Victory by KO: Attacking OpenPGP Using Key Overwriting
OPEN ACCESS
Date
2022-11-07
Publication Type
Conference Paper
ETH Bibliography
yes
Abstract
We present a set of attacks on the OpenPGP specification and implementations of it which result in full recovery of users’ private keys. The attacks exploit the lack of cryptographic binding between the different fields inside an encrypted private key packet, which include the key algorithm identifier, the cleartext public parameters, and the encrypted private parameters. This allows an attacker who can overwrite certain fields in OpenPGP key packets to perform cross-algorithm attacks, causing a user’s software to, for example, misinterpret an ECC private key as being a DSA key. It also allows an attacker to replace the legitimate public parameters with adversarially chosen ones, e.g. allowing them to select the DSA group. We refer to this class of attacks as Key Overwriting (KO) attacks. We provide a detailed analysis of the vulnerability of different OpenPGP libraries to KO attacks, showing in particular that in some cases additional key validation steps performed by libraries that should prevent the attacks in fact allow variant attacks. We also assess the applicability of KO attacks in the context of specific OpenPGP-based applications that reflect different threat models. Finally, we explain how KO attacks can be completely prevented (and the need for key validation obsoleted) at the OpenPGP specification level by expanding the existing proposal of using AEAD schemes for key packet protection to have all the security-relevant public fields included as Associated Data.
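The following is an added toy model, not code from the paper or from any OpenPGP implementation, of the binding gap the abstract describes and of the proposed fix. It models a simplified secret-key packet whose cleartext fields are the version, the algorithm ID and the public MPIs, with the private MPI encrypted. The legacy protection mirrors the structure of OpenPGP's S2K usage 254 (a SHA-1 checksum that covers only the private material), and the fixed variant is an encrypt-then-MAC AEAD that takes the cleartext fields as Associated Data. AES-CFB and AES-OCB/EAX are replaced by HMAC-SHA256 constructions so the script runs with the standard library only; the MPI layout, the passphrase, the nonce, the secret scalar and the attacker's DSA parameters are all constructed for the example. Overwriting the algorithm ID from ECDSA (19) to DSA (17) and swapping the public MPIs passes the legacy check and hands back the ECDSA scalar as a DSA private key, while the AEAD variant rejects the packet.

```python
"""Added toy model of OpenPGP secret-key packet protection (not the paper's or
any library's code).  Shows that a checksum over the private fields alone does
not bind the cleartext algorithm ID and public MPIs, whereas AEAD with those
fields as Associated Data detects any overwrite of them."""
import hashlib
import hmac
import struct

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1, RFC 6637)
DSA, ECDSA = 17, 19


def mpi(x: int) -> bytes:
    """Length-prefixed big-endian integer (a simplified OpenPGP MPI)."""
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return struct.pack(">H", len(body)) + body


def unmpi(buf: bytes) -> list:
    """Split a run of simplified MPIs back into integers."""
    out, i = [], 0
    while i < len(buf):
        n = struct.unpack(">H", buf[i:i + 2])[0]
        out.append(int.from_bytes(buf[i + 2:i + 2 + n], "big"))
        i += 2 + n
    return out


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for AES-CFB.
    Like CFB it provides confidentiality only, no integrity."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect_legacy(key, algo, public, private, nonce):
    """Models S2K usage 254: the SHA-1 checksum covers only the private MPI;
    the algorithm ID and public MPIs stay in cleartext and unauthenticated."""
    pt = mpi(private) + hashlib.sha1(mpi(private)).digest()
    return {"version": 4, "algo": algo, "public": public,
            "nonce": nonce, "enc": xor(pt, keystream(key, nonce, len(pt)))}


def unlock_legacy(key, pkt):
    pt = xor(pkt["enc"], keystream(key, pkt["nonce"], len(pkt["enc"])))
    body, digest = pt[:-20], pt[-20:]
    if not hmac.compare_digest(hashlib.sha1(body).digest(), digest):
        raise ValueError("checksum mismatch")
    # Nothing above looked at pkt["algo"] or pkt["public"]: they are trusted as found.
    return pkt["algo"], unmpi(pkt["public"]), unmpi(body)[0]


def protect_aead(key, algo, public, private, nonce):
    """Encrypt-then-MAC with version, algorithm ID and public MPIs as Associated
    Data (the abstract's proposed fix); a stand-in for AES-OCB/EAX."""
    ad = bytes([4, algo]) + public
    ct = xor(mpi(private), keystream(key, nonce, len(mpi(private))))
    tag = hmac.new(key, ad + nonce + ct, hashlib.sha256).digest()
    return {"version": 4, "algo": algo, "public": public,
            "nonce": nonce, "enc": ct + tag}


def unlock_aead(key, pkt):
    ct, tag = pkt["enc"][:-32], pkt["enc"][-32:]
    ad = bytes([pkt["version"], pkt["algo"]]) + pkt["public"]
    expected = hmac.new(key, ad + pkt["nonce"] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: cleartext fields were modified")
    private = unmpi(xor(ct, keystream(key, pkt["nonce"], len(ct))))[0]
    return pkt["algo"], unmpi(pkt["public"]), private


def key_overwrite(pkt, new_algo, new_public):
    """The attacker's move: only cleartext bytes are touched, never the ciphertext."""
    return {**pkt, "algo": new_algo, "public": new_public}


def demo():
    """Run the overwrite against both formats; returns per-format outcomes."""
    key = hashlib.sha256(b"passphrase").digest()   # constructed; S2K would derive this
    nonce = bytes(range(16))                        # constructed IV
    # Constructed 256-bit ECDSA secret scalar; the public MPI is a placeholder.
    d = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
    ecdsa_public = mpi(1)
    # Attacker-chosen DSA (p, q, g, y), deliberately tiny and constructed.
    dsa_public = mpi(23) + mpi(11) + mpi(4) + mpi(9)

    results = {}
    for name, protect, unlock in (("legacy", protect_legacy, unlock_legacy),
                                  ("aead", protect_aead, unlock_aead)):
        pkt = protect(key, ECDSA, ecdsa_public, d, nonce)
        assert unlock(key, pkt) == (ECDSA, [1], d)        # honest path works
        tampered = key_overwrite(pkt, DSA, dsa_public)
        try:
            algo, public, private = unlock(key, tampered)
            results[name] = ("accepted", algo, public, private == d)
        except ValueError as err:
            results[name] = ("rejected", str(err))
    return results


if __name__ == "__main__":
    for fmt, outcome in demo().items():
        print(f"{fmt:7s}: {outcome}")
```

The legacy result is the cross-algorithm confusion from the abstract in miniature: the software decrypts cleanly, reports algorithm 17 (DSA) with the attacker's group, and would go on to sign with the ECDSA scalar as the DSA private exponent. The AEAD result shows why the abstract says key validation becomes unnecessary under the fix: an overwritten algorithm ID or public MPI changes the Associated Data, so the tag check fails before any key material is handed to the caller.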
Publication status
published
Book title
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Pages / Article No.
411 - 423
Publisher
Association for Computing Machinery
Event
29th ACM Conference on Computer and Communications Security (CCS 2022)
Organisational unit
09653 - Paterson, Kenneth / Paterson, Kenneth
Notes
Conference lecture held on November 10, 2022