Kleptography: Using Cryptography Against Cryptography - A. Young - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Kleptography: Using Cryptography Against Cryptography - A. Young

Description:

Kleptography: Using Cryptography Against Cryptography - A. Young & M. Yung Srivaishnavi 2002A7PS149 – PowerPoint PPT presentation

Number of Views:63
Avg rating:3.0/5.0
Slides: 21
Provided by: csisBits6
Category:

less

Transcript and Presenter's Notes

Title: Kleptography: Using Cryptography Against Cryptography - A. Young


1
Kleptography Using Cryptography Against
Cryptography- A. Young M. Yung
  • Srivaishnavi
  • 2002A7PS149

2
Agenda
  • Black Box Cryptosystems
  • Subliminal channel
  • Kleptography
  • Kleptographic attack on Diffie-Hellman key
    exchange protocol

3
Black Box Cryptosystems
  • Implemented in such a way that the underlying
    implementation cannot be scrutinized.
  • Has public I/O specification and its general
    functionality is disclosed (though the true
    functionality could differ).
  • E.g. Smart Cards, Cryptosystems implemented in
    software

4
Subliminal Channel
  • An information transmission channel that can be
    used to send information out of (or potentially
    into) a cryptosystem.
  • Characterized by the inability to be detected
    when in use

5
Kleptography
  • Kleptography is the study of stealing information
    securely and subliminally.
  • It is dedicated to (re)searching ways of
    obtaining data in an undetectable fashion with
    high security guarantees.
  • It is a formal cryptographic study of backdoor
    designs (beyond the naïve common attacks that are
    detectable e.g. weak random generation).
  • Extension of subliminal channel
  • Robust against reverse-engineering
  • confidentiality of the stolen information holds
    even after the black-box is opened and inspected.

6
Goal of kleptography
  • To develop a robust backdoor within a
    cryptosystem that
  • Provides the attacker with the desired secret
    information (e.g., private key of the user)
  • Cannot be detected in black-box implementations
    except by the attacker
  • If a reverse-engineer (i.e., not the attacker)
    breaches the black-box, then the previously
    stolen information remains confidential. Ideally,
    confidentiality holds going forward as well.

7
Secretly Embedded Trapdoor with Universal
Protection (SETUP)
  • If C is a black-box cryptosystem with a
    publicly known specification, a SETUP mechanism
    is an algorithmic modification made to C to get
    C such that
  • C C are efficient algorithms
  • Input of C agrees with the public specification
    of the input of C
  • Output of C agrees with the public specification
    of the output of C. At the same time, it contains
    published bits (of the users secret key) which
    are easily derivable by the attacker and not by
    others.
  • Outputs C and C are polynomially
    indistinguishable to everyone except the attacker

8
Leakage Bandwidth
  • Leakage Bandwidth A (m,n) leakage scheme is a
    SETUP mechanism that leaks m keys over n keys
    that are output by the cryptographic device
    (mltn).

9
Diffie Hellman protocol
  • Alice chooses a randomly
  • Alice sends A ga mod p to Bob
  • Bob chooses b randomly
  • Bob sends B gb mod p to Alice
  • Alice computes k Ba mod p
  • Bob computes k Ab mod p
  • k Ba Ab mod p since gba gab mod p

10
Assumptions for the DH SETUP attack
  • The black-box can store state information across
    invocations of the Diffie-Hellman algorithm
    (non-volatile memory).
  • The attacker can act as a passive eavesdropper on
    all of Alice and Bobs key exchanges.

11
Parameters for the DH SETUP attack
  • xm private key of attacker
  • ym public key corresponding to xm. Hence, ym
    gxm mod p. ym is placed inside the black-box that
    Alice uses.
  • ID A random and secret bit string in Alices
    device (Identifier).
  • H hash function generating values less than F(p)

12
(1,2) SETUP Attack
  • First exchange
  • Alices device sends A1 ga1 mod p to Bob
  • Alices device stores a1 in non-volatile memory
  • Bobs device sends B1 gb1 mod p to Alice
  • Alice and Bobs devices compute k1 ga1b1 mod p
  • Second exchange
  • Alices device computes a2 H(ID (yma1 mod
    p))
  • Alices device sends A2 ga2 mod p to Bob
  • Bobs device sends B2 gb2 mod p to Alice
  • Alice and Bobs devices compute k2 ga2b2 mod p

13
Recovering the 2nd DH Shared Secret
  • The attacker
  • Obtains A1 and B2 via passive eavesdropping.
  • Computes a2 H(ID (A1xm mod p))
  • Computes k2 B2a2 mod p
  • A1xm mod p ga1xm yma1 gxma1 mod p
  • Note Only attacker can perform these
    calculations since xm is known only to him

14
  • a2 calculated as follows
  • t e (0,1) chosen at random
  • z ga1-Wt ym-c1a1-c2 mod p
  • a2 H(z)
  • A2 ga2 mod p
  • W,c1 c2 fixed values

15
To show outputs of C C are polynomially
indistinguishable
  • Let g1 g-xmc2-W, g2 g-xmc2, g3 g1-c1xm
  • yma1c1c2gWtz ga1 mod p
  • z g-xmc2-Wtg(1-c1xm) a1 gig3a1 mod p
  • gi g3u mod p, for some integer u
  • z g3 a1u mod p
  • a1 uniformly chosen -gt z is uniformly distributed
  • H is a pseudo-random function (whose domain is
    Zp-1).
  • Therefore, a2 is distributed uniformly -gt values
    output by C C are polynomially
    indistinguishable

16
(l,l1) leakage bandwidth
  • By chaining together the values that are leaked.
  • a3 H(ID (yma2 mod p))
  • ga3 mod p used in the next exchange
  • When this is done l times, l contiguous DH keys
    are leaked.
  • After l times, a1 is chosen entirely random
    ensuring all contaminated keys behave differently.

17
Conclusions
  • Vulnerability of black-box cryptosystems
  • Security of kleptographic attack shows that DH
    algorithm is provably insecure
  • Can be extended to RSA and other algorithms

18
References
  • The Dark Side of Black Box Cryptography A.
    Young M.Yung
  • Kleptography Using Cryptography against
    Cryptography - A. Young M. Yung

19
Questions?
20
Thank You
Write a Comment
User Comments (0)
About PowerShow.com