A Subliminal Channel in EdDSA: Information Leakage with High-Speed Signatures

Subliminal channels in digital signatures provide a very effective method to clandestinely leak information from inside a system to a third party outside. Information can be hidden in signature parameters in such a way that neither network operators nor legitimate receivers would notice any suspicious traces. Subliminal channels have previously been discovered in other signatures, such as ElGamal and ECDSA. Those signatures are usually exchanged only sparsely in network protocols, e.g. during authentication, and their usability for leaking information is therefore limited. With the advent of high-speed signatures such as EdDSA, however, scenarios become feasible where numerous packets with individual signatures are transferred between communicating parties. This significantly increases the bandwidth for transmitting subliminal information. Examples are broadcast clock synchronization or signed sensor data export. A subliminal channel in signatures appended to numerous packets allows the transmission of a large amount of hidden information, suitable for large-scale data exfiltration or even the operation of command and control structures. In this paper, we show the existence of a broadband subliminal channel in the EdDSA signature scheme. We then discuss the implications of the subliminal channel in practice using three different scenarios: broadcast clock synchronization, signed sensor data export, and classic TLS. We perform several experiments to show the use of the subliminal channel and measure the actual bandwidth of the subliminal information that can be leaked. We then discuss the applicability to EdDSA of different countermeasures against subliminal channels from other signature schemes, but conclude that none of the existing solutions can sufficiently protect against data exfiltration in network protocols secured by EdDSA.
