Sloppy but secure: Open source TrueCrypt passes audit

An independent audit of the open source disk encryption utility finds no backdoors, but dredges up other troubling issues

How secure is TrueCrypt, the open source disk encryption system used by many as a line of defense against snoops (and maybe spooks)?

For a long time, the answer was "we don't know." Now, thanks to an independently conducted audit of TrueCrypt's source code, we have a partial answer, courtesy of iSEC Research Labs: It's not bad, but it could be a lot better.

The project to audit TrueCrypt was originally initiated by cryptography researchers Kenneth White and Matthew Green, who launched a crowdsourced fundraising campaign to put professional eyes on the project. Their Indiegogo fundraiser racked up more than $46,000 -- with an original goal of $25,000 -- and another fundraiser on Fundfill added another $16,479 to the kitty.

The report from the first phase of the audit was released on April 14, courtesy of security engineers Andreas Junestam and Nicolas Guigo, working under the banner of iSEC Partners. The two of them examined TrueCrypt's source code in detail and found a total of 11 vulnerabilities. None of them by themselves were bad enough to consider avoiding TrueCrypt altogether, but they're all worth patching. A second report will follow with a detailed analysis of the encryption itself.

Most criticisms the authors levied at TrueCrypt involved the quality of the source code, such as how comments were added or what system functions were used (or not used). One major issue was how compiling TrueCrypt from source required the use of an older Windows build environment that's noticeably out of date.

This last issue was raised before by others who attempted to build TrueCrypt from source, to see if the resulting binaries matched the ones distributed on TrueCrypt's site. They were only able to do this after a good deal of work, and by using a shockingly old version of Microsoft Visual C++ released in 1993. Why TrueCrypt was created in such a manner could inspire endless debate, especially since its original creators and development team maintain a presence at least as shadowy as that of bitcoin's Satoshi Nakamoto.

However, the report doesn't go into how an end-user could protect himself from any potential exploits detailed in the report, but the authors note that many of the issues in question can be mitigated by following directives in the documentation. Using a long password, for instance, is strongly recommended; ditto using full-system encryption for scenarios where decrypted data might be written to the page file.

The timing on the release of this report couldn't have been better. After the ghastly news of Heartbleed broke, people are now wary of the status of any independently developed open source security product. The fact that source code for something is available doesn't mean it's being audited to determine how secure it is -- and even if something is audited, that doesn't mean the people doing the auditing know what to look for. Having a paid audit team look into any project of this scope is a major positive step.

This story, "Sloppy but secure: Open source TrueCrypt passes audit," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies