A few weeks ago, after learning about the NSA’s efforts to undermine encryption software, I wrote a long post urging developers to re-examine our open source encryption software. Then I went off and got distracted by other things. Well, I’m still distracted by other things, but people like Kenn White have been getting organized. Today I’m proud to announce the result. It is my great pleasure to publicize (and belatedly kick off) an open project to audit the Truecrypt disk encryption tool. If you already know why this is important, by all means stop reading this post now. Go to the site and donate! It doesn’t have to be money, although that would be best. If you’re an information security professional/expert/hobbyist please consider giving us some of your time to help identify bugs in the software. In case you don’t see the reason for a Truecrypt audit, I’m going to devote the remainder of this post to convincing you how important it is. And who knows, maybe I’ll even convince you we can do more.

Why audit Truecrypt? In case you haven’t noticed, there’s a shortage of high-quality and usable encryption software out there. Truecrypt is an enormous deviation from this trend. It’s nice, it’s pretty, it’s remarkably usable. My non-technical lawyer friends have been known to use it from time to time, and that’s the best ‘usable security’ complement you can give a piece of software.

But the better answer is: because Truecrypt is important! Lots of people use it to store very sensitive information. That includes corporate secrets and private personal information. Bruce Schneier is even using it to store information on his personal air-gapped super-laptop, after he reviews leaked NSA documents. We should be sweating bullets about the security of a piece of software like this. So what’s wrong with Truecrypt? Maybe nothing at all. Rest assured if I knew of a specific problem with Truecrypt, this post would have a very different title — something with exclamation points and curse words and much wry humor. Let me be clear: I am not implying anything like this. Not even a little.

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what to trust anymore. We have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, makes a fantastic target for subversion. But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness‘. I would feel better if I knew who the TrueCrypt authors were. Now please don’t take this the wrong way: anonymity is not a crime. It’s possible the Truecrypt developers are magical security elves who are simply trying to protect their vital essence. More prosaically, perhaps they live in a country where privacy advocates aren’t as revered as they are in the US. (I kid.)

But anonymity isn’t the only thing that concerns me about Truecrypt. For one thing, the software does some damned funny things that should make any (correctly) paranoid person think twice. Here I will quote from the Ubuntu Privacy Group’s review of Truecrypt 7.0

[T]he Windows version of TrueCrypt 7.0a deviates from the Linux version in that it fills the last 65,024 bytes of the header with random values whereas the Linux version fills this with encrypted zero bytes. From the point of view of a security analysis the behavior of the Windows version is problematic. By an analysis of the decrypted header data it can’t be distinguished whether these are indeed random values or a second encryption of the master and XTR key with a back door password. From the analysis of the source we could preclude that this is a back door… As it can’t be ruled out that the published Windows executable of Truecrypt 7.0a is compiled from a different source code than the code published in “TrueCrypt_7.0a_Source.zip” we however can’t preclude that the binary Windows package uses the header bytes after the key for a back door.

Which of course tees up the most important concern: even if the Truecrypt source code is trustworthy, there’s no reason to believe that the binaries are. And many, many people only encounter Truecrypt as a Windows binary. In my very humble opinion that should worry you.

In short: there are numerous reasons we need to audit this software — and move its build process onto safe, deterministic footing.

What’s your plan?

The exact terms are still a work in progress, but our proposal breaks down into roughly four components:

License review. Truecrypt uses an odd, potentially non-FOSS license. We’d like to have it reviewed by a competent attorney to see how compatible it is with GPL and other OSS software. Implement deterministic/reproducible builds. Many of our concerns with Truecrypt could go away if we knew the binaries were compiled from source. Unfortunately it’s not realistic to ask every Windows user to compile Truecrypt themselves. Our proposal is to adapt the deterministic build process that Tor is now using, so we can know the binaries are safe and untampered. This is really a precondition to everything else. And it’s not an easy process. Pay out bug bounties. Not every developer has time or money to audit the entire source. But some have a little time. If we collect enough, we’d like to compensate bug hunters a little bit for anything security critical they find in the code. Conduct a professional audit. The real dream of this project is to see the entire codebase receive a professional audit from one of the few security evaluation companies who are qualified to review crypto software. We’re hoping to convince one of the stronger companies to donate some time and/or reduced rates. But good work doesn’t come free, and that’s why we’re asking for help.

We don’t expect any single person to do all of this. The exact balance of payouts from our collected fund is still TBD, but we will be formalizing it soon. We also want specialists and experts, and we also want people to donate their time wherever possible. We deserve better tools than what we have now. Done correctly, this project makes us all stronger. Aren’t you worried you’ll insult the Truecrypt developers? I sure hope not, since we’re all after the same thing. Remember, our goal isn’t to find some mythical back door in Truecrypt, but rather, to wipe away any doubt people have about the security of this tool.

But perhaps this will tick people off. And if you’re one of the developers and you find that you’re ticked, I’ll tell you exactly how to get back at us. Up your game. Beat us to the punch and make us all look like fools. We’ll thank you for it.

Wait, if we can do this for Truecrypt, couldn’t we do it for other software? And now you’ve seen the true promise of this plan. Help us make it work for Truecrypt. Then let’s talk.