Analysis of TrueCrypt Binaries
TrueCrypt is the most popular open source multi-platform encryption software, with very wide acceptance and a host of features for many thinkable and unthinkable scenarios. The trouble, though, is that it has never been thoroughly audited, so it is unknown whether the software contains any backdoors or cryptographic flaws.
Ever since Edward Snowden made us aware of the powers the NSA exploited throughout the software landscape, the community has questioned the trustworthiness of TrueCrypt, especially because it proved difficult even to compile the software from the supplied source code.
A new initiative called "IsTrueCryptAuditedYet?" started recently with the aim of auditing the software and proving it trustworthy or otherwise.
For starters, many respected sources reported that they were never able to produce a valid binary from the source code provided on the project's site. But on October 21st, Xavier de Carné, a student at the Concordia Institute for Information Systems Engineering, published a thorough article on his experience of compiling TrueCrypt from the sources. Not only is this work of academic quality, it also proves that the binaries provided on TrueCrypt's site are indeed authentic and do not contain more code than the sources. Whether the algorithms themselves are trustworthy cannot be concluded from this study, since that question goes beyond the work's scope. This will be the task of the IsTrueCryptAuditedYet? project.
From the source:
Given this analysis, we can conclude that I compiled TrueCrypt from the official sources and matched the official binaries, and everyone who is able to gather the prerequisites for compiling TrueCrypt the same way as I did, is able to prove the same thing.
Before reaching this interesting result though, I was suspicious like many other people. I first compiled TrueCrypt with Visual Studio 2010 SP1 with all updates, and I got significantly different binaries, whose disassembled versions also differed a lot. I then switched to Visual Studio 2008 SP1 with all updates, but I got again significant changes, although less than compared to the build from VS2010. I had to be careful at reproducing the environment of the developers as close as possible, which made me reinstall VS2008 with SP1 but only with the post-SP1 updates released before TrueCrypt 7.1a was released. This means I omitted one available update. Only then, I could achieve an identical build and prove to myself that TrueCrypt is not backdoored by the developers in a way that is not visible from the sources. People should not take this conclusion for granted and are encouraged to reproduce this result by themselves.
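The comparison step described in the quote above, as an added example that is not from the article or the TrueCrypt project: a locally built Windows executable will generally not hash identically to a signed release, because PE files carry a link timestamp, a header checksum and an appended Authenticode signature, so this sketch zeroes those three fields before hashing. Which fields actually differed in the TrueCrypt comparison is not stated on this page; the function names and sample bytes are constructed for illustration, and the approach applies to any PE32 or PE32+ file.

```python
import hashlib
import struct

def normalized_pe_digest(data: bytes) -> str:
    """SHA-256 of a PE image with three build-variant fields neutralized.
    Other embedded timestamps (e.g. in the debug directory) are out of scope."""
    buf = bytearray(data)
    if buf[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ magic")
    (pe,) = struct.unpack_from("<I", buf, 0x3C)         # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe + 24                                        # 4-byte sig + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    sec_dir = opt + (128 if magic == 0x10B else 144)     # data directory index 4
    cert_off, cert_size = struct.unpack_from("<II", buf, sec_dir)
    struct.pack_into("<I", buf, pe + 8, 0)               # COFF TimeDateStamp
    struct.pack_into("<I", buf, opt + 64, 0)             # optional header CheckSum
    struct.pack_into("<II", buf, sec_dir, 0, 0)          # certificate table entry
    if cert_size and cert_off + cert_size == len(buf):   # signature appended at EOF
        del buf[cert_off:]
    return hashlib.sha256(buf).hexdigest()

def sample_pe(timestamp: int, body: bytes, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32 layout for the demo (not a loadable program)."""
    buf = bytearray(0x40 + 24 + 224)                     # DOS hdr, PE+COFF, optional hdr
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x48, timestamp)
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 64, timestamp ^ 0xABCD)  # stand-in checksum
    buf += body
    if signature:
        struct.pack_into("<II", buf, opt + 128, len(buf), len(signature))
        buf += signature
    return bytes(buf)

if __name__ == "__main__":
    official = sample_pe(0x4F2F0000, b"\x90" * 64, b"FAKE-AUTHENTICODE-BLOB")
    rebuilt = sample_pe(0x52650000, b"\x90" * 64)
    patched = sample_pe(0x52650000, b"\x90" * 63 + b"\xCC")
    print("official vs rebuilt match:", normalized_pe_digest(official) == normalized_pe_digest(rebuilt))
    print("official vs patched match:", normalized_pe_digest(official) == normalized_pe_digest(patched))
```

A match after normalization only shows that the remaining bytes are identical; any difference that survives it still needs to be inspected by disassembly, as the quoted author did.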