Bitcoin Bounty 💰
shushcli opened this issue · 2 comments
I've used shush to...
- generate a key
- encrypt a tarball containing a bitcoin private key among other things
- split a 3 of 5 shamir of the key
bounty_files.zip contains 2 of the shards and the encrypted payload containing a private key for this address.
If you successfully break the AES or the shamir shares, then you can transfer ~$200 of BTC to your own wallet.
If you submit an issue explaining how you did it, or better yet how to fix it, I'll double the reward.
You're using SSS to split an AES key, and then encrypting a message (with AES-GCM) with the key you hope your recipients recover. This has a weakness that won't let me pilfer your Bitcoin private key from your zip file, but it will allow a different attack that might be relevant to your users' threat models.
A little bit of background: AES-GCM is not key- or message-committing.
What an attacker can do with this knowledge is substitute shares that will recover a different AES key, which will decrypt to a different plaintext. This is true because:
- AES-GCM is not robust against random key replacement, and
- SSS provides no integrity guarantees of the original key (due to its information-theoretic nature).
There are a few ways you can prevent this:
- Commit HMAC-SHA256(some constant || nonce, key) alongside the ciphertext. This defeats the information-theoretic security guarantees of SSS by providing an oracle they can query to validate that they have the correct key when performing the analysis, but that might not matter for this application.
- Replace AES-GCM with AES-{CBC, CTR} (select appropriate) then HMAC-SHA256 of the ciphertext.
You can find related research here.
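The share-substitution half of the attack described in the comment above, as an added example that is not shush's code and does not use shush's field or share encoding: with k-1 honest shares in hand (the two shards in bounty_files.zip, for a 3-of-5 split), an attacker computes a third share such that the three together reconstruct any key of the attacker's choosing, and SSS itself gives the recipient no way to notice. The same block shows the first mitigation from the comment, an HMAC-SHA256 commitment to the key stored alongside the ciphertext, rejecting the forged key. The prime field (2**521 - 1), the commitment label, and the `forge_share`/`commit_key` helpers are assumptions made for this illustration.

```python
"""Added example (not shush's code): forging a Shamir share so that a fixed
set of honest shares reconstructs an attacker-chosen key, and detecting it
with the HMAC key commitment suggested in the thread."""
import hashlib
import hmac
import secrets

# Field for the Shamir polynomial. 2**521 - 1 is a Mersenne prime and
# comfortably holds a 256-bit AES key as an integer. (Assumption: shush's
# real field and share encoding differ; this only shows the algebra.)
P = 2**521 - 1
COMMIT_LABEL = b"shush-key-commitment"  # the "some constant" from the thread (assumed)


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """k-of-n Shamir split: secret is the constant term, other coefficients random."""
    assert 0 <= secret < P and 1 <= k <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate(points, at_x):
    """Lagrange interpolation mod P: value at at_x of the unique polynomial
    of degree < len(points) passing through the given (x, y) points."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at_x - xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, P - 2, P)) % P
    return result


def recover_secret(shares):
    """Honest reconstruction: the polynomial's value at x = 0."""
    return interpolate(shares, 0)


def forge_share(known_shares, target_secret, new_x):
    """Given k-1 honest shares, compute the share at new_x that makes a
    k-share reconstruction yield target_secret. The k-1 honest points plus
    (0, target_secret) pin down a degree k-1 polynomial; evaluate it at new_x.
    The forged share is a point on *a* valid polynomial, so SSS cannot tell."""
    assert all(x not in (0, new_x) for x, _ in known_shares)
    return (new_x, interpolate(known_shares + [(0, target_secret)], new_x))


def commit_key(key_int, nonce):
    """Key commitment from the thread: HMAC-SHA256(constant || nonce, key).
    Stored next to the ciphertext and recomputed after share recovery."""
    key_bytes = key_int.to_bytes(32, "big")
    return hmac.new(key_bytes, COMMIT_LABEL + nonce, hashlib.sha256).digest()


def demo():
    key = int.from_bytes(secrets.token_bytes(32), "big")  # the real AES-256 key
    nonce = secrets.token_bytes(12)
    tag = commit_key(key, nonce)  # shipped alongside the AES-GCM ciphertext
    shares = split_secret(key, 3, 5)

    # Honest recovery with any 3 of the 5 shares.
    honest = recover_secret(shares[0:3])

    # Attacker holds shards 1 and 2 (as in bounty_files.zip) and wants the
    # recipient to end up holding a key of the attacker's choosing.
    evil_key = int.from_bytes(secrets.token_bytes(32), "big")
    forged = forge_share(shares[0:2], evil_key, new_x=5)
    recovered = recover_secret(shares[0:2] + [forged])

    return {
        "honest_ok": honest == key,
        "forged_recovers_evil_key": recovered == evil_key,
        "commitment_accepts_honest": hmac.compare_digest(tag, commit_key(honest, nonce)),
        "commitment_accepts_forged": hmac.compare_digest(tag, commit_key(recovered, nonce)),
    }


if __name__ == "__main__":
    print(demo())
```

The commitment check is what turns the attack into a detectable failure: the recipient recomputes the HMAC over the recovered key and refuses to decrypt on mismatch. As the comment notes, the same tag lets anyone holding k-1 shares test candidate keys offline, which is the trade-off against SSS's information-theoretic secrecy.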