ASAP: Algorithm Substitution Attacks on Cryptographic Protocols

The security of digital communication relies on few cryptographic protocols that are used to protect internet traffic, from web sessions to instant messaging. These protocols and the cryptographic primitives they rely on have been extensively studied and are considered secure.Yet, sophisticated attackers are often able to bypass rather than break security mechanisms. Kleptography or algorithm substitution attacks (ASA) describe techniques to place backdoors right into cryptographic primitives. While highly relevant as a building block, we show that the real danger of ASAs is their use in cryptographic protocols. In fact, we show that a highly desirable security property of these protocols—forward secrecy—implies the applicability of ASAs. We then analyze the application of ASAs in three widely used protocols: TLS, WireGuard, and Signal. We show that these protocols can be easily subverted by carefully placing ASAs. Our analysis shows that careful design of ASAs makes detection unlikely while leaking long-term secrets within a few messages in the case of TLS and WireGuard, allowing impersonation attacks. In contrast, Signal’s double-ratchet protocol shows high immunity to ASAs, as the leakage requires much more messages. But once Signal’s long-term key is leaked, the security of the Signal messenger is completely subverted by our attack due to unfortunate choices in the implementation of Signal’s multi-device support.

[1]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[2]  Marc Fischlin,et al.  Self-Guarding Cryptographic Protocols against Algorithm Substitution Attacks , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[3]  Kenneth G. Paterson,et al.  Security of Symmetric Encryption against Mass Surveillance , 2014, IACR Cryptol. ePrint Arch..

[4]  Don Coppersmith,et al.  Finding a Small Root of a Univariate Modular Equation , 1996, EUROCRYPT.

[5]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[6]  Pooya Farshim,et al.  A More Cautious Approach to Security Against Mass Surveillance , 2015, FSE.

[7]  Jean-Philippe Aumasson,et al.  The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC) , 2015, RFC.

[8]  Yevgeniy Dodis,et al.  A Formal Treatment of Backdoored Pseudorandom Generators , 2015, EUROCRYPT.

[9]  Ilya Mironov,et al.  Cryptographic Reverse Firewalls , 2015, EUROCRYPT.

[10]  Jason A. Donenfeld WireGuard: Next Generation Kernel Network Tunnel , 2017, NDSS.

[11]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[12]  Giuseppe Ateniese,et al.  Subversion-Resilient Signature Schemes , 2015, IACR Cryptol. ePrint Arch..

[13]  Tibor Jager,et al.  On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments , 2021, Journal of Cryptology.

[14]  Moti Yung,et al.  Cliptography: Clipping the Power of Kleptographic Attacks , 2016, ASIACRYPT.

[15]  Mihir Bellare,et al.  Mass-surveillance without the State: Strongly Undetectable Algorithm-Substitution Attacks , 2015, IACR Cryptol. ePrint Arch..

[16]  Tanja Lange,et al.  On the Practical Exploitability of Dual EC in TLS Implementations , 2014, USENIX Security Symposium.

[17]  Hugo Krawczyk,et al.  HMAC-based Extract-and-Expand Key Derivation Function (HKDF) , 2010, RFC.

[18]  Douglas Stebila,et al.  A Formal Security Analysis of the Signal Messaging Protocol , 2017, Journal of Cryptology.

[19]  Cas J. F. Cremers,et al.  On Post-compromise Security , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[20]  Moti Yung,et al.  The Dark Side of "Black-Box" Cryptography, or: Should We Trust Capstone? , 1996, CRYPTO.

[21]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[22]  Julien Devigne,et al.  Multi-Device for Signal , 2020, IACR Cryptol. ePrint Arch..

[23]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[24]  Moti Yung,et al.  Kleptography: Using Cryptography Against Cryptography , 1997, EUROCRYPT.

[25]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 Handshake Protocol , 2020 .

[26]  Nick Howgrave-Graham,et al.  Finding Small Roots of Univariate Modular Equations Revisited , 1997, IMACC.

[27]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[28]  Moti Yung,et al.  Subvert KEM to Break DEM: Practical Algorithm-Substitution Attacks on Public-Key Encryption , 2020, IACR Cryptol. ePrint Arch..

[29]  David A. McGrew,et al.  An Interface and Algorithms for Authenticated Encryption , 2008, RFC.

[30]  Adam Langley,et al.  Elliptic Curves for Security , 2016, RFC.

[31]  Maciej Liskiewicz,et al.  Algorithm Substitution Attacks from a Steganographic Perspective , 2017, CCS.