Multiple Bugs in Multi-Party Computation: Breaking Cryptocurrency's Strongest Wallets

Video Link: https://www.youtube.com/watch?v=iNIWQ5quzio



Duration: 40:06


Omer Shlomovits | Co-Founder, KZen Networks
Jean-Philippe Aumasson | VP Technology, Kudelski Security / Co-Founder, Taurus Group
Date: Thursday, August 6 | 10:00am-10:40am
Format: 40-Minute Briefings
Tracks: Cryptography, Exploit Development

Cryptocurrency wallets in exchange platforms or banks require strong security because they protect vast amounts of money. Some solutions rely on advanced cryptographic methods that distribute trust across multiple parties, in the spirit of Shamir's secret-sharing. These include multi-party computation (MPC) and threshold signature schemes (TSS), a special case of MPC used to sign data in a distributed yet trustless manner. TSS has notably been tested and deployed in major organizations where secret key generation and digital signing are needed. But these techniques, although powerful and "magic" on paper, can prove fragile in practice, as this talk will show.

We introduce MPC and TSS in a way suitable for non-experts, highlighting their unique properties and showing how they can be used to protect enterprise-grade wallets. We review TSS's building blocks, such as verifiable secret sharing and Schnorr signatures, and explain the design and security goals of TSS libraries and how these goals differ from those of traditional cryptography in terms of managing complexity, interactiveness, and composition of protocols.

MPC and TSS seem very secure and state-of-the-art, so what could go wrong?

Complexity is the enemy of security, and this complexity is what we exploit. We describe a new type of logical vulnerability, enabled by extra layers of complexity in TSS implementations, which opens up a new attack surface and enables devastating attacks that allow a malicious participant to sabotage key generation and break TSS's security. This attack could allow an attacker, for example, to empty an organization's cold wallet. We describe a related attack on a major MPC solution used by a leading organization.

We conclude with lessons learned and best practices across the development pipeline of complex cryptographic software, including extensive testing, defense-in-depth controls, how to implement new academic work, and how an audit by specialists should be conducted to be most effective.

Black Hat - USA - 2020 Hacking conference