Episode 10: Exploiting Authenticated Encryption Key Commitment!
Ange Albertini and Stefan Kölbl discuss how new research from
Google, the University of Haifa and Amazon is exploiting
authenticated encryption to make a PDF decrypt into... a different
PDF. And much more.
47 minutes
In-depth, substantive discussions on the latest news and research in applied cryptography.
Description
5 years ago
Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is
used in a wide variety of applications, including potentially in
settings for which it was not originally designed. A question given
relatively little attention is whether an authenticated encryption
scheme guarantees “key commitment”: the notion that ciphertext
should decrypt to a valid plaintext only under the key that was
used to generate the ciphertext. In reality, however, protocols and
applications do rely on key commitment. A new paper by engineers at
Google, the University of Haifa and Amazon demonstrates three
recent applications where missing key commitment is exploitable in
practice. They construct AES-GCM ciphertext which can be decrypted
to two plaintexts valid under a wide variety of file formats, such
as PDF, Windows executables, and DICOM; and the results may shock
you.

Links and papers discussed in the show:

* How to Abuse and Fix Authenticated Encryption Without Key Commitment (https://eprint.iacr.org/2020/1456)
* Mitra, Ange's software tool for generating binary polyglots (https://github.com/corkami/mitra)
* Shattered and other research into hash collisions (https://github.com/corkami/collisions)

Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/).

Special Guests: Ange Albertini and Stefan Kölbl.