Caching Attack on NaCL's crypto_box function

NaCL cryptographic library is currently growing in use as more engineers and cryptographers are painfully aware of the downsides of SSL/TLS and the libraries supporting the SSL/TLS protocol. The NaCL library has been from the start designed to be an easy to use cryptographic library with no insecure options.

Despite the friendly nature of the NaCL library, possibility of misusing the library and thus weakening it's security claims can occur. In this article, a theoretical caching attack can be exploited on improperly implemented versions of the NaCL library.

NaCL library consists of methods for creating a cryptographic envelope called a crypto_box for encrypting messsages using Curve25519-Salsa20 -PolyAES algorithm. NaCL also includes the ability to use Ed25519 to sign messages whenever message signing is necessary.

The improper use of the Curve25519-Salsa20-PolyAES function may lead to disasterous effects on cryptographic security and thus allows atatckers (i.e malware) to defeat the security NaCL promises.

NaCL's crypto_box function requires a sender's Curve25519 private key, a recipient's Curve25519 public key, a nonce and message to instantiate a crypto_box operation.

The sender's private key and recipient's public key is computed over a ECDH function over Curve25519 to produce a shared secret key (sk). The sk is then used to feed into a keystream generator based off Salsa with a nonce to provide a keystream for message cryptography and integrity checking functionalities.

The attack described below requires a misuse of the crypto_box function by not refreshing new Curve25519 keypairs between parties that want to perform secure communications for the attack to be effective.

The result from such compromise would effectively break the security model of NaCL by making all past and future messages insecure and thus breaking the forward secrecy when misused.

The attacker captures the shared secret key (sk) and then proceeds to cache the sk in a convenient and hidden location only the attacker knows . When a new or old message is detected, the nonce is read from the message and then proceeds to be fed to a keystream generator with the cached sk and thus bypassing for the need of the recipient from having to utilize the private key to produce the keystream. This allows the attacker to conveniently read all old and new messages exchanged between a particular party using this caching attack methodology.

Even under the circumstance that the both parties (sender and recipient) were to use secure hardware to protect their private keys and compute for the sk over Curve25519 function, as long as the sk is captured by an attacker, it is considered compromised if both party uses the same Curve25519 keypairs for more than a single message for the crypto_box function.

The remedy to this caching attack on the improper use of NaCL library's crypto_box function is to consistently use new Curve25519 keypairs for key exchange while using a properly secured Ed25519 signing key to sign every one-time-use Curve25519 keypairs and ensure that the Curve25519 keypairs would never be re-used again thus mitigating the caching attack on the improper implementation of crypto_box function.

Publication Info
Written On: 8 Sep 2017
Published On: 8 Sep 2017
Author: Thotheolh