As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.
The team behind the Open Crypto Audit Project, which has undertaken an audit of TrueCrypt, has posted a verified repository of TrueCrypt 7.1a on GitHub. There are versions for Windows, Linux and OS X. When the anonymous developers behind TrueCrypt posted a notice on their Web site and SourceForge page in late May saying that the software was not safe to use because it might contain unfixed security vulnerabilities, speculation arose immediately that perhaps the team had been targeted by a National Security Letter, à la Lavabit, or that maybe the developers were sending a subtle message about a backdoor in the application. No word has been forthcoming from the developers, and speculation has continued, but many seem to have come to the conclusion that the developers simply hit a wall with the project.
The message that the TrueCrypt developers posted about the security of the software was also included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA-2 hashes of its files with those of files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a.
“These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit,” said Kenn White, part of the team involved in the TrueCrypt audit.
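The verification the OCAP team describes comes down to two checks: the archive's digest must match a hash published out of band (here, the one in the iSec report), and independently obtained copies must hash to the same value. The script below is an added example of that procedure, not code from OCAP or the TrueCrypt project; the file contents, mirror names and "published" digest are constructed stand-ins, and `verify_artifact` and `demo` are names chosen for this illustration. It generalizes the article's case slightly by reporting which mirrors agree and which dissent, so a single tampered copy is visible rather than hidden in a pass/fail result.

```python
"""Cross-check a downloaded artifact against a published SHA-256 digest and
against copies obtained from independent mirrors. Constructed example: the
file contents and the 'published' digest below are made up."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(candidate, published_sha256, mirror_copies):
    """Report whether `candidate` matches the published digest and whether
    each independently fetched copy agrees with it.

    published_sha256 -- hex digest from an out-of-band source (an audit
                        report, a signed manifest), or None if unavailable.
    mirror_copies    -- {label: path} for copies fetched from other sources.
    """
    candidate_digest = sha256_file(candidate)
    agreeing, dissenting = [], []
    for label, path in mirror_copies.items():
        same = sha256_file(path) == candidate_digest
        (agreeing if same else dissenting).append(label)
    matches_published = (
        None if published_sha256 is None
        else candidate_digest == published_sha256.strip().lower()
    )
    return {
        "sha256": candidate_digest,
        "matches_published": matches_published,
        "agreeing_mirrors": sorted(agreeing),
        "dissenting_mirrors": sorted(dissenting),
        # Known-good only when the published digest matches AND no
        # independently obtained copy disagrees; a dissenting mirror is a
        # finding to investigate, not something to average away.
        "known_good": bool(matches_published) and not dissenting,
    }


def demo():
    """Constructed scenario: a local copy, two honest mirrors and one mirror
    serving a modified archive. Returns the verify_artifact() report."""
    genuine = b"constructed stand-in for a release archive\n"
    tampered = genuine + b"one extra byte changes the digest\n"
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("local", genuine), ("mirror_a", genuine),
                           ("mirror_b", genuine), ("mirror_c", tampered)):
            p = os.path.join(d, name + ".tar.gz")
            with open(p, "wb") as f:
                f.write(data)
            paths[name] = p
        # The "published" digest is derived from the genuine bytes here only
        # because this is a self-contained demo; in practice it must come
        # from a source independent of the download itself.
        published = hashlib.sha256(genuine).hexdigest()
        mirrors = {k: v for k, v in paths.items() if k != "local"}
        return verify_artifact(paths["local"], published, mirrors)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed run the local copy matches the published digest and two mirrors, but `mirror_c` dissents, so the report refuses to call the archive known-good; that is the behaviour you want when building an archive whose whole point is provenance.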
The provenance and integrity of TrueCrypt have been a subject of much debate in the security community. The developers of the software are anonymous and have proven elusive. It took some doing for the OCAP audit team to get in touch with the developers and get the audit started, a project that was meant to answer longstanding questions about the integrity of the application. The events of the last couple of weeks haven’t served to calm any of the fears of those who worried that TrueCrypt might have been backdoored or otherwise compromised, despite the clean bill of health produced by the first phase of the audit.
For some, those questions may never be answered fully, but the OCAP team is continuing with its audit, now looking at the cryptographic functions used in the software.