Abstract
This work introduces Algorithm Substitution Attacks (ASAs) on message authentication schemes. In light of revelations concerning mass surveillance, ASAs were initially introduced by Bellare, Paterson and Rogaway as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. While most prior work focused on subverting encryption systems, we study options to subvert symmetric message authentication protocols. In particular we provide powerful generic attacks that apply e.g. to HMAC or Carter–Wegman based schemes, inducing only a negligible implementation overhead. As subverted authentication can act as an enabler for subverted encryption (software updates can be manipulated to include replacements of encryption routines), we consider attacks of the new class highly impactful and dangerous.
Highlights
Message authentication schemes are designed to provide a guarantee of integrity: that is, the assurance that a message really was sent by its purported sender
The reader is referred to the survey by Schneier et al [SFKR15], which provides a broad overview of subversion of cryptography, with some useful case studies detailing known subversion attempts
We examine the consequences of Algorithm Substitution Attacks (ASAs) to message authentication
Summary
Message authentication schemes are designed to provide a guarantee of integrity: that is, the assurance that a message really was sent by its purported sender. Keyed message authentication is a well-studied problem, and there exist many reliable and provably secure solutions (the most popular likely being HMAC). These solutions rely on the assumption that the software or hardware in which they are implemented behaves as expected. Was initiated in a line of work by Young and Yung that they named kleptography [YY96, YY97]. This area of study can be traced back to Simmons’ work on subliminal channels, e.g. The adversary’s goal in an ASA is to create a subverted implementation of a scheme that breaks some aspect of security (such as IND-CPA in the case of encryption) while remaining undetected by the user(s)
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
