iTnews

TrueCrypt gets cautious thumbs up in technical analysis

By Juha Saarinen on Nov 23, 2015 6:19AM
TrueCrypt gets cautious thumbs up in technical analysis

Personal storage encryption tool 'mostly safe'.

An German government-commissioned security analysis of the popular free disk encryption program TrueCrypt has found that it is safe from exploitation in most circumstances, contradicting earlier suggestions it should no longer be used.

The open source tool, developed anonymously, has been scrutinised by researchers since May last year when a remark in its code warned against the use of TrueCrypt.

TrueCrypt is used by millions of people, and Amazon Web Services, to encrypt sensitive data.

In a detailed technical analysis [pdf] of the source code of the last released version (7.1a) the researchers noted that while the application of cryptography in the tool is not optimal, they found no evidence "that the guaranteed encryption characteristics are not fulfilled in the implementation of TrueCrypt".

As TrueCrypt is a software-only solution, it can only provide protection when an encrypted disk is lost, stolen or in a deactivated, or unmounted, state. 

"TrueCrypt does not provide any protection against active attack scenarios such as the installation of a key logger or malware. To protect against these would require hardware-based security measures such as those provided by a TPM or smartcard," the researchers wrote.

However a number of new weaknesses in TrueCrypt were discovered by the researchers too.

The Linux random number generator implementation in TrueCrypt needs improvement, the researchers noted.

Weak random number generation makes it easier for attackers to guess the keys used to decrypt scrambled data.

Together with the Open Crypto Audit Project, the researchers found that the implementation of the Windows random number generator in TrueCrypt is potentially dangerous.

Other problems found in TrueCrypt were a non-timing-resistant implementation of the Advanced Encryption Standard (AES), key files not being used in a cryptographically secure way, and data volume headers not being properly protected.

Overall however, the flaws in TrueCrypt are relatively minor and hard for attackers to exploit, the researchers believe.

TrueCrypt's lack of documentation for the code and overall system architecture makes maintenance and updates of the tool by third parties difficult, the researchers said. 

From the user perspective, TrueCrypt comes with a detailed handbook which unfortunately is poorly structured making information hard to find. Much of the information requires in-depth technical knowledge.

The TrueCrypt analysis was done by the Fraunhofer Institutue for Secure Information Technology in Darmstadt, on behelf of Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) or Federal Office for Information Security.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bsiencryptiongermanyopen sourcesecuritysnowdentruecrypt

Partner Content

Alienated from your own data? You’re not alone
Promoted Content Alienated from your own data? You’re not alone
Top 5 Benefits of Managed IT Services
Promoted Content Top 5 Benefits of Managed IT Services
Security "mindset shift" needed to protect organisations
Promoted Content Security "mindset shift" needed to protect organisations
Don't miss Australia’s premiere IoT Conference on 9th June
Promoted Content Don't miss Australia’s premiere IoT Conference on 9th June

Sponsored Whitepapers

Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection
Don’t pay the ransom: A three-step guide to ransomware protection

Events

  • iTnews Benchmark Awards 2022 - Finalist Showcase
  • 11th Annual Fraud Prevention Summit 2022
  • IoT Impact Conference
  • Cyber Security for Government Summit
By Juha Saarinen
Nov 23 2015
6:19AM
0 Comments

Related Articles

  • Remove and replace Kaspersky AV, says German cyber intelligence
  • Chinese researchers attribute 'top-tier' backdoor to NSA Equation Group
  • NSW Police issues first coercive notice under encryption-busting powers
  • Home Affairs says end-to-end encryption is detrimental to public safety
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

NSW digital driver's licences 'easily forgeable'

NSW digital driver's licences 'easily forgeable'

NBN Co's 250Mbps and gigabit growth is finally clear

NBN Co's 250Mbps and gigabit growth is finally clear

Kmart Australia re-platforms ecommerce site to AWS

Kmart Australia re-platforms ecommerce site to AWS

NBN Co sizes up six-figure customer exodus a year to fixed wireless

NBN Co sizes up six-figure customer exodus a year to fixed wireless

Digital Nation

Why do DeFi and DAOs matter to business?
Why do DeFi and DAOs matter to business?
CTO Juergen Mueller offers a glimpse into SAP's metaverse play
CTO Juergen Mueller offers a glimpse into SAP's metaverse play
COVER STORY: A Year in the Metaverse
COVER STORY: A Year in the Metaverse
Lendlease launches its own metaverse in Milan
Lendlease launches its own metaverse in Milan
COVER STORY: Data and IoT set digital agriculture on a sustainable future
COVER STORY: Data and IoT set digital agriculture on a sustainable future
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.