A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.
A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.
TrueCrypt is praised as not only free and open source encryption software, but also that it’s easy to install, configure and use. Given that it has been downloaded upwards of 30 million times, it stood to reason that it could be a prime target for manipulation by intelligence agencies that have been accused of subverting other widely used software packages, commercial and open source.
The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly.
“With Phase II, we will be conducting a formal cryptanalysis and looking at these issues,” White said. “In security engineering, we never say a system is ‘unbreakable,’ but rather, ‘we looked at X, Y, and Z and couldn’t find a vulnerability.’
“But yes, I would say there is certainly an increased level of confidence in TrueCrypt,” White said.
Among the still-outstanding questions publicly asked by OCAP, which was kicked off by White and Johns Hopkins professor and crypto expert Matthew Green, revolved around the Windows version of TrueCrypt. Since those are available only as downloadable binaries, they cannot be compared to the original source code, yet behave differently than versions compiled from source code. There were also concerns about the license governing TrueCrypt use, as well as the anonymous nature of the development group behind the software.
iSEC Partners’ report gave TrueCrypt a relatively clean bill of health.
“iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors,” iSEC’s Tom Ritter said in a statement. “All identified findings appeared accidental.”
Ritter said iSEC recommends improvements be made to the quality of code in the software and that build process be updated to relay on tools with a “trustworthy provenance.”
“In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report,” Ritter said.
Specifically, iSEC security engineers Andreas Junestam and Nicolas Guigo audited the bootloader and Windows kernel driver in TrueCrypt 7.1a. The report says iSEC performed hands-on testing against binaries available from the TrueCrypt download page and binaries compiled from source code. Work was completed Feb. 14.
The engineers found 11 vulnerabilities, four rated medium severity, four low severity and three were rated informational issues having to do with defense in depth.
“Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code,” the report said. “This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.”
The team dug deeper into its recommendations of updating the Windows build environment and code quality improvements, specifically replacing outdated tools and software packages, some of which date back to the early 1990s.
“Using antiquated and unsupported build tools introduces multiple risks including: unsigned tools that could be maliciously modified, unknown or un-patched security vulnerabilities in the tools themselves, and weaker or missing implementations of modern protection mechanisms such as DEP and ASLR,” the team wrote in its report. “Once the build environment has been updated, the team should consider rebuilding all binaries with all security features fully enabled.”
They added that “lax” quality standards make the source code difficult to review and maintain, impeding vulnerability assessments.
Of the four most serious bugs uncovered in the audit, the most serious involves the key used to encrypt the TrueCrypt Volume Header. It is derived using PBKDF2, a standard algorithm, that uses an iteration count that’s too small to prevent password-guessing attacks.
“TrueCrypt relies on the what’s known as a PBKDF2 function as a way to ‘stretch” a users’ password or master key, and there is concern that it could have been stronger than the 1,000 or 2,000 iterations it uses currently.” White said. “The TrueCrypt developers’ position is that the current values are a reasonable tradeoff of protection vs. processing delay, and that if one uses a weak password, a high-count PBK2DF2 hash won’t offer much more than a false sense of security.”
White said the OCAP technical advisors are also concerned about TrueCrypt’s security model which offers narrowly restricted privacy guarantees,” White said.
So, for example, if you are not running whole volume (system disk) encryption, there are many known exploits to recover plaintext data, including decryption keys,” White said, pointing out that Microsoft’s Bitlocker software and PGP, for example, have similar attack paths.
“But in the case of TrueCrypt, whole volume disk encryption is only available for the Windows port, and there exists today point-and-click forensic tools that can be purchased for a few hundred dollars that can easily decrypt data from a running machine with any of these packages, TrueCrypt included,” White said. “I have a feeling that while most in the security industry understand this, it is probably worth emphasizing to a broader audience: on the vast majority of machines that use file or disk encryption, if the underlying operating system or hardware can be compromised, then so too can the encryption software.”