iTnews

TrueCrypt gets cautious thumbs up in technical analysis

By Juha Saarinen on Nov 23, 2015 6:19AM
TrueCrypt gets cautious thumbs up in technical analysis

Personal storage encryption tool 'mostly safe'.

An German government-commissioned security analysis of the popular free disk encryption program TrueCrypt has found that it is safe from exploitation in most circumstances, contradicting earlier suggestions it should no longer be used.

The open source tool, developed anonymously, has been scrutinised by researchers since May last year when a remark in its code warned against the use of TrueCrypt.

TrueCrypt is used by millions of people, and Amazon Web Services, to encrypt sensitive data.

In a detailed technical analysis [pdf] of the source code of the last released version (7.1a) the researchers noted that while the application of cryptography in the tool is not optimal, they found no evidence "that the guaranteed encryption characteristics are not fulfilled in the implementation of TrueCrypt".

As TrueCrypt is a software-only solution, it can only provide protection when an encrypted disk is lost, stolen or in a deactivated, or unmounted, state. 

"TrueCrypt does not provide any protection against active attack scenarios such as the installation of a key logger or malware. To protect against these would require hardware-based security measures such as those provided by a TPM or smartcard," the researchers wrote.

However a number of new weaknesses in TrueCrypt were discovered by the researchers too.

The Linux random number generator implementation in TrueCrypt needs improvement, the researchers noted.

Weak random number generation makes it easier for attackers to guess the keys used to decrypt scrambled data.

Together with the Open Crypto Audit Project, the researchers found that the implementation of the Windows random number generator in TrueCrypt is potentially dangerous.

Other problems found in TrueCrypt were a non-timing-resistant implementation of the Advanced Encryption Standard (AES), key files not being used in a cryptographically secure way, and data volume headers not being properly protected.

Overall however, the flaws in TrueCrypt are relatively minor and hard for attackers to exploit, the researchers believe.

TrueCrypt's lack of documentation for the code and overall system architecture makes maintenance and updates of the tool by third parties difficult, the researchers said. 

From the user perspective, TrueCrypt comes with a detailed handbook which unfortunately is poorly structured making information hard to find. Much of the information requires in-depth technical knowledge.

The TrueCrypt analysis was done by the Fraunhofer Institutue for Secure Information Technology in Darmstadt, on behelf of Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) or Federal Office for Information Security.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bsi encryption germany open source security snowden truecrypt

Partner Content

Tomorrow’s workplace is closer to home than you think
Partner Content Tomorrow’s workplace is closer to home than you think
Building better cybersecurity for a world without perimeters
Partner Content Building better cybersecurity for a world without perimeters
Why Kubernetes is an essential platform for digital transformation
Partner Content Why Kubernetes is an essential platform for digital transformation
Changing the game with IMMERSION
Partner Content Changing the game with IMMERSION

Sponsored Whitepapers

Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Technology skill development: The strategy for building better teams
Technology skill development: The strategy for building better teams

Events

  • Micro Focus Information Management & Governance (IM&G) Forum 2021
By Juha Saarinen
Nov 23 2015
6:19AM
0 Comments

Related Articles

  • AFP and FBI sting used encrypted app to intercept crims' comms
  • German cyber security chief fears hackers could target hospitals
  • Crims using encrypted platforms 'almost exclusively', ACIC claims
  • Signal developers hack Cellebrite forensics device
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Services Australia shifts most Centrelink payments to SAP S/4 HANA

Services Australia shifts most Centrelink payments to SAP S/4 HANA
Service NSW to hire 200 engineers, designers

Service NSW to hire 200 engineers, designers
Any Android security app is better than Google Play Protect

Any Android security app is better than Google Play Protect
Toll Group starts to scale out intelligent automation

Toll Group starts to scale out intelligent automation
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.