Re: [dm-crypt] Truecrypt audit

Re: [dm-crypt] Truecrypt audit

[Arno Wagner]

Hi all,

I just want to warn everybody not to place too great stock 
into these results. I have participated in similar, non-public
analyses and they can only ever go so deep. Cleverly hidden or
disguised backdoors may easily be overlooked, as resources are
constrained and attackers will make sure tool-support fails
by running their backdoors against the usual tools to make sure
they are not found. The same, incidentally, is done by malware
writers that check their malware against current virus scanners
before deploying them. 

What you get with the report is a code-quality assessement which
is realistic under the assumption that the implementer was
non-malicious. That in itself has value, but it is a different
kind of statement than people may assume when looking at the
report. 

So what do do if you want to be sure security software you 
use has no backdoors? By now I am convinced that the only
cost-effective way is to have highly competent and careful 
people you trust implement it for you. Sure, that is expensive,
but there are good reasons to believe that an analysis that
has a good chance of finding most or all backdoors is a lot 
more effort and in addition requires a higher level of skill,
making it orders of magnitide more expensive.

The following quote is even more true for security aspects:

  "Debugging is twice as hard as writing the code in the first place.
   Therefore, if you write the code as cleverly as possible, you are,
   by definition, not smart enough to debug it." - Brian W. Kernighan

The only way to get the simplicity you need to be sure there
are no backdoors is to enforce it by writing it yourself.

Yes, I know that is far from ideal but it is how the
situation presents itself to me.

Arno



On Fri, May 16, 2014 at 07:02:57 CEST, Heinz Diehl wrote:
> Hi,
> 
> because cryptsetup is supporting truecrypt, I thought this one could
> be of interest:
> 
> http://tinyurl.com/n8z4tcu
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Truecrypt audit

[Chris Drake]

Hi Arno,

I would go even a step further.  Since we know Truecrypt is popular,
and America alone spends $50billion+ annually to get 50,000+ of the
worlds smartest people to ensure they have back-door access to as much
as possible, I'd go so far as to say that some kind of back door is a
certainty.

Hiding cunning back doors in source code is one of the most
interestingly compelling intellectual tasks you could ever dream to
work on.  Lots of countries spend lots of money hiring lots of very
smart people to do just that...  (and, just one example, the source
uses /dev/random - the current worlds-most-famous-place for hiding
backdoors; yet they didn't care to dive into the kernel code behind
that, not that doing so is even possible on closed-source windows
platforms...)

The very start of the analysis reports that they didn't attempt to
build the binary we all use, from the source they examined.  That's
pretty much as far as you need to read :-(

Kind Regards,
Chris Drake


Friday, May 16, 2014, 9:11:39 PM, you wrote:

AW> Hi all,

AW> I just want to warn everybody not to place too great stock 
AW> into these results. I have participated in similar, non-public
AW> analyses and they can only ever go so deep. Cleverly hidden or
AW> disguised backdoors may easily be overlooked, as resources are
AW> constrained and attackers will make sure tool-support fails
AW> by running their backdoors against the usual tools to make sure
AW> they are not found. The same, incidentally, is done by malware
AW> writers that check their malware against current virus scanners
AW> before deploying them. 

AW> What you get with the report is a code-quality assessement which
AW> is realistic under the assumption that the implementer was
AW> non-malicious. That in itself has value, but it is a different
AW> kind of statement than people may assume when looking at the
AW> report. 

AW> So what do do if you want to be sure security software you 
AW> use has no backdoors? By now I am convinced that the only
AW> cost-effective way is to have highly competent and careful 
AW> people you trust implement it for you. Sure, that is expensive,
AW> but there are good reasons to believe that an analysis that
AW> has a good chance of finding most or all backdoors is a lot 
AW> more effort and in addition requires a higher level of skill,
AW> making it orders of magnitide more expensive.

AW> The following quote is even more true for security aspects:

AW>   "Debugging is twice as hard as writing the code in the first place.
AW>    Therefore, if you write the code as cleverly as possible, you are,
AW>    by definition, not smart enough to debug it." - Brian W. Kernighan

AW> The only way to get the simplicity you need to be sure there
AW> are no backdoors is to enforce it by writing it yourself.

AW> Yes, I know that is far from ideal but it is how the
AW> situation presents itself to me.

AW> Arno



AW> On Fri, May 16, 2014 at 07:02:57 CEST, Heinz Diehl wrote:
>> Hi,
>> 
>> because cryptsetup is supporting truecrypt, I thought this one could
>> be of interest:
>> 
>> http://tinyurl.com/n8z4tcu
>> 
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt

Re: [dm-crypt] Truecrypt audit

[Arno Wagner]

Hi Chris,

On Fri, May 16, 2014 at 16:40:56 CEST, Chris Drake wrote:
> Hi Arno,
> 
> I would go even a step further.  Since we know Truecrypt is popular,
> and America alone spends $50billion+ annually to get 50,000+ of the
> worlds smartest people to ensure they have back-door access to as much
> as possible, I'd go so far as to say that some kind of back door is a
> certainty.

Honestly, I am not sure. I think it is possible that there are
no backdoors (i.e. placed vulnerabilities). I am sure, however,
that some accidental vulnerabilities (i.e. mistakes) are known. 
And then there are all these attempts to sabotage random number
generation, e.g. by that EC generator and by RDRAND. If you have
bad random numbers, the actual crypto does not need to be sabotaged
anymore.
 
> Hiding cunning back doors in source code is one of the most
> interestingly compelling intellectual tasks you could ever dream to
> work on.  Lots of countries spend lots of money hiring lots of very
> smart people to do just that...  (and, just one example, the source
> uses /dev/random - the current worlds-most-famous-place for hiding
> backdoors; yet they didn't care to dive into the kernel code behind
> that, not that doing so is even possible on closed-source windows
> platforms...)

Indeed. Own the CPRNG, and you own basically everything. However,
I think that FOSS software has few or no insertred backdoors. What
I do believe is that there may be some inserted incompetent people
(the systemd-leaders come to mind) that produce plenty of 
vulnerabilities and those nobody else finds are by definition well 
hidden. A similar angle may bepresent by efforts to make
crypto harder to get right, for example with IPSec. Just make
it complex and non-KISS enough, and those 50'000+ bright people 
you mention _will_ find something.
 
> The very start of the analysis reports that they didn't attempt to
> build the binary we all use, from the source they examined.  That's
> pretty much as far as you need to read :-(

Actually not. Some people already did that and posted hashes.
I really do not think there is a problem from this angle.

The thing you need to keep in mind is that they need to 
hide their information assets (i.e. vulnerabilities they
know) well, or they will lose them. And these better intel
they get, the less they can actually do with it, because
every use risks exposing the source. That was the whole
reason for the "parallell construction" (i.e. lying to the
judge and jury under oath) used by law enforcement when they
got tips from the NSA about drug and other activities: They
committed perjury to protect their source. These things can 
only go so far, at some point correclations become obvious.

Anyways, thanks for your thoughts!

Arno




> Kind Regards,
> Chris Drake
> 
> 
> Friday, May 16, 2014, 9:11:39 PM, you wrote:
> 
> AW> Hi all,
> 
> AW> I just want to warn everybody not to place too great stock 
> AW> into these results. I have participated in similar, non-public
> AW> analyses and they can only ever go so deep. Cleverly hidden or
> AW> disguised backdoors may easily be overlooked, as resources are
> AW> constrained and attackers will make sure tool-support fails
> AW> by running their backdoors against the usual tools to make sure
> AW> they are not found. The same, incidentally, is done by malware
> AW> writers that check their malware against current virus scanners
> AW> before deploying them. 
> 
> AW> What you get with the report is a code-quality assessement which
> AW> is realistic under the assumption that the implementer was
> AW> non-malicious. That in itself has value, but it is a different
> AW> kind of statement than people may assume when looking at the
> AW> report. 
> 
> AW> So what do do if you want to be sure security software you 
> AW> use has no backdoors? By now I am convinced that the only
> AW> cost-effective way is to have highly competent and careful 
> AW> people you trust implement it for you. Sure, that is expensive,
> AW> but there are good reasons to believe that an analysis that
> AW> has a good chance of finding most or all backdoors is a lot 
> AW> more effort and in addition requires a higher level of skill,
> AW> making it orders of magnitide more expensive.
> 
> AW> The following quote is even more true for security aspects:
> 
> AW>   "Debugging is twice as hard as writing the code in the first place.
> AW>    Therefore, if you write the code as cleverly as possible, you are,
> AW>    by definition, not smart enough to debug it." - Brian W. Kernighan
> 
> AW> The only way to get the simplicity you need to be sure there
> AW> are no backdoors is to enforce it by writing it yourself.
> 
> AW> Yes, I know that is far from ideal but it is how the
> AW> situation presents itself to me.
> 
> AW> Arno
> 
> 
> 
> AW> On Fri, May 16, 2014 at 07:02:57 CEST, Heinz Diehl wrote:
> >> Hi,
> >> 
> >> because cryptsetup is supporting truecrypt, I thought this one could
> >> be of interest:
> >> 
> >> http://tinyurl.com/n8z4tcu
> >> 
> >> _______________________________________________
> >> dm-crypt mailing list
> >> dm-crypt@saout.de
> >> http://www.saout.de/mailman/listinfo/dm-crypt
> 
> 
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Truecrypt audit

[Heinz Diehl]

On 16.05.2014, Arno Wagner wrote: 

> I just want to warn everybody not to place too great stock 
> into these results. I have participated in similar, non-public
> analyses and they can only ever go so deep. Cleverly hidden or
> disguised backdoors may easily be overlooked...

I agree.

I posted the article because of TC's widespread use, and I'm not aware
of any comprehensive review/audit of its source (I'm not using TC
myself).

Re: [dm-crypt] Truecrypt audit

[Arno Wagner]

On Sat, May 17, 2014 at 09:08:06 CEST, Heinz Diehl wrote:
> On 16.05.2014, Arno Wagner wrote: 
> 
> > I just want to warn everybody not to place too great stock 
> > into these results. I have participated in similar, non-public
> > analyses and they can only ever go so deep. Cleverly hidden or
> > disguised backdoors may easily be overlooked...
> 
> I agree.
> 
> I posted the article because of TC's widespread use, and I'm not aware
> of any comprehensive review/audit of its source (I'm not using TC
> myself).

Posting it is fine. It does contain valuable information.

For example, I think from the report one can deduce that 
TrueCrypt is not very likely to have low-value vulnerabilities, 
hence, for example, ordinary law-enforcement and ordinary 
criminals will likely not get in and more widely available 
forensics tools will likely also not work.

I just wanted to give context which may be non-obvious to
people that have not done something like this themselves.

And yes, I am using TC, but not for secret things. "Business
Confidential" is the highest level I am willing to trust it 
with.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

[dm-crypt] Truecrypt audit

[Heinz Diehl]

Hi,

because cryptsetup is supporting truecrypt, I thought this one could
be of interest:

http://tinyurl.com/n8z4tcu