After all the revelations about NSA’s spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted.
Security experts have repeatedly said that it you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue.
And that it exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, Principal Scientist at Social & Scientific Systems, have set out to do.
The software that will be audited is the famous file and disk encryption software package TrueCrypt. Available for Windows, Linux and OSX, the user-friendly software is developed by unknown developers and has, so far, never been audited for intentional or unintentional security flaws.
The goals of the project are several:
- To implement deterministic / reproducible builds in order to be sure that the software binaries have not been tampered with.
- To do a complete source code audit conducted by a security evaluation company that is qualified to review cryptographic software.
- To do a legal review of the software licence, and see whether there is a way to allow TrueCrypt to be bundled with many of the popular Linux distributions.
Green and White are hoping that the company that accepts to do the audit will also donate their employees’ time or reduce the rates for this project, as well as that they will have enough money to reward bug hunters who get involved.
“We don’t expect any single person to do all of this. The exact balance of payouts from our collected fund is still TBD, but we will be formalizing it soon. We also want specialists and experts, and we also want people to donate their time wherever possible,” they stated.
“The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what to trust anymore,” Green explained in blog post. “But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it.”
Also because there have been some indications that the Windows executable of Truecrypt 7.0a is compiled from a different source code than the one published. “Even if the Truecrypt source code is trustworthy, there’s no reason to believe that the binaries are. And many, many people only encounter Truecrypt as a Windows binary,” he pointed out. “In short: there are numerous reasons we need to audit this software — and move its build process onto safe, deterministic footing.”
According to the latest update, they have contacted the (anonymous) TrueCrypt development team who have voiced its support for the effort. “They did ask that we remind the community (and fellow researchers) of the TrueCrypt security model, and related caveats of what the software does and does not guarantee to do,” they noted.