No backdoor found: the open-source encryption software TrueCrypt security audit is complete
TrueCrypt is a popular open-source file encryption software, which includes a large number of "sensitive people" (such as businessmen, politicians, reporters), so its security has been widely concerned.
On September 18, May 2014, TrueCrypt, an open-source encryption software, suddenly warned Windows users to switch to Microsoft's BitLocker encrypted disk and warned them that TrueCrypt is not safe.
Don't worry, no backdoors.
Faced with a lot of concerns about whether or not TrueCrypt contains backdoors, NCC Security Auditors and cryptography experts conducted a comprehensive security audit on TrueCrypt. Fortunately, the results made people quite comfortable:
"TrueCrypt is a relatively well-designed encryption software. The NCC audit does not find evidence of a backdoor in the software, or any serious design vulnerabilities that may lead to software insecurity. "
A year ago, ISEC completed the first-stage code audit of TrueCrypt. Although no major security issues were found, 11 moderate and low-risk software vulnerabilities were found.
The NCC auditor recently published a 21-page public report showing the results of checks on TrueCrypt's Random Number Generation Program, key algorithms, and other encryption methods.
Vulnerability description
The report discloses four vulnerabilities in TrueCrypt, but these vulnerabilities do not affect encryption.
1. The combination of key files is not thorough enough from the cryptography perspective-low risk
2. The encrypted volume header has unauthorized ciphertext-to be determined
3. CryptAcquireContext may fail in some scenarios-High Risk
4. AES encryption may be affected by Cache Time Series attacks-High Risk