Skip to main content

Real World Crypto 2018 (RWC 2018) brain dump

The 2018 edition of Real World Crypto (RWC) was in Zurich (you can find the conference full program here.). I live in Switzerland so I was extremely happy about it. RWC is basically the best conference I ever attended and it will probably be so for a while. I almost risked to skip it due to flu but I eventually managed to attend :)

This short blog post is my brain dump of the event. If you want to know more you can find all the videos of the presentations in this youtube channel. The event lasted 3 days and every day was great. Event like this allowed me to meet personally many people I have interacted previously in a way or the other  and it turns out that a big percentage of people that do (applied) crypto was indeed attending. FWIW I was even able to shortly  ask to the great Prof Boneh about the now legendary Coursera Crypto II :D

Day I

The first day could not start any better. Shay Gueron (from Amazon) did a deep dive into the cryptography behind the AWS cloud. It basically described a  new method AWS uses to avoid the AES GCM Forbidden attack caused by key/nonce reuse (see the great blog post from agl for details). The  Key management services session continued with a talk from Anand Kanagala (Google) where he talked about Google internal KMS and told the story of Gmail outage and how one small bug can have a dramatic impact on billions of accounts and steps taken in order to change the system design. After a small break was the turn of the real crypto (lol) aka  Crypto currencies session
So there were talks about Mimblewimble (featured by Andrew Poelstra from Blockstream) the new crypto-child solution proposed in a text file posted on a Tor hidden service!!! Then (Ian Miers) talked about the genesis, the present and the future of my favorite crypto currencies aka ZCash. And eventually this session concluded with a third talk about some clever attack on Zero Knowledge protocol (Zero knowledge, subversion-resistance, and concrete attacks, tl;dr be careful who is doing the trusted setup in a Zero Knowledge protocol). Sweet.
With no break arrived one of the most important moment of the conference: the award ceremony of Levchin prize. And drumroll the well deserved winners were Hugo Krawczyk (for the development of real-world crytographic schemes with strong security guarantees and proofs) and the entire OpenSSL team (for dramatic improvements to the code quality of OpenSSL). Time for lunch and mingle. And here was the afternoon  sessions. Time for the Attack I session and my favorite talk of the day where Yuval Yarom (University of Adelaide) and Daniel Genkin (UPenn/UMD) showed (with brave demo included) a Side channel attacks on implementations of Curve25519. The day ended with the Usability and privacy session where Emily Stark (Google) talked about Certificate Transparency (great stuff). The day ended with the talk about end-to-end security of group chats where a glitch in Signal/Whatsapp was presented (see Matthew Green's post).

Day II

The second day  started with  the Post-quantum crypto and other new hardware session where people from Microsoft (Melissa Chase  and Patrick Longa) presented Microsoft's owned proposal for the Post-Quantum Cryptography NIST Standardization. After the break the Broken standards session started with a funny Shattered (aka the famous SHA-1 collision) talk delivered by Pierre Karpman. Then (and this is was probably the most awaited talk of the day) THE MAN aka Jann Horn in person presented Spectre and Meltdown. Awesome. Before lunch was the time for several 1 minute long Lightning talks. For the record there were many little rooms that people can use to study or whatever and. E.g. some of us tried to find their way toward zk-snark

The sessions resumed with the TLS session where the ever innovative Nick Sullivan pleased the audience with some pairing and identity-based broadcast encryption used in  Cloudflare's Geo Key Manager. The TLS session could not end without not one but 2 talks about TLS 1.3 delivered by Thyla van der Merwe (Royal Holloway) and David Benjamin (Google). Both were pleasant and (specially the one from David) funny (for us) talks. The day at  Volkshaus Zurich ended with Crypto in the clouds session where Manish Mehta (Netflix) presented the way Netflix handle secrets (in AWS) and the Facebook folks showed how to Scale backend authentication at Facebook . But while the official RWC day ended here pretty many of us were lucky enough to be invited in the Google Zurich Office for an after conference gathering sponsored by Google Research. Someone was even luckier to taste the fateful and tasteful SHA-1 Chartreuse formerly survivor of the Shattered battle

 courtesy of Ange. Thanks!!!


The third and last day was a bit shorter but as good as the others.  It started with fireworks , indeed Trevor Perrin presented his baby The Noise protocol framework in the New crypto session. Then was the time for an innovative use of Bloom Filter. The Attacks II session were a series of a bit shorter interesting talks and the day ended with the Verification and provable security session that had as highlight the talk about the new formal verification in Firefox.

This was the last talk hence

Risultati immagini per screw guys

see you (hopefully for me) next year for RWC 2019 in California.

I want to thank you anyone I interacted with on these 3 days. It was really fun and formative.

For more crypto goodies, follow me on Twitter.


Nick Szabo said…

Thanks for sharing about Real World Crypto Conference 2018 and also for the YouTube channel. The entire blog was very refined and precisely explained. I looking for some blog sites regarding crypto conferences and came across with yours and which seems to be very knowledgeable. Another resource I would like to suggest here is . I came accross with this website while I was researching. I must say he has come up with a lot of of wonderful blogs

Popular posts from this blog

Slack SAML authentication bypass

tl;dr  I found a severe issue in the Slack's SAML implementation that allowed me to bypass the authentication. This has now been solved by Slack.
Introduction IMHO the rule #1 of any bug hunter (note I do not consider myself one of them since I do this really sporadically) is to have a good RSS feed list.  In the course of the last years I built a pretty decent one and I try to follow other security experts trying to "steal" some useful tricks. There are many experts in different fields of the security panorama and too many to quote them here (maybe another post). But one of the leading expert (that I follow) on SAML is by far Ioannis Kakavas. Indeed he was able in the last years to find serious vulnerability in the SAML implementation of Microsoft and Github. Usually I am more an "OAuth guy" but since both, SAML and OAuth, are nothing else that grandchildren of Kerberos learning SAML has been in my todo list for long time. The Github incident gave me the final…

Cross-origin brute-forcing of Github SAML and 2FA recovery codes

Yesterday while reading my Twitter stream I found this interesting article about  downloading GitHub SSO bypass codes. Same as Yasin Soliman I was invited to a Github pre-release of the organisation SAML single sign-on (SSO) private program. And same as him I found an issue in the same endpoint. So I thought to write a quick blog post about it. Github already published a tl;dr about this,

 I will try to fill the blanks here.

As mentioned by Yasin, Github offers an endpoint where privileged users can recover bypass codes. These recovery codes were accessible for download as plaintext and had the content-type as text/plain, something like:

What immediately caught my attention was that the format of the code forms (with some exceptions) a valid JavaScript file with lines in the format of XXXXX-XXXXX, ten hex digits separated by a hyphen. This is interpreted in JavaScript as the subtraction of two variables! This remember an old blog post of mine where I could possibly exfiltrate informa…

Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516

tl;dr if you are using go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4j with ECDH-ES please update to the latest version. RFC 7516 aka JSON Web Encryption (JWE) hence many software libraries implementing this specification used to suffer from a classic Invalid Curve Attack. This would allow an attacker to completely recover the secret key of a party using JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES), where the sender could extract receiver’s private key.

In this blog post I assume you are already knowledgeable about elliptic curves and their use in cryptography. If not Nick Sullivan's A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography or Andrea Corbellini's series Elliptic Curve Cryptography: finite fields and discrete logarithms are great starting points. Then if you further want to climb the elliptic learning curve including the related attacks you might also want to visit…