[cryptography] Underhanded Crypto

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Nov 26 21:01:04 EST 2014


ianG <iang at iang.org> quotes:

>Can you design an encrypted chat protocol that looks secure to everyone who 
>reviews it, but in reality lets anyone who knows some fixed key decrypt the
>messages?

Since some of the organisers read this list and this question may be relevant 
for other contributors as well I'll ask it here: How much code are you 
expecting?  In theory a submission for "an encrypted chat protocol" could 
involve sending in a reimplementation of TLS from which it'll be pretty hard 
to dig out the backdoor due to the sheer mass of code involved.  Can 
contributors send in code snippets with assumptions like /* Both sides have a 
shared authentication key */ or /* Both sides have exchanged fresh nonces */ 
to save having to send in 1,000 lines of code to implement this?  This would 
allow the reviewers to focus on the code containing the backdoor rather than 
having to dig through vast masses of support code.

Even then it's going to be really hard to review, if I send in code containing 
something like /* 2048-bit MODP Group from RFC 3526 */ someone's going to have 
to do a byte-for-byte comparison ("is that an 'E' or an 'F'?") of the entire 
thing to see whether it really does match RFC 3526.  And that's an easy one, 
if I decide to use parameters from GOST 0177545, held in the Zheleznogorsk 
Academy of Sciences and currently buried under 3m of snow, who knows how the 
organisers will verify it.

I think the contest needs a few more rules :-).

Peter.
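The "is that an 'E' or an 'F'?" review problem above has a mechanical answer for "nothing up my sleeve" constants: regenerate the RFC 3526 prime from its published formula and compare, rather than eyeballing 512 hex digits. This is an added example, not code from the mail or the contest; it assumes the RFC 3526 form p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + k) with k = 124476 for the 2048-bit group, and a submitted modulus supplied as a hex string.

```python
"""Rebuild the RFC 3526 2048-bit MODP prime from its definition and check a
submitted parameter against it (added example; assumes the RFC 3526 formula)."""

# Offset k from RFC 3526 for the 2048-bit group (the only group handled here).
RFC3526_OFFSETS = {2048: 124476}


def _arctan_recip(x: int, scale: int) -> int:
    """Integer approximation of scale * arctan(1/x) via its Taylor series.
    Each truncated term loses under one unit; the guard bits absorb that."""
    power = scale // x          # scale / x^(2k+1)
    total, k, sign = 0, 1, 1
    x2 = x * x
    while power:
        total += sign * (power // k)
        power //= x2
        k += 2
        sign = -sign
    return total


def floor_pi_times_2pow(exp: int, guard_bits: int = 64) -> int:
    """floor(2^exp * pi) via Machin: pi = 16 atan(1/5) - 4 atan(1/239)."""
    scale = 1 << (exp + guard_bits)
    pi_scaled = 16 * _arctan_recip(5, scale) - 4 * _arctan_recip(239, scale)
    return pi_scaled >> guard_bits


def rfc3526_modp_prime(bits: int) -> int:
    """Regenerate the published prime for the given group size."""
    k = RFC3526_OFFSETS[bits]
    pi_part = floor_pi_times_2pow(bits - 130) + k
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * pi_part


def parameter_matches_rfc3526(submitted_hex: str, bits: int = 2048) -> bool:
    """True iff the submitted modulus (hex, any case, whitespace and an
    optional 0x prefix allowed) is exactly the RFC 3526 value."""
    cleaned = "".join(submitted_hex.split()).lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    try:
        value = int(cleaned, 16)
    except ValueError:
        return False
    return value == rfc3526_modp_prime(bits)


if __name__ == "__main__":
    print(format(rfc3526_modp_prime(2048), "X"))
```

A single flipped hex digit anywhere in the submitted constant makes the comparison fail, which is the check a reviewer would otherwise have to do by hand.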
