DOCSLIB.ORG

Tamper-Evident Digital Signatures: Protecting Certification Authorities

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Tamper-Evident Digital Signatures: Protecting Certification Authorities Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware Jong Youl Choi Philippe Golle Markus Jakobsson Dept. of Computer Science Palo Alto Research Center School of Informatics Indiana Univ. at Bloomington 3333 Coyote Hill Rd Indiana Univ. at Bloomington Bloomington, IN 47405 Palo Alto, CA 94304 Bloomington, IN 47408 Abstract The threat of covert channels (also called subliminal channels) was first studied by Simmons [18, 19] and later We introduce the notion of tamper-evidence for digi- by, among others, Young and Yung [23, 24]. These authors tal signature generation in order to defend against attacks show how an attacker may leak bits of the private signing aimed at covertly leaking secret information held by cor- key in covert channels present in the randomized key gen- rupted signing nodes. This is achieved by letting observers eration or signing algorithm. For the sake of concreteness, (which need not be trusted) verify the absence of covert let us consider the RSA-PSS signature scheme (known as channels by means of techniques we introduce herein. We RSA's Probabilistic Signature Scheme [7]) as an example. call our signature schemes tamper-evident since any de- The message encoding scheme of RSA-PSS specifies that viation from the protocol is immediately detectable. We the hash of the message to be signed be concatenated with demonstrate our technique for the RSA-PSS (known as a random octet string known as a “salt”. A malicious im- RSA’s Probabilistic Signature Scheme) and DSA signature plementation of RSA-PSS may choose bits of the private schemes and show how the same technique can be ap- key for the salt, instead of a value produced by the pseudo- plied to the Schnorr and Feige-Fiat-Shamir (FFS) signature random number generator. One may argue that this simple schemes. Our technique does not modify the distribution of type of leakage is detectable: a third party could test (for the generated signature transcripts, and has only a mini- each signature) whether the salt is a substring of the secret mal overhead in terms of computation, communication, and key corresponding to the known public key of the signer (the storage. third party would need to be trusted with the secret key). Upon the detection of such an event, the signer would be isolated and decommissioned. However, an attacker could 1 Introduction just as easily leak an encryption of some of the bits of the secret signing key, under a symmetric or public-key encryp- Malware and insider attacks pose an increasing threat to tion scheme for which the attacker knows the decryption our cyber infrastructure. Current protection mechanisms key. For a semantically secure encryption scheme, and ap- against malware rely on the collection of malicious code propriate parameter choices, such a leakage could be made found in the wild. For this protection to be effective, mali- in a truly covert manner. cious code must be detected as quickly as possible after an RSA-PSS is not the only signature scheme that is vulner- attack is mounted. Unfortunately detecting malicious code able to covert channel attacks. To some extent, all signature quickly is difficult, particularly in the case of carefully tar- schemes are vulnerable to these attacks, since they all make geted attacks, such as for example an attack narrowly fo- use of randomness for key generation. Still, covert channel cussed on critical nodes in the infrastructure. attacks pose the greatest threat to signature schemes that use A perfect example of such a target is a certification au- randomness not just once in the initial key generation step, thority. The consequences would be severe if an attacker but for the generation of every signature. Thus discrete-log succeeded in corrupting a certification authority and man- based signatures schemes, such as Schnorr signatures [17] aged to cause it to leak its secret key material. The mere and DSA [20], are particularly vulnerable to covert chan- possibility of such an attack (as opposed to its actual occur- nels given their ongoing use of randomness in the genera- rence) may in fact weaken the trustworthiness of our public tion of each and every signature. Our techniques focus on key infrastructure. This threat is all the more severe as the eliminating covert channels from the signature algorithm of leak may be performed using a covert channel. discrete-log based signature schemes, but they can be com- bined with previously proposed techniques [9] that consider be the values of a hash chain such that si = h(si+1) only covert channels in the key generation phase. (0 ≤ i ≤ n − 1), for some secret seed sn which is known In this paper, we consider the problem of detecting (po- only to the signer. The value s0 is made public by the signer tentially covert) malicious behavior by corrupt certification during a setup phase. Afterward, the signer uses the value authorities and other generators of digital signatures. We si as a salt for signature i = 1; : : : ; n. An observer can propose to solve this problem with tamper-evident digital check the correctness of the salt used in the ith signature signatures. Tamper-evident signatures do not prevent cor- with the equation si−1 = h(si). If this verification fails, the ruption, but they ensure the immediate detection of any cor- observer raises an alarm. ruption that causes a signer to output signatures that are in any way different from those of an honest signer. Tamper- Properties. We describe next two important properties of evident signatures are useful to defend not only against mal- the tamper-evident signature schemes proposed in this pa- ware, but also against insider attacks. A typical insider per. attack [16] is performed by the implementor of a crypto- graphic application, who designs code that operates cor- 1. Undercover observers. In our RSA-PSS example, the rectly while under test, but switches to a corrupt mode of observer can verify the absence of covert channels operation after deployment. Insider attacks are notoriously without interacting with the signer. We say that our hard to prevent, given the difficulty of auditing even small observer is undercover. Undercover observers quietly pieces of software or hardware. Tamper-evident signatures “eavesdrop” on available network traffic to detect ir- do not prevent insider attacks, but ensure that such attacks regularities and need not expose their existence until are immediately detected if they cause a signer to output they raise an alarm. Undercover observers, by virtue of signatures that differ in any way from the signatures of an being hidden, cannot be targets of coercion attacks (un- honest signer. like the signer whose existence is of necessity public). While current security models for digital signatures con- Onwards, we only consider undercover observers, but sider the signer as an oracle, we take a large step towards note that interactive observers may be useful in other a more realistic threat model by allowing – in addition – contexts to design tamper-evident protocols. attackers to corrupt signers and attempt to make them leak 2. Distribution of signatures. In the simple example their secret information to the attacker. When an attacker given above, the distribution of the transcripts gener- corrupts a node, it replaces the code run by that node with ated by tamper-evident RSA-PSS is easily distinguish- code chosen by the attacker. We assume however that the able from that of standard RSA-PSS, given the relation attacker cannot create any new communication channels for of salts. This is undesirable and can easily be avoided. the nodes under its control. The goal of our attacker, as in The tamper-evident signature schemes that we propose the standard definition of security for signature schemes, is in this paper produce a distribution of signature tran- to generate a valid signature on a new message. scripts that is polynomial-time indistinguishable from We assume the existence of one or several observers. An regular transcripts (after removing the proofs consti- observer is an external node whose task is to inspect all sig- tuting evidence of tamper-freeness). nature transcripts produced by a signer and detect any devi- ation from honest signature generation. This task would be Assumptions. The tamper-evident signature schemes trivial if we gave the observer knowledge of all the secrets proposed in this paper make the following assumptions: known to the signer. However, we do not wish to place any trust with observers. Instead, the observers need to detect 1. Unencrypted traffic. We assume that traffic to and the presence of a covert channel given only publicly avail- from the signer is not encrypted. The adaptation of our able information. Once a covert channel is detected, the ob- methods to a model in which traffic is sent over an en- server alerts the public of this fact, and proves the existence crypted communication channel to which the observer of the covert channel to avoid false alarms. This allows cor- does not have decryption abilities is theoretically pos- rupted nodes to be manually disconnected and reconfigured, sible – given well-known results relating to general and minimizes the effects of the attack. multi-party computation. However, an efficient solu- tion that remains compatible with existing VPN tech- Example. To illustrate our techniques, we return to the niques is a challenging open problem. example of RSA-PSS. A small change to the signing al- 2. Timing attacks. Tamper-evident signatures do not pro- gorithm makes RSA-PSS tamper-evident. Let us replace tect against timing attacks. However, by imposing the sequence of random salt used in the message encoding strict requirements on synchronization, one can pro- scheme with successive pre-images of a fixed value by a tect against these as well, at the cost of a reduced (but one-way hash function.
Load more

Recommended publications
  • Bernhard Esslinger: Cryptool – Cryptography for the Masses
    CrypTool Cryptography for the masses Prof. Bernhard Esslinger (presentation layout done with some help from Gonzalo; pictures by pixabay) Cryptography everywhere … In the digital era, we are all cryptography consumers, whether we know it or not. Whenever we use the mobile telephone, withdraw money from an ATM, go shopping to an e-commerce site using SSL, or use a messenger, we are using cryptographic services which protect the confidentiality, integrity, and authenticity of our data. The world as we know it wouldn’t exist without cryptography. Cryptography challenges education Around all of us perceived as difficult lack of understanding curricula teachers need useful tools Context of Cryptography CrypTool today: 5 products version 1.x http://www.cryptool.org/en/cryptool1 http://www.cryptool.org/en/ct2 https://github.com/jcryptool/ http://www.cryptool-online.org http://www.mysterytwisterc3.org/ CrypTool Portal: website today JCrypTool: User presentation https://github.com/jcryptool/core/wiki/jcryptool_us er_presentation/jcryptool_presentation_en.pdf CrypTool 2: Sample screen CrypTool: founded 1998 like … • Attac, Paris • Google, Menlo Park • CrypTool, Frankfurt CrypTool 1: Two warnings • legal • worrywarts besides the warnings: CT1 still made it Playful learning Serious tool CrypTool can be used to visualize many concepts of cryptology: including digital signatures, symmetric, asymmetric and hybrid encryption, protocols, cryptanalysis, etc. CrypTool 1 package Self-contained Documentation (online help, readme, CTB, presentation; programs later website) Stories CrypTool 1 Self-contained programs Flash animations The Dialogue of the Sisters The Chinese Labyrinth There are two stories included dealing with number theory and cryptography: • In "The Dialogue of the Sisters" the title-role sisters use a variant of the RSA algorithm, in order to communicate securely.
    [Show full text]
  • Cryptology with Jcryptool V1.0
    www.cryptool.org Cryptology with JCrypTool (JCT) A Practical Introduction to Cryptography and Cryptanalysis Prof Bernhard Esslinger and the CrypTool team Nov 24th, 2020 JCrypTool 1.0 Cryptology with JCrypTool Agenda Introduction to the e-learning software JCrypTool 2 Applications within JCT – a selection 22 How to participate 87 JCrypTool 1.0 Page 2 / 92 Introduction to the software JCrypTool (JCT) Overview JCrypTool – A cryptographic e-learning platform Page 4 What is cryptology? Page 5 The Default Perspective of JCT Page 6 Typical usage of JCT in the Default Perspective Page 7 The Algorithm Perspective of JCT Page 9 The Crypto Explorer Page 10 Algorithms in the Crypto Explorer view Page 11 The Analysis tools Page 13 Visuals & Games Page 14 General operation instructions Page 15 User settings Page 20 Command line parameters Page 21 JCrypTool 1.0 Page 3 / 92 JCrypTool – A cryptographic e-learning platform The project Overview . JCrypTool – abbreviated as JCT – is a free e-learning software for classical and modern cryptology. JCT is platform independent, i.e. it is executable on Windows, MacOS and Linux. It has a modern pure-plugin architecture. JCT is developed within the open-source project CrypTool (www.cryptool.org). The CrypTool project aims to explain and visualize cryptography and cryptanalysis in an easy and understandable way while still being correct from a scientific point of view. The target audience of JCT are mainly: ‐ Pupils and students ‐ Teachers and lecturers/professors ‐ Employees in awareness campaigns ‐ People interested in cryptology. As JCT is open-source software, everyone is capable of implementing his own plugins.
    [Show full text]
  • Malicious Cryptography: Kleptographic Aspects
    Malicious Cryptography: Kleptographic Aspects Adam Young1 and Moti Yung2 1 Cigital Labs [email protected] 2 Dept. of Computer Science, Columbia University [email protected] Abstract. In the last few years we have concentrated our research ef- forts on new threats to the computing infrastructure that are the result of combining malicious software (malware) technology with modern cryp- tography. At some point during our investigation we ended up asking ourselves the following question: what if the malware (i.e., Trojan horse) resides within a cryptographic system itself? This led us to realize that in certain scenarios of black box cryptography (namely, when the code is inaccessible to scrutiny as in the case of tamper proof cryptosystems or when no one cares enough to scrutinize the code) there are attacks that employ cryptography itself against cryptographic systems in such a way that the attack possesses unique properties (i.e., special advantages that attackers have such as granting the attacker exclusive access to crucial information where the exclusive access privelege holds even if the Trojan is reverse-engineered). We called the art of designing this set of attacks “kleptography.” In this paper we demonstrate the power of kleptography by illustrating a carefully designed attack against RSA key generation. Keywords: RSA, Rabin, public key cryptography, SETUP, kleptogra- phy, random oracle, security threats, attacks, malicious cryptography. 1 Introduction Robust backdoor attacks against cryptosystems have received the attention of the cryptographic research community, but to this day have not influenced in- dustry standards and as a result the industry is not as prepared for them as it could be.
    [Show full text]
  • Elliptic Curve Kleptography
    IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.6, June 2010 183 Elliptic Curve Kleptography Elsayed Mohamed and Hassan Elkamchouchi Alexandria University, Alexandria, Egypt Summary This paper presents an approach to mount secretly embedded • Elliptic Curve Diffie-Hellman Problem (ECDHP) trapdoor with universal protection (SETUP) attacks on the elliptic curve discrete logarithm problem. The new approach Given a point P of order n in an elliptic curve E over a allows the attacker to obtain the secret key of a cryptographic finite field Fp and two points kP and lP where 0 ≤ k, l ≤ n device covertly. The attack demonstrates the manufacturer’s −1, the ECDHP is to find the point ( k × l × P ). This ability to embed a hidden trapdoor in cryptographic black-box problem is used in the elliptic curve Diffie-Hellman key devices used for key exchange. A contaminated device behaves exactly like an honest one while actually leaking the user’s secret exchange algorithm. key only to the attacker. The attacker can then use that secret key to decrypt all the subsequent communications. • Elliptic Curve Key Exchange Key words: Elliptic Curve Cryptography, Kleptography, Subliminal Channel, Suppose that users A and B want to agree upon a key that SETUP they will use with a symmetric-key cryptosystem. They choose an elliptic curve E defined over a finite field Fp. Users A and B now construct their public keys from a 1. Introduction randomly chosen and agreed upon point G lying on the elliptic curve E. E, Fp and G are made public.
    [Show full text]
  • Integrity, Authentication and Confidentiality in Public-Key Cryptography Houda Ferradi
    Integrity, authentication and confidentiality in public-key cryptography Houda Ferradi To cite this version: Houda Ferradi. Integrity, authentication and confidentiality in public-key cryptography. Cryptography and Security [cs.CR]. Université Paris sciences et lettres, 2016. English. NNT : 2016PSLEE045. tel- 01745919 HAL Id: tel-01745919 https://tel.archives-ouvertes.fr/tel-01745919 Submitted on 28 Mar 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT de l’Université de recherche Paris Sciences et Lettres PSL Research University Préparée à l’École normale supérieure Integrity, Authentication and Confidentiality in Public-Key Cryptography École doctorale n◦386 Sciences Mathématiques de Paris Centre Spécialité Informatique COMPOSITION DU JURY M. FOUQUE Pierre-Alain Université Rennes 1 Rapporteur M. YUNG Moti Columbia University et Snapchat Rapporteur M. FERREIRA ABDALLA Michel Soutenue par Houda FERRADI CNRS, École normale supérieure le 22 septembre 2016 Membre du jury M. CORON Jean-Sébastien Université du Luxembourg Dirigée par
    [Show full text]
  • Malicious Cryptography Exposing Cryptovirology
    Malicious Cryptography Exposing Cryptovirology Adam Young Moti Yung Wiley Publishing, Inc. Malicious Cryptography Malicious Cryptography Exposing Cryptovirology Adam Young Moti Yung Wiley Publishing, Inc. Executive Publisher: Robert Ipsen Executive Editor: Carol A. Long Developmental Editor: Eileen Bien Calabro Editorial Manager: Kathryn A. Malm Production Manager: Fred Bernardi This book is printed on acid-free paper. Copyright c 2004 by Adam Young and Moti Yung. All rights reserved. Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system, or trans- mitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clear- ance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: [email protected]. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specif- ically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
    [Show full text]
  • Post-Quantum Cryptography: Prime Questions = Primary Questions
    Post-Quantum Cryptography: prime questions = primary questions Áron SZABÓ Hacktivity 2015 Budapest October 9, 2015 1 E-Group, https://www.egroup.hu/ About present and future 2 E-Group, https://www.egroup.hu/ About present and future Post-Quantum Cryptography: classical computers and quantum computers mathematics of cryptographic primitives and algorithms • MD5 collisions: Flame, modified signed Windows updates implementations of cryptographic primitives and algorithms • kleptography: Dual_EC_DRBG (PRNG) • entropy: Android JCA (Bitcoin ECDSA), OpenSSL (PRNG) • usage: ECDSA (Sony PlayStation 3) SSL/TLS: ECDHE vs. RSA(PRNG vs. PFS) • code audits: TrueCrypt 3 E-Group, https://www.egroup.hu/ About present and future 4 E-Group, https://www.egroup.hu/ About present and future 5 E-Group, https://www.egroup.hu/ About present and future Post-Quantum Cryptography: classical computers and quantum computers behaviours of cryptographic primitives and algorithms • superposition: classical computer vs. quantum computers • adiabatic qc: D-Wave Systems (sold to e.g. Lockheed Martin) 6 E-Group, https://www.egroup.hu/ About security levels Post-Quantum Cryptography: classical computers and quantum computers „Imagine that it's fifteen years from now. Somebody announces that he's built a large quantum computer. RSA is dead. DSA is dead. Elliptic curves, hyperelliptic curves, class groups, whatever, dead, dead, dead. So users are going to run around screaming and say 'Oh my God, what do we do?' Well, we still have secret-key cryptography, and we still have some public-key systems. There's hash trees. There's NTRU. There's McEliece. There's multivariate-quadratic systems.” http://pqcrypto.org/ OK, but why? Shor’s algorithm (finding order of a group) and Grover’s algorithm runs faster..
    [Show full text]
  • Нацiональний Авiацiйний Унiверситет Мiнiстерство Освiти I Науки України
    Нацiональний авiацiйний унiверситет Мiнiстерство освiти i науки України Квалiфiкацiйна наукова праця на правах рукопису КОВАЛЕНКО Богдан Анатолiйович УДК 004.056.55 ДИСЕРТАЦIЯ Методи побудови та оцiнки стiйкостi клептографiчних механiзмiв у гiбридних криптосистемах Спецiальнiсть 05.13.21 – Системи захисту iнформацiї Технiчнi науки Подається на здобуття наукового ступеня кандидата технiчних наук Дисертацiя мiстить результати власних дослiджень. Використання iдей, результатiв i текстiв iнших авторiв мають посилання на вiдповiдне джерело Коваленко Б.А. Науковий керiвник: Кудiн Антон Михайлович, доктор технiчних наук, старший науковий спiвробiтник, професор кафедри Київ 2020 Анотацiя Коваленко Б.А. Методи побудови та оцiнки стiйкостi клепто- графiчних механiзмiв у гiбридних криптосистемах. – Квалiфiкацiйна наукова праця на правах рукопису. Дисертацiя на здобуття наукового ступеня кандидата технiчних наук (доктора фiлософiї) за спецiальнiстю 05.13.21 ¾Системи захисту iнформацiї¿. – Нацiональний авiацiйний унiверситет, Мiнiстерство освiти i науки України, Київ, 2020. У дисертацiї розв’язано актуальну наукову задачу розробки методу побудови криптосистем з доведеною вiдсутнiстю клептографiчної модифiкацiї, а також оцiнцi клептографiчних ризикiв криптопримiтивiв на етапi їх стандартизацiї i впровадження. Метою робити є пiдвищення рiвня захищеностi гiбридних криптосистем шляхом зменшення клептографiчних ризикiв через запропонованi методи побудови протоколiв з доведеною вiдсутнiстю клептографiчних каналiв витоку секрету, методи оцiнки ризикiв наявностi
    [Show full text]
  • Control and Cybernetics Lightweight Digital Signature with Secretly
    Control and Cybernetics vol. 42 (2013) No. 4 Lightweight digital signature with secretly embedded warning∗† by Mirosław Kutyłowski and Przemysław Kubiak Institute of Mathematics and Computer Science Wrocław University of Technology ul. Wybrzeże Wyspiańskiego 27, 50-370 Wrocław, Poland {miroslaw.kutylowski; przemyslaw.kubiak}@pwr.wroc.pl Abstract: We show how a signatory can indicate coercion by embedding a secret message into the signature. Our scheme is prac- tical and applies to standard signature schemes unlike the recent construction of Durnoga et al. (2013). The construction follows di- rectly from kleptographic techniques due to Moti Yung and Adam Young. Keywords: coercion, digital signature, kleptography, funkspiel 1. Introduction We address the problem of coercing an owner of a signature creation device to sign a document. The idea is that the owner uses a coercion PIN and the device creates a signature, which is indistinguishable from the regular one – at least from the point of view of the coercer, but at the same time contains a secret warning. A scheme satisfying these requirements has been proposed in Durnoga et al. (2013). However, this scheme is quite inefficient in terms of computational complexity and incompatible with the signature schemes used in practice. In this note we propose a fairly simple solution to the same problem based on techniques from Young and Yung (1997) (also related to the funkspiel tech- niques, Håstad et al., 2000). It applies to any signature scheme based on the Discrete Logarithm Problem, where we compute r := gk for a k chosen at ran- dom, and either r is explicitly given or can be reconstructed from the final signature.
    [Show full text]
  • Nizks with an Untrusted CRS: Security in the Face of Parameter Subversion
    NIZKs with an Untrusted CRS: Security in the Face of Parameter Subversion Mihir Bellare1, Georg Fuchsbauer2, and Alessandra Scafuro3 1 Department of Computer Science & Engineering, University of California San Diego, USA. [email protected] 2 Inria, Ecole Normale Sup´erieure, CNRS and PSL Research University, Paris, France. [email protected]. 3 Department of Computer Science , North Carolina State University, USA. [email protected]. Abstract. Motivated by the subversion of \trusted" public parameters in mass-surveillance activities, this paper studies the security of NIZKs in the presence of a maliciously chosen common reference string. We provide definitions for subversion soundness, subversion witness indis- tinguishability and subversion zero knowledge. We then provide both negative and positive results, showing that certain combinations of goals are unachievable but giving protocols to achieve other combinations. 1 Introduction The summer of 2013 brought shocking news of mass surveillance being conducted by the NSA and its counter-parts in other countries. The documents revealed new ways in which the adversary compromises security, ways not covered by standard models and definitions in cryptography. This opens up a new research agenda, namely to formalize security goals that defend against these novel attacks, and study the achievability of these goals. This agenda is being pursued along several fronts. The front we pursue here is parameter subversion, namely the compromise of security by the malicious creation of supposedly trusted public parameters for cryptographic systems. The representative example is the Dual EC random number generator (RNG). Dual EC. Dual EC is an NSA-designed, elliptic-curve-based random number generator, standardized as NIST SP 800-90 and ANSI X9.82.
    [Show full text]
  • Kleptography Trapdoor Free Cryptographic Protocols
    Kleptography trapdoor free cryptographic protocols Bohdan Kovalenko1 and Anton Kudin2 1 National technical University of Ukraine ”KPI”, Kyiv, Ukraine, [email protected] 2 National Bank of Ukraine, [email protected] Abstract. Context. Methods of known kleptography implementations are being investigated. The article focuses mostly on SETUP design of subliminal data leakage channels. Aim. Suggest approach to develop SETUP resistant cryptosystems. Methods. The necessary conditions for SETUP implementation is building in entropy source (otherwise generated secret will be predictable). In this article it’s considered subscriber whose protocol implementation is suspected to be modified by Developer (malicious actor who is able to influence on cryptosystem implementation) to create subliminal leakage channel. Possible countermeasure is to prohibit usage own random sources for subscribers, enforce generate random values from public counters. Results. Formal model for basic SETUP scheme has been suggested. Approach to develop of SETUP resistant protocols has been described. Two basic SETUP- resistance protocols (nonce generation protocol and Diffie-Hellman key agreement protocol) have been proposed. Keywords: kleptography, SETUP, subliminal channel, secret leakage, DLP Introduction The ”kleptography” term was proposed by Adam Young and Moti Yung in 1996 [YY96]. Kleptography covers methods of implementation so-called ”back-doors” or ”subliminal channels” in cryptosystems that allow Developers to access certain secret information from customer’s cryptosystem. Developer is a kind of malicious actor who is able to make changes (illegally) into some parts of cryptosystem implementations. In general, by the level of construction, it is possible to distinguish two classes of kleptography mechanisms: embedded at the cryptosystem design stage or back-doors injection into the existing cryptosystem or protocol.
    [Show full text]
  • Post-Snowden Cryptography
    Post-Snowden Crypto June 2016 Bart Preneel Post-Snowden Cryptography Bart Preneel COSIC KU Leuven and iMinds, Belgium Bart.Preneel(at)esat.kuleuven.be June 2016 1 2 NSA calls the iPhone users public 'zombies' who pay for their own surveillance 3 4 Outline NSA: • Snowden revelation and mass surveillance “Collect it all, • Going after crypto know it all, • The end of crypto exploit it all” • Security research www.wired.com 5 6 1 Post-Snowden Crypto June 2016 Bart Preneel Snowden revelations Snowden revelations (2) most capabilities could have been extrapolated from open Most spectacular: active defense sources • networks But still… – Quantum insertion: answer before the legitimate website massive scale and impact (pervasive) – inject malware in devices level of sophistication both organizational and technical • devices – redundancy: at least 3 methods to get to Google’s data – malware based on backdoors and 0-days (FoxAcid) – many other countries collaborated (beyond five eyes) – supply chain subversion – industry collaboration through bribery, security letters*, … Translation in human terms: complete control of networks and • including industrial espionage systems, including bridging the air gaps undermining cryptographic standards with backdoors No longer deniable (Bullrun) … and also the credibility of NIST Oversight weak * Impact of security letters reduced by Freedom Act (2 June 2015) 7 8 Rule #1 of cryptanalysis: search for plaintext [B. Morris] AliceEve/NSA Bob CRY Clear Clear CRY Clear Clear PTO PTO text text text text BOX BOX 9 10 Where do you find plaintext? SSO: Special Source Operations 1. PRISM (server) 2. Upstream (fiber) 11 12 2 Post-Snowden Crypto June 2016 Bart Preneel Muscular (GCHQ) 3.
    [Show full text]