TrueCrypt Audit: No NSA Backdoors

Mark Wilson writes: A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group (PDF) for the Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised. However, the software was found to contain a few other security vulnerabilities, including one relating to the use of the Windows API to generate random numbers for master encryption key material. Despite this, TrueCrypt was given a relatively clean bill of health with none of the detected vulnerabilities considered severe enough to lead "to a complete bypass of confidentiality in common usage scenarios."

Very gratifying to see

[sasparillascott]

This was very reassuring to see and I'm very glad the audit was finished finally. The 2nd to the last version (v7.1a) is the gold standard for multi-platform encryption where you can be reasonably sure the NSA/FBI doesn't have a back door (or access to the keys) like they would with Bitlocker etc..

Re: That's what they WANT you to believe!

Look everyone, a NSA shill.

Re:Tin foil hat time

[Lord+Crc]

There's talk that they influenced the decision of some recommended constants for Elliptic Curve Cryptography.

You'll want to use constants that ensures the cryptographic strength of the algorithm, so picking them are non-trivial and hence a recommended set was published. This is the same for most algorithms. AES has constants and they are part of what makes the algorithm AES and not some other variant.

Anyway, here's what Bruce Schneier said about ECC:

I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

And here's a nice background on ECC:
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/