ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Sergio De Los Santos The Attack on SolarWinds Reveals Two Nightmares: What Has Been Done Right and What Has Been Done Wrong All cyber security professionals now know at least part of what was originally thought to be “just” an attack on SolarWinds, which has just truned out to be one...
ElevenPaths Cybersecurity Weekly Briefing 13-19 June Ripple 20 Vulnerabilities in TCP/IP Software JSOF researchers have discovered 19 0-day vulnerabilities, collectively called Ripple 20, in the TCP/IP software library developed by Treck that would affect more than...
Miguel Ángel Martos Has the Office as We Know It Come to an End? 2020 has had a difficult start. We have learned that what was “usual” may not be the best. We should reconsider this idea of “the office” as the centre...
ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Sergio De Los Santos The Attack on SolarWinds Reveals Two Nightmares: What Has Been Done Right and What Has Been Done Wrong All cyber security professionals now know at least part of what was originally thought to be “just” an attack on SolarWinds, which has just truned out to be one...
ElevenPaths Detected an extension in Chrome Web Store, active from February, that steals credit cards We have detected an extension for Google Chrome, still active, that steals data from web site forms visited by the victims. This extension, which is still available on Chrome...
ElevenPaths Trend Report: Hacktivist CyberThreats Report 2019 An analytical report that includes the periodic scanning of the hacktivist threat’s behavior in five observation rings: Europe and the United Kingdom, North America, Latin America, MENA / Asia...
ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Antonio Gil Moyano Homeworking: Balancing Corporate Control and Employee Privacy (I) At this point in time and looking back on 2020, nobody would have imagined the advance in the digitalisation of organisations and companies due to the irruption of homeworking...
Pablo Alarcón Padellano Securing your Cloud Native Applications in AWS in the New Normal The New Cloud Adoption Reality Yes, we are facing a New Normal, and we are living a new cloud adoption reality as well. Enterprise cloud adoption accelerates in face of...
ElevenPaths What Kind of Professionals Work in Our Security Operations Center (SOC)? Discover the different profiles of the SOC professionals in this post, who work day and night to provide the best security to our customers.
Rock, Paper, Scissors and Other Ways to Commit Now and Reveal LaterGonzalo Álvarez Marañón 17 November, 2020 Have you ever played rock, paper, scissors? I bet you have. Well, let’s put the tin lid on it: how would you play through the phone? One thing is clear: the first one to reveal his choice loses for sure. If you shout “rock”, the other will say “paper” and you will lose again and again. The question is: how do you get both of you to commit to a value without revealing it to the other party? In real life, paper envelopes and boxes are used to stick to a value without revealing it. For example, a judge of a jury writes his verdict on a piece of paper and puts it in a sealed envelope. When the envelopes are opened, you can no longer back out. Can cryptography create an even more secure envelope or digital box? What a question, of course! Let’s see how we can play rock, paper, scissors over the phone thanks to cryptography. Creating Commitment Schemes Through Cryptographic Protocols In cryptography, a commitment scheme allows one to stick to a value that will remain hidden until the moment it must be revealed and there will be no going back. Using the box analogy: you keep your message in a locked box and give the box to someone else. Without the key, they cannot read your message. Even you cannot change it, because the box is in their possession. When you give them the key, they will open the box and then, yes, they could read the message. As you can see from this simple example, a commitment scheme consists of two phases: The commitment phase: you keep the message under lock in a box and send the box.The disclosure phase: the receiver of the box opens it with your key and reads the message Mathematically, this scheme can be represented as follows: c = C (r, m) In other words, commitment c is the result of applying a public C function to a random value r and a message m. When the sender subsequently discloses the values of r and m, the receiver can recalculate c and, if it matches the original, will know that there has been no cheating. To consider it safe, any commitment scheme must satisfy the following two requirements: Secrecy (or concealment): at the end of the first phase, the receiver does not obtain any information about the committed value. This requirement must be met even if the recipient is cheating. Concealment protects the interests of the sender.Unambiguous (or linked): given the message committed in the first phase, the receiver will find the same value in the second phase after the legal “opening” of the commitment. This requirement must be met even if the sender is cheating. Linking protects the interests of the receiver. A simple way to perform this scheme digitally is by using cryptographically secure hash functions as a C-commitment function. Imagine that our good old friends Alice and Bob want to play rock, paper, scissors on the phone. They can send each other the following information using the generic H hash functionand a random value rA, as shown in the picture: At the end of the protocol, Bob needs to verify that the value of the hA hash sent by Alice is equal to the H ( rA || “rock” ) value calculated by himself. If both values match, he knows that Alice has not cheated. The result of this protocol is that Alice loses the game because paper wraps rock. Let’s follow the above protocol from Alice’s perspective. She first commits to the “rock” value by sending Bob the hA hash value. For his part, Bob will not yet be able to determine that Alice has committed to that value, as Bob doesn’t know the random rA value used and Bob is unable to reverse the hash function. The fact that Bob cannot determine which value has been committed is the “secret” (or “hidden”) property of the commitment scheme. As soon as Bob sends his own “paper” value to Alice, she knows that she has lost, but she is unable to cheat, since for tricking Bob she would have to invent a different value for the random rA value, let’s say rA’, that meets H( rA’ || “scissors” ) = H( rA || “rock” ). But this fraud would imply that Alice can find collisions in the hash function, which is considered (computationally) impossible (technically, the hash function is required to be resistant to the second preview). This is the “unambiguous” (or “linking”) property of the commitment scheme: that Alice cannot change her mind after the disclosure phase. The use of hashes as a commitment function is the simplest way to implement a commitment scheme. However, in real applications, the commitment may be required to exhibit some special properties, such as homomorphism, which require more sophisticated mathematical functions, based on variants of Diffie-Hellman, ElGamal or Schnorr. One of the best known examples is Pedersen commitment, which is very simple and has the following property, which is very useful in many situations: if you have committed two messages m1 and m2 m1 to the c1 and c2 values, respectively, then the product of the two commitments, c1 × c2, is equal to the commitment of the sum of the m1 + m2 messages. Applications of Commitment Schemes Commitment schemes are experiencing new applications thanks to the recent development of new cryptographic protocols: Just as we started the article by playing rock, paper, scissors over the phone, we could use versions of the commitment schemes for any other game of chance played remotely: from flipping a coin to playing mental poker and others.Another application of the commitment schemes together with the Zero-Knowledge Proof is the construction of zero knowledge databases, in which queries can be made that only reveal whether a property consulted is true or not, such as whether a person is of age or has a sufficient balance in his account, but without revealing either his age or his balance. In this application a special scheme called mercurial commitment is used.The commitment schemes are also a key part of a verifiable secrecy sharing scheme: the distribution of secrecy among several individuals is accompanied by commitments of the parts of the secret held by each. The commitments do not reveal anything that could help a dishonest party, but after the commitments of the parties have been revealed, each individual can verify whether the parties are correct.Commitment schemes are also being used in optimal and credible auctions, where the bidder must commit to the value of a bid without the possibility of backing out.Polyswarm uses commitment schemes along with smart contracts at Ethereum. Polyswarm is a decentralised threat intelligence marketplace where threat detection is encouraged by putting money into the game – NCT. Different manufacturers’ engines can bet money based on trust in their own detections. They commit their verdict by calculating the Keccak hash on the sample of potential malware along with a random number. This hash represents their commitment on the artefact. After an engine has been pronounced, there is no turning back. Once the commitment window has been closed, during which the engines could make their predictions, they reveal their original verdict and their random number. Those who made correct evaluations are rewarded, while those who failed in their prediction lose their bets. In this way, Polyswarm rewards honest market participation, encouraging quality and unique malware detection. Online auctions, Internet gambling, smart contract signing, secure database searches, secure multiparty computing, Zero-Knowledge Proof, … there are many applications that require information to be securely hidden until it can be revealed. As interest in public computing environments, such as blockchain, grows, commitment schemes will continue to provide confidence and encourage new secure technologies to flourish. How Traditional CA’s Are Losing Control of Certificates and Possible Reasons Why Chrome Will Have a New Root StoreThe Challenge of Online Identity (I): Identity Is the New Perimeter
ElevenPaths Cyber Security Weekly Briefing January 9-15 Sunburst shows code matches with Russian-associated malware Kaspersky researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a...
Sergio De Los Santos The Attack on SolarWinds Reveals Two Nightmares: What Has Been Done Right and What Has Been Done Wrong All cyber security professionals now know at least part of what was originally thought to be “just” an attack on SolarWinds, which has just truned out to be one...
Antonio Gil Moyano Homeworking: Balancing Corporate Control and Employee Privacy (I) At this point in time and looking back on 2020, nobody would have imagined the advance in the digitalisation of organisations and companies due to the irruption of homeworking...
Innovation and Laboratory Area in ElevenPaths 46% Of the Main Spanish Websites Use Google Analytics Cookies Before the Consent Required by The Spanish Data Protection Agency (AEPD) Over the past few months, many IT departments have been busy carrying out this task of adaptation in order to comply with the new regulations on cookies. Every time...
Carlos Ávila WhatsApp terms and conditions update – a cheeky move? Surely by now many have already accepted the new terms and privacy policies without really knowing what they were about or their impact on the privacy of their data,...
ElevenPaths Cyber Security Weekly Briefing January 2-8 SolarWinds Update To end the year, Microsoft published an update of its findings regarding the impact of the SolarWinds incident on its systems. In this release, it emphasizes that neither...