Security experts who are crowd-funding a project to probe the file and disk encryption tool TrueCrypt for backdoors look set to reach their financial target.
The project “Is TrueCrypt Audited Yet?” launched on Monday and will attempt to put to rest lingering concerns over the popular encryption software with a public audit of the Windows, Linux and Mac OS X versions of TrueCrypt.
Since launching two fundraisers on Monday, the project has collected just under $35,000 -- $19,303 at the time of writing on IndieGoGo, where it aims to reach $25,000, and $15,191 at FundFill, which doesn’t list a target -- making the audit more likely to go ahead.
Calls to review TrueCrypt intensified after reports in early September that the US National Security Agency (NSA) had attempted to weaken encryption standards and had planted backdoors in encryption software.
In a statement on its website, TrueCrypt denies that it has implemented a backdoor in its software and says that TrueCrypt only allows decryption with the correct password or key.
But while TrueCrypt’s open source code can be reviewed by anyone, previous analyses of TrueCrypt’s Windows binary package haven’t been able to determine whether the binaries have been tampered with.
As Matthew Green, a cryptographer and research professor at Johns Hopkins University, put it, “even if the Truecrypt source code is trustworthy, there's no reason to believe that the binaries are.”
But the biggest concern for Green, one of two people behind the project, is that no one knows who wrote TrueCrypt.
The audit matters, Green adds, because people don’t have many options when it comes to disk encryption.
Security technologist Bruce Schneier used TrueCrypt to protect the files he received from NSA leaker Edward Snowden, which he stored on his air-gapped computer. And while a lot about TrueCrypt made him suspicious, he had fewer concerns with it than with the only other encryption alternatives for Windows -- Microsoft’s BitLocker and Symantec’s PGPDisk.
“I am more worried about large U.S. corporations being pressured by the NSA than I am about TrueCrypt,” he wrote.
Besides aiming to fund a full audit of TrueCrypt, the project plans to use the funds to pay out bug bounties and hire a lawyer to see if TrueCrypt’s v3.0 license really is free and open source. At the moment, the license prevents its inclusion in Ubuntu, Debian, RedHat, CentOS and Fedora, the project’s website notes.
The project will also borrow from Tor’s approach to ensuring the integrity of its binaries by implementing a “deterministic build” process where trusted binaries are verified by multiple builders.
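The check a deterministic build enables, and the gap Green describes between trustworthy source and unverifiable binaries, can be shown with a short script. This is an added illustration, not code from the audit project, Tor, or TrueCrypt: several independent builders each compile the same source revision and publish the SHA-256 of the result; if the build is truly deterministic they must all report the same hash, and the binary actually distributed to users must match it. The builder names, the "binary" byte strings and the reported hashes below are all constructed sample data.

```python
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a build artifact, hex-encoded (the value builders publish)."""
    return hashlib.sha256(data).hexdigest()


def verify_deterministic_build(published_binary: bytes,
                               builder_hashes: dict,
                               min_builders: int = 2) -> dict:
    """Compare a distributed binary against hashes from independent rebuilds.

    builder_hashes maps a builder name to the SHA-256 hex digest that builder
    obtained by compiling the agreed source revision. Any disagreement among
    builders means the build is not reproducible (or a builder is compromised)
    and the binary cannot be vouched for; a unanimous set of builders that does
    not match the published binary means the published binary was not produced
    from the reviewed source.
    """
    if len(builder_hashes) < min_builders:
        raise ValueError(f"need at least {min_builders} independent builders")

    published = sha256_hex(published_binary)
    counts = Counter(builder_hashes.values())
    consensus, _ = counts.most_common(1)[0]
    dissenting = sorted(name for name, h in builder_hashes.items() if h != consensus)

    if dissenting:
        verdict = "builders-disagree"
    elif published != consensus:
        verdict = "published-binary-mismatch"
    else:
        verdict = "verified"

    return {
        "published_hash": published,
        "consensus_hash": consensus,
        "agreeing": sorted(name for name in builder_hashes if name not in dissenting),
        "dissenting": dissenting,
        "verdict": verdict,
    }


# Constructed sample data: stands in for a compiled artifact, not a real binary.
GOOD_BINARY = b"constructed-sample-build rev=src-revision-placeholder"
TAMPERED_BINARY = GOOD_BINARY + b" (altered after build)"

# Three hypothetical builders who all rebuilt the same revision and got identical output.
HONEST_BUILDERS = {
    "builder-a": sha256_hex(GOOD_BINARY),
    "builder-b": sha256_hex(GOOD_BINARY),
    "builder-c": sha256_hex(GOOD_BINARY),
}

# Same, but one builder's toolchain produced a different artifact.
MIXED_BUILDERS = dict(HONEST_BUILDERS, **{"builder-c": sha256_hex(GOOD_BINARY + b"\x00")})


def demo() -> dict:
    """Run the three scenarios a release manager would want to distinguish."""
    return {
        "clean_release": verify_deterministic_build(GOOD_BINARY, HONEST_BUILDERS)["verdict"],
        "swapped_binary": verify_deterministic_build(TAMPERED_BINARY, HONEST_BUILDERS)["verdict"],
        "nondeterministic": verify_deterministic_build(GOOD_BINARY, MIXED_BUILDERS)["verdict"],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The script deliberately treats a single dissenting builder as a failure rather than taking a majority vote: the point of a deterministic build is that every honest rebuild is byte-for-byte identical, so any divergence is a signal to investigate the toolchain or the builder before trusting the release.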