David Wong | Cryptologie | Markdown http://www.cryptologie.net/ About my studies in Cryptography. en-us Sat, 01 Dec 2018 00:45:56 +0100 The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations David Wong Sat, 01 Dec 2018 00:45:56 +0100 http://www.cryptologie.net/article/461/the-9-lives-of-bleichenbachers-cat-new-cache-attacks-on-tls-implementations/ http://www.cryptologie.net/article/461/the-9-lives-of-bleichenbachers-cat-new-cache-attacks-on-tls-implementations/#comments
On May 15th, I approached Yuval Yarom with a few issues I had found in some TLS implementations. This led to a collaboration between Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, Yuval Yarom and I. Spearheaded by Eyal, [the research has now been published here](https://eprint.iacr.org/2018/1173). And as you can see, the inventor of RSA himself is now recommending you to deprecate RSA in TLS.

We tested 9 different TLS implementations against cache attacks and 7 were found to be vulnerable: [OpenSSL](http://openssl.org/), [Amazon s2n](https://aws.amazon.com/blogs/security/introducing-s2n-a-new-open-source-tls-implementation/), [MbedTLS](https://tls.mbed.org/), [Apple CoreTLS](https://opensource.apple.com/tarballs/coreTLS/), [Mozilla NSS](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS), [WolfSSL](https://www.wolfssl.com/), and [GnuTLS](https://www.gnutls.org/). The cat is not dead yet, with two lives remaining thanks to [BearSSL](https://bearssl.org/) (developed by my colleague Thomas Pornin) and Google's [BoringSSL](https://boringssl.googlesource.com/boringssl/).

The issues were disclosed back in August and the teams behind these projects were given time to resolve them. Everyone was very cooperative and CVEs have been dispatched (CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, CVE-2018-16870).

The attack leverages a side-channel leak via cache access timings of these implementations in order to break the RSA key exchanges of TLS implementations. The attack is interesting from multiple points of view (besides the fact that it affects many major TLS implementations):

* **It affects all versions of TLS (including TLS 1.3) and QUIC**. Where the latter version of TLS does not even offer an RSA key exchange! This prowess is achieve because of the only known downgrade attack on TLS 1.3.
* **It uses state-of-the-art cache attack techniques**. Flush+Reload? Prime+Probe? Branch-Predition? We have it.
* **The attack is very efficient**. We found ways to ACTIVELY target any browsers, slow some of them down, or use the long tail distribution to repeatdly try to break a session. We even make use of lattices to speed up the problem.
* **Manger and Ben-Or on RSA PKCS#1 v1.5**. You heard of Bleichenbacher's million messages attack? Guess what, we found better. We use Manger's OAEP attack on RSA PKCS#1 v1.5 and even Ben-Or's algorithm which is more efficient than and was published BEFORE Bleichenbacher's work in 1998. [I uploaded some of the code here](https://github.com/mimoo/RSA_PKCS1v1_5_attacks).

To learn more about the research, [you should read the white paper](http://cat.eyalro.net/). I will talk specifically about protocol-level exploitation in this blog post.

## Attacking RSA, The Origins

While [Ben-Or et al.](https://dl.acm.org/citation.cfm?id=808773) research was initially used to support the security proofs of RSA, it was none-the-less already enough to attack the protocol. But it is only in 1998 that Daniel Bleichenbacher discovers a padding oracle and devise his own practical attack on RSA. The consequences are severe, most TLS implementations could be broken, thus mitigations were designed to prevent Daniel's attack. Follows a series of "re-discovery" where the world realizes that it is not so easy to implement such mitigations:

* <a href="http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf">Bleichenbacher (CRYPTO 1998)</a> also called the 1 million message attack, BB98, padding oracle attack on PKCS#1 v1.5, etc.
* <a href="https://eprint.iacr.org/2003/052">Klima et al. (CHES 2003)</a>
* <a href="https://www.nds.rub.de/media/nds/veroeffentlichungen/2012/12/19/XMLencBleichenbacher.pdf">Blei­chen­ba­cher’s At­tack Strikes Again: Brea­king PKCS#1 V1.5 In Xml En­cryp­ti­on (ESORICS 2012)</a>
* <a href="https://eprint.iacr.org/2011/615.pdf">Degabriele et al. (CT-RSA 2012)</a>
* <a href="https://eprint.iacr.org/2012/417">Bardou et al. (CRYPTO 2012)</a>
* <a href="https://www.cs.unc.edu/~reiter/papers/2014/CCS1.pdf">Cross-Tenant Side-Channel Attacks in PaaS Clouds (CCS 2014)</a>
* <a href="https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/meyer">Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks (USENIX 2014)</a>
* <a href="https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf">On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption (CCS 2015)</a>
* <a href="https://drownattack.com/">DROWN (USENIX 2016)</a>
* <a href="https://robotattack.org/">Return Of Bleichenbacher's Oracle Threat (USENIX 2018)</a>
* <a href="https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-felsch.pdf">The Dangers of Key Reuse: Practical Attacks on IPsec IKE (USENIX 2018)</a>

Let's be realistic, **the mitigations that developers had to implement were unrealistic**. Furthermore, an implementation that would attempt to log such attacks would actually help the attacks. Isn't that funny?

The research I'm talking about today can be seen as one more of these "re-discovery". My previous boss' boss (Scott Stender) once told me: "you can either be the first paper on the subject, or the best written one, or the last one". We're definitely not the first one, I don't know if we write that well, but we sure are hopping to be the last one :)

## RSA in TLS?

Briefly, SSL/TLS (except TLS 1.3) can use an RSA key exchange during a handshake to negotiate a shared secret. An RSA key exchange is pretty straight forward: the client encrypts a shared secret under the server's RSA public key, then the server receives it and decrypts it. If we can use our attack to decrypt this value, we can then passively decrypt the session (and obtain a cookie for example) or we can actively impersonate one of the peer.

## Attacking Browsers, In Practice.

We employ the BEAST-attack model (in addition to being colocated with the victim server for the cache attack) which I have previously explained [in a video here](https://cryptologie.net/article/413/beast-an-explanation-of-the-cbc-attack-on-tls/).


With this position, we then attempt to decrypt the session between a victim client (Bob) and `bank.com`: we can serve him with some javascript content that will continuously attempt new connections on `bank.com`. (If it doesn't attempt a new connection, we can force it by making the current one fail since we're in the middle.)

**Why several connections instead of just one?** Because most browsers (except Firefox which we can fool) will time out after some time (usually 30s). If an RSA key exchange is negotiated between the two peers: it's great, we have all the time in the world to passively attack the protocol. If an RSA key exchange is NOT negotiated: we need to actively attack the session to either downgrade or fake the server's RSA signature (more on that later). This takes time, because the attack requires us to send thousands of messages to the server. It will likely fail. But if we can try again, many times? It will likely succeed after a few trials. And that is why we continuously send connection attempts to `bank.com`.

## Attacking TLS 1.3

There exist two ways to attack TLS 1.3. In each attack, the server needs
to support an older version of the protocol as well.

1. The first technique relies on the fact that the current server’s public key is an RSA public
key, used to sign its ephemeral keys during the handshake, and that the
older version of TLS that the server supports re-use the same keys.
1. The second one relies on the fact that both peers support an older version
of TLS with a cipher suite supporting an RSA key exchange.

While TLS 1.3 does not use the RSA encryption algorithm for its key
exchanges, it does use the signature algorithm of RSA for it; if the
server’s certificate contain an RSA public key, it will be used to sign
its ephemeral public keys during the handshake. A TLS 1.3 client can
advertise which RSA signature algorithm it wants to support (if any)
between RSA and RSA-PSS. As most TLS 1.2 servers already provide support
for RSA , most will re-use their certificates instead of updating to the
more recent RSA-PSS. RSA digital signatures specified per the standard
are really close to the RSA encryption algorithm specified by the same
document, so close that Bleichenbacher’s decryption attack on RSA
encryption also works to forge RSA signatures. Intuitivelly, we have
$pms^e$ and the decryption attack allows us to find $(pms^e)^d = pms$,
for forging signatures we can pretend that the content to be signed
$tbs$ ([see RFC 8446](https://tools.ietf.org/html/rfc8446#section-4.4.3)) is $tbs = pms^e$ and obtain $tbs^d$ via the attack, which is
by definition the signature over the message $tbs$. However, this
signature forgery requires an additional step (blinding) in the
conventional Bleichenbacher attack (in practice this can lead to
hundreds of thousands of additional messages).

![The TLS 1.3 signature forgery attack using a TLS 1.2 server as Bleichenbacher oracle.](https://www.cryptologie.net/upload/tls13signatures.png)

[Key-Reuse has been shown](https://drownattack.com/) in the past to allow
for complex cross-protocol attacks on TLS. Indeed, we can successfully
forge our own signature of the handshake transcript (contained in the
`CertificateVerify` message) by negotiating a previous version of TLS
with the same server. The attack can be carried if this new connection
exposes a length or bleichenbacher oracle with a certificate using the
same RSA key but for key exchanges.

## Downgrading to TLS 1.2

Every TLS connection starts with a negotiation of the TLS version and
other connection attributes. As the new version of TLS (1.3) does not
offer an RSA key exchange, the exploitation of our attack must first
begin with a downgrade to an older version of TLS. TLS 1.3 being
relatively recent (August 2018), most servers supporting it will also
support older versions of TLS (which all provide support for RSA key
exchanges). A server not supporting TLS 1.3 would thus respond with an
older TLS version’s (TLS 1.2 in our example) server hello message. To
downgrade a client’s connection attempt, we can simply spoof this answer
from the server. Besides protocol downgrades, other techniques exist to
force browser clients to fallback onto older TLS versions: network
glitches, a spoofed TCP RST packet, a lack of response, etc. (see [POODLE](https://www.openssl.org/~bodo/ssl-poodle.pdf))

![The TLS 1.3 attack downgrades the victim to an older version of TLS.](https://www.cryptologie.net/upload/tls13downgrade.png)

Continuing with a spoofed TLS 1.2 handshake, we can simply present the
server’s RSA certificate in a `ServerCertificate` message and then end
the handshake with a `ServerHelloDone` message. At this point, if the
server does not have a trusted certificate allowing for RSA key
exchanges, or if the client refuse to support RSA key exchanges or older
versions than TLS 1.2, the attack is stopped. Otherwise, the client uses
the RSA public key contained in the certificate to encrypt the TLS
premaster secret, sends it in a `ClientKeyExchange` message and ends its
part of the handshake with a `ChangeCipherSpec` and a `Finished`

![The Decryption Attack performs a new handshake with the server, using a modified encrypted premaster secret obtained from the victim’s `ChangeCipherSpec` message.](https://www.cryptologie.net/upload/attack.png)

At this point, we need to perform our attack in order to decrypt the RSA
encrypted premaster secret. The last Finished message that we send must
contains an authentication tag (with HMAC) of the whole transcript, in
addition of being encrypted with the transport keys derived from the
premaster secret. While some clients will have no handshake timeouts,
most serious applications like browsers will give up on the connection
attempt if our response takes too much time to arrive. While the attack
only takes a few thousand of messages, this might still be too much in
practice. Fortunately, several techniques exist to slow down the

* we can send the ChangeCipherSpec message which might reset the client’s timer
* [we can send TLS warning alerts to reset the handshake timer](https://weakdh.org/)

Once the decryption attack terminates, we can send the expected Finished
message to the client and finalize the handshake. From there everything
is possible, from passively relaying and observing messages to the
impersonated server through to actively tampering requests made to it.
This downgrade attack bypasses multiple downgrade mitigations: one
server-side and two client-side. TLS 1.3 servers that negotiate older
versions of TLS must advertise this information to their peers. This is
done by setting a quarter of the bytes from the `server_random` field in
the `ServerHello` message to [a known value](https://tools.ietf.org/html/rfc8446#section-4.1.3). TLS 1.3 clients that end
up negotiating an older version of TLS must check for these values and
abort the handshake if found. But as noted by the RFC, “It does not
provide downgrade protection when static RSA is used.” – Since we alter
this value to remove the warning bytes, the client has no opportunity to
detect our attack. On the other hand, a TLS 1.3 client that ends up
falling back to an older version of TLS [must advertise this information in their subsequent client hellos](https://tools.ietf.org/html/rfc7507), since
we impersonate the server we can simply ignore this warning.
Furthermore, a client also includes the version used by the client hello
inside of the encrypted premaster secret. For the same reason as
previously, this mitigation has no effect on our attack. As it stands,
RSA is the only known downgrade attack on TLS 1.3, which we are the
first to successfuly exploit in this research.

## Attacking TLS 1.2

As with the previous attack, both the client and the server targetted
need to support RSA key exchanges. As this is a typical key exchange
most known browsers and servers support them, although they will often
prefer to negotiate a forward secret key exchange based on ephemeral
versions of the Elliptic Curve or Finite Field Diffie-Hellman key
exchanges. This is done as part of the cipher suite negotiation during
the first two handshake messages. To avoid this outcome, the
`ClientHello` message can be intercepted and modified to strip it out of
any non-RSA key exchanges advertised. The server will then only choose
from a set of RSA-key-exchange-based cipher suites which will allow us
to perform the same attack as previously discussed. Our modification of
the `ClientHello` message can only be detected with the `Finished`
message authenticating the correct handshake transcript, but since we
are in control of this message we can forge the expected tag.

![The attack on TLS 1.2 modifies the client’s first packet to force an RSA key exchange.](https://www.cryptologie.net/upload/tls12attack.png)

On the other side, if both peers end up negotiating an RSA key exchange
on their own, we can passively observe the connection and take our time
to break the session.
Browser End-to-End Encryption David Wong Sat, 24 Nov 2018 00:25:16 +0100 http://www.cryptologie.net/article/460/browser-end-to-end-encryption/ http://www.cryptologie.net/article/460/browser-end-to-end-encryption/#comments
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">“We use the standard Bellare-Rogaway definition of key exchange, which we briefly summarize below. [Fourteen pages of dense notation omitted] And in conclusion most Bluetooth devices use ‘000000’ as the hardcoded password.”</p>— Matthew Green (@matthew_d_green) <a href="https://twitter.com/matthew_d_green/status/1066080534110056449?ref_src=twsrc%5Etfw">November 23, 2018</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

I have seen this kind of things happen quite often in the cryptography and security community. While some companies are 100% snake oils, some others do play on the border with their marketing claims but very real research. For example, advances in encrypted databases are mostly pushed by companies while attacks come from researchers not happy with their marketing claims. But this is a story for another time.

Back to the question: can we provide end-to-end encryption with a web app? There are ways yes. You can for example create a one-page javascript web application, and have the client download it. In that sense it could be a "trust on first use" kind of application, because later you would only rely on your local copy. If you want to make it light, have the page use remotely served javascript, images, and other files and protect manipulations via the [subresource integrity mechanism](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) of web browsers (include a hash of the file in the single-page web app). It is not a "bad" scenario, but it's not the flow that most users are used to. And this is the problem here. We are used to access websites directly, install whatever, and update apps quickly.

If you look at it from the other side, are mobile applications that more secure? While the threat model is not THAT different, in both of these solutions (thanks Nik Kinkel and Mason Hemmel for pointing that out to me) no specific targetting can happen. And this is probably a good argument if you're paranoia stops at this level (and you trust the app store, your OS, your hardware, etc.)
Indeed, a webapp can easily target you, serving a different app depending on the client's IP, whereas mobile apps need the cooperation of the App store to do that. So you're one level deeper in your defense in depth.

What about Signal's "native" desktop application? Is it any better? Well... you're probably downloading it from their webserver anyway and you're probably updating the app frequently as well...

EmbeddedDisco David Wong Wed, 21 Nov 2018 03:41:52 +0100 http://www.cryptologie.net/article/459/embeddeddisco/ http://www.cryptologie.net/article/459/embeddeddisco/#comments
I've been implementing the [Disco protocol](https://www.cryptologie.net/article/432/introducing-disco/) in C. It makes sense since Disco was designed specifically for embedded devices. The library is only **1,000 lines-of-code**, including all the cryptographic primitives, and does everything the Go implementation does except for signing.

If you don't know what Disco is, it's a **cryptographic library** that allows you to secure communications (like TLS) and to hash, encrypt, authenticate, derive keys, generate random numbers, etc.

[Check it out here](https://github.com/mimoo/disco-c). It's **experimental**. I'd be happy to receive any feedback :)

It's not as plug-and-play as the Golang version. There are no wrappers yet to encrypt, authenticate, hash, derive keys, etc. and I haven't made a decision as to what algorithm I should support for signatures (ed25519 with strobe? Or Strobe's Schnorr-variant with Curve25519?)

So it's mostly for people who know what they're doing for now.

Don't let that deter you though! I need people to play with it in order to improve the library. If you need help I'm here! ]]>
The Cryptography Services of NCC Group is looking for summer interns! David Wong Thu, 01 Nov 2018 22:57:23 +0100 http://www.cryptologie.net/article/458/the-cryptography-services-of-ncc-group-is-looking-for-summer-interns/ http://www.cryptologie.net/article/458/the-cryptography-services-of-ncc-group-is-looking-for-summer-interns/#comments About Disco (again) David Wong Fri, 19 Oct 2018 23:45:47 +0200 http://www.cryptologie.net/article/457/about-disco-again/ http://www.cryptologie.net/article/457/about-disco-again/#comments
The funny one is this realistically proportional figure where the areas of the different circles are representing the number of lines-of-code of each libraries.

![Disco lines of code](/upload/LOC.png)

The C library is currently awful, so I won't link to it until I get it to a prettier place, but as a proof of concept it shows that this can be achieve in a mere 1,000 lines-of-code. That while supporting the same functionalities of a TLS library and even more. The following diagram is the dependency graph or "trust graph" of an implementation of Disco:

![Disco trust graph](/upload/Screen_Shot_2018-10-19_at_2.37_.40_PM_.png)

As one can see, Disco relies on Strobe (which further relies on keccak-f) for the symmetric cryptography, and X25519 for the asymmetric cryptography. The next diagram shows the trust graph of a biased TLS 1.3 implementation for comparison:


This was done mostly for fun, so I might be missing some things, but you can see that it's starting to get more involved. Finally, I made a final diagram on what most installations actually depend on:


In this one I included other versions of TLS, but not all. I also did not include their own trust graph. Thus, this diagram is actually less complex that it could be in reality, especially knowning that [some companies](https://sites.google.com/site/bughunteruniversity/nonvuln/commonly-reported-ssl-tls-vulnerabilities) continue to support SSL 3.0 and TLS 1.0.

I've also included non-cryptographic things like x509 certificates and their parsers, because it is a major dependency which was dubbed [the most dangerous code in the world](https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html) by M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov.
Real World Crypto 2019 registrations open David Wong Wed, 03 Oct 2018 10:51:20 +0200 http://www.cryptologie.net/article/456/real-world-crypto-2019-registrations-open/ http://www.cryptologie.net/article/456/real-world-crypto-2019-registrations-open/#comments ]]> Encrypting a file David Wong Thu, 27 Sep 2018 13:03:05 +0200 http://www.cryptologie.net/article/455/encrypting-a-file/ http://www.cryptologie.net/article/455/encrypting-a-file/#comments
Encrypting a file is hard. I often need to do it to protect confidential data before sending it to someone. Besides PGP (yerk) there doesn't seem to be any light tools to do that easily. The next best option is often to have a common messaging app like Signal. So I made my own. It's called [Eureka](https://github.com/mimoo/eureka) and it's available in [binaries](https://github.com/mimoo/eureka/releases) or if you have Golang installed on your device, directly by doing this:

$ go get github.com/mimoo/eureka

It's also 100 LOC. It's just doing a simple job that seems to be missing from most default tooling. ]]>
Want to implement something fun today? David Wong Wed, 05 Sep 2018 12:44:34 +0200 http://www.cryptologie.net/article/454/want-to-implement-something-fun-today/ http://www.cryptologie.net/article/454/want-to-implement-something-fun-today/#comments
Disco is a specification that once implemented allows you to encrypt sessions (like TLS) and encrypt, authenticate, hash, generate random numbers, derive keys, etc. (like a cryptographic library). **All of that usually only needs less than a thousand lines of code.**

Here's how you can do it:

**1. Strobe.** The first step is to find a [Strobe](https://strobe.sourceforge.io/) implementation (Disco uses Strobe for all the **symmetric crypto**). Reference implementations of Strobe exist in C and Python, unofficial ones exist in [Golang](https://github.com/mimoo/StrobeGo) (from yours truly) and in [Rust](https://github.com/rozbb/strobe-rs) (from Michael Rosenberg). but if you're dealing with another language, you'll have to implement the [Strobe specification](https://strobe.sourceforge.io/specs/) first!

**2. Noise.** Read the "*How to Read This Document and Implement Disco*" section of the [Disco specification](http://discocrypto.com/disco.html). What it tells you is to implement the [Noise specification](http://noiseprotocol.org/noise.html) but to ignore its `SymmetricState` and `CipherState` sections. (You can also ignore any symmetric crypto in there.) You can find Noise libraries in any languages, but implementing it yourself is usually pretty straight forward (here you only really have to implement the `HandshakeState`).

**3. Disco.** Once you have that (which should take 500 LOC top), implement the `SymmetricState` specified by [Disco](http://discocrypto.com/disco.html).

**4. Tada!**

PS: if you want to write one in **python**, that'd be really great! You can take a look at the [already existing implementations here](https://github.com/mimoo/disco/issues/4). ]]>
Tamuro meetup in London tonight David Wong Fri, 31 Aug 2018 13:48:45 +0200 http://www.cryptologie.net/article/453/tamuro-meetup-in-london-tonight/ http://www.cryptologie.net/article/453/tamuro-meetup-in-london-tonight/#comments
To know the location you need to solve one of the challenges [there](https://twitter.com/TamuroLondon/status/1032983065591721986) summarized here as well:

* **EASY**: Decrypt the cipertext (single byte XOR) to find the GPS coordinates of the next Tamuro London meetup:
6d69766d686f69747568766861686e (hex string)
* **MEDIUM**: Solve the easy challenge without a brute-force method.
* **HARD**: https://gist.github.com/tkeetch/b1b21f621813ff11a75930f80f1c9e5b ]]>
Advances in permutation-based cryptography David Wong Tue, 28 Aug 2018 11:51:49 +0200 http://www.cryptologie.net/article/452/advances-in-permutation-based-cryptography/ http://www.cryptologie.net/article/452/advances-in-permutation-based-cryptography/#comments
I'll personally introduce sponge constructions, Strobe and [Disco](https://www.discocrypto.com):

> Today, SSL/TLS is the de-facto standard for encrypting communication. While its last version (1.3) is soon to be released, new actors in the field are introducing more modern and better designed protocols. This talk is about the past, the present and the future of session encryption. We will see how TLS led the way, how the Noise protocol framework allowed the standardization of more modern and targeted protocols and how the duplex construction helped change the status quo. ]]>
Smart Contract Security @ Black Hat Asia David Wong Mon, 27 Aug 2018 23:35:17 +0200 http://www.cryptologie.net/article/451/smart-contract-security-black-hat-asia/ http://www.cryptologie.net/article/451/smart-contract-security-black-hat-asia/#comments
<iframe width="560" height="315" src="https://www.youtube.com/embed/95-pdnUQQSo" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

It's a summary of what is available on [dasp.co](https://www.dasp.co) + what we've learned auditing smart contracts. ]]>
Facebook's TLS 1.3 library David Wong Thu, 16 Aug 2018 11:09:29 +0200 http://www.cryptologie.net/article/450/facebooks-tls-13-library/ http://www.cryptologie.net/article/450/facebooks-tls-13-library/#comments
> Using early data in TLS 1.3 has several caveats, however. An attacker can easily replay the data, causing it to be processed twice by the server. To mitigate this risk, we send only specific **whitelisted requests** as early data, and we’ve deployed a **replay cache alongside our load balancers to detect and reject replayed data**. Fizz provides simple APIs to be able to determine when transports are replay safe and can be used to send non-replay safe data.

My guess is that either all GET requests are considered safe, or only GET requests on the `/` route are considered safe.
I'm wondering why they use a replay cache on the other side as this overhead could nullify the benefits of 0-RTT.

They also mention every state transitions being stored in one place, this is [true](https://github.com/facebookincubator/fizz/blob/09ba244f83592ae89b1f9137f7b99ba58ae4f2a9/fizz/client/ClientProtocol.cpp#L32):




I think this is a great idea, which more TLS libraries should emulate. I had started a whitelist of transitions for TLS 1.3 draft 18 [here](https://gist.github.com/mimoo/779dcf8c44d80a2a34a1a2f2ed620711) but it's probably outdated. ]]>
Problems that UDP and only UDP has David Wong Mon, 13 Aug 2018 16:30:46 +0200 http://www.cryptologie.net/article/449/problems-that-udp-and-only-udp-has/ http://www.cryptologie.net/article/449/problems-that-udp-and-only-udp-has/#comments
To Simplify, TCP is just a collection of algorithms that extend UDP to make it support **in-order delivery** of **streams**. UDP on the other hand does not care about such streams and instead sends blocks of messages (called **datagrams**) in **whatever-order** and provides **no guarantee** what-so-ever that you will ever receive them.

TCP also provides some security guarantees on top of IP by starting a session with a **TCP handshake** it allows both endpoints of a communication to provide a proof of IP ownership, or at least that they can read whatever is sent to their claimed IPs. This means that to mess up with TCP, you need to be an **on-path** attacker man-in-the-middle'ing the connection between the two endpoints. UDP has none of that, **it has no notion of sessions**. Whatever packets are received from an IP, it'll just accept them. This means that an **off-the-path** attacker can trivially send packets that look like they are coming from any IP, effectively **spoofing the IP** of either one of the endpoint or anyone on the network. If the protocol built on top of UDP does not do anything to detect and prevent this, then bad things might happen (from complex attacks to simple denial of services).

This is not the only bad thing that can happen though. Sometimes (meaning for some protocols) a well-crafted message to an endpoint will trigger a large and disproportionate response. Malicious actors on the internet can use this to perform **amplification attacks**, which are denial-of-service attacks. To do that, the actor can send these special type of messages pretending to be a victim IP and then observe the endpoint respond with a large amount of data to the victim IP.

Intuitively, it sounds like both of these issues can be tackled by doing some sort of TCP handshake, but in practice it is rarely the case as the very first message of your protocol (which hasn't been able to provide a proof of IP ownership yet) can still trigger large messages. This is why in [QUIC](https://www.chromium.org/quic), the very first message from a client needs to be padded with `0`s in order to make it as large as the server's response. Meaning that an attacker would have to at least spend as much resources that is provided by the attack, nullifying its benefits.

Looking at another protocol built on top of UDP, [DTLS](https://tools.ietf.org/html/rfc6347) (TLS for UDP) has a notion of "cookie" which is really some kind of bearer token that the client will have to keep providing to the server in relevant messages, this in order to prove that it is indeed the same endpoint talking to the server. ]]>
TLS 1.3 is out! David Wong Sat, 11 Aug 2018 13:55:45 +0200 http://www.cryptologie.net/article/448/tls-13-is-out/ http://www.cryptologie.net/article/448/tls-13-is-out/#comments
* Will we see a fast deployment of the protocol? It seems like browsers are ready, but web servers will have to follow.
* Who will use 0-RTT? I'm expecting the big players to use it (largely because they've been requesting it) but what about the small ones?
* Are we going to see vulnerabilities in the protocol? It seems highly unlikely, TLS 1.2 itself (with AES-GCM) has remained solid for more than 10 years.
* Are we going to see vulnerabilities in the implementations? We will see about that. If anything happens, I'm expecting it to happen around 0-RTT, PSKs and key exports. But let's hope that libraries have learned their lessons.
* Is [BearSSL](https://bearssl.org/) going to implement TLS 1.3? It sounds like it.
WhatsApp, Secure Messaging, Transcript Consistency and Trust in a group chat David Wong Fri, 10 Aug 2018 11:54:10 +0200 http://www.cryptologie.net/article/447/whatsapp-secure-messaging-transcript-consistency-and-trust-in-a-group-chat/ http://www.cryptologie.net/article/447/whatsapp-secure-messaging-transcript-consistency-and-trust-in-a-group-chat/#comments
First, there is nothing new in being able to man-in-the-middle and decrypt your own TLS sessions (+ a simple protocol on top). Sure the tool is neat, but it is not breaking WhatsApp in this regard, it is merely allowing you to look at (and to modify) what you're sending to the WhatsApp server.

The blog post goes through some interesting ways to mess with a WhatsApp group chat, as it seems that the application relies in some parts on metadata that you are in control of. This is bad hygiene, but for me the interesting attack is attack number 3: you can send messages to SOME members of the group, and send different messages to OTHER members of the group.

At first I thought: this is nothing new. If you read the [WhatsApp whitepaper](https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf) it is a clear limitation of the protocol: you do not have **transcript consistency**. And by that I mean, nothing is **cryptographically enforcing** that all members of a group chat are seeing the exact same thing.

It is always hard to ensure that the last messages have been seen by everyone of course (some people might be offline), but transcript consistency really only cares about **ordering, dropping, and tampering** of the messages.

Let's talk about WhatsApp some more. Its protocol is very different from what Signal does and in group chats, each member shares their unique symmetric key with the other members of the group (separately). This means that when you join a group with `Alice` and `Bob`, you first create some random symmetric key. After that, you encrypt it under `Alice`'s public key and you send it to her. You then do the same thing with `Bob`. Once all the members have knowledge of your random symmetric key, you can encrypt all of your messages with it (perhaps using a ratchet). When a member leaves, you have to go through this dance again in order to provide **forward secrecy** to the group (leavers won't be able to read messages anymore). If you understood what I said, the protocol does not really gives you way to enforce transcript consistency, you are in control of the keys so you choose who you encrypt what messages to.

But wait! Normally, the server should distribute the messages in a fan-out way (the server distributes **one** encrypted message to **X** participants), forcing you to collude with a root@WhatsApp in order to perform this kind of shenanigans. In the [blog post's attack](https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint) it seems like you are able to bypass this and do not need the help of WhatsApp's servers. This is bad and I'm still trying to figure out what really happened.

By the way, to my knowledge no end-to-end encrypted protocol has this property of transcript consistency for group chats. Interestingly, the Messaging Layer Security (MLS) which is the latest community effort to standardize a messaging protocol does not have a solution for this either. I'll probably talk about MLS in a different blog post because it is still very interesting.

The last thing I wanted to mention is **trust inside of a group chat**. We've been trying to solve trust in a one-to-one conversation for many many years, and between PGP being broken and the many wars between the secure messaging applications, it seems like this is still something we're struggling with. Just yesterday, a post titled [I don't trust Signal](https://news.ycombinator.com/item?id=17723973) made the front page on hackernews. So is there hope for trust in a group chat anytime soon?

First, there are three kinds of group chat:

* large group chats
* medium-sized group chats
* small group chats

I'll argue that **large group chats have given up on trust**, as it is next to impossible to figure out who is who. Unless of course we're dealing with a PKI and a company enforcing onboarding with a CA. And even this is has issues (beyond the traitors and snoops).

I'll also argue that **small group chats are fine with the current protocols**, because you're probably trusting people not to run this kind of attacks.

**The problem is in medium-sized group chats**. ]]>
QUIC Crypto and simple state machines David Wong Thu, 09 Aug 2018 12:39:32 +0200 http://www.cryptologie.net/article/446/quic-crypto-and-simple-state-machines/ http://www.cryptologie.net/article/446/quic-crypto-and-simple-state-machines/#comments
* Google wanted to improve TCP (2.0™️)
* but TCP can't really be changed
* so they built it on top of UDP (which is just IP with ports, check the [2 page RFC for UDP](https://tools.ietf.org/html/rfc768) if you don't believe me)
* they made it with **encryption by default**
* and they called it **QUIC**, because it's quick, you know

There is more to it, it makes HTTP blazing fast with multiplexed streams and all, but I'm only interested about the crypto here.

Google QUIC's (or gQUIC) default encryption was provided by a home-made crypto protocol called QUIC Crypto. The thing is documented in a 14-page [doc file](https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit) and is more or less up-to-date. It was at some point agreed that things needed to get standardized, and thus [the process of making QUIC an RFC (or RFCs) began](https://datatracker.ietf.org/wg/quic/about/).

Unfortunately QUIC Crypto did not make it and the IETF decided to replace it with TLS 1.3 for diverse reasons.

**Why "Unfortunately" do you ask?**

Well, as Adam Langley puts it in some of [his slides](https://www.ietf.org/proceedings/92/slides/slides-92-saag-5.pdf). The protocol was dead simple:

![quic crypto](/upload/quiccrypto.jpg)

While the protocol had some flaws, in the end, it was still a beautiful and elegant protocol. At its core was an extremely straight forward and linear state machine summed up by this diagram:

![quic crypto diagram](/upload/quiccryptodiagram.jpg)

A few things to help you read it:

* a server config is just a blob that contains the server current semi-ephemeral keys. The server config is rotated every X days.
* an inchoate client hello is just an empty client hello, which prompts the server to send a REJ(ect) message containing its latest config (after that the client can try again with a full client hello)
* SHLO is a (encrypted) server hello which contains ephemeral keys

As you can see **there isn't much going on**, if you know the keys of the server you can do some 0-RTT magic, if you don't then request the keys and start the handshake again.

Compare that to [the state machine of TLS 1.3](https://tools.ietf.org/html/draft-ietf-tls-tls13-28#appendix-A.1):

![tls state machine](/upload/tlsstatemachine.jpg)

In the end, TLS 1.3 is a solid protocol, but I'd like to see more experimentation here instead of just relying on TLS. version 1.3 is built on top of numerous previous failed versions which means a great amount of complexity due to legacy and a multitude of use cases and extensions it needs to support. Simpler protocols should be better, simple state machines make for better analysis and more secure implementations. Just look at the [Noise protocol framework](http://noiseprotocol.org/) and its 1k LOC implementations and its symbolic proofs done with [ProVerif](https://noiseexplorer.com) and [Tamarin](https://www.wireguard.com/papers/wireguard-formal-verification.pdf). Actually, why haven't we started using Noise for everything? ]]>
About Bitcoin Transactions David Wong Wed, 08 Aug 2018 16:31:11 +0200 http://www.cryptologie.net/article/445/about-bitcoin-transactions/ http://www.cryptologie.net/article/445/about-bitcoin-transactions/#comments
That's right! when crafting a transaction to send money on the bitcoin network, you actually do not include `I am sending my BTC to _this address_`. Instead, you include a script called a **ScriptPubKey** which dictates a set of inputs that are allowed to redeem the monies. The **PubKey** in the name surely refers to the main use for this field: to actually let a unique public key redeem the money (the intended recipient). But that's not all you can do with it! There exist a multitude of ways to write ScriptPubKeys! You can for example:

* not allow anyone to redeem the BTCs, and even use the transaction to record arbitrary data on the blockchain (this is what a lot of applications built on top of bitcoin do, they "burn" bitcoins in order to create metadata transactions in their own blockchains)
* allow someone who has a password to use the BTCs (but to submit the password, you would need to include it in clear inside a transaction which would inevitably be advertised to the network before actually getting mined. This is dangerous)
* allow a subset of signatures from a fixed set of public keys to redeem the BTCs (this is what we call multi-sig transactions)
* allow someone who can break a hash function (SHA-1) to redeem the BTCs (This is what [Peter Todd did in 2013](https://en.bitcoin.it/wiki/Script#Incentivized_finding_of_hash_collisions))
* only allow the BTCs to be redeemed after some time in the future (via a timestamp)
* etc.

On the other hand, if you want to use the money you need to prove that you can use such a transaction's output. For that you include a **ScriptSig** in a new transaction, which is another script that runs and creates a number of inputs to be used by the **ScriptPubKey** I talked about. And you guessed it, in our prime use-case this will include a signature (the **Sig** in the name)!

Recap: when you send BTCs, you actually send it to whoever can give you a correct input (created by a ScriptSig) to your program (ScriptPubKey). In more details, a Bitcoin transaction includes a set of **input BTCs** to **spend** and a set of **output BTCs** that are now **redeemable** by whoever can provide a valid ScriptSig. That's right, **a transaction actually uses many previous transactions to collect money from, and spread them in possibly multiple pockets of money that other transactions can use**. Each input of a transaction is associated to a previous transaction output, along with the ScriptSig to redeem it. Each output is associated with a ScriptPubKey. By the way, an output that hasn't been spent yet is called an UTXO for unspent transaction output.

The scripting language of Bitcoin is actually quite limited and easy to learn. It uses a stack and must return `True` at the end. The limitations actually bothered some people who thought it might be interesting to create something more [turing-complete](https://en.wikipedia.org/wiki/Turing_completeness), and thus [Ethereum](https://en.wikipedia.org/wiki/Ethereum) was born. ]]>
CryptoMag is looking for articles David Wong Thu, 05 Jul 2018 14:16:06 +0200 http://www.cryptologie.net/article/444/cryptomag-is-looking-for-articles/ http://www.cryptologie.net/article/444/cryptomag-is-looking-for-articles/#comments
You want to teach someone about a crypto concept, something 101 that could be explained in 1-2 pages with a lot of diagrams? Look no more, we need you.

## Concept

The idea is to have a recurrent benevolent e-magazine (like [POC||GTFO](https://github.com/tylert/pocorgtfo)) that focuses on:

* **cryptography**: *duh!* That being said, cryptography does include: implementations, cryptocurrencies, protocols, at scale, politics, etc. so there are more topics that we deem interesting than just theoretical cryptography.
* **pedagogy**: heaps of *diagrams* and a focus on teaching. Taking an original writing style is a plus. We're looking not to bore readers.
* **101**: we're looking for *introductions* to concepts, not deeply technical articles that require a lot of initial knowledge to grasp.
* **short**: articles should be similar to a blog post, not a full-fledged paper. With that in mind articles should be around 1, 2 or 3 pages. We are not looking for something dense though, so no posters, rather a submission should be a light read that can be part of a series or influence the reader to read more about the topic.

## Topics

Preferably, authors should write about something they are familiar with, but here is a list of topics that would likely be interesting for such a light magazine:

* what is SSH?
* what is SHA-3?
* what is functional encryption?
* what is TLS 1.3?
* what is a linear differential attack?
* what is a cache attack?
* how does LLL work?
* what are common crypto implementation tricks?
* what is R-LWE?
* what is a hash-based signature?
* what is an RFC?
* what is the IETF?
* what is the IACR?
* why are companies encrypting databases?
* what is x509, .pem, asn.1 and base64?
* etc...

## Format

LaTeX if possible.

## Deadline

No deadline at the moment.

## How to submit

send me a dropbox link or something on the [contact page](/contact), you can also send it to me via [twitter](https://www.twitter.com/cryptodavidw)

PS: I am going to annoy you if you don't use diagrams in your article ]]>
Tamuro meetup in London David Wong Fri, 29 Jun 2018 12:20:15 +0200 http://www.cryptologie.net/article/443/tamuro-meetup-in-london/ http://www.cryptologie.net/article/443/tamuro-meetup-in-london/#comments Smart Contract Security @ IT Camp David Wong Fri, 08 Jun 2018 22:25:19 +0200 http://www.cryptologie.net/article/442/smart-contract-security-it-camp/ http://www.cryptologie.net/article/442/smart-contract-security-it-camp/#comments
<iframe width="560" height="315" src="https://www.youtube.com/embed/yIQUnV3dTBs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>

Yours truly. ]]>