Recovering Secret Keys from E2EE Chat Messages using SAT Solvers
We looked into the end-to-end encrypted chat app ginlo and found that it uses the non-cryptographically secure pseudorandom number generator (non-CSPRNG) R250 for some of its random number generation on iOS. This allowed an attacker to recover a user’s long-term identity and message encryption keys from 75 consecutively received messages within a few seconds on a consumer laptop.
SAT solvers have been employed in the past to break other non-CSPRNGs. This talk will first discuss how to identify PRNGs that can efficiently be attacked with SAT solvers and what a SAT solver is, before introducing the R250 PRNG in detail, along with its use in the end-to-end encryption protocol implementation of ginlo’s iOS app. Finally, this knowledge is combined to develop the proof-of-concept attack on ginlo.
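As an added illustration of why R250 is unsuitable as a cryptographic random source (this is not ginlo’s code and not the talk’s proof of concept), the following Python defines R250, shows that any 250 consecutive outputs fully determine all later ones, and gives a recurrence check that distinguishes R250 output from a CSPRNG; the seed values are constructed for reproducibility.

```python
# Added example: minimal R250 generator, predictor and recurrence check.
from collections import deque
import random
import secrets

R250_LEN, R250_TAP = 250, 103   # recurrence: x[n] = x[n-250] XOR x[n-103]
MASK32 = 0xFFFFFFFF


class R250:
    """R250 lagged-Fibonacci XOR generator (Kirkpatrick & Stoll, 1981).

    The state is nothing more than the last 250 outputs: there is no
    hidden internal state and no non-linear output function.
    """

    def __init__(self, seed_words):
        if len(seed_words) != R250_LEN:
            raise ValueError("R250 needs exactly 250 seed words")
        self.hist = deque((w & MASK32 for w in seed_words), maxlen=R250_LEN)

    def next_word(self):
        # hist[0] is x[n-250]; hist[250-103] is x[n-103]
        out = self.hist[0] ^ self.hist[R250_LEN - R250_TAP]
        self.hist.append(out)   # maxlen drops x[n-250], window slides by one
        return out


def predict_next(observed, count):
    """Given any 250 consecutive outputs, compute the next `count` outputs.
    The observed window *is* the generator state, so cloning is immediate."""
    clone = R250(observed[-R250_LEN:])
    return [clone.next_word() for _ in range(count)]


def satisfies_r250(words):
    """True if every word after the first 250 obeys x[n-250] ^ x[n-103].
    Useful when auditing where an app's 'random' values actually come from."""
    return all(words[n] == words[n - R250_LEN] ^ words[n - R250_TAP]
               for n in range(R250_LEN, len(words)))


def demo():
    rng = random.Random(1234)                      # constructed, reproducible seed
    gen = R250([rng.getrandbits(32) for _ in range(R250_LEN)])
    stream = [gen.next_word() for _ in range(300)]
    strong = [secrets.randbits(32) for _ in range(300)]   # CSPRNG for contrast
    return {
        "r250_predicted": predict_next(stream[:R250_LEN], 50) == stream[R250_LEN:],
        "r250_detected": satisfies_r250(stream),
        "csprng_detected": satisfies_r250(strong),
    }
```

Because the recurrence is a plain XOR, it holds independently in every bit position, which is the kind of linear structure that makes partially observed outputs tractable for a SAT solver.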