applied cryptography
• Builds secure systems
• Trained under Susan Hohenberger & Avi Rubin
• Former senior research staff: AT&T Labs
• On-going research includes:
  o Techniques for privacy-enhanced information storage
  o Anonymous payment systems (including ZeroCoin)
  o Bilinear map-based cryptography
• @matthew_d_green
DEF CON 22 | 2014.08.08
counter & undermine “the use of ubiquitous encryption across the internet”
• NIST technical standards “intentionally weakened”
• BULLRUN: NSA actively working to “Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets”
The New York Times, 2013/09/05
See: www.eff.org/nsa-spying/timeline
of cryptographic work” — National Institute of Standards and Technology, Nov 2013
Recommends that the US government “fully support and not undermine efforts to create encryption standards” — Presidential Advisory Committee, Jan 2014
“[C]lassified [reports] have heightened concern over the possibility of a backdoor… after conducting its own review, NIST [has] removed DRBG” — National Institute of Standards and Technology, Apr 2014
in volume headers
• Small differences in distributed binaries vs. source
• Windows vs. Mac & Linux
• With exception of deniability volume, no formal cryptanalysis
• Deterministic build? (Xavier de Carné de Carnavalet)
• Last license review in 2008 by RedHat/Fedora/OSSI concluded “we would not be protected from a lawsuit” and “this license is non-free”
• Yes, we take Bitcoin.
• Yes, the site is mobile-friendly.
• No, we don’t take PayPal.
• /sets up IndieGoGo site.
• Yes! We take PayPal.
Economist, Nature, CIO, The Register, InfoWorld, PC World, Network World . . .
• What do you mean there’s $30,000 in PayPal?!
A U.S. non-profit organization, incorporated in the state of North Carolina, currently seeking federal 501(c)(3) tax-exempt designation
free open source software (“FOSS”) projects in the public interest
  o Coordinate volunteer technical experts in security, software engineering, and cryptography
  o Conduct analysis and research on FOSS and other widely used software in the public interest
Nate Lawson
  o Runa Sandvik
  o Bruce Schneier
  o Thomas Ptacek
  o Jim Denaro
  o Moxie Marlinspike
  o Trevor Perrin
  o Joseph Lorenzo Hall
the small handful of organizations that are capable of doing this work
• Great response from iSec Labs
• Open Technology Fund matching grant
key derivation (low KDF iteration count)
• Sensitive information could be paged out from kernel stacks
• Issues in the boot loader decompressor
• Use of memset() to clear sensitive data
• Overall findings: “no evidence of backdoors or intentional flaws”
as always)
• Vulnerabilities discovered would likely require physical access to a mounted volume to construct exploit chains (scrape key material, page files, etc.)
• This is *not* a part of the TrueCrypt security model
• If your machine is compromised, disk crypto will not help you (see Culp-White Law, earlier)
• PSA: *All* major FDEs, including BitLocker, dm-crypt, and FileVault have identical attack vectors
• So far, so good.
II (formal cryptanalysis) of the code
• We have created a trusted repository of source and binaries for all platforms
• Thomas Ptacek and Nate Lawson organizing Phase II
• We are considering several post-audit scenarios, /possibly/ including financial support for a trusted fork
• *Many* challenges and questions remain
of view, between gross and tiny errors. Both of them are equally exploitable... This lesson is very hard to internalize. In the real world, if you build a bookshelf and forget to tighten one of the screws all the way, it does not burn down your house.” — Maciej Cegłowski
interesting. Everybody thinks if you have source code, you’re going to be able to find everything wrong with [a system]. That’s a misconception. It’s nice to have source code so if you see something funny happening, you can check and see why – try to dig down… But for somebody to [manually] analyze millions of lines of source code, it’s just not going to happen.” — Richard George Former Technical Director NSA Information Assurance Directorate Retrospective Keynote, June, 2014 vimeo.com/97891042 [35:50]
Review limitations of the language/framework
• Understand compiler optimization side-effects
• GCC 4.4+ (2009) offers a pragma for function-level optimization control or prevention (see: gcc.gnu.org/onlinedocs/gcc-4.4.0/gcc/Optimize-Options.html)
• Learn from others’ experience
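The memset() finding from the Phase I results and the compiler-optimization point above are the same problem seen from two sides: a compiler may delete a store to memory that is never read again, so a plain memset() over a key buffer just before it goes out of scope can disappear from the binary even though it is present in the source. The following is an added example, not code from the audit or from TrueCrypt. It shows a zeroing routine that survives dead-store elimination by writing through a volatile pointer, a check that reports whether a buffer actually came back zero, and the GCC-only per-function optimization control the slide refers to. The names secure_memzero, is_all_zero, derive_and_use_key and plain_zero_unoptimized are the example's own, and the "KDF" inside derive_and_use_key is a constructed stand-in, not a real key derivation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer in a way the optimizer may not elide.
 * Every store goes through a volatile pointer, so the compiler must emit it,
 * unlike a plain memset() whose result is never read again.
 * (C11 memset_s() and glibc's explicit_bzero() address the same problem where
 * available; this portable version assumes neither.) */
void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Return 1 if every byte of the buffer is zero, else 0.
 * OR-accumulate so the loop has no data-dependent early exit. */
int is_all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

#if defined(__GNUC__) && !defined(__clang__)
/* The other option the slide mentions: GCC 4.4+ lets optimization be turned
 * off for a single function (attribute form of "#pragma GCC optimize"), so a
 * plain memset() inside it is kept rather than treated as a dead store.
 * Assumption: the attribute is GCC-specific and is ignored elsewhere. */
__attribute__((optimize("O0")))
#endif
void plain_zero_unoptimized(void *p, size_t n)
{
    memset(p, 0, n);
}

/* The pattern the audit flagged: key material derived into a stack buffer,
 * used, then cleared before the function returns. With plain memset() the
 * clear is a dead store under optimization and may be removed, leaving the
 * key bytes on the stack. This version clears with secure_memzero() and
 * returns 1 if the buffer was really wiped. */
int derive_and_use_key(const unsigned char *password, size_t pwlen,
                       unsigned char *out_digest)
{
    unsigned char key[32];

    /* Constructed stand-in for a KDF: fold the password into 32 bytes.
     * A real implementation would run PBKDF2 with a high iteration count. */
    memset(key, 0, sizeof key);
    for (size_t i = 0; i < pwlen; i++) {
        key[i % sizeof key] ^= password[i];
    }

    /* "Use" the key: hand a derived value back to the caller. */
    for (size_t i = 0; i < sizeof key; i++) {
        out_digest[i] = (unsigned char)(key[i] + 1);
    }

    /* Clear the key before the stack frame is released. */
    secure_memzero(key, sizeof key);
    return is_all_zero(key, sizeof key);
}

int main(void)
{
    unsigned char digest[32];
    /* Constructed sample password, not a real credential. */
    int wiped = derive_and_use_key((const unsigned char *)"hunter2", 7, digest);
    printf("key buffer wiped: %s\n", wiped ? "yes" : "no");
    return wiped ? 0 : 1;
}
```

The volatile-pointer loop is the portable choice; where the build targets a known C library, memset_s() or explicit_bzero() express the same intent and let the library implement it efficiently. Either way, confirm the behaviour on the shipped binary rather than the source, since the slide's point is that the two can differ.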
not crypto errors
• Static analyzers are not enough
• Manual inspection is not enough
• Source code can result in unexpected binary code
• Subject matter experts (protocols, crypto, network) may bring more perspective than “enough” eyes
April 23, 2014
• Beginning Phase II, to include:
  o Formal cryptanalysis
  o OSX & Linux review
  o Additional license work
• Partnering with Linux Foundation Core Infrastructure Initiative
• Auditing OpenSSL, possibly more
• Looking ahead!
• Trusted TC mirror: github.com/AuditProject/truecrypt-verified-mirror
• One-off bug bounties are not enough
• Encourage secure coding practices
• Support & create smarter test harnesses
• Develop a workable model for public code review