
NSA spying prompts open TrueCrypt encryption software audit to go viral

Jaikumar Vijayan | Nov. 8, 2013
Concerns over NSA tampering provoke a wide crowdsourcing response from the security community

Going forward, the effort will be to do a thorough legal review of the open source license under which TrueCrypt is being made available, White said.

The audit will include research on the history of the code, a formal cryptanalysis, a software security audit and a reproducible process for building the software. "Because the development team prefers to work anonymously and with limited communication to the outside, some of these tasks are more complex than is typical in reviews of this sort," White said.

"We have had brief contact with the TrueCrypt team, but were encouraged by their stated desire in welcoming an independent audit," White added.

The TrueCrypt security audit team is presently working with a few attorneys who specialize in privacy and security law, and also with experts in open source software licensing, he said.

After the project was announced, an independent researcher at Concordia University in Montreal published an analysis on the source code build process for the Windows version of TrueCrypt. "This is a crucial necessary step for a reproducible build," White said.

"We are still discussing the best strategy for the technical audit, which may include a combination of academic, private sector and fully open, public security research," he said.

The team is also reviewing two proposals for a commercial audit of the software by private firms with deep credentials in software security engineering, he added.

In addition, a highly respected group of technical advisers, including noted cryptographer Bruce Schneier, Moxie Marlinspike, former security director at Twitter, and staffers at the Electronic Frontier Foundation and the Tor Project, are working on a roadmap for the technical analysis.

The project's IndieGoGo crowdfunding campaign will continue through Dec. 13.

The bulk of the technical analysis will require another four to six weeks of full-time effort, which means the audit could be completed by February 2014. "This is complex multi-platform software comprised of over 70,000 lines of C, C++ and assembler code," White explained.

"In the next few days, we are rolling out an updated site which will include more about our organizing structure and the backgrounds of our technical advisory group which reads like a Who's Who of the security and privacy communities."
