An audit of the encryption technology TrueCrypt has found no deliberate backdoors in the software, despite fears the tool had been corrupted by spies.
Investigators from the NCC Group found that TrueCrypt, which was used by NSA whistleblower Edward Snowden, was mostly secure but could be vulnerable in a narrow set of circumstances.
Matthew Green, a research professor at John Hopkins University, and longtime supporter of TrueCrypt, wrote on his blog: "TrueCrypt appears to be a relatively well-designed piece of crypto software.
"The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."
Among the problems uncovered by the NCC the most significant was a bug in the key generation algorithm, which would occasionally lead to weaker keys being generated on the basis of fewer unpredictable variables, which include mouse movements.
Troublingly the error was said to happen silently, leading the NCC to recommend an overhaul of error handling by gathering more diagnostic information.
"Because TrueCrypt aims to be security-critical software, it is not appropriate to fail silently or attempt to continue execution in unusual program states," the report said.
The other significant bug unearthed by the investigators was a problem with the Advanced Encryption Standard (AES) implementations, which the NCC believes could make the system vulnerable to cache-timing attacks.
Such cyberattacks work when a hacker is able to analyse the time taken to encrypt data, allowing them to work backwards to deduce information about the algorithm and key being used.
TrueCrypt was thought to have been shelved last May after a message posted on the website claimed the project had been shut down.
Since the tool had been developed by anonymous coders some speculated they had been blackmailed into abandoning the software for fear of being identified, with some arguing the developers could also be facing legal troubles.
