Developers of the Cryptocat application for encrypting communications of activists and journalists have apologized for a critical programming flaw that made it trivial for third parties to decipher group chats.
The precise amount of time the vulnerability was active is in dispute, with Cryptocat developers putting it at seven months and a security researcher saying it was closer to 19 months. Both sides agree that the effect of the bug was that the keys used to encrypt and decrypt conversations among groups of users were easy for outsiders to calculate. As a result, activists, journalists, or others who relied on Cryptocat to protect their group chats from government or industry snoops got little more protection than is typically available in standard chat programs. Critics said it was hard to excuse such a rudimentary error in an open-source piece of software held out as a way to protect sensitive communications.
"It was simply a matter of what I would call a fairly rookie mistake," independent security researcher Adam Caudill told Ars. "They didn't understand the data they were working with. Key generation code is one of the most critical parts of a crypto system because it doesn't matter what else you get right if you get that wrong."
For their part, Cryptocat developers thanked researcher Steve Thomas for reporting the bug and apologized for the error. The vulnerability was fixed in Cryptocat version 2.0.42, although developers recommend users update to the 2.1.* branch of the application.
The bug stems from programming that confused the difference between strings of digits and an array of integers, according to Thomas's recently published autopsy of the bug. As a result, the number of possible keys generated by Cryptocat was 254.15, a number that's far too small to provide adequate protection against crack attacks. Using a technique known as a meet in the middle, Thomas was further able to significantly reduce the number of required key guesses by almost half from 254 to 227.
Thomas wrote an app called DecryptoCat that needed just one day to calculate all possible keys. Once the table is built, the app can locate the decryption key for a specific chat in a matter of minutes, he said. Cryptocat was still using the secure sockets layer protocol to encrypt communications, but SSL alone is inadequate since it's vulnerable to a variety of known attacks. That susceptibility is precisely why activists and other privacy-minded people frequently insist on using programs that offer a much stronger level of encryption.
Given recent revelations that National Security Agency officers routinely store encrypted communications indefinitely, it's reasonable to assume other governments do the same. That means encrypted data could conceivably be deciphered years or decades after it was intercepted as vulnerabilities are uncovered or as new attacks and faster computers become available.
"This is where an issue like this can be so devastating," Caudill wrote in his own analysis of the Cryptocat blunder. "If those encrypted messages have been saved anywhere—any users engaged in activity that their local government doesn't care for are now at risk."
He went on to recommend people not rely on Cryptocat to keep their conversations private until the code and the cryptography in it are thoroughly audited by professional penetration testers and cryptographers. "If a mistake like this was allowed in and overlooked for so long, I've no doubt that other weaknesses exist," Caudill said. Users looking for a safer chat encryption alternative should consider apps bundled with software from the TOR project switching to PGP-encrypted e-mail instead.
Article updated to clarify inadequacy of SSL protection alone, suggest encrypted e-mail instead of TOR bundle.
reader comments
49