Kleptography: Difference between revisions

From Wikipedia, the free encyclopedia
Undid revision 588480230 by Sohel Iqbal (talk)
rewrote the first sentence so that it doesn't require clarification.
Line 3: Line 3:
==Kleptographic attack==
==Kleptographic attack==
===Meaning===
===Meaning===
A [[kleptographic attack]] is a {{clarify-span|forward-engineering attack|date=September 2013}} that is built into a cryptosystem or cryptographic protocol providing an ''asymmetric [[Backdoor (computing)|backdoor]]''. Unlike a ''symmetric backdoor'', which can be accessed by anyone who has access to the implemented algorithm, an asymmetric backdoor can be used exclusively by the attacker who planted it. Even if the full specification of the backdoor is published, it would remain unusable without additional data (private key) possessed only by the attacker. Furthermore, the outputs of the infected cryptosystem are [[computationally indistinguishable]] from the outputs of the corresponding uninfected cryptosystem. Hence, in black-box implementations (e.g., smartcards) the attack is likely to go entirely unnoticed. The asymmetry ensures that even a well-funded [[reverse-engineer]] can at best detect the asymmetric backdoor &mdash; not use it.<ref>[http://www.cryptovirology.com/cryptovfiles/cryptovirologyfaqver1.html Cryptovirology FAQ]</ref>
A '''kleptographic attack''' involves [[forward-engineering]] a black-box cryptosystem or cryptographic protocol with an ''asymmetric [[Backdoor (computing)|backdoor]]''. Unlike a ''symmetric backdoor'', which can be accessed by anyone who has access to the implemented algorithm, an asymmetric backdoor can be used exclusively by the attacker who planted it. Even if the full specification of the backdoor is published, it would remain unusable without additional data (private key) possessed only by the attacker. Furthermore, the outputs of the infected cryptosystem are [[computationally indistinguishable]] from the outputs of the corresponding uninfected cryptosystem. Hence, in black-box implementations (e.g., smartcards) the attack is likely to go entirely unnoticed. The asymmetry ensures that even a well-funded [[reverse-engineer]] can at best detect the asymmetric backdoor &mdash; not use it.<ref>[http://www.cryptovirology.com/cryptovfiles/cryptovirologyfaqver1.html Cryptovirology FAQ]</ref>


===Construction===
===Construction===
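Review bot: In the rewritten first sentence, the {{clarify-span}} tag on "forward-engineering attack" is removed, but the term "forward-engineering" is still used without a definition, now only behind a [[forward-engineering]] wikilink; a short inline gloss of the term would resolve what the tag asked for. The new wording also restricts the attack to "a black-box cryptosystem or cryptographic protocol", where the old sentence said "built into a cryptosystem or cryptographic protocol"; confirm the narrowing is intended, or drop "black-box" here, since the same paragraph introduces black-box implementations only later ("Hence, in black-box implementations").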

Revision as of 23:22, 16 March 2014

Kleptography is the study of stealing information securely and subliminally. Kleptography is a subfield of cryptography and cryptovirology, and is a natural extension of the theory of subliminal channels that was pioneered by Gus Simmons while at Sandia National Labs.[1][2][3] Kleptography is also related to steganography. Kleptography was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology—Crypto '96.[4]

Kleptographic attack

Meaning

A kleptographic attack involves forward-engineering a black-box cryptosystem or cryptographic protocol with an asymmetric backdoor. Unlike a symmetric backdoor, which can be accessed by anyone who has access to the implemented algorithm, an asymmetric backdoor can be used exclusively by the attacker who planted it. Even if the full specification of the backdoor is published, it would remain unusable without additional data (private key) possessed only by the attacker. Furthermore, the outputs of the infected cryptosystem are computationally indistinguishable from the outputs of the corresponding uninfected cryptosystem. Hence, in black-box implementations (e.g., smartcards) the attack is likely to go entirely unnoticed. The asymmetry ensures that even a well-funded reverse-engineer can at best detect the asymmetric backdoor — not use it.[5]

Construction

Kleptographic attacks can be constructed as a cryptotrojan that infects a cryptosystem and opens a backdoor for the attacker, or can be implemented by the manufacturer of a cryptosystem. The attack does not necessarily have to reveal the entirety of the cryptosystem's output; a more complicated attack technique may alternate between producing uninfected output and insecure data with the backdoor present.[6]

Design

Kleptographic attacks have been designed for RSA key generation, the Diffie–Hellman key exchange, the Digital Signature Algorithm, and other cryptographic algorithms and protocols.[6] SSL, SSH, and IPsec protocols are vulnerable to kleptographic attacks.[7] In each case, the attacker is able to compromise the particular cryptographic algorithm or protocol by inspecting the data in which the backdoor information is encoded (e.g., the public key, the digital signature, the key exchange messages, etc.) and then exploiting the logic of the asymmetric backdoor using their secret key (usually a private key).
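The asymmetry described above can be seen in a toy model of Diffie–Hellman exponent generation. This is an added example, not taken from the article or from the cited constructions: it is a simplification, the group parameters are constructed and far too small for real use, and all names (`Device`, `designer_keypair`, `recover_next_secret`, `audit_exponents`) are hypothetical. It shows that re-deriving the next secret requires the private key `x`, while an auditor who knows only the embedded public key `Y` can confirm the backdoor solely on a device whose internal secrets are available to them.

```python
import hashlib
import secrets

# Toy group, constructed for this example; far too small for real use.
P = 2**127 - 1   # prime modulus
G = 3            # public base

def H(v: int) -> int:
    """Hash a group element to an exponent in [1, P-2]."""
    d = hashlib.sha256(v.to_bytes(16, "big")).digest()
    return int.from_bytes(d, "big") % (P - 2) + 1

def designer_keypair():
    """Key pair of whoever planted the backdoor: x stays private, Y ships in the device."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

class Device:
    """Black box emitting DH public values G^c mod P; modelled as infected if Y is set."""
    def __init__(self, Y=None):
        self.Y, self.secret = Y, None

    def next_public(self) -> int:
        if self.Y is not None and self.secret is not None:
            # Backdoored path: the next exponent is derived from the previous one.
            self.secret = H(pow(self.Y, self.secret, P))
        else:
            # Honest path (and the first output of an infected device): fresh randomness.
            self.secret = secrets.randbelow(P - 2) + 1
        return pow(G, self.secret, P)

def recover_next_secret(prev_public: int, x: int) -> int:
    """Needs private x: (G^c1)^x == Y^c1, so only the holder of x re-derives c2."""
    return H(pow(prev_public, x, P))

def audit_exponents(c_prev: int, c_next: int, Y: int) -> bool:
    """White-box lab check. Needs the device's own secret c_prev, which an
    observer of a fielded device never sees; Y alone does not reveal c_next."""
    return c_next == H(pow(Y, c_prev, P))
```

For a defender, `audit_exponents` is the relevant function: detection depends on access to the device's internal state or code, not on testing its outputs.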

A. Juels and J. Guajardo[8] proposed a method (KEGVER) through which a third party can verify RSA key generation. This is devised as a form of distributed key generation in which the secret key is known only to the black box itself. This assures that the key generation process was not modified and that the private key cannot be reproduced through a kleptographic attack.[8][9]

Examples

Four practical examples of kleptographic attacks (including a simplified SETUP attack against RSA) can be found in JCrypTool 1.0,[10] the platform-independent version of the open-source CrypTool project.[11] A demonstration of the prevention of kleptographic attacks by means of the KEGVER method is also implemented in JCrypTool.

The Dual_EC_DRBG cryptographically secure pseudorandom number generator from NIST SP 800-90A is thought to contain a kleptographic backdoor. Dual_EC_DRBG utilizes elliptic curve cryptography, and NSA is thought to hold a private key which, together with bias flaws in Dual_EC_DRBG, allows NSA to decrypt, for example, SSL traffic between computers using Dual_EC_DRBG.[12]

References

  1. G. J. Simmons, "The Prisoners' Problem and the Subliminal Channel," In Proceedings of Crypto '83, D. Chaum (Ed.), pages 51–67, Plenum Press, 1984.
  2. G. J. Simmons, "The Subliminal Channel and Digital Signatures," In Proceedings of Eurocrypt '84, T. Beth, N. Cot, I. Ingemarsson (Eds.), pages 364–378, Springer-Verlag, 1985.
  3. G. J. Simmons, "Subliminal Communication is Easy Using the DSA," In Proceedings of Eurocrypt '93, T. Helleseth (Ed.), pages 218–232, Springer-Verlag, 1993.
  4. A. Young, M. Yung, "The Dark Side of Black-Box Cryptography, or: Should we trust Capstone?" In Proceedings of Crypto '96, Neal Koblitz (Ed.), Springer-Verlag, pages 89–103, 1996.
  5. Cryptovirology FAQ
  6. A. Young, M. Yung, Malicious Cryptography: Exposing Cryptovirology, John Wiley & Sons, 2004.
  7. http://kleptografia.im.pwr.wroc.pl/ SSL attack by Filip Zagórski and Prof. Mirosław Kutyłowski
  8. A. Juels, J. Guajardo, "RSA Key Generation with Verifiable Randomness", in: D. Naccache, P. Paillier (Eds.), Public Key Cryptography: 4th International Workshop on Practice and Theory in Public Key Cryptosystems, Springer, 2002.
  9. A. Juels, J. Guajardo, "RSA Key Generation with Verifiable Randomness" (Extended version)
  10. https://github.com/jcryptool JCrypTool project website
  11. http://www.kes.info/archiv/online/10-4-006.htm B. Esslinger, Die dunkle Seite der Kryptografie -- Kleptografie bei Black-Box-Implementierungen, <kes>, #4 / 2010, page 6 ff. (in German)
  12. Matthew Green. "The Many Flaws of Dual_EC_DRBG".