Over a number of years, TrueCrypt gained a reputation and a sizeable following as a reliable and stable, tried and tested free full disk encryption solution.
The architecture is believed to be sound and as far as is known, no critical bugs have been found in version 7.1a, released around two years ago.
Indeed, Edward Snowden has expressed his faith in it, and he should know what can be cracked by the best minds in the business using the best tools available!
A crowd-funded audit has released its first results, which raised no major concerns.
Then suddenly and without warning at the end of May, the developers declared it unsafe to use and effectively killed it, recommending users move to Bitlocker (for Windows) or other tools for Mac and Linux.
This was very shortly after I had taken delivery of a shiny new SSD and while I was planning the transfer of my Windows 7 installation to it, encrypting it on the way. Since Bitlocker is only available on Ultimate Edition, which offers nothing else I might need, Truecrypt seemed the obvious choice.
Should I still use it?
The whole saga has brought into focus an issue which has been central to security thinking in government circles for many years, though much less so more widely: that of assurance.
I take out insurance to make good if my house burns down. But assurance is the measures I might take to reduce the risk of it burning down in the first place.
Product and system assurance schemes such as Common Criteria, CCTM and CAPS are at the heart of government security policies.
In simplistic terms, they check whether the Target of Evaluation (or ToE) can be relied upon to do what it says on the tin.
A product may be built on the latest hyper-secure bullet-proof technology, but with only the vendor’s word for it a security architect working in the government arena would favour an independently assured product, even if theoretically not as strong. However, formal evaluation is not the only form of assurance.
So comparing Truecrypt against Bitlocker, what sources of assurance do we have?
- Steve Gibson examined TrueCrypt a while back and declared his faith in it.
- As we’ve already noted, Edward Snowden has endorsed it more recently.
- An independent audit has delivered its verdict on the boot code with no critical issues found. And it’s inconceivable that the NSA wouldn’t have dwarfed that audit by its own efforts, despite which, TrueCrypt is understood to have thwarted the best efforts of criminal investigation teams.
As for Windows, versions since NT and including Windows 7 and Server 2008 have been subjected to formal Common Criteria evaluations.
Much has been written on the negative side regarding TrueCrypt.
For example, the audit raised serious questions about code quality and the antediluvian build environment. But this is a bit like criticising a donkey for not being a horse. The groundwork was laid when Microsoft was only just waking up to the need for a secure development methodology.
This leads to the question of the lack of ongoing support and updates, which would hopefully have encouraged an evolution of the development processes.
But updates are only needed to fix bugs or to introduce new features. There appear to be no known critical bugs, and the features are sufficient, at least up to Windows 7.
Feature creep leads to complexity, and complexity is the enemy of security. We have something which works, doesn’t crash and doesn’t trash your data.
The Heartbleed bug and subsequent revelations about OpenSSL code quality have shaken confidence in open source.
The source of TrueCrypt is available for anyone to look at, but in practice, everyone assumes someone else will do so and in the end, no one does.
Whilst this is true, quite apart from the fact that the TrueCrypt audit is continuing, there is a key difference. OpenSSL is huge and has a vast repertoire of functions. Consequently it has an enormous and very complex attack surface.
TrueCrypt has an attack surface during installation; if your installation environment has been compromised then there’s no hope for you, whatever product you use. The next point of potential weakness is in booting and password entry, which have already been covered by the audit.
After that, if an attacker is able to freeze your RAM with liquid nitrogen in the time it takes for you to put your coat on to go home then he may have you, and likewise if he can mount an "evil maid" attack.
This applies to any encryption product to a greater or lesser extent.
But if you can shut your computer down and give the RAM a minute to die, then the attacker’s only recourse is a direct assault on the cryptography, which rarely if ever succeeds, given a decent password.
So how much assurance does the Windows Common Criteria evaluation offer?
Evaluating a product of the size of Windows is a vast undertaking, and it’s not clear, on the surface at least, how much attention was given to BitLocker. A common mistake in using evaluated products is to assume that the specific security enforcing function you are relying on is fully included in the Target of Evaluation, and tested in sufficient depth.
BitLocker does appear to have been included in the evaluation, but unlike TrueCrypt, which is a single-user product (lose your password, loose your data) BitLocker is aimed at the enterprise.
As such, it includes enterprise-grade key management and password recovery features. In contrast to a direct cryptographic attack which practically never succeeds, key management is a minefield and extremely difficult to get right.
And as well as technical attacks, social engineering can often be leveraged.
As for the Windows 7 Evaluation Report, the NSA’s name is on the front page. Who knows what vulnerabilities they might have failed to disclose, or what back-doors they might have persuaded Microsoft to include?
Formal assurance methodologies and their methods of application have evolved considerably over the years.
There was a time around 10 years ago when an evaluated version of the PIX firewall firmware was preferred in government applications long after any self-respecting network engineer would touch it with a bargepole.
Because it was evaluated. Those days are long gone, but we still need to look at assurance from the widest perspective.
So, am I still going to use TrueCrypt? In an enterprise or serious business you can’t afford to use a product without a good support model. It has to be BitLocker – unless you’re a journalist guarding Edward Snowden’s files.
But TrueCrypt does have an advantage in being cross-platform: in extremis I could in principle do an offline virus scan, or fix other serious problems using Linux-based tools.
So yes, for my own use I might still use Truecrypt. But first, I have to work out why Microsoft System Backup is giving me an error 0x8007045D. There must be an answer – after all, Windows is formally evaluated!