Subversion in Practice: How to Efficiently Undermine Signatures
Algorithm substitution attack (ASA) on signatures can have severe consequences as the authentication services of numerous systems and applications rely on signature schemes. In this paper, we present a highly efficient ASA on the widely-used digital signature algorithm (DSA). Compared with the gener...
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2019-01-01
|
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/8721046/ |
| _version_ | 1818347922378457088 |
|---|---|
| author | Joonsang Baek Willy Susilo Jongkil Kim Yang-Wai Chow |
| author_facet | Joonsang Baek Willy Susilo Jongkil Kim Yang-Wai Chow |
| author_sort | Joonsang Baek |
| collection | DOAJ |
| description | Algorithm substitution attack (ASA) on signatures can have severe consequences as the authentication services of numerous systems and applications rely on signature schemes. In this paper, we present a highly efficient ASA on the widely-used digital signature algorithm (DSA). Compared with the generic ASAs on signature schemes proposed in the literature, our attack provides fast and undetectable subversion, which can extract the user's private signing key by collecting the maximum three signatures arbitrarily. Moreover, our ASA is proven to be robust against state reset. We implemented the proposed ASA by replacing the original DSA in Libgcrypt (a popular cryptographic library used in many applications) with our subverted DSA. Our experiment shows that the user's private key can readily be recovered once the subverted DSA is used to sign messages. In our implementation, various measures have been considered to significantly reduce the possibility of detection through comparing the running time of the original DSA and the subverted one (i.e. timing analysis). To our knowledge, this is the first implementation of the ASA in practice, which shows that the ASA is a real threat rather than only theoretical speculation. |
| first_indexed | 2024-12-13T17:41:51Z |
| format | Article |
| id | doaj.art-6cf18de99f0c42858f6d567e5a075e90 |
| institution | Directory Open Access Journal |
| issn | 2169-3536 |
| language | English |
| last_indexed | 2024-12-13T17:41:51Z |
| publishDate | 2019-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj.art-6cf18de99f0c42858f6d567e5a075e902022-12-21T23:36:43ZengIEEEIEEE Access2169-35362019-01-017687996881110.1109/ACCESS.2019.29185508721046Subversion in Practice: How to Efficiently Undermine SignaturesJoonsang Baek0https://orcid.org/0000-0003-2613-2127Willy Susilo1https://orcid.org/0000-0002-1562-5105Jongkil Kim2Yang-Wai Chow3Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, AustraliaInstitute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, AustraliaInstitute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, AustraliaInstitute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, AustraliaAlgorithm substitution attack (ASA) on signatures can have severe consequences as the authentication services of numerous systems and applications rely on signature schemes. In this paper, we present a highly efficient ASA on the widely-used digital signature algorithm (DSA). Compared with the generic ASAs on signature schemes proposed in the literature, our attack provides fast and undetectable subversion, which can extract the user's private signing key by collecting the maximum three signatures arbitrarily. Moreover, our ASA is proven to be robust against state reset. We implemented the proposed ASA by replacing the original DSA in Libgcrypt (a popular cryptographic library used in many applications) with our subverted DSA. Our experiment shows that the user's private key can readily be recovered once the subverted DSA is used to sign messages. In our implementation, various measures have been considered to significantly reduce the possibility of detection through comparing the running time of the original DSA and the subverted one (i.e. timing analysis). To our knowledge, this is the first implementation of the ASA in practice, which shows that the ASA is a real threat rather than only theoretical speculation.https://ieeexplore.ieee.org/document/8721046/Mass surveillancedigital signaturecryptographic librarysoftware security |
| spellingShingle | Joonsang Baek Willy Susilo Jongkil Kim Yang-Wai Chow Subversion in Practice: How to Efficiently Undermine Signatures IEEE Access Mass surveillance digital signature cryptographic library software security |
| title | Subversion in Practice: How to Efficiently Undermine Signatures |
| title_full | Subversion in Practice: How to Efficiently Undermine Signatures |
| title_fullStr | Subversion in Practice: How to Efficiently Undermine Signatures |
| title_full_unstemmed | Subversion in Practice: How to Efficiently Undermine Signatures |
| title_short | Subversion in Practice: How to Efficiently Undermine Signatures |
| title_sort | subversion in practice how to efficiently undermine signatures |
| topic | Mass surveillance digital signature cryptographic library software security |
| url | https://ieeexplore.ieee.org/document/8721046/ |
| work_keys_str_mv | AT joonsangbaek subversioninpracticehowtoefficientlyunderminesignatures AT willysusilo subversioninpracticehowtoefficientlyunderminesignatures AT jongkilkim subversioninpracticehowtoefficientlyunderminesignatures AT yangwaichow subversioninpracticehowtoefficientlyunderminesignatures |