TrueCrypt Audit Results

keep-calm-and-keep-using-truecrypt-7-1After many many months of testing the results are finally in for the crowd funded Truecrypt audit as performed by The NCC Group and the results are very encouraging – basically TrueCrypt is still very safe to use.

The full report of the TrueCrypt audit is very technical in nature, but it identified four main areas where there could be a potential problem with TrueCrypt if certain sets of circumstances are met.

To summarise these four areas ( in order of severity) in laymans terms they are:

  1. In Windows XP, the is a call to part of the operating system that is not called quite as robustly as it could be, so in a certain set of (extremely rare) circumstances the encryption process may not be quite as random as it could be. However the amount of randomness (entropy) in the encryption process is till exceedingly high, and is unlikely to anyone a real issue.
  2. In order to speed up whole disk encryption / decryption the writers of TrueCrypt have implemented some pre-computed lookup tables, these are generally large, and usually too big to fit in the CPU cache, so it can be stored elsewhere, while it is there, it is theoretically possible for malware to use this to read the contents of encrypted drives. The auditors have classed this being severe in nature, but also incredibly difficult to exploit, hence the risk from this bug is deemed to be negligible.
  3. Keyfiles – Truecrypt allows the user to use both a password and any specified file as a key for the encryption process. However the auditors have discovered that the keyfile is not integrated in a strictly cryptographically sound manner, so they recommend not using them at all. The risk from this also deemed to be exceedingly low.
  4. For users of whole drive encryption there is a very minor flaw in the implementation of the Cyclic Redundancy check in the header file, which contains things like the decryption key, and some information and housekeeping stuff to with the drive volume, because the decryption key is itself encrypted in this header file there is no realistic chance of some one being able to exploit this but it does remain a theoretically exploitable bug.

This is just a short summary of the full report that is available from the auditors here, which we have thrown together to try to re-assure users that TrueCrypt, whilst now non being actively supported or developed by its creators is still safe to use for keeping your private data away from prying eyes.

There are various groups working on ‘forked’ versions of the original Truecrypt source code, and they will almost certainly take the findings of this audit and fix the points above to make TrueCrypt as cryptographically secure as it possibly can be.

Thanks also to Steve Gibson over at GRC for providing a detailed explanation and summary of the Truecrypt Audit in his Security Now! post cast (Episode 502) hosted on the TWiT network.


This post is a chimpytech production – please visit our website at for great technology tutorials.

Leave a Reply

Your email address will not be published. Required fields are marked *