Encryption program complimented by Snowden passes security audit
A long-awaited security audit of computer software assumed to be impervious to state-sponsored surveillance now suggests that the program, TrueCrypt, is free of any government-sanctioned vulnerabilities or backdoors.
The results of the audit, undertaken in recent months and finally released to the public on Thursday this week, reveal that researchers failed to find any critical flaws in the program. This eases fears among some that the software, which allows users to create encrypted partitions in order to securely store and swap digital data, had been compromised by the United States government or an allied partner with similar code-cracking abilities.
“Truecrypt appears to be a relatively well-designed piece of crypto software,” security expert Matthew Green wrote on his blog on Thursday this week, adding that auditors “found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”
Runa Sandvik, a member of the Open Crypto Audit Project’s technical advisory board, wrote last year that a then-unknown Edward Snowden attended a security event in 2012 where he touted TrueCrypt as being secure.
“After wrapping up my presentation, Snowden connected his laptop to the projector and began talking about using the TrueCrypt software for encrypting hard drives and USB sticks on Macs, Linux and Windows,” Sandvik recalled last year for Forbes. “He pointed out that while the only known name associated with TrueCrypt is someone in the Czech Republic, TrueCrypt is one of the best open-source solutions available.”
Phase two of the TrueCrypt audit is complete, no deliberate backdoors found: https://t.co/oAYtKUIN7R and http://t.co/FvRSQq2fHk
— Runa A. Sandvik (@runasand) April 2, 2015
According to classified United States government documents provided to the media by Snowden, a former contractor for the US National Security Agency, the NSA has for years sought to weaken or otherwise sabotage computer programs that could be used to evade government surveillance. When the TrueCrypt website unexpectedly announced in May 2014 that the program would no longer be updated after more than a decade, users were quick to speculate that its maintainers had suspended their efforts in the face of attempts from the NSA, and that the program could potentially have been compromised.
Indeed, as ZDNet recalled first this week, TrueCrypt’s developers said in calling it quits last year that users searching for an alternative should consider Microsoft’s BitLocker—a program that was later proven through Snowden documents to have been exploited by American intelligence. According to this week’s report, however, researchers have failed to find any major flaws within TrueCrypt.
A 21-page review of programs sourcecode undertaken by NCC Crypto Services reveals that auditors found four vulnerabilities in all within the program. But according to experts, including Green, those issues are minor enough not to have compromised the program in any major way.
“The auditors did find a few glitches and some incautious programming -- leading to a couple of issues that could, in the right circumstances, cause TrueCrypt to give less assurance than we'd like it to,” Green continued, later clarifying, “This is not the end of the world, since the likelihood of such a failure is extremely low.”
The latest audit gives credence to an article published by Germany’s Der Spiegel last December, in which it was reported that documents included within the Snowden trove suggested that US intelligence had “major” problems exploiting TrueCrypt and had failed to accomplish as much.
Although TrueCrypt has not officially been updated since its maintainers announced an end to their work on the project last May, Green wrote that, “with luck, the code will be carried on by others.”
