On The (In-)Security Of JavaScript Object Signing And Encryption

Detering, Dennis; Somorovsky, Juraj; Mainka, Christian; Mladenov, Vladislav; Schwenk, Jörg

doi:10.1145/3150376.3150379

Cited by 11 publications

(13 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…9 Another short-term mitigation would be enforcing a policy were unencrypted objects are not allowed to access encrypted content anymore -similar to "mixed content" warnings in the web, which are thrown by modern web browsers, for example, when JavaScript code from an insecure resource is to be executed on a secure website (see [7]). In the long term, the PDF 2.x specification should drop support for mixed content altogether 10 -the authors consider it to be a security nightmare. Instead, an encryption scheme should be preferred where the whole document -including its structure -is encrypted to leave no room for injection or wrapping attacks, and to minimize the overall attack surface significantly.…”

Section: Countermeasuresmentioning

confidence: 99%

“…It should strictly prevent a PDF viewer from displaying manipulated content instead of simply showing a warning that 9 We analyzed a dataset of 8,840 encrypted PDF documents obtained from crawling the Alexa top 1 million websites and found only 353 to contain "partial encryption", all of them due to unencrypted metadata streams. 10 Note that there seems to be a trend towards the opposite direction and newer PDF specifications often added flexibility (e.g., "Unencrypted Wrappers" in PDF 2.0). users might just choose to ignore.…”

Section: Countermeasuresmentioning

confidence: 99%

“…The authors abused weaknesses related to the CBC mode of operation and the PKCS#1 v1.5 encryption to reveal encrypted content without having the corresponding password. In 2017, Detering et al adapted the same attacks to the JSON data format [10]. Garman et al presented research on Apple's iMessage protocol and revealed a novel chosen ciphertext attack, which allows an attacker the retrospective decryption of encrypted messages [16].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Practical Decryption exFiltration

Müller

Ising

Mladenov

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. First, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and therefore, exfiltrate the plaintext once the document is opened by a legitimate user. Second, we abuse a flaw in the PDF encryption specification to arbitrarily manipulate encrypted content. The only requirement is that a single block of known plaintext is needed, and we show that this is fulfilled by design. Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels which are based on standard compliant PDF properties.We evaluated our attacks on 27 widely used PDF viewers and found all of them to be vulnerable. We responsibly disclosed the vulnerabilities and supported the vendors in fixing the issues. CCS CONCEPTS• Security and privacy → Cryptanalysis and other attacks; Management and querying of encrypted data; Block and stream ciphers; Digital rights management.

show abstract

Section: Countermeasuresmentioning

confidence: 99%

Section: Countermeasuresmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Practical Decryption exFiltration

Müller

Ising

Mladenov

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…As sensor data pieces are collaborated, the trustworthiness of sensor collaborations is not just the matter of sensor devices or sensor data but, also, the trusted communications. In order to achieve the trustworthiness of sensor data communications, sensor data encryption over JSON has been discussed [26]. The format of data transmission in JSON is in dictionary, where pairs of key and values are listed [5].…”

Section: Jsonmentioning

confidence: 99%

Trustworthiness of Dynamic Moving Sensors for Secure Mobile Edge Computing

Yoon

2018

Computers

View full text Add to dashboard Cite

Wireless sensor network is an emerging technology, and the collaboration of wireless sensors becomes one of the active research areas for utilizing sensor data. Various sensors collaborate to recognize the changes of a target environment, to identify, if any radical change occurs. For the accuracy improvement, the calibration of sensors has been discussed, and sensor data analytics are becoming popular in research and development. However, they are not satisfactorily efficient for the situations where sensor devices are dynamically moving, abruptly appearing, or disappearing. If the abrupt appearance of sensors is a zero-day attack, and the disappearance of sensors is an ill-functioning comrade, then sensor data analytics of untrusted sensors will result in an indecisive artifact. The predefined sensor requirements or meta-data-based sensor verification is not adaptive to identify dynamically moving sensors. This paper describes a deep-learning approach to verify the trustworthiness of sensors by considering the sensor data only. The proposed verification on sensors can be done without having to use meta-data about sensors or to request consultation from a cloud server. The contribution of this paper includes (1) quality preservation of sensor data for mining analytics. The sensor data are trained to identify their characteristics of outliers: whether they are attack outliers, or outlier-like abrupt changes in environments; and (2) authenticity verification of dynamically moving sensors, which was possible. Previous unknown sensors are also identified by deep-learning approach.

show abstract

“…As sensor data pieces are collaborated, the trustworthiness of sensor collaborations is not just the matter of sensor devises or sensor data but also the trusted communications. In order to achieve the trustworthiness of sensor data communications, sensor data encryption over JSON has been discussed [24]. The format of data transmission in JSON is in dictionary, where pairs of key and values are listed [2].…”

Section: Wireless Network Securitymentioning

confidence: 99%

Trustworthiness of Dynamic Moving Sensors for Secure Mobile Edge Computing

Yoon¹

2018

Preprint

View full text Add to dashboard Cite

Wireless Sensor Network is an emerging technology and the collaboration of wireless sensors becomes one of the active research areas to utilize sensor data. Various sensors collaborate to recognize the changes of a target environment, to identify, if occurs, any radical change. For the accuracy improvement, the calibration of sensors has been discussed, and sensor data analytics are becoming popular in research and development. However, they are not satisfactorily efficient for the situations where sensor devices are dynamically moving, abruptly appearing or disappearing. If the abrupt appearance of sensors is a zero-day attack and the disappearance of sensors is an ill-functioning comrade, then sensor data analytics of untrusted sensors will result in an indecisive artifact. The pre-defined sensor requirements or meta-data based sensors verification is not adaptive to identify dynamically moving sensors. This paper describes a deep-learning approach to verify the trustworthiness of sensors by considering the sensor data only, without having to use meta-data about sensors or to request consultation from a cloud server. The contribution of this paper includes 1) quality preservation of sensor data for mining analytics and 2) authenticity verification of dynamically moving sensors with no external consultation.

show abstract

On The (In-)Security Of JavaScript Object Signing And Encryption

Cited by 11 publications

References 20 publications

Practical Decryption exFiltration

Practical Decryption exFiltration

Trustworthiness of Dynamic Moving Sensors for Secure Mobile Edge Computing

Trustworthiness of Dynamic Moving Sensors for Secure Mobile Edge Computing

Contact Info

Product

Resources

About