TrueCrypt is open source and verifiable, but until someone actually does the verification, recent events have taught us to be skeptical.
TrueCrypt is easily the most popular and highly regarded encryption program there is. TrueCrypt is capable of encrypting complete drives, partitions, folders, or individual files. Somewhat ironically, TrueCrypt is also well known for its ability to hide data in plain sight.
Along those lines, it is interesting to note that all of the TrueCrypt developers have remained anonymous, with all communications going through the TrueCrypt Foundation. I did find a 2005 interview, supposedly with one of the developers, code-named Ennead.
Recommended by experts
Cryptography experts' willingness to recommend TrueCrypt is in part due to TrueCrypt software being open source, meaning it’s reviewable. This is something that’s happening all the time according to the TrueCrypt FAQ web page:
"In fact, the source code is constantly being reviewed by many independent researchers and users. We know this because many bugs and several security issues have been discovered by independent researchers while reviewing the source code."
But most people do not download the source code, and then compile it. They install TrueCrypt using one of the executable files. And that’s when the validity of the software becomes questionable. The FAQ web page mentions one way to verify that the downloaded files are compiled from the advertised source code:
"In addition to reviewing the source code, independent researchers can compile the source code and compare the resulting executable files with the official ones. They may find some differences (for example, time stamps or embedded digital signatures) but they can analyze the differences and verify that they do not form malicious code."
Unfortunately, I’m unable to find any documented evidence of this having been done. After downloading the source code, I can see why. It was almost two MB of data. Reverse engineering a program that complex cannot be simple.
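One way to automate the comparison the FAQ describes for a Windows executable, as an added example (not TrueCrypt's code or the audit project's): blank the time stamp, header checksum and embedded signature, then list what still differs. The function names and the sample bytes are constructed for illustration.

```python
import struct

def normalize_pe(data: bytes) -> bytes:
    """Blank the PE fields that legitimately differ between two builds."""
    buf = bytearray(data)
    pe = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                        # optional header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    sec_dir = opt + (96 if magic == 0x10B else 112) + 4 * 8
    cert_off, cert_len = struct.unpack_from("<II", buf, sec_dir)
    struct.pack_into("<I", buf, pe + 8, 0)               # build time stamp
    struct.pack_into("<I", buf, opt + 64, 0)             # header checksum
    struct.pack_into("<II", buf, sec_dir, 0, 0)          # signature pointer
    if cert_len and cert_off + cert_len <= len(buf):
        del buf[cert_off:cert_off + cert_len]            # embedded signature
    return bytes(buf)

def unexplained_diffs(official: bytes, rebuilt: bytes):
    """Return byte offsets that still differ after normalizing both files."""
    a, b = normalize_pe(official), normalize_pe(rebuilt)
    return [i for i in range(max(len(a), len(b))) if a[i:i + 1] != b[i:i + 1]]

def sample_pe(stamp: int, code: bytes = b"\x90" * 16, cert: bytes = b"") -> bytes:
    """Constructed PE32-shaped header plus 16 'code' bytes; not a real binary."""
    buf = bytearray(0x200)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    struct.pack_into("<I", buf, 0x88, stamp)             # TimeDateStamp
    struct.pack_into("<H", buf, 0x98, 0x10B)             # PE32 magic
    buf[0x1F0:0x200] = code
    if cert:
        struct.pack_into("<II", buf, 0x118, len(buf), len(cert))
    return bytes(buf) + cert

if __name__ == "__main__":
    official = sample_pe(0x52000000, cert=b"CONSTRUCTED-SIG!")
    print(unexplained_diffs(official, sample_pe(0x52999999)))
    print(unexplained_diffs(official, sample_pe(0x52999999, b"\x90" * 15 + b"\xcc")))
```

Every offset it reports is a difference that the time stamp and signature do not account for, which is the part an auditor still has to analyze by hand.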
Up until recently, this has not been an overly pressing issue with encryption experts. But that changed when Mr. Snowden released information about the NSA Bullrun program:
"Documents show that the NSA has been waging a war against encryption using a battery of methods that include working with industry to weaken encryption standards, making design changes to cryptographic software, and pushing international encryption standards it knows it can break."
Bruce Schneier, in this blog, affirms the New York Times claim:
“Defending against these attacks is difficult. We know from subliminal channel and kleptography research that it's pretty much impossible to guarantee that a complex piece of software isn't leaking secret information. We know from Ken Thompson's famous talk on ‘trusting trust’ that you can never be totally sure if there's a security flaw in your software.”
Cryptographers, a nervous bunch to begin with, finally had enough. Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, Principal Scientist at Social & Scientific Systems, decided to audit the executable files derived from the current version (7.1a) of TrueCrypt source code, and complete the following:
- Create a verified independent version control history of the TrueCrypt source and executable code.
- Document the building of executable files from the source code for the various advertised operating systems.
- Conduct an audit (security and cryptanalysis) of the programs.
On their website istruecryptauditedyet.com, the gentlemen mention, "Many of our concerns with TrueCrypt could go away if we knew the binaries (executable files) were compiled from source." They also want to eliminate any concern that TrueCrypt has been compromised, most notably with a backdoor.
"The real dream of this project is to see the entire code base receive a professional audit from one of the few security evaluation companies who are qualified to review crypto software."
As you can well imagine, this kind of undertaking is not cheap. Green and White came up with a novel idea: use crowd sourcing to finance the project. It seems to be working, having raised 50,000 dollars since October 14. Donations are still being accepted at FundFill and IndieGoGo.