iSEC has released the first-stage security audit report for the encryption software TrueCrypt. The preliminary analysis found no evidence of backdoors or other intentionally added malicious code in TrueCrypt.
TrueCrypt is popular encryption software, but it had never been audited. After the exposure of the NSA's large-scale monitoring activities, security researchers initiated a complete security audit of TrueCrypt, for which iSEC is responsible. The researchers found minor vulnerabilities in the code (for example, TrueCrypt uses 1000 or 2000 iterations, which is insufficient to protect passwords against brute-force cracking attacks), but none of them is serious enough to be called a backdoor.
The first-stage security evaluation focuses on TrueCrypt's boot programs and Windows kernel drivers. The second-stage security audit will investigate whether TrueCrypt's cipher suite, random number generator, and key algorithm are correctly implemented.