[Cryptography] how reliably do audits spot backdoors? (was: Re: RSA is dead.)

[Benjamin Kreuter]

On Sun, 22 Dec 2013 16:51:44 -0800 (PST)
Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:

> Auditing code is *hard*.  We should no more expect auditors to be 100%
> perfect at finding backdoors than we should expect well-meaning
> programmers to be 100% perfect at (say) correctly using strncpy().

I have been wondering for some time if this might be more a symptom of
the languages we are using than a fundamental difficulty in the
auditing process itself.  Quite a few UCC entries rely on undefined or
counterintuitive behavior in C.  A better language might improve the
auditability of code, particularly in cases where we do not really need
to squeeze every last bit of performance out of our computers (e.g. for
something like OTR, where you are not going to be sending hundreds of
messages per second).

-- Ben



-- 
Benjamin R Kreuter
KK4FJZ

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131223/d51e5ed3/attachment.pgp>