One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography

Tibor Jager, Kenneth G. Paterson, Juraj Somorovsky

In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2013


Abstract

Backwards compatibility attacks are based on the common practical scenario that a cryptographic standard offers a choice between several algorithms to perform the same cryptographic task. This often includes secure state-of-the-art cryptosystems, as well as insecure legacy cryptosystems with known vulnerabilities that are made available for backwards compatibility reasons.

Obviously, using insecure legacy cryptosystems is dangerous. However, we show the less obvious fact that even if users have the best of intentions to use only the most up-to-date, vulnerability-free version of a system, the mere existence of support for old versions can have a catastrophic effect on security.

We demonstrate the practical relevance of our results by describing attacks on current versions of important cryptographic Web standards: W3C XML Encryption and XML Signature, and JSON Web Encryption and Web Signature. We furthermore propose practical and effective countermeasures thwarting backwards compatibility attacks, which could be applied in new versions of these standards as well as in related specifications applying cryptographic primitives.
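The scenario the abstract describes, as an added, self-contained illustration that is not code from the paper or from any of the standards it analyses: a receiver supports two content-encryption algorithms under one shared key, a modern encrypt-then-MAC mode and a legacy unauthenticated CBC mode whose padding failures are observable. The attacker never targets the modern mode directly; they strip its tag, relabel the message with the legacy algorithm identifier, and run the classic CBC padding-oracle attack through the receiver's legacy code path. The block cipher (a 4-round HMAC-based Feistel network), the algorithm names `TOY-CBC` and `TOY-CBC-HMAC`, the message format (a dict with `alg` and `ct`) and the assumption that both algorithms share one key are all constructed for this example; the attack shown is the generic padding-oracle attack, not the paper's specific attacks on JWE or XML Encryption. The hardened receiver binds the algorithm to the key rather than reading it from the message, which is one practical way of removing the legacy path from reach; it is shown here as an illustration of the kind of countermeasure meant, not as the paper's exact proposal.

```python
import hashlib
import hmac
import os

BLOCK = 16   # block size of the toy cipher
TAG = 16     # length of the truncated HMAC tag on the authenticated path

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def prf(key, data, n): return hmac.new(key, data, hashlib.sha256).digest()[:n]

# Toy 4-round Feistel block cipher on top of HMAC: an illustration, not a real cipher.
# The final half-swap makes decryption the same routine with the round order reversed.
def feistel(key, block, rounds):
    left, right = block[:8], block[8:]
    for i in rounds:
        left, right = right, xor(left, prf(key, bytes([i]) + right, 8))
    return right + left
def block_encrypt(key, block): return feistel(key, block, range(4))
def block_decrypt(key, block): return feistel(key, block, reversed(range(4)))

class PaddingError(Exception): pass   # legacy path: malformed padding is observable (the oracle)
class AuthError(Exception): pass      # the single failure the hardened paths ever surface

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]

def cbc_encrypt(key, pt):
    data, out = pad(pt), [os.urandom(BLOCK)]          # out[0] is the IV
    for i in range(0, len(data), BLOCK):
        out.append(block_encrypt(key, xor(data[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):   # legacy algorithm: unauthenticated CBC, padding errors leak
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def aead_encrypt(key, pt):  # modern algorithm: the same CBC under the same key, encrypt-then-MAC
    ct = cbc_encrypt(key, pt)
    return ct + prf(key, b"tag" + ct, TAG)

def aead_decrypt(key, msg):
    ct, tag = msg[:-TAG], msg[-TAG:]
    if not hmac.compare_digest(tag, prf(key, b"tag" + ct, TAG)):
        raise AuthError("bad tag")                     # checked before anything is decrypted
    return cbc_decrypt(key, ct)                        # a verified tag implies honest padding

ALGS = {"TOY-CBC": cbc_decrypt, "TOY-CBC-HMAC": aead_decrypt}

def receive_permissive(key, msg):
    """Vulnerable: the message's own 'alg' header picks the algorithm, so the legacy path gets the key."""
    return ALGS[msg["alg"]](key, msg["ct"])

def receive_pinned(key, key_alg, msg):
    """Hardened: the algorithm is a property of the key; any other header is refused."""
    if msg["alg"] != key_alg:
        raise AuthError("alg %r not permitted for this key" % msg["alg"])
    return ALGS[key_alg](key, msg["ct"])

def recover_intermediate(oracle, target):
    """Classic padding-oracle recovery of D_k(target); None if the oracle never says yes."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        for guess in range(256):
            prev = bytearray(inter[j] ^ padv if j > pos else guess if j == pos else 0 for j in range(BLOCK))
            if not oracle(bytes(prev) + target):
                continue
            if pos == BLOCK - 1:                       # rule out an accidentally longer valid padding
                prev[pos - 1] ^= 0xFF
                if not oracle(bytes(prev) + target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            return None
    return bytes(inter)

def backwards_compatibility_attack(receive, msg):
    """Strip the tag, relabel as the legacy algorithm, decrypt via the padding check; None = no oracle."""
    def oracle(probe):
        try:
            receive({"alg": "TOY-CBC", "ct": probe})
            return True
        except (PaddingError, AuthError):
            return False
    blocks = [msg["ct"][i:i + BLOCK] for i in range(0, len(msg["ct"]) - TAG, BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = recover_intermediate(oracle, target)
        if inter is None:
            return None
        plain += xor(inter, prev)
    return unpad(plain)
```

Against `receive_permissive`, `backwards_compatibility_attack` recovers the full plaintext of a `TOY-CBC-HMAC` message without ever sending a validly tagged probe: every query is answered by the legacy path. Against `receive_pinned(key, "TOY-CBC-HMAC", ...)` the relabelled probes are refused before any decryption, the oracle is uniformly negative and the attack returns `None`. The point is that `aead_decrypt` itself is never at fault; it is the continued reachability of `cbc_decrypt` under the same key that breaks the modern mode.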

The distributed document has been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

Some ideas of this paper were used as a basis for our Dobbertin CryptoChallenge: http://cryptochallenge.nds.rub.de:50080/

You can also run this challenge on your own machine and practice offline. The sources are included below.

[CryptoChallenge] [paper]

Tags: backwards compatibility, JSON Web Encryption, Padding Oracle Attacks, Web Services, XML Encryption