Unlinkable credentials made easy via confidential computing

Member states of the European Union shall soon implement the updated regulation on electronic identity and introduce digital identity wallets (EUDIW). The accompanying Architecture and Reference Framework (ARF), still under development, has been criticized for the lack of unlinkability of credential presentations. The linkability is rather straightforward and follows from the properties of common public-key signature schemes: a presentation carries the issuer's signature unchanged, and that signature is a constant value that any two verifiers can compare. Anonymous credentials and zero-knowledge proofs have repeatedly been suggested as a more suitable, or even the only practical, way to achieve unlinkability. I propose confidential computing as a simpler, more practical and more secure alternative.
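To make that linkability concrete, here is an added illustration of my own, not code from the post it summarises: a toy credential in the salted-digest style used by SD-JWT and ISO mdoc, signed with textbook RSA on the classic 3233 modulus (assumed toy parameters, not a real issuer key). The wallet discloses disjoint attribute sets to two verifiers, yet both presentations carry the same issuer signature and the same digest list, so colluding verifiers can link them without any shared attribute.

```python
import hashlib
import os

# Toy textbook RSA issuer key (the classic p=61, q=53 example; assumed here, NOT secure).
ISSUER_N, ISSUER_E, ISSUER_D = 3233, 17, 2753


def digest_mod_n(data: bytes) -> int:
    """Hash the signed body into the RSA modulus range (toy stand-in for a padded hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ISSUER_N


def rsa_sign(data: bytes) -> int:
    return pow(digest_mod_n(data), ISSUER_D, ISSUER_N)


def rsa_verify(data: bytes, sig: int) -> bool:
    return pow(sig, ISSUER_E, ISSUER_N) == digest_mod_n(data)


def attribute_digest(name: str, value: str, salt: str) -> str:
    return hashlib.sha256(f"{salt}:{name}:{value}".encode()).hexdigest()


def signed_body(digests: dict) -> bytes:
    """Canonical list of per-attribute digests; this, not the attribute values, is what the issuer signs."""
    return ",".join(f"{k}={digests[k]}" for k in sorted(digests)).encode()


def issue(attributes: dict) -> dict:
    """Issuer: salt and hash every attribute, then sign the list of digests (SD-JWT / mdoc style)."""
    salts = {k: os.urandom(16).hex() for k in attributes}
    digests = {k: attribute_digest(k, v, salts[k]) for k, v in attributes.items()}
    return {"attributes": attributes, "salts": salts, "digests": digests,
            "signature": rsa_sign(signed_body(digests))}


def present(credential: dict, disclose: list) -> dict:
    """Wallet: reveal only the chosen attributes (with their salts).
    The digest list and the issuer signature travel unchanged, because the verifier needs them."""
    return {"digests": credential["digests"],
            "signature": credential["signature"],
            "disclosed": {k: (credential["attributes"][k], credential["salts"][k]) for k in disclose}}


def verify(presentation: dict) -> bool:
    """Verifier: check the issuer signature over the digests, then each disclosed value against its digest."""
    if not rsa_verify(signed_body(presentation["digests"]), presentation["signature"]):
        return False
    return all(attribute_digest(k, v, salt) == presentation["digests"][k]
               for k, (v, salt) in presentation["disclosed"].items())


def linked(p1: dict, p2: dict) -> bool:
    """Two colluding verifiers: the constant issuer signature (and digest list) is a tracking identifier.
    Either value alone links in practice; both are compared here only because the 12-bit toy modulus
    makes accidental signature collisions between different credentials plausible."""
    return p1["signature"] == p2["signature"] and p1["digests"] == p2["digests"]


def demo() -> tuple:
    # Constructed sample credential; the two verifiers see disjoint attribute sets.
    cred = issue({"name": "Alice", "birth_year": "1990", "city": "Zurich"})
    to_bar = present(cred, ["birth_year"])      # age check: discloses only the birth year
    to_bank = present(cred, ["name", "city"])   # KYC: discloses name and city
    overlap = set(to_bar["disclosed"]) & set(to_bank["disclosed"])
    return verify(to_bar), verify(to_bank), linked(to_bar, to_bank), overlap


if __name__ == "__main__":
    print(demo())  # (True, True, True, set()): both valid, linkable, no attribute in common
```

Selective disclosure hides attribute values but not the credential itself; whatever the verifier must receive to check the issuer's signature is, by construction, the same bytes at every presentation.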


Root certificates, eIDAS and the commendable laws of mathematics

A couple of months ago, many members of the cybersecurity community urged EU legislators to reconsider parts of the future eIDAS regulation. Since 2021, opposition has repeatedly been voiced by the industry, academia and NGOs.

The experts criticize the plan to mandate the (unconditional) inclusion of government-approved certificate authorities in the trust stores of all web browsers and thus shift control from tech companies towards governments.

The approach to anonymous credentials within digital wallets is also of concern. The regulation shall enable privacy-preserving technologies in certain scenarios; many in the cybersecurity community would rather see them made mandatory.

It appears that the EU refuses to budge and the scientists are not happy. Neither am I, but for different reasons.


Two kinds of cryptography - can a government tell the difference?

Some three decades ago, Bruce Schneier famously wrote:

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.

I remembered the quote as I came across a (minor) government using the wrong kind of cryptography. As one would expect, they do have some reasonable security protocols in place. These are complemented, rather surprisingly, by several examples of cryptography your kid sister can break. Why can a government not tell the difference?


Tampering with ZRTP encrypted calls

I built a small encrypted VoIP system based on SIP. After a few experiments I settled on a FreeSWITCH server and Linphone clients and configured the use of ZRTP, probably the only reasonably documented interoperable protocol for encrypted calls. ZRTP offers what is now commonly called "end-to-end" encryption: the call is encrypted and the key is only available to the clients. Getting the system up and running was surprisingly easy; making it secure turned out to be a challenge. The way SIP and ZRTP are implemented in Linphone and other free software clients allows the server to listen to the calls.


The ciphertext that was not

A couple of days ago I wrote about universal ElGamal ciphertexts and about the importance of digital signatures. Although the story of a rather unremarkable piece of malware served us well as an example, it was not an example a reader could easily relate to or get their hands on. This time, I provide real-world examples in the form of actual messages and keys made of genuine bits.

ElGamal encryption is a mandatory part of OpenPGP, a comprehensive cryptographic standard also used to secure electronic mail. Until about 2009, ElGamal was the default public-key encryption method of GNU Privacy Guard, a free software implementation of OpenPGP. This text is about universal OpenPGP ciphertexts, fake encryption keys silently disabling encryption and about the importance of digital signatures.
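As an added illustration of the two failure modes named above (my own example, not the post's code; the toy 23-element group is assumed for readability, and the post's actual OpenPGP constructions may differ): textbook ElGamal, a ciphertext whose first component is 1 and therefore decrypts to the same plaintext under every private key, a fake public key of 1 that makes every ciphertext carry the plaintext in the clear, and the checks an encryptor and a decryptor need to reject both.

```python
import secrets

# Toy multiplicative group: 5 generates Z_23^* (assumed small parameters for readability; NOT secure).
P, G = 23, 5


def keygen(x=None):
    """Private exponent x and public key y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1 if x is None else x
    return x, pow(G, x, P)


def encrypt(y, m, k=None):
    """Textbook ElGamal (c1, c2) = (g^k, m * y^k) mod p, with no validation of y."""
    k = secrets.randbelow(P - 2) + 1 if k is None else k
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x, c):
    """m = c2 * (c1^x)^-1 mod p, with no validation of c1."""
    c1, c2 = c
    return (c2 * pow(c1, -x, P)) % P  # negative exponent = modular inverse (Python 3.8+)


def universal_ciphertext(m):
    """c1 = 1 (g^k with k = 0 mod p-1) gives c1^x = 1 for every x, so c2 decrypts to the same
    plaintext under every private key: the message was never secret, yet every recipient 'decrypts' it."""
    return 1, m % P


def fake_public_key():
    """y = 1 is accepted by naive encryption; y^k = 1 for every k, so c2 equals m in the clear."""
    return 1


def public_key_ok(y):
    """Reject the trivial elements 0, 1 and p-1 (order 1 or 2). A real implementation working in a
    prime-order subgroup would additionally check subgroup membership."""
    return 1 < y < P - 1


def safe_encrypt(y, m):
    if not public_key_ok(y):
        raise ValueError("refusing to encrypt to a degenerate public key")
    while True:
        c = encrypt(y, m)
        if 1 < c[0] < P - 1:  # never emit a c1 of order 1 or 2 (k = 0 or k = (p-1)/2)
            return c


def safe_decrypt(x, c):
    c1, _ = c
    if not 1 < c1 < P - 1:
        raise ValueError("degenerate ciphertext: c1 has order 1 or 2")
    return decrypt(x, c)


def demo():
    m = 7
    x_alice, y_alice = keygen(3)
    x_bob, y_bob = keygen(11)
    u = universal_ciphertext(m)
    c_fake = encrypt(fake_public_key(), m)  # "encrypted" to the fake key
    return {
        "normal": decrypt(x_alice, encrypt(y_alice, m)) == m,
        "universal_alice": decrypt(x_alice, u),  # 7 for Alice...
        "universal_bob": decrypt(x_bob, u),      # ...and 7 for Bob, and for anyone else
        "fake_key_leaks_plaintext": c_fake[1] == m,
    }


if __name__ == "__main__":
    print(demo())
```

Neither the universal ciphertext nor the fake key is detectable from the fact that decryption "works"; only a check on the received key and on c1, or a signature binding the key to its owner, tells the two apart from honest use.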


Mallory messages Mallory

Typical applications of cryptography involve several distinct parties in a protocol. That might be part of the reason why cryptography has become so complicated. Even in simpler scenarios, where the sender and the recipient of a message are essentially the same person, there are applications for the arguably more advanced public-key primitives. There is also plenty of room for mistakes to be made.

Mallory has managed to install malware onto a machine she normally has no business accessing. To carry out her evil plans, she has set up a way to control the victim machine remotely: she is able to send commands to and receive responses from the malware running there. This text is about the way Mallory applies cryptography to secure her messages.


MELANI meets Peter

It was recently revealed that the network of the Swiss company RUAG had been compromised. The GovCERT unit of the federal Reporting and Analysis Centre for Information Assurance (MELANI) was involved in the investigation and released a technical report on the espionage case.

Over a few dozen pages, the document explains how the attack was probably carried out. The report also provides information on the malware used by the attackers. There is a rather remarkable five-page section on how a particular piece of malware implemented cryptography. Let us have a closer look at what GovCERT had to say and what was missing.
