Thanks for the detailed post. There's a lot there, and I've replied inline below.
Mac wrote:@Resonance
1) You are discussing cutting down the number of algorithms.
I suggest this is not necessarily a useful notion.
Dropping support for some features would be useful in some ways, but is not necessarily the right way to move forward. In particular, it would improve security of the remaining code, since there would be less code to audit and maintain, and we could do a better job. However, I agree that this is just the sort of difference between a supported commercial tool and a hacker tool. I read in one post that TrueCrypt dropped support for various formats over time, but it's generally high backwards compatibility likely is one reason for its popularity.
I do not think we should drop encryption formats for the sake of maintaining less code. However, some features are harder to maintain than others. One of the questions I have not formed any opinion on is whether we should replace BIOS support with UEFI. The BIOS driver has so many issues that the audit had to list them in an appendix, and it requires using a Microsoft compiler from 1991. The audit team recommends upgrading the build tool chain, and I don't know how to keep BIOS support without the old one (does anyone know if it can be done?). However, I am not familiar with the issues involved, including whether or not dropping BIOS support would in any way impact current installations, or how many users lack UEFI. This should be discussed more, IMO.
Mac wrote:@Resonance
The bulk of complexity you'll need to deal with is not in the crypto or the algorithms. You will find the system interfaces to be many binary orders of magnitude more complex than the crypto algorithms -- which are pretty simple, stable, self-contained and cut-and-dried.
From a user point of view, encryption algorithms Just Work. You call AES-Encrypt, and everything is dandy. You assume whoever is in charge of that code knows what they are doing. Unfortunately, we are those guys!
To create that impression, teams like this have to do an insane amount of work on the crypto, and even then, we will sometimes get it wrong! Even standard implementations of AES have been found to be insecure for crazy reasons, like when researchers were able to extract AES passwords by simply running their process on the same machine as AES. IIRC, they used a cache timing side-channel attack. Does TC still use an insecure implementation of AES? I haven't checked, but the audit surely will! For *dramatically* better performance, should we use the new Intel AES-NI instructions, or are we too afraid that there is somehow an NSA back door in there? Even AES file encryption needs random numbers, so should we use Intel's new RDRAND instruction to help generate the entropy? Remember the
recent controversy over using RDRAND in the Linux entropy pool? If we pass on AES-NI, how about supporting the latest Haswell AVX2 instructions? These are a few of the outstanding issues for the most fundamental crypto in TC - AES! Writing and maintaining all that GUI code is simple in comparison. One reason I am very interested in working with the other FOSS competitors to TC, is that we may be able to share most of the basic crypto. For example, should we just link to the standard crypto library (-lcrypto)? These are critical design issues we need to start researching.
Now, assuming we get the core crypto right (God help us if we mess up AES), we still have lot of crypto to work on! It is not at all simple to turn a block cipher like AES into a secure, high performance encrypted volume format! Even the experts make mistakes. This is one reason why some formats in TC can only be read, and not created - some older TC formats were found to be insecure after years of use. The current TC volume format is being panned by some of the guys who maintain competing "better" formats (according to them - I am not yet qualified to judge). This is extremely difficult code to get right. This is why I feel strongly that the best crypto devs should have the final say over all code-related decisions, and if they say drop features that users still want, we should do it.
Mac wrote:@Resonance
So eliminating algorithms is not really going to meaningfully reduce the complexity, or make a software audit significantly easier.
I'll let the cryptanalysts auditing the TC code know . I'm sure the vast number of algorithms supported in no way makes cryptanalysis harder
I mostly agree with the rest of your comments. I don't think anyone is seriously considering dropping support for a lot of previous encryption algorithms and volume formats. VeraCrypt did that, and to use it, you have to re-create your volume. This is one reason we're not begging to make the VeraCrypt fork the future of TrueCrypt. We obviously will not abandon Windows users, even if some developers on the project are anti-Windows. I personally am anti-Apple, but that doesn't mean we'll drop Mac support! Unless I have my way