
A public TrueCrypt Audit - cpach
http://www.fundfill.com/fund/4-spzFJdDQk211KJDAUfcOw==#
======
jimrandomh
Yes, this is definitely needed. There are two angles to investigate: checking
the cryptography itself for mistakes, assuming good faith; and checking the
packages for backdoors, if this is questioned. Given that the TrueCrypt
developers are anonymous, both are required. I won't get much into the former
- but I've thought a bit about the TrueCrypt foundation, and when I looked
into it (not in great depth), it looked odd to me, so I gave some thought to
where back doors would be located, if there were any.

If TrueCrypt is back-doored, the backdoors are likely only present in the
binaries offered for download on truecrypt.org, not in the source code, where
they would be more easily found. A cross-check of important routines might be
informative. A back door would take one of two forms: either it'd smuggle a
copy of the key somewhere, or it'd lower the key's entropy enough to be
crackable. The former would be discovered by simple disk-space accounting, so
it is probably not the strategy used. Reducing the key entropy would make any
volume decryptable if it was first initialized by a backdoored copy of
Truecrypt, while retaining compatibility with non-backdoored copies; so likely
places are in the key-generation, or in the random number generator that feeds
it.

Also noteworthy: the download links all work by POSTing to /dl, then being
redirected. The Windows download link for me went to
[http://www.truecrypt.org/download/transient/e2ec88b9b7dfb3a8...](http://www.truecrypt.org/download/transient/e2ec88b9b7dfb3a8fee9/TrueCrypt%20Setup%207.1a.exe),
and it's not clear what that big hash is doing there - other operating systems
use a different URL scheme (without the /transient/10bytes component). Their
web server might occasionally give different binaries to people it doesn't
like. All the downloads are over http, not https (except for signatures); and
their site responds to https in a very odd way, responding with a valid
certificate but always redirecting to non-https.

~~~
pbsd
> not in the source code, where they would be more easily found.

Why do you say that? Compiling the source with the same compiler and flags,
plus diffing the binaries would quickly show where the differences lie, and if
they're hostile. Any half-decent reverse engineer could do this.

That would stand out more than if the source itself was backdoored in a
non-glaring way. Open source has taught us that nobody ever reads the source.

~~~
NateLawson
Yes, that is correct. I founded SourceDNA.com as a way of automating this kind
of analysis. We match components found in binaries in order to identify
unlicensed use of third-party code, as well as security patches.

Tools like bindiff have been around for years and take advantage of the fact
that compilers don't randomize code generation. Instead, the callgraph and
control-flow graphs largely reflect the structure of the original source code.
Once you have leverage by exact-matching the parts of the binary that are
nearly identical, you can build up and down the tree of nodes to find those
that have more changes.

Crypto backdoors can be unbelievably subtle though. A single branch condition,
a bit that is flipped, etc. can all lead to catastrophic failures. For
example, a compiler optimization for dead code elimination led to some
zeroization of key material being skipped. This kind of thing is extremely
difficult to find and requires a careful understanding of the underlying code.

I agree with you that most differences can be found, but understanding the
ramifications of those differences requires extremely careful analysis. A
crypto flaw does not stand out from a mis-optimization.

~~~
foobarbazqux
> a compiler optimization for dead code elimination led to some zeroization of
> key material being skipped.

That sounds like a pretty broken compiler, do you have a minimal example?

~~~
tedunangst

      void
      encrypt(void *data, size_t len, char *password)
      {
        char key[32];
    
        turn_password_into_key(password, key, sizeof key);
        aes_make_encrypted(data, len, key);
    
        memset(key, 0, sizeof key); /* optimized away */
      }
    

The compiler knows what memset does. It also knows that stack variables have
no use after the function returns. Therefore, the compiler knows there is no
reason to write zeroes to this memory, because the program will never read
those zeroes. Hence, the compiler will delete the call to memset.

~~~
kingkilr
This is what memset_s is for.
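
Added example, not part of the thread and not code from any commenter or from TrueCrypt: the encrypt() pattern from the comment above with the key wipe made non-removable, using memset_s where the C library provides it and volatile stores plus a compiler barrier otherwise. The names secure_wipe, toy_kdf, xor_cipher, all_zero and encrypt_buf are assumptions for illustration; the KDF and cipher are constructed stand-ins, not real cryptography.

```c
/* Added example: toy_kdf and xor_cipher are constructed stand-ins, not real crypto. */
#define __STDC_WANT_LIB_EXT1__ 1   /* ask for Annex K memset_s where the libc has it */
#include <stddef.h>
#include <string.h>

/* Zero a buffer in a way the optimizer may not treat as a dead store. */
static void secure_wipe(void *buf, size_t len)
{
#ifdef __STDC_LIB_EXT1__
    memset_s(buf, len, 0, len);              /* Annex K: the call may not be elided */
#else
    volatile unsigned char *p = buf;         /* volatile stores must be performed */
    while (len--)
        *p++ = 0;
#endif
#if defined(__GNUC__) || defined(__clang__)
    /* Compiler barrier: the buffer is treated as read after the wipe. */
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* Stand-in for turn_password_into_key(); NOT a real KDF. */
static void toy_kdf(const char *password, unsigned char *key, size_t keylen)
{
    size_t plen = strlen(password);
    for (size_t i = 0; i < keylen; i++) {
        unsigned char c = plen ? (unsigned char)password[i % plen] : 0;
        key[i] = (unsigned char)(c * 31u + i * 7u + 1u);
    }
}

/* Stand-in for aes_make_encrypted(); XOR is NOT a real cipher. */
static void xor_cipher(unsigned char *data, size_t len,
                       const unsigned char *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        data[i] ^= key[i % keylen];
}

/* Returns 1 if every byte is zero. */
static int all_zero(const unsigned char *p, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= p[i];
    return acc == 0;
}

/* The function from the comment above, with the wipe made non-removable. */
static void encrypt_buf(unsigned char *data, size_t len, const char *password)
{
    unsigned char key[32];

    toy_kdf(password, key, sizeof key);
    xor_cipher(data, len, key, sizeof key);
    secure_wipe(key, sizeof key);            /* not removable as a dead store */
}

int main(void)
{
    unsigned char msg[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    encrypt_buf(msg, sizeof msg, "hunter2");
    return all_zero(msg, sizeof msg);        /* 0: ciphertext is not all zeros */
}
```

To confirm the effect on a given toolchain, compile with optimization enabled and inspect the disassembly of encrypt_buf: the zeroing stores into key should still be present before the return.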

~~~
MacsHeadroom
So what we have here is the potential for a backdoor caused by a 2 character
difference in code.

Backdoors in source can be as simple as changing a single == to = or removing
a minus sign in some seemingly innocuous place.

------
tptacek
Matthew Green is the real deal. Truecrypt is extremely popular and not already
well assessed. If you're wondering whether this could be helpful for ensuring
end-user privacy, the answer is yes.

I couldn't make any pledge input work (just kept getting errors) but I'm
matching Matthew Green's own pledge.

~~~
d0ne
Until the pledge system is fixed we (Ionic Security) will pledge here. To get
this ball moving a bit faster we pledge $10,000 USD.

Email in profile for confirmation.

~~~
mrgreenfur
As a TrueCrypt user, thank you!

------
GrinningFool
I'm a little confused. This link takes me to a fund to "help us find stephen
martin's killer". Which is itself a duplicate of another fund on the same
site. Searching google for: truecrypt audit fundfill ... provides a link that
is _titled_ "Fund: A public TrueCrypt Audit - Fundfill", but takes me to the
same Stephen Martin page as well.

Is fundfill broken? (and if so, should I trust it with money?) Or is there a
secret decoder ring that I'm missing?

[edit] On further digging, I'm going to say "no, I should not trust it with
my money". The 'funds' are a mix of 2/3 year old and current requests, mostly
people asking for money in a kickstarter-like fashion, as opposed to the
bounty system that appears to be the intent.

The site has various issues, and while their twitter account is active the
whole thing just has an air of not-something-I'd-trust about it.

/opinion

[edit 2]

Come to think of it, wouldn't kickstarter or something similar be better? Get
an estimate for the work and start a fund to get it done?

~~~
jbalfantz
I'm the owner of fundfill, and yes, there is an issue with the site. We're
working feverishly to get the issue resolved. It is preventing money from
actually appearing in the fund. I'd ask anyone interested to register with the
site, and I'll email everyone once this is working. We're in a pre-startup
phase, so I can only beg your patience with this bug. Would a Bitcoin account
satisfy any lingering doubts? If so, I'll set it up as soon as possible.
Again, my apologies for the problems with the site - this is the most traffic
we've had. You can contact me at jbalfantz [insert symbol here] fundfill. Or
twitter @joebalfantz / @fundfill

~~~
jbalfantz
FWIW, the issues with pledging and redirection have been fixed since
yesterday. We're up to $2500 towards the TrueCrypt audit, as well.

------
mhogomchungu
In the FOSS world, there exist FOSS solutions that work with truecrypt
formatted encrypted volumes.

tcplay[1] is a BSD licensed CLI tool that can be used to create and open
truecrypt volumes.

cryptsetup[2] is a GPL licensed CLI tool that can be used to open truecrypt
volumes.

zuluCrypt[3] is a GPL licensed CLI and GUI tool that can be used to open and
create truecrypt volumes.

arch linux users can get zuluCrypt from [4]

[1] [https://github.com/bwalex/tc-play](https://github.com/bwalex/tc-play)

[2] [http://code.google.com/p/cryptsetup/](http://code.google.com/p/cryptsetup/)

[3] [http://code.google.com/p/zulucrypt/](http://code.google.com/p/zulucrypt/)

[4] [https://aur.archlinux.org/packages/zulucrypt/](https://aur.archlinux.org/packages/zulucrypt/)

~~~
j_s
Perhaps the funds should go into improving and auditing these projects?

~~~
mhogomchungu
There is nothing special about truecrypt formatted encrypted volume. The only
thing interesting is the format of the header used to store information about
the properties used to create the volume and necessary to open it.

cryptsetup is a front end to dm-crypt, an infrastructure in linux kernel that
deals with block device encryption. cryptsetup just parses truecrypt header for
volume properties, the hard crypto stuff is done by the kernel.

tcplay does the same thing, it just parses the truecrypt volume header and the
hard lifting is done by linux kernel in linux and BSD kernel in BSD systems.

In both projects, the crypto stuff is done either by crypto routines in
kernels or by libgcrypt or openssl.

zuluCrypt is just a front end to the two projects above.

None of these projects do crypto stuff themselves.

It should be possible and to some, "trivial" for windows or OSX tools that deal
with block device encryption to support truecrypt format. I think this will be
a better use of the resources.

------
andrewcooke
[edit: as pointed out in comments, the link below is now going to a different
fund. as is the original link. wtf?!]

should the link be changed to
[http://fundfill.com/fund/TrueCryptAudited](http://fundfill.com/fund/TrueCryptAudited)
? NO - SEE EDIT ABOVE

it's not clear what this link is, but the page requests using the link above
for public sharing. it might possibly be the source of errors people are
having donating...

~~~
jbalfantz
This problem was fixed yesterday with the site. Please try the link again.
We're in a pre-startup phase and that was the most traffic we had. However, we
were able to fix these issues within an hour of identifying each root cause
(the different metadata on the fund and the pledging issue). Details of the
problems can be found here:
jbalfantz.wordpress.com/2013/10/10/what-happens-when-you-break-your-sites-daily-usage-record-by-10x/
I hope that anyone
interested in opening up the curtain in front of TrueCrypt will visit the site
again - I offer my apologies to everyone who had a lousy experience.

------
Zarathust
The page links to "Help us find Stephen Martin's killer - Bay to Breakers
assault". I fail to see any TrueCrypt information in there

~~~
eps
Somebody hacked the page, just now. I still have the original opened in
another tab.

~~~
Perseids
I don't think it's hacked. I got them the other way around: First Martin's
Killer and then the TrueCrypt Review.

My guess is that their software is severely broken.

------
enscr
TrueCrypt is an awesome product and the value-add from a thorough, independent
audit would be immense. I use it in conjunction with Dropbox to add my own
security layer. Dropbox only uploads the delta changes in a truecrypt
container even though it's encrypted. I don't have to worry about bugs like
these: [http://techcrunch.com/2011/06/20/dropbox-security-bug-made-p...](http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/)
which can exist with 2FA too. I'd love to
have a heightened sense of trust in TC if it's independently reviewed.

I'm curious why didn't this go up on kickstarter?

~~~
jcdavis
The delta changes on a modified truecrypt volume are basically the whole file.
Still acceptable for smaller volumes generally though

~~~
nknighthb
No, it's not. Disk encryption products like TrueCrypt do not have the
properties you expect from ordinary file encryption. Only a subset of blocks
are modified. It's a tradeoff, but it's the only way to make disk encryption
practical.

[http://en.wikipedia.org/wiki/Disk_encryption_theory](http://en.wikipedia.org/wiki/Disk_encryption_theory)

------
thex86
Just a simple question, leaving aside everything else: why in 2013 there is no
public repository for TrueCrypt? How hard is it to have a public repository or
at least a detailed change log of the changes they make between releases? How
hard really?

~~~
nilved
It's not, that's why it's suspicious. Moreover, nobody has been able to
replicate the binary blobs they post for download from source.

------
d0ne
To anyone from Fundfill.com: I've tried pledging and authenticating via FB
connect in both FF and Chrome with errors rendered with every attempt. The
login screen hangs (stays visible) and yet the upper right says I'm logged in.

In either case, I'm unable to pledge using FB connect. Please advise.

~~~
jbalfantz
Would you please contact me via twitter (@joebalfantz or @fundfill) or email?
I'd like to discuss your issues and your potential pledge. Kenn and Matt have
been working very hard to get the draft for the TrueCrypt proposal ready, and
I've been tracking down issues for the site and handling the website. We
pushed another version 10 minutes ago that fixed some of the pledging issues,
so if you're able to try again, please do so.

------
jbalfantz
UPDATE: All the major bugs found today have been fixed. Pledging to this fund
should not be an issue anymore. We encourage anyone interested in helping move
this project along to pledge $50 or $100. We have one pledge of $500 and
another one on the way.

------
bennyg
Fundfill is sending us the metadata of this page:
[http://www.fundfill.com/fund/U81L-pd41x0OSJ6B6AXbKYg%3d%3d](http://www.fundfill.com/fund/U81L-pd41x0OSJ6B6AXbKYg%3d%3d)

instead of the accurate one. Just letting you guys/gals know in case you were
extremely confused like I was for a couple minutes.

~~~
jbalfantz
This has been fixed. Please check the link again.

------
wintersFright
I've been half expecting for truecrypt to be revealed as an NSA funded
honeypot. I still use it myself to secure against petty criminals.

~~~
lrem
Only half? I never found another logical explanation for how it's sustained.
But, as we know from the news, FBI does not have the keys to its back door
for even high profile cases. So it's probably really for national security
level-stuff... Or held by some other nation.

~~~
kamjam
Good point. What if we find out that it's someone like the Syrian Electronic
Army that developed this and has now backdoored everyone! Could we have
reasonably expected an announcement from the government telling us as such?

------
danso
OK, what the hell? The OP link is now redirecting to something about finding
someone's killer. I'm not opposed to that cause, but how exactly did that link
get jacked? Was it on FundFill's side? That entire site looks like a spam site
with very few entries:
[http://www.fundfill.com/funds](http://www.fundfill.com/funds)

Not sure why this site would be used instead of IndieGogo

~~~
jbalfantz
My apologies. The killer fund issue has been dealt with, and we're tackling
another issue that has been preventing some pledges from going through. I
understand the rationale to look at other sites that do crowdfunding. Fundfill
is specifically focused on rewards and bounties, and therefore doesn't have a
particular person who will automatically win the money, as kickstarter and
indiegogo would. This is designed to encourage the auditing of TrueCrypt.
All problems with this have been on Fundfill's side, and the lack of previous
funds is because we are currently in a pre-startup phase. I understand the
concern about using a site that doesn't have thousands of users on a regular
basis, but I ask your patience as today's experience is already improving the
site for future use.

~~~
danso
Sorry for the technical glitches. I'm too cynical, I guess: my first thought
was that someone took advantage of the traffic spike and unilaterally directed
it to a worthy cause.

~~~
jbalfantz
Trust me, I understand the cynicism, and we deserve every critical comment we
received here. The good news is we can only get better. :) After the
experience of Arturas and the iphone touchid fake $10k pledge, we all have to
be on alert when money and publicity are involved.

------
egsec
Nothing says security like a site with passwords, payments, and no TLS

Also says PayPal and then links out via Stripe.

Interested, but not the site for this.

~~~
jbalfantz
We recently switched over from Paypal to Stripe, due to Paypal's increasingly
destructive behavior wrt integrating into a website. Thanks for pointing out
the Paypal text, I was able to fix that this morning. Also, we added SSL this
morning. There's an insecure image on the page right now giving Chrome
browsers a problem but we're addressing that atm. egsec, I'd like you to come
give the site another try. If not, please contact me on twitter - @joebalfantz
- and we can discuss other, and potentially more transparent, means of
pledging.

------
nullc
Why not save the auditing for things without crappy non-OSI licenses?

------
dmix
I'd rather donate to a new open source alternative to Truecrypt with a focus
on good UI/UX.

~~~
sliverstorm
What you're getting at is that in your cryptography tools, UI/UX is more
important than the efficacy of the cryptography?

~~~
dmix
What ancarda said.

Truecrypt's UI/UX sucks at the moment. I'd love an alternative. I just
discovered the CLI interface mentioned in another thread, which I intend to
use over their GUI going forward.

~~~
insertnickname
How does it suck?

------
gbl08ma
The initiative is honorable, but I think this was a really bad choice of
website to host the pledge. The copyright message on the footer is from last
year, which may explain why many things seem broken or unfinished, as well as
the errors other people here are reporting to be getting.

Perhaps the submission link should have been of the far more insightful
website [http://istruecryptauditedyet.com/](http://istruecryptauditedyet.com/)
?

------
nilved
I like the idea of auditing TrueCrypt, but I don't see the rationale. Spend
the time having everyone transition to GPG (or similar.) TrueCrypt will never
be secure.

~~~
kylemaxwell
On what do you base that latter assertion?

~~~
nilved
Bin blobs, no dev accountability, no community input.

------
WizzleKake
Found this interesting thread:
[http://forums.truecrypt.org/viewtopic.php?t=28782&postdays=0...](http://forums.truecrypt.org/viewtopic.php?t=28782&postdays=0&postorder=asc)

Someone in that thread quotes this paper:
[https://www.privacy-cd.org/downloads/truecrypt_7.0a-analysis...](https://www.privacy-cd.org/downloads/truecrypt_7.0a-analysis-en.pdf)

~~~
acqq
Interesting, from the document: "As remarked in this table the Windows version
of TrueCrypt 7.0a deviates from the Linux version in that it fills the last
65024 bytes of the header with random values whereas the Linux version fills
this with encrypted zero bytes. From the point of view of a security analysis
the behavior of the Windows version is problematic. By an analysis of the
decrypted header data it can't be distinguished whether these are indeed
random values or a second encryption of the master and XTS key with a back
door password. From the analysis of the source code we could preclude that
this is a back door. For the readability of the source code this duplication
of code which does the same thing in slightly different ways was however a
great impediment. It certainly must also hamper the maintainability of the
code."

------
ris
My general rule of thumb is: don't trust a cryptography tool that has a catchy
name. TrueCrypt has always creeped me out for that reason. Or maybe it's the
idea of a "downloadable" filesystem (ok it's not technically a filesystem)
driver that thinks it can run on more than one operating system and still do a
good job of it.

I've never seen what's wrong with dm-crypt. It just works, and is mostly
transparent.

------
ctb_mg
So what crypto software HAS been sufficiently audited, and who audited them?
Can we call upon them to audit TC as well?

------
yeukhon
Cryptanalysis IMO is an on-going process and it needs to be done at every
version. The funding will not last. True we need the first analysis, but who
is there to fund the 2nd, 3rd, 4th, etc?

 _edit_

I am not shooting down. Just thought we have to be explicit that this is not a
one time thing. I do think once it is verified and studied, and people like
it, the contribution will continue to come. We might be able to build new
products out of truecrypt.

~~~
munin
in theory, it doesn't need to be. you could formalize the definition of the
TrueCrypt cryptographic protocol in cryptol[1] and then have a checker run as
part of unit tests that verifies the source code is still a faithful
implementation of the protocol...

1: [http://corp.galois.com/cryptol/](http://corp.galois.com/cryptol/)

~~~
yeukhon
I am not familiar with this, but an implementation flaw or bug could be an
intentional backdoor. Can we automate checking process? That probably requires
humans to audit the source code.

How big is TrueCrypt and how many contributions does it get? Certainly Linux
kernel is so big and gets so many patches a day that even changeset analysis
can be hard.

------
deanclatworthy
After reading through the comments in this thread, it seems as if Truecrypt
cannot be trusted at this time. So what options do we have across different
platforms that are open source, regularly publicly audited and the download
binaries can be verified as being backdoor-free?

I should note that I'm on Windows as my home machine, so I'm personally most
interested in that.

------
JosephHatfield
Donated to the TrueCrypt project once and never heard anything from them even
after sending a followup email. Thought the project had died.

------
adekok
The link appears to go to "Help us find Stephen Martin's killer - Bay to
Breakers assault"

Chrome, OSX.

------
Groxx
"Help us find Stephen Martin's killer - Bay to Breakers assault"

Is the link not stable or something?

~~~
jbalfantz
This has been fixed. Apologies from me and my partner.

------
datakid
For those wondering - the site is back up and working.

------
tudorconstantin
NSA bait?

------
hannibal5
There could also be a bounty for finding a backdoor or weakness in Truecrypt.

