Carelessness versus craftsmanship in cryptography#1911
Open. carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/
Content Categories: Based on the analysis, this content was categorized under "🕵️ Crypto -> Symmetric Crypto (add a subsection on AES-CTR nonce/IV reuse exploitation, known-plaintext keystream recovery, and CTR malleability vs AEAD/GCM-SIV); cross-link from TLS & Certificates for X.509 known-plaintext angles".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
What the post is about
Trail of Bits describes an ecosystem-scale cryptography footgun: the JavaScript library `aes-js` and the Python library `pyaes` implement AES-CTR in a way that makes misuse extremely likely. Specifically, their CTR APIs do not require callers to provide an IV/nonce; if none is provided, both libraries silently default to the constant value:
This design choice (and ...
🔧 Technical Details
- CTR/GCM nonce (IV) reuse exploitation: In stream-like modes (CTR, and GCM when nonces are reused), encrypting two messages with the same (key, nonce/IV) reuses the keystream. An attacker who observes both ciphertexts computes C1 ⊕ C2 = P1 ⊕ P2, leaking structure immediately. If any plaintext is known/guessable, the attacker derives keystream bytes (KS = C ⊕ P) and decrypts other ciphertexts produced under that reused nonce/IV.
- Known-plaintext keystream extraction via structured formats: If one reused-IV ciphertext contains highly structured/predictable data (e.g., X.509 certificates, protocol headers, file magic/ASN.1 regions), XORing the known plaintext with ciphertext recovers the keystream for those offsets, which can then be applied to decrypt other secrets encrypted at the same offsets under the same reused keystream.
- Leveraging alignment in serialized secrets: When multiple serialized secrets of the same t...
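The three attack steps above (XOR leak, keystream recovery from a known structured plaintext, reuse of that keystream at the same offsets) plus CTR malleability, as an added, self-contained example. This is not code from the Trail of Bits post, HackTricks, `aes-js` or `pyaes`. Assumptions: the AES block function is replaced by a SHA-256 based stand-in (`block_fn`), since the attack only depends on the keystream being a fixed function of key, nonce and counter; `DEFAULT_NONCE` is a constructed constant standing in for a library's silent default (the real libraries' default value is not reproduced); the PEM-shaped certificate and private key blobs are constructed dummy data.

```python
"""Added example: CTR nonce reuse, known-plaintext keystream recovery, malleability.
Not from the post, HackTricks, aes-js or pyaes; AES is replaced by a hash stand-in."""
import hashlib
import os

BLOCK = 16


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES block encryption E_K(block) (assumption: SHA-256 truncated
    to one block). Every attack below works identically with a real AES primitive."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: E_K(nonce), E_K(nonce+1), ... truncated to `length` bytes."""
    out = bytearray()
    counter = int.from_bytes(nonce, "big")
    while len(out) < length:
        out += block_fn(key, (counter % (1 << 128)).to_bytes(BLOCK, "big"))
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR of two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed constant standing in for a library's silent default nonce/IV.
DEFAULT_NONCE = (1).to_bytes(BLOCK, "big")


def ctr_encrypt(key: bytes, plaintext: bytes, nonce: bytes = DEFAULT_NONCE) -> bytes:
    """Models a CTR API whose nonce is optional: omit it and every message under the
    key shares one keystream. Decryption is the same operation."""
    return xor(plaintext, ctr_keystream(key, nonce, len(plaintext)))


def ctr_encrypt_fresh_nonce(key: bytes, plaintext: bytes) -> bytes:
    """Fix at the CTR level: fresh random nonce per message, prepended to the
    ciphertext. Still unauthenticated, so still malleable; an AEAD (AES-GCM,
    AES-GCM-SIV) is the real answer."""
    nonce = os.urandom(12) + b"\x00\x00\x00\x01"
    return nonce + xor(plaintext, ctr_keystream(key, nonce, len(plaintext)))


# --- attacker side: no key needed ------------------------------------------

def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int = 0) -> bytes:
    """KS = C ^ P over the bytes whose plaintext is known or guessable
    (PEM/ASN.1 headers, a public X.509 certificate, protocol magic)."""
    return xor(ciphertext[offset:], known_plaintext)


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes, offset: int = 0) -> bytes:
    """Apply recovered keystream bytes to another ciphertext at the same offsets."""
    return xor(ciphertext[offset:], keystream)


def forge_ctr(ciphertext: bytes, old: bytes, new: bytes, offset: int) -> bytes:
    """CTR malleability: C' = C ^ old ^ new rewrites a known plaintext field in
    place; the receiver decrypts to `new` and sees no error."""
    delta = xor(old, new)
    return ciphertext[:offset] + xor(ciphertext[offset:], delta) + ciphertext[offset + len(delta):]


# Constructed PEM-shaped blobs (dummy base64, not real DER) used as sample input.
CONSTRUCTED_CERT = (b"-----BEGIN CERTIFICATE-----\n"
                    b"MIIBszCCAVmgAwIBAgIUQ2VydA==\n"
                    b"-----END CERTIFICATE-----\n")
CONSTRUCTED_PRIVKEY = (b"-----BEGIN PRIVATE KEY-----\n"
                       b"MIIEvQIBADANBgkqhkiG9w0BAQ==\n"
                       b"-----END PRIVATE KEY-----\n")


def demo(key: bytes = b"") -> dict:
    key = key or os.urandom(16)  # the attacker never learns this
    # Victim encrypts a public certificate and a private key with the default nonce.
    c_cert = ctr_encrypt(key, CONSTRUCTED_CERT)
    c_key = ctr_encrypt(key, CONSTRUCTED_PRIVKEY)
    # 1. Shared keystream: C1 ^ C2 == P1 ^ P2 with no key involved.
    xor_leak = xor(c_cert, c_key) == xor(CONSTRUCTED_CERT, CONSTRUCTED_PRIVKEY)
    # 2. The certificate is public, so its full keystream is known; the private
    #    key encrypted at the same offsets falls out.
    ks = recover_keystream(c_cert, CONSTRUCTED_CERT)
    recovered = decrypt_with_keystream(c_key, ks)
    # 3. Malleability: flip "user" to "root" inside an encrypted record.
    c_rec = ctr_encrypt(key, b"role=user;uid=1001")
    forged = forge_ctr(c_rec, b"user", b"root", offset=len(b"role="))
    forged_plain = ctr_encrypt(key, forged)  # what the receiver decrypts to
    # 4. With per-message random nonces the XOR of ciphertexts is noise.
    f1 = ctr_encrypt_fresh_nonce(key, CONSTRUCTED_CERT)[BLOCK:]
    f2 = ctr_encrypt_fresh_nonce(key, CONSTRUCTED_PRIVKEY)[BLOCK:]
    fresh_leak = xor(f1, f2) == xor(CONSTRUCTED_CERT, CONSTRUCTED_PRIVKEY)
    return {"xor_leak": xor_leak, "recovered_privkey": recovered,
            "forged_plaintext": forged_plain, "fresh_nonce_leak": fresh_leak}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and `recovered_privkey` comes back as the whole private-key blob without the key ever being touched, because the certificate's length covers every offset of the key material; in practice the attacker gets keystream only for offsets where the known plaintext sits, which is why aligned serialization (same headers, same field positions) matters so much. Step 3 is the argument for AEAD rather than "CTR plus a random nonce": a fresh nonce stops the XOR leak but does nothing against bit-flipping.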
🤖 Agent Actions
Updated crypto/symmetric/README.md with deeper AES-CTR/GCM nonce-reuse exploitation guidance: keystream recovery from known plaintext, structured format leverage (X.509, PKCS#8 alignment), dangers of constant default IVs, and CTR malleability vs AEAD (GCM/GCM-SIV) protections, plus cross-reference to TLS certificates and added reference to the Trail of Bits post.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.