How to Abuse and Fix Authenticated Encryption Without Key Commitment

Ange Albertini; Thai Duong; Shay Gueron; Stefan Kölbl; Atul Luykx; Sophie Schmieg

How to Abuse and Fix Authenticated Encryption Without Key Commitment

Ange Albertini, Thai Duong, Shay Gueron, Stefan Kölbl, Atul Luykx, Sophie Schmieg

School Of Business Administration

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Authenticated encryption (AE) is used in a wide variety of applications, potentially in settings for which it was not originally designed. Recent research tries to understand what happens when AE is not used as prescribed by its designers. A question given relatively little attention is whether an AE scheme guarantees “key commitment”: ciphertext should only decrypt to a valid plaintext under the key used to generate the ciphertext. Generally, AE schemes do not guarantee key commitment as it is not part of AE's design goal. Nevertheless, one would not expect this seemingly obscure property to have much impact on the security of actual products. In reality, however, products do rely on key commitment. We discuss three recent applications where missing key commitment is exploitable in practice. We provide proof-of-concept attacks via a tool that constructs AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM. Finally we discuss two solutions to add key commitment to AE schemes which have not been analyzed in the literature: a generic approach that adds an explicit key commitment scheme to the AE scheme, and a simple fix which works for AE schemes like AES-GCM and ChaCha20Poly1305, but requires separate analysis for each scheme.

Original language	English
Title of host publication	Proceedings of the 31st USENIX Security Symposium, Security 2022
Publisher	USENIX Association
Pages	3291-3308
Number of pages	18
ISBN (Electronic)	9781939133311
State	Published - 2022
Event	31st USENIX Security Symposium, Security 2022 - Boston, United States Duration: 10 Aug 2022 → 12 Aug 2022

Publication series

Name	Proceedings of the 31st USENIX Security Symposium, Security 2022

Conference

Conference	31st USENIX Security Symposium, Security 2022
Country/Territory	United States
City	Boston
Period	10/08/22 → 12/08/22

Bibliographical note

Funding Information:
The authors would like to thank Daniel Bleichenbacher for highlighting the impact of binary polyglots, Jean-Philippe Aumasson, Maria Eichlseder and Marc Stevens for helping with crypto-polyglots, Joseph Jaeger and Stefano Tessaro for pointing out an oversight in the key commitment definition, and Peter Valchev and Christoph Kern for their helpful feedback. This research was partly supported by: NSF-BSF Grant 2018640; The Israel Science Foundation (grant No. 3380/19); The BIU Center for Research in Applied Cryptography and Cyber Security, and the Center for Cyber Law and Policy at the University of Haifa, both in conjunction with the Israel National Cyber Bureau in the Prime Minister's Office.

Publisher Copyright:
© USENIX Security Symposium, Security 2022.All rights reserved.

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Cite this

@inproceedings{fba1462bdd4644819736dc1154db3753,

title = "How to Abuse and Fix Authenticated Encryption Without Key Commitment",

abstract = "Authenticated encryption (AE) is used in a wide variety of applications, potentially in settings for which it was not originally designed. Recent research tries to understand what happens when AE is not used as prescribed by its designers. A question given relatively little attention is whether an AE scheme guarantees “key commitment”: ciphertext should only decrypt to a valid plaintext under the key used to generate the ciphertext. Generally, AE schemes do not guarantee key commitment as it is not part of AE's design goal. Nevertheless, one would not expect this seemingly obscure property to have much impact on the security of actual products. In reality, however, products do rely on key commitment. We discuss three recent applications where missing key commitment is exploitable in practice. We provide proof-of-concept attacks via a tool that constructs AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM. Finally we discuss two solutions to add key commitment to AE schemes which have not been analyzed in the literature: a generic approach that adds an explicit key commitment scheme to the AE scheme, and a simple fix which works for AE schemes like AES-GCM and ChaCha20Poly1305, but requires separate analysis for each scheme.",

author = "Ange Albertini and Thai Duong and Shay Gueron and Stefan K{\"o}lbl and Atul Luykx and Sophie Schmieg",

note = "Funding Information: The authors would like to thank Daniel Bleichenbacher for highlighting the impact of binary polyglots, Jean-Philippe Aumasson, Maria Eichlseder and Marc Stevens for helping with crypto-polyglots, Joseph Jaeger and Stefano Tessaro for pointing out an oversight in the key commitment definition, and Peter Valchev and Christoph Kern for their helpful feedback. This research was partly supported by: NSF-BSF Grant 2018640; The Israel Science Foundation (grant No. 3380/19); The BIU Center for Research in Applied Cryptography and Cyber Security, and the Center for Cyber Law and Policy at the University of Haifa, both in conjunction with the Israel National Cyber Bureau in the Prime Minister's Office. Publisher Copyright: {\textcopyright} USENIX Security Symposium, Security 2022.All rights reserved.; 31st USENIX Security Symposium, Security 2022 ; Conference date: 10-08-2022 Through 12-08-2022",

year = "2022",

language = "English",

series = "Proceedings of the 31st USENIX Security Symposium, Security 2022",

publisher = "USENIX Association",

pages = "3291--3308",

booktitle = "Proceedings of the 31st USENIX Security Symposium, Security 2022",

}

Albertini, A, Duong, T, Gueron, S, Kölbl, S, Luykx, A & Schmieg, S 2022, How to Abuse and Fix Authenticated Encryption Without Key Commitment. in Proceedings of the 31st USENIX Security Symposium, Security 2022. Proceedings of the 31st USENIX Security Symposium, Security 2022, USENIX Association, pp. 3291-3308, 31st USENIX Security Symposium, Security 2022, Boston, United States, 10/08/22.

How to Abuse and Fix Authenticated Encryption Without Key Commitment. / Albertini, Ange; Duong, Thai; Gueron, Shay et al.

Proceedings of the 31st USENIX Security Symposium, Security 2022. USENIX Association, 2022. p. 3291-3308 (Proceedings of the 31st USENIX Security Symposium, Security 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - How to Abuse and Fix Authenticated Encryption Without Key Commitment

AU - Albertini, Ange

AU - Duong, Thai

AU - Gueron, Shay

AU - Kölbl, Stefan

AU - Luykx, Atul

AU - Schmieg, Sophie

N1 - Funding Information: The authors would like to thank Daniel Bleichenbacher for highlighting the impact of binary polyglots, Jean-Philippe Aumasson, Maria Eichlseder and Marc Stevens for helping with crypto-polyglots, Joseph Jaeger and Stefano Tessaro for pointing out an oversight in the key commitment definition, and Peter Valchev and Christoph Kern for their helpful feedback. This research was partly supported by: NSF-BSF Grant 2018640; The Israel Science Foundation (grant No. 3380/19); The BIU Center for Research in Applied Cryptography and Cyber Security, and the Center for Cyber Law and Policy at the University of Haifa, both in conjunction with the Israel National Cyber Bureau in the Prime Minister's Office. Publisher Copyright: © USENIX Security Symposium, Security 2022.All rights reserved.

PY - 2022

Y1 - 2022

N2 - Authenticated encryption (AE) is used in a wide variety of applications, potentially in settings for which it was not originally designed. Recent research tries to understand what happens when AE is not used as prescribed by its designers. A question given relatively little attention is whether an AE scheme guarantees “key commitment”: ciphertext should only decrypt to a valid plaintext under the key used to generate the ciphertext. Generally, AE schemes do not guarantee key commitment as it is not part of AE's design goal. Nevertheless, one would not expect this seemingly obscure property to have much impact on the security of actual products. In reality, however, products do rely on key commitment. We discuss three recent applications where missing key commitment is exploitable in practice. We provide proof-of-concept attacks via a tool that constructs AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM. Finally we discuss two solutions to add key commitment to AE schemes which have not been analyzed in the literature: a generic approach that adds an explicit key commitment scheme to the AE scheme, and a simple fix which works for AE schemes like AES-GCM and ChaCha20Poly1305, but requires separate analysis for each scheme.

AB - Authenticated encryption (AE) is used in a wide variety of applications, potentially in settings for which it was not originally designed. Recent research tries to understand what happens when AE is not used as prescribed by its designers. A question given relatively little attention is whether an AE scheme guarantees “key commitment”: ciphertext should only decrypt to a valid plaintext under the key used to generate the ciphertext. Generally, AE schemes do not guarantee key commitment as it is not part of AE's design goal. Nevertheless, one would not expect this seemingly obscure property to have much impact on the security of actual products. In reality, however, products do rely on key commitment. We discuss three recent applications where missing key commitment is exploitable in practice. We provide proof-of-concept attacks via a tool that constructs AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM. Finally we discuss two solutions to add key commitment to AE schemes which have not been analyzed in the literature: a generic approach that adds an explicit key commitment scheme to the AE scheme, and a simple fix which works for AE schemes like AES-GCM and ChaCha20Poly1305, but requires separate analysis for each scheme.

UR - http://www.scopus.com/inward/record.url?scp=85132111085&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85132111085

T3 - Proceedings of the 31st USENIX Security Symposium, Security 2022

SP - 3291

EP - 3308

BT - Proceedings of the 31st USENIX Security Symposium, Security 2022

PB - USENIX Association

T2 - 31st USENIX Security Symposium, Security 2022

Y2 - 10 August 2022 through 12 August 2022

ER -

How to Abuse and Fix Authenticated Encryption Without Key Commitment

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this