Security Researcher Vetting? #59
Comments
|
Sorry for the late reply. I have no immediate plans to engage an audit. There are a lot of things I'd like to see refactored before I feel that would be productive. However, the code was tangentially reviewed as part of Cryptocat and the library's dependencies were found wanting. Crypto.js is subject to cache-access leaks, bigint.js's powmod isn't constant time and its rng was biased. That doesn't instill a lot of confidence. Moreover, bigint.js isn't maintained upstream and probably wasn't ever intended for production. A rewrite on sjcl (which also hasn't had commits in a few months) or with the webcrypto api (though that doesn't have any plans to implement DSA last I checked) may be prudent. There is an emscripten compiled version of libotr, though that doesn't lend itself very well to auditability. If xul is your thing, there're js-ctypes bindings to libotr. For node, native bindings might be good. However, the most promising looks like Google's end-to-end, when it's ready. That exhausts the ecosystem of which I'm aware. |
|
👍 |
Pardon my ignorance, but why would that be the case? |
|
The emscripten version depends on bigint.js for the following functions: I'm inclined to agree with @arlolra with respect to auditability of the emscripten compiled version of libotr, since the library is a combination of pure javascript + asm.js compiled code of the native C library. So an audit would have to cover the javascript code, native C library, and the emscripten/asm.js compilers. Can you think of any other reasons? |
How bad is the slowdown? I think it'd be preferable to pay the penalty and remove that dependency.
I wrote that sentence because at face value it seemed adding another layer of indirection would increase the audit surface. Particularly, I was worried about subtle timing leaks from the compiler. However, a little digging leads me to believe that asm compiled code may be less likely to introduce side channels. It may be worth spending some time producing deterministic builds of the compiled libotr to increase trust in the obfuscated code. |
|
Last time I checked the slowdown was significant. Which made SMP and DSA key generation slow. But I tried rebuilding libotr4.js in otr4-em without the bigint dependancy, and strangely I don't see much slow down in SMP and key generation. Performance in browsers is very good (better than in node) probably because of the asm.js optimisation in the browsers? So I think I will take your advice an remove bigint.js from otr4-em Deterministic builds sounds very important. It should be easy todo. I would have to skip the closure compiler and minifying steps in emscripten to remove obfuscation and produce more deterministic javascript. Will definitely look into that. Thanks Arlo for your insight and helpful feedback as always :) |
Is it the FIPS test? |
|
Yes it seems the FIPS test is the slow one. I timed the tests: With bigint override: Without bigint: Is the FIPS DSA version used in libotr ? |
Nope. The difference being the extra work to generate a seed which is never used. |
Will this be evaluated by security researchers? I'm interested in using this for some projects, but I don't know how to test for effectiveness.
The text was updated successfully, but these errors were encountered: