The Internet of Broken Protocols: Showcase #9

(Joint work with Sophie Schmieg, but mistakes are mine alone)

Nobody remembers why, but poor Bob was arrested and is in jail. He wants to send Alice a secret message. Wilson the warden, however, wants to read and censor messages he doesn't like.

As a compromise, everybody agrees to use the following hybrid encryption protocol:

1/ Bob obtains Alice's public key and Wilson's public key.

2/ Bob symmetrically encrypts his message with a randomly generated message key K.

3/ Bob wraps K under Alice's public key.

4/ Bob wraps K under Wilson's public key.

5/ The final message is a concatenation of 2/, 3/ and 4/.

Wilson can decrypt the message and drop it if he doesn't like it; otherwise he forwards the encrypted message to Alice. Bob has no privacy w.r.t. Wilson, but he can still keep his privacy w.r.t. the rest of the world.

There are two implementations of the protocol:

1/ DJB-certified
- symmetric encryption in step 2/ is ChaCha20-Poly1305 with a randomly generated nonce.
- key wrapping in steps 3/ and 4/ is libsodium's sealed boxes (crypto_box_seal).

2/ FIPS-certified
- symmetric encryption in step 2/ is AES-GCM with a randomly generated nonce.
- key wrapping in steps 3/ and 4/ is Tink's ECIES with NIST P-256, HKDF, and AES-GCM.
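To make the protocol concrete, here is an added example (not code from the original post, from libsodium or from Tink) of the FIPS-flavoured variant, built on the Python `cryptography` package. The key wrapping is ECIES in the shape of Tink's construction, namely an ephemeral P-256 ECDH exchange, HKDF-SHA256 and AES-256-GCM, but it is not Tink's wire format; the HKDF info label, the 4-byte length prefix that lets the receiver split the concatenation of steps 2/, 3/ and 4/, and the banned-word list Wilson screens for are all assumptions made for this example.

```python
# Added example of the warden protocol (FIPS variant). Not the original post's
# code and not Tink's format: the ECIES framing, the HKDF info label, the
# 4-byte length prefix and Wilson's banned-word list are assumptions.
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CURVE = ec.SECP256R1()
NONCE_LEN = 12                    # 96-bit AES-GCM nonce
KEY_LEN = 32                      # AES-256 message key K
EPH_PUB_LEN = 65                  # uncompressed P-256 point: 0x04 || X || Y
TAG_LEN = 16
WRAP_LEN = EPH_PUB_LEN + NONCE_LEN + KEY_LEN + TAG_LEN   # fixed-size wrap blob


def _ecies_kdf(shared_secret, eph_pub):
    # Bind the derived wrapping key to the ephemeral public key (assumed label).
    return HKDF(algorithm=hashes.SHA256(), length=KEY_LEN, salt=None,
                info=b"warden-protocol-ecies" + eph_pub).derive(shared_secret)


def ecies_wrap(recipient_pub, key):
    """Steps 3/ and 4/: wrap K under one recipient's public key."""
    eph = ec.generate_private_key(CURVE)
    eph_pub = eph.public_key().public_bytes(Encoding.X962,
                                            PublicFormat.UncompressedPoint)
    wrap_key = _ecies_kdf(eph.exchange(ec.ECDH(), recipient_pub), eph_pub)
    nonce = os.urandom(NONCE_LEN)
    # The ephemeral point is authenticated as associated data.
    return eph_pub + nonce + AESGCM(wrap_key).encrypt(nonce, key, eph_pub)


def ecies_unwrap(recipient_priv, blob):
    eph_pub = blob[:EPH_PUB_LEN]
    nonce = blob[EPH_PUB_LEN:EPH_PUB_LEN + NONCE_LEN]
    ct = blob[EPH_PUB_LEN + NONCE_LEN:]
    eph = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_pub)
    wrap_key = _ecies_kdf(recipient_priv.exchange(ec.ECDH(), eph), eph_pub)
    return AESGCM(wrap_key).decrypt(nonce, ct, eph_pub)


def bob_seal(message, alice_pub, wilson_pub):
    """Steps 2/ to 5/: one envelope readable by both Alice and Wilson."""
    k = AESGCM.generate_key(bit_length=256)        # step 2/: fresh message key
    nonce = os.urandom(NONCE_LEN)                  # honestly generated nonce
    body = nonce + AESGCM(k).encrypt(nonce, message, None)
    # Step 5/: concatenation of 2/, 3/ and 4/. The body is variable length, so
    # it carries a length prefix; the two wraps are fixed-size (assumed framing).
    return (len(body).to_bytes(4, "big") + body
            + ecies_wrap(alice_pub, k) + ecies_wrap(wilson_pub, k))


def split_envelope(envelope):
    n = int.from_bytes(envelope[:4], "big")
    body, wraps = envelope[4:4 + n], envelope[4 + n:]
    if len(body) != n or len(wraps) != 2 * WRAP_LEN:
        raise ValueError("malformed envelope")
    return body, wraps[:WRAP_LEN], wraps[WRAP_LEN:]


def _open_body(k, body):
    return AESGCM(k).decrypt(body[:NONCE_LEN], body[NONCE_LEN:], None)


def wilson_inspect(envelope, wilson_priv, banned):
    """Warden: unwrap his copy of K, read the message, drop or forward."""
    body, _wrap_alice, wrap_wilson = split_envelope(envelope)
    plaintext = _open_body(ecies_unwrap(wilson_priv, wrap_wilson), body)
    # Wilson can only check that the body authenticates under the key that was
    # wrapped for him; he cannot open the blob wrapped for Alice.
    if any(word in plaintext for word in banned):
        return None                                # censored: message dropped
    return envelope                                # forwarded to Alice unchanged


def alice_open(envelope, alice_priv):
    body, wrap_alice, _wrap_wilson = split_envelope(envelope)
    return _open_body(ecies_unwrap(alice_priv, wrap_alice), body)


def run_exchange(message, banned=(b"escape",)):
    """Full exchange; returns what Alice reads, or None if Wilson dropped it."""
    alice_priv = ec.generate_private_key(CURVE)
    wilson_priv = ec.generate_private_key(CURVE)
    # Step 1/: Bob obtains both public keys.
    envelope = bob_seal(message, alice_priv.public_key(), wilson_priv.public_key())
    forwarded = wilson_inspect(envelope, wilson_priv, banned)
    return None if forwarded is None else alice_open(forwarded, alice_priv)


if __name__ == "__main__":
    print(run_exchange(b"Dear Alice, the food here is terrible."))
    print(run_exchange(b"Dear Alice, I plan to escape tonight."))
```

Note what the warden's check does and does not establish: Wilson unwraps his own copy of the key, verifies the AES-GCM tag under that key and reads the result. Nothing in the envelope lets him confirm that the blob wrapped for Alice contains the same key, which is exactly the question the challenge poses.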

Your challenge, if you accept it, is to help Bob bypass the censorship!

Bonus: does your attack still work if the protocol is Saltpack, JWE, AWS envelope encryption (i.e., Wilson and Alice each allow Bob to use their master key in AWS KMS), or age?

Please email me your writeup.

Update: let's assume nonces are honestly generated and keys are wrapped correctly. Otherwise they can be used as trivial covert channels. I have to admit that this challenge is way less cool now :-(. H/T to Manoj Kasichainula for pointing this out.

Past challenges: