Experts Join Movement to Audit TrueCrypt, Perhaps Other Security Software

Organizers of the TrueCrypt audit have formed a technical advisory board and have hinted that the evaluation of TrueCrypt could lead to audits of other popular security software.

As the TrueCrypt audit chugs along toward a deterministic, clean build of the open-source encryption software and a palatable license, the organizers have brought prominent security and legal experts aboard as a technical advisory team.

The experts will not only provide guidance on the current audit, but could help evolve this project into a framework for examining other open source security tools.

The full list of luminaries is expected to be made public shortly, along with a new website housing details and progress on the TrueCrypt audit. The list already includes the cryptographers Bruce Schneier and Jean-Philippe Aumasson; Moxie Marlinspike, a security researcher who has done extensive work on secure protocols, privacy and cryptography; and Marcia Hofmann, a digital rights attorney and Fellow at the Electronic Frontier Foundation.

“We really seemed to have sparked something here bigger than what we expected,” said Kenneth White, a security expert who along with Johns Hopkins University professor and cryptographer Matthew Green helped get the TrueCrypt audit off the ground. “The thinking is that maybe what we could do is use the TrueCrypt audit as an example of sort of how we can do an open source evaluation and use it to help refine how we could do this in a more generic way for other projects.

“I certainly get the impression from several people who are involved that we’d hate for this to be a one-off thing. We’d like to take this momentum and maximize it for other projects.”

The TrueCrypt audit, to date, has raised close to $60,000, smashing the team's initial goal of $25,000 in the first four days of fundraising. Against the backdrop of NSA surveillance and the alleged weakening of popular encryption algorithms by the spy agency, the TrueCrypt audit hopes to answer some potentially troubling questions about the software. Of particular concern is the Windows version: unlike the Linux and Mac OS X versions, it is distributed as precompiled binaries, and those binaries have not been shown to match what the published source produces when built. Because the shipped Windows build cannot be tied back to the source, many have wondered whether it has been backdoored at some point.

Add to that the unclear identity of TrueCrypt's developers and the burdensome license governing its use, and it is no surprise that technologists and experts alike have welcomed the audit. White, for example, said there have been contributions to the audit fund from close to 1,000 people in 30 countries. People from 70 countries have visited the current website, istruecryptauditedyet.com, which has generated two million hits since it went live. White also told Threatpost that the audit has been granted non-profit status by the state of North Carolina and has filed a 501(c)(3) application with the IRS for federal non-profit status.

“We’ve got some fairly ambitious ideas and we’ll start with TrueCrypt for now,” White said, adding that there have been discussions and debate about how much to open up the audit to other entities beyond professional software firms, such as academics or the security community at large. “I suspect there’s going to be some sort of balance because we’ve got so many different people looking at this. Some people are going to only be satisfied if a professional firm looks at it. It’s crazy the range of people who have offered to help either financially or with their services.”

As for the selection of a professional firm, White said there are a couple of options in play, including splitting the work so that the cryptanalysis and the systems-engineering review of TrueCrypt are handled separately, in order to cover all the bases.

“When you do a whole volume boot from Windows, there’s a lot of stuff going on that’s got very little to do with crypto, just in terms of implementation,” White said. “I think there are 75,000 lines of code, including assembler, C and C++ on three different platforms. There’s an awful lot you have to bring to bear and there just aren’t many people who are wizards at, say, Windows boot process, and OS X and Linux. That’s what we’re trying to figure out. Have people with expertise in all, but it’s probably going to end up being a mix of volunteers, academics and professionals.”

If this ends up being a longer-term initiative, other open source projects as popular as TrueCrypt (28 million downloads) could be in the crosshairs of a similar review.

“Matt and I had talked about it and in some of the private conversations, the suggestion was why not make this a test case for how one could do a proper open security analysis,” White said. “Certainly several people had discussed that before we crystalized the idea.”

This article was updated at 3:30 ET with corrections regarding the audit’s non profit status.
