TrueCrypt Audit Phase II completed: 4 vulnerabilities identified


Top member
The recent history of the TrueCrypt encryption software is a strange one. First, there was a crowdfunding campaign to get the software audited for security issues in 2013 after Edward Snowden leaked classified information from the National Security Agency (NSA) starting June 2013.

Then in May 2014, an announcement was published on the TrueCrypt website claiming that TrueCrypt was not secure anymore and that users should find another program to use for that purpose. The developers released a final version of TrueCrypt that was broken (by design) in many regards. The final source code of the full version of the program was published by Gibson Research Corporation and alternatives such as VeraCrypt or CipherShed appeared shortly thereafter.

At that time, TrueCrypt's audit was not complete as only phase one of the audit had been completed by the researchers. The research term made the decision to continue with the audit of TrueCrypt 7.1a despite the fact that the project developers abandoned the project in the meantime.

Today, phase 2 of the TrueCrypt analysis has completed. The researches have uploaded the final report as a PDF document to the official website from where it can be downloaded.

A total of four vulnerabilities were discovered:
  1. Keyfile mixing is not cryptographically sound (low).
  2. Unauthenticated ciphertext in volume headers (undetermined).
  3. CryptAcquireContext may silently fail in unusual scenarios (high).
  4. AES implementation susceptible to cache timing attacks (high).
The most severe finding relates to the use of the Windows API to generate random numbers for master encryption key material among other things. While CS believes these calls will succeed in all normal scenarios,at least one unusual scenario would cause the calls to fail and rely on poor sources of entropy; it is unclear in what additional situations they may fail.

Additionally, CS identified that volume header decryption relies on improper integrity checks to detect tampering, and that the method of mixing the entropy of keyfiles was not cryptographically sound.

Finally, CS identified several included AES implementations that may be vulnerable to cache-timing attacks. The most straightforward way to exploit this would be using native code, potentially delivered through NaCl in Chrome; however, the simplest method of exploitation through that attack vector was recently closed off.

The report highlights each vulnerability in detail which should help projects that use the TrueCrypt source as their base to address the issues in future updates. It needs to be noted that the audit was narrow in scope and not a full code review. The team concentrated on important parts of TrueCrypt and here especially its cryptographic implementations and use.