Kleptography: Using Cryptography Against Cryptography - A. Young & M. Yung


Presentation Transcript


  1. Kleptography: Using Cryptography Against Cryptography - A. Young & M. Yung. Srivaishnavi 2002A7PS149

  2. Agenda
     • Black Box Cryptosystems
     • Subliminal channel
     • Kleptography
     • Kleptographic attack on Diffie-Hellman key exchange protocol

  3. Black Box Cryptosystems
     • Implemented in such a way that the underlying implementation cannot be scrutinized.
     • Has public I/O specification and its general functionality is disclosed (though the true functionality could differ).
     • E.g.: smart cards, cryptosystems implemented in software

  4. Subliminal Channel
     • An information transmission channel that can be used to send information out of (or potentially into) a cryptosystem.
     • Characterized by: the inability to be detected when in use

  5. Kleptography
     • Kleptography is the study of stealing information securely and subliminally.
     • It is dedicated to (re)searching ways of obtaining data in an undetectable fashion with high security guarantees.
     • It is a formal cryptographic study of backdoor designs (beyond the naïve common attacks that are detectable, e.g. weak random generation).
     • Extension of subliminal channel
     • Robust against reverse-engineering
     • Confidentiality of the stolen information holds even after the black-box is opened and inspected.

  6. Goal of kleptography:
     • To develop a robust backdoor within a cryptosystem that:
       • Provides the attacker with the desired secret information (e.g., private key of the user)
       • Cannot be detected in black-box implementations except by the attacker
       • If a reverse-engineer (i.e., not the attacker) breaches the black-box, then the previously stolen information remains confidential. Ideally, confidentiality holds going forward as well.

  7. Secretly Embedded Trapdoor with Universal Protection (SETUP)
     If C is a black-box cryptosystem with a publicly known specification, a “SETUP” mechanism is an algorithmic modification made to C to get C’ such that
     • C & C’ are efficient algorithms
     • Input of C’ agrees with the public specification of the input of C
     • Output of C’ agrees with the public specification of the output of C. At the same time, it contains published bits (of the user’s secret key) which are easily derivable by the attacker and not by others.
     • Outputs of C and C’ are polynomially indistinguishable to everyone except the attacker

  8. Leakage Bandwidth
     • Leakage Bandwidth: An $(m,n)$ leakage scheme is a SETUP mechanism that leaks $m$ keys over $n$ keys that are output by the cryptographic device ($m \le n$).

  9. Diffie-Hellman protocol
     • Alice chooses $a$ randomly
     • Alice sends $A = g^{a} \bmod p$ to Bob
     • Bob chooses $b$ randomly
     • Bob sends $B = g^{b} \bmod p$ to Alice
     • Alice computes $k = B^{a} \bmod p$
     • Bob computes $k = A^{b} \bmod p$
     $k = B^{a} = A^{b} \bmod p$ since $g^{ba} = g^{ab} \bmod p$

  10. Assumptions for the DH SETUP attack
     • The black-box can store state information across invocations of the Diffie-Hellman algorithm (non-volatile memory).
     • The attacker can act as a passive eavesdropper on all of Alice and Bob’s key exchanges.

  11. Parameters for the DH SETUP attack
     • $x_m$: private key of attacker
     • $y_m$: public key corresponding to $x_m$. Hence, $y_m = g^{x_m} \bmod p$. $y_m$ is placed inside the black-box that Alice uses.
     • ID: A random and secret bit string in Alice’s device (Identifier).
     • $H$: hash function generating values less than $\Phi(p)$

  12. (1,2) SETUP Attack
     First exchange:
     • Alice’s device sends $A_1 = g^{a_1} \bmod p$ to Bob
     • Alice’s device stores $a_1$ in non-volatile memory
     • Bob’s device sends $B_1 = g^{b_1} \bmod p$ to Alice
     • Alice and Bob’s devices compute $k_1 = g^{a_1 b_1} \bmod p$
     Second exchange:
     • Alice’s device computes $a_2 = H(ID \,\|\, (y_m^{a_1} \bmod p))$
     • Alice’s device sends $A_2 = g^{a_2} \bmod p$ to Bob
     • Bob’s device sends $B_2 = g^{b_2} \bmod p$ to Alice
     • Alice and Bob’s devices compute $k_2 = g^{a_2 b_2} \bmod p$

  13. Recovering the 2nd DH Shared Secret
     The attacker:
     • Obtains $A_1$ and $B_2$ via passive eavesdropping.
     • Computes $a_2 = H(ID \,\|\, (A_1^{x_m} \bmod p))$
     • Computes $k_2 = B_2^{a_2} \bmod p$
     $A_1^{x_m} \bmod p = g^{a_1 x_m} = y_m^{a_1} = g^{x_m a_1} \bmod p$
     Note: Only the attacker can perform these calculations since $x_m$ is known only to him
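
The (1,2) SETUP exchange and the recovery step from slides 12 and 13, simulated so the identity $A_1^{x_m} = y_m^{a_1} \bmod p$ can be checked end to end. This is an added example, not code from the presentation or from Young & Yung; the toy prime, the base, SHA-256 as $H$, the 16-byte encoding and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions): a 127-bit prime and a small base,
# far too small for real use and not a vetted Diffie-Hellman group.
P = 2**127 - 1
G = 3

def H(data: bytes) -> int:
    """Hash to a value less than phi(p) = p - 1, as slide 11 requires."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")  # fixed-width encoding for ID || value

def rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1

class SetupDevice:
    """Alice's black box C': holds y_m and ID, keeps a1 across invocations."""
    def __init__(self, ym: int, dev_id: bytes):
        self.ym, self.dev_id, self.stored = ym, dev_id, None

    def next_exponent(self) -> int:
        if self.stored is None:            # first exchange: honest random a1
            self.stored = a = rand_exp()
        else:                              # second: a2 = H(ID || y_m^a1 mod p)
            a = H(self.dev_id + enc(pow(self.ym, self.stored, P)))
            self.stored = None
        return a

def recover_k2(xm: int, dev_id: bytes, A1: int, B2: int) -> int:
    """Slide 13: A1^xm = y_m^a1, so the holder of x_m rebuilds a2, then k2."""
    a2 = H(dev_id + enc(pow(A1, xm, P)))
    return pow(B2, a2, P)

def simulate() -> dict:
    xm = rand_exp(); ym = pow(G, xm, P)            # attacker key pair
    dev_id = secrets.token_bytes(16)
    dev = SetupDevice(ym, dev_id)
    A1 = pow(G, dev.next_exponent(), P)            # exchange 1 (B1 not needed)
    a2 = dev.next_exponent()                       # exchange 2
    A2, b2 = pow(G, a2, P), rand_exp()
    B2 = pow(G, b2, P)
    return {
        "alice_k2": pow(B2, a2, P),
        "bob_k2": pow(A2, b2, P),
        "with_xm": recover_k2(xm, dev_id, A1, B2),
        "without_xm": recover_k2(rand_exp(), dev_id, A1, B2),  # wrong key
    }
```

The values on the wire ($A_1$, $B_1$, $A_2$, $B_2$) are ordinary Diffie-Hellman messages; what differs from an honest device is only the stored $a_1$ and the embedded $y_m$ and ID, which sit inside the black box.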

  14. $a_2$ calculated as follows:
     • $t \in (0,1)$ chosen at random
     • $z = g^{a_1 - Wt}\, y_m^{-c_1 a_1 - c_2} \bmod p$
     • $a_2 = H(z)$
     • $A_2 = g^{a_2} \bmod p$
     $W$, $c_1$ & $c_2$: fixed values

  15. To show outputs of C & C’ are polynomially indistinguishable
     • Let $g_1 = g^{-x_m c_2 - W}$, $g_2 = g^{-x_m c_2}$, $g_3 = g^{1 - c_1 x_m}$
     • $y_m^{a_1 c_1 + c_2}\, g^{Wt}\, z = g^{a_1} \bmod p$
     • $z = g^{-x_m c_2 - Wt}\, g^{(1 - c_1 x_m) a_1} = g_i\, g_3^{a_1} \bmod p$
     • $g_i = g_3^{u} \bmod p$, for some integer $u$
     • $z = g_3^{a_1 + u} \bmod p$
     • $a_1$ uniformly chosen -> $z$ is uniformly distributed
     • $H$ is a pseudo-random function (whose domain is $Z_{p-1}$).
     • Therefore, $a_2$ is distributed uniformly -> values output by C & C’ are polynomially indistinguishable

  16. $(l, l+1)$ leakage bandwidth
     • By chaining together the values that are leaked.
     • $a_3 = H(ID \,\|\, (y_m^{a_2} \bmod p))$
     • $g^{a_3} \bmod p$ used in the next exchange
     • When this is done $l$ times, $l$ contiguous DH keys are leaked.
     • After $l$ times, $a_1$ is chosen entirely at random, ensuring all contaminated keys behave differently.

  17. Conclusions
     • Vulnerability of black-box cryptosystems
     • “Security of kleptographic attack” shows that DH algorithm is “provably insecure”
     • Can be extended to RSA and other algorithms

  18. References
     • The Dark Side of “Black Box” Cryptography - A. Young & M. Yung
     • Kleptography: Using Cryptography Against Cryptography - A. Young & M. Yung

  19. Questions?

  20. Thank You
