[Cryptography] [cryptography] Underhanded Crypto

ianG iang at iang.org
Thu Nov 27 17:21:26 EST 2014


On 27/11/2014 02:01 am, Peter Gutmann wrote:
> ianG <iang at iang.org> quotes:
>
>> Can you design an encrypted chat protocol that looks secure to everyone who
>> reviews it, but in reality lets anyone who knows some fixed key decrypt the
>> messages?
>
> Since some of the organisers read this list and this question may be relevant
> for other contributors as well I'll ask it here: How much code are you
> expecting?


This is a good question.  I suspect the idea here would be, how much 
code can you reduce it to?  The more elegant of the obfuscated C entries 
had nice and tight code.

> In theory a submission for "an encrypted chat protocol" could
> involve sending in a reimplementation of TLS from which it'll be pretty hard
> to dig out the backdoor due to the sheer mass of code involved.


Yeah, so my vote on seeing such a thing would be "hohum" and "how much do 
you wish to pay for the security review?"

> Can
> contributors send in code snippets with assumptions like /* Both sides have a
> shared authentication key */ or /* Both sides have exchanged fresh nonces */
> to save having to send in 1,000 lines of code to implement this?  This would
> allow the reviewers to focus on the code containing the backdoor rather than
> having to dig through vast masses of support code.


Sounds good to me.

> Even then it's going to be really hard to review, if I send in code containing
> something like /* 2048-bit MODP Group from RFC 3526 */ someone's going to have
> to do a byte-for-byte comparison ("is that an 'E' or an 'F'?") of the entire
> thing to see whether it really does match RFC 3526.

OK.  I'd rule out simple byte-wise changes to constants myself, but on 
the other hand this is a valid attack.  So why not?

> And that's an easy one,
> if I decide to use parameters from GOST 0177545, held in the Zheleznogorsk
> Academy of Sciences and currently buried under 3m of snow, who knows how the
> organisers will verify it.


Right, but they can point out that it is a weakness.  This is the 
Dual_EC thing, where the params came from *somewhere unverifiable* and 
that later turned from benign to smelly.


> I think the contest needs a few more rules :-).


Or a few more years to shake out the easy ways :)



iang
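The "is that an 'E' or an 'F'?" problem raised above has a mechanical answer for the RFC 3526 groups, because the RFC publishes the formula its primes were generated from (pi, a power of two and a per-group offset). The following is an added example, not code from the thread: it recomputes the 2048-bit group's prime from that formula using integer-only Machin-series pi, then diffs a constant as pasted in source against it, so a single changed hex digit is reported by position instead of hunted for by eye. The offset 124476 is the one RFC 3526 gives for its 2048-bit group; the tampered constant in the demo is constructed here.

```python
"""Added example (not from the thread): recompute the RFC 3526 2048-bit MODP prime
from the formula the RFC publishes and diff a constant found in source against it."""

def _arctan_inv(x: int, prec: int) -> int:
    """arctan(1/x) as a fixed-point integer scaled by 2**prec (Gregory series)."""
    total = term = (1 << prec) // x
    x2, k, sign = x * x, 1, -1
    while term:
        term //= x2
        total += sign * (term // (2 * k + 1))
        sign, k = -sign, k + 1
    return total

def pi_fixed(prec: int) -> int:
    """pi * 2**prec via Machin's formula; truncation error is a few thousand ulps."""
    return 16 * _arctan_inv(5, prec) - 4 * _arctan_inv(239, prec)

def rfc3526_prime(bits: int = 2048, offset: int = 124476) -> int:
    """p = 2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + offset).

    124476 is the offset RFC 3526 publishes for its 2048-bit group; the other
    groups use the same construction with their own published offsets."""
    guard = 64  # spare fractional bits so pi_fixed's error cannot move the floor
    pi_bits = pi_fixed(bits - 130 + guard) >> guard
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_bits + offset)

def diff_constant(code_hex: str, reference: int) -> list:
    """Compare a constant as pasted in source (whitespace and 0x prefix allowed)
    with the recomputed reference; return (position, found, expected) per mismatch."""
    found = "".join(code_hex.split()).upper()
    found = found[2:] if found.startswith("0X") else found
    ref = format(reference, "X")
    if len(found) != len(ref):
        raise ValueError("constant has %d hex digits, expected %d" % (len(found), len(ref)))
    return [(i, a, b) for i, (a, b) in enumerate(zip(found, ref)) if a != b]

if __name__ == "__main__":
    p = rfc3526_prime()
    ref_hex = format(p, "X")
    # Constructed for the demo: the genuine constant with a single E changed to F,
    # the one-digit edit that byte-for-byte eyeballing is supposed to catch.
    i = ref_hex.index("E", 16)
    tampered = ref_hex[:i] + "F" + ref_hex[i + 1:]
    print(diff_constant(ref_hex, p))   # []
    print(diff_constant(tampered, p))  # one mismatch: (i, 'F', 'E')
```

Parameters fetched from somewhere unverifiable, as in the Dual_EC case mentioned above, have no such formula to recompute from, which is exactly why they deserve the suspicion the reply gives them.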


