The ongoing audit of the TrueCrypt whole-disk encryption tool used by millions of privacy and security enthusiasts has reached an important milestone—a detailed review of its cryptographic underpinnings that found no backdoors or fatal flaws.
The 21-page Open Cryptographic review published Thursday uncovered four vulnerabilities, the most serious of which involved the use of a Windows programming interface to generate random numbers used by cryptographic keys. While that's a flaw that cryptographers say should be fixed, there's no immediate indication that the bug undermines the core security promise of TrueCrypt. To exploit it and the other bugs, attackers would most likely have to compromise the computer running the crypto program. None of the vulnerabilities appear to allow the leaking of plaintext or secret key material or allow attackers to use malformed inputs to subvert TrueCrypt. The report was produced by researchers from information security consultancy NCC Group.
"The TL;DR is that based on this audit, TrueCrypt appears to be a relatively well-designed piece of crypto software," Matt Green, a Johns Hopkins University professor specializing in cryptography and an audit organizer, wrote in a blog post accompanying Thursday's report. "The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."