Showing posts with the label The Internet of Broken Protocols
(Joint work with Sophie Schmieg, but mistakes are mine alone) Nobody remembers why, but poor Bob was arrested and is in jail. He wants to send Alice a secret message. Wilson the warden, however, wants to read and censor messages he doesn't like. As a compromise, everybody agrees to use the following hybrid encryption protocol:
1/ Bob obtains Alice's public key and Wilson's public key.
2/ Bob symmetrically encrypts his message with a randomly generated message key K.
3/ Bob wraps K under Alice's public key.
4/ Bob wraps K under Wilson's public key.
5/ The final message is the concatenation of the outputs of 2/, 3/ and 4/.
Wilson can decrypt, and drops the message if he doesn't like it. Otherwise he forwards the encrypted message to Alice. Bob has no privacy with respect to Wilson, but he can still maintain his privacy with respect to the rest of the world. There are two implementations of the protocol: 1/ DJB-certified - symmetric key encryption in step 2/ is ChaCh...
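The honest run of the five steps above, written out as an added example; this is not the post's code and not either of the two implementations it mentions. AES-256-GCM stands in for the step-2 cipher, RSA-2048 with OAEP for the key wrapping in steps 3 and 4, and the fixed-length layout of the step-5 concatenation is an assumption. It models only what the steps say: Wilson unwraps his copy of K, reads, and forwards the unchanged message to Alice. The attack the showcase is after is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	nonceSize = 12  // AES-GCM nonce length (assumption: the post fixes no cipher)
	wrapSize  = 256 // RSA-2048 OAEP output length (assumption)
	keySize   = 32  // message key K, used as an AES-256 key (assumption)
)

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Bob's side, steps 2 to 5. Wire layout (assumption):
// nonce || AES-GCM ciphertext+tag || wrap under Alice || wrap under Wilson.
func Seal(msg []byte, alice, wilson *rsa.PublicKey) ([]byte, error) {
	if alice.Size() != wrapSize || wilson.Size() != wrapSize {
		return nil, errors.New("recipient keys must be RSA-2048")
	}
	k := make([]byte, keySize)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := gcm.Seal(nonce, nonce, msg, nil) // step 2: nonce || ct || tag
	wrapA, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alice, k, nil) // step 3
	if err != nil {
		return nil, err
	}
	wrapW, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, wilson, k, nil) // step 4
	if err != nil {
		return nil, err
	}
	out = append(out, wrapA...)
	return append(out, wrapW...), nil // step 5
}

// Open is a recipient's side: slot 0 unwraps Alice's copy of K, slot 1 Wilson's.
// A key that matches neither slot fails at OAEP; a modified ciphertext fails the tag.
func Open(blob []byte, priv *rsa.PrivateKey, slot int) ([]byte, error) {
	if len(blob) < nonceSize+2*wrapSize || slot < 0 || slot > 1 {
		return nil, errors.New("malformed message")
	}
	body := blob[:len(blob)-2*wrapSize]
	wraps := blob[len(blob)-2*wrapSize:]
	wrap := wraps[slot*wrapSize : (slot+1)*wrapSize]
	k, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrap, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, body[:nonceSize], body[nonceSize:], nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	wilson, _ := rsa.GenerateKey(rand.Reader, 2048)
	blob, err := Seal([]byte("meet me at the usual place"), &alice.PublicKey, &wilson.PublicKey)
	if err != nil {
		panic(err)
	}
	seen, err := Open(blob, wilson, 1) // the warden reads first
	if err != nil {
		panic(err)
	}
	fmt.Printf("warden sees: %q\n", seen)
	got, err := Open(blob, alice, 0) // then forwards blob unchanged to Alice
	if err != nil {
		panic(err)
	}
	fmt.Printf("alice reads: %q\n", got)
}
```

Both recipients recover the same K and therefore the same plaintext only because this honest Bob wrapped one K twice; nothing in the message format itself lets Wilson check that the two wraps carry the same key, which is a property worth keeping in mind when reading the rest of the showcase.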
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) In cryptography, a construction consisting of multiple encryption algorithms applied in sequence is called a cascade. For example, TripleSec by Keybase encrypts data with XSalsa20 then AES in counter mode. Contrary to popular belief, cascading may not always improve security. Matthew Green wrote a nice blog post explaining why. In this showcase, you're asked to analyze a cascade of MAC and digital signature algorithms. Please send your solutions to thaidn@gmail.com. -- The Hooli Photos app wanted to protect the integrity of media files stored on the SSD card. Initially, they used GMAC (the MAC of AES-GCM) with a secret key. Later on, the requirement changed: they wanted other apps to be able to verify the integrity of the media files produced by the Photos app. Toward that end, they applied a digital signature on top of the existing MAC, and settled on t...
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols . Showcase #6 was taken down because the protocol is not public) I think I figured out the answer to this new challenge, but I haven't verified it yet. So be aware that it may be unsolvable. Update: Without one more modification, the challenge is unsolvable AFAICT. The modification is: the public keys are sent as SubjectPublicKey . The challenge is the Bluetooth ECDHE protocol with a twist: the public keys are now validated as valid points on the curve. Everything else is kept the same. Can you break it? The Bluetooth ECDHE protocol has been found vulnerable to an elegant invalid curve attack. The full paper can be found here . I summarized the attack in this tweet . Tal Be'ery wrote a longer explanation .
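What "validated as valid points on the curve" amounts to for a NIST curve, as an added example that is neither the post's code nor anything from the Bluetooth specification: parse the uncompressed SEC 1 encoding, range-check both coordinates, and test the curve equation. The choice of P-256 and of the uncompressed 0x04 || X || Y encoding are assumptions; Go's crypto/ecdh is used only to generate a test key and to cross-check the verdict. The post's twist about the SubjectPublicKey encoding is not modelled here.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// P-256 (secp256r1) domain parameters from SEC 2 / FIPS 186-4:
// field prime p and the curve constant b in y^2 = x^3 - 3x + b.
var (
	p256P, _ = new(big.Int).SetString("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16)
	p256B, _ = new(big.Int).SetString("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16)
)

// OnP256 reports whether (x, y) is an affine point on P-256: both
// coordinates must lie in [0, p) and satisfy y^2 = x^3 - 3x + b mod p.
// Because P-256 has prime order, every such point is already in the
// prime-order group, so no separate cofactor or subgroup check is needed.
func OnP256(x, y *big.Int) bool {
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p256P) >= 0 || y.Cmp(p256P) >= 0 {
		return false
	}
	lhs := new(big.Int).Mul(y, y)
	lhs.Mod(lhs, p256P)
	rhs := new(big.Int).Mul(x, x)
	rhs.Mul(rhs, x)                      // x^3
	rhs.Sub(rhs, new(big.Int).Lsh(x, 1)) // x^3 - 2x
	rhs.Sub(rhs, x)                      // x^3 - 3x
	rhs.Add(rhs, p256B)
	rhs.Mod(rhs, p256P)
	return lhs.Cmp(rhs) == 0
}

// ValidateP256Uncompressed parses a 65-byte uncompressed point
// (0x04 || X || Y) and returns its coordinates only if it is on P-256.
// The point at infinity has no affine encoding and so never passes.
func ValidateP256Uncompressed(enc []byte) (x, y *big.Int, err error) {
	if len(enc) != 65 || enc[0] != 0x04 {
		return nil, nil, errors.New("expected 65-byte uncompressed point")
	}
	x = new(big.Int).SetBytes(enc[1:33])
	y = new(big.Int).SetBytes(enc[33:65])
	if !OnP256(x, y) {
		return nil, nil, errors.New("point is not on P-256")
	}
	return x, y, nil
}

func main() {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	enc := priv.PublicKey().Bytes() // uncompressed encoding of an honest key
	if _, _, err := ValidateP256Uncompressed(enc); err != nil {
		panic(err)
	}
	fmt.Println("honest key accepted")
	// Constructed bad input: the same X with the low bit of Y flipped.
	bad := append([]byte(nil), enc...)
	bad[64] ^= 1
	_, _, err = ValidateP256Uncompressed(bad)
	fmt.Println("flipped-bit key rejected:", err != nil)
	_, err = ecdh.P256().NewPublicKey(bad)
	fmt.Println("crypto/ecdh also rejects it:", err != nil)
}
```

The check says nothing about which curve the peer claims to be using; it only answers whether the received coordinates lie on the curve the verifier has hard-coded, which is the property the showcase's twist leaves intact.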
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) It's been a while :-). Today I found this little gem while auditing an obscure security system. Please identify any weaknesses. You can post your solution as a comment or email me at thaidn@gmail.com. Enjoy! Notation: * E(K, bytes) is 3DES in CBC mode with zero padding and a zero IV. Client and server share two 3DES keys K1 and K2, each 24 bytes long.
1/ Client sends hello.
2/ Server randomly generates and caches 8-byte RAND_S. Denote the first 4 bytes of RAND_S as S1, and the next 4 bytes as S2. Server sends RAND_S.
3/ Client randomly generates and caches 8-byte RAND_C. Denote the first 4 bytes of RAND_C as C1, and the next 4 bytes as C2. Client sends E(K1, RAND_S) || RAND_C. At this point the client computes the session key. It computes T = E(K2, C1 || S1 || C2 || S2). Denote the first 8 bytes of T as T1, and the next 8 bytes as T2. The session key K...
(complete list of protocols: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) Administrative note: I've posted solutions to the first 4 challenges. Some readers again found attacks that I wasn't aware of, but I'm not surprised anymore :=). I'm interested in making my puppy protocols less broken, so please share with me your "patches". I'm also open to challenge submissions, please drop me a line if you have something cool to share. --- In the past few years I've found many use cases in which doing crypto in Javascript makes a lot of sense. This challenge is one of those cases. Although the crypto is trivial the whole protocol is complex, involves many players and requires a basic knowledge of web security. Your task is to identify any weaknesses and propose a fix. You can leave your findings in a comment or email me at thaidn@gmail.com. I'll update the post with my solution in a few days. This protoc...
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) Administrative note: I just posted the solution to showcase #1 . Some readers are way smarter than me, and they've taught me a lot with their answers. Now some of you may find this new showcase really lame, but it's pretty much what I found in the wild (with some minor changes to simplify the protocol). So beautiful, that's my first thought. I guess some people love collecting stamps and I love collecting terrible protocols ;=) Updated: solution posted, sorry for the delay! --- This is a one-time password (OTP) protocol. It gives users an OTP that they can use to authenticate against a server. Your task again is to identify any weaknesses. You can leave your findings in a comment or email me at thaidn@gmail.com. I'll update the post with my solution in a few days (I have a reason for the delay). Let Alice denote the user and Bob the server. Bo...
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) Administrative note: I'm going to post my solution for showcase #1 soon. The answers that I got from readers are great, I've already learned something new. Thank you and please keep them coming! Updated: solution posted! Sorry for the delay :) --- Bob bought a smart lock. The lock has a small screen, supports Bluetooth, and once paired with a phone it automatically unlocks itself when the phone is nearby. The manufacturer doesn't rely on Bluetooth for security, but designed their own protocol. You'll find the description of the protocol below, please identify any weaknesses. You can comment or email me at thaidn@gmail.com with your solution. I'll update this post with my solution in 48 hours. The protocol consists of two sub protocols: pairing and unlocking. Bob needs an app made by the lock manufacturer. # Pairing 1/ The lock and the app...
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) Administrative note: showcase #1 is not easy, and so far I've got only two emails. The following protocol is a bit easier. In case you wonder whether I made up these protocols, the answer is no. I actually found them on the Internet of Things :). Updated: solution posted ;-) -- Alice buys a new smart TV and wants to connect it to, of course, the Internet. She downloads an app from the TV's manufacturer. The app allows her to securely send her WiFi password to the TV. The app and the TV run the following protocol. Your task is to analyze this protocol and find all weaknesses. You might email me at thaidn@gmail.com if you want some privacy. I'll update this post with my solution in 48 hours. 1/ The TV in setup mode acts as an open WiFi hotspot. The SSID is a random string that starts with "SmartTV". 2/ The app automatically finds and connects ...
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols ) Updated: scroll down for solutions. Alice and Bob have a pre-shared secret PSS. They want to build a secure channel. Someone designed the following protocol for them. Your task is to analyze this protocol and find all weaknesses. You might email me at thaidn@gmail.com if you want some privacy. I'll update this post with my solution in 48 hours. The protocol consists of two sub protocols: key exchange and data encryption. # Authenticated key exchange
1/ Reminder: Alice and Bob have a pre-shared secret PSS.
2/ They perform an unauthenticated Curve25519 key exchange. Let K denote the raw 32-byte shared key.
3/ Alice generates and sends 32-byte random alice_nonce. Bob generates and sends 32-byte random bob_nonce.
4/ Alice sends alice_proof = HMAC-SHA256(K, alice_nonce + PSS). Bob verifies and closes the connection if alice_proof is invalid.
5/ Bob sends bo...
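Steps 2 to 4 of the key exchange above, as an added example rather than the post's own code: X25519 from Go's crypto/ecdh for the Curve25519 exchange, HMAC-SHA256 keyed with the raw shared secret K, and a constant-time comparison on Bob's side. The "+" in step 4 is read as plain byte concatenation (an assumption). Bob's reply in step 5 is cut off on this listing page, so only Alice's proof and Bob's check are modelled, and the data-encryption sub-protocol is left out.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one side's state across steps 2 to 4.
type Party struct {
	pss   []byte           // the pre-shared secret from step 1
	priv  *ecdh.PrivateKey // ephemeral X25519 key for step 2
	K     []byte           // raw 32-byte shared secret, set by Agree
	Nonce []byte           // this party's 32-byte nonce from step 3
}

func NewParty(pss []byte) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Party{pss: pss, priv: priv, Nonce: nonce}, nil
}

// PublicKey is the 32-byte value that crosses the wire in step 2.
// Nothing authenticates it at this point.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Agree finishes step 2 with the peer's public key. crypto/ecdh rejects
// an all-zero X25519 output, so a low-order peer point fails here.
func (p *Party) Agree(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	p.K, err = p.priv.ECDH(pub)
	return err
}

// Proof is HMAC-SHA256(K, nonce || PSS), the value Alice sends in step 4.
func Proof(K, nonce, pss []byte) []byte {
	m := hmac.New(sha256.New, K)
	m.Write(nonce)
	m.Write(pss)
	return m.Sum(nil)
}

// VerifyProof is Bob's check in step 4; a failure means "close the connection".
func (p *Party) VerifyProof(peerNonce, proof []byte) error {
	if p.K == nil {
		return errors.New("key exchange not completed")
	}
	if !hmac.Equal(proof, Proof(p.K, peerNonce, p.pss)) {
		return errors.New("invalid alice_proof: closing connection")
	}
	return nil
}

// RunSteps2to4 drives one honest run between two parties that may or may
// not hold the same PSS and returns Bob's verdict on Alice's proof.
func RunSteps2to4(alicePSS, bobPSS []byte) error {
	alice, err := NewParty(alicePSS)
	if err != nil {
		return err
	}
	bob, err := NewParty(bobPSS)
	if err != nil {
		return err
	}
	if err := alice.Agree(bob.PublicKey()); err != nil { // step 2, Alice's side
		return err
	}
	if err := bob.Agree(alice.PublicKey()); err != nil { // step 2, Bob's side
		return err
	}
	// Step 3: nonces travel in the clear. Step 4: Alice proves knowledge of PSS under K.
	return bob.VerifyProof(alice.Nonce, Proof(alice.K, alice.Nonce, alice.pss))
}

func main() {
	fmt.Println("same PSS:", RunSteps2to4([]byte("correct horse"), []byte("correct horse")))
	fmt.Println("different PSS:", RunSteps2to4([]byte("correct horse"), []byte("battery staple")))
}
```

Bob accepts exactly when the HMAC key K and the PSS on both sides agree; a nonce that differs from the one Alice used, or a PSS mismatch, fails the constant-time comparison and closes the connection as step 4 requires.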