On Verifiable Delay Functions - How to Slow Burning the Planet Down (Verifiably)

In this blog post I am going to talk about some really cool cryptographic research done by Luca De Feo, Simon Masson, Christophe Petit and myself around a relatively new cryptographic construction called Verifiable Delay Functions (VDF from now on). I know at this point you are thinking that the title of this blog post was yet another clickbait link, but I promise that if you bear with me until the end you are not going to be disappointed. If you have never heard about VDF, fret not: I will try to ELI5 this concept. So fasten your seat belt.
The history of VDF is actually pretty neat; indeed, it seems that the concept was growing slowly through the years before finally being formalized. This is somehow evident looking at the links in .
VDF were formally introduced by (the legendary) Boneh, Bonneau, Bünz and Fish in a seminal paper less than a year ago (June 2018). The paper contained only some weak form of VDF construction (based on univariate permutation …
Recent posts

Persistent XSRF on Kubernetes Dashboard using Redhat Keycloak Gatekeeper on Microsoft Azure

tl;dr I found an XSRF in the OAuth implementation of Redhat Keycloak Gatekeeper. This would be a bit worse for people using Gatekeeper to protect their Kubernetes Dashboard (especially in Microsoft Azure).
The Issue in Keycloak Gatekeeper
Keycloak Gatekeeper is an OpenID Proxy service for Keycloak, an Identity and Access Management solution developed and open-sourced by RedHat (now IBM).
Solutions like this are often used to protect things like Kubernetes Dashboard (unless you want to do like Tesla and expose your Kubernetes Dashboard unauthenticated to the internet) and this (for the record) is why I came across the issue. I will postpone a deeper analysis of the Kubernetes Dashboard to a future post. The issue is dead simple and I have already talked about this several times. This was also defined by Egor Homakov as the Most Common OAuth2 Vulnerability (and it looks like he was right :p). Basically the Keycloak Gatekeeper developers forgot to implement a really important piece (in OA…

Billion Laugh Attack in

tl;dr suffered from a Billion Laugh Attack vulnerability that made the containerized environment crash with a single invocation.
Introduction
A few months ago I applied for a talk at a security conference titled Soyouwanna be a Bug Bounty Hunter but it was rejected :(. The reason behind it is that I have been on/off in the bug bounty business for a while as you can see here:
Funny. Found in a forgotten drawer from the time I was a bug hunter :p — Antonio Sanso (@asanso) November 30, 2018
and I would have liked to share some of the things I have learned during these years (not necessarily technical advice only). You can find a couple of these pieces of advice here:

Rule #1 of any bug hunter is to have a good RSS feed list
and here

The rule #2 of any bug hunter is to DO NOT be too fussy with 'food' specifically with "left over"
Today's rule is: The rule #3 of any bug hunter is DO LOOK at the old stuff


Micali-Schnorr Generator (MS-DRBG) Part III - Zero Knowledge Proof Wanted!!

See also Part I and Part II of this series
This is going to be a short blog post about the (in)famous Micali-Schnorr Random Number Generator (MS-DRBG). See Part I and Part II of this series for more information about this topic.

WHO: NIST published the specification for the Micali-Schnorr Random Number Generator (MS-DRBG) in NIST Special Publication 800-90 ISO 18031. Along with the explanation of the core algorithm, the documents contain the specification's moduli, which are claimed to be of the form n = pq with p = 2p1 + 1, q = 2q1 + 1, where p1 and q1 are (lg(n)/2 – 1)-bit primes.
N.B. a prime of the form p = 2p1 + 1, where p1 is also a prime, goes under the name of Safe Prime; such primes are often used in cryptography for both RSA and DH.
WHAT: Now we can look at the NIST Special Publication 800-90 ISO 18031's moduli and simply believe that those moduli are of the claimed form, but maybe that is not a great idea (see the WHY section). Going to N(SA)IST and just asking for the factori…

The Ugly Duckling in factoring aka the filtering steps part I

People who know me well are well aware that prime numbers have been my obsession since my childhood and they are a source of continued interest for me. Actually, thanks to cryptography they are a relevant part of my everyday life. One of the most important problems in cryptography since the discovery of RSA is factoring. The factoring problem consists of finding the prime numbers p and q given a large number, N = p x q.
Unless you are still convinced that factoring is an easy peasy problem, you should know that, while probably not NP-complete, factoring is indeed reaaally hard.
The fastest known method for factoring is currently NFS (Number Field Sieve) and if you are interested in the topic I suggest you read this beautiful article from the great Carl Pomerance titled "A Tale of Two Sieves". But it is not what I wanted to talk about today, mainly because the complete algorithm and all its shades go well beyond my current knowledge.
Today instead I want to talk to you about one…

Bug bounty left over (and rant) Part III (Google and Twitter)

tl;dr in this blog post I am going to talk about some bug bounty left over with a little rant.

Here you can find bug bounty left over part I and II
Here you can find bug bounty rant part I and II
Introduction
In one of my previous posts I was saying that:

"The rule #1 of any bug hunter... is to have a good RSS feed list."
Well well well allow me in this post to state rule #2 (IMHO)

"The rule #2 of any bug hunter is to DO NOT be too fussy with 'food' specifically with left over"

aka even if the most experienced bug hunter was there (and it definitely was my case here, given the fact we are talking about no one less than filedescriptor) do not assume that all the vulnerabilities have been found! So if you want some examples here we go.
Part I - Google
I have the privilege to receive from time to time a Google Vulnerability Research Grant. One of the last I received had many target options to choose from, but one in particular caught my attention, namely Google Issue T…

The (sad??) state of (applied) cryptography in Italy

I have just finished writing about my 3 days spent at Real World Crypto 2018 (the blog post, for those who read English, is here) and I noticed that there is no trace of any Italian university (or company, for that matter). All this can only make me a bit sad. Italy held a prominent position in "ancient" cryptography. Let us not forget the by now super obsolete (but historically relevant) Caesar cipher, not to mention volumes such as "La crittografia diplomatica, militare e commerciale ossia l'arte di cifrare e decifrare le corrispondenze segrete" by Luigi conte Gioppi di Türkheim!! Italy still has first-rate cryptographers; just think of Silvio Micali, co-inventor of Zero Knowledge Proofs and winner of the highest honor in the field of computer science, namely the Turing Award. Now, forgive my rant, but considering that RWC is by far the conference…