Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext.
In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you.
Links and papers discussed in the show:
* How to Abuse and Fix Authenticated Encryption Without Key Commitment (https://eprint.iacr.org/2020/1456)
* Mitra, Ange's software tool for generating binary polyglots (https://github.com/corkami/mitra)
* Shattered and other research into hash collisions (https://github.com/corkami/collisions)
Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guests: Ange Albertini and Stefan Kölbl.