logo
episode-header-image
Dec 2020
46m 34s

Episode 10: Exploiting Authenticated Enc...

Symbolic Software
About this episode

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext.

In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you.

Links and papers discussed in the show:

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Ange Albertini and Stefan Kölbl.

Sponsored By:

Up next
Feb 2023
Episode 24: CryptoHack's Collection of Cryptic Conundrums!
For several years, CryptoHack has been a free platform for learning modern cryptography through fun and challenging programming puzzles. From toy ciphers to post-quantum cryptography, CryptoHack has a wide-ranging and ever increasing library of puzzles for both the aspiring and a ... Show More
49m 18s
Jan 2023
Episode 23: Psychic Signatures in Java!
On April 19th 2022, Neil Madden disclosed a vulnerability in many popular Java runtimes and development kits. The vulnerability, dubbed "Psychic Signatures", lies in the cryptography for ECDSA signatures and allows an attacker to bypass signature checks entirely for these signatu ... Show More
53m 20s
Jan 2023
Episode 22: Three Lessons from Threema: Breaking a Secure Messenger!
Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. Prominent users of Threema include the Swiss Government and the Swiss Army, as well as the current Chancellor of Germany, Olaf Scholz. Threema has been w ... Show More
52m 12s
Recommended Episodes
Nov 2021
Using bidirectionality override characters to obscure code. [Research Saturday]
Guests Nicholas Boucher and Ross Anderson from the University of Cambridge join Dave Bittner to discuss their research, "Trojan Source: Invisible Vulnerabilities." The researchers present a new type of attack in which source code is maliciously encoded so that it appears differen ... Show More
25m 10s
Mar 2021
S15:E6 - What is cryptography and how to get into it (Marcus Carey)
In this episode, we talk about cryptography with Marcus Carey, enterprise architect at ReliaQuest. Marcus talks about going to the military and learning cryptography, what cryptography is, and the foundational things you need to know in order to make sure the apps you’re building ... Show More
35m 36s
Apr 2023
How Does Historical Cryptology Work?
To crack ciphers written centuries ago, historical cryptologists have to be half artist, half accountant, and use some of the most powerful computing tools known today. Learn how a team cracked Mary, Queen of Scots's code in this episode of BrainStuff, based on this article: http ... Show More
8m 12s
May 2021
brute-force attack (noun) [Word Notes]
A cryptographic hack that relies on guessing all possible letter combinations of a targeted password until the correct codeword is discovered. 
6m 32s
Aug 2023
Quantum computing: A threat to asymmetric encryption.
Rick Howard, the CSO, Chief Analyst, and Senior Fellow at N2K Cyber, discusses the meaning of quantum computing through a cybersecurity perspective with CyberWire Hash Table guests Dr. Georgian Shea, Chief Technologist at the Foundation for Defense of Democracies, and Jonathan Fr ... Show More
17m 33s
Jan 2024
High-assurance Post-Quantum Crypto with Franziskus Kiefer and Karthik Bhargavan
We welcome Franziskus and Karthik from Cryspen to discuss their new high-assurance implementation of ML-KEM (the final form of Kyber), discussing how formal methods can both help provide correctness guarantees, security assurances, and performance wins for your crypto code! Trans ... Show More
56m 13s
Dec 2023
Software Supply Chain Security with Michael Lieberman
One of the most famous software exploits in recent years was the SolarWinds attack in 2020. In this attack, Russian hackers inserted malicious code into the SolarWinds Orion system, allowing them to infiltrate the systems of numerous corporations and government agencies, includin ... Show More
43m 6s
Jan 2024
2787: Navigating the Evolving Landscape of Application Security With Checkmarx
In this compelling episode, we delve into the strategic importance of application security as businesses undergo digital transformation. Sandeep Johri, with his rich experience at Checkmarx, sheds light on this domain's multifaceted challenges and opportunities. We discuss how vu ... Show More
25m 34s
Listen to millions of songs and podcasts on Anghami