Subliminal Channels in High-Speed
Signatures Alexander Hartl,
Robert Annessi, and Tanja Zseby+ TU Wien, Vienna,
Austria alexander.hartl@student.tuwien.ac.at robert.annessi@nt.tuwien.ac.at tanja.zseby@tuwien.ac.at Abstract Subliminal channels in digital signatures can be used
to secretly transmit information between two or more communication partners.
If subliminal messages are embedded in standard signatures in network
protocols, neither network operators nor legitimate receivers notice any
suspicious activity. Subliminal channels already exist in older signatures,
such as ElGamal and ECDSA. Nevertheless, in
classical network protocols such signatures are used only sparsely, e.g.,
during authentication in the protocol setup. Therefore, the overall potential
subliminal bandwidth and their usability as carrier for hidden messages or
information leakage is limited. However, with the advent of high-speed
signatures such as EdDSA and MQ-based signatures
such as PFlash or MQQ-SIG, scenarios such as signed
broadcast clock synchronization or signed sensor data export become feasible.
In those scenarios large sequences of packets are each individually signed
and then transferred over the network. This increases the available bandwidth
for transmitting subliminal information significantly and makes subliminal
channels usable for large scale data exfiltration or even the operation of
command and control structures. In this paper, we show the existence of
subliminal channels in recent high-speed signatures and discuss the
implications of the ability to hide information in a multitude of packets in
different example scenarios: broadcast clock synchronization, signed sensor
data export, and classical TLS. In a previous paper we already presented
subliminal channels in the EdDSA signature scheme.
We here extend this work by investigating subliminal channels in MQ
signatures. We present specific results for existing MQ signatures but also
show that whole classes of MQ-based methods for constructing signature
schemes are prone to the existence of subliminal channels. We then discuss
the applicability of different countermeasures against subliminal channels
but conclude that none of the existing solutions can sufficiently protect
against data exfiltration in network protocols secured by EdDSA
or MQ signatures. Keywords: Information leakage, Insider threats, Subliminal channel, EdDSA. +: Corresponding author: Tanja Zseby,
Gusshausstraße 25 / E389, 1040
Wien, Austria, Tel: +43-(1)-58801-38910 Journal
of Wireless Mobile Networks, Ubiquitous Computing, and Dependable
Applications (JoWUA) Vol. 9, No. 1, pp. 30-53, March 2018 [pdf] |