Episode 10: Exploiting Authenticated Encryption Key Commitment! episode artwork

EPISODE · Dec 1, 2020 · 46 MIN

Episode 10: Exploiting Authenticated Encryption Key Commitment!

from Cryptography FM · host Symbolic Software

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext. In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you. Links and papers discussed in the show: How to Abuse and Fix Authenticated Encryption Without Key Commitment Mitra, Ange's software tool for generating binary polyglots Shattered and other research into hash collisions Music composed by Toby Fox and performed by Sean Schafianski.Special Guests: Ange Albertini and Stefan Kölbl.

Episode metadata supplied by the publisher feed · Published Dec 1, 2020

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext. In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you. Links and papers discussed in the show: How to Abuse and Fix Authenticated Encryption Without Key Commitment Mitra, Ange's software tool for generating binary polyglots Shattered and other research into hash collisions Music composed by Toby Fox and performed by Sean Schafianski.Special Guests: Ange Albertini and Stefan Kölbl.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Episode 10: Exploiting Authenticated Encryption Key Commitment!

0:00 46:34

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Frequently Asked Questions

How long is this episode of Cryptography FM?

This episode is 46 minutes long.

When was this Cryptography FM episode published?

This episode was published on December 1, 2020.

What is this episode about?

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an...

Can I download this Cryptography FM episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!