Dancing in code —

TrueCrypt audit finds “no evidence of backdoors” or malicious code

Crypto prof: "Nothing terrible is in there, so that's reassuring."

On Monday, after seven months of discussion and planning, the first phase of a two-part audit of TrueCrypt was released.

The results? iSEC, the company contracted to review the bootloader and Windows kernel driver for any backdoor or related security issue, concluded (PDF) that TrueCrypt has: “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”

While the team did find some minor vulnerabilities in the code itself, iSEC labeled them as appearing to be “unintentional, introduced as the result of bugs rather than malice.”

Since September 2013, a handful of cryptographers have been discussing new problems and alternatives to the popular security application. By February 2014, the Open Crypto Audit Project—a new organization based in North Carolina that seeks formal 501(c)3 non-profit status—raised around $80,000 toward this goal on various online fundraising sites.

“[The results] don't panic me,” Matthew Green, a Johns Hopkins cryptography professor who has been one of the people leading this effort, told Ars. “I think the code quality is not as high as it should be, but on the other hand, nothing terrible is in there, so that's reassuring.”

Green said that the second phase was now to perform a “detailed crypto review and make sure that there’s no bug in the encryption.”

Specifically, the report continued:

Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth. A more in-depth discussion on the quality issues identified can be found in Appendix B. In contrast to the TrueCrypt source code, the online documentation available at http://www.truecrypt.org/docs/ does a very good job at both describing TrueCrypt functionality and educating users on how to use TrueCrypt correctly. This includes recommendations to enable full disk encryption that protects the system disk, to help guard against swap, paging, and hibernation-based data leaks.

The team also found a potential weakness in the Volume Header integrity checks. Currently, integrity is provided using a string (“TRUE”) and two (2) CRC32s. The current version of TrueCrypt utilizes XTS as the block cipher mode of operation, which lacks protection against modification; however, it is insufficiently malleable to be reliably attacked. The integrity protection can be bypassed, but XTS prevents a reliable attack, so it does not currently appear to be an issue. Nonetheless, it is not clear why a cryptographic hash or HMAC was not used instead.
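
The distinction the report draws between a magic string plus CRC32 and an HMAC can be seen in a short added example, which is not code from the iSEC report or from TrueCrypt. The header layout, field contents and key below are constructed for illustration, and the XTS encryption layer that covers the real header is left out, so this shows only what each check accepts once header bytes have been decrypted.

```python
import hashlib
import hmac
import struct
import zlib

MAGIC = b"TRUE"

def seal_crc(body: bytes) -> bytes:
    """Keyless check: magic || CRC32(body) || body."""
    return MAGIC + struct.pack(">I", zlib.crc32(body)) + body

def verify_crc(header: bytes) -> bool:
    if len(header) < 8 or header[:4] != MAGIC:
        return False
    (stored,) = struct.unpack(">I", header[4:8])
    return stored == zlib.crc32(header[8:])

def seal_hmac(key: bytes, body: bytes) -> bytes:
    """Keyed check: magic || HMAC-SHA256(key, magic || body) || body."""
    return MAGIC + hmac.new(key, MAGIC + body, hashlib.sha256).digest() + body

def verify_hmac(key: bytes, header: bytes) -> bool:
    if len(header) < 36 or header[:4] != MAGIC:
        return False
    expected = hmac.new(key, MAGIC + header[36:], hashlib.sha256).digest()
    return hmac.compare_digest(header[4:36], expected)  # constant-time compare

def demo() -> dict:
    key = bytes(range(32))                          # constructed sample key
    body = b"sector_size=512;volume_size=1048576"   # constructed header fields
    changed = body.replace(b"=1048576", b"=9048576")  # one byte differs
    crc_hdr, mac_hdr = seal_crc(body), seal_hmac(key, body)
    return {
        "crc_original": verify_crc(crc_hdr),
        # Changed body with a stale checksum: CRC32 catches the corruption.
        "crc_changed_stale": verify_crc(crc_hdr[:8] + changed),
        # Changed body with the checksum recomputed: no secret was needed.
        "crc_changed_resealed": verify_crc(seal_crc(changed)),
        "hmac_original": verify_hmac(key, mac_hdr),
        "hmac_changed_stale": verify_hmac(key, mac_hdr[:36] + changed),
        # Changed body tagged under a key that is not the real one: rejected.
        "hmac_changed_wrong_key": verify_hmac(key, seal_hmac(b"\x00" * 32, changed)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24} accepted={accepted}")
```

The CRC32 check tells accidental corruption apart from an intact header, but it accepts any header whose checksum was recomputed after the change; the HMAC check accepts only headers tagged under the correct key.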

Green also told Ars that he corresponded with one “David Morgan at TrueCrypt.com, who may or may not be a real person”—the software’s developers remain mysteriously anonymous—to inform them of the plan to do the audit and share the audit results.

The crypto professor said that Morgan acknowledged the Volume Header weakness but said that TrueCrypt “was only supposed to protect you against certain things” and not be as foolproof as some may like it.

“It did not seem extremely important, but I think it's good to know about,” Green noted. “But I think it's good that we didn't find anything super critical.”
