KIRA Network — Security Challenge Summary & Results

Asmodat
Oct 25, 2020


The KIRA Network Team is pleased to announce the winners and runners-up of our Security Challenge, which was launched on October 22, 2020 at 1AM UTC and announced on our Twitter.

Participants had a chance to win an allocation of 2 ETH worth of KEX and 20 USDT by solving cryptographic challenges posted once every hour on our Telegram channel. The main goal of the challenge was to simulate a real-life scenario in which the KIRA Team publicly communicates a highly important message, such as a public round announcement, contract addresses or other information that everyone must trust. To that end, contestants were asked to verify a PGP signature and to submit, in the provided Google Form, whether or not the signed message can be trusted to have been generated by the KIRA Team.

Statistics

In the overall statistics we only took into account YES and NO answers to the following two questions:

  • Do you think that the PGP signature provided in the challenge is valid?
  • Can the signed message be trusted to be generated by the KIRA Team?

All Challenges — Correct vs Incorrect Answers

In total we received 138 solutions across all 5 challenges, of which over 51% were incorrect. Fortunately, not every incorrect answer would translate into a loss of funds in real life (for example, in the case where a malicious actor simply attempts to fabricate a signature). However, the results imply that the majority of participants found it difficult to verify a signature or to distinguish potentially malicious messages from real ones.

All Challenges — Incorrect Answers Summary

Of those who submitted incorrect answers, almost 10% trusted an entirely invalid signature and over 39% trusted a signature generated by an account that did not have a verified https://kira.network DNS proof. This implies that, in the case of a real malicious act, approximately 24%-51% of all participants could have been misled and potentially coerced into sending assets to an attacker’s account. By far the most common mistake was failing to recognise that, although a signature is valid, it might not have been produced by the PGP key associated with the trusted DNS. Furthermore, none of the contestants who submitted correct answers attempted to verify the PGP key in at least 2 sources, such as Keybase and GitHub. It should be noted that GitHub also lets you check when the key file was last modified, another opportunity to exercise diligence before trusting even a seemingly correct key.

Challenges

Of the 5 challenges, only the last one, #5, contained a message that can be trusted; the first 4 were designed to mislead and to test the true due diligence of the contestants. To better understand the different ways in which a malicious actor can potentially harm others, we will analyze each of the challenges.

Challenge #1

Challenge #1 — Correct vs Incorrect Answers

Challenge Task: link

Correct solution:

  • Is the signature valid: NO
  • Can message be trusted: NO
  • Explanation: The signature could not be verified (checksum mismatch)

The first challenge was one of the simplest, requiring only a single verification step. Despite that, 21% of all participants trusted the unsigned message.

Incorrect Response to One of The Challenges : )

The signature was invalid (which you can verify, for example, at https://verify.kira.network), implying that the message simply cannot be trusted by any means. One of the most misleading characteristics of the signature is that it is a copy of a real and valid signature. Anyone who had seen the correct signature before but relied only on visual comparison would not be able to spot a single-character difference and could be misled by a false message. The lesson of this challenge is to never rely on memory and never trust blindly just because you see some elements resembling cryptography provided to you by a seemingly real person or entity. Don’t Trust. Verify.

Challenge #2

Challenge #2 — Correct vs Incorrect Answers

Challenge Task: link

Correct solution:

  • Is the signature valid: YES
  • Can message be trusted: NO
  • Explanation: The Keybase account associated with the PGP key does not have a verified https://kira.network DNS proof. Furthermore, the associated PGP key does not match the one in the GitHub repository. Finally, the account name “klracore” is a look-alike of the real “kiracore” account, using a lowercase “L” in place of the “i”.

The second challenge was the most difficult for the majority of participants. Over 72% failed to provide the correct answer and over 39% trusted the fictitious account, failing to check whether the correct DNS was associated with it. One of the most misleading characteristics of this challenge was that the account which signed the message had the typo “kLracore” in its name and resembled the real account username “kiracore”. Participants often missed that the name of the account matters far less than the verified DNS associated with it, and whether the PGP key belonging to that account can be verified via multiple sources such as GitHub and https://pgp.kira.network.

Challenge #3

Challenge #3 — Correct vs Incorrect Answers

Challenge Task: link

Correct solution:

  • Is the signature valid: YES
  • Can message be trusted: NO
  • Explanation: The Keybase account associated with the PGP key does not have a verified https://kira.network DNS proof. Furthermore, the associated PGP key does not match the one in the GitHub repository. Finally, the account name “klranetwork” is a look-alike of the “kiranetwork” account, using a lowercase “L” in place of the “i”.

It is encouraging to see that in the third challenge over 8% of participants improved their solutions after having encountered a similar trick in the previous challenge. One of the most misleading characteristics of this challenge was that the account which signed the message had the typo “kLiranetwork” in its name and resembled the real account username “kiranetwork”. Again, participants often missed that the name of the account matters far less than the verified DNS associated with it, and whether the PGP key belonging to that account can be verified via multiple sources such as GitHub and https://pgp.kira.network.

Challenge #4

Challenge #4 — Correct vs Incorrect Answers

Challenge Task: link

Correct solution:

  • Is the signature valid: YES
  • Can message be trusted: NO
  • Explanation: The Keybase account associated with the PGP key does not have a verified https://kira.network DNS proof. Furthermore, the associated PGP key does not match the one in the GitHub repository. The “kiranetwork” account does have a verified DNS proof for https://kira.foundation, which belongs to the KIRA Team; however, the only trusted DNS is https://kira.network, so the signed message cannot be trusted.

The fourth challenge was by far one of the most difficult, although almost 13% of all participants improved on their challenge #2 solutions. The most misleading characteristic of this challenge was that the account which signed the message can be identified as belonging to the KIRA Team, because it carries verified DNS records for the corporate company, as ICANN records indicate. However, there is no verified https://kira.network DNS proof, and the PGP key belonging to that account cannot be verified via multiple sources such as GitHub and https://pgp.kira.network. Furthermore, the account has a verified Twitter account, “@kiranetwork_”, but that is not the same account as the legitimate one, https://twitter.kira.network. All of this implies that the message cannot be trusted.

Challenge #5

Challenge #5 — Correct vs Incorrect Answers

Challenge Task: link

Correct solution:

  • Is the signature valid: YES
  • Can message be trusted: YES
  • Explanation: The Keybase account associated with the PGP key has a verified https://kira.network DNS proof. Furthermore, the associated PGP key matches the one in the GitHub repository.

The final challenge had a real signature, and 80% of all participants correctly identified that the message was indeed signed by the KIRA Team. The 20% failure rate can be attributed to many participants following an induction-like principle and assuming that the next message could not be trusted because none of the previous ones could. This approach is especially dangerous in the reverse scenario, where a series of published signed messages are all valid, so people stop checking each one diligently because of their high confidence in the communication channel.
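The five challenges above all exercise the same two-step check: first, does the signature verify at all (challenge #1); second, is the signing key tied to an account with a verified https://kira.network DNS proof and corroborated by a second independent source such as GitHub (challenges #2 to #5). The Python below is an added example written for this summary, not the KIRA Team’s own tooling. It assumes the signature has already been checked with `gpg --status-fd 1 --verify` and reads only the GOODSIG, BADSIG, ERRSIG and VALIDSIG status keywords; every fingerprint, status line and account record in it is constructed placeholder data, not a real key.

```python
"""Added example: the two-step trust check behind the five challenges.

Question 1 (is the signature valid?) is answered by gpg itself.
Question 2 (can the message be trusted?) is answered only by comparing the
signing key's fingerprint with keys published by an account that carries a
verified https://kira.network DNS proof, and by confirming the same
fingerprint appears in at least two independent sources.
All fingerprints, status lines and accounts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

TRUSTED_DNS = "kira.network"   # the only DNS proof treated as authoritative


@dataclass(frozen=True)
class KeySource:
    """A PGP key as fetched from one place, plus the DNS proofs attached to that account."""
    source: str                          # "keybase", "github", "pgp.kira.network", ...
    account: str                         # account name shown by that source
    fingerprint: str                     # 40 hex chars, primary key fingerprint
    verified_dns: Tuple[str, ...] = ()   # DNS names proven on that source; empty if none


def parse_gpg_status(lines: Iterable[str]) -> Tuple[bool, Optional[str]]:
    """Reduce `gpg --status-fd` output to (signature_valid, signer_fingerprint).

    BADSIG/ERRSIG mean the signature failed; GOODSIG means it verified;
    VALIDSIG carries the signer's fingerprint as its first field.
    """
    good, fingerprint = False, None
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG"):
            return False, None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()
    return good and fingerprint is not None, fingerprint


def trust_decision(status_lines: Iterable[str], sources: List[KeySource],
                   min_sources: int = 2) -> Tuple[bool, bool, str]:
    """Return (signature_valid, message_trusted, reason).

    A valid signature alone never yields trust: the key must be tied to the
    trusted DNS proof and corroborated by `min_sources` independent sources.
    """
    valid, fpr = parse_gpg_status(status_lines)
    if not valid:
        return False, False, "signature could not be verified"
    matching = [s for s in sources if s.fingerprint.upper() == fpr]
    if not matching:
        return True, False, "valid signature, but the key is not published by any checked source"
    if not any(TRUSTED_DNS in s.verified_dns for s in matching):
        return True, False, f"valid signature, but no account publishing this key has a verified {TRUSTED_DNS} proof"
    independent = {s.source for s in matching}
    if len(independent) < min_sources:
        return True, False, f"key seen in only {len(independent)} source(s), {min_sources} required"
    return True, True, f"key {fpr[:8]}... corroborated by {sorted(independent)} with a verified {TRUSTED_DNS} proof"


# --- constructed sample data (placeholders, not real key material) ---------
REAL_FPR = "A1" * 20          # key of the genuine "kiracore" account
LOOKALIKE1_FPR = "B2" * 20    # key of the "klracore" look-alike (challenge #2)
LOOKALIKE2_FPR = "C3" * 20    # key of the "klranetwork" look-alike (challenge #3)
FOUNDATION_FPR = "D4" * 20    # key of "kiranetwork", proven only for kira.foundation (#4)

SOURCES = [
    KeySource("keybase", "kiracore", REAL_FPR, ("kira.network",)),
    KeySource("github", "kiracore", REAL_FPR),          # GitHub holds the key but no DNS proof
    KeySource("keybase", "klracore", LOOKALIKE1_FPR),
    KeySource("keybase", "klranetwork", LOOKALIKE2_FPR),
    KeySource("keybase", "kiranetwork", FOUNDATION_FPR, ("kira.foundation",)),
]


def constructed_status(kind: str, fpr: str = "") -> List[str]:
    """Constructed gpg status lines of the two kinds the challenges produced."""
    if kind == "bad":
        return ["[GNUPG:] BADSIG 0123456789ABCDEF Signer <signer@example.com>"]
    return [f"[GNUPG:] GOODSIG {fpr[-16:]} Signer <signer@example.com>",
            f"[GNUPG:] VALIDSIG {fpr} 2020-10-22 1603328400 0 4 0 1 10 00 {fpr}"]


def challenge_verdicts() -> dict:
    """Map each challenge number to the (valid, trusted) pair the policy produces."""
    cases = {
        1: constructed_status("bad"),                    # copied signature: checksum mismatch
        2: constructed_status("good", LOOKALIKE1_FPR),   # klracore: valid signature, untrusted key
        3: constructed_status("good", LOOKALIKE2_FPR),   # klranetwork: same pattern
        4: constructed_status("good", FOUNDATION_FPR),   # kiranetwork: wrong DNS proof
        5: constructed_status("good", REAL_FPR),         # kiracore: valid and corroborated
    }
    return {n: trust_decision(lines, SOURCES)[:2] for n, lines in cases.items()}


if __name__ == "__main__":
    for n, (valid, trusted) in challenge_verdicts().items():
        print(f"Challenge #{n}: signature valid={valid}, message trusted={trusted}")
```

Running the script reproduces the answer key: only challenge #5 yields both YES answers, while #2 to #4 show that a valid signature with an uncorroborated key (or a key proven for the wrong DNS) is rejected. The `min_sources` rule encodes the point made under Statistics that a key should be checked in at least two places; the "one source" branch is what catches a key that appears on Keybase but nowhere else.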

Results

The rules of the competition stated that only one person can win each challenge and that both the timing and the accuracy of the responses provided on the Google Form count. This was done to create stress conditions in which participants had to rush despite having all the information necessary to solve the challenge, provided in our previous article: Don’t Trust. Verify. We decided to reward everyone who was not first but still provided sufficiently detailed responses, demonstrating full understanding of the verification and validation process, with an allocation allowing them to acquire up to 1 ETH worth of KEX. Although it was not possible to edit submissions, it was possible to re-submit results until midnight, allowing everyone to learn from their mistakes and potentially provide correct and fully detailed answers after analyzing all of the challenges.

The five winners who provided the most accurate responses in the most timely manner receive 20 USDT each and the whitelist allocation allowing them to acquire up to 2 ETH worth of KEX. The email addresses of the winners, Blake3 hashed, are as follows:

  • Challenge #1: 283e7f…d78927
  • Challenge #2: 4dbd68…c28773
  • Challenge #3: 49752f…81f9ef
  • Challenge #4: 431f86…7bb05e
  • Challenge #5: c800e2…0339ee

We would also like to distinguish all those who submitted the most accurate responses in at least one of the challenges but did not manage to do so in a timely manner. They will all be eligible to acquire up to 1 ETH worth of KEX. The email addresses of the runners-up, Blake3 hashed, are as follows:

  • 65676f…cc85bf
  • c229b5…d4d7f9
  • 94f1d5…a996f6
  • c8ed98…c52eda
  • 65e29a…71511a
  • 5c7219…d4feb6
  • 430a09…f058e6
  • b9f191…645d63
  • a42324…d2f25b
  • aa9f15…74cb38

To verify if you are one of the winners:

Step 1: Visit https://connor4312.github.io/blake3/index.html

Step 2: Input the email address that you provided in your submission form

Step 3: The output will be the Blake3 hash of your email

Step 4: Search for the first 6 and last 6 characters of your hash in the lists of winners and runners-up above
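The same check can be done offline, which avoids pasting an email address into a third-party web page. The Python below is an added example for this summary, not the KIRA Team’s tool or the reference BLAKE3 code: it is a from-scratch BLAKE3 restricted to inputs of at most one chunk (1024 bytes), which is plenty for an email address, and reproduces the “first 6 … last 6” format of the lists above. The sample address in it is constructed; the list entries it is matched against are made up in the test, not taken from the winners.

```python
"""Added example: Blake3-hash an email address offline and look it up in the
"first 6 ... last 6" lists. From-scratch BLAKE3 limited to a single chunk
(<= 1024 bytes); the sample address below is constructed.
"""
import struct

IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
MSG_PERMUTATION = [2, 6, 3, 10, 7, 0, 4, 13, 1, 11, 12, 5, 9, 14, 15, 8]
CHUNK_START, CHUNK_END, ROOT = 1, 2, 8   # domain-separation flags used here
MASK = 0xFFFFFFFF


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def _g(s, a, b, c, d, mx, my):
    """The BLAKE3 quarter-round (ChaCha-style mixing of four state words)."""
    s[a] = (s[a] + s[b] + mx) & MASK
    s[d] = _rotr(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotr(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b] + my) & MASK
    s[d] = _rotr(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotr(s[b] ^ s[c], 7)


def _round(s, m):
    # columns, then diagonals
    _g(s, 0, 4, 8, 12, m[0], m[1]);   _g(s, 1, 5, 9, 13, m[2], m[3])
    _g(s, 2, 6, 10, 14, m[4], m[5]);  _g(s, 3, 7, 11, 15, m[6], m[7])
    _g(s, 0, 5, 10, 15, m[8], m[9]);  _g(s, 1, 6, 11, 12, m[10], m[11])
    _g(s, 2, 7, 8, 13, m[12], m[13]); _g(s, 3, 4, 9, 14, m[14], m[15])


def _compress(cv, block_words, counter, block_len, flags):
    """Seven-round BLAKE3 compression; returns the 16-word output state."""
    s = list(cv) + IV[:4] + [counter & MASK, (counter >> 32) & MASK, block_len, flags]
    m = list(block_words)
    for r in range(7):
        _round(s, m)
        if r < 6:
            m = [m[i] for i in MSG_PERMUTATION]
    for i in range(8):
        s[i] ^= s[i + 8]
        s[i + 8] ^= cv[i]
    return s


def blake3_hex(data: bytes) -> str:
    """Default (unkeyed) 256-bit BLAKE3 digest of at most one chunk, as hex."""
    if len(data) > 1024:
        raise ValueError("this example handles a single chunk (<= 1024 bytes) only")
    blocks = [data[i:i + 64] for i in range(0, len(data), 64)] or [b""]
    cv = list(IV)
    for idx, blk in enumerate(blocks):
        words = struct.unpack("<16I", blk.ljust(64, b"\0"))
        flags = 0
        if idx == 0:
            flags |= CHUNK_START
        if idx == len(blocks) - 1:
            flags |= CHUNK_END | ROOT      # last block of the only chunk is the root
        cv = _compress(cv, words, 0, len(blk), flags)[:8]
    return struct.pack("<8I", *cv).hex()


def short_form(hex_digest: str) -> str:
    """Render a digest the way the winner lists do: first 6 and last 6 hex chars."""
    return f"{hex_digest[:6]}…{hex_digest[-6:]}"


def is_listed(email: str, short_hashes) -> bool:
    """Hash the email exactly as typed (case and whitespace matter) and look it up."""
    return short_form(blake3_hex(email.encode("utf-8"))) in set(short_hashes)


if __name__ == "__main__":
    sample = "alice@example.com"   # constructed sample address
    print(sample, "->", short_form(blake3_hex(sample.encode())))
```

The function hashes the exact bytes of the string, so an address typed with a different case or a stray space produces an unrelated digest; enter it exactly as it was submitted in the form. The twelve characters shown in the lists are a lookup key, not a commitment: they identify an entry, but the full 64-character digest is what a stricter comparison would use.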

Summary

We hope that through this challenge many more people became aware of potential threats and can secure themselves in the upcoming public round. It is amazing to see many participants greatly improving their solutions through learning from the challenges and provided material. We want to congratulate all winners and those who participated, trying their best to exercise due diligence. We hope that many of you will join us soon in the upcoming public testnet and thus further contribute to building KIRA Network together.
