Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online)...
Transcript of Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online)...
![Page 1: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/1.jpg)
Hunting Invisible Salamanders: Cryptographic (in)Security with Attacker-Controlled Keys
Paul GrubbsCornell Tech, New York University, University of Michigan
1
![Page 2: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/2.jpg)
About Me
Now: PhD student in Computer Science at Cornell’s NYC campus
This fall: starting postdoc at NYU
Next fall: starting as junior professor at Michigan EECS
2
![Page 3: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/3.jpg)
This Talk
This is a talk about cryptography. Some of the slides involve math.
This symbol: if you don’t understand all the details, don’t worry about it!
Intended audience: those who design, implement, and use cryptography.Others will find talk interesting and enjoyable but may lack some context.
3
![Page 4: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/4.jpg)
Cat Picture
4
Authenticated Encryption
Core of protocols like TLS, IPSec, SSH
Encrypt message with usingauthenticated encryption (AE)
(Galois/Counter Mode, Chacha20/Poly1305)
Agree on random key
If key is random + hidden:AE hides cat pictures, prevents modifications
???
![Page 5: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/5.jpg)
5
New Settings, New Needs
Attacker chooses key(s)
Attacker Message
Encrypt message with usingauthenticated encryption (AE)
(Galois/Counter Mode, Chacha20/Poly1305)
Increasingly important setting for AE:• Password-Based Encryption/PAKE• E2EE Group Messaging• Abuse Reporting in Encrypted Messaging
Key isn’t random + hidden!What security do we need?
What security do we expect?
![Page 6: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/6.jpg)
6
Describe “attacker-controlled keys” setting + examples, explain committing security property AE needs
Many widely-used AE schemes are not committing: can break for GCM, ChaCha20/Poly1305, others
Overview
Based on these research papers:Message Franking via Committing Authenticated Encryption
G., Lu, Ristenpart. IACR CRYPTO17. https://eprint.iacr.org/2017/664Fast Message Franking: From Invisible Salamanders to Encryptment
Dodis, G., Ristenpart, Woodage. IACR CRYPTO18. https://eprint.iacr.org/2019/016Partitioning Oracle Attacks
Len, G., Ristenpart. In submission.
Attacks resulting from non-committing AE:- Inconsistent plaintexts in multi-receiver encryption- Invisible salamanders in Facebook’s message franking- Key recovery via partitioning oracle attacks
6
![Page 7: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/7.jpg)
7
Describe “attacker-controlled keys” setting + examples, explain committing security property AE needs
Many widely-used AE schemes are not committing: can break for GCM, ChaCha20/Poly1305, others
Overview
Based on these research papers:Message Franking via Committing Authenticated Encryption
G., Lu, Ristenpart. IACR CRYPTO17. https://eprint.iacr.org/2017/664Fast Message Franking: From Invisible Salamanders to Encryptment
Dodis, G., Ristenpart, Woodage. IACR CRYPTO18. https://eprint.iacr.org/2019/016Partitioning Oracle Attacks
Len, G., Ristenpart. In submission.
Attacks resulting from non-committing AE:- Inconsistent plaintexts in multi-receiver encryption- Invisible salamanders in Facebook’s message franking- Key recovery via partitioning oracle attacks
7
![Page 8: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/8.jpg)
8
Attacker-Controlled Keys
Attacker Message
Message and encryption key both chosen by adversary
Cat Picture
is hidden, has lots of randomness
Try to learn message or change decryption output
![Page 9: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/9.jpg)
9
Example: Password-based AEGuess
password1
Can’t decrypt!123456
…
password1
Guess
If attacker doesn’t know decryption key,
can learn using (online) brute-force attack
Brute-force feasible if key is not very random(e.g. password/PIN) or if side channel leaks key bits
They’re using
password1!
Decryption succeeded!
![Page 10: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/10.jpg)
10
Example: Reporting PlaintextsFraudulent Records
AE.Decrypt( , )Fraudulent Records
Attacker chooses encryption and decryption key: tries to
lie about ciphertext contents
Decrypt outputs something other than fraudulent records
Can’t let the auditor see records…
Auditor
![Page 11: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/11.jpg)
Useful to imagine AE as a lockbox
???Intuition holds for hidden random key: • Can’t see inside (confidentiality)• Can’t change contents (integrity)
11
Committing Security for AE
No matter the key, only one thing can come out when it’s unlocked
![Page 12: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/12.jpg)
Useful to imagine AE as a lockbox
Intuition holds for hidden random key: • Can’t see inside (confidentiality)• Can’t change contents (integrity)
12
Committing Security for AE
Without this, AE lockboxes could unlock many ways…
Committing security binds attacker to a single AE decryption, preventsinvisible salamanders in ciphertexts
![Page 13: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/13.jpg)
13
Reporting Salamanders
AE.Decrypt( , )
If AE is committing, attacker can’t lie about plaintext by
choosing different key
Decrypt fails - can’t report salamanders
Auditor
Committing AE
Committing AE
![Page 14: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/14.jpg)
14
Describe “attacker-controlled keys” setting + examples, explain committing security property AE needs
Many widely-used AE schemes are not committing: can break for GCM, ChaCha20/Poly1305, others
Overview
Based on these research papers:Message Franking via Committing Authenticated Encryption
G., Lu, Ristenpart. IACR CRYPTO17. https://eprint.iacr.org/2017/664Fast Message Franking: From Invisible Salamanders to Encryptment
Dodis, G., Ristenpart, Woodage. IACR CRYPTO18. https://eprint.iacr.org/2019/016Partitioning Oracle Attacks
Len, G., Ristenpart. In submission.
Attacks resulting from non-committing AE:- Inconsistent plaintexts in multi-receiver encryption- Invisible salamanders in Facebook’s message franking- Key recovery via partitioning oracle attacks
14
![Page 15: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/15.jpg)
Derive Pad
IV
Derive Pad’ ⨁
15
Invisible Salamanders for CTR Mode
=
Plaintext
Pad
Ciphertext
=
⨁
Pad’
Plaintext’
![Page 16: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/16.jpg)
16
Galois/Counter Mode (GCM)GCM is a fast, modern AE.
NIST/IEEE/ISO standard
Uses AES-CTR + message authentication code (MAC) to prevent tampering AES-CTR
Tag
Message
MessageIV
Decryption recomputes, checks tag,fails if tags do not match
AES-CTR
Salamander
To get invisible salamanders for GCM,need to find with same MAC
output for and MessageIV
Tag
Input
Input
Output
MAC
MAC
![Page 17: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/17.jpg)
17
Colliding GCM’s MAC
IV
MAC is polynomial evaluation + XOR.Fast but not collision-resistant (cf. SHA-256)
Tag
MAC( , ):C1 = Blocks( )H = AES( , 0)Pad = AES( , )
= C1*H2 + len*H + Pad
IV
Tag
IV
1.
2.
3.
1. Split ciphertext into blocks (coefficients)2. Compute hash point (H) and pad (Pad)3. Evaluate polynomial at H, then XOR Pad
(‘len’ is encoded ciphertext length)
![Page 18: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/18.jpg)
18
Colliding GCM’s MACTag is a “simple” algebraic function of ciphertext:
solve one equation to collide for two keys
1. Choose any 2. For key , derive H1, Pad13. For key , derive H2, Pad24. Set tag equations equal, solve for C1:
5. Let be C1 , recompute 6. Output
IV
C1*H12 + len*H1 + Pad1
= C1*H22 + len*H2 + Pad2
TagMessageIV
Message Tag
C1*(H12 + H2
2) = len*(H1 + H2) + Pad1 + Pad2
C1 = [len*(H1 + H2) + Pad1 + Pad2]*(H12 + H2
2)-1
2x = 6
x = 3
IV
Tag
MAC( , ):C1 = Blocks( )H = AES( , 0)Pad = AES( , )
= C1*H2 + len*H + Pad
IV
Tag
IV
One equation, one unknown!
Not true for collision-resistant hashes like SHA-256
![Page 19: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/19.jpg)
19
From Two Keys to Many
𝐻!"#! ⋯ 𝐻!$⋮ ⋱ ⋮
𝐻%"#! ⋯ 𝐻%$
𝑇𝑎𝑔 + 𝑃𝑎𝑑! + 𝑙𝑒𝑛𝑠 ∗ 𝐻!⋮
𝑇𝑎𝑔 + 𝑃𝑎𝑑" + 𝑙𝑒𝑛𝑠 ∗ 𝐻"
𝐶!⋮𝐶"
=
IV
Tag
MAC( , ):C1 , …, Cm = Blocks( )H = AES( , 0)Pad = AES( , )
= ∑𝒊 C𝒊∗Hm+2−𝒊 + len*H + Pad
IV
Tag
IV
C1*(H12 + H2
2) = len*(H1 + H2) + Pad1 + Pad2
C1 = [len*(H1 + H2) + Pad1 + Pad2]*(H12 + H2
2)-1
C1*H12 + len*H1 + Pad1 = C1*H2
2 + len*H2 + Pad2
Linear Algebra
One equationper key
As many variables as ciphertext blocks: can solve when m ≥ k in O(k2) time
Polynomial MACs are very common:Poly1305 (libsodium, NaCL), GCM-SIV, etc.
Colliding GCM’s MAC on two keys is pretty easy.Can even collide many (>>2) keys: use interpolation
![Page 20: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/20.jpg)
</math>
𝐻!"#! ⋯ 𝐻!$⋮ ⋱ ⋮
𝐻%"#! ⋯ 𝐻%$
𝑇𝑎𝑔 + 𝑃𝑎𝑑! + 𝑙𝑒𝑛𝑠 ∗ 𝐻!⋮
𝑇𝑎𝑔 + 𝑃𝑎𝑑" + 𝑙𝑒𝑛𝑠 ∗ 𝐻"
𝐶!⋮𝐶"
=
IV
Tag
MAC( , ):C1 , …, Cm = Blocks( )H = AES( , 0)Pad = AES( , )
= ∑𝒊 C𝒊∗Hm+2−𝒊 + len*H + Pad
IV
Tag
IV
C1*(H12 + H2
2) = len*(H1 + H2) + Pad1 + Pad2
C1 = [len*(H1 + H2) + Pad1 + Pad2]*(H12 + H2
2)-1
C1*H12 + len*H1 + Pad1 = C1*H2
2 + len*H2 + Pad2
Linear Algebra
One equationper key
As many variables as ciphertext blocks: can solve when m ≥ k in O(k2) time
Polynomial MACs are very common:Poly1305 (libsodium, NaCL), GCM-SIV, etc.
20
Colliding GCM’s MAC on two keys is pretty easy.Can even collide many (>>2) keys: use interpolation
1. Widely-used AE schemes are not committing(though they are fine for use in TLS/IPSec/SSH!)
2. Crafting invisible salamanders for them is easy3. One ciphertext can have 100,000s+ invisible salamanders
(E.g., my colleague generated one with 131,072 correct decryptions)
![Page 21: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/21.jpg)
21
Describe “attacker-controlled keys” setting + examples, explain committing security property AE needs
Many widely-used AE schemes are not committing: can break for GCM, ChaCha20/Poly1305, others
Overview
Based on these research papers:Message Franking via Committing Authenticated Encryption
G., Lu, Ristenpart. IACR CRYPTO17. https://eprint.iacr.org/2017/664Fast Message Franking: From Invisible Salamanders to Encryptment
Dodis, G., Ristenpart, Woodage. IACR CRYPTO18. https://eprint.iacr.org/2019/016Partitioning Oracle Attacks
Len, G., Ristenpart. In submission.
Attacks resulting from non-committing AE:- Inconsistent plaintexts in multi-receiver encryption- Invisible salamanders in Facebook’s message franking- Key recovery via partitioning oracle attacks
21
![Page 22: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/22.jpg)
22
Multi-Receiver EncryptionIn group messaging applications, senders must encrypt and send messages to group
Keys shared pairwise; only one ciphertext
![Page 23: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/23.jpg)
23
Multi-Receiver Encryption
Cat Picture Cat Picture
Cat Picture
In group messaging applications, senders must encrypt and send messages to group
Used by Whatsapp, Keybase, others
Keys shared pairwise; only one ciphertext
![Page 24: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/24.jpg)
24
Multi-Receiver Encryption
Used by Whatsapp, Keybase, others
Message
Message
Message
If encryption is not committing:send different keys, ciphertextwith invisible salamander
In group messaging applications, senders must encrypt and send messages to group
Keys shared pairwise; only one ciphertext
Different receivers seedifferent messages!
Theoretical attack. Unclear if these are vulnerable (homework!)
![Page 25: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/25.jpg)
They said !%$#!
!%$#!!%$#!!%$#!
Abuse Reporting for Encrypted Messaging
[Facebook 2016]: Reporting via ad-hoc proof of contents: message franking
Service can’t tell if “!%$#!” was sent. Need secure reporting of message content
25
Attack: use of non-committing encryption means any sender could
have sent unreportable content
![Page 26: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/26.jpg)
Facebook’s Message Franking Protocol
!%$#!!%$#!
1. 2. 3.!%$#!
Message franking:1. GCM Encrypt w/sender-chosen per-message key2. Facebook stores, forwards ciphertexts3. Report all recent keys, FB
decrypts unique ciphertexts
26
![Page 27: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/27.jpg)
Evading Message Franking
!%$#! !%$#!
!%$#! !%$#!!%$#!
3. receiver sees both
Message franking:1. Encrypt w/sender-chosen per-message key2. Facebook stores, forwards ciphertexts3. Report all recent keys, FB
decrypts unique ciphertexts
4. Only the innocuous image appears in report to Facebook!
27
2. Send twice with /
1. Craft GCM ciphertext :• Decrypts under to innocuous image• Decrypts under to abusive image
!%$#!
!%$#!
![Page 28: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/28.jpg)
Proof of concept: ciphertext which decrypts tovalid JPEG under and valid BMP under
ff d8
42 4d
ff fe
L0 , L1 00 00
CL0,CL1 Junk
BMP data
JPEG data
Junk
ff d9
C0 , C1 , C2 , C3 C4 , C5 BMP ctxt Padding JPEG ctxt
Decryptwith K1
Decryptwith K2
1 2 31. Image headers2. BMP length and
comment header3. Comment length
(JPEG)
(BMP)
Crafting the Ciphertext
Abusive JPEG receiver sees, but not in abuse report
Innocuous BMPin abuse report
![Page 29: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/29.jpg)
29
Partitioning Oracles
Guess
password1
Can’t decrypt!123456
…
password1
Guess
Decryption succeeded!
Use of non-committing AE with passwordscan lead to partitioning oracles: speedupfor online brute-force key recovery for AE
![Page 30: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/30.jpg)
30
Partitioning Oracles
password1123456
password1
Found partitioning oracle attacks on:• Shadowsocks UDP proxying• Incorrect OPAQUE prototypesLatent vulnerabilities elsewhere
Decryption succeeded!
Guess
Check two guesses with one ciphertext
Worst-case exponential reduction in guesses!E.g., one million passwords = only 20 guesses
Use of non-committing AE with passwordscan lead to partitioning oracles: speedupfor online brute-force key recovery for AE
![Page 31: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/31.jpg)
31
Preventing Invisible Salamanders
Committing AE schemes do exist!E.g., CTR-then-HMAC (done correctly)
Not standardized, nor widely available in libraries(also can be less efficient than non-committing AE)
Needed only if attacker-controlled keys are part of threat model
![Page 32: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/32.jpg)
32
Describe “attacker-controlled keys” setting + examples, explain committing security property AE needs
Many widely-used AE schemes are not committing: can break for GCM, ChaCha20/Poly1305, others
Conclusion
Attacks resulting from non-committing AE:- Inconsistent plaintexts in multi-receiver encryption- Invisible salamanders in Facebook’s message franking- Key recovery via partitioning oracle attacks
Based on these research papers:Message Franking via Committing Authenticated Encryption
G., Lu, Ristenpart. IACR CRYPTO17. https://eprint.iacr.org/2017/664Fast Message Franking: From Invisible Salamanders to Encryptment
Dodis, G., Ristenpart, Woodage. IACR CRYPTO18. https://eprint.iacr.org/2019/016Partitioning Oracle Attacks
Len, G., Ristenpart. In submission.32
Thanks for listening! Any
questions?
Special thanks to all my coauthors, and Hugo Krawczyk, Katriel Cohn-Gordon, and BlackHat organizers
![Page 33: Hunting Invisible Salamanders · 2020. 7. 29. · know decryption key, can learn using (online) brute-force attack Brute-force feasible if key is not very random (e.g. password/PIN)](https://reader036.fdocuments.us/reader036/viewer/2022071019/5fd2d5a61ebc0d2de5518c56/html5/thumbnails/33.jpg)
33