Feeds

Crowdfunded audit of 'NSA-proof' encryption suite TrueCrypt is GO

Line-by-line code exam will blow hidden backdoor doubts into orbit, hope devs

Website security in corporate America

A fundraising effort to pay for an independent, professional security audit of TrueCrypt, the popular disk encryption utility, has raised enough money to pay for an arguably long overdue audit of the security software.

TrueCrypt is a widely used utility that encrypts and decrypts entire drives, partitions or files within a virtual disk. The tool can also hide volumes of data on discs.

Cryptography expert Bruce Schneier uses TrueCrypt on an air-gapped PC to work on NSA files leaked by Edward Snowden. Yet this isn't quite the ringing endorsement it might seem at first.

Schneier, who has found flaws with the hidden volume feature of the software in the distant past, uses the utility in preference to Microsoft's BitLocker and Symantec's PGPDisk, essentially because it's independently developed rather then because he wholeheartedly trusts the tool.

The source code for the Windows, Linux and Mac OS X utility is publicly available for inspection but this alone has failed to convince security experts that it's secure. Researchers had been unable to prove that the downloadable Windows executable, built by the anonymous TrueCrypt team, can be put together from the published source code, This in turn spawned nagging doubts that the extra code might contains hooks to a backdoor that could permit the decryption of users' data without a password.

Concerns about TrueCrypt have risen to the fore because of the ongoing controversy over Bullrun, the NSA's effort to work with hardware and software technology vendors to weaken encryption systems and their underlying components.

The IsTrueCryptAuditedYet project, established by security experts three weeks ago, aims to put confidence in TrueCrypt on a sound footing by raising funds to run an independent cryptographic and security audit. Kenneth White, the principal scientist at biotechnology biz Social & Scientific, a hosted services provider to the health sector, and Matthew Green, a cryptographer and research professor at Johns Hopkins University, and the two main founders of the project, whose manifesto can be found here.

As well as running a cryptanalysis and security audit of TrueCrypt version 7.1a, one of the latest builds, the team behind the project also want to sort out licensing issues that have prevented TrueCrypt from being bundled with Linux distributions including Ubuntu, Debian and Red Hat. There's also talk of setting up a bug bounty scheme.

Huge strides have already been made both by the project itself and its allies. The project has attracted donations of $22,000 through 126 pledges to FundFill as well as a further $35,000 through Indiegogo, well past its initial funding target on the latter site of $25,000 within two months.

Researcher compiles TrueCrypt from the public source – is it repeatable?

A security researcher has compiled TrueCrypt 7.1a for Win32 and matched the official binaries.

Xavier de Carné de Carnavalet a master's student in information systems security at Concordia University, Canada, explains how he carried out this task in a detailed blog post here. In order to attain the goal of a "fully audited, independently verified repository and software distribution" for TrueCrypt it would be beneficial if other researchers were able to repeat this process, if for no other reason than to verify de Carnavalet's claim.

In other developments, TrueCrypt's anonymous developers have been in touch with the researchers behind IsTrueCryptAuditedYet project to offer their support to the audit.

"We have made contact with the TrueCrypt development team," an update to auditing project's blog explains. "They have stated a commitment to a thorough, independent security audit and cryptanalysis of the code. They did ask that we remind the community (and fellow researchers) of the TrueCrypt security model, and related caveats of what the software does and does not guarantee to do."

TrueCrypt's developers are open about the fact that the software is unable to secure data on a computer compromised by malware or a hardware keylogger. Data stored in volatile memory is also up for grabs, given physical access to a powered-up machine; an aspect of the technology well known in the computer forensics business – if not in the wider IT community – for some years.

Encryption tools are not a panacea. Unless a user follows best practices, and operational security guidelines are followed, then any protection will be stripped away by intelligence agencies or other capable attackers.

The audit of TrueCrypt is proposed more in the spirit of verifying the security of the software rather than a search to confirm suspicions. TrueCrypt's developers have stated there's no backdoor in the software – but such statements can no longer be taken on trust, hence the need for independent cryptanalysis and a code review.

Both are painstaking tasks requiring a particular mindset and (normally) years of experience, hence the need to solicit donations to hire a professional firm to carry out the task. Expecting the job to be done by hobbyists is unrealistic.

In a Twitter update last Friday, Green confirmed that the pieces are falling into place for a professional audit to be carried out.

He added in later tweets that the name of the firm who submitted the tender is being withheld pending evaluation of its offer and those from potential rival bids.

In the meantime the request for further donations is continuing. "Funding is strong & will continue [for around] 45 days," White told El Reg. "We've got multiple commercial bids in prep now." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.