DOCSLIB.ORG

Eindhoven University of Technology MASTER Kleptography

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Eindhoven University of Technology MASTER Kleptography Eindhoven University of Technology MASTER Kleptography cryptography with backdoors Antheunisse, M. Award date: 2015 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Master Thesis Kleptography Cryptography with Backdoors Author: Milou Antheunisse (student number: 780190) Supervisor: Prof. Dr. Tanja Lange Eindhoven University of Technology Department of Mathematics and Computer Science October 26, 2015 Abstract In a black-box cryptosystem, only the input and output of the system are accessible for the user. This means that the user does not have any knowledge of the internals of the device. This principle has been used regularly, for example in the Capstone project, launched by the US government in 1993. In 1996, Adam Young and Moti Yung showed that black-box cryptography should not be trusted. They designed an attack for black-box cryptosystems: SETUP (Secretly Embedded Trapdoor with Universal Protection). The SETUP mechanism enables the attacker to exfiltrate users' private information without the users noticing. This field of study is denoted by the term \kleptography". First, a general introduction to cryptography is presented. This chapter serves as a step- ping stone towards the next chapter on kleptography. Formal definitions of SETUP are given, followed by a distinction between weak, regular and strong SETUP. Furthermore, the notion of leakage bandwidth is introduced. SETUP implementations in RSA key gen- eration, ElGamal key generation and signature scheme and Diffie-Hellman key exchange are shown and explained in detail. Finally, some measures are given to protect against a SETUP attack. I Contents List of Algorithms IV List of Examples V List of Figures VII 1 Introduction 1 1.1 Motivation . .1 1.2 Thesis Outline . .1 2 An Introduction to Cryptography 3 2.1 Terminology . .3 2.1.1 Encryption and Decryption . .3 2.1.2 Symmetric vs. Asymmetric Cryptography . .4 2.2 Number Theory . .4 2.2.1 Euclidean Algorithm . .5 2.2.2 Prime Numbers . .7 2.2.3 Congruences . .9 2.2.4 Discrete Logarithm and Integer Factorization . 16 2.3 Classical Cryptosystems . 16 2.3.1 Caesar Cipher . 16 2.3.2 Vigen`ereCryptosystem . 17 2.3.3 Vernam Cipher . 18 2.4 Modern Cryptosystems . 18 2.4.1 Cryptographic Primitives . 19 2.4.2 Diffie-Hellman Key Exchange . 22 2.4.3 ElGamal . 23 2.4.4 RSA . 27 2.5 Applications of Cryptography . 29 2.5.1 Bank Cards and Credit Cards . 29 2.5.2 Online Banking . 30 2.5.3 Pretty Good Privacy . 30 3 Kleptography 33 3.1 Background Information . 33 3.1.1 Subliminal Channels . 33 3.1.2 Key Escrow . 37 3.2 A History of Kleptography . 39 3.3 SETUP . 40 3.3.1 Secretly Embedded Trapdoor with Universal Protection . 41 3.3.2 Definition of SETUP . 41 3.3.3 Weak SETUP . 42 3.3.4 Strong SETUP . 43 3.3.5 Weak, Regular or Strong SETUP? . 43 III CONTENTS 3.3.6 Leakage Bandwidth . 43 3.4 SETUP in RSA . 44 3.4.1 SETUP in RSA Key Generation I . 44 3.4.2 SETUP in RSA Key Generation II (PAP) . 46 3.5 SETUP in ElGamal . 53 3.5.1 SETUP in ElGamal Key Generation I . 53 3.5.2 SETUP in ElGamal Key Generation II . 58 3.5.3 SETUP in ElGamal Signature Scheme . 63 3.6 SETUP in Diffie-Hellman . 71 3.6.1 SETUP in Diffie-Hellman Key Exchange . 72 4 Conclusions 83 4.1 SETUP Attacks . 83 4.2 Protection against SETUP Attacks . 84 4.3 Further Research . 84 4.4 Final Words . 85 A SETUP in RSA 87 A.1 SETUP in RSA Key Generation I . 87 A.2 SETUP in RSA Key Generation II (PAP) . 88 B SETUP in ElGamal 91 B.1 SETUP in ElGamal Key Generation I . 91 B.2 SETUP in ElGamal Key Generation II . 93 B.3 SETUP in ElGamal Signature Scheme . 95 C SETUP in Diffie-Hellman 97 C.1 SETUP in Diffie-Hellman Key Exchange . 97 D Safe Primes 99 IV List of Algorithms 2.1 Euclidean algorithm . .5 2.2 Extended Euclidean algorithm . .6 A.1 SETUP in RSA key generation I . 87 A.2 SETUP in RSA key generation I - Modulus factoring by attacker . 87 A.3 SETUP in RSA key generation II (PAP) . 88 A.4 SETUP in RSA key generation II (PAP) - Modulus factoring by attacker . 89 B.1 SETUP in ElGamal key generation I . 91 B.2 SETUP in ElGamal key generation I - Recovery of private key by attacker . 92 B.3 SETUP in ElGamal key generation II . 93 B.4 SETUP in ElGamal key generation II - Recovery of private key by attacker . 94 B.5 SETUP in ElGamal signature scheme I - First signature . 95 B.6 SETUP in ElGamal signature scheme I - Second signature . 95 B.7 SETUP in ElGamal signature scheme I - Recovery of private key by attacker . 95 B.8 SETUP in ElGamal signature scheme II - First signature . 96 B.9 SETUP in ElGamal signature scheme II - Second signature . 96 C.1 SETUP in Diffie-Hellman key pair generation - First key pair generation . 97 C.2 SETUP in Diffie-Hellman key pair generation - Second key pair generation . 97 C.3 SETUP in Diffie-Hellman key pair generation - Recovery of private key by attacker . 97 V List of Examples 2.1 Euclidean algorithm . .6 2.2 Extended Euclidean algorithm . .7 2.3 Residue classes, complete residue system and reduced residue system . .9 2.4 Modular inverse using extended Euclidean algorithm . 10 2.5 Chinese remainder theorem . 15 2.6 Caesar cipher . 17 2.7 Vigen`erecryptosystem . 17 2.8 Kasiski's method . 18 2.9 Vernam cipher . 18 2.10 The Diffie-Hellman key exchange method . 23 2.11 Key pair generation, encryption and decryption with ElGamal . 25 2.12 Authentication with ElGamal signature scheme . 26 2.13 Key pair generation, encryption and decryption with RSA . 29 3.1 Authentication with ElGamal signature scheme with subliminal channel . 36 3.2 SETUP in RSA key generation I . 45 3.3 SETUP in RSA key generation II - U and U +1 ....................... 48 3.4 SETUP.
Load more

Recommended publications
  • Bernhard Esslinger: Cryptool – Cryptography for the Masses
    CrypTool Cryptography for the masses Prof. Bernhard Esslinger (presentation layout done with some help from Gonzalo; pictures by pixabay) Cryptography everywhere … In the digital era, we are all cryptography consumers, whether we know it or not. Whenever we use the mobile telephone, withdraw money from an ATM, go shopping to an e-commerce site using SSL, or use a messenger, we are using cryptographic services which protect the confidentiality, integrity, and authenticity of our data. The world as we know it wouldn’t exist without cryptography. Cryptography challenges education Around all of us perceived as difficult lack of understanding curricula teachers need useful tools Context of Cryptography CrypTool today: 5 products version 1.x http://www.cryptool.org/en/cryptool1 http://www.cryptool.org/en/ct2 https://github.com/jcryptool/ http://www.cryptool-online.org http://www.mysterytwisterc3.org/ CrypTool Portal: website today JCrypTool: User presentation https://github.com/jcryptool/core/wiki/jcryptool_us er_presentation/jcryptool_presentation_en.pdf CrypTool 2: Sample screen CrypTool: founded 1998 like … • Attac, Paris • Google, Menlo Park • CrypTool, Frankfurt CrypTool 1: Two warnings • legal • worrywarts besides the warnings: CT1 still made it Playful learning Serious tool CrypTool can be used to visualize many concepts of cryptology: including digital signatures, symmetric, asymmetric and hybrid encryption, protocols, cryptanalysis, etc. CrypTool 1 package Self-contained Documentation (online help, readme, CTB, presentation; programs later website) Stories CrypTool 1 Self-contained programs Flash animations The Dialogue of the Sisters The Chinese Labyrinth There are two stories included dealing with number theory and cryptography: • In "The Dialogue of the Sisters" the title-role sisters use a variant of the RSA algorithm, in order to communicate securely.
    [Show full text]
  • Cryptology with Jcryptool V1.0
    www.cryptool.org Cryptology with JCrypTool (JCT) A Practical Introduction to Cryptography and Cryptanalysis Prof Bernhard Esslinger and the CrypTool team Nov 24th, 2020 JCrypTool 1.0 Cryptology with JCrypTool Agenda Introduction to the e-learning software JCrypTool 2 Applications within JCT – a selection 22 How to participate 87 JCrypTool 1.0 Page 2 / 92 Introduction to the software JCrypTool (JCT) Overview JCrypTool – A cryptographic e-learning platform Page 4 What is cryptology? Page 5 The Default Perspective of JCT Page 6 Typical usage of JCT in the Default Perspective Page 7 The Algorithm Perspective of JCT Page 9 The Crypto Explorer Page 10 Algorithms in the Crypto Explorer view Page 11 The Analysis tools Page 13 Visuals & Games Page 14 General operation instructions Page 15 User settings Page 20 Command line parameters Page 21 JCrypTool 1.0 Page 3 / 92 JCrypTool – A cryptographic e-learning platform The project Overview . JCrypTool – abbreviated as JCT – is a free e-learning software for classical and modern cryptology. JCT is platform independent, i.e. it is executable on Windows, MacOS and Linux. It has a modern pure-plugin architecture. JCT is developed within the open-source project CrypTool (www.cryptool.org). The CrypTool project aims to explain and visualize cryptography and cryptanalysis in an easy and understandable way while still being correct from a scientific point of view. The target audience of JCT are mainly: ‐ Pupils and students ‐ Teachers and lecturers/professors ‐ Employees in awareness campaigns ‐ People interested in cryptology. As JCT is open-source software, everyone is capable of implementing his own plugins.
    [Show full text]
  • Malicious Cryptography: Kleptographic Aspects
    Malicious Cryptography: Kleptographic Aspects Adam Young1 and Moti Yung2 1 Cigital Labs [email protected] 2 Dept. of Computer Science, Columbia University [email protected] Abstract. In the last few years we have concentrated our research ef- forts on new threats to the computing infrastructure that are the result of combining malicious software (malware) technology with modern cryp- tography. At some point during our investigation we ended up asking ourselves the following question: what if the malware (i.e., Trojan horse) resides within a cryptographic system itself? This led us to realize that in certain scenarios of black box cryptography (namely, when the code is inaccessible to scrutiny as in the case of tamper proof cryptosystems or when no one cares enough to scrutinize the code) there are attacks that employ cryptography itself against cryptographic systems in such a way that the attack possesses unique properties (i.e., special advantages that attackers have such as granting the attacker exclusive access to crucial information where the exclusive access privelege holds even if the Trojan is reverse-engineered). We called the art of designing this set of attacks “kleptography.” In this paper we demonstrate the power of kleptography by illustrating a carefully designed attack against RSA key generation. Keywords: RSA, Rabin, public key cryptography, SETUP, kleptogra- phy, random oracle, security threats, attacks, malicious cryptography. 1 Introduction Robust backdoor attacks against cryptosystems have received the attention of the cryptographic research community, but to this day have not influenced in- dustry standards and as a result the industry is not as prepared for them as it could be.
    [Show full text]
  • Tamper-Evident Digital Signatures: Protecting Certification Authorities
    Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Philippe Golle Markus Jakobsson Dept. of Computer Science Palo Alto Research Center School of Informatics Indiana Univ. at Bloomington 3333 Coyote Hill Rd Indiana Univ. at Bloomington Bloomington, IN 47405 Palo Alto, CA 94304 Bloomington, IN 47408 Abstract The threat of covert channels (also called subliminal channels) was first studied by Simmons [18, 19] and later We introduce the notion of tamper-evidence for digi- by, among others, Young and Yung [23, 24]. These authors tal signature generation in order to defend against attacks show how an attacker may leak bits of the private signing aimed at covertly leaking secret information held by cor- key in covert channels present in the randomized key gen- rupted signing nodes. This is achieved by letting observers eration or signing algorithm. For the sake of concreteness, (which need not be trusted) verify the absence of covert let us consider the RSA-PSS signature scheme (known as channels by means of techniques we introduce herein. We RSA's Probabilistic Signature Scheme [7]) as an example. call our signature schemes tamper-evident since any de- The message encoding scheme of RSA-PSS specifies that viation from the protocol is immediately detectable. We the hash of the message to be signed be concatenated with demonstrate our technique for the RSA-PSS (known as a random octet string known as a “salt”. A malicious im- RSA’s Probabilistic Signature Scheme) and DSA signature plementation of RSA-PSS may choose bits of the private schemes and show how the same technique can be ap- key for the salt, instead of a value produced by the pseudo- plied to the Schnorr and Feige-Fiat-Shamir (FFS) signature random number generator.
    [Show full text]
  • Elliptic Curve Kleptography
    IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.6, June 2010 183 Elliptic Curve Kleptography Elsayed Mohamed and Hassan Elkamchouchi Alexandria University, Alexandria, Egypt Summary This paper presents an approach to mount secretly embedded • Elliptic Curve Diffie-Hellman Problem (ECDHP) trapdoor with universal protection (SETUP) attacks on the elliptic curve discrete logarithm problem. The new approach Given a point P of order n in an elliptic curve E over a allows the attacker to obtain the secret key of a cryptographic finite field Fp and two points kP and lP where 0 ≤ k, l ≤ n device covertly. The attack demonstrates the manufacturer’s −1, the ECDHP is to find the point ( k × l × P ). This ability to embed a hidden trapdoor in cryptographic black-box problem is used in the elliptic curve Diffie-Hellman key devices used for key exchange. A contaminated device behaves exactly like an honest one while actually leaking the user’s secret exchange algorithm. key only to the attacker. The attacker can then use that secret key to decrypt all the subsequent communications. • Elliptic Curve Key Exchange Key words: Elliptic Curve Cryptography, Kleptography, Subliminal Channel, Suppose that users A and B want to agree upon a key that SETUP they will use with a symmetric-key cryptosystem. They choose an elliptic curve E defined over a finite field Fp. Users A and B now construct their public keys from a 1. Introduction randomly chosen and agreed upon point G lying on the elliptic curve E. E, Fp and G are made public.
    [Show full text]
  • Integrity, Authentication and Confidentiality in Public-Key Cryptography Houda Ferradi
    Integrity, authentication and confidentiality in public-key cryptography Houda Ferradi To cite this version: Houda Ferradi. Integrity, authentication and confidentiality in public-key cryptography. Cryptography and Security [cs.CR]. Université Paris sciences et lettres, 2016. English. NNT : 2016PSLEE045. tel- 01745919 HAL Id: tel-01745919 https://tel.archives-ouvertes.fr/tel-01745919 Submitted on 28 Mar 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT de l’Université de recherche Paris Sciences et Lettres PSL Research University Préparée à l’École normale supérieure Integrity, Authentication and Confidentiality in Public-Key Cryptography École doctorale n◦386 Sciences Mathématiques de Paris Centre Spécialité Informatique COMPOSITION DU JURY M. FOUQUE Pierre-Alain Université Rennes 1 Rapporteur M. YUNG Moti Columbia University et Snapchat Rapporteur M. FERREIRA ABDALLA Michel Soutenue par Houda FERRADI CNRS, École normale supérieure le 22 septembre 2016 Membre du jury M. CORON Jean-Sébastien Université du Luxembourg Dirigée par
    [Show full text]
  • Malicious Cryptography Exposing Cryptovirology
    Malicious Cryptography Exposing Cryptovirology Adam Young Moti Yung Wiley Publishing, Inc. Malicious Cryptography Malicious Cryptography Exposing Cryptovirology Adam Young Moti Yung Wiley Publishing, Inc. Executive Publisher: Robert Ipsen Executive Editor: Carol A. Long Developmental Editor: Eileen Bien Calabro Editorial Manager: Kathryn A. Malm Production Manager: Fred Bernardi This book is printed on acid-free paper. Copyright c 2004 by Adam Young and Moti Yung. All rights reserved. Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system, or trans- mitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clear- ance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: [email protected]. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specif- ically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
    [Show full text]
  • Post-Quantum Cryptography: Prime Questions = Primary Questions
    Post-Quantum Cryptography: prime questions = primary questions Áron SZABÓ Hacktivity 2015 Budapest October 9, 2015 1 E-Group, https://www.egroup.hu/ About present and future 2 E-Group, https://www.egroup.hu/ About present and future Post-Quantum Cryptography: classical computers and quantum computers mathematics of cryptographic primitives and algorithms • MD5 collisions: Flame, modified signed Windows updates implementations of cryptographic primitives and algorithms • kleptography: Dual_EC_DRBG (PRNG) • entropy: Android JCA (Bitcoin ECDSA), OpenSSL (PRNG) • usage: ECDSA (Sony PlayStation 3) SSL/TLS: ECDHE vs. RSA(PRNG vs. PFS) • code audits: TrueCrypt 3 E-Group, https://www.egroup.hu/ About present and future 4 E-Group, https://www.egroup.hu/ About present and future 5 E-Group, https://www.egroup.hu/ About present and future Post-Quantum Cryptography: classical computers and quantum computers behaviours of cryptographic primitives and algorithms • superposition: classical computer vs. quantum computers • adiabatic qc: D-Wave Systems (sold to e.g. Lockheed Martin) 6 E-Group, https://www.egroup.hu/ About security levels Post-Quantum Cryptography: classical computers and quantum computers „Imagine that it's fifteen years from now. Somebody announces that he's built a large quantum computer. RSA is dead. DSA is dead. Elliptic curves, hyperelliptic curves, class groups, whatever, dead, dead, dead. So users are going to run around screaming and say 'Oh my God, what do we do?' Well, we still have secret-key cryptography, and we still have some public-key systems. There's hash trees. There's NTRU. There's McEliece. There's multivariate-quadratic systems.” http://pqcrypto.org/ OK, but why? Shor’s algorithm (finding order of a group) and Grover’s algorithm runs faster..
    [Show full text]
  • Нацiональний Авiацiйний Унiверситет Мiнiстерство Освiти I Науки України
    Нацiональний авiацiйний унiверситет Мiнiстерство освiти i науки України Квалiфiкацiйна наукова праця на правах рукопису КОВАЛЕНКО Богдан Анатолiйович УДК 004.056.55 ДИСЕРТАЦIЯ Методи побудови та оцiнки стiйкостi клептографiчних механiзмiв у гiбридних криптосистемах Спецiальнiсть 05.13.21 – Системи захисту iнформацiї Технiчнi науки Подається на здобуття наукового ступеня кандидата технiчних наук Дисертацiя мiстить результати власних дослiджень. Використання iдей, результатiв i текстiв iнших авторiв мають посилання на вiдповiдне джерело Коваленко Б.А. Науковий керiвник: Кудiн Антон Михайлович, доктор технiчних наук, старший науковий спiвробiтник, професор кафедри Київ 2020 Анотацiя Коваленко Б.А. Методи побудови та оцiнки стiйкостi клепто- графiчних механiзмiв у гiбридних криптосистемах. – Квалiфiкацiйна наукова праця на правах рукопису. Дисертацiя на здобуття наукового ступеня кандидата технiчних наук (доктора фiлософiї) за спецiальнiстю 05.13.21 ¾Системи захисту iнформацiї¿. – Нацiональний авiацiйний унiверситет, Мiнiстерство освiти i науки України, Київ, 2020. У дисертацiї розв’язано актуальну наукову задачу розробки методу побудови криптосистем з доведеною вiдсутнiстю клептографiчної модифiкацiї, а також оцiнцi клептографiчних ризикiв криптопримiтивiв на етапi їх стандартизацiї i впровадження. Метою робити є пiдвищення рiвня захищеностi гiбридних криптосистем шляхом зменшення клептографiчних ризикiв через запропонованi методи побудови протоколiв з доведеною вiдсутнiстю клептографiчних каналiв витоку секрету, методи оцiнки ризикiв наявностi
    [Show full text]
  • Control and Cybernetics Lightweight Digital Signature with Secretly
    Control and Cybernetics vol. 42 (2013) No. 4 Lightweight digital signature with secretly embedded warning∗† by Mirosław Kutyłowski and Przemysław Kubiak Institute of Mathematics and Computer Science Wrocław University of Technology ul. Wybrzeże Wyspiańskiego 27, 50-370 Wrocław, Poland {miroslaw.kutylowski; przemyslaw.kubiak}@pwr.wroc.pl Abstract: We show how a signatory can indicate coercion by embedding a secret message into the signature. Our scheme is prac- tical and applies to standard signature schemes unlike the recent construction of Durnoga et al. (2013). The construction follows di- rectly from kleptographic techniques due to Moti Yung and Adam Young. Keywords: coercion, digital signature, kleptography, funkspiel 1. Introduction We address the problem of coercing an owner of a signature creation device to sign a document. The idea is that the owner uses a coercion PIN and the device creates a signature, which is indistinguishable from the regular one – at least from the point of view of the coercer, but at the same time contains a secret warning. A scheme satisfying these requirements has been proposed in Durnoga et al. (2013). However, this scheme is quite inefficient in terms of computational complexity and incompatible with the signature schemes used in practice. In this note we propose a fairly simple solution to the same problem based on techniques from Young and Yung (1997) (also related to the funkspiel tech- niques, Håstad et al., 2000). It applies to any signature scheme based on the Discrete Logarithm Problem, where we compute r := gk for a k chosen at ran- dom, and either r is explicitly given or can be reconstructed from the final signature.
    [Show full text]
  • Nizks with an Untrusted CRS: Security in the Face of Parameter Subversion
    NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion Mihir Bellare1, Georg Fuchsbauer2, and Alessandra Scafuro3 1 Department of Computer Science & Engineering, University of California San Diego, USA. [email protected] 2 Inria, Ecole Normale Sup´erieure, CNRS and PSL Research University, Paris, France. [email protected]. 3 Department of Computer Science , North Carolina State University, USA. [email protected]. Abstract. Motivated by the subversion of \trusted" public parameters in mass-surveillance activities, this paper studies the security of NIZKs in the presence of a maliciously chosen common reference string. We provide definitions for subversion soundness, subversion witness indis- tinguishability and subversion zero knowledge. We then provide both negative and positive results, showing that certain combinations of goals are unachievable but giving protocols to achieve other combinations. 1 Introduction The summer of 2013 brought shocking news of mass surveillance being conducted by the NSA and its counter-parts in other countries. The documents revealed new ways in which the adversary compromises security, ways not covered by standard models and definitions in cryptography. This opens up a new research agenda, namely to formalize security goals that defend against these novel attacks, and study the achievability of these goals. This agenda is being pursued along several fronts. The front we pursue here is parameter subversion, namely the compromise of security by the malicious creation of supposedly trusted public parameters for cryptographic systems. The representative example is the Dual EC random number generator (RNG). Dual EC. Dual EC is an NSA-designed, elliptic-curve-based random number generator, standardized as NIST SP 800-90 and ANSI X9.82.
    [Show full text]
  • Kleptography Trapdoor Free Cryptographic Protocols
    Kleptography trapdoor free cryptographic protocols Bohdan Kovalenko1 and Anton Kudin2 1 National technical University of Ukraine ”KPI”, Kyiv, Ukraine, [email protected] 2 National Bank of Ukraine, [email protected] Abstract. Context. Methods of known kleptography implementations are being investigated. The article focuses mostly on SETUP design of subliminal data leakage channels. Aim. Suggest approach to develop SETUP resistant cryptosystems. Methods. The necessary conditions for SETUP implementation is building in entropy source (otherwise generated secret will be predictable). In this article it’s considered subscriber whose protocol implementation is suspected to be modified by Developer (malicious actor who is able to influence on cryptosystem implementation) to create subliminal leakage channel. Possible countermeasure is to prohibit usage own random sources for subscribers, enforce generate random values from public counters. Results. Formal model for basic SETUP scheme has been suggested. Approach to develop of SETUP resistant protocols has been described. Two basic SETUP- resistance protocols (nonce generation protocol and Diffie-Hellman key agreement protocol) have been proposed. Keywords: kleptography, SETUP, subliminal channel, secret leakage, DLP Introduction The ”kleptography” term was proposed by Adam Young and Moti Yung in 1996 [YY96]. Kleptography covers methods of implementation so-called ”back-doors” or ”subliminal channels” in cryptosystems that allow Developers to access certain secret information from customer’s cryptosystem. Developer is a kind of malicious actor who is able to make changes (illegally) into some parts of cryptosystem implementations. In general, by the level of construction, it is possible to distinguish two classes of kleptography mechanisms: embedded at the cryptosystem design stage or back-doors injection into the existing cryptosystem or protocol.
    [Show full text]