3

Bruce Schneier's blog drew my attention to algorithm substitution attacks which may leak symmetric keys through IV or padding or other covert channels, encrypted with escrow keys. The major premise is that cryptolibraries (or HSMs, or encryption chips) have been subverted by a "benevolent government agency".

Does this threat warrant extra review of software used in production, including libraries such as OpenSSL/BouncyCastle etc.?

Can we ensure that there are no covert channels in IV or padding by looking at the code?

Cryptology ePrint Archive: Report 2014/438. Security of Symmetric Encryption against Mass Surveillance. Mihir Bellare, Kenneth Paterson and Phillip Rogaway. June 21, 2014.

Deer Hunter

1 Answer

3

Yes, we need to take these issues seriously. In fairness, cryptographers have long been aware of such issues, and many protocols and ciphers are designed to at least reduce the scope for covert channels.

In different contexts the substituted algorithm will be more or less apparent:

  • In the source code the data leakage would be fairly obvious. Usually a field that should be totally random would be leaking key data. I've not done a review of any library myself, but I think it unlikely such code would sit in the official repository.

  • In compiled code the data leakage is still fairly obvious, but it takes an auditor with more tools and skills to find it. I doubt such code would be in the official version of a binary library (such as Microsoft's SSL) as there's too much chance of getting caught. But it is a way to back-door particular installations, and I expect this happens.

  • In a black-box setting (such as a smart card or TPM) it is virtually impossible to spot the data leakage.

I do think the paper has a good idea: remove all randomness from crypto protocols, and make everything deterministic and stateful. How important is this? Well, considering most desktop operating systems are at massive risk from malware, it's not the number 1 priority.

paj28
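The deterministic, stateful design mentioned in the answer can be audited by known-answer comparison, shown here as an added example that is not part of the original answer or of the cited paper. It assumes a test harness that knows the key and message counter; the HMAC-based keystream is a stand-in for a real cipher, and all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _keystream(key: bytes, counter: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an illustrative stand-in, not a vetted cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def reference_encrypt(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Deterministic, stateful encryption: the 8-byte nonce field is the
    message counter, so each (key, counter, plaintext) has one valid output."""
    ks = _keystream(key, counter, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    return struct.pack(">Q", counter) + body

def audit(key: bytes, plaintexts: list, outputs: list) -> list:
    """Return indices where the implementation under test deviates from the
    unique ciphertext an independent reference produces."""
    bad = []
    for i, (pt, ct) in enumerate(zip(plaintexts, outputs)):
        if not hmac.compare_digest(reference_encrypt(key, i, pt), ct):
            bad.append(i)
    return bad

# Constructed sample data (hypothetical key and messages).
KEY = bytes(range(32))
MESSAGES = [b"first message", b"second message", b"third message"]
HONEST = [reference_encrypt(KEY, i, m) for i, m in enumerate(MESSAGES)]

# Constructed deviation: message 1 carries arbitrary bytes in the nonce field
# instead of the counter. With a random IV this field would be unauditable;
# with a counter, any free choice of bytes is visible to the auditor.
DEVIANT = list(HONEST)
DEVIANT[1] = bytes.fromhex("5ad1c0de7e570001") + HONEST[1][8:]

if __name__ == "__main__":
    print("honest output, deviations:", audit(KEY, MESSAGES, HONEST))
    print("deviant output, deviations:", audit(KEY, MESSAGES, DEVIANT))
```

The same comparison cannot be made against a randomized scheme, because the auditor has no expected value for the IV field.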