Although the developers behind the TrueCrypt encryption software have given up the ghost and decided to no longer maintain the application, interest in the project has never been higher. But, one of the developers says that a nascent effort to fork TrueCrypt is unlikely to succeed.
Matthew Green, a cryptographer and professor at Johns Hopkins University, has been part of an effort for the last several months to audit the TrueCrypt code and look for any serious vulnerabilities or backdoors and has helped raise funds for the project. In an email to one of the TrueCrypt developers, Green said that a group of people with deep experience in cryptography would like the project to continue and would rather fork it than start with a blank slate.
“What we would like is permission to take at least portions of the current codebase and fork it under a standard open source license (e.g., GPL/MIT/BSD). We would also like permission to use the Truecrypt trademark as part of this effort. If that’s not possible, we would accept a clear statement that you would prefer the software not be renamed,” Green said in his email, which was part of a post on Pastebin.
“I realize this is a great deal to ask, but I would ask you to consider the alternative. Without expert attention there’s a high likelihood that TC 7.1a or some future insecure fork will occupy the niche that a secure version of TC could occupy. Giving your permission to undertake a responsible process of forking and redevelopment would ensure that your work can go on, and that nobody is at risk from using older software.”
However, Green said via email that his group is not going to do the fork itself, but rather would help fund the effort.
“We’re not going to do a fork ourselves. But I am interested in funding one and helping to re-write the crypto code,” Green said.
The Open Crypto Audit Project, led by Green and Kenn White, has already audited one portion of the TrueCrypt code and is planning to do the same for the cryptographic functions in the software in the near future. Last week the group released a verified version of TrueCrypt 7.1a, the last version of the software released by the developers before they inserted a warning that the software might include unfixed security flaws. The warning was interpreted in various ways by different people in the security community, with some seeing it as a veiled warning about an NSA back door and others seeing it as a white flag from the developers, saying they were tired of developing and maintaining the software.
The reply from the TrueCrypt developer to Green’s email about forking the software doesn’t sound promising.
“I am sorry, but I think what you’re asking for here is impossible. I don’t feel that forking truecrypt would be a good idea; a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn’t require much more work than actually learning and understanding all of truecrypt’s current codebase,” the reply says.