CRYPTO AND PRIVACY VILLAGE - The Underhanded Crypto(graphy) Contest: 2018 Winners

Video thumbnail (Frame 0) Video thumbnail (Frame 927) Video thumbnail (Frame 1680) Video thumbnail (Frame 4341) Video thumbnail (Frame 6062) Video thumbnail (Frame 7651) Video thumbnail (Frame 9751) Video thumbnail (Frame 13342) Video thumbnail (Frame 15381)
Video in TIB AV-Portal: CRYPTO AND PRIVACY VILLAGE - The Underhanded Crypto(graphy) Contest: 2018 Winners

Formal Metadata

CRYPTO AND PRIVACY VILLAGE - The Underhanded Crypto(graphy) Contest: 2018 Winners
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Taylor series Cryptography Personal digital assistant Information technology consulting Cryptography
Point (geometry) Implementation Code Primitive (album) Cryptography Element (mathematics) Product (business) Category of being Cryptography Type theory Pattern language Communications protocol Information security Traffic reporting Backdoor (computing) Vulnerability (computing)
Group action Service (economics) Computer file Code Mountain pass Letterpress printing Password Electronic mailing list Information privacy Shift operator Information technology consulting Element (mathematics) Internetworking String (computer science) Hash function Energy level Gamma function Information security Multiplication Area Scripting language Software developer Division (mathematics) Bit Cryptography Entire function Password Encryption
NP-hard Random number generation Cryptosystem Cloud computing Numbering scheme Parameter (computer programming) Inverse element Inversion (music) Number 2 (number) Usability Case modding Read-only memory Binary multiplier Backdoor (computing) Modulo (jargon) Multiplication Key (cryptography) Interior (topology) Inverse element Menu (computing) Bit Public-key cryptography System call Modulo (jargon) Category of being Backdoor (computing) Communications protocol RSA (algorithm)
Group action Service (economics) Curve Ellipse Plastikkarte Subgroup Cryptography Strategy game Touch typing Communications protocol Information security Backdoor (computing) Vorwärtsfehlerkorrektur Curve Vulnerability (computing) Projective plane Sampling (statistics) Sound effect Planning Bit Cryptography Elliptic curve Category of being Prime ideal Order (biology) Formal verification Lipschitz-Stetigkeit Musical ensemble Communications protocol
Adam Caudill and Taylor Hornby will be presenting the underhanded crypto contest winners take the way guys thank you so much and thank you everybody for showing up today so here we are at the end of the fifth annual underhanded crypto contest underhanded cryptography contest let's let's make that clear so I am Adam Caudill one of the cofounders of the contest here with Taylor Hornby and Taylor I will let you take it away all right cool Thanks so just in case you
haven't heard about us we've been doing this for five years basically the way it works is every year we ask you to send us your best ideas for cryptography backdoors whether it's in the protocols or implementations or whatever as long as it has something to do with backdoors and something to do with cryptography then we're going to be interested in it and you really do want to send us your ideas because we hand out prizes every year so well why do we do this
obviously we're derived from the underhanded sea contest and one of the things I really liked about the underhanded sea contest was it's the perfect thing you can point to if someone says oh all these people have looked over this code and they haven't found any problems in it so it must be okay we're kind of you can kind of point to the underhanded sea contest and say no actually if someone's trying to hide mistakes and code it can be actually quite hard to find them and we're kind of the same thing for cryptography so if the company is claiming their product is secure because they're using a s 256 and all these secure primitives no that's actually not enough you need to dive deeper and look at the protocol and look at the designs and look at the implementation and find the problems there another another reason we do this is because I think once we start to collect a lot of examples of what people do when they try to put backdoors into things we'll start to catch on to the patterns that people try to use to hide backdoors and once we see enough examples maybe we'll get better at finding actual intentional backdoors and crypto and practice and my favorite reason for doing this is it's kind of like a it's kind of like a like a playground where you can invent your own vulnerabilities so imagine imagine you're doing a security audit and and you're you're chasing a vulnerability and it just turns out that by some accident the vulnerability isn't exploitable and you can't write it up in your audit report because it's not not exploitable well submit it to this contest because that would be a good backdoor if it's something that could happen by accident that's a great property of a back door because it's deniable yeah so that's that's why we do this so this year we
were sponsored by the Z cash foundation and NCC group cryptography services so just a little bit about our sponsors the Z cash foundation is a 501 C 3 non-profit supporting research and development for Internet payment and privacy stuff so they focus on Z cash but I think their scope is a little broader than that so if you work in that area you might want to check out their biannual grants they might be able to help you fund your work NCC group if you haven't heard of them they're one of the top firms doing security consulting especially with their cryptography services division they're really talented people and before we get into the actual three submissions that we got this year I want to give a really special thanks to JP for helping us judge again he's been with us since the beginning and to be honest sometimes some of the entries are like way above my level of understanding so if it wasn't for his expertise it would be hard to do this contest so okay let's let's see you came in third this is a
bash script James sent us and basically what it is is you're supposed to give it a bunch of files as command-line arguments and what it's going to do is it's going to encrypt each file with a random password and then at the end print out all the passwords so that you can save them and then do your fires later but the way it does that is its appending the passwords to a temporary file which is fine but then it reads the reads the entire file full of password it's into an array and so the password we want to use to encrypt this file is going to be the last element in the array it's the last password that was generated and what this code here in bold does is it supposed to access the last element of the array but of course it doesn't it accesses one passed the last element and that means all the files are going to be basically encrypted with the empty string so trivially decrypt able the house moving
on to second place LRO's sent us a needs key agreement protocol and the way this works is there's two public parameters called E and n and so when alice is generating her key pair she just generates a random 256 bit number called X and that's her private key and then to get her public key she takes X multiplies it by this huge number e adds another random number R which I won't tell you the details of and then does that modulo N and then that's her public key Bob does the same thing to get a public and private key pair and then when Alice and Bob come together and they want to agree on a shared secret they basically Alice will take her private key multiply it with Bob's public key and Bob will take his private key and multiply that with Alice's public key and because of the way the sizes of all these numbers are tuned if they just chop off everything except the first 256 bits they those those 256 bits that are left will agree and they can use those as a key so this is the backdoor key agreement scheme where's the backdoor well the backdoor is in this parameter e here and I'll explain how that works so basically we're gonna
pick e to be special in some way and the way that we're going to do that is well first idea of the simplest way to do this is just pick ease so that it's multiplicative inverse is small modulo n and so we'll call its multiplicative inverse D and if you have a small multiplicative inverse D then you can just take Alice's Alice's public key which is X sorry it's a Y plus C so sorry no that's not it it's e^x + R and if you multiply that with D the D and the e are gonna cancel out because D is he is multiplicative inverse mod N and so what you're left with is X plus D armada and now you can actually pick you can pick ease so that D is small enough so that X plus D R is less than n so taking the mod is not doing anything you actually have X plus D R and then once you have X plus D are you can further constrain e so that D has the property that X is less than D and then once you have X plus D are you just take that mod D the D are turns into a zero and you just get X so we've recovered Alice's private key that's kind of too easy because like everybody in the world knows E it's a public parameter of the crypto system so we need to make this like a little bit harder for like other people to exploit and the way that this works is instead of making e have a small multiplicative inverse mod n you make it have a small multiplicative inverse mod n minus K where K is some random number and it turns out that if you pick the size of K just right then it's still true that if you multiply a by D and then and then do mod D you still get Alice's private key so it still works but it also the contestant makes an argument that actually if you don't know K if you don't know the secret K then you can't actually use the backdoor it's as hard as breaking RSA to use the backdoor so yeah I think that's pretty cool now onto the first-place winner this one
is actually really simple but it's kind of effective so the idea is if you're gonna do a lip to curve cryptography then you ought to just use a standard curve that like people have researched and study it and like believe is like a good curve to used for elliptic curve cryptography and obviously either there are curves that aren't safe for use with elliptic curve cryptography the curve to make sure that's secure and what this what this submission does is it's basically saying you can you can have the protocol make a bunch of checks of properties of the curve that's checking for all these properties it needs to have in order to be secure but unless you're cartographer and you're familiar with lip to curve crypto you're probably not going to be aware of every single check that needs to be made so you can just leave one of them out and then everybody who doesn't read obscure look the curve papers will not realize that the protocol is actually vulnerable to using a curve that's insecure yeah that's the winner so now that we've seen
the entries they're only three this year but I'll talk a little bit about what our plans are for the future so over the five years that we've been doing this we've accumulated 32 backdoors that people have designed and I think that's enough of a sample size that we can start to draw some general conclusions about what what maybe we can classify backdoors according to certain techniques or something like that or come up with some strategies to be able to detect them and things like that and I actually think that this would be a really good project for an undergraduate if they're doing a research project so if you are an undergraduate or you know one who might be interested in looking over all of their entries we have received so far and distilling knowledge out of that and writing a paper definitely get in touch with us because I will provide as much support for that research as I can and of course if you missed participating this year we're going to be doing this again next year hopefully we'll get a little more entries next year maybe some better prizes so stay tuned for that and before I wrap up I just want to thank our sponsors the Z cash foundation and NCC group cryptography services again because really the prizes are white people send entries so yeah thank you for your attention [Music]