[Cryptography] [cryptography] Underhanded Crypto

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Nov 27 23:31:03 EST 2014


Taylor Hornby <havoc at defuse.ca> writes:

>For the second category, you can take an existing implementation and modify
>it so that it's backdoored

So sending in a copy of openssl-1.0.1j.tar.gz and saying "there's security
holes in this, see if you can find them" is out as a strategy? :-).

>Yes, absolutely. For the "new designs" category, it does not need to be
>completely implemented. Even just an abstract description of the system is
>fine.

That's what I was planning to do, with lots of the detail abstracted away,
since a full implementation would probably make it impossible to spot the flaw
due to the huge amount of complexity that's required for a reasonably secure
crypto protocol.

>Yes, it may be difficult. Note that "difficult for the organizers to verify"
>might imply "difficult for anyone in practice to verify" so that may be an
>avenue towards a good submission.

That's actually a bit of an indictment of crypto protocol implementations,
that they have to be so complex that there's no easy way to verify them any
more.  I've noticed this with crypto in embedded systems: the entire RTOS and
control system is a minimal, fairly easily-assessed system all nicely done to
something like IEC 880, and then the security/crypto portion is five times the
size of all the rest combined and so complex you can never really be sure it's
doing what it's supposed to.

Peter.

