- End-to-end encryption pitfalls: Failing to verify ciphertext-key or ciphertext-plaintext associations when an attacker can specify the key.
Matrix's issue: Matrix doesn't perform authenticated encryption for end-to-end encrypted chat media. It stores encrypted media as plain ciphertext with message details, detaching ciphertext from encryption parameters.
- Timeline: Unsure when it was discovered. The author looked at Matrix security issues in May 2024, sent the report on 2024-05-18, announced the disclosure date on 2024-07-13, the security team recommended publishing on 2024-08-02, and the article went live on 2024-08-18.
- Gripes with the spec: The spec for encrypted attachments has some issues: "should" statements may lead to client ambiguity and hardcoding, it duplicates encryption parameters, and it doesn't specify the hash algorithm. Matrix started adopting RFC 2119 in its spec process 4 days before the post went live.
- Invisible Salamanders attack: A novel attack on AES-GCM shows it's possible to construct a ciphertext/auth-tag pair that decrypts to multiple plaintexts under different keys. The GMAC used by AES-GCM and Poly1305 aren't cryptographic hash functions, so the tag doesn't commit to the key. Mitigations include using a cryptographic MAC or deriving the encryption keys from the secret key. Megolm messages in Matrix are MACed with HMAC-SHA256, but the tag is truncated to 8 bytes, which can be brute-forced.
- Missing Salamanders attack on media encryption: Matrix's media encryption is affected by the Invisible Salamanders attack. The `hashes` field only covers the ciphertext, so any key and IV can be paired with a given ciphertext to yield a different plaintext; up to 2³⁸⁴ different plaintexts are possible.
- Proof of concept: Combined PNG, JPEG, and ZIP files into a hybrid file. Encrypted the hybrid file with AES-CTR using different nonces. Fixed the PNG CRC and re-encrypted the file. Uploaded the encrypted file in an unencrypted chat with different metadata for each file type.
- Why it's a problem: It allows sending malicious files and hiding content. Admins would need the secret 384-bit key to detect it.
- Fixing the issue: Potential remediation involves changing the `EncryptedFile` structure and the encryption method. The key should be randomly generated and used for only one file, and the version and AAD should be updated. It might be useful to cryptographically link uploaded files to events with the Megolm ratchet.
- Going further: Derive the key from the Megolm ratchet for media access authentication. Adding the event ID to the AAD gives more security but increases upload complexity.
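The following is an added illustration of the property behind the Missing Salamanders bullet and the committing-MAC fix above; it is not code from the post or from any Matrix client. It mirrors the weak layout (a `hashes.sha256` over the ciphertext only, with a 32-byte key and 16-byte IV supplied out of band, i.e. 384 attacker-chosen bits) and contrasts it with a scheme whose HMAC-SHA256 tag is keyed from the secret key. To keep it standard-library only, CTR mode runs over a SHA-256-based PRF instead of AES; the binding property being demonstrated does not depend on the block cipher. All function names, the hash-based PRF, and the sample plaintext are constructed here.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-mode keystream from a SHA-256 PRF (stand-in for AES-CTR's block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR mode XORs data with the keystream, so encrypt and decrypt are the same op."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


# --- Weak scheme: the integrity check covers the ciphertext only ---

def encrypt_weak(key: bytes, iv: bytes, plaintext: bytes) -> dict:
    ct = ctr_crypt(key, iv, plaintext)
    # Nothing here binds `key` or `iv` to the ciphertext: whoever supplies them
    # alongside the same blob chooses which plaintext the recipient sees.
    return {"ciphertext": ct, "hashes": {"sha256": hashlib.sha256(ct).hexdigest()}}


def decrypt_weak(key: bytes, iv: bytes, blob: dict) -> bytes:
    if hashlib.sha256(blob["ciphertext"]).hexdigest() != blob["hashes"]["sha256"]:
        raise ValueError("hash mismatch")
    return ctr_crypt(key, iv, blob["ciphertext"])


# --- Committing scheme: MAC keyed from the secret key covers IV and ciphertext ---

def derive_keys(key: bytes) -> tuple:
    """Split one secret into separate encryption and MAC keys (HMAC-based expand)."""
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_committing(key: bytes, iv: bytes, plaintext: bytes) -> dict:
    enc_key, mac_key = derive_keys(key)
    ct = ctr_crypt(enc_key, iv, plaintext)
    # HMAC-SHA256 commits to mac_key, so a different key cannot validate this tag.
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return {"iv": iv, "ciphertext": ct, "tag": tag}


def decrypt_committing(key: bytes, blob: dict) -> bytes:
    enc_key, mac_key = derive_keys(key)
    expected = hmac.new(mac_key, blob["iv"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("tag mismatch: ciphertext was not produced under this key")
    return ctr_crypt(enc_key, blob["iv"], blob["ciphertext"])


def demo() -> dict:
    """Run both schemes on a constructed sample and report what each check accepted."""
    plaintext = b"constructed sample: hello, this is an attachment body"
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)  # 256-bit keys
    iv = secrets.token_bytes(16)                                      # 128-bit IV

    weak = encrypt_weak(key_a, iv, plaintext)
    pt_a = decrypt_weak(key_a, iv, weak)
    pt_b = decrypt_weak(key_b, iv, weak)  # hash check passes, plaintext differs

    strong = encrypt_committing(key_a, iv, plaintext)
    pt_c = decrypt_committing(key_a, strong)
    try:
        decrypt_committing(key_b, strong)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "weak_roundtrip": pt_a == plaintext,
        "weak_wrong_key_passes_hash": True,   # decrypt_weak did not raise for key_b
        "weak_plaintexts_differ": pt_b != plaintext and len(pt_b) == len(plaintext),
        "committing_roundtrip": pt_c == plaintext,
        "committing_rejects_wrong_key": rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second scheme is the shape of the fix the post describes: derive the encryption and MAC keys from one per-file secret, and make the tag cover the IV and ciphertext so that a ciphertext is bound to exactly one key. A hash over the ciphertext alone, as in the weak scheme, proves only that the bytes were not altered in transit, not that the sender's stated key is the one that produced them.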
- Blog details: This is the author's second long-form vulnerability writeup. Comments can be left on the fediverse. Special thanks to Soatok. A Ko-Fi link is provided for buying the author a coffee.