Audit: TrueCrypt Does Not Contain Backdoors

A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group for Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised.

However, the software was found to contain a few other security vulnerabilities, including one relating to the use of the Windows API to generate random numbers for master encryption key material. Despite this, TrueCrypt was given a relatively clean bill of health with none of the detected vulnerabilities considered severe enough to lead “to a complete bypass of confidentiality in common usage scenarios”.TrueCrypt

NCC’s report reveals a total of four vulnerabilities in TrueCrypt, with two of them being marked as severe. The most worrying — although it must be stressed that the report does not suggest that there is real cause for concern — stems from the fact that random numbers are generated based on values from a Windows API. Should this API fail for any reason, TrueCrypt may continue to generate keys with the possibility of an element of predictability — clearly not ideal for encryption software.

Moving forward, the report stresses the importance of improving error handing in the software:

Because TrueCrypt aims to be security-critical software, it is not appropriate to fail silently or attempt to continue execution in unusual program states. More than simply aborting the application, attempt to gather relevant diagnostic information and make it available for submission to developers to diagnose root-causes. This is especially important as it is difficult to fully test code on multiple operating systems and configurations.

With an increased interest in the activities of the NSA, and particularly in the suggestion that hardware and software should have backdoors built in by default, the report comes as good news overall for TrueCrypt users.