, which is a different kettle of fish altogether and totally accurate.