February 20, 2014

Responsibly Bringing a new Cryptography Product to Market

by with 8 comments

Post Snowden, technologists have rushed a variety of “liberation tech” projects to market, making boastful claims about their cryptographic capabilities to ensure the privacy of their customers. These goals are noble but the results have sometimes been embarrassing.

We’re building a new crypto product ourselves: a high-level secure-by-default framework developers can use to build end-to-end cryptographic applications without writing crypto.

Here’s what we required:

  1. To be independently verifiable it must be open source
  2. Have a spec
  3. Have a threat model
  4. Have clear, well documented code
  5. Be audited by security professionals with a crypto background

In this post I’ll share how we’re going about #5. We’re committed to development in the open, including security review.

The first audit we could schedule was with 3 researchers from the Least Authority team. Among other reasons we chose them because they have deep experience building verifiable storage systems. For anyone in that market, Tahoe-LAFS is a must read.

Auditing is both expensive and hard to schedule, with leading organizations booked months in advance.  The best teams are not limited by their ability to sell their services but rather by their ability to hire and fulfill that work. Consequently there’s very little downward pressure on their rates.

To get the most from a security audit, it’s best to go in with the cleanest code possible. It’s like brushing your teeth before you visit the dentist. It’s impolite and ineffective to ask someone to puzzle over the subtleties of code you haven’t clarified [1].

We focused this first audit narrowly on a bare bones single-user (no collaboration or multi-user sharing) demo application built with the Crypton framework. Our goal was good coverage of the framework’s core fundamentals: account creation, authentication, and single-user data storage.

Unfortunately, at the time we could schedule the audit to begin, there were three issues that the Crypton team knew about but hadn’t a chance to fix or even document. The auditors independently discovered two of those three issues with a lead to the third issue (less severe) tagged [UNRESOLVED] in their report. Additionally they found three other serious issues unknown to the team. Overall, some of the best money we’ve ever spent!

Since the purpose of this post is to give clear expectations, I think it’s important to share real numbers and cleared this with Least Authority.

Zooko explained, “We gave SpiderOak a small discount on our normal price, and moreover we pushed back our other projects in order to get the work done for you first. We did these two things because we wanted to form a relationship with SpiderOak since you provide end-to-end-encrypted storage, and we wanted to support Crypton because it is end-to-end-encrypted and is fully Free and Open-Source Software.”

Our bill was $30,000, or about $5k/researcher per week.

We have a second audit with the nice folks at Leviathan Security, covering the multi-user features of Crypton, and we’ll share that report when it’s complete. In the meantime, here’s the report (rst, pdf) from the first audit by Least Authority.

Here are some of the resulting GitHub issues and pull requests to
resolve the findings. Issue B, C, D, and E.

The resolution for Issue A involves a switch to SRP based authentication. This was part of the longer term roadmap as it provides several additional benefits, but proved to be a nontrivial undertaking and that effort is still ongoing. Some attention is given to this implementation in the next audit by Leviathan Security.

Update: Zooko at Least Authority just published an article discussing their motivation for accepting the project.

Update 2: The originally published version of this post erroneously linked to a non-final draft of the report from Least Authority. That link is corrected; and the final audit report should say “Version 1, 2013-12-20″ at the top.

NOTES:


[1] Zooko shared a story about an experiment that was conducted by Ping Yee in 2007. The results of the experiment illustrate auditing challenges.

In short several very skilled security auditors examined a small Python program — about 100 lines of code — into which three bugs had been inserted by the authors. There was an “easy,” “medium,” and “hard” backdoor. There were three or four teams of auditors.

1. One auditor found the “easy” and the “medium” ones in about 70 minutes, and then spent the rest of the day failing to find any other bugs.

2. One team of two auditors found the “easy” bug in about five hours, and spent the rest of the day failing to find any other bugs.

3. One auditor found the “easy” bug in about four hours, and then stopped.

4. One auditor either found no bugs or else was on a team with the third auditor — the report is unclear.

See Chapter 7 of Yee’s report for these details.

I should emphasize that that I personally consider these people to be extremely skilled. One possible conclusion that could be drawn from this experience is that a skilled backdoor-writer can defeat skilled auditors. This hypothesis holds that only accidental bugs can be reliably detected by auditors, not deliberately hidden bugs.

Anyway, as far as I understand the bugs you folks left in were accidental bugs that you then deliberately didn’t-fix, rather than bugs that you intentionally made hard-to-spot.

Comments
  1. Here’s a blog post on the LeastAuthority.com blog about this, giving our side of the story:

    https://leastauthority.com/blog/least_authority_performs_security_audit_for_spideroak.html

    I thought the part about how the SpiderOak folks *knew* there were several security flaws in the software when they gave it to us, and they didn’t tell us that… I thought that was very interesting. It was a bit scary and challenging, of course, to realize that we might have appeared to be incompetent, if we hadn’t found them! Fortunately, we did a pretty good job of it.

    I actually think this should become a standard practice. Whenever you hire a security auditor, put some security flaws into the version of the software that you’re asking them to look at, and don’t tell them that you did. This will make life harder for we in the security auditing business, but it should be done!

  2. The adversarial part is interesting. You’d think it would make more sense to disclose as much as possible to get your money’s worth.

  3. Great post and great project. Liberation Tech is going to be a huge market, so it is important that developers get it right the first time. Keep in mind that the NSA’s Tailored Access Operation shares in a $500 million budget for breaking things. The best hope is for new secure communications systems is to force them to break the crypto. The expense of doing that is at least guessable.
    But know that they will try everything to find a hole in the implementation first, and steal the keys second.

  4. Intentionally injecting bugs is interesting. It might help you estimate the competence of the auditors.

    In a related vein, if you have multiple auditors, and they each find a certain number of bugs, then you can make a mathematical guess as to how many *unfound* bugs remain. There was an interesting article on that here:

    http://mindyourdecisions.com/blog/2013/09/09/monday-puzzle-unfound-errors/

    The tl;dr is:

    The formula for the number of unfound errors is:

    u = (a – c)(b – c)/c

    where
    a: errors found by person 1
    b: errors found by person 2
    c: errors commonly found
    u: unfound errors

  5. Bitcoin is a peer-to-peer payment set and digital currency introduced as unconditional author software in 2009 alongside pseudonymous developer Satoshi Nakamoto. It is a cryptocurrency, called because it uses cryptography to dominance the creation and transmission of money.] Conventionally, the capitalized word “Bitcoin” refers to the technology and network, whereas lowercase “bitcoins” refers to the currency itself.]
    Bitcoins are created by a take care of called mining, in which participants prove and document payments in trade for matter fees and newly minted bitcoins. Users send and show in bitcoins using billfold software on a private computer, mechanical appliance, or a web application. Bitcoins can be obtained during mining or in return for products, services, or other currencies.]
    Bitcoin has been a testee of investigation in arrears to ties with illicit activity. In 2013 the U.S. FBI leave off down the Silk Track online black market and seized 144,000 bitcoins worth US$28.5 million at the time.] The U.S. is considered Bitcoin-friendly compared to other governments, however.0] In China new rules circumscribe bitcoin exchange object of townsman currency. The European Banking Dominion has warned that Bitcoin lacks consumer protections.2] Bitcoins can be stolen and chargebacks are impossible.3]
    Commercial expend of Bitcoin, illicit or differently, is currently miniature compared to its utilize at hand speculators, which has fueled prize volatility.4] Bitcoin as a form of payment quest of products and services has seen evolution, howsoever, and merchants get an encouragement to receive the currency because negotiation fees are take down than the 2–3% typically imposed by means of credit card processors.5]

  6. Bitcoin is a peer-to-peer payment system and digital currency introduced as unagreed provenience software in 2009 on pseudonymous developer Satoshi Nakamoto. It is a cryptocurrency, so-called because it uses cryptography to control the the universe and hand on of money.] Conventionally, the capitalized high sign succinctly “Bitcoin” refers to the technology and network, whereas lowercase “bitcoins” refers to the currency itself.]
    Bitcoins are created sooner than a proceeding called mining, in which participants substantiate and take down payments in trade in behalf of action fees and newly minted bitcoins. Users send and give entr‚e bitcoins using purse software on a personal computer, mobile plot, or a web application. Bitcoins can be obtained by mining or in traffic for products, services, or other currencies.]
    Bitcoin has been a subject of investigation exactly to ties with illicit activity. In 2013 the U.S. FBI secure a switch down the Silk Direction online coloured demand and seized 144,000 bitcoins benefit US$28.5 million at the time.] The U.S. is considered Bitcoin-friendly compared to other governments, however.0] In China budding rules restrict bitcoin exchange on city currency. The European Banking Testimony has warned that Bitcoin lacks consumer protections.2] Bitcoins can be stolen and chargebacks are impossible.3]
    Commercial expend of Bitcoin, illicit or else, is currently miniature compared to its profit by by speculators, which has fueled price volatility.4] Bitcoin as a bearing of payment for products and services has seen growth, on the other hand, and merchants keep an encouragement to endure the currency because arrangement fees are cut than the 2–3% typically imposed by means of have faith be forthright processors.5]

  7. Bitcoin is a peer-to-peer payment set and digital currency introduced as announce author software in 2009 by pseudonymous developer Satoshi Nakamoto. It is a cryptocurrency, so-called because it uses cryptography to suppress the the universe and transmission of money.] Conventionally, the capitalized chit-chat “Bitcoin” refers to the technology and network, whereas lowercase “bitcoins” refers to the currency itself.]
    Bitcoins are created beside a proceeding called mining, in which participants verify and record payments in trade in regard to transaction fees and newly minted bitcoins. Users send and show in bitcoins using billfold software on a private computer, mechanical plot, or a net application. Bitcoins can be obtained during mining or in return for products, services, or other currencies.]
    Bitcoin has been a referred to of probe proper to ties with illicit activity. In 2013 the U.S. FBI conceal down the Silk Track online gloomy vend and seized 144,000 bitcoins benefit US$28.5 million at the time.] The U.S. is considered Bitcoin-friendly compared to other governments, however.0] In China budding rules delimit bitcoin the market for the benefit of local currency. The European Banking Authority has warned that Bitcoin lacks consumer protections.2] Bitcoins can be stolen and chargebacks are impossible.3]
    Commercial utilize consume of Bitcoin, illicit or otherwise, is currently close-fisted compared to its contemn at hand speculators, which has fueled value volatility.4] Bitcoin as a form of payment looking for products and services has seen spread, howsoever, and merchants have an inducement to accept the currency because arrangement fees are take down than the 2–3% typically imposed by means of commendation card processors.5]