[Cryptography] How to solve the hen-and-egg problem

Ralf Senderek crypto at senderek.ie
Thu Jul 30 03:10:17 EDT 2015

On Thu, 30 Jul 2015 07:07:28 Peter Gutmann writes:

> Occasionally someone will take a peek inside some code somewhere,
> and with distressing frequency find security problems, but I'm not
> sure if anyone ever sits down and says "I'm going to spend the next
> six weeks reviewing the XYZ code base".

Reviewing the two core files (secrets.c and openpgp.c) will not require
weeks, as they are both about 500 lines of code thanks to the very
good work you've kindly done already with cryptlib.

> So you've (unfortunately) really only got two options:
> 1. Review it yourself (which includes using static source code
> analysers, Valgrind/ASAN, and every fuzzer you can run on it).

While static code analysers will work with C code, they might be less
valuable when it comes to reviewing the ksh scripts. These scripts
represent the logic of the message encryption scheme and a review
needs to focus on the security of the ideas, they're based on.

> 2. Pay someone else to review it.

I think I'd add a few rows to my Lotto ticket ;-)


More information about the cryptography mailing list