[Cryptography] how reliably do audits spot backdoors? (was: Re: RSA is dead.)

Bill Frantz frantz at pwpconsult.com
Mon Dec 23 12:36:11 EST 2013


On 12/23/13 at 10:06 PM, waywardgeek at gmail.com (Bill Cox) wrote:

>Well, first, it's David Wagner.  Had we set up this test with me inserting
>the bugs and David Wagner finding them, I think the results would have been
>different.

A minor correction: This is Ka Ping Yee's work. David Wagner was 
one of his thesis advisors.

I know some of the people who were doing the code review. They are 
very good at finding obscure bugs in pieces of code, including 
timing bugs and overflow bugs. The small number of bugs actually 
found is quite scary.

BTW, Ping has done some excellent work in the area of UIs and 
secure systems.


>However, IMO, David Wagner's bugs would not have survived a year of open
>source review, given that it was confined to 100 lines of code.  That code
>might be a serious mess, but people can usually grok that kind of
>complexity.

Note that the bugs were limited to 100 lines of code because of 
the limited amount of time available for the code review. A real 
system would probably consist of many times 100 lines of code, 
especially if the compiler and runtime environments are 
included. Since backdoors can be designed that depend on 
"innocent" insertions in several separate parts of the code, the 
complexity of the search goes up faster than linearly with code size.


>...  If I do say so myself, I am awesome at reading and
>grokking code, and gksu is one of the only Linux projects I've had to read
>that I could not understand.  Code like that in the crypto system makes me
>want to set my hair on fire.

Obscure code has no place in any security system.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | Airline peanut bag: "Produced  | Periwinkle
(408)356-8506      | in a facility that processes   | 16345 Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
