A Subliminal Channel in EdDSA: Information Leakage with High-Speed Signatures
Hartl, Alexander and Annessi, Robert and
Zseby, Tanja
9th ACM CCS International Workshop on Managing Insider Security Threats (MIST), 2017, (acceptance rate: 39%)
Subliminal channels in digital signatures provide a very effective method to clandestinely leak information from inside a system to a third party outside. Information can be hidden in signature parameters in a way that both, network operators and legitimate receivers, would not notice any suspicious traces.
Subliminal channels have previously been discovered in other signatures, such as ElGamal and ECDSA. Those signatures are usually just sparsely exchanged in network protocols, e.g. during authentication. Therefore the usability for leaking information is limited and the existence of the subliminal channel may be tolerable in some scenarios. However, with the advent of high-speed signatures, such as EdDSA, now scenarios become feasible where numerous packets with individual signatures are transferred between communicating parties. This significantly increases the bandwidth for transmitting subliminal information. Examples are broadcast clock synchronization or signed sensor data export. A subliminal channel in signatures appended to a large number of packets allows the transmission of a high amount of hidden information, suitable for large scale data exfiltration or even the operation of command and control structures.
In this paper, we show the existence of a broadband subliminal channel in the EdDSA signature scheme. We then discuss the implications of the subliminal channel in practice using thee different scenarios: broadcast clock synchronization, signed sensor data export and classical TLS. We perform several experiments to show the use of the subliminal channel and measure the actual bandwidth of the subliminal information that can be leaked. We then discuss the applicability of different countermeasures against subliminal channels from other signature schemes to EdDSA but conclude that none of the existing solutions can sufficiently protect against data exfiltration in network protocols that are secured by EdDSA.
@inproceedings{SubliminalEdDSA2017,
author = {Alexander Hartl and Robert Annessi and Tanja Zseby},
title = {A Subliminal Channel in EdDSA: Information Leakage with High-Speed Signatures},
booktitle = {Proceedings of the 2017 International Workshop on Managing Insider Security Threats},
series = {MIST '17},
year = {2017},
isbn = {978-1-4503-5177-5},
location = {Dallas, Texas, USA},
pages = {67--78},
numpages = {12},
doi = {10.1145/3139923.3139925},
acmid = {3139925},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {censorship circumvention, cyber-physical systems, data exfiltration, digital signatures, ed25519, eddsa, information hiding, information leakage, network protocols, network security, subliminal channels},
}