Details

Autor(en) / Beteiligte

• Albrecht, Martin R.
• Celi, Sofia
• Dowling, Benjamin
• Jones, Daniel

Titel

Practically-exploitable Cryptographic Vulnerabilities in Matrix

Ist Teil von

• 2023 IEEE Symposium on Security and Privacy (SP), 2023, p.164-181

Ort / Verlag

IEEE

Erscheinungsjahr

2023

Quelle

IEEE Xplore

Beschreibungen/Notizen

• We report several practically-exploitable cryptographic vulnerabilities in the Matrix standard for federated real-time communication and its flagship client and prototype implementation, Element. These, together, invalidate the confidentiality and authentication guarantees claimed by Matrix against a malicious server. This is despite Matrix' cryptographic routines being constructed from well-known and -studied cryptographic building blocks. The vulnerabilities we exploit differ in their nature (insecure by design, protocol confusion, lack of domain separation, implementation bugs) and are distributed broadly across the different subprotocols and libraries that make up the cryptographic core of Matrix and Element. Together, these vulnerabilities highlight the need for a systematic and formal analysis of the cryptography in the Matrix standard.