TrueCrypt Security Audit Concludes No NSA Backdoor

The security audit of the TrueCrypt disk-encryption software has been completed, with no evidence of any critical design vulnerabilities or deliberate backdoors in its code.

TrueCrypt -- one of the world's most-used open-source file-encryption programs, used by millions of privacy and security enthusiasts -- has been audited for the past two years by a team of security researchers to assess whether it could be easily exploited and cracked. Hopefully, it has cleared the second phase of the audit.

TrueCrypt is a free, open-source and cross-platform encryption program, available for Windows, OS X and Linux, that can be used to encrypt individual folders or entire hard drive partitions, including the system partition.


Security auditors and cryptography experts at NCC took the initiative to perform a public information-security audit of TrueCrypt in response to concerns that the National Security Agency (NSA) may have tampered with it, according to a classified document leaked by Edward Snowden.

"TrueCrypt appears to be a relatively well-designed piece of crypto software," cryptographic expert Matthew Green wrote in a blog post on Thursday. "The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."

TrueCrypt cleared the first phase of the audit, which reviewed the blueprints of the software and gave it a relatively clean bill of health almost a year ago. In the first phase, auditors discovered 11 issues of medium and low severity in the software.

Now, the auditors from NCC Group's Cryptography and Security Audit Services have finalized and published the 21-page Open Cryptographic report on the second phase of the audit, which examined TrueCrypt's implementation of random number generators and critical key algorithms, and its various encryption cipher suites.


The report uncovered four vulnerabilities in the latest original version of the software, but none of them could lead to a bypass of confidentiality or let hackers use deformed inputs to subvert TrueCrypt. The vulnerabilities are given below:

  • Keyfile mixing is not cryptographically sound -- Low severity
  • Unauthenticated ciphertext in volume headers -- Undetermined
  • CryptAcquireContext may silently fail in unusual scenarios -- High severity
  • AES implementation susceptible to cache timing attacks -- High severity

The most critical of the four vulnerabilities involved the use of a Windows API to generate the random numbers used for the master cryptographic key.

A separate vulnerability of undetermined severity: the checks performed on volume header decryption were susceptible to tampering. Also, a low-severity flaw: the method used to mix the entropy of keyfiles was not cryptographically sound.

Another high severity flaw identified refers to "several included AES implementations that may be vulnerable to cache-timing attacks."

Source: thehackernews.com

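Of the four findings, the unauthenticated volume header is the one whose consequence is easiest to show. The Python below is an added example, not code from the article, from TrueCrypt or from the NCC report: it uses a constructed toy header layout, a SHA-256 counter-mode keystream as a stand-in for the cipher (TrueCrypt's XTS mode is likewise encryption-only, with no integrity check), and constructed keys and nonce. It shows that a single flipped ciphertext bit in an unauthenticated header decrypts without any error to a changed volume-size field, while an encrypt-then-MAC header (HMAC-SHA256 over nonce and ciphertext, verified with a constant-time compare) rejects the same tampering before any field is parsed.

```python
import hashlib
import hmac

# Constructed keys and nonce, fixed so the example is deterministic.
# They are not values from TrueCrypt or from the NCC report.
ENC_KEY = hashlib.sha256(b"example-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"example-mac-key").digest()
NONCE = bytes(range(16))

# Constructed toy header layout: 4-byte magic, 8-byte volume size (big endian),
# 4 reserved bytes. This is not TrueCrypt's real header format.
MAGIC = b"TRUE"
VOLUME_SIZE = 1 << 30
HEADER_PLAINTEXT = MAGIC + VOLUME_SIZE.to_bytes(8, "big") + b"\x00" * 4
SIZE_LOW_BYTE = 11  # offset of the least significant byte of the size field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (not XTS, not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream. Malleable on its own:
    flipping a ciphertext bit flips the same plaintext bit."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def parse_header(plaintext: bytes) -> int:
    """Return the volume size; only the magic is checked, as a decryptor with
    no authentication tag would do."""
    if plaintext[:4] != MAGIC:
        raise ValueError("bad magic")
    return int.from_bytes(plaintext[4:12], "big")


def flip_bit(blob: bytes, index: int) -> bytes:
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def unauthenticated_tamper() -> int:
    """Unauthenticated header: the flipped bit decrypts 'cleanly' to a changed size."""
    ct = xor_crypt(ENC_KEY, NONCE, HEADER_PLAINTEXT)
    tampered = flip_bit(ct, SIZE_LOW_BYTE)
    return parse_header(xor_crypt(ENC_KEY, NONCE, tampered))


def seal_header(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = xor_crypt(ENC_KEY, NONCE, plaintext)
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return NONCE + ct + tag


def open_header(blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header authentication failed")
    return xor_crypt(ENC_KEY, nonce, ct)


def authenticated_tamper() -> bool:
    """Same bit flip against the sealed header: rejected before any field is parsed."""
    tampered = flip_bit(seal_header(HEADER_PLAINTEXT), 16 + SIZE_LOW_BYTE)
    try:
        open_header(tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("original volume size:", parse_header(HEADER_PLAINTEXT))
    print("unauthenticated tampered size:", unauthenticated_tamper())
    print("authenticated tamper rejected:", authenticated_tamper())
```

The point of the first half is that `parse_header` has no way to tell a legitimately decrypted size from a corrupted one; the MAC in the second half is what turns "ciphertext was modified" into a detectable failure, and `hmac.compare_digest` keeps the comparison itself from leaking the tag through timing.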

Yes, but if the original developers no longer work on it and it's just a recompile (and a dubious one at that; who bothers to verify those MD5s against the original ones, etc. etc.), who still trusts it if it's no longer kept up to date with the security problems that can come up...

The interest was in TrueCrypt.

I don't think they shut it down just because they got a letter from Big Brother.

So I think they realised it has some mega flaw, and rather than make it public, they preferred to drop it.


TrueCrypt has always been open source. Anyone can fork it and carry it on; in fact there are already several versions. The only challenge is for a group to be capable enough to maintain the standard of quality and trust.
