[Cryptography] [cryptography] Underhanded Crypto
ianG
iang at iang.org
Thu Nov 27 17:21:26 EST 2014
On 27/11/2014 02:01 am, Peter Gutmann wrote:
> ianG <iang at iang.org> quotes:
>
>> Can you design an encrypted chat protocol that looks secure to everyone who
>> reviews it, but in reality lets anyone who knows some fixed key decrypt the
>> messages?
>
> Since some of the organisers read this list and this question may be relevant
> for other contributors as well I'll ask it here: How much code are you
> expecting?
This is a good question. I suspect the idea here would be, how much
code can you reduce it to? The more elegant of the obfuscated C entries
had nice and tight code.
> In theory a submission for "an encrypted chat protocol" could
> involve sending in a reimplementation of TLS from which it'll be pretty hard
> to dig out the backdoor due to the sheer mass of code involved.
Yeah so my vote on seeing such a thing would be "hohum" and "how much do
you wish to pay for the security review?"
> Can
> contributors send in code snippets with assumptions like /* Both sides have a
> shared authentication key */ or /* Both sides have exchanged fresh nonces */
> to save having to send in 1,000 lines of code to implement this? This would
> allow the reviewers to focus on the code containing the backdoor rather than
> having to dig through vast masses of support code.
Sounds good to me.
> Even then it's going to be really hard to review, if I send in code containing
> something like /* 2048-bit MODP Group from RFC 3526 */ someone's going to have
> to do a byte-for-byte comparison ("is that an 'E' or an 'F'?") of the entire
> thing to see whether it really does match RFC 3526.
OK. I'd rule out simple byte-wise changes to constants myself, but on
the other hand this is a valid attack. So why not?
> And that's an easy one,
> if I decide to use parameters from GOST 0177545, held in the Zheleznogorsk
> Academy of Sciences and currently buried under 3m of snow, who knows how the
> organisers will verify it.
Right, but they can point out that it is a weakness. This is the
Dual_EC thing, where the params came from *somewhere unverifiable* and
that later turned from benign to smelly.
> I think the contest needs a few more rules :-).
Or a few more years to shake out the easy ways :)
iang
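On the "is that an 'E' or an 'F'?" problem raised above: a reviewer does not have to compare an RFC 3526-style constant byte by byte, because those primes are published with the formula that generates them from pi. The following is an added example (not code from either poster) that recomputes the prime from the RFC formula and audits a hard-coded group against it; it uses the 1024-bit RFC 2409 group (same formula shape as RFC 3526, with the RFC's own shift 894 and addend 129093), and the tampered copy is constructed here for illustration.

```python
import secrets

def pi_times_2pow(bits, guard=64):  # floor(pi * 2**bits), Machin's formula in fixed point
    scale = 1 << (bits + guard)
    def arctan_inv(x):  # arctan(1/x) * scale as an alternating series
        total, term, k = 0, scale // x, 0
        while term:
            total += -(term // (2 * k + 1)) if k & 1 else term // (2 * k + 1)
            term, k = term // (x * x), k + 1
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard

def modp_prime(size, pi_shift, addend):
    """RFC 2409/3526 formula: 2^size - 2^(size-64) - 1 + 2^64*(floor(2^pi_shift*pi) + addend)."""
    return (1 << size) - (1 << (size - 64)) - 1 + (1 << 64) * (pi_times_2pow(pi_shift) + addend)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases (n > 3): a sanity check on a reviewed constant, not a proof."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def audit_modp_group(p_hex, size, pi_shift, addend):
    """Findings for a hex-encoded group prime; an empty list means it checks out."""
    p, findings = int(p_hex, 16), []
    if p != modp_prime(size, pi_shift, addend):
        findings.append("prime differs from the RFC formula")
    if p.bit_length() != size or not is_probable_prime(p):
        findings.append("p is not a prime of the expected size")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime")
    return findings

# RFC 2409 "Second Oakley Group" (1024-bit MODP) as it would appear in code under review.
RFC2409_GROUP2_P = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF")
# Constructed tampered copy: one hex digit changed, an edit that is easy to miss by eye.
TAMPERED_P = RFC2409_GROUP2_P[:40] + "E" + RFC2409_GROUP2_P[41:]
```

`audit_modp_group(RFC2409_GROUP2_P, 1024, 894, 129093)` returns an empty list, while the tampered copy is flagged as differing from the formula; the same call with size 2048, shift 1918 and addend 124476 covers the RFC 3526 group Gutmann mentions.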