19.11.2015
TrueCrypt is safer than expected
The Fraunhofer SIT has analyzed the encryption software TrueCrypt in terms of security vulnerabilities – the result: only in very rare cases, the cryptographic functions are vulnerable. A vulnerability found in late September this year, although problematical in general, however, has no relevance for the security of TrueCrypt itself, according to the the experts at Fraunhofer SIT. The complete results of the safety study that Fraunhofer SIT has created under contract to the Federal Office for Security in Information Technology BSI are summarized in a report, which is available for download on the website of the BSI.
The open-source encryption solution TrueCrypt has been abandoned in June 2014 by its anonymous developers, leaving the many users of the solution merely an indication of possible vulnerabilities. Experts of the Fraunhofer Institute for Secure Information Technology SIT have examined TrueCrypt for vulnerabilities and programming errors on behalf of the BSI. The Fraunhofer team, headed by Prof. Dr. Eric Bodden, has also considered and reviewed the results of previous safety analyses. The experts concluded that TrueCrypt is safer than previous examinations suggest.
In late September, Google's Project Zero had discovered two previously unknown vulnerabilities in TrueCrypt, one of them classified as critical. The gap allows malicious code that already has access to the running computer system, to acquire expanded system rights. Prof. Dr. Michael Waidner, Director of Fraunhofer SIT, says: "The vulnerability should be closed, but it does not simplify access to encrypted data for the attacker". To exploit the vulnerability, the attacker would have far-reaching access to the computer anyway, for example, via a Trojan. "TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the system," Michael Waidner explains, "unfortunately, this is often misunderstood."
According to the Fraunhofer experts, TrueCrypt provides especially good protection to store data offline on encrypted drives. "This applies for example on a backup, which is kept on a hard drive, or for a USB flash drive with encrypted data on it to send it via a messenger. Furthermore, TrueCrypt protects encrypted data on disconnected laptops if they are stolen", Waidner said. "In these cases, TrueCrypt is relatively secure", summarizes the expert, "during operation, it is not really able to protect data".
"Especially in mobile scenarios, as the use of laptops or USB storage media, the encryption of hard disks or containers make an essential contribution to the protection of critical data," adds Thomas Caspers, head of evaluation and operation of cryptosystems at BSI. "Due to the fact that TrueCrypt is widely used and has many derived products, such as the German solution TrustedDisc, the present analysis of the security of TrueCrypt provides an important basis for the evaluation of the level of protection and possible improvements in further developments," says Casper.The results of the analysis of TrueCrypt are available here