Skip to main content


Il (triste??) stato della crittografia (applicata) in Italia

Ho appena finito di scrivere a proposito dei miei 3 giorni trascorsi al Real World Crypto 2018 (il blog post per chi legge inglese e' qui) e mi sono accorto che non c'e' traccia di nessuna Universita' (ma anche azienda) italiana. Tutto cio' non puo' che rendermi un po' triste. L'Italia aveva una posizione di rilievo nell'"antica" crittografia. Non ci dimentichiamo dell'ormai super obsoleto (ma storicamente rilevante) Cifrario di Cesare per non parlare di volumi come "La crittografia diplomatica, militare e commerciale ossia l'arte di cifrare e decifrare le corrispondenze segrete" di Luigi conte Gioppi di Türkheim!! L'Italia ha tutt'ora crittografi di primo livello, basti pensare a Silvio Micali co-inventore delle Zero Knowledge Proof e vincitore della massima onoreficienza nel campo dell'informatica cioe' il Turing Award. Ora, scusate il mio sfogo, ma considerando che RWC e' di gran lunga la conferenz…
Recent posts

Real World Crypto 2018 (RWC 2018) brain dump

The 2018 edition of Real World Crypto (RWC) was in Zurich (you can find the conference full program here.). I live in Switzerland so I was extremely happy about it. RWC is basically the best conference I ever attended and it will probably be so for a while. I almost risked to skip it due to flu but I eventually managed to attend :)

Current status: -1 to #realworldcrypto . Me sick in bed :( — Antonio Sanso @ RWC (@asanso) January 9, 2018 This short blog post is my brain dump of the event. If you want to know more you can find all the videos of the presentations in this youtube channel. The event lasted 3 days and every day was great. Event like this allowed me to meet personally many people I have interacted previously in a way or the other  and it turns out that a big percentage of people that do (applied) crypto was indeed attending. FWIW I was even able to shortly  ask to the great Prof Boneh about the now legendary Coursera Crypto II :D
Day I The first day could not start any bette…

How to try to predict the output of Micali-Schnorr Generator (MS-DRBG) knowing the factorization. Part II

tl;dr In the previous article of the same series we tried to predict the output of Micali-Schnorr Generator (MS-DRBG) knowing the factorization. In this blog post we continue the effort started in part I showing different strategies.  If you want to skip all my failures and go directly to the (in my humble opinion) most promising approach you can read directly the Solinas Prime and Generalized Mersenne Numbers section below.

If you actually wonder what is MS-DRBG and why I am trying to do it I'd suggest to go back and read the first article.
What I am NOT claiming in this post though is that there is a NSA's backdoor in the ANSI and ISO standards. Introduction and Failure #1 So let's start from were we actually finished the last post. We focused on an easier version of the problem directly extracted from the original Micali Schnorr paper

where the known output is up to 3/4 of the RSA computation and secret state is only 1/4 of the RSA computation.

Assuming we know the fac…

Slack SAML authentication bypass

tl;dr  I found a severe issue in the Slack's SAML implementation that allowed me to bypass the authentication. This has now been solved by Slack.
Introduction IMHO the rule #1 of any bug hunter (note I do not consider myself one of them since I do this really sporadically) is to have a good RSS feed list.  In the course of the last years I built a pretty decent one and I try to follow other security experts trying to "steal" some useful tricks. There are many experts in different fields of the security panorama and too many to quote them here (maybe another post). But one of the leading expert (that I follow) on SAML is by far Ioannis Kakavas. Indeed he was able in the last years to find serious vulnerability in the SAML implementation of Microsoft and Github. Usually I am more an "OAuth guy" but since both, SAML and OAuth, are nothing else that grandchildren of Kerberos learning SAML has been in my todo list for long time. The Github incident gave me the final…

How to try to predict the output of Micali-Schnorr Generator (MS-DRBG) knowing the factorization

The article was modified since its publication. Last update was 09/10/2017 

tl;dr in this post we are going to describe how to try predict the output of Micali-Schnorr Generator (MS-DRBG)  knowing the factorization of the n value. If this sounds like, "why the hell should I care?", you might want to give a look at this great post from Matthew Green about the backdoor in Dual_EC_DRBG. But In a nutshell, quoting Matthew Green : Dual_EC_DRBG is not the only asymmetric random number generator in the ANSI and ISO standards (see at the bottom).   it’s not obvious from the public literature how one would attack the generator even if one knew the factorization of the n values above. What I am NOT claiming in this post though is that there is a backdoor in one of this standard.

The first time I heard about this problem is about couple of weeks ago via this Matthew's tweet: As a curiosity, the NSA didn’t just standardize Dual EC, they also standardized a second sketchy …

CVE-2017-7781/CVE-2017-10176: Issue with elliptic curve addition in mixed Jacobian-affine coordinates in Firefox/Java

tl;dr Firefox and Java suffered from a moderate vulnerability affecting the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not.

Few months ago I was working on a vulnerability affecting the internet standard JWE (slides here) and I got a stroke of luck. Yuppieeee  Basically I was constructing the malicious JWEs needed for the Demo Attack. When something weird happened :S
You can try and share with me the surprise I had, the gist is here

If you try to execute this class with Java 1.7 you basically have

Exception in thread "main" java.lang.IllegalStateException
    at Method)
    at javax.crypto.KeyAgreement.generateSecret(
    at orig.EccJava.getAgreedKey(
    at orig.EccJava.main(