TrueCrypt audit finds tool clear of ‘deliberate backdoors’

Investigators of software used by Snowden largely happy with its integrity.

An audit of the encryption technology TrueCrypt has found no deliberate backdoors in the software, despite fears the tool had been corrupted by spies.

Investigators from the NCC Group found that TrueCrypt, which was used by NSA whistleblower Edward Snowden, was mostly secure but could be vulnerable in a narrow set of circumstances.

Matthew Green, a research professor at Johns Hopkins University and longtime supporter of TrueCrypt, wrote on his blog: "TrueCrypt appears to be a relatively well-designed piece of crypto software.

"The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."

Among the problems uncovered by the NCC, the most significant was a bug in the key generation code: under some conditions it would generate weaker keys, because fewer sources of unpredictable input (which include mouse movements) contributed to them.

Troublingly, the error was said to happen silently, leading the NCC to recommend an overhaul of error handling so that more diagnostic information is gathered.

"Because TrueCrypt aims to be security-critical software, it is not appropriate to fail silently or attempt to continue execution in unusual program states," the report said.
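The silent-failure pattern the report criticises is easiest to see side by side with its fail-closed counterpart. The following C program is an added example, not TrueCrypt's code: it feeds a key pool from several entropy sources (constructed stubs standing in for mouse movement, timer jitter and an OS RNG, one of which is made to fail). `gather_silent` skips a failed source and carries on, so the caller gets a key built from less input than intended and is never told; `gather_fail_closed` aborts, wipes the partial pool and reports which source failed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not TrueCrypt code): an entropy collector that feeds a key
 * pool from several sources. The sources below are constructed stand-ins for
 * mouse movement, timer jitter and an OS RNG; each returns 0 on success and
 * -1 on failure. */

#define POOL_BYTES 32

typedef int (*entropy_source_fn)(uint8_t *out, size_t len);

static int src_mouse_stub(uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = (uint8_t)(0xA5 ^ i);      /* constructed bytes */
    return 0;
}
static int src_os_rng_stub(uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = (uint8_t)(0x3C + 7 * i);  /* constructed bytes */
    return 0;
}
static int src_timer_stub(uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = (uint8_t)(0x5A * (i + 1)); /* constructed bytes */
    return 0;
}
static int src_timer_failing_stub(uint8_t *out, size_t len) {
    (void)out; (void)len;
    return -1;  /* simulates a source that cannot be read */
}

static void mix_into_pool(uint8_t *pool, const uint8_t *in, size_t len) {
    for (size_t i = 0; i < len; i++) pool[i % POOL_BYTES] ^= in[i];
}

static int pool_is_zero(const uint8_t *pool) {
    uint8_t acc = 0;
    for (size_t i = 0; i < POOL_BYTES; i++) acc |= pool[i];
    return acc == 0;
}

/* Silent-failure pattern: a source that errors is simply skipped and the key
 * is derived from whatever did succeed. The caller never learns that the pool
 * is weaker than intended. Returns the number of sources actually mixed in. */
int gather_silent(uint8_t *pool, const entropy_source_fn *srcs, size_t n) {
    int used = 0;
    memset(pool, 0, POOL_BYTES);
    for (size_t i = 0; i < n; i++) {
        uint8_t buf[POOL_BYTES];
        if (srcs[i](buf, sizeof buf) != 0) continue;  /* error dropped on the floor */
        mix_into_pool(pool, buf, sizeof buf);
        used++;
    }
    return used;
}

/* Fail-closed pattern: any source error aborts key generation, wipes the
 * partial pool and reports which source failed. Returns 0 on success, -1 on
 * failure, with a diagnostic message written to diag. */
int gather_fail_closed(uint8_t *pool, const entropy_source_fn *srcs, size_t n,
                       char *diag, size_t diag_len) {
    memset(pool, 0, POOL_BYTES);
    for (size_t i = 0; i < n; i++) {
        uint8_t buf[POOL_BYTES];
        if (srcs[i](buf, sizeof buf) != 0) {
            snprintf(diag, diag_len, "entropy source %zu failed; key generation aborted", i);
            memset(pool, 0, POOL_BYTES);  /* never hand back a half-filled pool */
            return -1;
        }
        mix_into_pool(pool, buf, sizeof buf);
    }
    if (diag_len) diag[0] = '\0';
    return 0;
}

/* Constructed scenarios: three configured sources, with and without a failure. */
static const entropy_source_fn degraded_sources[3] = {
    src_mouse_stub, src_timer_failing_stub, src_os_rng_stub
};
static const entropy_source_fn healthy_sources[3] = {
    src_mouse_stub, src_timer_stub, src_os_rng_stub
};

int demo_silent_with_failed_source(void) {
    uint8_t pool[POOL_BYTES];
    return gather_silent(pool, degraded_sources, 3);  /* returns 2, and nobody is told */
}

int demo_fail_closed_with_failed_source(void) {
    uint8_t pool[POOL_BYTES];
    char diag[96];
    int rc = gather_fail_closed(pool, degraded_sources, 3, diag, sizeof diag);
    return rc == -1 && pool_is_zero(pool) && strstr(diag, "source 1 failed") != NULL;
}

int demo_fail_closed_all_ok(void) {
    uint8_t pool[POOL_BYTES];
    char diag[96];
    int rc = gather_fail_closed(pool, healthy_sources, 3, diag, sizeof diag);
    return rc == 0 && !pool_is_zero(pool);
}

int main(void) {
    printf("silent collector used %d of 3 sources\n", demo_silent_with_failed_source());
    printf("fail-closed collector aborted on a bad source: %s\n",
           demo_fail_closed_with_failed_source() ? "yes" : "no");
    printf("fail-closed collector succeeded with healthy sources: %s\n",
           demo_fail_closed_all_ok() ? "yes" : "no");
    return 0;
}
```

The difference that matters is not the mixing (XOR into a pool is only a placeholder here) but the contract: the fail-closed collector either returns a pool built from every configured source or returns nothing at all, and it says why. That is the behaviour the report asks for in security-critical code.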

The other significant bug unearthed by the investigators was a problem with the Advanced Encryption Standard (AES) implementations, which the NCC believes could make the system vulnerable to cache-timing attacks.

Such attacks work when an attacker is able to measure the time taken to encrypt data (here, variations caused by processor cache behaviour) and work backwards from those timings to deduce information about the algorithm and key being used.
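A table-based AES implementation leaks through the cache because the memory address it reads depends on secret data. The program below is an added illustration, not TrueCrypt's AES code: the 256-entry table is a constructed permutation standing in for an S-box, and every read is routed through a `load` helper that records which entries were touched (playing the role of the cache state an observer would see). `lookup_leaky` reads one secret-dependent entry; `lookup_constant_time` reads all 256 entries in a fixed order and selects the wanted one with a branch-free mask, so its access pattern no longer depends on the secret.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not TrueCrypt's AES code). TABLE is a constructed 256-entry
 * permutation standing in for an AES S-box; what matters is how it is read,
 * not its contents. */
static uint8_t TABLE[256];

static void init_table(void) {
    /* odd multiplier, so i -> i*167+13 is a bijection mod 256 */
    for (unsigned i = 0; i < 256; i++) TABLE[i] = (uint8_t)(i * 167u + 13u);
}

/* Every table read goes through here so we can record which entries were
 * touched. In a real cache-timing attack that record is the CPU cache state. */
static unsigned char touched[256];
static uint8_t load(unsigned idx) {
    touched[idx] = 1;
    return TABLE[idx];
}

/* Leaky: the address read depends directly on the secret byte, so anyone who
 * can tell which cache lines were loaded learns about the secret. */
uint8_t lookup_leaky(uint8_t secret) {
    return load(secret);
}

/* Constant-time: read all 256 entries in a fixed order and keep the wanted one
 * with a mask; no branch and no secret-dependent address. */
uint8_t lookup_constant_time(uint8_t secret) {
    uint8_t result = 0;
    for (unsigned i = 0; i < 256; i++) {
        uint32_t diff = (uint32_t)(i ^ secret);               /* 0 only when i == secret */
        uint8_t mask = (uint8_t)(0u - ((diff - 1u) >> 31));  /* 0xFF iff diff == 0 */
        result |= (uint8_t)(load(i) & mask);
    }
    return result;
}

/* Count how many distinct table entries one lookup touches for a given secret. */
unsigned entries_touched(uint8_t (*lookup)(uint8_t), uint8_t secret) {
    unsigned n = 0;
    memset(touched, 0, sizeof touched);
    lookup(secret);
    for (unsigned i = 0; i < 256; i++) n += touched[i];
    return n;
}

/* The constant-time version must return the same byte as the direct read. */
int constant_time_matches_leaky(void) {
    init_table();
    for (unsigned s = 0; s < 256; s++)
        if (lookup_constant_time((uint8_t)s) != lookup_leaky((uint8_t)s)) return 0;
    return 1;
}

unsigned leaky_footprint(void) { init_table(); return entries_touched(lookup_leaky, 0x42); }
unsigned ct_footprint(void)    { init_table(); return entries_touched(lookup_constant_time, 0x42); }

int main(void) {
    printf("results agree for all 256 inputs: %s\n", constant_time_matches_leaky() ? "yes" : "no");
    printf("leaky lookup touches %u entr(y/ies)\n", leaky_footprint());       /* 1 */
    printf("constant-time lookup touches %u entries\n", ct_footprint());       /* 256 */
    return 0;
}
```

The full-table scan is the simplest constant-time form and costs 256 reads per byte; production code reaches the same property more cheaply with hardware AES instructions or a bitsliced implementation. Two caveats apply to either approach: an optimising compiler may turn the mask arithmetic back into a branch, so the emitted assembly should be inspected, and hiding the table access removes only this particular channel, not timing variation elsewhere in the cipher.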

TrueCrypt was thought to have been shelved last May after a message posted on the website claimed the project had been shut down.

Since the tool had been developed by anonymous coders, some speculated that they had been blackmailed into abandoning the software for fear of being identified; others argued the developers could also be facing legal troubles.
