They just happened to use a library with a bug. The bug in the BigInt library affects DSA in OTR and ECDSA in group chat.Įvery 15th bit in the generated random numbers are zero. Oops forgot to mention, there is a timing attack possibility here, but if it is a good PRNG then knowing any part of its output will not let you determine any other part of its output. The expected amount of decimal digits per byte is 1.5625 (2 * (1 - 56 / 256)) vs 0.9766 (1 * (1 - 6 / 256)).Īnyways this really doesn't not hurt security that much. The heat death of the Universe will happen before then.Ĭrazy as it might seem dropping 56 out 256 values to get two decimal digits per byte is actually faster. The probability of a loop that goes through more than 24 values is 1 in 2^129.1 ((6 / 250) ^ 24). Such as in this case dropping 6 out of 256 values. Some people with limited math background might think it is odd to drop random data not in a range, but this is actually correct. Zero had a 26/251 chance and all the others had a 25/251 chance. Well I didn't really look at the good random data part but let's assume it's good. The bad random generation was a slight bias towards zero when they converted good random data into ASCII characters 0 through 9. Which is roughly 1500 computer-years and 40 petabytes. The bug I found and fixed on June 3rd, 2013 was the private key only being 10^32 instead of 256^32.Ī private key that is 10^32 can be broken with 10^16 (2^53.2) time and memory. #Forgot cryptocat password crackThis caused keys to be super easy to crack (2^27.1 time and memory). The masquerading bug was added May 7th, 2012 when they switched to ECDH and fixed April 19th, 2013. When I looked at their commit history I found that the small private key bug was worse because the key was a decimal string masquerading as an array of 17, 15 bit integers. I found three bugs small private keys for group chat, bad random generation, and improper use of random (this is in a library they use called BigInt). Which might let them decrypt old captured messages. They have generated a new private key, to prevent someone from breaking into their server and stealing it. Meaning we have to trust that Cryptocat didn't store/transfer encrypted messages or leak their SSL private key. So this just means that it was host based security. Yes this is scary but I believe everything is/was over https. #Forgot cryptocat password codeIf there is a next version I'll probably "steal" some code from curve25519-donna and add support for GPUs. I suggest doing a 2*10^8 and 10^8 split unless you actually have a bunch of captured conversations or you want to test if the people you are talking to have upgraded. This only requires tens of gigabytes to store.ĭoing a 2*10^8 and 10^8 split it will take an hour to generate and half an hour to crack any private key with that data. So 2^54.15 turns into 2^27.08 and 2^106.3 to 2^53.15.įor Cryptocat versions before 2.0.42, doing a split of 2*10^9 and 10^7 it takes about a day to calculate data needed to crack any key in few minutes. June 15th, 2013 FireFox approves first 2.x version of Cryptocat that is not using short ECDH private keys.ĭecryptoCat v0.1 cracks the group chat ECDH public keys generated by Cryptocat versions 1.1.147 through 2.0.41.Ĭryptocat version 2.0.42 was released which increased the key space from 2^54.15 to 2^106.3.ĭecryptocat takes advantage of a meet-in-the-middle attack called baby-step giant-step you can effectively square root the key space. June 3rd, 2013 I patched ECDH now private keys are uncrackable. May 7th, 2012 ECDH introduced and is broken with DecryptoCat.Īpril 19th, 2013 ECDH is no longer easy to break, but still crackable by governments and large companies. October 17th, 2011 Diffie-Hellman private keys were reduced to crackable. Here is the old post where I was less nice (it is a longer read with a little more detail). #Forgot cryptocat password updateYou must update Cryptocat to at least 2.1.12 to be safe from known problems. TLDR: If you used group chat in Cryptocat from October 17th, 2011 to June 15th, 2013 assume your messages were compromised.ĭSA is probably broken in one-to-one chat over OTR.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |