Cryptocat Key Generation Vulnerability Put Chats at Risk

Type threatpost
Reporter Michael Mimoso
Modified 2013-07-09T20:43:10


Cryptocat, an open source encrypted Web-based chat application, is taking heat from numerous places after a vulnerability was discovered that put chats at risk for relatively simple decryption, experts say.

Worse, says researcher Steve Thomas who found the flaw, is that it likely was present in the code base going back to 2011. Cryptocat, meanwhile, says the vulnerability was present between versions 2.0 and 2.0.42—a seven-month timeframe—and urges users to update the app to the 2.1 branch.

“Group conversations that were had during those seven months were likely vulnerable to being significantly easier to crack,” Cryptocat said on its development blog.

Thomas disagrees and says the bug has been present since October 2011, and wrote an app called DecryptoCat that cracks the ECC public keys generated by Cryptocat between versions 1.1.147 and 2.0.41. Using a meet-in-the-middle attack, which reduces the number of brute force attempts needed to crack a target, Thomas said his tool can crack a key in less than two hours of computing time. He added that changes made to the keyspace in Cryptcocat version 2.0.42 raises that timeframe to 1,000 computer years of calculations.

“Decryptocat takes advantage of a meet-in-the-middle attack called baby-step giant-step you can effectively square root the key space. So 2^54.15 turns into 2^27.08 and 2^106.3 to 2^53.15,” Thomas wrote. “For Cryptocat versions before 2.0.42, doing a split of 210^9 and 10^7 it takes about a day to calculate data needed to crack any key in few minutes. This only requires tens of gigabytes to store. Doing a 210^8 and 10^8 split it will take an hour to generate and half an hour to crack any private key with that data.”

Thomas said on his blog that Cryptocat has tried numerous encryption iterations, including RSA, Diffie-Hellman and ECC, but uses key sizes smaller than the minimums.

“Cryptocat has one mission, to provide secure communication – which is to say, to encrypt data,” wrote security researcher Adam Caudill on his blog. “The most vital step in any crypto system is the key generation; if you get it wrong, nothing else matters. That code should be well reviewed and understood by multiple people. Cryptocat got this wrong.”

Cryptocat is used by privacy-conscious parties to keep online conversations secure. Activists use it to communicate with people living under oppressive regimes to inform and organize activities; journalists use it with sources to keep interactions private; and there are commercial uses as well, for example, conversations between attorneys and clients.

“When you release code like this to the public, and encourage people to use it – especially those that are at higher risk (i.e. activists), you take on a certain responsibility for ensuring that at least the core functionality is doing what’s expected,” Caudill said. “In this case, the team behind Cryptocat failed. For a year, the entire user base was at risk.”

Cryptocat has apologized and clarified too that its SSL keys have not been compromised as had been rumored, and that it has rotated its SSL keys as a precaution.

“Every time there has been a security issue with Cryptocat, we have been fully transparent, fully accountable and have taken full responsibility for our mistakes,” Cryptocat said. “We will commit failures dozens, if not hundreds of times more in the coming years, and we only ask you to be vigilant and careful. This is the process of open source security.”