The CRY.ME project consists in a secure messaging application based on the Matrix protocol containing many cryptographic vulnerabilities deliberately introduced for educational purposes. The CRY.ME application has been specified and developped by ANSSI and CryptoExperts to provide a practical security challenge especially targeting cryptography.

The application presents many different classes of vulnerabilities to identify and, whenever possible, to exploit. The scope of the vulnerabilities introduced in the CRY.ME covers many of the classical domains of cryptography.

All the code and documentation associated with CRY.ME are flawed and have been made specifically in the context of challenging cryptographic competencies.

It MUST NOT BE USED in any context other than educational purposes. We deny any responsability when using CRY.ME as a messaging application, or any part of the CRY.ME source code, in other contexts.

The authors of CRY.ME are from ANSSI and CryptoExperts.

ANSSI:

• Jérémy JEAN
• Louiza KHATI
• Ange MARTINELLI
• Chrysanthi MAVROMATI

CryptoExperts:

• Sonia BELAID
• Ryad BENADJILA
• Thibauld FENEUIL
• Matthieu RIVAIN
• Abdul Rahman TALEB

For questions or remarks regarding CRY.ME, please fill issues on this repository or send an email to cryme@ssi.gouv.fr.

The CRY.ME project is released under the Apache 2.0 license, please check the LICENSE file at the root folder of the project.

CRY.ME heavily relies on source code from the Android element (https://github.com/vector-im/element-android) project, the Matrix SDK project (https://github.com/matrix-org/matrix-android-sdk2), and the Android Yubikit (https://github.com/Yubico/yubikit-android) project. These three projects are under the Apache 2.0 license as well.

CRY.ME is based on Android element (https://github.com/vector-im/element-android), and it shares many features with the original messaging application. Please check the element user guide for more details on how the application works.

For a basic "getting started" documentation, you can refer to the brief howto.

Cryptographic specifications for the CRY.ME application can be found in the cryme_docs folder. We provide two documents for the specifications, as well as the security target that can be used for an evaluation to describe the scope to analyze. The first document crypto_specs_without_vulns contains the specifications without any mention to the cryptographic vulnerabilities and should be the one to use by anyone who wants to give the challenge a try. The second document crypto_specs_with_vulns contains the full cryptographic specifications with mentions of all the vulnerabilities voluntarily introduced in the application. It can be seen as the solution to the challenge.

NOTE: the documents in cryme_docs are in French. This is mainly due to CRY.ME being the result of a French challenge. We might consider translating parts of this documentation in the future. Anyways, any help on this translation through Pull Requests is welcome!

CRY.ME uses element as a basis for the messaging application. In cryme_app, all the source code of the application is present. Beware that this source code is annotated with the vulnerabilities (using comments with CRY.ME.VULN.XX, XX being a vulnerability number).

Of course, for someone wanting to explore the vulnerable source code without any information about the vulnerabilities, these annotations are spoilers. This is why we provide a dedicated way of bundling this source code without the annotations. To do so, go to the cryme_app folder and execute:

cryme_app$ make app_bundle_src
[+] Bundling the source code for vulnerability analysis, please wait ...
[+] You will find your source bundle without vulnerabilities comments here: cry.me.src.bundle.tar.gz at the project root folder!

The compressed bundle will be created in cry.me.src.bundle.tar.gz: you can uncompress it and explore it. The bundling script should only have python3 and tar as dependencies, but we also provide a Dockerfile (you will need docker):

cryme_app$ make app_bundle_src_docker
...

For those who do not want to recompile the CRY.ME application from scratch, it is possible to get the apk files from the following URL:

curl https://www.cryptoexperts.com/cry-me/cry.me.build.tar.gz -o cry.me.build.tar.gz

Once downloaded, you can extract this archive in the cryme_app folder, which will create a build/ subfolder.

The bundle contains debug and release apk both for the CRY.ME application, and for the Yubikit "demo" in order to test your Yubikey on Android if needed. Once untared, the CRY.ME debug apk files are in build/cryme/gplay/debug/and the release ones in build/cryme/gplay/release.

The vector-gplay-universal-debug.apk and vector-gplay-universal-release-unsigned.apk are of particular interest as they are "universal" and should be installable on physical devices or emulators (both arm and x86 flavours) with Android API level at least 29.

Please be aware, however, that the release packages are not signed, and hence not directly installable on target devices (which is not the case of debug packages). Signing apk release packages is out of the scope of the project, please refer to the appropriate Android resources to achieve this.

It is possible to compile the CRY.ME project (producing apk files for Android) using the following command:

cryme_app$ make app_build

This supposes that the following dependencies are installed on your system: openjdk-11-jdk-headless, make, gradle, git, curl. Depending on your system, you may need to adapt your environment variables to launch the build:

cryme_app$ JAVA_HOME=/usr/lib/jvm/default-java LD_LIBRARY_PATH=LD_LIBRARY_PATH:$JAVA_HOME/lib/server/ make app_build

If you do not want to bother with all these dependencies, a Docker version is also available (you will need docker):

cryme_app$ make app_build_docker

This will create a cryme_app/build folder with the various debug and release apk files.

We have tried to make compilation as easy and transparent as possible, but you might also want to install Android Studio and compile CRY.ME by your own means. If so, please follow the steps in the dedicated documentation. Using Android Studio implies to install a rather heavy software, but allows to use the debugger that can come handy when analyzing the application.

Due to the CRY.ME server heavy dependencies (mostly for the embedded Synapse server), we provide a docker-compose file to lauch it. Launching an instance of the server is as easy as going to the cryme_server folder and executing (you will need docker and docker-compose to be installed on your system):

cryme_server$ SYNAPSE_SERVER_NAME=cryme.fr make
...
Starting cryme-db ... done
Starting cryme-synapse ... done
Starting cryme-nginx   ... done
Attaching to cryme-db, cryme-synapse, cryme-nginx
...

NOTE: this command supposes that your user can manage Docker with non-root user. You might either follow this documentation, or use sudo for this make command.

The SYNAPSE_SERVER_NAME environment variable is used to provide the FQDN name of the server (needed by Synapse). We use cryme.fr in the command above. If everything goes well, you should see three containers successfully started: cryme-db, cryme-synapse and cryme-nginx.

Note that we provide two files for docker-compose: the default one (docker-compose.yml) used by the above make command pulls a public image from DockerHub that has been prebuilt for a simpler usage. The second one (docker-compose.build.yml) can be used in case you want to rebuild the server yourself. While this is not necessary for using the application, it might come in handy during a deeper analysis of the application. You can force the local build of the cryme-synapse docker with:

cryme_server$ SYNAPSE_SERVER_NAME=cryme.fr make launch_server_build_synapse

The users and conversation databases are handled by the cryme-db container: they should be consistent across executions of the server. If you want to purge the database and get a clean state with empty databases, you can execute:

cryme_server$ SYNAPSE_SERVER_NAME=cryme.fr make clean
docker-compose rm cryme-db
Going to remove cryme-db
Are you sure? [yN] y
Removing cryme-db ... done
docker-compose rm cryme-synapse
Going to remove cryme-synapse
Are you sure? [yN] y
Removing cryme-synapse ... done
docker-compose rm cryme-nginx
Going to remove cryme-nginx
Are you sure? [yN] y
Removing cryme-nginx ... done

Beware that with this command, you will loose all the existing users and conversations!

In order to make testing CRY.ME easier, we also provide a way to easily test the application on a single computer. We make use of a server instantiated on localhost, and as many emulators instances communicating with it as CRY.ME users you want to emulate. All the sequel have been tested on a x86_64 Linux environment with the following dependencies installed: docker, bash, curl, swig, pcscd, libpcsclite-dev and yubikey-manager. Although any Android emulator image could theoretically be used, the ones we provide are specifically suited to test CRY.ME for two reasons: first of all, they use a custom kernel and system modifications allowing for USB passthough (for communicating with physical Yubikeys), and secondly some system files have been modified for easy network lookups on localhost (for communicating with the local server instance).

Since CRY.ME makes use of Yubikeys as authentication tokens, you will need as many Yubikeys as the number of CRY.ME users you wan to emulate.

NOTE: emulation of CRY.ME uses images with around 12 GB. Beware of this rather large size that will grow with the number of users when creating multiple images!

First of all, launch an instance of the server using the server name cryme.fr (beware that this name is important to keep as it is embedded in the emulator images DNS lookup):

cryme_server$ SYNAPSE_SERVER_NAME=cryme.fr make

You can modify the SYNAPSE_SERVER_NAME with the name of another server instance running on a machine elsewhere in the network/internet, however you should make sure that this name can be properly resolved by a DNS server (which should be the case if the URL is indeed accessible, e.g., from a browser).

Then, go to the cryme_app_emulation folder and proceed with some steps. First, we will create as many emulators instances as we have users to create. For the sake of the example, we take two users (1 and 2) in the following. This supposes that you have two distinct Yubikeys, each one associated with each user: let's call them Yubikey 1 and Yubikey 2.

Create the CRY.ME user 1 emulator instance. Plug Yubikey 1 and execute the create_emulator_image.sh bash script (be sure that only one Yubikey is plugged in at a time):

cryme_app_emulation$ ./create_emulator_image.sh 1
...
[+] Creating image for user 1
[+] Yubikey found with serial 16146863
[+] Emulator base image not present, downloading it!
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 1991M  100 1991M    0     0   119M      0  0:00:16  0:00:16 --:--:--  119M
[+] Copying and untaring the base image ...
[+] Patching the configuration files ...
[+] All should be good for the CRY.ME emulator image 1 (CRYME1), you can launch the emulator now with this user number 1!

Do the same with Yubikey 2 and user 2 (replacing 1 by 2 of course in the previous command line). This might take a while as the base emulator images must be fetched and uncompressed. You can also provide as a second argument the Yubikey serial number to be used for the image to create: in this case, the script does not check that the Yubikey is plugged in (but beware that the serial number must be valid as during execution il will be checked against a physical Yubikey):

cryme_app_emulation$ ./create_emulator_image.sh 1 18283368
[+] Creating image for user 1
[+] We are asked to use Yubikey of serial number 18283368 (forced, NOT checking if the Yubikey is present)
...

All the created images can be cleaned with the same create_emulator_image.sh script using clean as a first argument (all the images will be clean without additional argument), and the image's user number to clean as a second optional argument:

Then, the instances can be launched using the launch_emulator_usb.sh bash script:

cryme_app_emulation$ ./launch_emulator_usb.sh 1
...

Of course, the Yubikey associated with the user must be plugged in. On the first launch, you might be asked to fetch and untar the SDK using make sdk_untar in the cryme_app folder: proceed with this (it should be done once). An emulator window should be opened.

Finally, you can install the compiled CRY.ME application in the emulator using adb. Supposing that the build folder is created following a proper compilation, you can go to the cryme_app folder and execute the make app_install command.

Please ensure that only one instance of the emulator is running when installing (so that there is no ambiguity for adb to know where to install the application).

cryme_app$ make app_install
...
[+] Installing the CRY.ME app
element/matrix-sdk-android/platform-tools/adb install build/cryme/gplay/debug/vector-gplay-universal-debug.apk
Performing Streamed Install
Success

After the installation of the application on every instance for every user, you can begin to use the CRY.ME app while launching all the instances and sign up/sign in users. Please ensure that all the Yubikeys associated to the users you "emulate" are plugged in when you launch the associated images and do not unplug them during your emulation session: qemu USB passthrough is not very resilient to hot (un)plugging. When asked for a server, enter cryme.fr and accept to "trust" it (this is asked because of the self-signed TLS certificates on the demo server). Since the Yubikey might not be necessary after a Sign Up / Sign In, you can also force launching the emulator instance associated to a user with noyubi as a second argument:

cryme_app_emulation$ ./launch_emulator_usb.sh 1 noyubi
[+] Launching the emulator WITHOUT the associated Yubikey (as forced by the command line)
...

NOTE: keep all the necessary Yubikeys plugged in during the whole emulation session.

Here is a little demo for the full workflow of local CRY.ME emulation:

NOTE: in this demo video, during the last part emulating CRY.ME with two users, the two Yubikeys were simultaneously plugged in during the whole emulation session. Please be aware that the emulator does not support hot (un)plugging, so do not unplug you Yubikeys when they are needed (or you will have to launch the instances again).