TrueCrypt: Its last bow
June 2016 update: Link repairs.
TrueCrypt is a discontinued free disk encryption utility for Windows, Mac, and Linux. It is a free and shared-source alternative to BitLocker, but is not restricted to the high-end editions of Windows and does not need a Trusted Platform Module (TPM).
TrueCrypt’s sudden end of life on 28 May 2014 became controversial, since, unlike most computer programs, TrueCrypt’s authors beheaded it with the release of version 7.2.
TrueCrypt can encrypt actual hard disk partitions or create encrypted virtual partitions. Its encryption strength is top-notch and its features far outmatch BitLocker’s, despite the fact that it does not support GPT partitions and does not use TPMs. The authors describe the product as “free and open-source”, but this description does not accurately match the OSF definition. According to OSF, an open-source product involves the public in development, which TrueCrypt does not; TrueCrypt is free and shared-source. Nevertheless, because it is free, its source code can be studied, audited and even used to make a derivative work. It seems the authors of this program, who call themselves “TrueCrypt Foundation”, have kept their identity a secret.
The Open Crypto Audit Project is currently performing a “comprehensive” cryptanalysis of TrueCrypt (analyzing its strengths and weaknesses and making sure there is no backdoor or security problem in it), and the first phase of their analysis is complete.
TrueCrypt Foundation rarely released more than one new version each year. But on 28 May 2014, something unprecedented happened: their website showed the following message:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
Accompanying the message were instructions on how to create virtual hard disks (VHDs) and encrypt them with BitLocker, as well as a newly released TrueCrypt 7.2, which could only decrypt but not encrypt.
That the message is badly written and mostly nonsense was easy to see: BitLocker and VHD support are only available on the most exotic editions of Windows and are far underfeatured in comparison to TrueCrypt, which is still needed on the other editions. Also, the message contradicts itself by stating two equally unlikely reasons for discontinuation: adherence to the support policy of Microsoft (presumably an uninvolved company) and the probable existence of security vulnerabilities in this masterpiece of art and technology. Finally, it is as if this message were written by a child whose knowledge of both computers and English was limited. Pay attention to “Using TrueCrypt is not secure” instead of “TrueCrypt is not safe”, “may contain” and the redundant “unfixed”. “Windows 8/7/Vista and later” is used instead of “Windows Vista and later”. (But reserve your comments for now; I have more to say on this.)
Naturally, many thought the TrueCrypt website had been hacked and the release was malicious. The “many” part is obvious from the edit history of the TrueCrypt article on Wikipedia and its metadata page, as well as the news reports by Ars Technica and Daily Dot.
Gibson Research Corporation’s interpretation
Steven Barnhart of Gibson Research says that, contrary to the badly written message’s claim, TrueCrypt is still very secure and very safe. But he also says that the release of TrueCrypt 7.2 is authentic, using the digital signature and PGP signature as his evidence. He claims that TrueCrypt Foundation was tired of developing this tool but also didn’t want others to adopt their precious brainchild. So, they killed it. They don’t want derivative works.
In this message:
Using TrueCrypt is not secure as it may contain unfixed security issues
… collecting the first letter of each word results in:
u t i n s a i m c u s i
It is claimed that these letters can form the following allegedly Latin sentence:
uti NSA im cu si
It is also claimed that the Latin sentence is translated into:
if you wish to use NSA
And it is also claimed that a more accurate meaning-based translation would be:
it is under the control of NSA
These allegations are entirely nonsense. “Uti NSA im cu si” is not Latin. It does not translate into “if you wish to use NSA” and it certainly does not translate into “it is under the control of NSA”. Google Translate shows this exact translation only because it is user-contributed.
The allegations of NSA interference are not new. As the linked sources hint, some people believe that NSA personnel are not all saints (or are outright immoral torturers), that they are more harmful to average God-fearing citizens than to drug lords, that they took down Lavabit.com out of spite just because it was connected to Edward Snowden, and that they put the TrueCrypt developers under duress, forcing them to kill TrueCrypt, again, because it was connected to Edward Snowden. I am neither in a hurry to dispute them nor to join their ranks. But this? This is going too far. I’d have probably accepted the NSA duress theory without this wordplay.
Posted on 19 June 2014, in Computers and Internet and tagged BitLocker, discontinuation, encryption, end of life, GPT, NSA, TPM, TrueCrypt, Trusted Platform Module, VHD, Virtual Hard Disk.