Although the developers behind the TrueCrypt encryption software have given up the ghost and decided to no longer maintain the application, interest in the project has never been higher. But, one of the developers says that a nascent effort to fork TrueCrypt is unlikely to succeed.

Matthew Green, a cryptographer and professor at Johns Hopkins University, has been part of an effort for the last several months to audit the TrueCrypt code and look for any serious vulnerabilities or backdoors and has helped raise funds for the project. In an email to one of the TrueCrypt developers, Green said that a group of people with deep experience in cryptography would like the project to continue and would rather fork it than start with a blank slate.

“What we would like is permission to take at least portions of the current codebase and fork it under a standard open source license (e.g., GPL/MIT/BSD). We would also like permission to use the Truecrypt trademark as part of this effort. If that’s not possible, we would accept a clear statement that you would prefer the software not be renamed,” Green said in his email, which was part of a post on Pastebin.

“I realize this is a great deal to ask, but I would ask you to consider the alternative. Without expert attention there’s a high likelihood that TC 7.1a or some future insecure fork will occupy the niche that a secure version of TC could occupy. Giving your permission to undertake a responsible process of forking and redevelopment would ensure that your work can go on, and that nobody is at risk from using older software.”

However, Green said via email that his group is not going to do the fork itself, but rather would help fund the effort.

“We’re not going to do a fork ourselves. But I am interested in funding one and helping to re-write the crypto code,” Green said.

The Open Crypto Audit Project, led by Green and Kenn White, has already audited one portion of the TrueCrypt code and is planning to do the same for the cryptographic functions in the software in the near future. Last week the group released a verified version of TrueCrypt 7.1a, the last version of the software released by the developers before they inserted a warning that the software might include unfixed security flaws. The warning was interpreted in various ways by different people in the security community, with some seeing it as a veiled warning about an NSA back door and others seeing it as a white flag from the developers, saying they were tired of developing and maintaining the software.

The reply from the TrueCrypt developer to Green’s email about forking the software doesn’t sound promising.

“I am sorry, but I think what you’re asking for here is impossible. I don’t feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn’t require much more work than actually learning and understanding all of truecrypts current codebase,” the reply says.

Categories: Cryptography, Privacy, Web Security

Comments (4)

  1. Brian m

    Do understand where the original developers are coming from: if there is a lot of engineering debt in the code, then a re-write may be a good option, but throwing the baby out with the bath water is not a good idea!

    Perhaps hand over the project to willing hands, who can maintain the code and start work on a new version. Very few re-writes need to be started from total scratch!
  2. Dan

    What is needed is to standardize the Truecrypt container/volume format, à la OpenPGP. That way, different developers could write software that can create, open, modify, and save to the same standard container. We do have non-Truecrypt software that can open TC volumes, like TCPlay and early versions of Diskcryptor. What we need is a target standard. Despite Truecrypt’s flaws, containers that it has generated have been shown to be reliable and safe. We need that. Maybe Jetico or PGP would add TC container support if the standard takes off.

    We really don’t need Truecrypt to survive. We just need to make sure that the software that replaces it would still be able to mount our already-existing containers.
  3. T Richard Alexander

    From 25 years of experience in software development, when I’ve seen developers want to totally rewrite something it is usually because the code is so butt-ugly they are ashamed for anyone to see it. Sometimes this is due to adding a lot of extra functionality that wasn’t considered in the original design, but in a lot of cases I’ve seen, just flat out nasty code.
  4. EclipseSpark

    Please take a look at zuluCrypt; it is a nice piece of software similar to TC and compatible with it. It could be a great starting point for the best TrueCrypt alternative.

    Let me know what you think about it; it’s preinstalled on Parrot Security OS.
