
Not Sealed: Practical Attacks on Nostr, a Decentralized Censorship-Resistant Protocol.pdf

Uploader: 竿*** ID: 981915 2025-11-29 70 pages 6.02 MB

#BHUSA BlackHatEvents

Not Sealed: Practical Attacks on Nostr, a Decentralized Censorship-Resistant Protocol

Speakers: Hayato Kimura
Contributors: Ryoma Ito, Kazuhiko Minematsu, Shogo Shiraki and Takanori Isobe
Keywords: Distributed SNS, signature verification bypass, CBC mode malleability, cache poisoning, plaintext recovery
(Also, IEEE EuroS&P 2025)

Our Team

Ryoma Ito (NICT)
Kazuhiko Minematsu (NEC)
Shogo Shiraki (University of Hyogo)
Takanori Isobe (The University of Osaka)
Hayato Kimura: Researcher at NICT, Japan (National Institute of Information and Communications Technology); Ph.D. candidate at The University of Osaka; Research field: Applied Cryptography & Protocol Security

The dawn of the Distributed SNS

Distributed SNS

Federated: Authentication by a single service provider. Service providers are interconnected, but identity is managed like a centralized SNS.
Self-sovereign: Signed Post. Signing Key (identity). Service providers are independent. User's identity is managed by the user.
Diagram labels: User auth, Post

Quite different architecture from traditional centralized SNS/messaging

Research Questions
How to trust public keys?
New architecture, new attack surface?

Open, censorship-resistant social-network
1.1 million registration users
No centralized authority, users must manage
Public-key-based identities
A secp256k1 key pair defines who you are; every post carries a signature
Zero barriers to participation
Anyone can run a relay server or client
Covers most of the attractive features

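Based on the report, the following is a concise summary of its main content:

1. **Research background**: Nostr is a decentralized social network protocol characterized by decentralization and censorship resistance, but it has security vulnerabilities.
2. **Research team**: Composed of researchers from NICT in Japan, including Ryoma Ito, Kazuhiko Minematsu, Shogo Shiraki, Takanori Isobe and Hayato Kimura.
3. **Research method**: Analyzed 56 Nostr specifications and 9 implementations, found vulnerabilities in 7 key functions, and implemented 8 attacks.
4. **Main findings**:
   - Breaking the confidentiality of encrypted messages.
   - Breaking the integrity of all items (such as profiles and contact lists).
   - Impersonating other users.
   - Hijacking micropayments.
5. **Attack causes**: Design flaws in the cryptographic protocol and implementation flaws.
6. **Attack examples**:
   - Profile forgery.
   - Encrypted message forgery and URL recovery.
   - Micropayment hijacking.
7. **Mitigations**: Use authenticated encryption (AE), such as AES-GCM or ChaCha20-Poly1305, and separate keys.
8. **Summary**: Decentralized architectures carry unexplored risks and rewards, and call for multi-layered security and responsible disclosure.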