158 research outputs found
Security Analysis of End-to-End Encryption for Zoom Meetings
In the wake of the global COVID-19 pandemic, video conference systems have become essential not only for business purposes, but also for private, academic, and educational uses. Among the various systems, Zoom is the most widely deployed video conference system. In October 2020, Zoom Video Communications rolled out their end-to-end encryption (E2EE) to protect conversations in a meeting even from insiders, namely, the service provider Zoom. In this study, we conduct thorough security evaluations of the E2EE of Zoom (version 2.3.1) by analyzing their cryptographic protocols. We discover several attacks more powerful than those expected by Zoom according to their whitepaper. Specifically, if insiders collude with meeting participants, they can impersonate any Zoom user in target meetings, whereas Zoom indicates that they can impersonate only the current meeting participants. Besides, even without relying on malicious participants, insiders can impersonate any Zoom user in target meetings, though they cannot decrypt meeting streams. In addition, we demonstrate several impersonation attacks by meeting participants or insiders colluding with meeting participants. Although these attacks may be beyond the scope of the security claims made by Zoom or may already be mentioned in the whitepaper, we reveal the details of the attack procedures and their feasibility in the real-world setting and propose effective countermeasures in this paper. Our findings are not an immediate threat to the E2EE of Zoom; however, we believe that these security evaluations are of value for deeply understanding the security of the E2EE of Zoom.
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
This paper studies two types of attacks on the hash function Shabal. The first attack is a low-weight pseudo collision attack on Shabal. Since a pseudo collision attack is trivial for Shabal, we focus on a low-weight pseudo collision attack, meaning that only low-weight differences in a chaining value are considered. By analyzing the difference propagation in the underlying permutation, we can construct a low-weight (45-bit) pseudo collision attack on the full compression function with complexity 2^84. The second attack is a preimage attack on variants of Shabal-512. We utilize a guess-and-determine technique, which was originally developed for the cryptanalysis of stream ciphers, and customize the technique for a preimage attack on Shabal-512. As a result, for the weakened variant of Shabal-512 using security parameters (p, r) = (2, 12), a preimage can be found with complexity 2^497 and memory 2^400. Moreover, for Shabal-512 using security parameters (p, r) = (1.5, 8), a preimage can be found with complexity 2^497 and memory 2^272. To the best of our knowledge, these are the best preimage attacks on Shabal variants, and the second result is the first preimage attack on Shabal-512 with reduced security parameters.
Generic Key Recovery Attack on Feistel Scheme
We propose new generic key recovery attacks on Feistel-type block ciphers. The proposed attack is based on the all-subkeys recovery approach presented at SAC 2012, which determines all subkeys instead of the master key. This enables us to construct a key recovery attack without taking the key scheduling function into account. With our advanced techniques, we apply several key recovery attacks to Feistel-type block ciphers. For instance, we show 8-, 9- and 11-round key recovery attacks on n-bit Feistel ciphers with 2n-bit keys employing random keyed F-functions, random F-functions, and SP-type F-functions, respectively. Moreover, thanks to the meet-in-the-middle approach, our attack leads to low data complexity. To demonstrate the usefulness of our approach, we show a key recovery attack on the 8-round reduced CAST-128, which is the best attack with respect to the number of attacked rounds. Since our approach derives lower bounds on the number of rounds needed to be secure in the single secret key setting, it can be considered that we unveil the limitations of designing an efficient block cipher, such as a low-latency cipher, from a Feistel scheme.
Some cryptanalytic results on Lizard
Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that by doing random trials it is possible to a set of triplets such that the Key-IV pairs and produce identical keystream bits. Second, we show that by performing only around random trials it is possible to obtain Key-IV pairs and that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around random IV encryptions and around bits of memory. Finally, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256) based on IV collisions.
Improved All-Subkeys Recovery Attacks on FOX, KATAN and SHACAL-2 Block Ciphers
The all-subkeys recovery (ASR) attack is an extension of the meet-in-the-middle attack, which allows evaluating the security of a block cipher without analyzing its key scheduling function. Combining the ASR attack with some advanced techniques such as the function reduction and the repetitive ASR attack, we show improved ASR attacks on the 7-round reduced FOX64 and FOX128. Moreover, improved ASR attacks on the 119-, 105- and 99-round reduced KATAN32, KATAN48 and KATAN64, respectively, and on the 42-round reduced SHACAL-2 are also presented. As far as we know, all of these attacks are the best single-key attacks in the literature with respect to the number of attacked rounds.
Key Committing Security Analysis of AEGIS
Recently, there has been a surge of interest in the security of authenticated encryption with associated data (AEAD) within the context of key commitment frameworks. Security within this framework ensures that a ciphertext chosen by an adversary does not decrypt under two different sets of key, nonce, and associated data. Despite this increasing interest, the security of several widely deployed AEAD schemes has not been thoroughly examined within this framework. In this work, we assess the key committing security of AEGIS, which emerged as a winner in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR). A recent assertion in an IETF document suggests that there are no known attacks on AEGIS in the key committing setting and that AEGIS qualifies as a fully committing AEAD scheme. However, contrary to this claim, we propose a novel O(1) attack applicable to all variants of AEGIS. This demonstrates the ability to execute a key committing attack within the FROB game setting, which is known to be one of the most stringent key committing frameworks. This implies that our attacks also hold in other, more relaxed frameworks, such as CMT-1, CMT-4, and so forth.
New Key Recovery Attacks on Minimal Two-Round Even-Mansour Ciphers
Chen et al. proved that two variants of the two-round n-bit Even-Mansour ciphers are secure up to 2^(2n/3) queries against distinguishing attacks. These constructions can be regarded as minimal two-round Even-Mansour ciphers delivering security beyond the birthday bound, since removing any component from the ciphers causes security to drop back to 2^(n/2) queries. On the other hand, for the minimal two-round constructions, the proved lower bound on the product of data and time complexities (DT) against the other attacks, including key recovery attacks, is 2^n. However, an attack requiring DT close to the lower bound has not been known yet, and thus its tightness is not clear. In this paper, we propose new key recovery attacks on the two minimal two-round Even-Mansour ciphers by using the advanced meet-in-the-middle technique. In particular, we introduce novel matching techniques called partial invariable pair and matching with input-restricted public permutation, which enable us to compute one of the permutations without knowing a part of the key information. Moreover, we present two improvements of the proposed attack: one significantly reduces data complexity and the other reduces time complexity by dynamically finding partial invariable pairs. Compared with the previously known attacks, when the block size is 64 bits, our attacks drastically reduce the required data from 2^45 to 2^26 while keeping the time complexity required by the previous attacks, though our attack requires chosen plaintexts. Importantly, the previous attacks never break the birthday barrier of data complexity due to the usage of multicollisions in the internal state. Furthermore, by increasing time complexity up to 2^62, the required data is further reduced to 2^8, and DT = 2^70, which is close to the proved lower bound 2^64. We show that our data-optimized attack on the minimal two-round Even-Mansour ciphers requires DT = 2^(n+6) in general cases. This implies that adding one round does not sufficiently improve the security of the Even-Mansour ciphers against key recovery attacks.
Security Analysis of SFrame
As people become more and more privacy conscious, the need for end-to-end encryption (E2EE) has become widely recognized. We study herein the security of SFrame, an E2EE mechanism recently proposed to the Internet Engineering Task Force for video/audio group communications over the Internet. Despite being a quite recent project, SFrame is going to be adopted by a number of real-world applications. We inspect the original specification of SFrame and find critical issues that lead to impersonation (forgery) attacks with practical complexity by a malicious group member. We also investigate several publicly available SFrame implementations and confirm that this issue is present in these implementations.
Preimages and Collisions for Up to 5-Round Gimli-Hash Using Divide-and-Conquer Methods
The Gimli permutation was proposed at CHES 2017, and the hash mode Gimli-Hash is now included in the Round 2 candidate Gimli in NIST's Lightweight Cryptography Standardization process. In the Gimli document, the security of the Gimli permutation has been intensively investigated. However, little is known about the security of Gimli-Hash. The designers of Gimli have claimed security against all attacks on Gimli-Hash, whose hash is a 256-bit value. Firstly, we present the trivial generic preimage attack on the structure of Gimli-Hash matching the security bound in both time and memory complexity. Following such a generic preimage attack framework, we then describe specific preimage attacks on the first 2/3/4/5 rounds and the last 2/3/4 rounds (out of 24) of Gimli-Hash using divide-and-conquer methods. As will be shown, the application of the divide-and-conquer methods benefits much from the properties of the SP-box and the linear layer of Gimli. Therefore, this work can also be viewed as a first step towards exploiting specific properties of the SP-box. Finally, the divide-and-conquer method was also applied to a collision attack on up to 5-round Gimli-Hash. Among all the attacks, the preimage attacks on the first and the last 2 rounds of Gimli-Hash are practical. The collision attack on the first 3 rounds of Gimli-Hash is practical. The collision attack and second preimage attack on the last 3 rounds of Gimli-Hash are practical. All practical attacks are experimentally verified. We hope our analysis can advance the understanding of Gimli-Hash.