No Major Security Flaw in TrueCrypt: Research Group

For years, TrueCrypt was user’s first choice whenever they need a cross-platform disk encryption program that is not dependable on Apple or Microsoft. However, last year the popularity of this open source disk encryption program took a twist when it got abandoned by its original developers citing the reason that it is no more a secured tool. Although it is a discontinued tool now, but this article analyzes the security perspective of this file encryption program.

Last year, very surprisingly, the creators of this open source disk encryption program shut down the product. They even posted a warning note on their official website that the tool is no more secured for use. They revealed that they were no more maintaining the tool, and hence it won’t receive any security updates. They even asked the users of TrueCrypt to switch to alternative options like BitLocker.

Why the Tool Got Disclosed?

The developers of the tool didn’t mention any specific reason to support the closing of the program. There were many rumors surrounding the cause of the sudden shutter down for the program. One of the rumors was that there was some very serious security flaw in the tool. The flaw was grave and could be exploited ruthlessly to risk the encrypted volumes. But the tool was influential and important enough to receive auditing. When the tool got officially abandoned, and users were asked to get their TrueCrypt’s encrypted data moved to other file encryption program, a publicized security audit of the software began. NCC group did this audit, and the results were published under ‘Open Crypto Audit Project’ TrueCrypt.’ Since, its codes were open source, so auditing it was not difficult.

The Results of the Security Audit

1.    No Major Security Flaw

The audit results perplexed the auditing team as they didn’t find anything to explain why TrueCrypt’s authors bolted the software all of sudden. The auditing team didn’t announce the program as a perfect or completely secured program, but they also couldn’t highlight any evidence of a critical flaw that would have compromised the security of the encrypted volumes. As mentioned above, the results of the audit got published, and it is easily available for download on the Internet. The auditing team didn’t test every single feature of the program. Its core focus was on encryption/decryption capabilities. The parameters for the audit are as follows:

•    EncryptDataUnits & DecryptDataUnits and resulting function calls

•    Key Derivation (derive_key_* from EncryptionThreadProc)

•    EncryptBuffer and DecryptBuffer

•    The cascade constructions and AES in XTS Mode

•    ReadVolumeHeader

 

2.    Detected Flaws

It is also true that the auditing team did detect certain flaws. Four detected flaws were taken as serious, and arguably the most serious of them was about a silent failure of the CryptAcquireContext function. CryptAcquireContext is a process that generates random numbers. But if the hard drive encryption tool is installed on a system that has certain Group Policy Restrictions, then CryptAcquireContext may get failed. Not just that, but it may also fall back and insecure the sources of random number generation.

The second most risk flaw was that the TrueCrypt’s AES reliability in regards to look-up tables was at risk of so-called cache timing attacks. It means an attacker may succeed in extracting AES keys that got used to protect encrypted volumes.

The other two security flaws are less risky issues, and can get corrected easily. Thus, these are not worth as fundamental threats to the core operation of the program.

Conclusion

The audit team came to the conclusion, based on the audit results, that this hard drive encryption software is a “relatively well-designed piece of crypto software.” The NCC audit didn’t find any severe design flaw or evidence of deliberate backdoors that can make the software insecure. NCC audit was the second audit for this program. Even the TrueCrypt’s forks such as Ciphershed and VeraCrypt haven’t been audited yet. Probably the original developer’s of TrueCrypt could foresee some yet-undiscovered backdoor.

However, since the software is not receiving any security updates, it may develop security flaws although currently it doesn’t have any severe security flaw. It is not wise to use software that it not under maintenance. Thus, users can start using the TrueCypt’s forks like VeraCrypt and Ciphershed or the OS inbuilt file encryption programs such as BitLocker, FileVault, etc.

Similar Articles

binary

"Tenant to tenant migration" has become a pivotal aspect of organizational evolution. As companies expand, merge, or restructure, seamlessly transferring data between different instances or tenants becomes crucial for maintaining operational continuity.

Power BI Vs. Tableau: Which Tool is Right for Your Business?

In today's data-driven world, organizations constantly seek ways to visualize and analyze their data to make informed decisions. Two popular tools in the business intelligence (BI) space are Microsoft's Power BI and Tableau. Both of these tools offer powerful features for data visualization, data modeling, and data analysis

Advanced Data Privacy Solutions

Healthcare organizations collect and store an immense amount of data. The data is essential for doctors to make informed decisions about patient care. However, the sensitive nature of this data requires healthcare organizations to protect it from unauthorized access and data breaches.

Python Django Development

Every firm nowadays is establishing its presence in the digital sector to grow internationally. As many might know in the technological environment, web development is essential for success. 

CIOs face a slew of challenges as a result of big data-Challenges

One of the things that distinguish having the CIO position now from having the job in the past, apart from the increasing recognition of the significance of information technology, is the introduction of so-called "big data." We're talking about terabytes or even petabytes of data, as well as all of the problems that come with managing such a large amount of data.

computer virus removal

A computer virus is a program that is loaded in a system without the knowledge of the user. This virus is not formed naturally but it is induced by people. After entering your system, it gets attached to another program and as the host starts working, the virus starts functioning. 

computer

Looking to buy the gaming chair? You’re standing at the right place. The gaming chair offers an immersive media X-perience as they generally put you closer to the TV and therefore closer to the action.

connected

We all know that World Wide Web applications for various services have gained customers' assurance over the years. Terrabytes of data are packed and shared across websites as people imagine the transactions are securely checked.

person+coding

If you love computers, mobiles, smart watches, various gadgets and above all, the internet, let me inform you that they all run on programming languages. A programming language is nothing but the vocabulary and a set of grammatical rules created to instruct a device or computer to perform a specific task.