Episode 10: Exploiting Authenticated Encryption Key Commitment!
Description
Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext.
In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you.
Links and papers discussed in the show:
- How to Abuse and Fix Authenticated Encryption Without Key Commitment
- Mitra, Ange's software tool for generating binary polyglots
- Shattered and other research into hash collisions
Music composed by Toby Fox and performed by Sean Schafianski.
Special Guests: Ange Albertini and Stefan Kölbl.
Sponsored By:
- Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.
United States
