Session
Fahrplan 34C3
Security

We should share our secrets

Shamir secret sharing: How it works and how to implement it
Saal Clarke
Daan Sprenkels
Backing up private keys in a secure manner is not straightforward. Once a backup has been compromised you need to refresh all your key material. For example, the disclosure of a private key of a Bitcoin wallet gives access to the coins inside. This makes it unattractive to store a complete backup of your private key(s) with your bank or your spouse. The better option would be to split the key into multiple parts. The recommended way to do this securely is to use the Shamir secret sharing scheme. This talk provides a detailed breakdown of how the scheme works and explains how it is implemented in C in a new library called SSS.

Shamir secret sharing is a mechanism that securely splits private keys or passwords into independent parts. These parts do not give away the secret on their own. Instead, the user defines the minimal amount of shares needed to restore the original secret. In this way, there is no need to trust a single entity. Additionally, compromise or loss of one share does not mean a compromise or loss of the entire secret. This makes it very suitable for backing up private keys, such as Bitcoin keys. Shamir secret sharing can also be used for passing on your secrets to your trusted successors, in case you get hit by a bus.

In this talk, I will explain in detail how the scheme works. Although it is provably secure for confidentiality, we will see how it fails for integrity and how to fix that. While Shamir published his article almost 30 years ago, most existing libraries for Shamir secret sharing are still implemented poorly in terms of security and side-channel resistance.

I will talk about writing the definitive library for Shamir secret sharing. We will choose suitable parameters and implement the scheme in C. We will see a couple of tricks that cryptographers use for building fast algorithms while still maintaining side-channel resistance. In the end, we (hope to) have produced a robust algorithm ready for easy integration into your favorite project.

Basic understanding of some mathematical topics (such as group theory) may be helpful for this talk, but is not required.

Additional information

Type lecture
Language English

More sessions

12/27/17
Security
oranav
Saal Dijkstra
How I hacked Sasmung eMMC chips: from an indication that they have a firmware - up until code execution ability on the chip itself, relevant to a countless number of devices. It all started when Samsung Galaxy S3 devices started dying due to a bug in their eMMC firmware. I will cover how I figured out there's a firmware inside the chip, how I obtained it, and my journey to gaining code execution on the chip itself — up until the point in which I could grab a bricked Galaxy S3, and fix it ...
12/27/17
Security
Mathias Dalheimer
Saal Adams
Wir retten das Klima mit Elektroautos — und bauen die Ladeinfrastruktur massiv aus. Leider werden dabei auch Schwachstellen auf allen Ebenen sichtbar: Von fehlender Manipulationssicherheit der Ladesäulen bis hin zu inhärent unsicheren Zahlungsprotokollen und kopierbaren Zahlkarten. Ladesäulenhersteller und Ladenetzbetreiber lassen ihre Kunden im Regen stehen — geht das schnelle Wachstum des Marktanteils zu Lasten der Kundensicherheit?
12/27/17
Security
Filippo Valsorda
Saal Dijkstra
The Go implementation of the P-256 elliptic curve had a small bug due to a misplaced carry bit affecting less than 0.00000003% of field subtraction operations. We show how to build a full practical key recovery attack on top of it, capable of targeting JSON Web Encryption.
12/27/17
Security
Artem Kondratenko
Saal Clarke
Year 2017 was rich in vulnerabilities discovered for Cisco networking devices. At least 3 vulnerabilities leading to a remote code execution were disclosed. This talk will give an insight on exploit development process for Cisco IOS for two of the mentioned critical vulnerabilities. Both lead to a full takeover of the target device. Both PowerPC and MIPS architectures will be covered. The presentation will feature an SNMP server exploitation demo.
12/27/17
Security
Saal Borg
Positive Technologies researchers Maxim Goryachy and Mark Ermolov have discovered a vulnerability that allows running unsigned code. The vulnerability can be used to activate JTAG debugging for the Intel Management Engine processor core. When combined with DCI, this allows debugging ME via USB.
12/27/17
Security
argp
Saal Clarke
This talk presents the technical details and the process of reverse engineering and re-implementation of the evasi0n7 jailbreak's main kernel exploit. This work was done in late 2013, early 2014 (hence the "archaeology" in the title), however, it will provide insight into the kernel debugging setup for iOS devices (iDevices), the encountered difficulties and how they were overcome, all of which can be useful for current iOS kernel vulnerability research.
12/27/17
Security
Saal Dijkstra
Do you want to learn how modern binary code obfuscation and deobfuscation works? Did you ever encounter road-blocks where well-known deobfuscation techniques do not work? Do you want to see a novel deobfuscation method that learns the code's behavior without analyzing the code itself? Then come to our talk and we give you a step-by-step guide.