TrueCrypt, the whole-disk encryption tool used by millions of privacy and security enthusiasts is safer than originally reported, according to a new comprehensive analysis conducted by the Fraunhofer Institute for Secure Information Technology.
The extremely detailed 77-page analysis (PDF) comes five weeks after Google’s Project Zero security team disclosed two unknown TrueCrypt vulnerabilities, which led thousands into a panic thinking the tool was completely insecure. One of the serious vulnerabilities reported allowed an application running as a normal user or within a low-integrity security sandbox to elevate privileges to SYSTEM and at times even the kernel. Fraunhofer researchers in addition to their research, discovered several additional previously unknown TrueCrypt security flaws.
The audit, which was contracted out by the Germany Federal Office for Security in Information Technology, largely mirrors the conclusions reached in April, where a separate group of auditors provided the same conclusions on TrueCrypt. Both uncovered a number of security flaws, the most serious being the use of Windows programming interface to generate random numbers used by cryptographic keys. Fraunhofer researchers also found weaknesses in the way TrueCrypt retrieves random numbers.
Unfortunately, fixes for these flaws may never be addressed due to the anonymous developers abruptly shutting down the Truecrypt project development 18 months ago, claiming the tool was “not secure”.
During the previous security audit, researchers uncovered a number of buffer overflow vulnerabilities. Fraunhofer researchers said the overflows cannot occur at runtime and “thus cannot possibly be exploited.”
Despite uncovering additional vulnerabilities, the institute’s analysis concluded that TrueCrypt remains safe when used as a tool for encrypting data at rest opposed to data stored in computer memory on on a mounted drive. Researchers said underlying flaws uncovered by both Google’s Project Zero and Fraunhofer should be addressed, but there is no indication an attacker can exploit these vulnerabilities to access encrypted data stored on a hard drive or thumb drive.
According to a report by Eric Bodden, the Technische Universität Darmstadt professor who led the Fraunhofer audit team said:
“In conclusion, I would say that the TrueCrypt code base is probably alright for the most parts. The flaws we found were minor, and similar flaws can occur also in any other implementation of cryptographic functions. In that sense TrueCrypt seems not better or worse than its alternatives. Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation. But generally the software does what it was designed for.
“Note that the original designers documented all along a threat model stating that TrueCrypt cannot actually properly protect data on a running system. This matches our findings. If such protection is desired, one cannot get around solutions that use smartcards or other hardware-based key storage such that the encryption key can be better kept a secret. Also such systems can be broken, but they raise the bar significantly.”
The institutes conclusions can relieve the millions who depend on TrueCrypt to keep their data safe. This will likely be the case til VeraCrypt or another TrueCrypt alternative can patch the looming vulnerabilities and be confirmed secure.