No Backdoors in Truecrypt, Finds Code ReviewApril 7, 2015 – 8:51 AM
A long-awaited code review of encryption service Truecrypt has finally been completed, with the good news being that there are no deliberate backdoors in the “relatively well-designed” piece of software.
Cryptographic expert Matthew Green revealed the news in a blog post last week, claiming that the NCC Crypto Services group had found “no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”
“That doesn’t mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming — leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we’d like it to.”
One major issue relates to the Windows version of Truecrypt’s random number generator (RNG), responsible for generating the all-important encryption keys.
A malfunctioning API in the software might fail to initialize and continue to generate keys even when it should stop, warned Green.
Another issue found by the auditors apparently relates to Truecrypt’s AES code and its ability to resist cache timing attacks.
The review means the crypto platform, abruptly abandoned last year, could be used to create new forked versions in the future.
Shortly after the original service was taken offline by its anonymous developers – who claimed it “may contain unfixed security issues” – a new group based in Switzerland said it would be co-ordinating efforts to make existing versions of the product available again and eventually to fork the code for future development.
“Truecrypt is a really unique piece of software. The loss of Truecrypt’s developers is keenly felt by a number of people who rely on full disk encryption to protect their data,” concluded Green.
“With luck, the code will be carried on by others. We’re hopeful that this review will provide some additional confidence in the code they’re starting with.”