Audit Concludes No NSA Backdoors in TrueCrypt Software
By Shirley Siluk / CRM Daily
An audit of the TrueCrypt cryptographic software has found a few design flaws but no evidence of intentional backdoors that could make it vulnerable to penetration by intelligence agencies such as the National Security Agency (NSA). The TrueCrypt freeware, which was discontinued by its developers in May, had been used by the team of journalists who obtained a large cache of documents about government surveillance programs from former NSA contractor and whistleblower Edward Snowden.

Published Thursday, the audit's findings described four vulnerabilities in the TrueCrypt software, none of which would have led to a complete loss of confidentiality of encrypted documents. The report was prepared by the NCC Group for the Open Crypto Audit Project, a community-led initiative charged with conducting a public audit and cryptanalysis of TrueCrypt.

At the time, TrueCrypt's announcement that it was ending development of its product was accompanied by a warning that "using TrueCrypt is not secure as it may contain unfixed security issues." The news raised numerous questions in the crypto community, which had already raised funds for a phase-one audit of the software that found no signs of security backdoors. The report issued this week summarized the findings of phase two of the audit.

'Well-Designed Software'

"TrueCrypt appears to be a relatively well-designed piece of crypto software," Johns Hopkins University research professor and cryptographer Matthew Green wrote Thursday in his TL;DR blog post. "The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most cases."

However, NCC Group security engineers Alex Balducci, Sean Devlin and Tom Ritter did identify four less-severe vulnerabilities in version 7.1a of the TrueCrypt software. The most serious of those arose when the Windows Crypto API "in certain obscure situations" failed to initialize properly, preventing the generation of random numbers for encryption keys.

"While disturbing, this issue should not cause failure on common Windows XP uses," the report's authors wrote.
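The failure mode described above, as an added illustration that is not part of the article or of TrueCrypt's own code: a simulated platform RNG that can fail to initialize, a key generator that swallows that failure (and so derives the key from a constructed low-entropy secondary input alone), and a hardened version that refuses to produce a key unless the strong source actually contributed. `platform_random` and `aux_input` are assumptions, not real APIs or TrueCrypt internals.

```python
import hashlib
import os
KEY_BYTES = 32

class EntropySourceError(Exception):
    """Raised when the platform random-number source is unavailable."""

def platform_random(nbytes, fail=False):
    # Stand-in for a platform CSPRNG (assumed name, not a real API); `fail` simulates
    # the initialization failure the article describes.
    if fail:
        raise EntropySourceError("platform RNG failed to initialize")
    return os.urandom(nbytes)

def keygen_ignores_failure(aux_input, rng_fail=False):
    """Vulnerable: the failure is swallowed, so the key depends on aux_input only."""
    pool = hashlib.sha256()
    try:
        pool.update(platform_random(KEY_BYTES, fail=rng_fail))
    except EntropySourceError:
        pass  # bug: no abort, no record that the strong source contributed nothing
    pool.update(aux_input)  # constructed low-entropy secondary input
    return pool.digest()

def keygen_fails_closed(aux_input, rng_fail=False):
    """Hardened: count bytes the strong source contributed; refuse if too few."""
    pool = hashlib.sha256()
    strong_bytes = 0
    try:
        chunk = platform_random(KEY_BYTES, fail=rng_fail)
        pool.update(chunk)
        strong_bytes += len(chunk)
    except EntropySourceError:
        pass  # handled by the explicit check below
    pool.update(aux_input)
    if strong_bytes < KEY_BYTES:
        raise EntropySourceError("only %d of %d strong bytes; refusing to generate key"
                                 % (strong_bytes, KEY_BYTES))
    return pool.digest()

def key_from_aux_only(aux_input):
    """What the vulnerable generator emits when the RNG fails: SHA-256 of aux_input alone."""
    return hashlib.sha256(aux_input).digest()

def fails_closed_refuses(aux_input):
    """True if the hardened generator refuses to produce a key without the RNG."""
    try:
        keygen_fails_closed(aux_input, rng_fail=True)
    except EntropySourceError:
        return True
    return False
```

The point to take from it is the check, not the hash: a generator that cannot tell how much of its output came from a working strong source cannot know whether its keys are safe.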

Another relatively serious flaw affected how well TrueCrypt's AES code implementation might be able to resist cache-timing attacks. However, Green noted, "This is probably not a concern unless you're perform(ing) encryption and decryption on a shared machine, or in an environment where the attacker can run code on your system (e.g., in a sandbox, or potentially in the browser)."

Development of Forks Continues

The latest findings on TrueCrypt leave unanswered questions about why the software's developers abandoned their project so abruptly. One theory suggests they closed up shop to avoid being publicly identified. However, the audit results should relieve some concerns about the use of other encryption programs -- including VeraCrypt and CipherShed -- based on the TrueCrypt code.

While TrueCrypt was not open source, its developers appear unlikely -- given their sudden shutdown of operations -- to pursue others that have built new forks using their original program. Another organization seeking to keep the software alive is a Swiss-based team that established a site providing access to downloads of the TrueCrypt 7.1a software for Windows, Mac and Linux.

"The loss of TrueCrypt's developers is keenly felt by a number of people who rely on full disk encryption to protect their data," Green wrote. "With luck, the code will be carried on by others. We're hopeful that this review will provide some additional confidence in the code they're starting with."

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.