LIVE FROM COLUMBIA, IT'S #REALWORLDCRYPTO
First up is the TLS session 🔒
First talk is Johanna Amann on measuring TLS 1.3 deployment in the wild with active and passive methods

#realworldcrypto
The notary method is able to collect a lot of feature usage data but not all, on over 1 billion sessions since 2012 (😱)

#realworldcrypto
TLS 1.3 in the wild ❤️

#realworldcrypto
"The moment our scanner was able to speak a newer version (Draft) of TLS 1.3, we picked up servers supporting it." Fantastic!

#realworldcrypto
What drives support being relatively high in the beginning, such as in the Alexa top 1 million? Possibly being operated by professionals, or because the site is being served/TLS terminated by another service who does stay on top of TLS versions.

#realworldcrypto
Cheers to Cloudflare for their aggressive adoption of multiple draft versions of TLS 1.3!

#realworldcrypto
Facebook started support at draft 23

#realworldcrypto
Don't have data for Google but they also joined late, but once they joined a lot of servers supported it all together (makes sense considering Google front end / terminator deployment strategies).

#realworldcrypto
Digital Ocean support spiked when the RFC was accepted, possibly due to Linux defaulting to the new version of TLS and well-patched droplets picking it up automatically. 💪

#realworldcrypto
"Clients would be using the new ClientOffered extension to advertise really ancient versions of TLS" 😆

#realworldcrypto
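The extension the speaker is describing is supported_versions (RFC 8446 extension type 43, called "ClientOffered" in the tweet above): a TLS 1.3 client lists every version it accepts, with 0x7fNN standing for draft NN, which is how a scanner sees clients advertising draft 23 next to ancient versions. The parser below is an added example, not code from the talk or the paper; the ClientHello extension bytes are constructed here for the demonstration, and the example.com server_name entry is only there to show the parser skipping unrelated extensions.

```python
import struct

# Extension type code points (RFC 8446 section 4.2.1 and RFC 6066 section 3).
SUPPORTED_VERSIONS = 0x002B
SERVER_NAME = 0x0000

KNOWN_VERSIONS = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}

def version_name(v):
    """Map a 2-byte ProtocolVersion to a label; 0x7fNN is TLS 1.3 draft NN."""
    if v in KNOWN_VERSIONS:
        return KNOWN_VERSIONS[v]
    if v >> 8 == 0x7F:
        return f"TLS 1.3 draft {v & 0xFF}"
    return f"unknown 0x{v:04x}"

def parse_extensions(blob):
    """Split a ClientHello extensions block (2-byte total length, then
    repeated type/length/data records) into (type, data) pairs."""
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    off, out = 0, []
    while off < len(body):
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + elen]
        if len(data) != elen:
            raise ValueError("truncated extension")
        off += elen
        out.append((etype, data))
    return out

def client_supported_versions(data):
    """Client form: 1-byte list length, then 2-byte versions in the client's
    preference order."""
    if not data or data[0] % 2 or len(data) != 1 + data[0]:
        raise ValueError("malformed supported_versions")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, len(data), 2)]

def offered_versions(blob):
    """Versions a client advertises; an empty list means there is no
    supported_versions extension and only the legacy_version field applies."""
    for etype, data in parse_extensions(blob):
        if etype == SUPPORTED_VERSIONS:
            return [version_name(v) for v in client_supported_versions(data)]
    return []

def build_extensions(exts):
    """Serialise (type, data) pairs into an extensions block (for samples)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body

def supported_versions_data(versions):
    body = b"".join(struct.pack("!H", v) for v in versions)
    return bytes([len(body)]) + body

# Constructed sample: a server_name entry for example.com followed by a
# supported_versions list of final TLS 1.3, draft 23, TLS 1.2 and TLS 1.0.
SNI_EXAMPLE = b"\x00\x0e\x00\x00\x0bexample.com"
SAMPLE = build_extensions([
    (SERVER_NAME, SNI_EXAMPLE),
    (SUPPORTED_VERSIONS, supported_versions_data([0x0304, 0x7F17, 0x0303, 0x0301])),
])

if __name__ == "__main__":
    print(offered_versions(SAMPLE))
```

Run over a capture, the same function turns each ClientHello into a list of version labels; counting those labels per client population is the passive side of the measurement the talk describes.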
Some of these are private versions for companies like Google and Facebook that controlled their own clients and servers until the final draft was adopted.

#realworldcrypto
(Selected set, this list is actually like a hundred ciphersuites long)

#realworldcrypto
New TLS 1.3 feature usage

#realworldcrypto
Some features aren't scannable because they are encrypted, by design. ❤️

#realworldcrypto
60% of connections over TLS 1.3 go to Facebook! 😵

#realworldcrypto
ANDROID SUPPORT 🙏

Came with the release of Android Q, not including apps that shipped with their own TLS stack and negotiated their own connections earlier.

#realworldcrypto
So much faster adoption than previous versions due to investment by several large companies 🎉

#realworldcrypto
Q: Adoption in things like DTLS?
A: Only a tiny amount

#realworldcrypto
NEXT UP: The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations

#realworldcrypto
Speaker, Eyal Ronen

#realworldcrypto
RSAAAAAA

#realworldcrypto
"How is this still a thing?" Same man, same

#realworldcrypto
Backward compatibility, usually

#realworldcrypto
Why do we care if we can break 6% of TLS connections? Because it's not actually those 6% that are vulnerable, downgrade attacks affect more than that.

#realworldcrypto
Why PKCS 1.5

#realworldcrypto
But this is still vulnerable to Bleichenbacher's adaptive chosen-ciphertext attack

#realworldcrypto
Use this to decrypt the premaster secret and sniff session cookies

#realworldcrypto
Only 6% of connections use RSA key exchange, so instead, force a downgrade on servers that _support_ RSA kex but aren't overtly advertising it, using a MITM

#realworldcrypto
Need to keep the session alive during the padding attack, which the user might notice. Instead, use JS in the background to repeatedly reopen connections in the background, instead of reloading the full webpage which the user may notice.

#realworldcrypto
> cache timing side channel

"were caches a mistake???"

#realworldcrypto
Most browsers timeout connections after 30 seconds, so we need to parallelize

#realworldcrypto
Multiple sessions over multiple servers, looks similar to solving the hidden number problem, which can be attacked via the closest vector problem in a lattice

#realworldcrypto
Found these vulns in 7 out of 9 impls 🍵

#realworldcrypto
Paper includes layers of recommended mitigations, but if you really have to use RSA, separate your certificates.

But maybe just… please don't use RSA.

#realworldcrypto
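The oracle behind every Bleichenbacher variant is a server that reacts differently to a well-formed and a malformed PKCS#1 v1.5 block. The pair of functions below is an added example (not from the talk or the paper) contrasting the branchy unpadding that creates such an oracle with the shape TLS 1.2 (RFC 5246 section 7.4.7.1) recommends: scan every byte, fold all checks into one flag, and always finish with a 48-byte premaster secret, substituting a random one when anything is wrong. The sample encoded block is constructed here; Python cannot be truly constant-time, so the point is the structure, not the measured timing.

```python
import hmac
import secrets

PREMASTER_LEN = 48

def unpad_naive(em, client_version):
    """Branchy PKCS#1 v1.5 unpadding: each failure exits at a different
    point (in a real server a different alert or timing), which is the
    distinguishing oracle an adaptive chosen-ciphertext attack needs."""
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                       # at least 8 non-zero padding bytes
        raise ValueError("bad padding")
    pms = em[sep + 1:]
    if len(pms) != PREMASTER_LEN:
        raise ValueError("bad length")
    if pms[:2] != client_version:
        raise ValueError("version mismatch")
    return pms

def naive_outcome(em, client_version):
    """What an observer of the naive path learns: the distinct failure reason."""
    try:
        unpad_naive(em, client_version)
        return "ok"
    except ValueError as e:
        return str(e)

def unpad_tls(em, client_version, fallback=None):
    """Oracle-free shape: no early exit, no padding-dependent branch, one
    accumulated flag, and a random secret substituted on any failure."""
    if fallback is None:
        fallback = secrets.token_bytes(PREMASTER_LEN)
    k = len(em)
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    found, sep = 0, 0
    for i in range(2, k):              # full scan, never break
        is_zero = int(em[i] == 0x00)
        sep |= i * (is_zero & (1 - found))   # remember first zero only
        found |= is_zero
    bad |= 1 - found
    bad |= int(sep < 10)
    bad |= int(sep != k - PREMASTER_LEN - 1)
    cand = em[-PREMASTER_LEN:]         # fixed position, independent of sep
    bad |= int(not hmac.compare_digest(cand[:2], client_version))
    mask = -bad & 0xFF                 # 0xFF when bad, 0x00 otherwise
    return bytes((c & ~mask & 0xFF) | (f & mask) for c, f in zip(cand, fallback))

def pad_pkcs1_v15(pms, k):
    """Type-2 padding 00 02 <non-zero PS> 00 <message>, for constructed samples."""
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(pms)))
    return b"\x00\x02" + ps + b"\x00" + pms

# Constructed sample: a 1024-bit-modulus-sized block carrying a TLS 1.2 premaster.
VERSION = b"\x03\x03"
PMS = VERSION + bytes(range(46))
EM_OK = pad_pkcs1_v15(PMS, 128)
EM_BAD_TYPE = b"\x00\x01" + EM_OK[2:]
EM_SHORT_PS = b"\x00\x02" + b"\x01" * 5 + b"\x00" + b"\x02" * 72 + PMS
```

With the second function the handshake proceeds to the Finished check in every case and fails there with the same alert, which is the mitigation the talk's recommendations build on; the talk's further point is that a cache timing difference elsewhere in the RSA path can still reopen the oracle, which is why the paper also recommends separate certificates and, preferably, no RSA key exchange at all.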
Bleichenbacher attacks in 2020

#realworldcrypto
Next up! Deco: Liberating Web Data Using Decentralized Oracles for TLS

#realworldcrypto
Applying DECO to smart contracts, like on blockchain thingies

#realworldcrypto
Smart contracts need to be online to respond in a timely manner to things happening in the world.

#realworldcrypto
✨decentralization ✨

for your decentralized smart contracts thing on a blockchain

#realworldcrypto
Possible solutions:

- change TLS to sign data
- trusted hardware (SGX*)

* welp

#realworldcrypto
DECO facilitates privacy-preserving proofs about TLS data to oracles and can be used for these smart contracts

#realworldcrypto
The primary goal is to prove provenance of TLS ciphertext.

#realworldcrypto
(in zero knowledge)

#realworldcrypto
The three-party handshake logo is cut off, my apologies

#realworldcrypto
(That ⭐operation is an elliptic curve group operation)

#realworldcrypto
Results in a handshake circuit with AND complexity of ~770k, runs in ~1.40seconds on wired network. Plenty fast for DECO.

#realworldcrypto
Why forego privacy?

#realworldcrypto
So, if this is a proof based on the TLS connection of the data provider, what happens when the data provider gets social engineered or forgets to patch their database backend?

#realworldcrypto
Got more of the logo

#realworldcrypto
Q: In the MPC it's broken into two parts, what prevents a malicious input in the second part?

A: This will be caught later on in the protocol, in the proof stage; the two parties commit to their shares beforehand

#realworldcrypto
Short break ☕
Next up is the first symmetric crypto session, starting with Attacks only get better: The case of OCB2 by Tetsu Iwata

#realworldcrypto
"Say you want to encrypt a penguin"

#realworldcrypto
No authenticity, allowing the ciphertext to be manipulated.

#REALWORLDCRYPTO
Nonce changes for every* encryption operation

*except when it doesn't, like when you ask the user to provide a nonce

#REALWORLDCRYPTO
GCM, CCM are NIST-certified

IETF ones include GCM, ChaCha20-Poly1305

CAESAR includes 6 more

Some more in the ongoing NIST lightweight crypto competition

#realworldcrypto
OCB includes 3 versions, nonce-based AE with AD with strong features, including proof of security

#realworldcrypto
No known vulnerabilities. 'Yet'.

#realworldcrypto
Result: authenticity attack on OCB2, not related to the underlying block cipher.

#realworldcrypto
> SJCL affected

Free corgi pix to someone who collects metrics on real world usage of the SJCL in the wild. 🐕

#realworldcrypto
If we encrypt the same message twice, the nonce will* be different and the ciphertext will be different.

* CAVEAT EMPTOR

#realworldcrypto
Decryption:

#realworldcrypto
Simplest attack is a minimal forgery (existential forgery), adversary must know content of the message, it might not be that important but it's still not generated by the original sender.

#realworldcrypto
On its own may not mean much, but can be leveraged into more powerful attacks.

#realworldcrypto
Universal forgery: for any nonce and message (possibly chosen by the adversary), can compute ciphertext and tag that will be accepted as legit

#realworldcrypto
So if we have these attacks, what went wrong with OCB2's proof of security?

It is a complex proof so

#realworldcrypto
XEX and XE are _misused_

#realworldcrypto
Lesson: prove all the statements AND carefully check that they fit together

A good lesson for security in general

#realworldcrypto
Some fixes:

#realworldcrypto
A distinguishing attack was published in 2018, "I saw this paper and wrote my attack in two days and submitted to ePrint" 😆

#realworldcrypto
After the first chink in the armour, everything happened very quickly. "Attacks only get better", very quickly in this case 😬

#realworldcrypto
"OCB2 is broken. Should not be used in any applications."

Attacks not applicable to OCB1 or OCB3. The general structure of OCB is sound.

Even the most promising scheme can fail; active third-party verification of security proofs is important.

#realworldcrypto
Next up! All on Deck! by the Keccak team

#realworldcrypto
Moar authenticated encryption

#realworldcrypto
Part you can prove (blue), part you have to rely on an upper probabilistic bound (red)

#REALWORLDCRYPTO
New primitive: a deck function

#realworldcrypto
Incremental!

#realworldcrypto
And extendable output

#realworldcrypto
Deck-SANE authenticated encryption

#realworldcrypto
Ooo a nonce-misuse-resistant variant

#realworldcrypto
"Your decipher oracle needs to verify authenticity before releasing plaintext" 🤔

#realworldcrypto
Wide block cipher

#realworldcrypto
Gives us optimal expansion 👍

#realworldcrypto
How do you build deck functions?

Two approaches, serial and parallelizable

#realworldcrypto
Can be vectorized!

#realworldcrypto
XOODOO, not zulu 🙃

#realworldcrypto
Speed numbers

#realworldcrypto
Q: What is the security notion of the deck function?

A: PRF

#realworldcrypto
Q: Compared to chacha20?

A: Don't have comparison figures, but for hardware implementations we think it is more performant than chacha

#realworldcrypto
Next up, the Levchin Prize Ceremony

#realworldcrypto
Ralph Merkle! 👏👏👏

🎄🎄🌲

#realworldcrypto
Merkle proposed the inklings of public key crypto in 1974 while an _undergrad_ 😭

#realworldcrypto
"I submitted this to the ACM and it was rejected for quite some time." NEVERTHELESS.

#realworldcrypto
"I had to wait until [Diffie and Hellman's paper] was published and then it seemed more acceptable." 😉

#realworldcrypto
"Sometimes there is one reviewer on the committee who does not understand the ideas in your paper."

*audience snickers about reviewer #2*

#realworldcrypto
"Maybe we can introduce new ideas in committee-based reviews" yaaas

#realworldcrypto
"Things that are resistant to quantum computers are a Good Idea™️… oh and I introduced some quantum-resistant hash-based signatures" INDEED

#realworldcrypto
SHAttered!

#realworldcrypto
Demonstrating real collision attacks to drive deprecation of MD5 and now SHA-1

(ICYMI SHA-1 is hella broken now, don't use it)

#realworldcrypto
Lunch time!
We're back with Jennifer Granick on The Evolving Crypto War

#realworldcrypto
"There's been a shift in focus in the attack on strong encryption from terrorism to child sexual abusive imagery/materials" - @granick

#realworldcrypto
"Data in motion vs data at rest" - @granick

#RealWorldCrypto
Lawmakers: if E2E encryption is here to stay, what do we do about that?

#realworldcrypto

- "lawful" hacking
- client side scanning
- heavy reliance on metadata

#realworldcrypto
Facebook says "the device issue is separate from [WhatsApp|Messenger|Insta]", aka trying to divert attention from E2E services and focus on breaking/forcing decryption of the plaintext on the ends (your phones).

#realworldcrypto
"Technology has assured government access to more information about us than has even been available before, even if some of it is now being encrypted." Yes!

#realworldcrypto
So if we assume an E2E world, how do you fight abuse online?

We have to be careful about trading away compromises that we'll be sorry about later on.

#realworldcrypto
Backdoors are bad, but I think law enforcement hacking is _also_ really bad (incentivizes vuln hoarding, etc)

#realworldcrypto
What about metadata? If the government relies on metadata to pursue abuse, there is a disincentive to protect privacy and fix metadata leaks from their perspective.

#realworldcrypto
Q: Corporate rights to how their systems are being used (like email privacy for their employees)?

A: Usually terms of service are offered

#RealWorldCrypto
Q: How about homomorphic encryption?

A: This has never come up, the debate is not at this level of sophistication

#RealWorldCrypto
Q: How much of this is a result of the current political climate?

A: I don't think this is a problem of this admin, it's come up in each of the previous admins since the late 80s… Be prepared for the long run.

#realworldcrypto
Q: How can we listen to people who are victims of abuse online w/o compromising general privacy and security?

A: There are people who are hurt w/ & w/o strong encryption; can we learn from social graph analysis or metadata to ID perps or abuse acts privately.

#realworldcrypto
Next up, E-Voting session! Starting with Pierrick Gaudry on Weaknesses in the Moscow internet voting system

#realworldcrypto
Let's compound the trust in Russian elections with the security of e-voting

#RealWorldCrypto
> blockchain voting

siiiiigh

#RealWorld
ElGamal, ElGamaaaaaal 🎶

#RealWorldCrypto
"Triple ElGamal, that I had never heard of before, for good reason" 😆

#RealWorldCrypto
No docs, had to just extract from the source code 😬

#realworldcrypto
The security here is additive not multiplicative, so it's only as hard as solving the 3 ElGamals individually. 🙃

#realworldcrypto
Why are all the p's less than 256 bits? Probably because they wanted to shove this into Ethereum smart contracts which is capped at 256 bit integers.

#realworldcrypto
Solving discrete log mod p of 256 bits? Using Number Field Sieve, took _less than 10 minutes_ with less than 1GB of space

Magma took 24 hours with 130 GB

SageMath didn't finish in 4 days :P

#realworldcrypto
So did they fix it?

(dat prime order subgroup ☕)

#realworldcrypto
Original took generators from the full Z so they were probably also leaking bits with small subgroup attacks

#realworldcrypto
🤦‍♀️

especially in e-voting, 1bit can be the entire value of the plain text (candidate A or candidate B)

#realworldcrypto
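The one-bit leak in the two tweets above is concrete enough to run. With an ElGamal generator of the full group Z_p^*, the Legendre symbol of the plaintext can be read off the public key and the ciphertext alone: (m|p) = (c2|p)·(h^r|p), and (h^r|p) is -1 exactly when both (h|p) and (c1|p) are -1. When the two candidates happen to encode to elements of different residuosity, that bit is the whole vote. The toy below is an added example, not code from the talk or the Moscow system; the 1019-bit-free parameters (p = 1019 = 2·509 + 1) and the candidate encodings are constructed here. The fixed variant does what the speaker alludes to: generate from the prime-order subgroup of quadratic residues and encode candidates inside it, so every symbol is 1 and the leak carries nothing.

```python
import secrets

def legendre(a, p):
    """Euler's criterion: 1 for a quadratic residue, p-1 (i.e. -1) otherwise."""
    return pow(a, (p - 1) // 2, p)

# Constructed toy parameters: safe prime P = 2Q + 1 (tiny on purpose).
P = 1019
Q = 509
G_FULL = 2   # generates all of Z_P^* (2 is a non-residue because P = 3 mod 8)
G_SUB = 4    # = 2^2, generates the order-Q subgroup of quadratic residues

def keygen(g, order):
    x = 1 + secrets.randbelow(order - 1)
    return x, pow(g, x, P)

def encrypt(g, order, h, m):
    r = 1 + secrets.randbelow(order - 1)
    return pow(g, r, P), (m * pow(h, r, P)) % P

def decrypt(x, c1, c2):
    return (c2 * pow(c1, P - 1 - x, P)) % P     # c1^(P-1-x) = c1^(-x)

def leaked_residuosity(h, c1, c2):
    """(m|p) from public values only: (h^r|p) = (g|p)^(x*r) = -1 iff x and r
    are both odd, and the parities of x and r are visible as (h|p), (c1|p)."""
    hr = P - 1 if (legendre(h, P) == P - 1 and legendre(c1, P) == P - 1) else 1
    return legendre(c2, P) * hr % P

def recover_vote(h, c1, c2, candidates):
    """Name the candidate whose encoding matches the leaked bit, or None when
    the encodings share the same residuosity (nothing to distinguish)."""
    syms = {name: legendre(m, P) for name, m in candidates.items()}
    if len(set(syms.values())) < 2:
        return None
    bit = leaked_residuosity(h, c1, c2)
    return next(name for name, s in syms.items() if s == bit)

# Broken setup: full-group generator, candidates encoded as arbitrary elements
# (2 is a non-residue, 3 is a residue, so one Legendre symbol decides the vote).
FULL_CANDIDATES = {"A": 2, "B": 3}
# Fixed setup: subgroup generator and candidates encoded as residues.
SUB_CANDIDATES = {"A": 4, "B": 9}

def cast_and_attack(g, order, candidates, choice):
    """Encrypt the chosen candidate and return (decrypted value, leaked name)."""
    x, h = keygen(g, order)
    c1, c2 = encrypt(g, order, h, candidates[choice])
    return decrypt(x, c1, c2), recover_vote(h, c1, c2, candidates)

if __name__ == "__main__":
    print(cast_and_attack(G_FULL, P - 1, FULL_CANDIDATES, "A"))
    print(cast_and_attack(G_SUB, Q, SUB_CANDIDATES, "A"))
```

The same check belongs in any review of a discrete-log system: confirm the generator's order is the prime q, and confirm every plaintext is encoded inside that subgroup before encryption, otherwise (c2|p) hands out one bit of the message for free even with a correct generator.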
2 days before the election they were patching the code and changing the protocol 🙀

#realworldcrypto
"The whole protocol is messed up!" 😭🗳️

No privacy, no coercion resistance, no vote buying prevention, only a little bit of verifiability.

#realworldcrypto
Guys voting is hard, e-voting is very hard. // @mattblaze

#realworldcrypto
@mattblaze Not a great way to encourage trust in the voting process

#realworldcrypto
@mattblaze The best blockchains are the ones that disappear

#realworldcrypto
At least the code was open source, I guess

#realworldcrypto
"I don't think internet voting is ready for deployment". Ayup.

#realworldcrypto
Q: Is there a good open source e-voting system anywhere? Why is internet voting not ready?

A: If you don't care about coercion resistance, there is one in Geneva that has not been deployed but is good. If you want coercion resistance this is very difficult

#realworldcrypto
Next up, Knights and Knaves Run Elections by Sarah Jamie Lewis, Olivier Pereira, Vanessa Teague

#realworldcrypto
Various ZKPs added for checking ballot validity and tallying

#realworldcrypto
I know these!

#realworldcrypto
"Just pick the trapdoor you need if you need to cheat" 👀

#RealWorldCrypto
"The secret proof just collapsed."

#realworldcrypto
Surprise! It was in use in an ongoing Australian election! But the election commission claimed they were unaffected. 🤔🤔🤔

#realworldcrypto
Good job responding, Switzerland!

#RealWorldCrypto
Quick break!
Next up is the hardware session, starting with "Everybody be cool, this is a robbery!" from Jean-Baptiste Bédrune 🕵️‍♂️

#realworldcrypto
HSM attacks

#realworldcrypto
Definitely used in PKI, banking, DNSSEC (@tqbf), cloud encryption/decryption, and cryptocurrency stuff now I bet

#realworldcrypto
Only a few vendors exist, no public prices, large range of models per vendor, of the numbers that are public, ~10K to 30K USD

#realworldcrypto
FIPS!

Level 1 is just software requirements, levels 2 3 and 4 have physical requirements (TIL!)

#realworldcrypto
Our beloved PKCS #11 /s

Few exposed functions (~70) but > 300 standard mechanisms & proprietary mechanisms.

#realworldcrypto
"Some take parameters, like a nonce" 😬

#realworldcrypto
Threats:

- unauth'd users gain access to private objects
- attacker extracts keys that shouldn't be extractable
- auth'd attacker gain access to unauth'd slots


#realworldcrypto
NO logical separation across HSM slots

All objects from slots are stored in same flash partition

#realworldcrypto
Code exec is trivial

No ASLR

But resuming execution is hard, `CreateSecretKEy` needs to be auth'd

#realworldcrypto
Fuzzing! I love fuzzing.

#realworldcrypto
14 vulns found, several classes of memory corruption bugs

#realworldcrypto #fuzzing
A single byte mutation triggers a crash during restore 👌

#realworldcrypto
Able to execute a payload with root 🙀

A single binary executed from the host

#realworldcrypto
Uh oh, a logic bug allows installation of a dummy cert and failing check on firmware updates 😬

#realworldcrypto
Critical bug 🐛

#realworldcrypto
Complete compromise. Woof.

#realworldcrypto
This is just one model from one vendor.

HSMs mostly certified against hardware attacks, but this demonstrates there are holes when it comes to software attacks.

#realworldcrypto
Next up, "TPM-Fail: TPM meets Timing and Lattice Attacks" from Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger

#realworldcrypto
TPMs in your car!

#realworldcrypto
Using TPMs for digital signatures is useful for trusted execution of signing and remote attestation ❤️

#realworldcrypto
So, are TPMs really side-channel resistant?

Ooo, some high resolution clocks ⏲️

#realworldcrypto
Variable time signatures!

#realworldcrypto
Hooo boy

#realworldcrypto
ECDSA
ECSchnorr
BN-256

all variable time via the nonce

🔥

#realworldcrypto
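What "variable time via the nonce" means in practice: a scalar multiplication that starts its loop at the nonce's top set bit runs fewer iterations for nonces with leading zero bits, so the signing time reveals roughly how many leading zeros the nonce has, which is the partial-nonce information a lattice attack consumes. The toy below is an added example, not the TPM firmware or the paper's code; it uses modular exponentiation as a stand-in for elliptic-curve scalar multiplication (same double-and-add structure) with constructed parameters p = 1019, g = 2, and counts loop iterations instead of measuring a clock. The fixed variant always runs the full bit width with a branch-free select.

```python
def scalar_mul_variable(k, g, p):
    """Left-to-right square-and-multiply starting at the top set bit: the
    iteration count equals k.bit_length(), so short nonces finish early."""
    acc, steps = 1, 0
    for i in range(k.bit_length() - 1, -1, -1):
        acc = acc * acc % p
        if (k >> i) & 1:                     # data-dependent branch
            acc = acc * g % p
        steps += 1
    return acc, steps

def scalar_mul_fixed(k, g, p, nbits):
    """Same result over a fixed number of bits; the multiply is always
    computed and the result selected with a mask, so neither the iteration
    count nor the branch pattern depends on the nonce."""
    acc, steps = 1, 0
    for i in range(nbits - 1, -1, -1):
        acc = acc * acc % p
        bit = (k >> i) & 1
        mult = acc * g % p
        acc = (mult & -bit) | (acc & (bit - 1))   # bit=1 -> mult, bit=0 -> acc
        steps += 1
    return acc, steps

def leaked_leading_zeros(steps, nbits):
    """What a timing observer infers from the variable-time version."""
    return nbits - steps

def timing_profile(nonces, g, p, nbits):
    """Iteration counts per nonce for both implementations, to compare spread."""
    var = [scalar_mul_variable(k, g, p)[1] for k in nonces]
    fix = [scalar_mul_fixed(k, g, p, nbits)[1] for k in nonces]
    return var, fix

if __name__ == "__main__":
    # Constructed sample nonces of different bit lengths in a 16-bit toy field.
    sample = [1, 9, 300, 5000, 65535]
    print(timing_profile(sample, 2, 1019, 16))
```

Across many signatures, the variable-time profile sorts nonces by length; the fixed profile is flat. A test like this (fixed iteration count and no nonce-dependent branch) is the property to demand of any signing implementation, and the talk's remark that Intel's fix was simply updating to a newer version of their own library reflects that the constant-time code already existed.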
Intel fTPM, gets you key in a few minutes of collection (not computation)

Get you a key in 80 minutes of collection 👌

#RealWorldCrypto
Does the VPN client have direct access to the TPM?

#realworldcrypto
About 5 hours of handshakes breaks the VPN TPM key 🔑

#realworldcrypto
Ha, the vendor (Intel) forgot to update to the latest version of their own crypto library.

#realworldcrypto
Q: How remote were the clients in the remote attacks?

A: A single switch away 🤔

#RealWorldCrypto
Q: Did you suggest fixes to the vendors or did they come up with them?

A: For intel the only thing they needed to do was update their crypto lib version, which took 9 months, all under embargo. 😬

#RealWorldCrypto
Last talk today, "Protecting Memory Contents on ARM Cores"

#realworldcrypto
We keep sensitive data in RAM, so we need techniques to protect values in memory

#realworldcrypto
We don't want things to leak when running on your device, or your app running in the cloud. The HW's owner could be an adversary!

#realworldcrypto
"and this is why all our computers have microarchitectural side channels"

#realworldcrypto
''''sound''''

#RealWorldCrypto
Resulting primitives include

AES ('natch)
Deoxys (…wut)
QARMA (no really what)

#realworldcrypto
I hope it's not OCB2-like

#realworldcrypto
you get a mode, and you get a mode, everyone gets a mode

#realworldcrypto
Merkle trees and counter trees

#realworldcrypto
moar counters 🧛‍♂️

#realworldcrypto
If you can't read these labels I'm right there with you

#realworldcrypto
Expected slowdowns

#realworldcrypto
Highest protection requires almost twice as much memory bandwidth as unprotected. :/

#realworldcrypto
"I want to thank NIST. For rejecting Qameleon." 🌶️

#realworldcrypto
Q: Why do you need such a large MAC?

A: Still up for debate, I would feel uneasy with 32-bit MACs at the bottom of the Merkle tree. Still testing.

#realworldcrypto
Done for the day! Back tomorrow.
