IsTrueCryptAuditedYet?
In Part!

Update April 14, 2014: Phase I of the audit is complete, and report is available. Phase II begins on the formal cryptanalysis. Follow #istruecryptauditedyet on Twitter for updates.

TrueCrypt (TC) is an open source file and disk encryption software package used by people all over the world, but a complete cryptanalysis has not been performed on the software, and questions remain about differences between Windows, Linux and Mac OS X versions. In addition, there has been no legal review on the current TrueCrypt v. 3.0 open source license - preventing inclusion in most of the free operating systems, including Ubuntu, Debian, RedHat, CentOS and Fedora. We want to be able to trust it, but a fully audited, independently verified repository and software distribution would make us feel better about trusting our security to this software. We're pledging this money to sponsor a comprehensive public audit of TrueCrypt. Follow this page and #IsTrueCryptAuditedYet on twitter for the latest updates.

Support the Project

You can help support the Project on our FundFill site, or our new IndieGoGo site (note: both funds accept credit cards; FundFill also accepts Bitcoin, while IndieGoGo also takes PayPal & eChecks).

Goals

Rules

The exact terms are still a work in progress, but our proposal breaks down into roughly four components:

  1. License review. Truecrypt uses an odd, potentially non-FOSS license. We'd like to have it reviewed by a competent attorney to see how compatible it is with GPL and other OSS software.
  2. Implement deterministic/reproducible builds. Many of our concerns with Truecrypt could go away if we knew the binaries were compiled from source. Unfortunately it's not realistic to ask every Windows user to compile Truecrypt themselves. Our proposal is to adapt the deterministic build process that Tor is now using, so we can know the binaries are safe and untampered. This is really a precondition to everything else. And it's not an easy process.
  3. Pay out bug bounties. Not every developer has time or money to audit the entire source. But some have a little time. If we collect enough, we'd like to compensate bug hunters a little bit for anything security critical they find in the code.
  4. Conduct a professional audit. The real dream of this project is to see the entire codebase receive a professional audit from one of the few security evaluation companies who are qualified to review crypto software. We're hoping to convince one of the stronger companies to donate some time and/or reduced rates. But good work doesn't come free, and that's why we're asking for help.

We don't expect any single person to do all of this. The exact balance of payouts from our collected fund is still TBD, but we will be formalizing it soon. We also want specialists and experts, and we also want people to donate their time wherever possible.

Relevant History/Past Work

Updates

Tues, Jan 21, 2014: In case you missed it on Twitter, Matthew posted an update on the audit, including news that we have formed a non-profit organization (soon to be a 501(c)(3)), assembled an amazing group of technical advisors, and thanks to your incredible support, we have engaged with one of the top security groups in the world, iSec Research Lab, to help us assess large portions of the Windows software and bootloader code. And thanks to a matching donation by the Open Technology Fund the iSec team will be able to dedicate 5-6 weeks of full time analysis, beginning today.

In addition, we are working with our technical advisory board to work out the complete roadmap including the details of a bug bounty program, possible academic partnerships/contests, and of course the public coordination with security researchers around the world. Legal and licensing reviews are underway as well.

For folks backing the IndieGoGo campaign, the ever important t-shirt question: “When will I get the goods?” Very soon. We underestimated the amount of hoops we'd have to jump through to ship stickers, t-shirts and DVDs, but everyone who was promised a perk will get them! :-)

Sat, Dec 21, 2013 (via IndieGogo): Hello everyone!

First, a heartfelt thank you for your amazing support—the campaign has been more successful than we ever imagined, with nearly 1,300 generous contributors around the world.

Please accept our apologies for the delay; we've been *very* busy behind the scenes. Among other things, we've assembled some of the best minds in security & cryptography and are working hard on a full roadmap.

We'll be in touch with everyone shortly regarding perks & more updates.

Warmly,
Kenn and Matt.

Wed, Oct 24, 2013: We have made contact with the TrueCrypt development team. They have stated a commitment to a thorough, independent security audit and cryptanalysis of the code. They did ask that we remind the community (and fellow researchers) of the TrueCrypt security model, and related caveats of what the software does and does not guarantee to do.

In other news, we are working very hard on a complete detailed project roadmap, and have begun consulting with some of the most respected security professionals in the world, including cryptographers, security engineers and legal experts for advice and guidance. As we have said, this project will require many, many talented people from our community to be successful. This effort includes a fresh license review and legal analysis, and we are coordinating with leaders from the major open software foundations. On the fundraising, we continue to be humbled and touched by the overwhelming response from people all over the world. To date, we have had over 1,000 contributors pledging more than $53,000 to the campaign! This site alone has received over 200,000 visits from 140+ countries in the past 3 days. We have several big announcements about the organizational and legal structure of the project, and hope to have specifics to share by the end of this week.

Press coverage: Several media outlets have picked up the story about our project this week, including: The Economist, Infoworld, Threatpost, and Ars Technica. Dennis Fisher and Mike Mimoso from Threatpost also put up a podcast discussing the project. Lastly, two new links were added to the History section (above), one on the Tor project's work on deterministic builds, and the second, a rare 2005 interview with a core member of the TrueCrypt development team. For those who have asked, we are making inroads into a more complete history and provenance of the TrueCrypt software, and will publishing them soon.
—KW

Thursday, Oct 17, 2013: Wow! What an amazing couple of days. As of 2:15 EST today, we have raised over $36,000! Support has poured in from over 130 countries and hundreds of thousands of people have visited the site. Thank you so much to everyone who has been part of this project. Lastly, for those offering time & expertise, please reach out to us on Twitter, or contact us through the Comments section of IndieGoGo (publicly or privately). You can leave feedback on FundFill as well (bottom of the page - click "Show Pledges and Comments").

Monday, Oct 14, 2013: We're launching an additional crowdfunding Project site later this week on IndieGoGo, with global support and adding some fun perks for supporters.

Sunday, Oct 13, 2013: FundFill has notified us that they will be piloting a Bitcoin payment mechanism in the coming days. Thanks for supporting us on our FundFill site—still going strong!

Friday, Oct 11, 2013: We are working out the kinks on FundFill & researching alternative fund sites for specific sub-projects. More announcements soon.

Colophon

Project created by Kenneth White and Matthew Green, inspired by Twitter conversations with the grugq and Eleanor Saitta. We welcome expert support, constructive criticism, and financial donations. Follow discussions on Twitter at #IsTrueCryptAuditedYet. Please direct e-mail inquiries to: admin(at)opencryptoaudit[dot]org.

Top