Episode 10: Exploiting Authenticated Encryption Key Commitment!

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext. In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you. Links and papers discussed in the show: How to Abuse and Fix Authenticated Encryption Without Key Commitment Mitra, Ange's software tool for generating binary polyglots Shattered and other research into hash collisions Music composed by Toby Fox and performed by Sean Schafianski . Special Guests: Ange Albertini and Stefan Kölbl.

You can listen to Episode 10: Exploiting Authenticated Encryption Key Commitment! online on Radio and Podcast. Open the player on this page to stream the available audio.

Episode 10: Exploiting Authenticated Encryption Key Commitment! is an episode from Cryptography FM by Symbolic Software.

This episode is 46:34 long.

This episode was published on Dec 1, 2020.

Yes. Use the heart button on the episode page to add it to your favorite episodes list.

Yes. This page shows related episodes from Cryptography FM when more episodes are available from the podcast feed.