Skip to main content

Real World Crypto 2018 (RWC 2018) brain dump

The 2018 edition of Real World Crypto (RWC) was in Zurich (you can find the conference full program here.). I live in Switzerland so I was extremely happy about it. RWC is basically the best conference I ever attended and it will probably be so for a while. I almost risked to skip it due to flu but I eventually managed to attend :)

This short blog post is my brain dump of the event. If you want to know more you can find all the videos of the presentations in this youtube channel. The event lasted 3 days and every day was great. Event like this allowed me to meet personally many people I have interacted previously in a way or the other  and it turns out that a big percentage of people that do (applied) crypto was indeed attending. FWIW I was even able to shortly  ask to the great Prof Boneh about the now legendary Coursera Crypto II :D

Day I

The first day could not start any better. Shay Gueron (from Amazon) did a deep dive into the cryptography behind the AWS cloud. It basically described a  new method AWS uses to avoid the AES GCM Forbidden attack caused by key/nonce reuse (see the great blog post from agl for details). The  Key management services session continued with a talk from Anand Kanagala (Google) where he talked about Google internal KMS and told the story of Gmail outage and how one small bug can have a dramatic impact on billions of accounts and steps taken in order to change the system design. After a small break was the turn of the real crypto (lol) aka  Crypto currencies session
So there were talks about Mimblewimble (featured by Andrew Poelstra from Blockstream) the new crypto-child solution proposed in a text file posted on a Tor hidden service!!! Then (Ian Miers) talked about the genesis, the present and the future of my favorite crypto currencies aka ZCash. And eventually this session concluded with a third talk about some clever attack on Zero Knowledge protocol (Zero knowledge, subversion-resistance, and concrete attacks, tl;dr be careful who is doing the trusted setup in a Zero Knowledge protocol). Sweet.
With no break arrived one of the most important moment of the conference: the award ceremony of Levchin prize. And drumroll the well deserved winners were Hugo Krawczyk (for the development of real-world crytographic schemes with strong security guarantees and proofs) and the entire OpenSSL team (for dramatic improvements to the code quality of OpenSSL). Time for lunch and mingle. And here was the afternoon  sessions. Time for the Attack I session and my favorite talk of the day where Yuval Yarom (University of Adelaide) and Daniel Genkin (UPenn/UMD) showed (with brave demo included) a Side channel attacks on implementations of Curve25519. The day ended with the Usability and privacy session where Emily Stark (Google) talked about Certificate Transparency (great stuff). The day ended with the talk about end-to-end security of group chats where a glitch in Signal/Whatsapp was presented (see Matthew Green's post).

Day II

The second day  started with  the Post-quantum crypto and other new hardware session where people from Microsoft (Melissa Chase  and Patrick Longa) presented Microsoft's owned proposal for the Post-Quantum Cryptography NIST Standardization. After the break the Broken standards session started with a funny Shattered (aka the famous SHA-1 collision) talk delivered by Pierre Karpman. Then (and this is was probably the most awaited talk of the day) THE MAN aka Jann Horn in person presented Spectre and Meltdown. Awesome. Before lunch was the time for several 1 minute long Lightning talks. For the record there were many little rooms that people can use to study or whatever and. E.g. some of us tried to find their way toward zk-snark

The sessions resumed with the TLS session where the ever innovative Nick Sullivan pleased the audience with some pairing and identity-based broadcast encryption used in  Cloudflare's Geo Key Manager. The TLS session could not end without not one but 2 talks about TLS 1.3 delivered by Thyla van der Merwe (Royal Holloway) and David Benjamin (Google). Both were pleasant and (specially the one from David) funny (for us) talks. The day at  Volkshaus Zurich ended with Crypto in the clouds session where Manish Mehta (Netflix) presented the way Netflix handle secrets (in AWS) and the Facebook folks showed how to Scale backend authentication at Facebook . But while the official RWC day ended here pretty many of us were lucky enough to be invited in the Google Zurich Office for an after conference gathering sponsored by Google Research. Someone was even luckier to taste the fateful and tasteful SHA-1 Chartreuse formerly survivor of the Shattered battle

 courtesy of Ange. Thanks!!!

Day III

The third and last day was a bit shorter but as good as the others.  It started with fireworks , indeed Trevor Perrin presented his baby The Noise protocol framework in the New crypto session. Then was the time for an innovative use of Bloom Filter. The Attacks II session were a series of a bit shorter interesting talks and the day ended with the Verification and provable security session that had as highlight the talk about the new formal verification in Firefox.

This was the last talk hence

Risultati immagini per screw guys

see you (hopefully for me) next year for RWC 2019 in California.

I want to thank you anyone I interacted with on these 3 days. It was really fun and formative.


For more crypto goodies, follow me on Twitter.



Comments

Nick Szabo said…

Thanks for sharing about Real World Crypto Conference 2018 and also for the YouTube channel. The entire blog was very refined and precisely explained. I looking for some blog sites regarding crypto conferences and came across with yours and which seems to be very knowledgeable. Another resource I would like to suggest here is jaredschlar.blogspot.com . I came accross with this website while I was researching. I must say he has come up with a lot of of wonderful blogs

Popular posts from this blog

Billion Laugh Attack in https://sites.google.com

tl;dr https://sites.google.com suffered from a Billion Laugh Attack vulnerability that made the containerized environment to crash with a single invocation.
Introduction Few months ago I applied for a talk at a security conference titled Soyouwanna be a Bug Bounty Hunter but it was rejected :(. The reason behind it is that I have been on/off in the bug bounty business for a while as you can see here:
Funny. Found in a forgotten drawer from the time I was a bug hunter :p #facebook#bug#bountypic.twitter.com/Tt4saGZVLI — Antonio Sanso (@asanso) November 30, 2018 and I would have liked to share some of the things I have learned during these years (not necessary technical advises only). You can find a couple of these advises here:


Rule #1 of any bug hunter is to have a good RSS feed list
and here


The rule #2 of any bug hunter is to DO NOT be to fussy with 'food' specifically with "left over"
Today's rule is: The rule #3 of any bug hunter is DO LOOK at the old stuff

and…

Top 10 OAuth 2 Implementation Vulnerabilities

Some time ago I posted a blogpost abut  Top 5 OAuth 2 Implementation Vulnerabilities.
This week I have extended the list while presenting Top X OAuth 2 Hacks at OWASP Switzerland.

This blog post (like the presentation) is just a collection of interesting attack OAuth related.

#10 The Postman Always Rings Twice  I have introduced this 'attack' in last year post . This is for provider implementer, it is not extremely severe but, hey, is better to follow the spec. Specifically

The client MUST NOT use the authorization code  more than once.  If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.

It turned out that even Facebook and Googledid it wrong... :)

#9 Match Point To all OAuth Providers be sure to follow section 4.1.3 of the spec in particular

...if the "redirect_uri" parameter was included in the initial authorization requ…

OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)

Usual Mandatory Disclaimer: IANAC (I am not a cryptographer) so I might likely end up writing a bunch of mistakes in this blog post...

tl;dr The OpenSSL 1.0.2 releases suffer from a Key Recovery Attack on DH small subgroups. This issue got assigned CVE-2016-0701 with a severity of High and OpenSSL 1.0.2 users should upgrade to 1.0.2f. If an application is using DH configured with parameters based on primes that are not "safe" or not Lim-Lee (as the one in RFC 5114) and either Static DH ciphersuites are used or DHE ciphersuites with the default OpenSSL configuration (in particular SSL_OP_SINGLE_DH_USE is not set) then is vulnerable to this attack.  It is believed that many popular applications (e.g. Apache mod_ssl) do set the  SSL_OP_SINGLE_DH_USE option and would therefore not be at risk (for DHE ciphersuites), they still might be for Static DH ciphersuites.
Introduction So if you are still here it means you wanna know more. And here is the thing. In my last blog post I was …