The popular TrueCrypt full-disk encryption project shut down last year under mysterious circumstances, leaving concerns about the application's security and trustworthiness in its wake. As it happened, a group of cryptologists working under the banner of the Open Crypto Audit Project (OCAP) had already begun a community-driven audit of TrueCrypt's codebase. They continued their work in order to determine the fitness of TrueCrypt code as a basis for future forks. Today, they released the results of the audit in partnership with information assurance firm NCC Group, and the verdict is largely positive.
Matthew Green, one of OCAP's directors, summarized the results on his blog:
The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.
That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.
The most worrisome bug is said to lie in the random number generator of the Windows version of TrueCrypt, whose entropy pool is seeded in part by the Windows Crypto API. If that API fails to initialize, TrueCrypt can carry on mixing its remaining entropy sources and generating keys rather than halting, which Green says should instead be treated as a critical error: a key derived only from the remaining sources is only as unpredictable as those sources are. Green also notes that TrueCrypt's AES code appears to be vulnerable to cache timing attacks, a known weakness of table-driven AES implementations.
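To make the RNG finding concrete, the following is an added example written for this article, not TrueCrypt's own code. It models a multi-source entropy pool in Python: a stand-in for the Windows Crypto API that can fail to initialize (the `available` flag is a hypothetical switch for the demo), a set of constructed, fixed "other" sources standing in for timings and UI events, and two key-generation routines. The legacy routine swallows the API failure and keeps going, so an attacker who can observe or guess the other sources reproduces the key exactly; the fail-closed routine refuses to produce a key at all.

```python
import hashlib
import os
from typing import Iterable, List


class CryptoApiUnavailable(Exception):
    """Raised when the system CSPRNG (modelled on the Windows Crypto API)
    cannot be initialised."""


def system_csprng_source(available: bool) -> bytes:
    """Stand-in for CryptGenRandom. `available` is a hypothetical parameter
    that simulates whether the CryptAcquireContext step succeeded."""
    if not available:
        raise CryptoApiUnavailable("CryptAcquireContext failed")
    return os.urandom(32)


def weak_sources() -> List[bytes]:
    """Constructed stand-ins for the pool's other inputs (mouse positions,
    tick counts, process ids). Fixed here so the demo is deterministic;
    the point is that a real attacker may be able to reproduce them."""
    return [b"mouse:0012,0340", b"tick:17021024", b"pid:4321"]


def mix_pool(sources: Iterable[bytes]) -> bytes:
    """Hash-chain every source into a 64-byte pool (a simplified mixer,
    not TrueCrypt's actual pool design)."""
    pool = b"\x00" * 64
    for s in sources:
        pool = hashlib.sha512(pool + s).digest()
    return pool


def generate_key_legacy(crypto_api_available: bool,
                        extra_sources: Iterable[bytes]) -> bytes:
    """Models the audited behaviour: the primary source failing is ignored
    and a key is still produced from whatever sources remain."""
    sources = list(extra_sources)
    try:
        sources.append(system_csprng_source(crypto_api_available))
    except CryptoApiUnavailable:
        pass  # BUG: primary source failed, but key generation continues
    return mix_pool(sources)[:32]


def generate_key_fail_closed(crypto_api_available: bool,
                             extra_sources: Iterable[bytes]) -> bytes:
    """Hardened form: a CSPRNG initialisation failure aborts key generation.
    The exception propagates to the caller instead of being swallowed."""
    sources = list(extra_sources)
    sources.append(system_csprng_source(crypto_api_available))
    return mix_pool(sources)[:32]


def attacker_can_reproduce(key: bytes, observed_sources: Iterable[bytes]) -> bool:
    """True if recomputing the pool from the observed (non-CSPRNG) sources
    alone yields the same key, i.e. the key carried no secret entropy."""
    return mix_pool(observed_sources)[:32] == key


def hardened_refuses(crypto_api_available: bool) -> bool:
    """True if the fail-closed generator raises instead of returning a key."""
    try:
        generate_key_fail_closed(crypto_api_available, weak_sources())
    except CryptoApiUnavailable:
        return True
    return False


if __name__ == "__main__":
    k = generate_key_legacy(False, weak_sources())
    print("legacy key reproducible by attacker:", attacker_can_reproduce(k, weak_sources()))
    print("hardened generator refuses on API failure:", hardened_refuses(False))
```

Run it and the legacy path reports that the key is fully reproducible from the observed sources, while the hardened path raises. The design choice is simply to let the failure of the one source that is supposed to be unguessable abort the operation, rather than letting lower-quality sources silently carry the whole key.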
Green expresses optimism that TrueCrypt code should be able to serve as a solid foundation for future encryption projects. TrueCrypt users might be able to rest easier now knowing that the NSA and GCHQ don't appear to have skeleton keys for volumes encrypted with the software.