There’s a story on Hacker News asking what the hell is going on with the Truecrypt audit. I think that’s a fair question, since we have been awfully quiet lately. To everyone who donated to the project, first accept my apologies for the slow pace. I want to promise you that we’re not spending your money on tropical vacations (as appealing as that would be). In this post I’d like to offer you some news, including an explanation of why this has moved slowly.
We had an amazing response, collecting upwards of $70,000 in donations from a huge and diverse group of donors. We then went ahead and retained iSEC Partners to evaluate the bootloader and other vulnerability-prone areas of Truecrypt. The initial report was published here.
That initial effort was Part 1 of a two-part project. The second — and much more challenging part — involves a detailed look at the cryptography of Truecrypt, ranging from the symmetric encryption to the random number generator. We had some nice plans for this, and were well on our way to implementing them. (More on those in a second.)
Then in late Spring of 2014, something bizarre happened. The Truecrypt developers pulled the plug on the entire product — in their typical, mysterious way.
This threw our plans for a loop. We had been planning a crowdsourced audit to be run by Thomas Ptacek and some others. However in the wake of TC pulling the plug, there were questions. Was this a good use of folks’ time and resources? What about applying those resources to the new ‘Truecrypt forks’ that have sprung up (or are being developed?) There were a few other wrinkles as well, which Thomas talks about here — although he takes on too much of the blame.
In our copious spare time we’ve also been looking manually at some portions of the code, including the Truecrypt RNG and other parts of the cryptographic implementation. This will hopefully complement the NCC/iSEC work and offer a bit more confidence in the implementation.
I don’t really have much more to say — except to thank all of the donors for their contributions and their patience. This project has been a bit slower than any of us would like, but results are coming. Personally, my hope is that they’ll be completely boring.