Announcing the Underhanded Champs!

Congratulations!

Before we get into the details of the winning entries, we’d like to thank our fantastic team of judges:

Without the hours they spent pouring over submissions, testing, debating, and reviewing every detail, this would never have been possible.

John Meacham – tinyaesctr

tinyaesctr – A portable, minimal rfc3686 compliant implementation of AES encryption in CTR mode.

This implementation is specifically designed for resource constrained devices, It makes use of static memory buffers and minimal use of pointers to better fit the CPUs used in embedded systems.

Download (make sure you look at exploit/README.txt for all the details)

Gaëtan Leurent – Backdoored Implementation of Stern’s Zero-Knowledge Identification Protocol

Stern described a code-based zero-knowledge identification scheme in 1993, which became the basis of several improved variants. It is quite attractive because it is provably secure, but only uses simple operations (matrix multiplications and bit permutations).

In this work, we add a backdoor to a proof-of-concept implementation from Cayrel et al., with a subtle implementation flaw. The new version still accepts all legitimate provers, and reject almost all illegitimate ones. However, an adversary knowing that the flaw is present can fool the authentication. A similar backdoor can be planted in virtually any implementation of the scheme, and in most later variants.

Download

We will be publishing the remaining entries soon.

The winners will be getting their pick of prizes, provided by our sponsors:

NCC Group LogoLeast Authority

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *