[Cryptography] how reliably do audits spot backdoors?

James A. Donald jamesd at echeque.com
Tue Dec 24 02:27:52 EST 2013


> On Sun, 22 Dec 2013, Bill Cox wrote:
> [[re Peter Gutmann's claim that backdoors in source-code
> may escape discovery in audits]]
>> Nonsense.  Most other equally capable developers should be able to discover
>> a backdoor with far less effort to hide it.  Reading other people's code is
>> a skill that some people never acquire, but it's generally easier to
>> understand someone else's code entirely than to have created it from
>> scratch.

On 2013-12-23 10:51, Jonathan Thornburg wrote:
> Looking at the winners in the Underhanded C Contest
>    http://underhanded.xcott.com/
> strongly suggests that Peter is right.  And these are backdoors hidden
> in on-the-order-of-100 lines of code, which is a lot smaller (and thus
> harder-to-hide-a-backdoor-in) than most real crypto code.

The example backdoor would not have survived normal code review by me.

So all you need is people like me reviewing code.  Which you should do 
anyway.


More information about the cryptography mailing list