Audit Concludes No NSA Backdoors in TrueCrypt Software

An audit of the TrueCrypt cryptographic software has found a few design flaws but no evidence of intentional backdoors that could make it vulnerable to penetration by intelligence agencies such as the National Security Agency (NSA). The TrueCrypt freeware, which was discontinued by its developers in May, had been used by the team of journalists who obtained a large cache of documents about government surveillance programs from former NSA contractor and whistleblower Edward Snowden.

Published Thursday, the audit's findings described four vulnerabilities in the TrueCrypt software, none of which would have led to a complete loss of confidentiality of encrypted documents. The report was prepared by the NCC Group for the Open Crypto Audit Project, a community-led initiative charged with conducting a public audit and cryptanalysis of TrueCrypt.

At the time, TrueCrypt's announcement that it was ending development of its product was accompanied by a warning that "using TrueCrypt is not secure as it may contain unfixed security issues." The news prompted numerous questions in the crypto community, which had already raised funds for a phase-one audit of the software that found no signs of security backdoors. The report issued this week summarized the findings of phase two of the audit.

'Well-Designed Software'

"TrueCrypt appears to be a relatively well-designed piece of crypto software," Johns Hopkins University research professor and cryptographer Matthew Green wrote Thursday in his TL;DR blog post. "The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most cases."

However, NCC Group security engineers Alex Balducci, Sean Devlin and Tom Ritter did identify four less-severe vulnerabilities in version 7.1a of the TrueCrypt software. The most serious of those arose when the Windows Crypto API, "in certain obscure situations," failed to initialize properly and the failure went unreported, so the random number generator carried on without that source of entropy...
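The failure mode described above, an entropy source that fails and is silently skipped, is worth seeing in code. The following is an added Python illustration written for this page, not TrueCrypt's code or the NCC report's: `os_crypto_api` is a simulated stand-in for the Windows Crypto API call, `mouse_and_keyboard` is a constructed low-entropy stand-in for user-input timing, and the two `rng_*` functions contrast the silent-failure pattern with a fail-closed one.

```python
"""Silent entropy-source failure vs. fail-closed handling.

Constructed illustration (not TrueCrypt code). The OS source is simulated so
the example runs offline on any platform.
"""
import hashlib
import secrets


class EntropySourceError(Exception):
    """Raised when a required entropy source is unavailable."""


def os_crypto_api(nbytes, available=True):
    """Simulated platform CSPRNG (stands in for CryptAcquireContext/CryptGenRandom).

    Mimics an API that reports failure only through its return value, so a
    caller that never checks the result never notices.
    """
    if not available:
        return None
    return secrets.token_bytes(nbytes)


def mouse_and_keyboard(nbytes):
    """Constructed low-entropy source: a deterministic byte pattern standing in
    for input timings that an attacker could plausibly model or replay."""
    return bytes((i * 7) & 0xFF for i in range(nbytes))


def mix_pool(chunks):
    """Mix collected chunks into a pool with SHA-512 (simplified pool update)."""
    h = hashlib.sha512()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def rng_silent(nbytes, os_available=True):
    """Vulnerable pattern: if the OS source fails, just continue with whatever
    else was collected. The call still 'succeeds', but when the only remaining
    source is predictable the output is predictable too."""
    chunks = []
    os_bytes = os_crypto_api(32, available=os_available)
    if os_bytes is not None:          # failure is swallowed here
        chunks.append(os_bytes)
    chunks.append(mouse_and_keyboard(32))
    return mix_pool(chunks)[:nbytes]


def rng_fail_closed(nbytes, os_available=True):
    """Hardened pattern: treat the OS source as required and refuse to emit
    key material when it is unavailable."""
    os_bytes = os_crypto_api(32, available=os_available)
    if os_bytes is None:
        raise EntropySourceError("OS CSPRNG unavailable; refusing to generate key material")
    return mix_pool([os_bytes, mouse_and_keyboard(32)])[:nbytes]


def silent_output_is_repeatable(nbytes=16):
    """Demonstrate the weakness: with the OS source down, two 'random' outputs
    from the silent variant are identical, so an attacker who can reproduce the
    remaining source reproduces the key."""
    return rng_silent(nbytes, os_available=False) == rng_silent(nbytes, os_available=False)


if __name__ == "__main__":
    print("silent variant repeatable without OS source:", silent_output_is_repeatable())
    try:
        rng_fail_closed(16, os_available=False)
    except EntropySourceError as exc:
        print("fail-closed variant refused:", exc)
```

The point of the check is not the hashing but the branch: an entropy source whose failure is reported only by return value must be tested, and key generation must stop (or at least surface the error) rather than proceed on the remaining, possibly weak, inputs.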
