Subverting Decryption in AEAD

Armour, Marcel; Poettering, Bertram

doi:10.1007/978-3-030-35199-1_2

Cited by 15 publications

(7 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bellare et al improved over the attacks in [BPR14], proposing stateless attacks [BJK15] against all randomized schemes. While previous attacks [BPR14,BJK15] targeted the encryption algorithm, Armour and Poettering proposed an attack [AP19b] by subverting the decryption algorithm. Hodges and Stebila explored the detectability of ASAs via state resetting [HS21].…”

Section: Subversion Attacksmentioning

confidence: 99%

Subverting Telegram’s End-to-End Encryption

Cogliati

Ethan²,

Jha³

2023

ToSC

View full text Add to dashboard Cite

Telegram is a popular secure messaging service with third biggest user base as of 2021. In this paper, we analyze the security of Telegram’s end-to-end encryption (E2EE) protocol in presence of mass-surveillance. Specifically, we show >that Telegram’s E2EE protocol is susceptible to fairly efficient algorithm substitution attacks. While official Telegram clients should be protected against this type of attack due their open-source nature and reproducible builds, this could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either on individuals through a targeted attack or massively through some compromised third-party clients. We provide an efficient algorithm substitution attack against MTProto2.0 — the underlying authenticated encryption scheme — that recovers significant amount of encryption key material with a very high probability with few queries and fairly low latency. This could potentially lead to a very efficient state sponsored surveillance of private communications over Telegram, either through a targeted attack or a compromised third-party app. Our attack exploits MTProto2.0’s degree of freedom in choosing the random padding length and padding value. Accordingly, we strongly recommend that Telegram should revise MTProto2.0’s padding methodology. In particular, we show that a minor change in the padding description of MTProto2.0 makes it subversion-resistant in most of the practical scenarios. As a side-effect, we generalize the underlying mode of operation in MTProto2.0, as MTProto-G, and show that this generalization is a multi-user secure deterministic authenticated encryption scheme.

show abstract

Section: Subversion Attacksmentioning

confidence: 99%

Subverting Telegram’s End-to-End Encryption

Cogliati

Ethan²,

Jha³

2023

ToSC

View full text Add to dashboard Cite

show abstract

“…We show that this class of ASA can be applied to symmetric settings (authenticated encryption, message authentication codes, and data encapsulation mechanisms), as well as asymmetric settings (public key encryption and key encapsulation mechanisms). Our work brings together previous work targeting AEAD schemes [5] and MAC schemes [4] in a common framework, expanded to incorporate public key encryption.…”

Section: Contributionsmentioning

confidence: 99%

“…For any cryptographic scheme, the most devastating attack goal for an attacker is key recovery (KR): Users generate keys using their key generation algorithm (k S , k R ) ← $ .gen i gen . 5 Generated secret keys are kept hidden, and the adversary aims at recovering these keys through the subversion. Note that in the symmetric case, k S = k R , whereas in the asymmetric case the receiver's key k R represents the private key.…”

Section: Subversion Leading To Key Recoverymentioning

confidence: 99%

Algorithm substitution attacks against receivers

Armour

Poettering

2022

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

This work describes a class of Algorithm Substitution Attack (ASA) generically targeting the receiver of a communication between two parties. Our work provides a unified framework that applies to any scheme where a secret key is held by the receiver; in particular, message authentication schemes (MACs), authenticated encryption (AEAD) and public key encryption (PKE). Our unified framework brings together prior work targeting MAC schemes (FSE’19) and AEAD schemes (IMACC’19); we extend prior work by showing that public key encryption may also be targeted. ASAs were initially introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance, as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. Previous work looking at ASAs against encryption schemes can be divided into two groups. ASAs against PKE schemes target key generation by creating subverted public keys that allow an adversary to recover the secret key. ASAs against symmetric encryption target the encryption algorithm and leak information through a subliminal channel in the ciphertexts. We present a new class of attack that targets the decryption algorithm of an encryption scheme for symmetric encryption and public key encryption, or the verification algorithm for an authentication scheme. We present a generic framework for subverting a cryptographic scheme between a sender and receiver, and show how a decryption oracle allows a subverter to create a subliminal channel which can be used to leak secret keys. We then show that the generic framework can be applied to authenticated encryption with associated data, message authentication schemes, public key encryption and KEM/DEM constructions. We consider practical considerations and specific conditions that apply for particular schemes, strengthening the generic approach. Furthermore, we show how the hybrid subversion of key generation and decryption algorithms can be used to amplify the effectiveness of our decryption attack. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.

show abstract

“…In fact, his disclosures refueled the research over this area. Some literature [1]- [3], [15], [16] focused on studying the ASA problem on symmetric encryption schemes. Russell, Tang, Yung, and Zhou [17] generalized ASAs by permitting adversarial subversion of (randomized) key generation.…”

Section: B Related Workmentioning

confidence: 99%

On the Security of Symmetric Encryption Against Mass Surveillance

Sun

2020

IEEE Access

View full text Add to dashboard Cite

For mass surveillance, the algorithm substitution attacks (ASAs) are serious security threats to the symmetric encryption schemes. At CRYPTO 2014, Bellare, Paterson, and Rogaway (BPR) formally developed the security notions of decryptability, undetectability, and surveillance and presented a unique ciphertext symmetric encryption scheme against all possible ASAs. At FSE 2015, Degabriele, Farshim, and Poettering (DFP) relaxed the correctness of decryptability and presented an input-triggered ASA, which meets the BPR security definitions but violates the security of the BPR unique ciphertext scheme. Hence, DFP refined the security notions of detectability and subversion resistance to remove their ASA from the BPR unique ciphertext scheme. At CCS 2015, Bellare, Jaeger, and Kane (BJK) also developed the security notion of key recovery to make the input-triggered ASA infeasible. We investigate ASAs on the symmetric encryption scheme. Our contribution is twofold. (1) We propose a new trigger ASA against the symmetric encryption scheme. Our proposed ASA cannot be captured by the BJK security definitions. Comparatively, the DFP security definitions can detect our proposed ASA. In the view of ASAs, this result demonstrates that the DFP security definitions are not identical to the BJK security definitions. (2) We improve the DFP definition of subversion resistance. DFP proved that the BPR unique ciphertext scheme defeats the input-triggered ASA under their subversion resistance definition. However, we show that the BPR unique ciphertext scheme fails to meet the DFP subversion resistance definition due to our proposed ASA. Therefore, an improved definition on subversion resistance is proposed to cover all existing trigger ASAs. We prove that the BPR unique ciphertext scheme is secure under our improved definition. Therefore, we believe that our improved definition is more suitable to evaluate the ASA security of the symmetric encryption scheme.

show abstract

Subverting Decryption in AEAD

Cited by 15 publications

References 27 publications

Subverting Telegram’s End-to-End Encryption

Subverting Telegram’s End-to-End Encryption

Algorithm substitution attacks against receivers

On the Security of Symmetric Encryption Against Mass Surveillance

Contact Info

Product

Resources

About