Abstract

This work introduces Algorithm Substitution Attacks (ASAs) on message authentication schemes. In light of revelations concerning mass surveillance, ASAs were initially introduced by Bellare, Paterson and Rogaway as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. While most prior work focused on subverting encryption systems, we study options to subvert symmetric message authentication protocols. In particular we provide powerful generic attacks that apply e.g. to HMAC or Carter–Wegman based schemes, inducing only a negligible implementation overhead. As subverted authentication can act as an enabler for subverted encryption (software updates can be manipulated to include replacements of encryption routines), we consider attacks of the new class highly impactful and dangerous.

Highlights

  • Message authentication schemes are designed to provide a guarantee of integrity: that is, the assurance that a message really was sent by its purported sender

  • The reader is referred to the survey by Schneier et al. [SFKR15], which provides a broad overview of subversion of cryptography, with some useful case studies detailing known subversion attempts

  • We examine the consequences of Algorithm Substitution Attacks (ASAs) to message authentication

Summary

Introduction

Message authentication schemes are designed to provide a guarantee of integrity: that is, the assurance that a message really was sent by its purported sender. Keyed message authentication is a well-studied problem, and there exist many reliable and provably secure solutions (the most popular likely being HMAC). These solutions rely on the assumption that the software or hardware in which they are implemented behaves as expected. The study of subverted implementations was initiated in a line of work by Young and Yung that they named kleptography [YY96, YY97]. This area of study can be traced back to Simmons' work on subliminal channels. The adversary's goal in an ASA is to create a subverted implementation of a scheme that breaks some aspect of security (such as IND-CPA in the case of encryption) while remaining undetected by the user(s).

Our Work
Preceding work
Notation
Combinatorics
Message Authentication Schemes
Notions of Subversion against Message Authentication
Undetectable Subversion
Subversion Leading to Key Recovery
Passive Attack
Active Attack