Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Do one thing right…

Everybody’s favorite whipping boy, Cryptocat, is back in the news today – and it’s bad. Really bad. Steve Thomas has found a major flaw in the way Cryptocat generated ECC keys. Due to this flaw, the keyspace was only $2^{54.15}$, well below a secure level. Add a meet-in-the-middle attack, and this is further reduced to $2^{27.08}$ – which, based on my rough estimates, is just slightly more secure than a paper bag.

The end result, of course, is that anyone can crack the keys in a frighteningly short amount of time.

This flaw means that any group messages sent over nearly a year (a figure the project disputes) are wide open to attack. Personally, I would operate under the assumption that any message sent during that time has been read (or will be) – hopefully by somebody not interested in you. It probably hasn’t been, but there’s no way to know.

If you’re going to do one thing, do it right.

Cryptocat has one mission: to provide secure communication – which is to say, to encrypt data. The most vital step in any crypto system is key generation; if you get it wrong, nothing else matters. That code should be well reviewed and understood by multiple people. Cryptocat got this wrong.

Steve does a great job explaining the issue here, but the short version is that the person who wrote the code – and anyone who has reviewed it since – didn’t understand what they were doing. That simple.

When you release code like this to the public and encourage people to use it – especially those who are at higher risk (e.g. activists) – you take on a certain responsibility for ensuring that at least the core functionality is doing what’s expected. In this case, the team behind Cryptocat failed. For a year, the entire user base was at risk.

I recently mentioned Cryptocat in my OPSEC article:

Last year was painful for Cryptocat – the last audit may have been clean, but who knows what else may be found.

When I wrote that, I wasn’t expecting it to be a bug that rendered the group chat encryption nearly pointless. While in their blog post they seem to downplay the issue, I won’t – for a year, group chat was completely broken.

Crypto Is Hard

There’s no doubt that crypto is hard; everybody agrees on that. Or, said more accurately, doing it right is hard.

Writing key generation code scares me; I’m paranoid that I’ll get it wrong. So I take extra time to review it in detail, then have other people review it in detail. I don’t release it to a ‘production’ environment until I’m as sure as I can be that it’s right. Can mistakes still make it in that way? Sure – but the odds are a lot lower.

This kind of code needs to be reviewed by people competent in crypto systems, and built to a specification designed by a real cryptographer. It can be expensive and time-consuming, but that’s what it takes to keep the promises an application like Cryptocat makes.
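To make the numbers from the opening paragraph concrete, and to show the kind of check the review described here should include, the following is an added example of mine; it is not Cryptocat’s code and not Steve Thomas’s analysis. It samples a key generator, estimates the effective keyspace from the distinct symbols seen at each position, and applies the meet-in-the-middle halving that takes $2^{54.15}$ to $2^{27.08}$. The function names, the 128-bit acceptance threshold, and the weak generator are my assumptions for illustration: the weak generator is a constructed digits-only example and does not reproduce the actual Cryptocat bug.

```python
import math
import secrets

KEY_LEN = 32  # bytes; a 256-bit key should carry 256 bits of entropy


def strong_keygen():
    """Correct generator: every byte drawn uniformly from all 256 values (CSPRNG)."""
    return secrets.token_bytes(KEY_LEN)


def weak_keygen():
    """Constructed weak generator for illustration (NOT Cryptocat's code):
    every byte is an ASCII decimal digit, so each position has only 10 values."""
    return bytes(ord("0") + secrets.randbelow(10) for _ in range(KEY_LEN))


def estimate_keyspace_bits(keys):
    """Upper-bound estimate of the effective keyspace in bits.

    Counts the distinct symbols seen at each position across the sample and
    sums log2(alphabet size) per position. Positions are assumed independent,
    so this can only over-estimate true entropy; a low result is a hard fail."""
    length = len(keys[0])
    if any(len(k) != length for k in keys):
        raise ValueError("all sampled keys must have the same length")
    bits = 0.0
    for i in range(length):
        alphabet = {k[i] for k in keys}
        bits += math.log2(len(alphabet))
    return bits


def meet_in_the_middle_bits(keyspace_bits):
    """Work factor (in bits) after a meet-in-the-middle split: a key built from
    two independent halves costs ~2^(n/2) time (and memory) instead of 2^n."""
    return keyspace_bits / 2


def review_keygen(keygen, samples=5000, expected_bits=8 * KEY_LEN, minimum_bits=128):
    """Sample a generator and report whether its effective keyspace is acceptable.
    The 128-bit floor is an assumed review threshold, not a figure from the post."""
    keys = [keygen() for _ in range(samples)]
    bits = estimate_keyspace_bits(keys)
    return {
        "estimated_bits": bits,
        "expected_bits": expected_bits,
        "mitm_bits": meet_in_the_middle_bits(bits),
        "acceptable": bits >= minimum_bits,
    }


if __name__ == "__main__":
    for name, gen in (("strong", strong_keygen), ("weak", weak_keygen)):
        r = review_keygen(gen)
        print(f"{name}: ~{r['estimated_bits']:.2f} of {r['expected_bits']} bits "
              f"(meet-in-the-middle ~2^{r['mitm_bits']:.2f}) acceptable={r['acceptable']}")
    # The post's figures follow the same halving: 2^54.15 -> 2^27.08
    print(f"post's keyspace after meet-in-the-middle: 2^{meet_in_the_middle_bits(54.15):.2f}")
```

Run it and the strong generator reports close to 256 bits, while the constructed weak one reports about 106 bits (32 positions with 10 symbols each) and fails the threshold. The estimate is deliberately an upper bound: it cannot prove a generator is good, but a generator that fails it is certainly broken, which is exactly the kind of cheap, mechanical check that belongs in a review of key-generation code before it ships.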

Just how bad could it be?

Based on recent disclosures, we know that the NSA has decided to store encrypted communication for later analysis, and I think it’s safe to say that other countries follow suit. So it’s likely there are stored Cryptocat communications floating around in various spy agency archives. These agencies may have already found this issue and used it to read messages, or – now that it’s public – they can do so easily.

This is where an issue like this can be so devastating: if those encrypted messages have been saved anywhere, any users engaged in activity their local government doesn’t care for are now at risk.

Personally, I wouldn’t trust Cryptocat until it’s had a true code audit (the pen-test they had last year clearly doesn’t count) and its crypto systems have been reviewed by a true cryptographer. If a mistake like this could get in and be overlooked for so long, I’ve no doubt that other weaknesses exist.
