Brian M. Carlson | 3 Aug 2006 00:47

Re: Possible packages - seccure

On Wed, Aug 02, 2006 at 09:12:13PM +0200, Ulf Harnhammar wrote:
> On Sun, Jul 30, 2006 at 01:51:48PM +0100, James Westby wrote:
> > 2) I have an ITP[3] open for seccure[4]. I would be interested in an
> >    audit of the code.
> 
> I have audited it now. I looked for the normal problems like buffer
> overflows, format string bugs and NULL dereferencing without finding
> any bugs at all. It's all well-written code by someone clueful. I don't
> know very much about cryptography, so I have no idea whether the
> program's encryption is easy to break or not.

I've looked at the underlying primitives, but not their implementation.
In short, if they are actually implemented properly[0], they are
secure[1].

The long version (you can skip this) is that the signature is ECDSA (DSA
over elliptic curve) and the encryption is ECIES (Elliptic Curve
Integrated Encryption Scheme).  Both are based on the Diffie-Hellman
problem, which is what regular DSA is based on.  DSA and Elgamal are
what most people use for signing and encryption in OpenPGP, and they are
presently considered secure.  The benefit to elliptic curve cryptography
is that the keys are smaller and it can be faster.  Instead of
multiplying or exponentiating, you can add or multiply points on the
curve.  The curve is such that adding two points will always produce a
third point on the curve.

The only other concern of mine is the method for creating keys.  If the
underlying curves are the ANSI standard curves, they are secure, but
patented.  That is part of the reason that neither GnuPG nor the OpenPGP
standard include ECC algorithms.  Someone may want to look at the curves

Steve Kemp | 4 Aug 2006 11:59

Re: Possible packages - seccure

On Wed, Aug 02, 2006 at 10:47:00PM +0000, Brian M. Carlson wrote:
> On Wed, Aug 02, 2006 at 09:12:13PM +0200, Ulf Harnhammar wrote:
> > On Sun, Jul 30, 2006 at 01:51:48PM +0100, James Westby wrote:
> > > 2) I have an ITP[3] open for seccure[4]. I would be interested in an
> > >    audit of the code.
> > 
> > I have audited it now. I looked for the normal problems like buffer
> > overflows, format string bugs and NULL dereferencing without finding
> > any bugs at all. It's all well-written code by someone clueful. I don't
> > know very much about cryptography, so I have no idea whether the
> > program's encryption is easy to break or not.
> 
> I've looked at the underlying primitives, but not their implementation.
> In short, if they are actually implemented properly[0], they are
> secure[1].

  This is the problem that I have with cryptography audits.  I can
 look over the code for the standard buffer overflows and format
 string-type bugs.   But I don't have enough of a grasp of the actual
 theory to know if the primitives, or the algorithm implementation is
 correct.

  I think for that reason it would be bad for me to really look at
 any code like that, since after looking for obvious bugs I'd not
 be able to say with confidence that the program was OK or not.

Steve

Ulf Harnhammar | 3 Aug 2006 20:16

Re: Possible packages - seccure

On Wed, Aug 02, 2006 at 10:47:00PM +0000, Brian M. Carlson wrote:
> Oh, and hi.  I've been reading for a while, but I just haven't gotten
> around to auditing anything lately.  Just for the record, I am not a
> cryptographer, but I know enough about cryptography to know how things
> work and what problems usually happen with it.  I also write crypto code
> on occasion.

Nice! It would be useful if you would take a look at various Debian packages
that implement some kind of encryption and start making noise if you find
things that are obviously insecure (Caesar ciphers, hiding data with XOR,
or whatever usual mistakes people do). I don't think anyone has done that,
at least systematically, so it would be appreciated.

// Ulf

Max Vozeler | 3 Aug 2006 21:34

Crypto reviews (was: Re: Possible packages - seccure)

On Thu, Aug 03, 2006 at 08:16:39PM +0200, Ulf Harnhammar wrote:
> On Wed, Aug 02, 2006 at 10:47:00PM +0000, Brian M. Carlson wrote:
> > Oh, and hi.  I've been reading for a while, but I just haven't gotten
> > around to auditing anything lately.  Just for the record, I am not a
> > cryptographer, but I know enough about cryptography to know how things
> > work and what problems usually happen with it.  I also write crypto code
> > on occasion.

Welcome, Brian :-)

> Nice! It would be useful if you would take a look at various Debian packages
> that implement some kind of encryption and start making noise if you find
> things that are obviously insecure (Caesar ciphers, hiding data with XOR,
> or whatever usual mistakes people do). I don't think anyone has done that,
> at least systematically, so it would be appreciated.

In case you are interested in other packages that could stand a
crypto review, let me just quickly plug my own :-) 

We have recently done lots of work on partman-crypto (block
device encryption support in debian-installer) to the point that
we think we can release it with etch. It adds support for both
dm-crypt(LUKS) and loop-AES and _should_ have as sound basic
primitives as those underlying crypto systems.

That said, there are actually several steps in setting up the
crypto systems that we have to handle ourselves, mostly related
to key generation/handling and protecting things from getting
swapped out to disk. Overall that makes me quite cautious about
releasing it for production use before someone knowledgeable