[cryptography] Has anyone analysed Google's open client update protocol?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Apr 20 11:01:42 EDT 2011

Has anyone tried to analyse this?  It's
http://omaha.googlecode.com/svn-history/r106/wiki/cup.html.  I've had a quick
look at it, but I can't make head or tail of what it's supposed to be doing,
it looks like a jumble of bits and pieces thrown together from reading Applied
Cryptography.  What are some of these operations being used for?  What attacks
do they defend against?  Why are particular values being used at specific
locations?  What purpose do the values serve?  If I change one part of it from
X to Y, what are the implications?  Since it's unclear what the purpose of
half of these things is, it's also quite unclear whether they do what they're
supposed to.

(Just curious really, someone asked me about it and the best I could say was
"well, I can see some things it doesn't do, and some things that don't seem to
serve any purpose, but I have no idea whether that's part of the intended
design or not".  In the fine tradition of open-source security audits, I'm not
volunteering to analyse it myself, just wondering if anyone else has :-).
