ABSTRACT
The security of digital communication relies on a few cryptographic protocols that are used to protect internet traffic, from web sessions to instant messaging. These protocols and the cryptographic primitives they rely on have been extensively studied and are considered secure. Yet, sophisticated attackers are often able to bypass rather than break security mechanisms. Kleptography, or algorithm substitution attacks (ASAs), describes techniques for placing backdoors right into cryptographic primitives. While highly relevant as a building block, we show that the real danger of ASAs lies in their use within cryptographic protocols. In fact, we show that highly desirable security properties of these protocols - forward secrecy and post-compromise security - imply the applicability of ASAs. We then analyze the application of ASAs in three widely used protocols: TLS, WireGuard, and Signal. We show that these protocols can be easily subverted by carefully placing ASAs. Our analysis shows that careful design of ASAs makes detection unlikely while leaking long-term secrets within a few messages in the case of TLS and WireGuard, allowing impersonation attacks. In contrast, Signal's double-ratchet protocol shows higher immunity to ASAs, as the leakage requires many more messages.
Index Terms
- ASAP: Algorithm Substitution Attacks on Cryptographic Protocols