Huston: KeyTrap!

Posted Mar 12, 2024 16:11 UTC (Tue) by auerswal (subscriber, #119876)
Parent article: Huston: KeyTrap!

I would not say that "the" vulnerability was described by a University of Twente student five years ago:

1. The KeyTrap[1] paper from ATHENE describes four related vulnerabilities. The University of Twente Bachelor Thesis[2] describes one of these vulnerabilities.

2. The KeyTrap paper describes combining vulnerabilities to create quadratic algorithmic complexity attacks, while the University of Twente Bachelor Thesis only describes a linear algorithmic complexity attack.

3. The University of Twente student did not manage to create a denial of service (DoS), although they tried. The ATHENE researchers could create DoS situations with all their attack methods.

I guess the issue was that the student failed in their attempts to demonstrate a DoS attack, while the ATHENE project demonstrated a 16h DoS of BIND9 with a single DNS request (and more DoS attacks against quite a few DNS resolvers). ;-)

[1]: https://www.athene-center.de/fileadmin/content/PDF/Keytra...
[2]: https://essay.utwente.nl/78777/1/Research_paper.pdf

Huston: KeyTrap!

Posted Mar 16, 2024 2:02 UTC (Sat) by gdt (subscriber, #6284) [Link]

In academic terms, enough that the student's work should have been cited, could have explicitly compared in the Related Work section. Hopefully that will be corrected when the paper meets peer review prior to academic publication. The summary of the ATHENE contribution at the concluding paragraph of the literature review in Related Work is still solid: "In contrast to previous work our KeyTrap attacks do not require multiple packets..." [which itself has a small error -- 'packets' -- which peer review will also hopefully correct].