Researchers used their spare time to work on the project

Feb 20, 2015 14:42 GMT

The security audit project initiated in 2013 for TrueCrypt, a highly popular encryption program, ground to a halt when the developer(s) of the program decided to discontinue development, but it is scheduled to be resumed in the near future.

For a long time, TrueCrypt has been the go-to disk encryption solution for professionals and average users alike, but its maintainer(s), whose identity is shrouded in mystery, abandoned it in May 2014, leaving a simple message on the program’s web page: “Using TrueCrypt is not secure as it may contain unfixed security issues.”

This came at a time when Edward Snowden’s revelations about NSA’s spying activity captured the attention of the world through leaked documents published by news media.

Pulling the plug on TrueCrypt impacted the audit work

Matthew Green, a cryptography professor, and security researcher Kenneth White had already engaged in an audit of the application which was funded by donations that surpassed the $70,000 / €62,000 mark.

When TrueCrypt development stopped, Green and White had already contracted iSEC Partners to check the bootloader and parts of the program that could be susceptible to vulnerabilities.

That was only the first part of the audit, which was then put on hold until the right way to proceed could be found.

“However in the wake of TC pulling the plug, there were questions. Was this a good use of folks' time and resources? What about applying those resources to the new 'Truecrypt forks' that have sprung up (or are being developed?),” Green explains in a blog post.

No exact date has been set

After a while, the two researchers decided to continue with the second part of the audit, which consists of a deep check of TrueCrypt’s cryptographic mechanisms, including the symmetric encryption and the random number generator.

At the moment, a team of consultants from iSEC Partners, Matasano and Intrepidus Group has formed Cryptography Services, part of NCC Group, and has been contracted for the second part of the audit. They will look at TrueCrypt 7.1, the last stable version available.

Green announces in a blog post that the evaluation “will begin shortly,” although the start date is a flexible one in order to make the most out of the user donations.

During the hiatus between the two stages of the audit, the two researchers inspected some portions of the program’s code (the random number generator and some aspects of the cryptographic implementation); this work is expected to complement the NCC/iSEC work, Green says.