
TrueCrypt cryptographic audit turns up little to fear

Glenn Fleishman | April 6, 2015
An independently created volume-encryption software project that shut down abruptly apparently has no lurking secrets, according to a new security audit.

Most desktop cryptography relies on software created and maintained by corporations, often (not always) based on open standards. Using it requires trusting that the firm can resist government efforts to weaken the software, and believing that the firm can validate and audit its own code well enough to find and then repair serious flaws.

Open-source projects, whether in the world of free software or other license structures, supposedly had the advantage that anyone could examine the code for flaws or injections.

That's turned out not to be the case, but things are getting better.

Truly cryptic

TrueCrypt is open-source virtual and full-disk encryption software that remains the only viable multiplatform option one could recommend that wasn't tied to a company. The independent project was developed by anonymous programmers for a decade; they still aren't identified. It works in Windows XP and later, many flavors of Linux, and Mac OS X.

In 2013, the nonprofit Open Crypto Audit Project (OCAP) was founded and raised over $70,000 to perform a thorough independent audit of TrueCrypt's codebase. The first phase, related to the "bootloader" software that worked only in Windows for full-disk encryption (FDE), finished in April 2014, and found no back doors or "super critical" bugs. (TrueCrypt can't manage an OS X boot volume. Read more about FDE and OS X's FileVault 2 in a previous Private I column.)

Then, abruptly, the project shut down in May 2014 with the release of a new version (7.2) that could only decrypt virtual disks and real partitions and drives. The developers put a note at the top of a stripped-down webpage, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues." They also implied that the end of official Microsoft support for XP was part of the reason. Later versions of Windows can use Microsoft-supplied and third-party full-disk encryption.

Mac users can also create encrypted virtual disk images with Disk Utility and encrypt external volumes with a simple Control-click on a volume in the Finder. But these have two associated issues: first, they're not portable to other platforms; second, we rely on Apple's codebase, which isn't externally and independently audited. TrueCrypt brings portability, and because the code is available for inspection, the opportunity to confirm it's not hiding secrets.

The shutdown raised many questions, none of which have been answered. Did the team get tired of the work after a decade? Did they discover a flaw so severe they felt they couldn't fix it? Did a government (one or more) discover their identities and pressure them to install weaker encryption or a backdoor? It's simply unknown, and none of my security sources have any strong inclination as to the reason.

