The TrueCrypt Audit

People, businesses, and governments all over the world use TrueCrypt to protect their privacy. We need help making it better and more secure.
Kenneth White
Technology
Research Triangle, North Carolina
United States
2 Team Members

The TrueCrypt Audit Project

TrueCrypt (TC) is an open source file and disk encryption software package used by people all over the world, but no complete cryptanalysis has been performed on the software, and questions remain about differences between the Windows, Linux and Mac OS X versions. In addition, there has been no legal review of the current TrueCrypt License (v. 3.0), which has kept the software out of most free operating system distributions, including Ubuntu, Debian, Red Hat, CentOS and Fedora. We want to be able to trust it, but a fully audited, independently verified repository and software distribution would make us feel better about trusting our security to this software. We're pledging this money to sponsor a comprehensive public audit of TrueCrypt. Stay tuned, and follow #IsTrueCryptAuditedYet on Twitter.

Goals

  • Resolve license status on the current (v. 7.1a) TrueCrypt source code (license v. 3.0) copyright & distribution, in order to create a verified, independent version control history repository (signed source and binary)
  • Perform and document repeatable, deterministic builds of TC 7.1a from source code for current major operating systems:
    • Windows 7
    • Mac OS X (Lion 10.7 and Mountain Lion 10.8)
    • Ubuntu 12.04 LTS and 13.04, Red Hat 6.4, CentOS 6.4, Debian 7.1, Fedora 19
  • Conduct a public cryptanalysis and security audit of TC 7.1a

Rules

The exact terms are still a work in progress, but our proposal breaks down into roughly four components: 

  1. License review. TrueCrypt uses an odd, potentially non-FOSS license. We'd like to have it reviewed by a competent attorney to see how compatible it is with the GPL and other OSS licenses.
  2. Implement deterministic/reproducible builds. Many of our concerns with TrueCrypt could go away if we could verify that the distributed binaries were actually compiled from the published source. Unfortunately it's not realistic to ask every Windows user to compile TrueCrypt themselves. Our proposal is to adapt the Gitian-based deterministic build process that the Tor Project now uses for the Tor Browser Bundle, so that independent builders can reproduce the official binaries byte for byte and we can know they are untampered. This is really a precondition to everything else. And it's not an easy process.
  3. Pay out bug bounties. Not every developer has the time or money to audit the entire source. But some have a little time. If we collect enough, we'd like to compensate bug hunters a little bit for anything security-critical they find in the code.
  4. Conduct a professional audit. The real dream of this project is to see the entire codebase receive a professional audit from one of the few security evaluation companies that are qualified to review crypto software. We're hoping to convince one of the stronger companies to donate some time and/or work at reduced rates. But good work doesn't come free, and that's why we're asking for help.

We don't expect any single person to do all of this. The exact balance of payouts from the collected fund is still TBD, but we will be formalizing it soon. We want specialists and experts involved, and we want people to donate their time wherever possible.
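The payoff of deterministic builds is a check the user can run: several independent builders compile the same tagged source, each publishes the SHA-256 of the binary they got, and a downloaded binary is trusted only if it matches a quorum of those results. The script below is an added illustration of that acceptance check; it is not TrueCrypt code and not the Tor Project's Gitian tooling. Builder names, hashes and the "build outputs" are constructed for the example, and the signature that each builder puts on their result in the real Gitian flow is omitted. It also separates the two ways the check can fail, which call for different responses: builders disagreeing with each other (the build is not yet deterministic, or a builder is compromised) versus builders agreeing but the shipped binary differing (tampering, or a different source tree).

```python
# Added example (not TrueCrypt or Tor project code): quorum check over
# reproducible-build attestations. Builder names, hashes and the sample
# "binaries" are constructed; builder signatures are omitted.
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Verdict:
    ok: bool
    artifact_sha256: str
    agreeing: List[str]          # builders whose hash equals the artifact's
    dissenting: Dict[str, str]   # builder -> differing hash
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(artifact: bytes, attestations: Dict[str, str], quorum: int) -> Verdict:
    """Accept `artifact` only if at least `quorum` independent builders
    reproduced exactly this byte-for-byte output."""
    digest = sha256_hex(artifact)
    agreeing = sorted(b for b, h in attestations.items() if h == digest)
    dissenting = {b: h for b, h in attestations.items() if h != digest}
    if len(agreeing) >= quorum:
        return Verdict(True, digest, agreeing, dissenting,
                       "matches %d of %d independent builds"
                       % (len(agreeing), len(attestations)))
    # Two distinct failure modes that call for different responses.
    if len(set(attestations.values())) > 1:
        reason = ("builders disagree among themselves: the build is not yet "
                  "deterministic or a builder is compromised; fix that before "
                  "trusting any binary")
    else:
        reason = ("distributed binary does not match the reproducible build "
                  "output: tampered, or built from different source")
    return Verdict(False, digest, agreeing, dissenting, reason)


# --- constructed sample data -------------------------------------------
# Stand-in for a build output; in practice this is the downloaded installer.
CLEAN_BUILD = b"TrueCrypt 7.1a example build output\x00" + bytes(range(32))
# Same build with one byte changed, standing in for a tampered download.
TAMPERED_BUILD = CLEAN_BUILD[:-1] + b"\x90"
# Same source built on a machine that leaks a timestamp into the output.
TIMESTAMPED_BUILD = CLEAN_BUILD + b"built 2013-10-21T09:00:00Z"

ALL_AGREE = {
    "builder-a": sha256_hex(CLEAN_BUILD),
    "builder-b": sha256_hex(CLEAN_BUILD),
    "builder-c": sha256_hex(CLEAN_BUILD),
}
ONE_DISSENTS = dict(ALL_AGREE, **{"builder-c": sha256_hex(TIMESTAMPED_BUILD)})


def demo() -> Dict[str, Verdict]:
    """Run the three scenarios a verifier must tell apart."""
    return {
        "clean": verify_artifact(CLEAN_BUILD, ALL_AGREE, quorum=2),
        "tampered": verify_artifact(TAMPERED_BUILD, ALL_AGREE, quorum=2),
        "nondeterministic": verify_artifact(CLEAN_BUILD, ONE_DISSENTS, quorum=3),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:16} ok={v.ok} agreeing={v.agreeing} :: {v.reason}")
```

The quorum is the policy knob: with three builders and a quorum of two, a single builder whose environment leaks a timestamp does not block users, but it is still reported as dissenting so the project can chase down the non-determinism before it hides a real compromise.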

Pledging Perks

We think this is an important project on its own merits, but why not have a little fun with it too? Everyone who pledges will be recognized on our Wall of Appreciation (and find out a fun fact about prime numbers). Contributors pledging $25 or more will receive a cool TrueCrypt Audit Project sticker. Those pledging $50 and up will get an official TrueCrypt Audit t-shirt (see below for sizing & shipping). And finally, a limited number of DVDs of the movie Sneakers are available and will be signed by everyone on the Project team.

Update Oct 21: T-shirts are available in S, M, L, XL and XXL. We are checking on availability of Tall-3XL, but can't make any guarantees just yet. You can indicate your preferred size in a private comment message, but we will be reaching out to everyone who made a T-shirt perk pledge at the end of the campaign to confirm size and shipping. Also, shipping is included with your contribution at no additional cost.

Please note: We plan to distribute perks at Shmoocon in January for people who prefer not to provide a shipping address. We will do our best, but because of customs rules and logistics, we can only guarantee & track shipment to the following destinations/countries:

  • Australia
  • Austria
  • Belgium
  • Brazil
  • Canada
  • France
  • Germany
  • Japan
  • Netherlands
  • New Zealand
  • Portugal
  • South Korea
  • Spain
  • Sweden
  • Switzerland
  • UK
  • USA
  • APO/FPO (note: shipping to APO/FPO addresses is only available within the continental US and only without tracking information, on a best-effort basis; if tracking is desired, a physical address is required)


Updates

For the latest updates, see our Project page at: IsTrueCryptAuditedYet.com

Colophon

Project created by Kenn White and Matthew Green, inspired by Twitter conversations with the grugq and Eleanor Saitta. We welcome expert support, constructive criticism, and financial donations. Follow discussions on Twitter at #IsTrueCryptAuditedYet.


Enigma image graciously provided by Ruben Janssen, Creative Commons 2.0 license, © 2012. Thanks also to Matthew Inman, a great artist from whom we shamelessly borrowed for our perk list.  :-)

$46,420 USD raised by 1,296 people in 2 months (186% of the $25,000 USD goal)
Flexible Funding: this campaign has ended and will receive all funds raised.
This campaign ended on December 13, 2013.
Perks
  • $7USD
    Crypto loves prime numbers

    Seven is the largest single-digit prime number. If you donate $7, cryptographers will love you. If he were alive today, Marin Mersenne would love you too, and probably personally high-five you and compliment your haircut and/or mustache.

    321 claimed

  • $25USD
    Stickers!

    Contributors pledging $25 or more will receive an awesome TrueCrypt Audit Project sticker! See notes above about shipping.

    224 out of 500 claimed

    Estimated delivery: January 2014
  • $50USD
    Official Project T-shirt

    Contributors pledging $50 or more will receive all of the above, plus an awesome TrueCrypt Audit Project T-shirt! See notes above about shipping. Sizes: S, M, L, XL, XXL.

    187 claimed

    Estimated delivery: January 2014
  • $50USD
    Official Project T-shirt

    Contributors pledging $50 or more will receive all of the above, plus an awesome TrueCrypt Audit Project T-shirt! See notes above about shipping. Sizes: S, M, L, XL, XXL.

    185 out of 200 claimed

    Estimated delivery: January 2014
  • $100USD
    Signed Sneakers DVD

    Contributors pledging $100 or more will receive all of the above, plus special recognition and a personal thanks on Twitter by the Project team, plus a new DVD of the classic movie Sneakers signed by the whole Project team!

    56 out of 100 claimed

    Estimated delivery: January 2014