Is TrueCrypt Truly Secure?

Written in C++, with C and some assembler, TrueCrypt is an open source tool for creating encrypted disk volumes. The volumes it creates can be stored on an external disk, as a partition of a disk, or in a file on Windows, Linux or Mac.

TrueCrypt LogoDeveloped in 2004, TrueCrypt is considered one of the best pro-privacy tools around. It’s so good, forensic examiners, in at least one case, couldn’t prove that a TrueCrypt encrypted hard disk contained incriminating evidence. The Fifth Amendment prevented self-incriminating disclosure of the contents.

In addition to encrypting, TrueCrypt allows you to create hidden volumes, so you can keep secrets with enhanced safety. It does so by storing them inside of a visible volume, in a partition otherwise consumed by random data. If you’re forced to allow access to your volume’s contents by revealing your password, you can deny having anything hidden – there’s no way to prove the hidden volumes exist. Enter the normal password and only your main volume is accessible. To access a hidden volume, you need to enter another password.

Likewise, a hidden operating system can be created on an encrypted partition with a decoy system. Again, enter one password for the decoy or another for the hidden one. Note that passwords are rarely immune to rubber-hose extraction methods where violence or threats of violence are used to “brute force” them.

Password protection security can be enhanced by creating a key file. Once created, access to an encrypted volume requires the key file. To maintain plausible deniability,  remove the key file from the computer when not in use, and ensure all traces of it are obliterated. If you send a TrueCrypt file over the Internet or on USB, move the key file separately, to make decryption without both parts impossible.

TrueCrypt has other tricks up its sleeve, too: Its volumes have no identifying signatures, so they appear as random bytes (though that in itself may be a clue, just as Sherlock Holmes’ dog was notable because it didn’t bark). Also, the files can be hidden in all sorts of different ways, including inside a .MP4 video file.

How Secure is TrueCrypt

There have been recent revelations about the NSA’s policy of weakening encryption, including that the NSA weakened the NIST standard for cryptographically secure pseudo-random number generation using elliptic curves — something that was speculated about five years ago but has now been confirmed. With that in mind, how secure are TrueCrypt and other open source security products? According to a 23 page report by the French government on TrueCrypt version 6.0a, it has a few vulnerabilities.

Little is known about the people behind TrueCrypt except that they are particularly well skilled and they continue to improve it. One concern, however, is that a government agency produced the software and gave it away, giving the government a very subtle backdoor to identify TrueCrypt files and read them at will. For that reason, among others, TrueCrypt should be audited.

Security researcher Matthew Green set up a website with the following requests for the TrueCrypt 7.1a release:

1. The License is potentially non free and open source, it needs clarifying.

2. The software should be audited for bugs.

3. The build system should be more secure so binaries are trusted.

4. Bounties should be raised for bug finding.

The third request is a source of contention. Building drivers for Windows 7 or higher requires that the drivers are signed by Microsoft or that the driver signing requirement is disabled at boot time.

If you think you are good at locating backdoors in C++, C or assembler, or building software on Windows, or you have an interest in Cryptanalysis, take a look at TrueCrypt.