WAC7 is an affiliated event at Crypto 2024 on Sunday, August 18, 2024 at University of California, Santa Barbara.
workshop description
Cryptography is often thought of as the bright spot of practical security, a mathematical paradise where security can be rigorously proven and issues like buffer overflows are in someone else’s department. However, there is a growing community of researchers who regularly find serious flaws in widely deployed cryptographic implementations and protocols. In recent years, this type of research has mostly been published in systems security conferences. This workshop will bring together researchers who work on cryptographic attacks and provide a showcase of their work for the Crypto community. This is the seventh edition of the WAC workshop, which was established by Nadia Heninger.
date and location
Date: Sunday, August 18, 2024
Location:
- Corwin West
- University of California, Santa Barbara
registration
Select WAC7 under “affiliated events” when registering for Crypto 2024.
program
Sunday August 18, 2024
09:00—09:05 (PDT)
Authors:

09:05—09:40 (PDT)
Abstract: The SSH protocol provides secure access to network services, particularly remote terminal login and file transfer within organizational networks and to over 15 million servers on the open internet. SSH uses an authenticated key exchange to establish a secure channel between a client and a server, which protects the confidentiality and integrity of messages sent in either direction. The secure channel prevents message manipulation, replay, insertion, deletion, and reordering. At the network level, SSH uses the Binary Packet Protocol over TCP. In the Terrapin attack [1], we show that as new encryption algorithms and mitigations were added to SSH, the SSH Binary Packet Protocol is no longer a secure channel: SSH channel integrity (INT-PST, aINT-PTXT, and INT-sfCTF) is broken for three widely used encryption modes. This allows prefix truncation attacks where encrypted packets at the beginning of the SSH channel can be deleted without the client or server noticing it. We demonstrate several real-world applications of this attack. We show that we can fully break SSH extension negotiation (RFC 8308), such that an attacker can downgrade the public key algorithms for user authentication or turn off a new countermeasure against keystroke timing attacks introduced in OpenSSH 9.5. Further, we identify an implementation flaw in AsyncSSH that, together with prefix truncation, allows an attacker to redirect the victim's login into a shell controlled by the attacker. We also performed an internet-wide scan for affected encryption modes and support for extension negotiation. We find that 71.6% of SSH servers support a vulnerable encryption mode, while 63.2% even list it as their preferred choice. We identify two root causes that enable these attacks: First, the SSH handshake supports optional messages that are not authenticated. Second, SSH does not reset message sequence numbers when activating encryption keys. Based on this analysis, we propose effective and backward-compatible changes to SSH that mitigate our attacks.
[1] https://terrapin-attack.com/
Authors:

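The two root causes named in the abstract (unauthenticated optional handshake messages, and sequence numbers that survive key activation) can be seen in a few dozen lines. The following is a constructed model written for this page, not the Terrapin authors' code: it keeps only the per-direction sequence number and the integrity tag of the SSH Binary Packet Protocol, modelling the tag as MAC(key, seqnr || payload), which is how the sequence number is bound in the EtM modes and in chacha20-poly1305@openssh.com (where it serves as the nonce); encryption itself is omitted, the message types are the real SSH numbers, and the `strict_kex` flag is an assumed name for a mitigation that resets counters at NEWKEYS and rejects unexpected handshake messages.

```python
import hashlib
import hmac
import struct

# Constructed model (not the talk's code): one direction of the SSH Binary
# Packet Protocol reduced to the sequence number and the integrity tag.

SSH_MSG_IGNORE = 2
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30
SSH_MSG_USERAUTH_REQUEST = 50


class Endpoint:
    """One peer's state for a single direction of the channel."""

    def __init__(self, key: bytes, strict_kex: bool):
        self.key = key
        self.strict_kex = strict_kex     # assumed name for the counter-reset mitigation
        self.send_seq = 0
        self.recv_seq = 0
        self.send_protected = False      # becomes True once NEWKEYS is sent
        self.recv_protected = False      # becomes True once NEWKEYS is received

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The sequence number is part of what the tag covers, but it is never sent.
        return hmac.new(self.key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()

    def send(self, msg_type: int, body: bytes = b""):
        payload = bytes([msg_type]) + body
        tag = self._tag(self.send_seq, payload) if self.send_protected else None
        self.send_seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.send_protected = True
            if self.strict_kex:
                self.send_seq = 0        # fresh counter when the new keys take effect
        return payload, tag

    def receive(self, packet) -> int:
        payload, tag = packet
        msg_type = payload[0]
        if self.recv_protected:
            if tag is None or not hmac.compare_digest(tag, self._tag(self.recv_seq, payload)):
                raise ValueError(f"integrity failure at recv_seq={self.recv_seq}")
        elif self.strict_kex and msg_type == SSH_MSG_IGNORE:
            raise ValueError("unexpected message during key exchange")
        self.recv_seq += 1               # plain SSH counts unauthenticated packets too
        if msg_type == SSH_MSG_NEWKEYS:
            self.recv_protected = True
            if self.strict_kex:
                self.recv_seq = 0
        return msg_type


def run(strict_kex: bool, inject_ignore: bool, drop_first_protected: bool):
    """Client -> server direction. Returns (outcome, message types the server accepted)."""
    key = b"constructed shared session key"
    client, server = Endpoint(key, strict_kex), Endpoint(key, strict_kex)
    wire = [client.send(SSH_MSG_KEXINIT), client.send(SSH_MSG_KEXDH_INIT)]
    if inject_ignore:
        # Attacker-inserted and unauthenticated: the handshake has no integrity yet,
        # but the server still advances its receive counter for it.
        wire.append((bytes([SSH_MSG_IGNORE]) + b"injected", None))
    wire.append(client.send(SSH_MSG_NEWKEYS))
    ext_info = client.send(SSH_MSG_EXT_INFO, b"server-sig-algs")
    if not drop_first_protected:
        wire.append(ext_info)            # otherwise the attacker deletes this packet
    wire.append(client.send(SSH_MSG_USERAUTH_REQUEST, b"alice"))
    accepted = []
    try:
        for packet in wire:
            accepted.append(server.receive(packet))
    except ValueError as err:
        return "rejected: " + str(err), accepted
    return "accepted", accepted


if __name__ == "__main__":
    print("honest:", run(False, False, False))
    print("delete only:", run(False, False, True))
    print("inject + delete:", run(False, True, True))
    print("strict, inject + delete:", run(True, True, True))
```

Deleting the first protected packet on its own is caught, because the server's expected counter is one behind the tag. Injecting one IGNORE before NEWKEYS advances the server's counter by one without any authentication, so after the deletion the counters line up again and the EXT_INFO message vanishes silently; with the counter reset and the rejection of unexpected handshake messages, both steps fail.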
09:40—10:15 (PDT)
Abstract: Who are the "ends" in end-to-end encryption? In this talk, we explore this question, using the Wire secure messenger as a case study. Wire implements a variant of the Signal protocol: a bespoke Double Ratchet implementation dubbed "Proteus", and a bespoke eXtended Triple Diffie-Hellman key exchange dubbed "XPDH". The security of both Proteus and XPDH is theoretically on par with Signal's equivalents: one could therefore hope that Wire is as secure as Signal. Yet, we discovered a wide range of vulnerabilities in Wire, ranging from message reordering and redirection attacks, to confidentiality and Post-Compromise Security (PCS) violations. These attacks emerge in Wire's implementation at different layers of abstraction:
As the "ends" in question change from "real" users to abstract parties, we will discuss how gaps in security arise, and draw lessons from mistakes in Wire and other secure messaging apps.
Author:

10:15—10:45 (PDT): break

10:45—11:30 (PDT)
Abstract: This talk is about the importance of cryptography to censorship circumvention, taking as motivating case studies real cryptographic attacks that have affected widely deployed circumvention protocols. It is meant as an introduction to censorship threat modeling for the cryptography-capable, and to that end I will comment on how security notions like "attack" and "indistinguishability" map onto the censorship problem. Further information on this topic is available on the presenter's website [1].
[1] https://www.bamsoftware.com/papers/fep-flaws/
Author:

11:30—12:15 (PDT)
Abstract: In 2020, the Federal Communications Commission (FCC) began mandating the adoption of the STIR/SHAKEN protocol by all telephone service providers operating in the United States. This protocol aims to reduce the number of fraudulent robocalls by creating a reputation system for providers, disincentivizing providers from permitting fraudulent calls to originate from their network. This talk will discuss our ongoing study of the privacy implications of STIR/SHAKEN. Our study has uncovered severe privacy issues stemming from the design and implementation of the cryptography in STIR/SHAKEN. Notably, STIR/SHAKEN requires, for every call, highly sensitive call metadata (e.g., caller and callee numbers) to be signed in a cryptographically non-repudiable way and transmitted unencrypted between providers; this gives anyone the ability to cryptographically assert a call took place. Further, because third-party signing-as-a-service is widespread, this highly sensitive metadata is often revealed to off-path third parties. The talk will give the relevant background on telephony and STIR/SHAKEN, describe these privacy issues in detail, and discuss our ongoing research on solutions. We will also highlight unusual real-world cryptography challenges that arise, such as blind verification for signatures.
Authors:

12:15—14:05 (PDT): lunch break

14:05—14:45 (PDT)
Abstract: RADIUS may be one of the most important protocols you've never heard of. Used when logging into internet backbone routers, power-grid equipment, WiFi networks, VPNs, IoT devices, and more, RADIUS is an authentication/authorization protocol where credentials live on a central server instead of on the device you're logging into. You might assume that such a widely-used authentication protocol would be secured by strong cryptography. You'd assume wrong: it uses MD5. In this talk, we'll see how an attacker who can intercept and modify packets between a victim RADIUS device and the RADIUS server can successfully log into the victim device with no credentials whatsoever. The attack involves computing a chosen-prefix collision between two valid RADIUS packets in real time, before authentication times out, and then tricking the server into sending one of them. Along the way, we'll learn a little about MD5 collisions (and why the ones that can be computed in seconds on a laptop aren't good enough here) and about the RADIUS protocol and its packet format. We'll also look at some short-term and long-term mitigations (and non-mitigations) for this attack.
Authors:

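To make the packet format and the role of MD5 concrete, here is a constructed example written for this page, not the speakers' code. It builds RADIUS responses and checks them the way a client would, following RFC 2865 for the Response Authenticator (MD5 over Code, Identifier, Length, Request Authenticator and Attributes, with the shared secret appended last) and RFC 2869 for the Message-Authenticator attribute (HMAC-MD5 keyed by the secret). It does not compute a collision; what it shows is the structural reason a collision in the attacker-visible prefix is enough, namely that the authenticator depends only on MD5's chaining state after that prefix, and what a client that insists on the HMAC-based attribute checks instead. The secret, identifier and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed example (not the talk's code): RADIUS response construction and
# client-side verification per RFC 2865 / RFC 2869, standard library only.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct(">BBH")   # Code, Identifier, Length
HEADER_LEN = 20                   # 4-byte header + 16-byte Authenticator field


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute: Type, Length (including these two bytes), Value."""
    return bytes([atype, 2 + len(value)]) + value


def authenticator_prefix(code, ident, attrs, request_auth) -> bytes:
    """Everything MD5 sees before the secret; all of it travels on the wire."""
    body = b"".join(attrs)
    return HEADER.pack(code, ident, HEADER_LEN + len(body)) + request_auth + body


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(authenticator_prefix(code, ident, attrs, request_auth) + secret).digest()


def md5_state(prefix: bytes):
    """MD5 object holding the chaining state after absorbing `prefix`."""
    return hashlib.md5(prefix)


def authenticator_from_state(md5_after_prefix, secret) -> bytes:
    """Same value, computed from the state after the prefix alone.

    The secret is only a suffix, so two prefixes of equal length that reach
    the same internal state (an MD5 collision ending on a block boundary) get
    the same Response Authenticator for every possible secret.
    """
    h = md5_after_prefix.copy()
    h.update(secret)
    return h.digest()


def message_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2869 section 5.14: HMAC-MD5 keyed with the secret over the response,
    computed with the Message-Authenticator value zeroed; `attrs` must already
    contain that 16-zero-byte placeholder."""
    return hmac.new(secret, authenticator_prefix(code, ident, attrs, request_auth), hashlib.md5).digest()


def build_response(code, ident, attrs, request_auth, secret, with_msg_auth) -> bytes:
    attrs = list(attrs)
    if with_msg_auth:
        attrs.append(attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = attr(ATTR_MESSAGE_AUTHENTICATOR,
                         message_authenticator(code, ident, attrs, request_auth, secret))
    body = b"".join(attrs)
    return (HEADER.pack(code, ident, HEADER_LEN + len(body))
            + response_authenticator(code, ident, attrs, request_auth, secret) + body)


def verify_response(packet, request_auth, secret, require_msg_auth):
    """Client-side acceptance check. Returns (ok, reason)."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False, "bad length"
    body, pos, attrs, zeroed, msg_auth = packet[HEADER_LEN:], 0, [], [], None
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            return False, "malformed attribute"
        raw = body[pos:pos + body[pos + 1]]
        attrs.append(raw)
        if raw[0] == ATTR_MESSAGE_AUTHENTICATOR:
            msg_auth = raw[2:]
            zeroed.append(attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        else:
            zeroed.append(raw)
        pos += len(raw)
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False, "Response Authenticator mismatch"
    if msg_auth is None:
        return (not require_msg_auth), "no Message-Authenticator"
    if len(msg_auth) != 16:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(message_authenticator(code, ident, zeroed, request_auth, secret), msg_auth):
        return False, "Message-Authenticator mismatch"
    return True, "ok"
```

A client that accepts a response without a Message-Authenticator is trusting a value whose only key material sits after an attacker-chosen prefix; `authenticator_from_state` makes that dependence explicit. Requiring the attribute turns the check into an HMAC, where the secret is mixed in before the message and a prefix collision no longer carries over.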
14:45—15:25 (PDT)
Abstract: The Kerberos protocol is used by millions of users and network administrators worldwide for secure authentication, key distribution, and access control management to enterprise networks and services. Since its initial public deployment in 1989, the protocol has undergone many revisions to incorporate new cryptographic primitives and improve security. For example, initially based solely on users' passwords and symmetric cryptographic primitives, current implementations also support smartcard-based authentication with asymmetric cryptographic primitives for improved security. However, this iterative revision process has resulted in implementations riddled with legacy crypto primitives and protocol designs. In this work, we show how we can exploit this legacy crypto to completely break the security of the enterprise network. Firstly, while arguably more secure, smartcard-based authentication uses RSA encryption with the notorious PKCS #1 v1.5 padding scheme. Although the RSA decryption is done securely inside the smartcard, a non-constant time unpadding code runs on the client's CPU. This makes both Windows's and several Linux distributions' implementations vulnerable to the Bleichenbacher attack that can recover cryptographic session tokens. Secondly, we show that the RSA smartcard-based authentication does not provide forward secrecy to the cryptographic tokens that the server provisions to the client. Thirdly, we propose and analyze different algorithmic approaches to minimize the overhead required to handle noisy oracles in the Bleichenbacher attack. This general Bleichenbacher attack analysis may be of independent interest. Finally, we demonstrate microarchitectural side channel-based end-to-end attacks on the Windows Kerberos implementation. We start by showing how to recover tokens used to encrypt session transferred remote files by Samba. We then show how to amplify the number of decryptions performed with a single user's PIN code input, allowing us to accelerate our attack and recover users' (and admins') credentials before expiration. In addition, we describe a remote attack vector that allows us to perform the attack and generate queries.
Authors:

15:25—15:55 (PDT): break

15:55—16:30 (PDT)
Abstract: Encrochat was a communications network and service provider that offered modified Android smartphones offering end-to-end encrypted communication based on the Signal protocol. In 2020, French law enforcement — in collaboration with agencies in the UK and the Netherlands as well as the European Agency for Law Enforcement Cooperation (Europol) — compromised the Encrochat network and exfiltrated historical data as well as real-time messaging data and metadata for weeks. The compromise remained undetected for approximately two months, after which Encrochat administrators shut down the network. Encrochat was used by organised crime groups in Europe (and elsewhere), and the exfiltrated information was used as supporting evidence in over 6000 arrests and related prosecutions across Europe; the information also led to the seizure or freezing of over 900 million euros as criminal funds, and the seizure of hundreds of tonnes of illegal drugs. The London Metropolitan Police, which made use of the intelligence gathered, described this as “the most significant operation the Metropolitan Police Service has ever launched against serious and organised crime”. In this talk, we examine what is known about how Encrochat was compromised, and how we know what we know at this time. In particular, we will discuss: the security and cryptography features used in Encrochat; what is currently known about how law enforcement breached the Encrochat network in 2020 and a potential earlier compromise; how we pieced together what is currently known from public sources such as historical Internet data, court records, and news reports; and legal, practical, and social limitations on the attack.
Authors:

16:30—17:00 (PDT)
Abstract: Microarchitectural side-channel attacks have shaken the foundations of modern processor design. The cornerstone defense against these attacks has been to ensure that security-critical programs do not use secret-dependent data as addresses. Put simply: do not pass secrets as addresses to, e.g., data memory instructions. Yet, the discovery of data memory-dependent prefetchers (DMPs) — which turn program data into addresses directly from within the memory system — calls into question whether this approach will continue to remain secure. Our work shows that the security threat from DMPs is significantly worse than previously thought and demonstrates the first end-to-end attacks on security-critical software using the Apple m-series DMP [1]. Undergirding our attacks is a new understanding of how DMPs behave which shows, among other things, that the Apple DMP will activate on behalf of any victim program and attempt to "leak" any cached data that resembles a pointer. From this understanding, we design a new type of chosen-input attack that uses the DMP to perform end-to-end key extraction on popular constant-time implementations of classical (OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum cryptography (CRYSTALS-Kyber and CRYSTALS-Dilithium).
[1] GoFetch website: gofetch.fail
Authors:

timeline
- April 22, 2024: open call for talks
- May 17, 2024 AoE: deadline for contributed talk submissions
- mid June 2024: notice of talk proposal acceptance/rejection
- June 2024: publish program
- August 18, 2024: workshop
- August 23, 2024: all slides are uploaded
organizers
Contact us by email at wac@cryptanalysis.fun.
University of California, San Diego
University of California, San Diego