Encryption is a trending topic these days and there have been many reports over the past few months regarding which encryptions are [not] safe. TrueCrypt has come under attack by various researchers and studies recently, although it turns out that this encryption tool is much safer than most would assume. Do keep in mind there is no such thing as a 100% secure solution, though.
TrueCrypt Is Safer Than Assumed, But Not Perfect
Just a few weeks ago, Google’s Project Zero security team announced how they had found two undisclosed TrueCrypt vulnerabilities in this whole-disk encryption tool. The news came as quite a shock, considering how this encryption tool is used by millions of people all over the world. But it turns out things are not as grim as assumed at first.
A new report was presented by Fraunhofer Institute for Security Information Technology. While the report itself is 77 pages long – and very detailed to regarding these alleged vulnerabilities – it turns out TrueCrypt is safe under certain conditions. To be more precise, users are advised to use TrueCrypt as a tool for encrypting data at rest, rather than encrypting data stored in computer memory or on a mounted drive.
Furthermore, the two vulnerabilities discovered by Project Zero ought to be fixed, although there is no indication that they are viable exploits. Accessing encrypted data stored on an unmounted drive is still questionable, even when using either of these two exploits. That being said, there are still a few questions regarding whether or not TrueCrypt users are aware of how this tool was intended to be used in the first place.
“Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure. In result, TrueCrypt provides good protection mostly when storing encrypted data offline. If keeping a backup stored offline on a hard drive, for example, or keeping encrypted data on a USB flash drive to be sent via a human carrier, then this can be considered relatively secure.” – Eric Bodden, Leader of the Fraunhofer audit team explained.
While it is positive news to hear the two earlier discovered vulnerabilities pose far less of a risk than originally assumed, there are various programming errors to be found in the TrueCrypt code. One of the most worrying errors comes in the form of using a Windows programming interface to generate random numbers used by cryptographic keys.
On paper this may sound normal to some people, yet it creates weaknesses in the generation of random numbers by TrueCrypt. Fixing this flaw would require a code update, but that may never take place as the project is no longer actively being developed. Things are looking bleak when the original developers feel TrueCrypt can no longer be trusted.
Looking For Other Options Is Critical
Encryption is critical for any computer user in the world, and even more so for Bitcoin users who want to go above and beyond to protect their funds. Encrypting a Bitcoin wallet can be done in a variety of ways, yet there are a fair few users who rely on TrueCrypt for this process as well. As it turns out, this is not the safest of solutions.
Looking for alternatives can be quite a challenge as most of the projects following the “path” of TrueCrypt are still in development. However, the silver lining is how the software has been made open-source, allowing any aspiring and experienced developers to take a stab at improving the product.
How do you encrypt your Bitcoin wallet or any other data on your computer? Let us know in the comments below!
Source: BSI Bund