Kleptography Explained

Kleptography is the study of stealing information securely and subliminally. The term was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology – Crypto '96.[1] Kleptography is a subfield of cryptovirology and is a natural extension of the theory of subliminal channels that was pioneered by Gus Simmons while at Sandia National Laboratory.[2] [3] [4] A kleptographic backdoor is synonymously referred to as an asymmetric backdoor. Kleptography encompasses secure and covert communications through cryptosystems and cryptographic protocols. This is reminiscent of, but not the same as steganography that studies covert communications through graphics, video, digital audio data, and so forth.

Kleptographic attack

Meaning

A kleptographic attack is an attack which uses asymmetric cryptography to implement a cryptographic backdoor.[5] For example, one such attack could be to subtly modify how the public and private key pairs are generated by the cryptosystem so that the private key could be derived from the public key using the attacker's private key. In a well-designed attack, the outputs of the infected cryptosystem would be computationally indistinguishable from the outputs of the corresponding uninfected cryptosystem.[6] [7] If the infected cryptosystem is a black-box implementation such as a hardware security module, a smartcard, or a Trusted Platform Module, a successful attack could go completely unnoticed.

A reverse engineer might be able to uncover a backdoor inserted by an attacker, and when it is a symmetric backdoor, even use it themself. However, by definition a kleptographic backdoor is asymmetric and the reverse-engineer cannot use it. A kleptographic attack (asymmetric backdoor) requires a private key known only to the attacker in order to use the backdoor. In this case, even if the reverse engineer was well-funded and gained complete knowledge of the backdoor, it would remain useless for them to extract the plaintext without the attacker's private key.

Construction

Kleptographic attacks can be constructed as a cryptotrojan that infects a cryptosystem and opens a backdoor for the attacker, or can be implemented by the manufacturer of a cryptosystem. The attack does not necessarily have to reveal the entirety of the cryptosystem's output; a more complicated attack technique may alternate between producing uninfected output and insecure data with the backdoor present.[8]

Design

Kleptographic attacks have been designed for RSA key generation, the Diffie–Hellman key exchange, the Digital Signature Algorithm, and other cryptographic algorithms and protocols. SSL, SSH, and IPsec protocols are vulnerable to kleptographic attacks.[9] In each case, the attacker is able to compromise the particular cryptographic algorithm or protocol by inspecting the information that the backdoor information is encoded in (e.g., the public key, the digital signature, the key exchange messages, etc.) and then exploiting the logic of the asymmetric backdoor using their secret key (usually a private key).

A. Juels and J. Guajardo[10] proposed a method (KEGVER) through which a third party can verify RSA key generation. This is devised as a form of distributed key generation in which the secret key is only known to the black box itself. This assures that the key generation process was not modified and that the private key cannot be reproduced through a kleptographic attack.

Examples

Four practical examples of kleptographic attacks (including a simplified SETUP attack against RSA) can be found in JCrypTool 1.0,[11] the platform-independent version of the open-source CrypTool project.[12] A demonstration of the prevention of kleptographic attacks by means of the KEGVER method is also implemented in JCrypTool.

The Dual_EC_DRBG cryptographic pseudo-random number generator from the NIST SP 800-90A is thought to contain a kleptographic backdoor. Dual_EC_DRBG utilizes elliptic curve cryptography, and NSA is thought to hold a private key which, together with bias flaws in Dual_EC_DRBG, allows NSA to decrypt SSL traffic between computers using Dual_EC_DRBG for example.[13] The algebraic nature of the attack follows the structure of the repeated Dlog Kleptogram in the work of Young and Yung.

Notes and References

  1. Book: Koblitz . Neal . Neal Koblitz. Advances in Cryptology — CRYPTO '96: 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 1996, Proceedings . Springer Berlin Heidelberg . Lecture Notes in Computer Science . 1996 . 978-3-540-68697-2 . https://books.google.com/books?id=9lurCAAAQBAJ&pg=PA89 . 89–103 . The Dark Side of Black-Box Cryptography, or: Should we trust Capstone? . A. . Young . Moti Yung. M. . Yung.
  2. Book: Simmons, G. J. . Gustavus Simmons. The Prisoners' Problem and the Subliminal Channel . Proceedings of Crypto '83 . D. . Chaum . 51–67 . Plenum Press . 1984 . 978-1-4684-4732-3 . 10.1007/978-1-4684-4730-9_5.
  3. Book: Simmons, G. J. . The Subliminal Channel and Digital Signatures . Proceedings of Eurocrypt '84 . Lecture Notes in Computer Science . T. . Beth . N. . Cot . I. . Ingemarsson . 364–378 . Springer-Verlag . 1985 . 209 . 978-3-540-16076-2 . 10.1007/3-540-39757-4_25.
  4. Book: Simmons, G. J. . Subliminal Communication is Easy Using the DSA . Proceedings of Eurocrypt '93 . Lecture Notes in Computer Science . T. . Helleseth . 218–232 . Springer-Verlag . 1993 . 765 . 978-3-540-57600-6 . 10.1007/3-540-48285-7_18.
  5. The Dark Side of Cryptography: Kleptography in Black-Box Implementations . Esslinger . Bernhard . Vacek . Patrick . 20 February 2013 . Infosecurity Magazine . 18 March 2014.
  6. Web site: Cryptovirology FAQ . Young . Adam . 2006 . Cryptovirology.com . 18 March 2014 . 9 May 2017 . https://web.archive.org/web/20170509070759/http://www.cryptovirology.com/cryptovfiles/cryptovirologyfaqver1.html . dead .
  7. Book: Easttom . Chuck. Electrical Engineering (ICEE), Iranian Conference on. A Study of Cryptographic Backdoors in Cryptographic Primitives. May 2018. 1664–1669. 10.1109/ICEE.2018.8472465. 978-1-5386-4914-5. 52896242.
  8. Book: Young . A. . Yung . M. . Moti Yung . Malicious Cryptography: Exposing Cryptovirology . Wiley . 2004 . 978-0-7645-6846-6.
  9. Web site: Bezpieczeństwo protokołów SSL/TLS i SSL w kontekście ataków kleptograficznych . Security of SSL/TLS and SSL protocols in the context of kleptographic attacks. Filip . Zagórski . Mirosław . Kutyłowski . kleptografia.im.pwr.wroc.pl . https://web.archive.org/web/20060423133130/http://kleptografia.im.pwr.wroc.pl/ . 2006-04-23 . dead . pl.
  10. Book: Juels . Ari . Guajardo . Jorge . Public Key Cryptography: 4th International Workshop on Practice and Theory in Public Key Cryptosystems . RSA Key Generation with Verifiable Randomness . D. . Naccache . P. . Pallier. Springer Berlin Heidelberg . 2002 . 978-3-540-43168-8 . 0302-9743 . 10.1007/3-540-45664-3_26 . 357–374. http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/kegver/kv-extended.pdf . https://web.archive.org/web/20130512223201/http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/kegver/kv-extended.pdf . 2013-05-12 . dead.
  11. https://github.com/jcryptool JCrypTool project website
  12. Die dunkle Seite der Kryptografie – Kleptografie bei Black-Box-Implementierungen . https://web.archive.org/web/20110721215721/http://www.kes.info/archiv/online/10-4-006.htm . 2011-07-21 . dead . de . B. . Esslinger . . 4 . 2010 . 6.
  13. Web site: The Many Flaws of Dual_EC_DRBG. Matthew. Green. September 18, 2016. November 19, 2016.