TrueCrypt Provides Good Data Protection: Audit

A recent security audit has shown that while TrueCrypt is plagued by some vulnerabilities, the product is efficient when it comes to protecting data, particularly in cases where an encrypted disk is lost or stolen.

TrueCrypt, a popular open source file and disk encryption software, was discontinued in May 2014 by its anonymous developers who warned users that the product was not secure and advised them to migrate to other solutions. While there are some promising forks, such as VeraCrypt and CipherShed, the original TrueCrypt is still used by many, especially since there is no evidence that its encryption can be easily cracked.

Several months before it was discontinued, the Open Crypto Audit Project (OCAP) announced its intention to conduct a comprehensive audit and cryptanalysis of TrueCrypt. The audit was completed in April 2015, and while researchers found some weaknesses, they did not identify any backdoors or serious design flaws.

Some security issues related to the Windows driver code used by TrueCrypt were disclosed in October by researchers at Google’s Project Zero. However, experts noted at the time that the flaws don’t have a direct impact on the security of encrypted drive volumes at rest.

New TrueCrypt Audit by German Government

The latest TrueCrypt audit was conducted over a six-month period by the Fraunhofer Institute for Secure Information Technology (SIT) on behalf of the German Federal Office for Information Security (BSI). Researchers performed a thorough analysis of the last full version of TrueCrypt, 7.1a, and determined that the product is “safer than previous examinations suggest.”

German experts targeted the encryption mechanism, source code vulnerabilities, the quality of the code and documentation, and the program’s design and architecture. The findings of the OCAP report have also been analyzed to determine if any of the identified issues pose a serious threat.

Auditors noted that there are some quality issues related to TrueCrypt documentation and maintainability. From a security standpoint, experts found that the application of cryptography is not optimal.

“The AES implementation is not timing-resistant, key files are not used in a cryptographically secure way and the integrity of volume headers is not properly protected. There are many redundant implementations (sometimes for hardware-optimization) and disused algorithms are still present in a deactivated form in the source code,” the BSI report reads.

Despite these issues, TrueCrypt is good for protecting data at rest — i.e., files stored on an unmounted hard drive or a USB flash drive. TrueCrypt is not very good for protecting data against attacks in which the attackers have privileged access to a running system, but this risk has been known and documented by the original developers.

In the case of the driver vulnerabilities discovered by Project Zero, an attacker would need to gain remote or direct access to the targeted system in order to exploit the weaknesses, researchers noted.

The OCAP report highlights that TrueCrypt is plagued by several buffer overflow vulnerabilities. However, tests conducted by Fraunhofer SIT researchers have demonstrated that these flaws cannot be exploited.

“In conclusion, I would say that the TrueCrypt code base is probably alright for the most parts. The flaws we found were minor, and similar flaws can occur also in any other implementation of cryptographic functions. In that sense TrueCrypt seems not better or worse than its alternatives,” explained Eric Bodden, one of the researchers involved in the TrueCrypt audit. “Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation. But generally the software does what it was designed for.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
