Feeds

Crowdfunded audit of 'NSA-proof' encryption suite TrueCrypt is GO

Line-by-line code exam will blow hidden backdoor doubts into orbit, hope devs

Next gen security for virtualised datacentres

A fundraising effort to pay for an independent, professional security audit of TrueCrypt, the popular disk encryption utility, has raised enough money to pay for an arguably long overdue audit of the security software.

TrueCrypt is a widely used utility that encrypts and decrypts entire drives, partitions or files within a virtual disk. The tool can also hide volumes of data on discs.

Cryptography expert Bruce Schneier uses TrueCrypt on an air-gapped PC to work on NSA files leaked by Edward Snowden. Yet this isn't quite the ringing endorsement it might seem at first.

Schneier, who has found flaws with the hidden volume feature of the software in the distant past, uses the utility in preference to Microsoft's BitLocker and Symantec's PGPDisk, essentially because it's independently developed rather then because he wholeheartedly trusts the tool.

The source code for the Windows, Linux and Mac OS X utility is publicly available for inspection but this alone has failed to convince security experts that it's secure. Researchers had been unable to prove that the downloadable Windows executable, built by the anonymous TrueCrypt team, can be put together from the published source code, This in turn spawned nagging doubts that the extra code might contains hooks to a backdoor that could permit the decryption of users' data without a password.

Concerns about TrueCrypt have risen to the fore because of the ongoing controversy over Bullrun, the NSA's effort to work with hardware and software technology vendors to weaken encryption systems and their underlying components.

The IsTrueCryptAuditedYet project, established by security experts three weeks ago, aims to put confidence in TrueCrypt on a sound footing by raising funds to run an independent cryptographic and security audit. Kenneth White, the principal scientist at biotechnology biz Social & Scientific, a hosted services provider to the health sector, and Matthew Green, a cryptographer and research professor at Johns Hopkins University, and the two main founders of the project, whose manifesto can be found here.

As well as running a cryptanalysis and security audit of TrueCrypt version 7.1a, one of the latest builds, the team behind the project also want to sort out licensing issues that have prevented TrueCrypt from being bundled with Linux distributions including Ubuntu, Debian and Red Hat. There's also talk of setting up a bug bounty scheme.

Huge strides have already been made both by the project itself and its allies. The project has attracted donations of $22,000 through 126 pledges to FundFill as well as a further $35,000 through Indiegogo, well past its initial funding target on the latter site of $25,000 within two months.

Researcher compiles TrueCrypt from the public source – is it repeatable?

A security researcher has compiled TrueCrypt 7.1a for Win32 and matched the official binaries.

Xavier de Carné de Carnavalet a master's student in information systems security at Concordia University, Canada, explains how he carried out this task in a detailed blog post here. In order to attain the goal of a "fully audited, independently verified repository and software distribution" for TrueCrypt it would be beneficial if other researchers were able to repeat this process, if for no other reason than to verify de Carnavalet's claim.

In other developments, TrueCrypt's anonymous developers have been in touch with the researchers behind IsTrueCryptAuditedYet project to offer their support to the audit.

"We have made contact with the TrueCrypt development team," an update to auditing project's blog explains. "They have stated a commitment to a thorough, independent security audit and cryptanalysis of the code. They did ask that we remind the community (and fellow researchers) of the TrueCrypt security model, and related caveats of what the software does and does not guarantee to do."

TrueCrypt's developers are open about the fact that the software is unable to secure data on a computer compromised by malware or a hardware keylogger. Data stored in volatile memory is also up for grabs, given physical access to a powered-up machine; an aspect of the technology well known in the computer forensics business – if not in the wider IT community – for some years.

Encryption tools are not a panacea. Unless a user follows best practices, and operational security guidelines are followed, then any protection will be stripped away by intelligence agencies or other capable attackers.

The audit of TrueCrypt is proposed more in the spirit of verifying the security of the software rather than a search to confirm suspicions. TrueCrypt's developers have stated there's no backdoor in the software – but such statements can no longer be taken on trust, hence the need for independent cryptanalysis and a code review.

Both are painstaking tasks requiring a particular mindset and (normally) years of experience, hence the need to solicit donations to hire a professional firm to carry out the task. Expecting the job to be done by hobbyists is unrealistic.

In a Twitter update last Friday, Green confirmed that the pieces are falling into place for a professional audit to be carried out.

He added in later tweets that the name of the firm who submitted the tender is being withheld pending evaluation of its offer and those from potential rival bids.

In the meantime the request for further donations is continuing. "Funding is strong & will continue [for around] 45 days," White told El Reg. "We've got multiple commercial bids in prep now." ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?