Audit Clears TrueCrypt of NSA Backdoors


Edward Snowden’s revelations regarding the NSA’s covert spying activities not only heightened the issue of online privacy, they also created a general atmosphere of suspicion and mistrust. One piece of software that came under the microscope in particular was the popular and widely used TrueCrypt.

More than 30 million users worldwide have utilized the free and open source encryption software TrueCrypt to secure critical data and indeed entire drives, supposedly safe in the knowledge that their data was being protected from prying eyes. Then, along came Edward Snowden’s startling expose and all of a sudden people were not so certain any more. What if the NSA had somehow planted a backdoor into TrueCrypt which enabled circumvention of the encryption and left all that personal data open to surveillance?

This was the hypothetical scenario that prompted a consortium of software companies to raise $80,000, under the banner ‘Open Crypto Audit Project’ (OCAP), to fund audits of the TrueCrypt code and its cryptography. In January this year US consultancy iSEC was employed to undertake a thorough security code audit, which has now been completed and its findings published.

The good news, according to the iSEC report… “iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws.”

The audit did reveal a number of inherent bugs but these were assessed as “accidental”:

iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors. All identified findings appeared accidental.

In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report.

While these findings are bound to offer some relief for the multitude of TrueCrypt users, it ain’t quite over yet. The second phase of the audit will examine TrueCrypt’s key cryptographic algorithms, random number generators and their implementation, among other aspects.

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.
