Last May, Truecrypt made waves on the Internet when the anonymous developers shut down their SourceForge site and stated the tool was insecure and that BitLocker was a better solution. Many speculated that the site may have been hacked, that the NSA had forced the developers to stop updating the tool, or that the security audit Truecrypt was undergoing had found a major flaw and the developers just gave up.
While nobody knows the real reason, it looks like the last theory has been debunked. The code audit of TrueCrypt has been completed and the auditors found no instances of major flaws or backdoors installed in the code. This is good news for people who continue to use the tool for security, or who want to fork the code and make their own derivatives, such as VeraCrypt.
The audit did find a few serious vulnerabilities in the code, the main one being that the random number generator is tied to a Windows Crytpography API, and if that function is unavailable for some reason, the resulting encryption of your files will be much weaker. In addition, the AES encryption could potentially be vulnerable to a timing attack. Neither of these weaknesses are very likely to be exploited, but they are potential vulnerabilities.
So what does this mean for normal users? It looks like you can continue to use TrueCrypt without fear of secret backdoors. In addition, despite the warning on the SourceForge page, there are no serious vulnerabilities in the code, so you're probably safe continuing to use the old version if you don't want to switch to VeraCrypt or a similar derivative.
Source: Cryptography Engineering | Image courtesy of Advance Pensa Cola
18 Comments - Add comment