We are pleased to announce the details for the 2015 Crypto & Privacy Village Challenges!
In cooperation with the DEF CON Crypto & Privacy Village, we are running two special challenges, with the winners to be announced on Saturday, August 8th. The challenges are in two categories: backdooring existing software, and designing something from scratch.
Each category will be judged independently:
- GPG Key Leaking: Patch the GPG source code to leak the user’s private key in a subtle way. The leak should be performed in such a way that the average user would not notice it. Annotated samples must be included to demonstrate the technique and its effectiveness.
- Password Hashing Backdoor: Design and optionally implement a password hashing system or password-based authentication protocol that, when a secret value is supplied, will allow an attacker to authenticate to any account. The system should appear secure under a typical peer review. Bonus points for a working implementation. The design should be documented in a plain text ASCII file or a PDF file.
The secret value may depend on the account, and it is acceptable if the attacker must first steal the stored hashes in order to learn it. The more your entry assumes about the attacker’s capabilities, the less highly it will rank, unless those assumptions make the backdoor harder to detect. You may also give the attacker capabilities as part of your submission, e.g. by including a side-channel vulnerability that lets them leak the stored hash, instead of just assuming they have stolen the hash database.
Special thanks to the Crypto & Privacy Village team for helping to make this a reality. We greatly appreciate all those that support and participate in this contest.
For more information, please see the rules.