Much Ado About TrueCrypt

TrueCrypt, the popular cross-platform disk encryption tool, might be secure after all, according to the Open Crypto Audit Project. This comes as something of a surprise after its anonymous creators suddenly changed the status of the project to "inactive" and changed the project’s SourceForge page to say that "using TrueCrypt is not secure as it may contain unfixed security issues" early last year.

Since then there has been almost constant talk of possible cryptographic weaknesses, NSA backdoors, conspiracy theories, and, most importantly, what to do next.

Thankfully, this seems to have been false. Aside from a few fairly minor vulnerabilities, the audit came up with nothing: no NSA backdoors, no weakened cryptography and all in all it turns out it’s a pretty good piece of software. 

Some people have said this all along. “Truecrypt appears to be a relatively well-designed piece of crypto software,” according to Matthew Green, a cryptographer and research professor at Johns Hopkins University, who led the audit. “The NCC audit found no evidence of deliberate backdoors or any severe design flaws that will make the software insecure in most instances.”

Testing It Twice 

The audit was performed in two phases:

  • Phase One was a source code audit, which tested the implementation of the cryptographic algorithms, often the weakest point in modern-day cryptographic software
  • Phase Two was a formal cryptanalysis

Ultimately, the audit report revealed four relatively minor vulnerabilities but nothing that would indicate that you should stop using it. The audit was of version 7.1a of the TrueCrypt source code, which is still available here, and there are currently at least three forks of the original project under current development: VeraCrypt, TCnext, and CipherShed.

So why did the authors abandon the code and post that message? It seems the original developers are no longer interested in maintaining the project, according to Green. 

So Is It Safe To Use?

World-renowned cryptographer Bruce Schneier thinks so. In a recent blog post Schneier noted that the auditors had found a few vulnerabilities, but “nothing that would make me not use the program, though.”

About David Venable

VP, Cybersecurity, Masergy
David Venable, Vice President of Cyber Security at Masergy Communications, has over 15 years’ experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a former intelligence collector with the National Security Agency, with extensive experience in Computer Network Exploitation, Information Operations, and Digital Network Intelligence. He also served as adjunct faculty at the National Cryptologic School.