Challenging Channels: Encrypted Covert Channels within Challenge-Response Authentication

Challenge-response authentication is an essential and omnipresent network service. Thus, it is a lucrative target for attackers to transport covert information. We present two covert channels in nonce-based network authentication that allow the encrypted transfer of covert information. Both channels exploit fundamental problems, not contained to the specific implementation or cryptographic mechanisms. We provide implementations and evaluations for hash- and key-based challenge-response authentication. Our implementation achieves hard detectability and acceptable throughput rates. Further, we analyze how the throughput can be maximized by applying compression and codebook techniques. We also describe how the presented approach is suitable for the extraction of sensitive information and performing command-and-control communication, showcased by the exfiltration of three different malware code snippets. Further, we discuss potential countermeasures, that can detect, limit and eliminate the proposed covert channels.