The popular TrueCrypt full-disk encryption project shut down last year under mysterious circumstances, leaving concerns about the application's security and trustworthiness in its wake. As it happened, a group of cryptologists working under the banner of the Open Crypto Audit Project (OCAP) had already begun a community-driven audit of TrueCrypt's codebase. They continued their work in order to determine the fitness of TrueCrypt code as a basis for future forks. Today, they released the results of the audit in partnership with information assurance firm NCC Group, and the verdict is largely positive.
Matthew Green, one of OCAP's directors, summarized the results on his blog:
The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.
That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.
The most worrisome bug is said to lie in the random number generator of the Windows version of TrueCrypt, whose entropy pool relies in part on the Windows Crypto API. TrueCrypt can continue generating keys even if it detects that the Crypto API fails to initialize, which Green says should instead produce a critical error. Green also notes that TrueCrypt's AES code appears to be vulnerable to cache timing attacks.
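The fail-open pattern the audit describes can be seen in a small model of an entropy pool. The code below is an added illustration, not TrueCrypt's own code: the `os_crypto_api_entropy` function stands in for a system CSPRNG call that can fail to initialize, and the two `generate_key_*` functions show the difference between silently skipping that source and refusing to produce a key without it. The pool construction, source names and `EntropySourceError` are all assumptions made for the example.

```python
import hashlib
import os
import time


class EntropySourceError(Exception):
    """Raised when a required entropy source is unavailable."""


def os_crypto_api_entropy(available=True, nbytes=32):
    """Stand-in for an OS CSPRNG call (hypothetical; models a provider
    that may fail to initialize).  Returns None on failure instead of
    raising, which is the behaviour that invites the fail-open bug."""
    if not available:
        return None
    return os.urandom(nbytes)


def weak_sources():
    """Low-quality, guessable inputs (clock and process id) of the kind a
    pool might mix in alongside the OS CSPRNG.  Constructed for the example."""
    return time.time_ns().to_bytes(8, "little") + os.getpid().to_bytes(4, "little")


def mix(pool, data):
    """Fold new material into the pool with a hash."""
    return hashlib.sha512(pool + data).digest()


def generate_key_fail_open(crypto_api_available=True):
    """Weak variant: if the OS CSPRNG is missing, the key is derived from
    the guessable sources alone and the caller never learns about it."""
    pool = mix(b"", weak_sources())
    strong = os_crypto_api_entropy(crypto_api_available)
    if strong is not None:  # silently skipped when the provider failed
        pool = mix(pool, strong)
    return hashlib.sha256(pool).digest()


def generate_key_fail_closed(crypto_api_available=True):
    """Hardened variant: a missing OS CSPRNG is a critical error, so no key
    is produced from the weak sources alone."""
    pool = mix(b"", weak_sources())
    strong = os_crypto_api_entropy(crypto_api_available)
    if strong is None:
        raise EntropySourceError("OS CSPRNG unavailable; refusing to generate a key")
    pool = mix(pool, strong)
    return hashlib.sha256(pool).digest()


if __name__ == "__main__":
    # With the provider working, both variants produce a 32-byte key.
    print(generate_key_fail_open(True).hex())
    print(generate_key_fail_closed(True).hex())
    # With the provider failed, only the fail-closed variant refuses.
    print(generate_key_fail_open(False).hex())
    try:
        generate_key_fail_closed(False)
    except EntropySourceError as err:
        print("fail-closed:", err)
```

The point of the comparison is that the fail-open function returns a key of the right length either way, so nothing downstream can tell that the strong source was absent; checking the return value of the entropy call and aborting is the only place the condition is visible.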
Green expresses optimism that the TrueCrypt code can serve as a solid foundation for future encryption projects. TrueCrypt users might be able to rest easier now, knowing that the NSA and GCHQ don't appear to have skeleton keys for volumes encrypted with the software.