Wednesday, February 18, 2015

Another update on the Truecrypt audit

There's a story on Hacker News asking what the hell is going on with the Truecrypt audit. I think that's a fair question, since we have been awfully quiet lately. To everyone who donated to the project, first accept my apologies for the slow pace. I want to promise you that we're not spending your money on tropical vacations (as appealing as that would be). In this post I'd like to offer you some news, including an explanation of why this has moved slowly.

For those of you who don't know what the Truecrypt audit is: in late 2013 Kenn White, myself, and a group of advisors started a project to undertake a crowdfunded audit of the Truecrypt disk encryption program. To the best of my knowledge, this is the first time anyone's tried this. The motivation for the audit is that lots of people use Truecrypt and depend on it for their security and safety -- yet the authors of the program are anonymous and somewhat mysterious to boot. Being anonymous and mysterious is not a crime, but it still seemed like a nice idea to take a look at their code.

We had an amazing response, collecting upwards of $70,000 in donations from a huge and diverse group of donors. We then went ahead and retained iSEC Partners to evaluate the bootloader and other vulnerability-prone areas of Truecrypt. The initial report was published here.

That initial effort was Part 1 of a two-part project. The second -- and much more challenging part -- involves a detailed look at the cryptography of Truecrypt, ranging from the symmetric encryption to the random number generator. We had some nice plans for this, and were well on our way to implementing them. (More on those in a second.)

Then in late Spring of 2014, something bizarre happened. The Truecrypt developers pulled the plug on the entire product -- in their typical, mysterious way.

This threw our plans for a loop. We had been planning a crowdsourced audit to be run by Thomas Ptacek and some others. However, in the wake of TC pulling the plug, there were questions. Was this a good use of folks' time and resources? What about applying those resources to the new 'Truecrypt forks' that have sprung up (or are being developed)? There were a few other wrinkles as well, which Thomas talks about here -- although he takes on too much of the blame.

It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a, which serves as a baseline for the newer forks, and it will begin shortly. However, to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet.

In our copious spare time we've also been looking manually at some portions of the code, including the Truecrypt RNG and other parts of the cryptographic implementation. This will hopefully complement the NCC/iSEC work and offer a bit more confidence in the implementation.

I don't really have much more to say -- except to thank all of the donors for their contributions and their patience. This project has been a bit slower than any of us would like, but results are coming. Personally, my hope is that they'll be completely boring.

20 comments:

  1. This comment has been removed by the author.

  2. Any ETA on this?

  3. $70,000 for an audit?

    1. For auditing crypto $70k is *peanuts*.

    2. I'm hoping you mean it's too little rather than too much.

      You have to keep in mind who would actually be doing the work. It's definitely not people in low income jobs.

    3. No, the 70k$ mentioned were the donated funds, as explained in the article.

      Since fees are usually high in that field of expertise, it wouldn't be enough for a thorough audit though, and they had to make some compromises (hence the delay, as explained in the article...).

    4. A code audit of a project the size of TrueCrypt would be cheap at twice or more the $70,000 raised.

    5. No reason they can't go back to the internet for another round of funding if NCC need more cash to complete the job - nice though crowdsourcing the effort would have been, the truth is that cryptographers of the calibre needed for this sort of audit aren't common, aren't cheap, and if expected to sign their name to an audit report, aren't going to work for free.

  4. Thanks so much for the hard work - this really helps out the entire community. I know that I love seeing that this project is going on, even with all the craziness that has happened.

  5. It's nice to hear something from the team.

    Continuing with the audit of the original Truecrypt code is definitely the best way to proceed.

  6. So, where in this post is the disclosure that part of the TrueCrypt audit was financed by the US government through Radio Free Asia? Why is the US government refusing to release Radio Free Asia's contract for the TrueCrypt audit? More questions than answers.

    1. But so what? If the audit is going to be signed off by *other* independent cryptographers whose reputations will be on the signature line, so what if a government funded organisation partially funded the audit? If indeed that is true...

  7. Your comments about the TC devs pulling the plug are a lame excuse for the lack of communication with the community that funded you and whether or not completing the audit is a waste of time should never have even been discussed, you were funded to audit 7.1a so do it. I read some of the blogs you and those affiliated with the audit posted, it seems to me you all spend your time looking for reasons and excuses not to complete the audit.

    1. Ouch... I would assume they're doing the best they can, with such a complicated system... if you think you can do better, why don't you join them in the work? They could probably use all the volunteers they can get...

    2. So true... The community funded this project for 7.1a and if any concerns were raised - you HAD to discuss it OPENLY with the community. We trusted you and crowdfunded the project and you just make some excuses about being frustrated by the original dev's move. That's so awful! We want the result, not the excuses.

  8. So glad to hear that work on Phase 2 is finally proceeding!

  9. Matthew: you wrote "What about applying those resources to the new 'Truecrypt forks' ".

    Which brings up the topic of those TrueCrypt forks: which one(s) do you recommend?

    I only know of 2 mainstream ones:

    VeraCrypt
    https://en.wikipedia.org/wiki/VeraCrypt

    CipherShed
    https://en.wikipedia.org/wiki/CipherShed

    I am still using TrueCrypt 7.1a, but would love to know if you think that a better alternative is currently available.

    1. Funny how they are worried about being sued by people who have refused to identify themselves ever.

    2. Hi Anonymous.

      A discussion between VeraCrypt and CipherShed's is:
      1) Here:
      https://veracrypt.codeplex.com/discussions/576930
      2) Because of here:
      https://forum.ciphershed.org/viewtopic.php?f=3&t=73&sid=66adcb77738bbd4c9ebd9c4cd6e8e5b2

      I would recommend VeraCrypt. The VeraCrypt developer seems to be in the right mindset, as far as free development and benevolence goes, whereas the CipherShed developers seem to have a competitive mindset, which leads me to believe they will one day go proprietary. When/if that happens, VeraCrypt will be the only open-source option, anyway (unless another alternative comes out).

      There is one downside to VeraCrypt, as far as I'm concerned - it does not yet support UEFI (version 1.0f-1), although TrueCrypt didn't, either.

      If you intend to use VeraCrypt, make sure that your computer is set to MBR when you install your OS. For Windows, BitLocker works with UEFI... but who honestly trusts Microsoft encryption to not have backdoors? Instructions for using LUKS encryption with LVM on UEFI are found here: http://askubuntu.com/questions/197521/how-to-install-in-efi-mode-with-encrypted-lvm
