Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ
Ξ We've updated our CA certificate. All members need to be using the latest ones by Dec 22. See this page for more infoΞ

The Triangle of Secure Code Delivery

Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.

Topic Author
sarciszewski
Posts: 1
Joined: Sun Sep 13, 2015 7:11 pm
Contact:

The Triangle of Secure Code Delivery

Postby sarciszewski » Tue Sep 15, 2015 11:43 am

From Defuse Security, The Triangle of Secure Code Delivery is defined as:

  1. Reproducible Builds
  2. Userbase Consistency Verification
  3. Cryptographic Signatures

Reproducible builds, in practice, requires access to the source code, and furthermore being able to reliably and consistently produce a bit-for-bit deliverable. In PHP land, I've built a utility called Pharaoh to diff two .phar files to further this aim.

Userbase Consistency Verification is simply implemented by building a linked list atop a distributed Merkle tree (e.g. the Bitcoin block chain) of the SHA2-512/256 or BLAKE2b hashes, version ID, a timestamp, and any other metadata appropriate for permanently storing this information in a globally verifiable manner.

Cryptographic signatures are the easiest of the three legs of this triangle to solved: Just use crypto_sign() and crypto_sign_open() from Libsodium.

So far there aren't a lot of great tools available for #1 and #2. (Pharaoh is a narrow use-case; it will only help people who produce or consume .phar files in PHP environments.) If we want to achieve a verifiably secure internet, more research and development efforts should focus on these problems. (EdDSA solves #3 for now, and EdDSA-SPHINCS solves it in the distant future.)
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises

Return to “crypto, VPN & security news”

Who is online

Users browsing this forum: No registered users and 6 guests

cron

Login