Partition Oracles from Weak Key Forgeries

Armour, Marcel; Cid, Carlos

doi:10.1007/978-3-030-92548-2_3

Cited by 1 publication

(3 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In practice, a subversion with negligible detection probability, say 2 −128 , should be considered undetectable. 2 As DFP note, decryption failures may happen for reasons other than a subverted encryption algorithm, and if they occur sporadically may easily go unnoticed. Thus, a subverted encryption scheme that exhibits decryption failure with a very low probability is a good candidate for a practical ASA that is hard to detect.…”

Section: Symmetric Encryptionmentioning

confidence: 99%

“…We emphasise that our results reach far beyond this: our subversion attacks are generic (rather than being focused on one specific MAC) and we do not require exotic technical conditions like randomised tag generation. 3…”

Section: Macsmentioning

confidence: 99%

“…Recent work on so-called partitioning oracles[2,3,46] relies on the ability to observe whether or not decryption succeeds and demonstrates that this is a realistic assumption in practice; for example, in the context of proxy servers, a "logical side-channel" is observable as a port is opened when a ciphertext is accepted (and otherwise not).…”

mentioning

confidence: 99%

See 2 more Smart Citations

Algorithm substitution attacks against receivers

Armour

Poettering

2022

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

This work describes a class of Algorithm Substitution Attack (ASA) generically targeting the receiver of a communication between two parties. Our work provides a unified framework that applies to any scheme where a secret key is held by the receiver; in particular, message authentication schemes (MACs), authenticated encryption (AEAD) and public key encryption (PKE). Our unified framework brings together prior work targeting MAC schemes (FSE’19) and AEAD schemes (IMACC’19); we extend prior work by showing that public key encryption may also be targeted. ASAs were initially introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance, as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. Previous work looking at ASAs against encryption schemes can be divided into two groups. ASAs against PKE schemes target key generation by creating subverted public keys that allow an adversary to recover the secret key. ASAs against symmetric encryption target the encryption algorithm and leak information through a subliminal channel in the ciphertexts. We present a new class of attack that targets the decryption algorithm of an encryption scheme for symmetric encryption and public key encryption, or the verification algorithm for an authentication scheme. We present a generic framework for subverting a cryptographic scheme between a sender and receiver, and show how a decryption oracle allows a subverter to create a subliminal channel which can be used to leak secret keys. We then show that the generic framework can be applied to authenticated encryption with associated data, message authentication schemes, public key encryption and KEM/DEM constructions. We consider practical considerations and specific conditions that apply for particular schemes, strengthening the generic approach. Furthermore, we show how the hybrid subversion of key generation and decryption algorithms can be used to amplify the effectiveness of our decryption attack. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.

show abstract

Section: Symmetric Encryptionmentioning

confidence: 99%

Section: Macsmentioning

confidence: 99%