UPDATED 14:35 EDT / OCTOBER 24 2013


Is TrueCrypt Safe to Use? Time to Check It Out

Researchers are calling for a full audit of the extremely popular open-source encryption solution TrueCrypt. The effort begins at IsTrueCryptAuditedYet.com, and includes seeking funds for the project, but the history of TrueCrypt and its capabilities begins in February of 2002. Surprisingly for a security tool, TrueCrypt has never been audited, its authors are anonymous, and it has deep reach in the market of free tools.

TrueCrypt is one of those tools that gained considerable popularity and has existed since the dawn of time. The software allows you to encrypt files "on the fly," create virtual encrypted disks within a file, encrypt entire partitions, and, on some systems, boot from an encrypted, hidden partition.

The first version was released in February 2004 for Windows 98, ME, 2000 and XP and was developed systematically, albeit more slowly. The latest version for Windows, OS X and Linux appeared in February 2012. There are plans to introduce support for Windows 8 and UEFI computers, but that development has yet to be done.

TrueCrypt is an open-source tool and has gained the trust of many users, but few people know exactly how it works and how it is programmed, even though the code is freely available. According to statistics from the TrueCrypt Foundation, which maintains the project, the tool has been downloaded more than 28 million times.

The authors of the application remain anonymous; no one knows who actually develops TrueCrypt. Second, there is no guarantee that the binaries that make up the bulk of downloads do not contain backdoors and were built from the publicly available source code without hidden changes. There has been no comprehensive audit of the TrueCrypt software. It is also unclear whether the proprietary TrueCrypt License is FOSS-compatible. Furthermore, it is not yet clear which binaries TrueCrypt used to compile the source code. And there are unexplained differences between the versions for Linux, OS X and Windows.

That is about to change. Cryptography researchers Kenneth White and Matthew Green have decided to raise funds to get TrueCrypt’s source code thoroughly audited by disinterested third parties. The audit results will be tracked on the website IsTrueCryptAuditedYet.com.

Legal and technical examination

Calls to review TrueCrypt intensified after reports in early September that the US National Security Agency (NSA) had attempted to weaken encryption standards and had planted backdoors in encryption software.

In a statement on its website, TrueCrypt denies that it has implemented a backdoor in its software and says that TrueCrypt only allows decryption with the correct password or key.

The planned audit has four objectives. First, the license used by TrueCrypt will be examined by a competent attorney to determine whether it is compatible with free software licenses such as the GPL. The program will also be examined on Linux systems to check its license. Second, the project will adopt the deterministic build process that Tor is now using to improve the build process.

The third phase is to pay bug bounties to developers for anything security-critical they find in the code. The last phase is to commission a professional audit from a few security evaluation companies that are qualified to review crypto software.

The researchers have launched a crowdfunding project on IndieGoGo in addition to the FundFill site. Since launching the fundraisers, the project has collected over $41,000.

“We have almost collected the required amount for a serious audit of the code,” says Matthew Green.

All funds raised will be distributed among the project's main tasks: a legal analysis of the TrueCrypt license, the implementation of deterministic/repeatable builds, the payment of bounties for vulnerabilities found, and a professional security audit of the source code.

