Linux Crypto Packages Demolished

SiliconEntity writes "Cryptographer and security expert Peter Gutmann has demolished several Linux security software packages in a recent posting to the cryptography mailing list. He says, 'It's possible to create insecure 'security' products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed.'"

thank you captin obvious

he points to CIPE, a tool which hasent been updated since jun 02 and Vtun since aug. 2001. he says TINC was just as bad but was fixed when users complained. I think the obvious conclusion is that if people use the software and email the person who maintains it, it will get fixed. if the project goes stagnent because the author doesnt maintain it or people dont use it then of corse it will be vunerable after time as more flaws are discovered and not patched.

GPG is also a disaster and other rants

All these years after Phil Zimmerman released the original PGP code, we STILL don't have anything which satisfies the need for a securing email. It would have these properties:

1. Be under a BSD-ish license, so it could be linked in to commercial and non-commercial products.

2. Be a LIBRARY, not a stand-alone executable, so it can be linked into anything at all.

Let's see, the Xiph people want their protocols to be used all over the place, so they make it a BSD-license LIBRARY that anyone can link to. Hmmm, seems to be working. The PNG backers want their format to be used all over the place, so they make it a BSD-license LIBRARY that anyone can link to. Hmm, seems to be working. The PGP/GPG people want their stuff to be used by people to send mail everywhere, so they make it either a non-Open Source license (PGP) or a GPL license (GPG) and also never ever make it a library for non-existant "security" reasons. Guess what! No one uses it!

Oh, and while I'm ranting about the horribleness of Open Source security stuff, why is it that there is STILL no well-integrated filesystem crypto in any of the Open Source operating systems, including the security-oriented OpenBSD? No, loopback crypto kludges don't count at all.

Re:GPG is also a disaster and other rants

[stevenj]

Be under a BSD-ish license, so it could be linked in to commercial and non-commercial products. Be a LIBRARY, not a stand-alone executable, so it can be linked into anything at all.

Right, that's why no one has succeeded in making GPG-encryption plugins for Mozilla, Eudora, Evolution, Outlook, and so on.

Those GNU folks are just evil; that's why they would never agree with something like the Vorbis BSD license.

Or it could be that most people don't really understand the need for encryption, are hopelessly confused by key management, and won't use it until it is bundled with their computer and employed by default in their email program.

Re:GPG is also a disaster and other rants

[PureFiction]

Be a LIBRARY, not a stand-alone executable, so it can be linked into anything at all.

If you read about GPG you would realize that the intentional lack of a library is a feature, not a bug. The GPG application relies on some cool extensions to protect memory areas used for the random pool (entropy source) the key generation algorithms, etc.

The moment you pull that out into a simple library you open up a number of attacks. Perhaps the application using the library got 0wn3d by an LD_PRELOAD trick. Perhaps it is allocating memory poorly and it gets swapped to disk, where another rogue process picks it up. Perhaps another rogue library is scanning application memory space and writing keys to a socket over the network. etc, etc.

There are a number of good reasons why there is no library (the current C libs are simply wrappers around exec to the gpg executable - they work fine, use them). Do you want convenience or real security?

Re:GPG is also a disaster and other rants

[SuperKendall]

The moment you pull that out into a simple library you open up a number of attacks. Perhaps the application using the library got 0wn3d by an LD_PRELOAD trick....

There are a number of good reasons why there is no library (the current C libs are simply wrappers around exec to the gpg executable - they work fine, use them.

Excuse me for my ignorance of how GPG is called, but isn't just loading an executable from your path subject to the same sorts of attacks (really, easier onces) than the LD_LIBRARY_PATH modification? I can just as easily sneak something somewhere in the users PATH ahead of the real GPG...

Re:GPG is also a disaster and other rants

[Tom7]

> Besides, a buffer overrun, or another flaw in your program could then enable the attacker to read your private key because
> it's decoded in your memory space now, not in the seperate GPG space. That's not a huge win, but it's a win.

And your passphrase, passed over IPC to GPG, isn't? That's just as good as having the private key.

I don't see any reason why the issues you list can't be addressed in a library. GPG.so can do its own page locking transparent to the client, it can ignore whatever environment variables it wishes, and it can use mutexes to make it thread safe. It doesn't need to change a default umask (??) when writing to a file that exists, and can simply set the file mode itself when it creat()s the file.

I'm all for OS-enforced abstractions like processes, but I think the issue here is in the design of GPG, not in its basic requirements.

You can't just slap together a security package.

[Meat+Blaster]

Cryptographic programming is one of those disciplines that comingles heavy mathematics, electrical engineering, and programming in the same field.

One can browse a manual on the topic and write an implementation that technically works (when paired with a similarly shoddily-designed decoder), but be fully unaware that the pseudorandom generator is just that. Or that the ones-complement portion of the crypto engine fails when X=0, weakening the whole thing by sixteen bits while not producing garbage.

Unlike a crappily-designed game, it's a lot harder to spot when crypto goes wrong. And most of those thousands of eyes supposedly peering over the code aren't looking that hard.

I'd still contend that commercial crypto has had more and bigger flaws overall, but he's right that the open source process alone isn't going to give you good crypto.

Well then, fix it!

[coinreturn]

Instead of making yourself look so great by "demolishing the security," why not offer the fixes? Yes, open source can be insecure, but at least it will be public knowledge what those insecurities are, and concerned individuals can make the mods themselves.

Re:Well then, fix it!

RTFA. He gave a list of what needs to be done to fix them.

Re:Well then, fix it!

[katre]

Instead of making yourself look so great by "demolishing the security," why not offer the fixes?

If you read the article, his advice is almost every case is "Scrap this, go learn basic crypto, and try again." I don't know crypto at all, but I'm willing to bet that's good advice. And if so, why on earth should he take the job of re-writing CIPE? I think it's great that he's getting the word out that it's insecure. These are the things that should be public knowledge.

Re:Arm chair security experts

[Codeak]

Oh lovely.... so now because these are OSS components, people can't be critical unless they actually code the changes? Informing those that are suppose to care isn't enough? The author made a good faith effort and freely shared his knowledge but instead of saying thank you we'll get someone right on it... it's code or shutup?! *sniff* *sniff* me thinks me smell an ungrateful, eleetist something in the wind.... *Blech*

Software popularity

[_iris]

The time it takes to fix software is inversely proportional to the popularity of that software. I know 0 people that use CIPE and vtun.

Ah.... reminds me of the early days.

[solios]

Back in the day, whenever I'd bitch about how window managers lacked basic functionality, how the default IP tools didn't do multiple hot-switchable configurations, about the lack of decent documentation in the distro, about some aspect of the application that didn't work, shouldn't work that way, or had TOO MANY OPTIONS.... the response was ALWAYS "dude. The source is THERE. FIX IT YOUR OWN DAMNED SELF." With "That's a FEATURE, not a BUG." being a close second. To which I'd usually reply "I'm an ARTIST, not a CODER," resulting in a flamewar about the quality of the Gimp, but that's a different story.

Things like this will get fixed when the people maintaining the packages start doing the gruntwork that gets those little bits enterprise grade- in other words, doing the hard, annoying, pain in the ass shit that you pretty much have to get paid to do, because nobody wants to do it in their free time. Big bonus points to open source software companies for making a BIG effort to do exactly that. :D

So some OSS crypto products suck... and?

[Coryoth]

I'm pretty sure there are some pretty pathetic, sad window managers out there too. Some of the text editors are rather less than impressive as well. There are all manner of dodgy MP3 managements systems. OSS creates all manner of bad software because ANYONE can code something up and release it.

The security and cryptography field just highlights the problem because there are so many opportunities to do something particularly stupid in those fields. Anyone can write a cryptosystem that they can't break themselves. Unfortunately a lot of people figure if they can't break it, then neither can anyone else...

Jedidiah

Re:So some OSS crypto products suck... and?

[AntiOrganic]

I don't think it's fair to say that "OSS creates all manner of bad software because anyone can code something up and release it" because they're perfectly capable of doing that without giving you the source too. At least here we have the ability to see the problems and avoid that software rather than taking the author's word that it's SUPAR 1337, which is much better than finding out much too late that our new IP tunneling solution that we've deployed on a 10,000-machine corporate network needs to be replaced with something else, like some people probably discovered with the PPTP issue.

Like is highlighted in the article, these problems with "dodgy" software tend to arise when the author decides to reinvent the wheel, but neglects the tire and the axle grease.

Everyone wants to make a name for themselves by being the next Richard Stallman, rather than working on the established products with comprehensive peer review and years of code history. Why write new protocols that are doing the same thing that SSH is doing? It's nonsensical.

There's usually very little real reason to create these abominations. If an existing project doesn't have a feature you want and you're capable of coding it, for God's sake, code it to work with the existing product. I'm willing to bet that the guys behind these protocols got flat-out laughed at by anyone doing real cryptography work, but still somehow felt that they were right all along.

my two cents

[jeffy124]

Linux in general is more popular than this project. That popularity gives it more eyes to keep watch on it, and shorter turnarounds when problems are found.

As for this project (CIPE), I personally have never heard of it. Indeed, neither has the poster from that mailing list: A friend of mine recently pointed me at CIPE, a Linux VPN tool that he claimed was widely used but that no-one else I know seems to have heard of.

Re:Well...

[noahm]

Linux is only considered more secure than windows because it has less attacks. Not to mention the script kiddies don't bother to learn Linux, they learn Windows which is on their systems at school, work, home, at the library, at kinkos, at their friends houses.... etc...

This crap got modded up??? I felt sure when I first saw the comment that it would it -1 at mach 3. Especially in light of articles like this one.

Not only that, but if you think about it, blaster and slammer and all those thing... They were only single "attacks", writen presumably by one single person. The nature of the insecurities is what allowed these worms to be as disruptive as they were. You imply with your post that the security of a system is inversely proportional to the scale of the deployment of that system. I'd love to see some evidence of that.

noah

vtun and ssh

[nilsjuergens]

Vtun is still far from being useless.
Just turn off vtun encryption and use it via a ssh tunnel. That works very well (i use it for securing wifi) and uses a proven protocol.

I also believe this is good practice and should be a widely accepted policy - re-use of good and proven software is not lame - it is crucial for easy, fun and secure software development. There really is no need for re-inventing the wheel.

Now if only ssl were so integrated into the operating system that i could use select() on a ssl-socket created with socket(), and thus making writing of ssl-enabled apps as easy as non-ssl-enabled ones, that would be great!

Re:Well...

[Abcd1234]

Of course it'll have a similar number of holes. After all, there's nothing about OSS that makes the software fundamentally more secure. BUT:

1) These holes are far less likely to be in the base operating system implementation, as the OSS mantra is generally to put as much logic in user-space as possible.

2) These holes won't be covered up and released only after the vendor has decided to let us know about them.

3) These holes will be fixed up very quickly (in general, anyway), in individual patches or point releases, without onerous licenses attached to them, and without fear that the release might break the rest of my operating system.

4) Because OSS products use open standards, if one particular package is simply too insecure, at least I can change to another product and have things interoperate (eg, switching from Sendmail to Qmail/Postfix/MTA-de-jour).

Talk about stating the obvious!

[polyp2000]

Open Source or Closed Source, its just as easy to write insecure software, either way.

The point is, that with open source you can see just how insecure or secure a particular product is by looking at the code.

Open source is inherently no more secure than closed source software. The difference is people like "Peter Gutmann" can see what is wrong and be at the ready with suggestions how to fix it.

Re:Give this man a PhD!

Peer Review != Open Source (Hint: 99% of the programming population don't count as peers for cryptography.)

+5 Insightful?

[Sanity]

Lets conduct a little case-study on what is wrong with /. moderation:

Cryptographic programming is one of those disciplines that comingles heavy mathematics, electrical engineering, and programming in the same field.

How much electrical engineering was required to create GPG? Are my emails less secure because I haven't got my GPG PCI board plugged in? Still, he did use the word "cryptographic" so +1 Insightful.

One can browse a manual on the topic and write an implementation that technically works (when paired with a similarly shoddily-designed decoder), but be fully unaware that the pseudorandom generator is just that.

A pseudorandom generator is pseudo-random? Give that man a cigar. Still - he did say "pseudo" so another +1 Insightful.

Or that the ones-complement portion of the crypto engine fails when X=0, weakening the whole thing by sixteen bits while not producing garbage.

Ooh! X=0 - why thats an equasion! +1 Insightful!

Unlike a crappily-designed game, it's a lot harder to spot when crypto goes wrong.

Brings gaming into it - we all like games - and we like the word "crap" - +1 Insightful!

I'd still contend that commercial crypto has had more and bigger flaws overall, but he's right that the open source process alone isn't going to give you good crypto.

Wow - criticizes the established doctrine of Open Source, what a rebel! +1 Insightful!

Re:+5 Insightful?

[Meat+Blaster]

Friend, your complete and utter misunderstanding of the pitfalls of cryptography implementation only reinforces my:

• Extreme depression with the level of technical expertise demonstrated on Slashdot in particular and within the computer industry in general
• Sincere belief that Freenet is nothing more than two ROT13s and a Caesar cipher (using original Roman) fed by a PRNG believed by all to be a RNG
• Renewed dedication to feed only well-decorated bullshit into this site, because I'm sick of wasting hard-earned knowledge on schmucks like you who already think they know it all

You don't use a pseudorandom number generator (such as that provided by rand() under C or the device /dev/random under Linux) because it's predictable and the measure of a good cipher is how random the output seems (a poor man's way of testing either closed or open ciphers is to try compressing the output -- generally good ciphers compress very poorly, but that's just one criterion).

Electrical engineering comes into play when you're having a discussion about what to base a solid random number generator on. One such interchange I witnessed was regarding using entropy from network devices to feed into /dev/urandom (Linux's 'secure' random number generator, which attempts to gather 'randomness' from various sources that are unlikely to generate a recognizable pattern) -- it isn't necessarily a good idea, because on some machines network traffic is very periodic. There is a tradeoff consideration in determining which sources of entropy to use within computer hardware: how quickly do you want to be able to draw on the sources of entropy vs. how secure do you want the final entropic stream to be?

I mention the 1's complement because it's an example of a problem I personally encountered. I had a 16-bit 1's complement checksum I implemented that worked quite well, except for the fact that the software it interfaced to used a zero value to indicate no checksum was present on the packet. However, there were cases where the checksum would really BE zero, and the thing to do was to subtract one in that event (leaving 0xFFFF, which pulled double-duty for values checksumming to 0xFFFF or 0).

I have it on good authority that similar errors have happened and are easy to make particularly in cryptographic implementations, while not necessarily making themselves evident to the implementor in the output. Feeding data through an encrypt -> decrypt phase isn't proof-positive your implementation is correct just because data comes back out unscathed -- maybe you forgot an XOR in two spots or are only putting blocks through 7 of the 8 S-Boxes because of an off-by-one error. Testing is non-trivial.

I mention games because they also combine several disciplines, and the evidence of poor design and implentation is much easier for the layperson to notice. If you think closer attention is paid to cryptography, you haven't been reading Crypto-Gram.

In conclusion, I don't normally give a sizeable rebuttal because that's usually the work of a terminal trollbiter, but frankly I'm kind of shocked at your response given your impressive choice of field in school and Open Source projects (going by your Slashdot description) and think maybe you'll benefit from the details.

Re:Give this man a PhD!

[Asprin]

#1 - He's right.
#2 - So are you, or better yet consider this:

If CIPE were closed source, would he have even been able to write this article? Unless I missed something, nobody ever claimed OS was flawless, just that the flaws were open to scrutiny.

Re:Arm chair security experts

[HidingMyName]

This is open source, figure out where to submit your patches or else you are nothing but an arm chair security expert.

This is a very unfair characterization of Gutmann's work. I read the posted article, and in it Peter Gutmann gives thoughtful analysis and cogent suggestions about how to fix the problems (although the complete rework of vtun sound's it will take a lot of time). I would much prefer Gutmann to do his analysis than have him doing package maintenance, he is far from being an arm chair security expert. I don't think it is an issue of his skill, it is an issue of how he should be allocating his time, and I think he is doing the right sorts of things for the community.

Re:Give this man a PhD!

[ceejayoz]

If the public can't review something, they can't know it's safe.

No, but they certainly can (and will!) assume. Look at Windows users, and look at the Linux zealots who'll gleefully tell you that Linux is invulnerable.

If there truly are zero vulnerabilities, security holes, bugs, etc., it's secure - whether the users trust it to be or not doesn't change that. It just changes whether they're likely to use it.

Re:CIPE

"Industrial strength" is an alternative way of saying "snake oil"

Re:Give this man a PhD!

[monkeydo]

No, what do you think "security" is?

In this context I think "security" is a process of minimizing risks to acceptable levels for an arbitrary application.

If the public can't review something, they can't know it's safe.

So? 99.999% of the population can't determine good programming even if the source is open. I guess by your theory there is no secure software in use at the CIA or the NSA because "the public" hasn't seen the code.

The sanely paranoid won't take anyone's word on security, they need the ability to check it personally.

"The sanely paranoid" != "The public"

Only those using the software need to know it is secure. This can be accomplished whether the software is Open Source or not.

Re:Give this man a PhD!

[1lus10n]

"Only those using the software need to know it is secure. This can be accomplished whether the software is Open Source or not."

i responded instead of modding you. Let me just point out that if the public is using it then it should be open source so that the neccasary non-corporate people (hackers) can take a look at the code and fix what is needed, in the case of microsoft they are saying "trust the people who we employ, and who depend on our products to make money" which is a very very bad thing to rely on.

The open source community might not be perfect, but its one hell of alot closer than any proprietary setup. (not to mention that the larger the OSS community gets the more people will be looking at the code, hence more security.)

the CIA and/or the NSA are bad examples of security in software. (as is anything in gov't) because politicians decide what gets done, and politiks do not mix well with software.

Re:Give this man a PhD!

[Minna+Kirai]

In this context I think "security" is a process of minimizing risks to acceptable levels for an arbitrary application.

To minimize you must first know. To know you must see.

So? 99.999% of the population can't determine good programming even if the source is open.

They can, if they care to, hire an arbitrary number of reputable cryptologists and software engineers to give independent opinions on the safety. The original authors can't have inserted secret backdoors for fear of being found out by these 3rd party reviews (and then being revealed as either untrustworthy or incompetent)

If the source is closed, that review process is either much more expensive, or impossible (if the country has forbidden reverse engineering).

For example, Microsoft today can get the data from any of their users. They simply have to release a "security patch" which instead of removing a buffer-overflow, inserts one in a way they know how to exploit.

Re:Give this man a PhD!

[Minna+Kirai]

If there truly are zero vulnerabilities, security holes, bugs, etc., it's secure

I thought I just explained the definition of "security". It's different from "safety". Check your local dictionary for more info: security is an assurance of safety.

You might be safe, but if you don't know it, you're not secure.

+5 Funny?

[Temporal]

Apparently your posting strategy went something like this:

1. Quote parent poster.
2. Ignore good points made by parent poster.
3. Invent bogus theory for why the moderators modded the guy up.
4. Declare that this was a stupid reason for him to get modded up.
5. +5 Funny!

Ironically, your post made for the better demonstration of the problems inherent in the Slashdot moderation system.

A pseudorandom generator is pseudo-random? Give that man a cigar. Still - he did say "pseudo" so another +1 Insightful.

Do you have any idea at all what he was talking about? Lots of cryptographic algorithms depend on random numbers. A common mistake by newbie cryptographers is to use a pseudo-random number generater which gives predictable values, leading to encryption which is easily broken. Real cryptography software must work very hard to find sources of unpredictable randomness in a system (like, say, the timing of a sequence of keypresses, if the computer has a keyboard). He was making a good point.

Ooh! X=0 - why thats an equasion! +1 Insightful!

Do you even know what ones-complement is? Again, he was making a point, but either you intentionally ignored it for the sake of your reply or if flew right over your head.

Brings gaming into it - we all like games - and we like the word "crap" - +1 Insightful!

He made a good point: If a programmer produces a buggy game, it's not a big problem, even if millions of people play it. But if a programmer produces a buggy cryptography library, and millions of people use it, that IS a problem.

Wow - criticizes the established doctrine of Open Source, what a rebel! +1 Insightful!

Wow - criticizes someone else's post without having a clue what it means! +5 Funny!

Gutmann deserves kudos, you twit

[0x0d0a]

This is open source, figure out where to submit your patches or else you are nothing but an arm chair security expert.

Absolutely absurd. I can't believe you wrote this. People who are good at writing code donate code to free software projects. People who are good artists donate art to free software projects. Yet, somehow, when a noted cryptographer does a (somewhat acerbic) security analysis of *three* open source packages and lists fixes, somehow you feel that he hasn't contributed anything.

Incidently, I'm curious if you're aware exactly how much it would cost in consulting fees to get someone like him to sit down and review a given product. This guy contributed a lot more in terms of intellectual value to those three projects than the forty-five people that sat down and wrote five-line patches to remove gcc warnings (not that their work isn't appreciated, but still).

He deserves our thanks, not scorn.