Security Analysis Reports of Chat Clients
Below is the list of vulnerability reports I have received thus far.
Authors of chat clients with identified vulnerabilities are encouraged to
validate the reports.
Two contributors have already noted that the chat encryption was specified
such that all compatible chat clients use deterministic encryption and
hence have limited security. This answer is therefore closed and will not
yield any more points, with the exception of the refinement mentioned
Mr. Klick (first report) noted correctly that this means none of the chat
clients is CPA secure.
Mr. Schmeisky (second report) claimed that the clients do not have
indistinguishable encryptions in the presence of an eavesdropper. This is
partially correct and is treated as eligible for points. However,
all participants are encouraged to review the report and to make its
statement more precise, based on what they have learned in class.
- All interoperable chat clients encrypt deterministically and are
vulnerable to a CPA attack. This is shown using the khalil_laemmel and
maishak chat clients.
- The khalil_laemmel chat client has a buffer overflow
vulnerability that can be triggered remotely.
Note: The referee requested an improvement of this report's clarity.
- The chat client encryption is deterministic and does not have
indistinguishable encryptions in the presence of an eavesdropper, as
demonstrated using the khalil_laemmel chat client.
- The philipp_ledermann chat client prints out the secret factors
of the RSA modulus during generation. A shoulder surfer with a camera
might capture the information.
- The telleis_akrap_junker chat client stores the secret key
store with access rights that make it world readable. Anyone with read
access to the user's home directory can retrieve a user's private key.
Reporter: Wallisch-Prinz, Pöhle
- The marzin_karger chat client can be crashed by sending a
single colon as the message (after the nick and the separating colon).
- The marzin_karger chat client splits messages into blocks with
a bit length that equals the bit length of the public exponent. If the
public exponent is small, this enables easy message recovery by brute
forcing the (small) plaintext space.
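
The determinism findings above (no CPA security, no indistinguishable encryptions in the presence of an eavesdropper) can be reproduced with the following added example, which is not code from any of the reported clients. It assumes textbook RSA as the deterministic scheme; the toy key, the message and padding sizes, and all function names are constructed for illustration.

```python
import secrets

# Constructed toy key for illustration (assumption: the deterministic scheme
# is textbook RSA). P and Q are the Mersenne primes 2^31-1 and 2^61-1.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
MSG_BITS, PAD_BITS = 24, 64          # hypothetical sizes; padded value < N


def enc_deterministic(m: int) -> int:
    """Textbook RSA: a given plaintext always maps to the same ciphertext."""
    return pow(m, E, N)


def enc_randomized(m: int) -> int:
    """Prepend fresh random bits before encrypting. Illustrative stand-in for
    a vetted padding scheme such as RSA-OAEP; not a secure padding itself."""
    if not 0 <= m < 2**MSG_BITS:
        raise ValueError("message does not fit in MSG_BITS")
    r = secrets.randbits(PAD_BITS)
    return pow((r << MSG_BITS) | m, E, N)


def dec_randomized(c: int) -> int:
    """Decrypt and discard the random prefix."""
    return pow(c, D, N) & (2**MSG_BITS - 1)


def eav_game(encrypt, m0: int, m1: int, rounds: int = 400) -> float:
    """Eavesdropper indistinguishability experiment. Returns the fraction of
    rounds in which an observer who holds only the public key correctly says
    which of two known messages was encrypted. 0.5 is a blind guess."""
    wins = 0
    for _ in range(rounds):
        b = secrets.randbelow(2)              # challenger's hidden bit
        challenge = encrypt((m0, m1)[b])      # ciphertext seen on the wire
        guess = 0 if encrypt(m0) == challenge else 1   # re-encrypt, compare
        wins += guess == b
    return wins / rounds


if __name__ == "__main__":
    m0, m1 = 0x796573, 0x6E6F20           # constructed messages "yes", "no "
    print("deterministic:", eav_game(enc_deterministic, m0, m1))
    print("randomized:   ", eav_game(enc_randomized, m0, m1))
```

A win rate of 1.0 for the deterministic variant against roughly 0.5 for the randomized one is the gap the reports describe.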