CipherShed - TrueCrypt Getting a New Life
Organizations are loath to walk away from TrueCrypt because it is free, it is cross-platform and, perhaps most importantly, the code is available for inspection. Critically, the code is not just available: a security audit of it is under way. The eyeballs on the code are not merely theoretical but are there in practice, and they are professional eyeballs at that.
The first part of the code audit was completed in April: a source-code-assisted security assessment of the TrueCrypt bootloader and Windows kernel driver. No serious problems were found, although many issues were highlighted, including a lack of comments, use of insecure or deprecated functions and inconsistent variable types. The product is also nearly impossible to compile from source, which means the majority of users download pre-compiled binaries, with all the attendant security risks: a user who cannot build the program has no way to confirm that the binary they run matches the audited source, so the audit's assurance does not automatically extend to the executable actually installed.
A new Swiss TrueCrypt website that claims to be “the gathering place for all up-to-date information” on TrueCrypt has sprung up. The site is the home of a new project which is taking the TrueCrypt code forward and evolving it into a new application called CipherShed.
CipherShed will be released under a standard open-source license, although which one that should be has not yet been decided, Doekbrijder added.
What will CipherShed 1.0 be like? Will it add more features to the existing product? Doekbrijder said the new code will be faster and more secure, work with new operating systems like Windows 8, and also be backward compatible so it can open old TrueCrypt containers.
"But we are not thinking of adding functionality," he said. "It will be more about stripping functionality - removing old crypto modules that are not sound and so on. But when newer crypto algorithms come along, we will integrate them into the product."
Gartner’s Mario de Boer thinks the CipherShed approach is a sensible one. “I welcome a fork and continuing support for this open source solution refactoring code, patching bugs, fixing licensing and supporting new platforms for existing users,” he said.