Much Ado About TrueCrypt
TrueCrypt, the popular cross-platform disk encryption tool, might be secure after all, according to the Open Crypto Audit Project. This comes as something of a surprise after its anonymous creators suddenly changed the status of the project to "inactive" and changed the project's SourceForge page to say that "using TrueCrypt is not secure as it may contain unfixed security issues" early last year.
Since then there has been almost constant talk of possible cryptographic weaknesses, NSA backdoors, conspiracy theories, and, most importantly, what to do next.
Thankfully, those fears seem to have been unfounded. Aside from a few fairly minor vulnerabilities, the audit came up with nothing: no NSA backdoors, no weakened cryptography, and all in all it turns out to be a pretty good piece of software.
Some people have said this all along. "Truecrypt appears to be a relatively well-designed piece of crypto software," according to Matthew Green, a cryptographer and research professor at Johns Hopkins University, who led the audit. "The NCC audit found no evidence of deliberate backdoors or any severe design flaws that will make the software insecure in most instances."
Testing It Twice
The audit was performed in two phases:
Ultimately, the audit report revealed four relatively minor vulnerabilities but nothing that would indicate that you should stop using it. The audit covered version 7.1a of the TrueCrypt source code, which is still available here, and there are currently at least three forks of the original project under active development: VeraCrypt, TCnext, and CipherShed.
So why did the authors abandon the code and post that message? It seems the original developers are no longer interested in maintaining the project, according to Green.
So Is It Safe To Use?
World-renowned cryptographer Bruce Schneier thinks so. In a recent blog post Schneier noted that the auditors had found a few vulnerabilities, but "nothing that would make me not use the program, though."