TrueCrypt Gets Thumbs Up from German Auditors

TrueCrypt Gets Thumbs Up from German Auditors

A German government audit of once-famed encryption service TrueCrypt has given it a tentative thumbs up after a no-doubt exhaustive six-month process.

The audit was undertaken for the German Federal Office for Information Security (BSI) by members of the Fraunhofer Institute for Secure Information Technology and others, after TrueCrypt was abandoned by its developers in 2014.

The open source disc encryption platform had been favored by many, but doubts were cast over it after those same anonymous developers claimed in a parting shot that it “may contain unfixed security issues.”

That prompted a review led by noted cryptographic expert Matthew Green, which claimed back in April that TrueCrypt contained “no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”

Now the German auditors are claiming that the service is actually “safer than previous examinations suggest.”

Heading up the research, Technische Universität Darmstadt professor Eric Bodden revealed in a blog post that his team found some weaknesses in the way TrueCrypt retrieves the random numbers used for encryption.

He explained:

“With a lack of randomness, an attacker can theoretically guess your encryption key more easily. This problem only occurs in non-interactive mode, though, or when using certain access-control policies on Windows. In result, it is unlikely that this problem has actually affected users in the wild. The problem is that if volumes were created with a weak key, then afterwards there is no way to tell. To be on the safe side it would therefore be advisable to re-encrypt volumes with a version of TrueCrypt in which this flaw has been fixed.”

All in all, however, the platform is described by Bodden as “probably all right for the most parts”—with the flaws uncovered minor and probably present in other encryption services.

“Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation,” he added. “But generally the software does what it was designed for.”

The results of the audit will be good news for firms looking for alternatives to products currently on the market.

In fact, in June 2014, a group of developers decided to make existing versions of the product available again, with servers located in Switzerland to keep them theoretically out of the reach of the NSA and its partners.

Photo © Oscity

Source: Information Security Magazine