Linux Crypto Packages Demolished

SiliconEntity writes "Cryptographer and security expert Peter Gutmann has demolished several Linux security software packages in a recent posting to the cryptography mailing list. He says, 'It's possible to create insecure 'security' products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed.'"

CIPE

[dnoyeb]

When I investigated CIPE for the first time two days ago, I read somewhere on the site that it didn't work yet, or that it provided no security. How can you critize a package for being insecure when they tell you it is?

Did I miss something?

Re:CIPE

[cmowire]

The CIPE FAQ claims that CIPE is "Industry Strength".

So use a Linux IPSEC implementation instead

[whoever57]

FreeS/WAN

Re:What a great Quote

[stinkfoot]

it's a reference to an episode of "The Brass Eye" by Chris Morris, brilliant comedian and media hacker. here's a transcript:

http://www.glgarden.org/foreverman/brasseye.html

(if you're impatient, click "page 2" and search for "sound wave".)

Debian to the rescue! (Re:GPG is also a disas...)

Package: libgpgme11
Description: GPGME - GnuPG Made Easy
GPGME is a wrapper library which provides a C API to access some of the GnuPG functions, such as encrypt, decrypt, sign, verify, ...

Can I hump your skull now?

Re:What a great Quote

[David+Gerard]

Ah, no, it was coined by makali, in a LiveJournal reply to said post.

Re:thank you captin obvious

[cmowire]

Aye, but the webpages for CIPE have been updated in 2003.

I think I see why these haven't been fixed.

[RealAlaskan]

From Freshmeat: CIPE
Rating: 8.35/10.00 (Rank N/A)
Vitality: 0.01% (Rank 4941)
Popularity: 2.72% (Rank 1001)

VTUN
Rating: 8.55/10.00 (Rank N/A)
Vitality: 0.02% (Rank 2787)
Popularity: 2.69% (Rank 1017)

Neither of these projects are dead, quite, but neither is terribly active, either. Sourceforge shows one developer for CIPE, for example.

As an earlier post said, crypto demands skills which aren't generally available, in an unusual combination. Many competent eyes make bugs shallow. Many competent coders make bugfixes quick. It looks as if those packages haven't drawn the competent eyes and coders yet.

Maybe Mr. Gutman's post will draw some good folks who are able to do the work to these projects. Or maybe it will inspire the maintainers to simply let them fade away. Either way, we're better off for his efforts.

A third possibility is that folks will just not care. Gutman tells us:

- These programs have been around for years (CIPE goes back to 1996 and vtun to 1998) and (apparently) have quite sizeable user communities without anyone having noticed (or caring, after flaws were pointed out) that they have security problems.

This kind of thing needs to be fixed or abandoned; bad security is worse than no security

False

[malaba]

VTun has been updated
in 2002 and 2003.
Check their homepage:

http://vtun.sourceforge.net/

Maybe only small update.

"Linux" Packages

[pete-classic]

It is eminently unfair to call these "Linux" packages.

Of course, none of them are GNU packages, either . . .

OTOH, tinc does have a linux.org homepage, but then it seems to not be "Demolished" by any reasonable definition. He says "This is a terrible way to use RSA, and usually compromises the key." and I'm no crypto geek, but I think what he means by "compromises" is "provides and avenue of attack that is mathematically simpler than brute force against the key" not "reveals the secret".

So, two seemingly abandoned projects are suspect, and one relatively arbitrary (but Open Source!) package has a theoretical weakness.

All that said, my question is: What has been demonstrated (or demolished)?

-Peter

Re:CIPE is a toy

[jpc]

hmm, not so sure.

First, the CRC32 problems only put it on par with ssh 1. Which is still in use by many people I suspect. ok it should have been fixed.

The padding iisue just means that aes cant be used. afaik cipe doesnt let you change ciphers anyway. Its not that bad - the algorithms it uses are probably safe for a few more years. Plaintext size leaks small amounts of information, so it is not best practise, but not fatal. aes would be nice though.

The message sequence issue (replay etc) is on the face of it rather bad, except that cipe is designed for carrying ip traffic. Repeating or removing udp messages is fine, and tcp messages do have sequence numbers. So I fail to see how that is a problem.

And the key exchange is fairly irrelevant as it is basically a private key protocol. They key exchange stuff was an afterthought and I doubt if anyone uses it. Designing public key encryption is much harder and cipe should have stuck to private key.

Re:Debian to the rescue! (Re:GPG is also a disas..

[tqbf]

GPGME is a wrapper library... Can I hump your skull now?

No, because GPGME is GPL, not LGPL, and all it does is make calls to the (GPL) GPG binary.

Re:Arm chair security experts

[Halo-]

Peter Gutmann is a serious expert. I write security code for a living. (For IBM) Peter Gutmann has writen a few seminal papers such as "A Layman's Guide to ASN.1" which is required reading for anyone coming on the team.

Re:POPTOP

[Huge+Pi+Removal]

I thought the whole point of poptop was that it used PPTP, which is inherently insecure.

L2TP replaces it, and MS seems to have got it right this time.