Truecrypt is Secure - It Has Passed the Final Audit

The disk encryption software Truecrypt, a popular tool that was endorsed by Edward Snowden, has passed a full source code security audit. This comes on the heels of the developers of the app mysteriously quitting the project and recommending that people use a questionable Microsoft solution.

The initial audit of the bootloader was performed by iSec who found only minor issues with the software that would not compromise security. The full report of the phase I audit is here: 
https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf

The phase II audit was completed by NCC. The full report can be read here:
https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf

The phase II audit only found two minor problems that can fixed in forks. One was that elements of the entropy pool, which contains methods for gathering random data to encrypt with, can fail to properly initialize. Truecrypt should crash or throw error when this happens but silently accepts the error and continues working. This could lead to less random sources of data in a compromised system. The second issue was with the possibility of cache timing attacks, which a person would need admin access or advanced clandestine equipment used over a long period of time to be able to weaken the security of a Truecrypt volume.

In short, Truecrypt is audited and clean. We can now move on to evaluating the forks of the software and trusting that the software is largely secure due to the strong Truecrypt 7.1a code base.

Also, credit to Matthew Green for posting the news first about the TC audit.
http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html


< last
next >