Feeds

Crowdfunded audit of 'NSA-proof' encryption suite TrueCrypt is GO

Line-by-line code exam will blow hidden backdoor doubts into orbit, hope devs

Internet Security Threat Report 2014

A fundraising effort to pay for an independent, professional security audit of TrueCrypt, the popular disk encryption utility, has raised enough money to pay for an arguably long overdue audit of the security software.

TrueCrypt is a widely used utility that encrypts and decrypts entire drives, partitions or files within a virtual disk. The tool can also hide volumes of data on discs.

Cryptography expert Bruce Schneier uses TrueCrypt on an air-gapped PC to work on NSA files leaked by Edward Snowden. Yet this isn't quite the ringing endorsement it might seem at first.

Schneier, who has found flaws with the hidden volume feature of the software in the distant past, uses the utility in preference to Microsoft's BitLocker and Symantec's PGPDisk, essentially because it's independently developed rather then because he wholeheartedly trusts the tool.

The source code for the Windows, Linux and Mac OS X utility is publicly available for inspection but this alone has failed to convince security experts that it's secure. Researchers had been unable to prove that the downloadable Windows executable, built by the anonymous TrueCrypt team, can be put together from the published source code, This in turn spawned nagging doubts that the extra code might contains hooks to a backdoor that could permit the decryption of users' data without a password.

Concerns about TrueCrypt have risen to the fore because of the ongoing controversy over Bullrun, the NSA's effort to work with hardware and software technology vendors to weaken encryption systems and their underlying components.

The IsTrueCryptAuditedYet project, established by security experts three weeks ago, aims to put confidence in TrueCrypt on a sound footing by raising funds to run an independent cryptographic and security audit. Kenneth White, the principal scientist at biotechnology biz Social & Scientific, a hosted services provider to the health sector, and Matthew Green, a cryptographer and research professor at Johns Hopkins University, and the two main founders of the project, whose manifesto can be found here.

As well as running a cryptanalysis and security audit of TrueCrypt version 7.1a, one of the latest builds, the team behind the project also want to sort out licensing issues that have prevented TrueCrypt from being bundled with Linux distributions including Ubuntu, Debian and Red Hat. There's also talk of setting up a bug bounty scheme.

Huge strides have already been made both by the project itself and its allies. The project has attracted donations of $22,000 through 126 pledges to FundFill as well as a further $35,000 through Indiegogo, well past its initial funding target on the latter site of $25,000 within two months.

Researcher compiles TrueCrypt from the public source – is it repeatable?

A security researcher has compiled TrueCrypt 7.1a for Win32 and matched the official binaries.

Xavier de Carné de Carnavalet a master's student in information systems security at Concordia University, Canada, explains how he carried out this task in a detailed blog post here. In order to attain the goal of a "fully audited, independently verified repository and software distribution" for TrueCrypt it would be beneficial if other researchers were able to repeat this process, if for no other reason than to verify de Carnavalet's claim.

In other developments, TrueCrypt's anonymous developers have been in touch with the researchers behind IsTrueCryptAuditedYet project to offer their support to the audit.

"We have made contact with the TrueCrypt development team," an update to auditing project's blog explains. "They have stated a commitment to a thorough, independent security audit and cryptanalysis of the code. They did ask that we remind the community (and fellow researchers) of the TrueCrypt security model, and related caveats of what the software does and does not guarantee to do."

TrueCrypt's developers are open about the fact that the software is unable to secure data on a computer compromised by malware or a hardware keylogger. Data stored in volatile memory is also up for grabs, given physical access to a powered-up machine; an aspect of the technology well known in the computer forensics business – if not in the wider IT community – for some years.

Encryption tools are not a panacea. Unless a user follows best practices, and operational security guidelines are followed, then any protection will be stripped away by intelligence agencies or other capable attackers.

The audit of TrueCrypt is proposed more in the spirit of verifying the security of the software rather than a search to confirm suspicions. TrueCrypt's developers have stated there's no backdoor in the software – but such statements can no longer be taken on trust, hence the need for independent cryptanalysis and a code review.

Both are painstaking tasks requiring a particular mindset and (normally) years of experience, hence the need to solicit donations to hire a professional firm to carry out the task. Expecting the job to be done by hobbyists is unrealistic.

In a Twitter update last Friday, Green confirmed that the pieces are falling into place for a professional audit to be carried out.

He added in later tweets that the name of the firm who submitted the tender is being withheld pending evaluation of its offer and those from potential rival bids.

In the meantime the request for further donations is continuing. "Funding is strong & will continue [for around] 45 days," White told El Reg. "We've got multiple commercial bids in prep now." ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.