The first round of results is in, and so far TrueCrypt, the popular open-source disk-encryption program, has a relatively clean bill of health. Security firm iSec Partners recently completed the first phase of the TrueCrypt audit on behalf of the Open Crypto Audit Project (OCAP).
OCAP is the official name for the group behind istruecryptauditedyet.com, a project inspired by the revelations about the National Security Agency’s surveillance activities. OCAP was created by Matthew Green, a cryptographer and research professor at Johns Hopkins University, and Kenneth White, Principal Scientist at Social & Scientific Systems.
For its report, released on Monday, iSec examined the latest Windows edition of TrueCrypt (version 7.1a). Specifically, the firm reviewed the Windows kernel code, bootloader, filesystem driver, and related code. Within that scope, iSec says it “found no evidence of backdoors or intentional flaws.”
But TrueCrypt didn’t escape completely unscathed from iSec’s audit. The firm said it found 11 issues in the software, ranging from low to medium severity. The good news, however, is that none of them were immediately exploitable, iSec explained in a blog post.
Besides those minor flaws in the Windows version of TrueCrypt, iSec also said the TrueCrypt code was not well maintained. While that is not a major problem right now, poorly maintained code makes it harder to find and correct bugs, iSec said. Sloppy code also makes it harder for future developers who join the TrueCrypt project to become familiar with the code base.
Looking at the Windows implementation was an important first step for OCAP’s TrueCrypt audit. “The reason we focused on Windows first is because the kernel drivers and bootloaders are a very special skill,” White told PCWorld. “But also because the Windows port really is the only one that offers the best protection.” The Windows build is the only version of TrueCrypt that supports whole-disk encryption of a PC drive containing the operating system; the Linux and Mac versions do not, which is why the bootloader and kernel driver that implement it were the first components reviewed. Later on, White said, OCAP may look at the Linux and Mac versions of TrueCrypt.