Abstract
In this paper, we propose the Midgame Security attack model, in which it is assumed that at some point in the middle of a computation with a secret key, after some secure work (typically but not necessarily the initial work), a powerful adversary sees the entire internal state and attempts key recovery or forgery. This security model is motivated by a few trends. First and primarily, it represents a setting in which part of the computation is done in a possibly insecure environment (e.g., the emerging modes of cloud server delegation, a hosting environment, a general-purpose PC, the cloud, etc.), where the insecure environment performs the bulk of the work after some initial or intermediate (relatively small amount of) work at a trusted location that holds the cryptographic keys (a client, a co-processor, trusted hardware with leakage countermeasures, an enclave in the cloud, etc.). Second, from a leakage perspective, the model represents total leakage of the system at some point after some secured work has been done without leakage (perhaps at a different location). The model is novel (though, superficially, it has a flavor of forward security), and is most meaningful for demonstrating exposures of constructions with an obviously lengthy progression of computation (e.g., MACing or (authenticated) encrypting of long messages) that is done without the cryptographic keys present, and where we want short usage of the keys (to minimize their exposure). In these cases, during the initial secure period the key may be blended into the state of the computation, and the attacker's task is to recover that key in spite of the blending, from the leakage of an environment which never holds any key. We employ the new model to analyze numerous concrete cryptosystems and mainly find key recovery or forgery attacks. We first compare HMAC based on the SHA-3 finalists in this new midgame security model.
One thing we show is that the domain extension of Keccak, called the sponge construction, is exposed in an HMAC-Keccak mode, and thus if there is an exposed state, the key is recoverable. Secondly, we analyze the midgame security of several popular message authentication codes, encryption, and authenticated-encryption (AE) schemes. We show that all known (authenticated) encryption schemes based on block ciphers, and six of the seven ECRYPT stream ciphers we examined, are not secure against midgame attacks. We note that, from the point of view of risk analysis of overall systems, midgame attacks, which may use a strong (but realizable) state exposure attack, may nevertheless open the door to new exposures deserving of consideration.
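The following is an added toy illustration, not code from the paper or from Keccak, of why an exposed sponge state in the midgame model hands over the key: the absorb step is a bijection, so an adversary who sees the state after some public message blocks can rewind it to the state that the trusted phase produced from the key. The `perm`/`perm_inv` permutation, the 64-bit (rate, capacity) layout, the all-zero IV and the sample key and message are all constructed for this example.

```python
# Toy model of midgame exposure in a sponge-based MAC (constructed example).
# The sponge state is a (rate, capacity) pair of 64-bit words; the key is
# absorbed first in the "trusted" phase, the public message afterwards.
MASK = (1 << 64) - 1

def rotl(x, n): return ((x << n) | (x >> (64 - n))) & MASK
def rotr(x, n): return ((x >> n) | (x << (64 - n))) & MASK

def perm(state):
    """Toy 3-round ARX permutation standing in for Keccak-f. Like the real
    permutation it is a bijection on the state, which is all that matters here."""
    r, c = state
    for k in (13, 29, 41):
        r = (r + c) & MASK
        c = rotl(c, k) ^ r
    return r, c

def perm_inv(state):
    """Exact inverse of perm: undo the rounds in reverse order."""
    r, c = state
    for k in (41, 29, 13):
        c = rotr(c ^ r, k)
        r = (r - c) & MASK
    return r, c

def absorb(state, block):
    """One sponge absorb step: XOR the block into the rate, then permute."""
    return perm((state[0] ^ block, state[1]))

def sponge_mac_states(key, blocks):
    """Run the keyed sponge and return every intermediate state plus the tag.
    states[0] is the state right after the key was absorbed (trusted phase);
    states[i] is the state after the i-th public message block (untrusted phase)."""
    states = [absorb((0, 0), key)]
    for b in blocks:
        states.append(absorb(states[-1], b))
    return states, states[-1][0]  # tag = rate part of the final state

def midgame_key_recovery(exposed_state, absorbed_blocks):
    """Midgame adversary: given the state observed after absorbed_blocks (the
    public message blocks processed so far), rewind to the key. No keyed
    material is needed: the permutation is invertible and the blocks are known."""
    s = exposed_state
    for b in reversed(absorbed_blocks):
        s = perm_inv(s)
        s = (s[0] ^ b, s[1])
    r, c = perm_inv(s)  # undo the key absorb from the all-zero IV
    return r if c == 0 else None  # capacity must match the IV, else inconsistent
```

The rewind has no analogue when the chaining step handed to the untrusted environment is one-way rather than a permutation, which is the property a midgame-resistant handoff needs.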
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Chang, D., Yung, M. (2023). Midgame Attacks and Defense Against Them. In: Dolev, S., Gudes, E., Paillier, P. (eds) Cyber Security, Cryptology, and Machine Learning. CSCML 2023. Lecture Notes in Computer Science, vol 13914. Springer, Cham. https://doi.org/10.1007/978-3-031-34671-2_33
DOI: https://doi.org/10.1007/978-3-031-34671-2_33
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-34670-5
Online ISBN: 978-3-031-34671-2