The popular TrueCrypt full-disk encryption project shut down last year under mysterious circumstances, leaving concerns about the application's security and trustworthiness in its wake. As it happened, a group of cryptologists working under the banner of the Open Crypto Audit Project (OCAP) had already begun a community-driven audit of TrueCrypt's codebase. They continued their work in order to determine the fitness of TrueCrypt code as a basis for future forks. Today, they released the results of the audit in partnership with information assurance firm NCC Group, and the verdict is largely positive.
Matthew Green, one of OCAP's directors, summarized the results on his blog:
The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.
That doesn't mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we'd like it to.
The most worrisome bug is said to lie in the random number generator of the Windows version of TrueCrypt, whose entropy pool relies in part on the Windows Crypto API. TrueCrypt can continue generating keys even if it detects that the Crypto API fails to initialize, which Green says should instead produce a critical error. Green also notes that TrueCrypt's AES code appears to be vulnerable to cache timing attacks.
Green expresses optimism that TrueCrypt code should be able to serve as a solid foundation for future encryption projects. TrueCrypt users might be able to rest easier now knowing that the NSA and GCHQ don't appear to have skeleton keys for volumes encrypted with the software.
|Aerocool's Project 7 P7-C1 Pro case reviewed||6|
|Google Project Tango is dead—long live ARCore||6|
|Thermaltake Sync box bridges RGB LED walled gardens||3|
|Intel tips off potential 960 GB and 1.5 TB Optane SSD 900Ps||6|
|Sapphire Nitro+ Radeon RX Vegas put a big chill on spicy-hot chips||17|
|Antec P110 Silent touts quiet looks and quiet operation||11|
|Updated LG Gram laptops put heavy-duty power into feathery bodies||17|
|Monkey Day Shortbread||14|
|Thursday deals: a nice Z370 mobo, a huge VA display, and more||6|
|Nice but unoptaneable.||+11|