The entire X.509 PKI security architecture falls apart, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Have we sufficient assurance that this did not happen already? This talk explores this scenario from both an experimental and speculative point of view.
From the experimental standpoint, the talk reports on illusoryTLS, an entry to the first Underhanded Crypto Contest. illusoryTLS is an instance of the Young and Yung elliptic curve asymmetric backdoor in RSA key generation. It targets a Certification Authority public-key certificate imported in the certificate store of a pretty standard HTTPS client and TLS server. The security outcome is the worst possible outcome, because the backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to impersonate the endpoints (i.e., authentication failure), tamper with their messages (i.e., integrity erosion), and actively eavesdrop their communications (i.e., confidentiality loss).
illusoryTLS has been shortlisted to the final rounds of the contest, which is still ongoing. Being the backdoored public-key indistinguishable (under the ECDDH assumption) to all probabilistic polynomial time algorithms from genuine public-keys, illusoryTLS is expected to withstand the review and scrutiny of contest judges.
In the Internet X.509 PKI the security impact of such backdoor would extend further; the presence of a single CA certificate with a secretly embedded backdoor in the certificate store renders the entire TLS security fictional. In fact, the current practice of universal implicit cross-certification makes the whole X.509 PKI as weak as its weakest link.
Therefore, when dealing with this class of attacks in the context of X.509 PKIs, it might be not sufficient to avoid outsourcing the key generation. It becomes essential also to have assurance about the security of each implementation of vulnerable key-generation algorithms employed by trusted credential issuers. Have we sufficient assurance about the tens or hundreds CA certificate we daily entrust our business upon?
Full source code and design of illusoryTLS will be made available at HITBSecConf 2015 Amsterdam.
illusoryTLS: Nobody But Us Impersonate, Tamper, Exploita001
Learn how to embed an elliptic-curve asymmetric backdoor into a RSA modulus using Elligator. Find out how the entire TLS security may turn to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of the policy framework.
illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)a001
Learn how to embed an elliptic-curve asymmetric backdoor into a RSA modulus using Elligator. Find out how the entire TLS security may turn to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of the policy framework.
Functional encryption (FE) has more fine-grained control to encrypted data than traditional
encryption schemes. The well-accepted security of FE is indistinguishability-based security
(IND-FE) and simulation-based security (SIMFE), but the security is not sufficient. For
example, if an adversary has the ability to access a vector of ciphertexts and can ask to open
some information of the messages, such as coins used in the encryption or secret key in multikey
setting, whether the privacy of the unopened messages is guaranteed. This is called selective
opening attack (SOA).
In this paper, we propose a stronger security of FE which is secure against SOA (we call SOFE)
and propose a concrete construction of SO-FE scheme in the standard model. Our scheme
is a non-adaptive IND-FE which satisfies selective opening secure in the simulation sense. In
addition, the scheme can encrypt messages of any bit length other than bitwise and it is secure
against SOA-C and SOAK simultaneously while the two attacks were appeared in different
model before. According to the different functionality f, our scheme can specialize as IBE, ABE
and even PE schemes secure against SOA.
illusoryTLS: Nobody But Us Impersonate, Tamper, Exploita001
Learn how to embed an elliptic-curve asymmetric backdoor into a RSA modulus using Elligator. Find out how the entire TLS security may turn to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of the policy framework.
illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)a001
Learn how to embed an elliptic-curve asymmetric backdoor into a RSA modulus using Elligator. Find out how the entire TLS security may turn to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of the policy framework.
Functional encryption (FE) has more fine-grained control to encrypted data than traditional
encryption schemes. The well-accepted security of FE is indistinguishability-based security
(IND-FE) and simulation-based security (SIMFE), but the security is not sufficient. For
example, if an adversary has the ability to access a vector of ciphertexts and can ask to open
some information of the messages, such as coins used in the encryption or secret key in multikey
setting, whether the privacy of the unopened messages is guaranteed. This is called selective
opening attack (SOA).
In this paper, we propose a stronger security of FE which is secure against SOA (we call SOFE)
and propose a concrete construction of SO-FE scheme in the standard model. Our scheme
is a non-adaptive IND-FE which satisfies selective opening secure in the simulation sense. In
addition, the scheme can encrypt messages of any bit length other than bitwise and it is secure
against SOA-C and SOAK simultaneously while the two attacks were appeared in different
model before. According to the different functionality f, our scheme can specialize as IBE, ABE
and even PE schemes secure against SOA.
Footprinting is a part of reconnaissance process which is used for gathering possible information about a target computer system or network. Footprinting could be both passive and active. Reviewing a company’s website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.
Footprinting is basically the first step where hacker gathers as much information as possible to find ways to intrude into a target system or at least decide what type of attacks will be more suitable for the target.
The Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiva001
Zero-day vulnerabilities — weaknesses in software or hardware that are unknown to the parties who can mitigate their specific negative effects — are gaining a prominent role in the modern-day intelligence, national-security, and law-enforcement operations.
At the same time, the lack of transparency and accountability in their trade and adoption, their possible overexploitation or abuse, the latent conflict of interests by entities handling them, and their potential double effect may pose societal risks or lead to the breach of human rights.
If left unaddressed, these usage-related challenges call into question the legitimacy of zero-day vulnerabilities as enablers of national security and law enforcement operations and erode the benefits that their proportionate use have for the judiciary, defence, and intelligence purposes.
This work explores what the private sector involved in the trade of zero-day vulnerabilities can do to ensure the respect human rights and the benign and societally beneficial use of those capabilities. After reviewing what can go wrong in the acquisition of zero-day vulnerabilities, this work contributes the first code of ethics focused on the trade of vulnerability information, where the author sets forth six principles and eight corresponding ethical standards aimed respectively at guiding and regulating the conduct of this business.
More Related Content
Similar to illusoryTLS: Impersonate, Tamper, and Exploit
Footprinting is a part of reconnaissance process which is used for gathering possible information about a target computer system or network. Footprinting could be both passive and active. Reviewing a company’s website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.
Footprinting is basically the first step where hacker gathers as much information as possible to find ways to intrude into a target system or at least decide what type of attacks will be more suitable for the target.
The Vulnerability Supply Chain - HackIT Ukraine 2016, Kharkiva001
Zero-day vulnerabilities — weaknesses in software or hardware that are unknown to the parties who can mitigate their specific negative effects — are gaining a prominent role in the modern-day intelligence, national-security, and law-enforcement operations.
At the same time, the lack of transparency and accountability in their trade and adoption, their possible overexploitation or abuse, the latent conflict of interests by entities handling them, and their potential double effect may pose societal risks or lead to the breach of human rights.
If left unaddressed, these usage-related challenges call into question the legitimacy of zero-day vulnerabilities as enablers of national security and law enforcement operations and erode the benefits that their proportionate use have for the judiciary, defence, and intelligence purposes.
This work explores what the private sector involved in the trade of zero-day vulnerabilities can do to ensure the respect human rights and the benign and societally beneficial use of those capabilities. After reviewing what can go wrong in the acquisition of zero-day vulnerabilities, this work contributes the first code of ethics focused on the trade of vulnerability information, where the author sets forth six principles and eight corresponding ethical standards aimed respectively at guiding and regulating the conduct of this business.
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...a001
Zero-day vulnerabilities are gaining a prominent role in the modern-day intelligence, national security, and law enforcement operations. At the same time, trading vulnerability information or zero-day exploits is considered a risky ordeal. Players in the secretive zero-day market face some inherent obstacles related to time-sensitiveness of traded commodities, trust, price fairness, and possibility of defection.
To alleviate some of these hurdles, it was suggested to:
1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting;
2. Resort to the use of trusted-third parties (e.g., escrow services), as crucial entities for enabling cooperation of market participants; and
3. Build a reputation system (e.g., reputation score) as an instrument to establish trust relationships between distrustful players.
This work presents the first results of an ongoing study on extortion and cooperation in zero-day markets through the lens of game theory.
The questions motivating this research are: a. Can the zero-day market achieve cooperation and efficiency even in absence of trusted-third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions a player can extort the opponent? d. Can cooperation be sustained also in fully anonymous or semi-anonymous settings? The talk will address these questions and others, by providing an analysis of the zero-day trading strategies applicable to each scenario.
Learn which strategies allows to maximize the profits while trading zero-days in today’s marketplaces. Find out how to avoid getting extorted by zero–day traders. Learn how to extort an unwit market participant. Gain a deeper knowledge about the emergence, sustainability, and breakdown of cooperation. Discover under which conditions the zero-day markets can achieve efficiency.
Andy, the Polluters, Rick Deckard, and Other Bounty Hunters Vulnerabilities a...a001
Zero-day vulnerabilities — weaknesses in software or hardware that are unknown to the parties who can mitigate their specific negative effects — are gaining a prominent role in the modern-day intelligence, national-security, and law-enforcement operations.
At the same time, the lack of transparency and accountability in their trade and adoption, their possible overexploitation or abuse, the latent conflict of interests by entities handling them, and their potential double effect may pose societal risks or lead to the breach of human rights.
If left unaddressed, these usage-related challenges call into question the legitimacy of zero-day vulnerabilities as enablers of national security and law enforcement operations and erode the benefits that their proportionate use have for the judiciary, defence, and intelligence purposes.
This work explores what the private sector involved in the trade of zero-day vulnerabilities can do to ensure the respect human rights and the benign and societally beneficial use of those capabilities. After reviewing what can go wrong in the acquisition of zero-day vulnerabilities, this work contributes the first code of ethics focused on the trade of vulnerability information, where the author sets forth six principles and eight corresponding ethical standards aimed respectively at guiding and regulating the conduct of this business.
Vulnerabilities and their Surrounding Ethical Questions: A Code of Ethics for...a001
Zero-day vulnerabilities — weaknesses in software or hardware that are unknown to the parties who can mitigate their specific negative effects — are gaining a prominent role in the modern-day intelligence, national-security, and law-enforcement operations.
At the same time, the lack of transparency and accountability in their trade and adoption, their possible overexploitation or abuse, the latent conflict of interests by entities handling them, and their potential double effect may pose societal risks or lead to the breach of human rights.
If left unaddressed, these usage-related challenges call into question the legitimacy of zero-day vulnerabilities as enablers of national security and law enforcement operations and erode the benefits that their proportionate use have for the judiciary, defence, and intelligence purposes.
This work explores what the private sector involved in the trade of zero-day vulnerabilities can do to ensure the respect human rights and the benign and societally beneficial use of those capabilities. After reviewing what can go wrong in the acquisition of zero-day vulnerabilities, this work contributes the first code of ethics focused on the trade of vulnerability information, where the author sets forth six principles and eight corresponding ethical standards aimed respectively at guiding and regulating the conduct of this business.
The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future: Extortion...a001
Zero-day vulnerabilities are gaining a prominent role in the modern-day intelligence, national security, and law enforcement operations. At the same time, trading vulnerability information or zero-day exploits is considered a risky ordeal. Players in the secretive zero-day market face some inherent obstacles related to time-sensitiveness of traded commodities, trust, price fairness, and possibility of defection.
To alleviate some of these hurdles, it was suggested to:
1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting;
2. Resort to the use of trusted-third parties (e.g., escrow services), as crucial entities for enabling cooperation of market participants; and
3. Build a reputation system (e.g., reputation score) as an instrument to establish trust relationships between distrustful players.
This work presents the first results of an ongoing study on extortion and cooperation in zero-day markets through the lens of game theory.
The questions motivating this research are: a. Can the zero-day market achieve cooperation and efficiency even in absence of trusted-third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions a player can extort the opponent? d. Can cooperation be sustained also in fully anonymous or semi-anonymous settings? The talk will address these questions and others, by providing an analysis of the zero-day trading strategies applicable to each scenario.
Learn which strategies allows to maximize the profits while trading zero-days in today’s marketplaces. Find out how to avoid getting extorted by zero–day traders. Learn how to extort an unwit market participant. Gain a deeper knowledge about the emergence, sustainability, and breakdown of cooperation. Discover under which conditions the zero-day markets can achieve efficiency.
Zero-day vulnerabilities are gaining a prominent role in the modern-day intelligence, national security, and law enforcement operations. At the same time, trading vulnerability information or zero-day exploits is considered a risky ordeal. Players in the secretive zero-day market face some inherent obstacles related to time-sensitiveness of traded commodities, trust, price fairness, and possibility of defection.
To alleviate some of these problems, it was suggested to: 1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting; 2. Resort to the use of trusted-third parties (e.g., escrow services), as crucial entities for enabling cooperation of market participants; and 3. Build a reputation system (e.g., reputation score) as an instrument to establish trust relationships between distrustful players.
This work presents the first results of an ongoing study on extortion and cooperation in zero-day markets through the lens of game theory.
The questions motivating this research are: a. Can the zero-day market achieve cooperation and efficiency even in absence of trusted-third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions a player can extort the opponent? d. Can cooperation be sustained also in fully anonymous or semi-anonymous settings? The talk will address these questions and others, by providing an analysis of the zero-day trading strategies applicable to each scenario.
Learn which strategies allows to maximize the profits while trading zero-days in today's marketplaces. Find out how to avoid getting extorted by zero--day traders. Learn how to extort an unwit market participant. Gain a deeper knowledge about the emergence, sustainability, and breakdown of cooperation. Discover under which conditions the zero-day markets can achieve efficiency.
This work find application in a number of markets for vulnerability information and zero-day exploits. They range from over-the-counter zero-day trading, to boutique exploit providers offering zero-day vulnerabilities for a subscription fee, to service models for vulnerability research.
The Bazaar, the Maharaja's Ultimatum, and the Shadow of the Future: Extortion...a001
Zero-day vulnerabilities are gaining a prominent role in the modern-day intelligence, national security, and law enforcement operations. At the same time, trading vulnerability information or zero-day exploits is considered a risky ordeal. Players in the secretive zero-day market face some inherent obstacles related to time-sensitiveness of traded commodities, trust, price fairness, and possibility of defection.
To alleviate some of these problems, it was suggested to: 1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting; 2. Resort to the use of trusted-third parties (e.g., escrow services), as crucial entities for enabling cooperation of market participants; and 3. Build a reputation system (e.g., reputation score) as an instrument to establish trust relationships between distrustful players.
This work presents the first results of an ongoing study on extortion and cooperation in zero-day markets through the lens of game theory.
The questions motivating this research are: a. Can the zero-day market achieve cooperation and efficiency even in absence of trusted-third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions a player can extort the opponent? d. Can cooperation be sustained also in fully anonymous or semi-anonymous settings? The talk will address these questions and others, by providing an analysis of the zero-day trading strategies applicable to each scenario.
Learn which strategies allows to maximize the profits while trading zero-days in today's marketplaces. Find out how to avoid getting extorted by zero--day traders. Learn how to extort an unwit market participant. Gain a deeper knowledge about the emergence, sustainability, and breakdown of cooperation. Discover under which conditions the zero-day markets can achieve efficiency.
This work find application in a number of markets for vulnerability information and zero-day exploits. They range from over-the-counter zero-day trading, to boutique exploit providers offering zero-day vulnerabilities for a subscription fee, to service models for vulnerability research.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
9. ...
Web PKI is Fragile
.
8/104
If only we could notice them
10. ..
Web PKI is Fragile
.
Web PKI is Fragile
.
9/104
...
Web PKI is Fragile
11. ..
PKI Dramas
.
Web PKI is Fragile
.
10/104
. China Internet Network Information Center (CNNIC), 2015
. Lenovo, 2015
. National Informatics Centre of India, 2014
. ANSSI, 2013
. Trustwave, 2012
. Türktrust, 2011-2013
. DigiNotar, 2011
. Comodo, 2011
. Verisign, 2010
16. ..
/me
.
Web PKI is Fragile
.
15/104
At the intersection of so ware security and security so ware,
exploring, and trying to contain, the space of unanticipated state.
18. ..
Agenda
.
Web PKI is Fragile
.
17/104
1. Web PKI is Fragile
The sorrow state of the infrastructure we daily entrust our business upon
2. illusoryTLS
Nobody But Us Impersonate, Tamper, and Exploit
3. The Impact
Or, why one rotten apple spoils the whole barrel
4. A Backdoor Embedding Algorithm
Elligator turned to evil
5. Conclusions
The misery of our times
19. ..
Perspective
.
Web PKI is Fragile
.
18/104
. Timely topic o en debated as matter for a government to legislate on
20. ..
Perspective
.
Web PKI is Fragile
.
18/104
. Timely topic o en debated as matter for a government to legislate on
. A space that some entities might have practically explored regardless of the
policy framework
21. ..
Perspective
.
Web PKI is Fragile
.
18/104
. Timely topic o en debated as matter for a government to legislate on
. A space that some entities might have practically explored regardless of the
policy framework
. Would we be able to notice if our communications were being exploited?
23. ..
Poll
.
Web PKI is Fragile
.
20/104
How many of you think that
backdoors can be asymmetric?
24. ..
Poll
.
Web PKI is Fragile
.
21/104
How many of you think that
backdoors can be planted in data?
25. ..
Common View
.
Web PKI is Fragile
.
22/104
. Backdoors are symmetric
. Malicious logic in the target system code base
. Everyone with knowledge about the internals of the backdoor can exploit it
. Given enough skills and effort, code review can spot their presence
26. ..
Yet
.
Web PKI is Fragile
.
23/104
. Backdoors can be asymmetric.
Their complete code does not enable anyone, except those with access to
the key-recovery system, to exploit the backdoor
27. ..
Yet
.
Web PKI is Fragile
.
23/104
. Backdoors can be asymmetric.
Their complete code does not enable anyone, except those with access to
the key-recovery system, to exploit the backdoor
. Backdoors can be planted in data
28. ...
Web PKI is Fragile
.
24/104
Backdoor is data, data is backdoor
29. ...
Web PKI is Fragile
.
25/104
..
“
The illusion that your program is manipulating its data is powerful. But it is an
illusion: The data is controlling your program.
Taylor Hornby..
”
30. ..
Scenario
.
Web PKI is Fragile
.
26/104
. The entire X.509 Web PKI security architecture falls apart, if a
single CA certificate with a secretly embedded backdoor enters
the certificate store of relying parties
31. ..
Scenario
.
Web PKI is Fragile
.
26/104
. . The entire X.509 Web PKI security architecture falls apart, if a
single CA certificate with a secretly embedded backdoor enters
the certificate store of relying parties
Have we sufficient assurance that this did not happen already?
36. ..
Security Outcome
.
illusoryTLS
.
30/104
The backdoor completely perverts the security guarantees provided by the TLS
protocol, allowing the attacker to:
. Impersonate the endpoints (i.e., authentication failure)
. Tamper with their messages (i.e., integrity erosion)
37. ..
Security Outcome
.
illusoryTLS
.
30/104
The backdoor completely perverts the security guarantees provided by the TLS
protocol, allowing the attacker to:
. Impersonate the endpoints (i.e., authentication failure)
. Tamper with their messages (i.e., integrity erosion)
. Actively eavesdrop their communications (i.e., confidentiality loss)
39. ..
Threat Model
.
illusoryTLS
.
31/104
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
40. ..
Threat Model
.
illusoryTLS
.
31/104
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
. Interfere with the supply-chain
41. ..
Threat Model
.
illusoryTLS
.
31/104
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
. Interfere with the supply-chain
. Disregard everything about policy
42. ..
Threat Model
.
illusoryTLS
.
31/104
The backdoor designer can:
. “Insert vulnerabilities into commercial encryption systems, IT systems,
networks and endpoint communications devices used by targets.”
. “influence policies, standard and specifications for commercial public key
technologies.”
. Interfere with the supply-chain
. Disregard everything about policy
. Or, she is simply in the position to build the security module used by the
Certification Authority for generating the key material
46. ..
Where is the backdoor?
.
illusoryTLS
.
35/104
If the client and server code is
contributed by an open-source project
and it is used as-is, where is the
backdoor?
49. ..
A Covert Channel
.
illusoryTLS
.
37/104
. The upper order bits of the RSA modulus encode the asymmetric
encryption of a seed generated at random
. The same seed was used to generate one of the RSA primes of the CA
public-key modulus
50. ..
A Covert Channel
.
illusoryTLS
.
37/104
. The upper order bits of the RSA modulus encode the asymmetric
encryption of a seed generated at random
. The same seed was used to generate one of the RSA primes of the CA
public-key modulus
. The RSA modulus is at the same time a RSA public-key and an ciphertext
that gives to the backdoor designer the ability to factor with ease the
modulus
51. ..
Where the backdoor is not
.
illusoryTLS
.
38/104
No backdoor was slipped into the
cryptographic credentials issued to
the communicating endpoints
52. ..
SETUP Attacks
.
illusoryTLS
.
39/104
..
. Notion introduced by Adam Young
and Moti Yung at Crypto ’96
. Young and Yung elliptic-curve
asymmetric backdoor in RSA key
generation
. Expands on ‘A Space Efficient
Backdoor in RSA and its
Applications’, Selected Areas in
Cryptography ’05
. A working implementation at
http://cryptovirology.com
53. ..
NOBUS
.
illusoryTLS
.
40/104
..
. The exploitation requires access to
resources not embedded in the
backdoor itself
. e.g., elliptic-curve private key
. The vulnerability can be exploited
by the backdoor designer and by
whoever gains access to the
associated key-recovery system
54. ...
illusoryTLS
.
41/104
How many of you believe that it is
possible to forbid an enemy
intelligence organization from gaining
access to a private key?
61. ..
A Subtle Attack
.
Impact
.
46/104
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
62. ..
A Subtle Attack
.
Impact
.
46/104
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
63. ..
A Subtle Attack
.
Impact
.
46/104
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
. No need to have access to any private key
used by system actors
64. ..
A Subtle Attack
.
Impact
.
46/104
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
. No need to have access to any private key
used by system actors
. No need to tamper with the
communicating endpoints
65. ..
A Subtle Attack
.
Impact
.
46/104
..
. Break TLS security guarantees at will
. Impersonation (e.g., authentication
failure)
. Message tampering (e.g., integrity erosion)
. Active eavesdropping of encrypted
communications (e.g., confidentiality loss)
. No need to have access to any private key
used by system actors
. No need to tamper with the
communicating endpoints
. Need to retain control over the
key-generation of the target RSA modulus
75. ..
Cross Certification
.
Impact
.
55/104
..
. Cross certification enables entities
in one public key infrastructure to
trust entities in another PKI
. This mutual trust relationship
should be typically supported by a
cross-certification agreement
between the CAs in each PKI
76. ..
Cross Certification
.
Impact
.
55/104
..
. Cross certification enables entities
in one public key infrastructure to
trust entities in another PKI
. This mutual trust relationship
should be typically supported by a
cross-certification agreement
between the CAs in each PKI
. The agreement establishes the
responsabilities and liability of
each party
78. ..
Explicit Cross Certification
.
Impact
.
56/104
..
. Each CA is required to issue a
certificate to the other to establish
a relationship in both directions
. The path of trust is not hierarchical,
although the separate PKIs may be
certificate hierarchies
79. ..
Explicit Cross Certification
.
Impact
.
56/104
..
. Each CA is required to issue a
certificate to the other to establish
a relationship in both directions
. The path of trust is not hierarchical,
although the separate PKIs may be
certificate hierarchies
. A er two CAs have established and
specified the terms of trust and
issued the certificates to each
other, entities within the separate
PKIs can interact subject to the
policies specified in the certificates
83. ..
Implicit Cross Certification
.
Impact
.
59/104
..
. Most current PKI so ware employs a form
of implicit cross certification in which all
root CAs are equally trusted
. Equivalent to unbounded cross
certification among all CAs
84. ..
Implicit Cross Certification
.
Impact
.
59/104
..
. Most current PKI so ware employs a form
of implicit cross certification in which all
root CAs are equally trusted
. Equivalent to unbounded cross
certification among all CAs
. Any certificate can be trivially replaced by
a masquereder’s certificate from another
CA
85. ..
Implicit Cross Certification
.
Impact
.
59/104
..
. Most current PKI so ware employs a form
of implicit cross certification in which all
root CAs are equally trusted
. Equivalent to unbounded cross
certification among all CAs
. Any certificate can be trivially replaced by
a masquereder’s certificate from another
CA
. The security of any certificate is reduced to
that of the least trustworthy CA, who can
issue bogus certificate to usurp the
legitimate one, at the same level of trust
99. ...
Impact
.
73/104
It is essential to have assurance about
the security of each implementation
of vulnerable key-generation
algorithm employed by trusted
credential issuers
103. ..
Requirements
.
Impact
.
76/104
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
104. ..
Requirements
.
Impact
.
76/104
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
. CEN Workshop Agreement 14167,
Part 2-3-4 are three of those PP
105. ..
Requirements
.
Impact
.
76/104
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
. CEN Workshop Agreement 14167,
Part 2-3-4 are three of those PP
. EAL4 Augmented
106. ..
Requirements
.
Impact
.
76/104
..
. Publicly trusted certificates to be
issued in compliance with
European Standard EN 319 411-3
. CA key generation to be carried out
within a device that meets the
requirements identified by some
approved PP
. CEN Workshop Agreement 14167,
Part 2-3-4 are three of those PP
. EAL4 Augmented
. Augmentation from adherence to
ADV_IMP.2, AVA_CCA.1, and
AVA_VLA.4
107. ..
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/104
..
. Focused on assessing the
vulnerabilities in the TOE
108. ..
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/104
..
. Focused on assessing the
vulnerabilities in the TOE
. Guaranteeing that the
implementation representation is
an accurate and complete
instantiation of the TSF
requirements
109. ..
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/104
..
. Focused on assessing the
vulnerabilities in the TOE
. Guaranteeing that the
implementation representation is
an accurate and complete
instantiation of the TSF
requirements
. Special emphasis on identifying
covert channels and estimating
their capacity
110. ..
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.
Impact
.
77/104
..
. Focused on assessing the
vulnerabilities in the TOE
. Guaranteeing that the
implementation representation is
an accurate and complete
instantiation of the TSF
requirements
. Special emphasis on identifying
covert channels and estimating
their capacity
. SETUP attacks makes use of the
key-generation as a covert channel
for itself
113. ..
Yet
.
Impact
.
78/104
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
114. ..
Yet
.
Impact
.
78/104
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
. Can the presence of backdoor can be ruled
out at the required assurance level?
115. ..
Yet
.
Impact
.
78/104
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
. Can the presence of backdoor can be ruled
out at the required assurance level?
. Formal methods required only at the two
highest levels (EAL6 and EAL7)
116. ..
Yet
.
Impact
.
78/104
..
. Developer is in charge for the vulnerability
assessment and documentation
. Conflicts with our threat model
. The evaluator is le with the
documentation and the implementation
representation to be assessed
. Can the presence of backdoor can be ruled
out at the required assurance level?
. Formal methods required only at the two
highest levels (EAL6 and EAL7)
. Implementation representation may
render backdoor detection unlikely (e.g.,
HDL at design time, netlist at fabrication
time)
117. ..
Key Takeaway
.
Impact
.
79/104
As long as the implementations of RSA — or, more generally,
algorithms vulnerable to this class of attacks — used by trusted
entities (e.g., CA) cannot be audited by relying parties (e.g., x.509
end-entities), any trust-anchor for the same trusted entities (e.g.,
root certificate) is to be regarded as a potential backdoor
118. ..
Key Takeaway - Ctd
.
Impact
.
80/104
As long as the implementation of algorithms adopted by CAs and
vulnerable to this class of backdoors cannot be audited by relying
parties, the assurance provided by illusoryTLS (i.e., none
whatsoever) is not any different from the assurance provided by
systems relying upon TLS and RSA certificates for origin
authentication, confidentiality, and message integrity guarantees
119. ..
Mitigations
.
Impact
.
81/104
. Key Pinning, RFC 7469, Public Key Pinning Extension for HTTP (HPKP), April
2015
. Certificate Transparency, RFC 6962, June 2013
. DANE, DNS-based Authentication of Named Entities, RFC 6698, August 2012
. Tack, Trust Assertions for Certificate Keys, dra -perrin-tls-tack-02.txt,
Expired
. Proper explicit cross-certification
121. ..
Subtleness
.
A Backdoor Embedding Algorithm
.
83/104
The subtleness of a backdoor planted in a cryptographic credential
resides in the absence of malicious logic in the system whose
security it erodes.
122. ..
An attack variant
.
A Backdoor Embedding Algorithm
.
84/104
...
RyanC — https://gist.github.com/ryancdotorg/18235723e926be0afbdd
124. ..
Idea
.
A Backdoor Embedding Algorithm
.
85/104
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
125. ..
Idea
.
A Backdoor Embedding Algorithm
.
85/104
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
126. ..
Idea
.
A Backdoor Embedding Algorithm
.
85/104
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
127. ..
Idea
.
A Backdoor Embedding Algorithm
.
85/104
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
128. ..
Idea
.
A Backdoor Embedding Algorithm
.
85/104
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519
public-key
129. ..
Idea
.
A Backdoor Embedding Algorithm
.
85/104
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519
public-key
7. Use the original prime factors to compute two new primes leading to a new
modulus embedding the ephemeral public-key
130. ..
Idea
.
A Backdoor Embedding Algorithm
.
85/104
1. Embed a Curve25519 public-key into the key-generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed at cryptographically secure pseudo-random
number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
6. Replace 32-bytes of the generated modulus with the ephemeral Curve25519
public-key
7. Use the original prime factors to compute two new primes leading to a new
modulus embedding the ephemeral public-key
8. Output the RSA key with the secretly embedded backdoor
131. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/104
1. Extracts the ephemeral Curve25519 public-key from the target modulus
132. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/104
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
133. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/104
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
134. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/104
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
135. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/104
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
5. Replaces 32-bytes of the generated modulus with the ephemeral
Curve25519 public-key
136. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/104
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
5. Replaces 32-bytes of the generated modulus with the ephemeral
Curve25519 public-key
6. Uses the original prime factors to compute two new primes leading to the
target modulus embedding the ephmeral public-key
137. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
86/104
1. Extracts the ephemeral Curve25519 public-key from the target modulus
2. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key generator
3. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generates a normal RSA key using the seeded CSPRNG
5. Replaces 32-bytes of the generated modulus with the ephemeral
Curve25519 public-key
6. Uses the original prime factors to compute two new primes leading to the
target modulus embedding the ephmeral public-key
7. Output the recovered RSA private key
138. ..
Broken
.
A Backdoor Embedding Algorithm
.
87/104
..
. Although the idea is nice
. The key pairs generated using this
algorithm fall short in terms of
indistiguishability
. It is easy to tell backdoored
certificates apart from genuine RSA
certificate using only black-box
access
141. ..
Distinguishing Attack
.
A Backdoor Embedding Algorithm
.
89/104
. A public-key embedded into an RSA modulus
. Elliptic curve public-keys are points on the curve
142. ..
Distinguishing Attack
.
A Backdoor Embedding Algorithm
.
89/104
. A public-key embedded into an RSA modulus
. Elliptic curve public-keys are points on the curve
. And elliptic curve points are easily distinguished from uniform random
strings
143. ..
Distinguishing Attack
.
A Backdoor Embedding Algorithm
.
89/104
. A public-key embedded into an RSA modulus
. Elliptic curve public-keys are points on the curve
. And elliptic curve points are easily distinguished from uniform random
strings
. A security evaluator could check if the coordinates encoded using the
candidate 32-byte substrings of the modulus satisfy the elliptic curve
equation
144. ..
Repairing the Backdoor
.
A Backdoor Embedding Algorithm
.
90/104
If we could make the elliptic curve
points indistinguishable from random
strings, then the backdoor
indistinguishability would be retained
145. ..
Elligator
.
A Backdoor Embedding Algorithm
.
91/104
..
. Censorship sucks!
. Daniel J. Bernstein, Anna Krasnova,
Mike Hamburg, Tanja Lange
. an encoding for points on a single
curve as strings indistiguishable
from uniform random strings
. http://elligator.cr.yp.to
146. ..
Inherently Dual Use
.
A Backdoor Embedding Algorithm
.
92/104
...
All cyber security technology is inherently dual use
147. ..
Undetectability for Good or Ill
.
A Backdoor Embedding Algorithm
.
93/104
..
. Just like any and all cyber security
tools
. Undetectability of curve points can
be used for good or ill
. For censorship-circumvention or
surveillance
148. ..
Between Offense and Defense
.
A Backdoor Embedding Algorithm
.
94/104
I believe we can positively contribute
to the discussion and practice of
information security by walking the
fine line between offense and defense
150. ..
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/104
. Embed a Curve25519 public-key into the key-generator
..MASTER_PUB_HEX = ’525e422e42c9c662362a7326c3c5c785ac7ef52e86782c4ac3c06887583e7a6f’
master_pub = unhexlify(MASTER_PUB_HEX)
151. ..
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/104
. Generate an ephemeral Curve25519 key at random and the associated
uniform representative string
..
while True:
private = urandom(32)
(v, pub, rep) = elligator.scalarbasemult(private)
if v:
break
152. ..
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/104
. Compute a shared secret using ECDH
. Use the shared secret to seed a CSPRNG based on AES run in CTR mode
..
# combine the ECDH keys to generate the seed
seed = nacl.crypto_box_beforenm(master_pub, private)
prng = AESPRNG(seed)
153. ..
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/104
. Generate a normal RSA key using the seeded CSPRNG
..
# deterministic key generation from seed
rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes)
...
def build_key(bits=2048, e=65537, embed=’’, pos=1, randfunc=None):
# generate base key
rsa = RSA.generate(bits, randfunc)
154. ..
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/104
. Replace 32-bytes of the generated modulus with the representative string
associated to the ephemeral Curve25519 public-key
..
# extract modulus as a string
n_str = unhexlify(str(hex(rsa.n))[2:-1])
# embed data into the modulus
n_hex = hexlify(replace_at(n_str, embed, pos))
...
# overwrite some bytes in orig at a specificed offset
def replace_at(orig, replace, offset):
return orig[0:offset] + replace + orig[offset+len(replace):]
155. ..
Elligator backdoor embedding
.
A Backdoor Embedding Algorithm
.
96/104
. Use the original prime factors to compute to new primes leading to a new
modulus embedding the uniform representative string
..
n = gmpy.mpz(n_hex, 16)
p = rsa.p
# compute a starting point to look for a new q value
pre_q = n / p
# use the next prime as the new q value
q = pre_q.next_prime()
n = p * q
phi = (p-1) * (q-1)
# compute new private exponent
d = gmpy.invert(e, phi)
# make sure that p is smaller than q
if p > q:
(p, q) = (q, p)
157. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/104
. Extracts the representative string from the target modulus
..
#Load an x.509 certificate from a file
x509 = X509.load_cert(sys.argv[2])
# Pull the modulus out of the certificate
orig_modulus = unhexlify(x509.get_pubkey().get_modulus())
(seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80)
...
def recover_seed(key=’’, modulus=None, pos=1):
...
rep = modulus[pos:pos+32]
158. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/104
. Maps the representative string to the candidate ephemeral Curve25519
public-key
..pub = elligator.representativetopublic(rep)
159. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/104
. Computes the shared secret via ECDH and using the private-key associated
to the public-key embedded in the key-generator
. Uses the shared secret to seed the CSPRNG based on AES run in CTR mode
..
def recover_seed(key=’’, modulus=None, pos=1):
# recreate the master private key from the passphrase
master = sha256(key).digest()
...
# compute seed with master private and ephemeral public key
return (nacl.crypto_box_beforenm(pub, master), rep)
...
(seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80)
prng = AESPRNG(seed)
160. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/104
. Generates a normal RSA key using the seeded CSPRNG
..
# deterministic key generation from seed
rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes)
...
def build_key(bits=2048, e=65537, embed=’’, pos=1, randfunc=None):
# generate base key
rsa = RSA.generate(bits, randfunc)
161. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/104
. Replaces 32-bytes of the generated modulus with the representative string
found in the target modulus
..
# extract modulus as a string
n_str = unhexlify(str(hex(rsa.n))[2:-1])
# embed data into the modulus
n_hex = hexlify(replace_at(n_str, embed, pos))
162. ..
Key Recovery
.
A Backdoor Embedding Algorithm
.
97/104
. Uses the original prime factors to compute two new primes leading to the
target modulus embedding the uniform representative string
..
n = gmpy.mpz(n_hex, 16)
p = rsa.p
# compute a starting point to look for a new q value
pre_q = n / p
# use the next prime as the new q value
q = pre_q.next_prime()
n = p * q
phi = (p-1) * (q-1)
# compute new private exponent
d = gmpy.invert(e, phi)
# make sure that p is smaller than q
if p > q:
(p, q) = (q, p)
172. ..
Normal RSA Key Generation — Young and Yung
.
Backup
.
106/104
1. Let e be the public RSA exponent (e.g., 216
+ 1)
2. Choose a large number p randomly (e.g., 1024 bits long)
3. If p is composite or gcd(e, p − 1) ̸= 1 then goto to step 1
4. Choose a large number q randomly (e.g., 1024 bits long)
5. If q is composite or gcd(e, p − 1) ̸= 1 then goto to step 3
6. Output the public-key (N = pq, e) and the private-key p
7. The private exponent d is found by solving for (d, k) in ed + kϕ(n) = 1 using
the extended Euclidean algorithm
173. ..
RSA Encryption/Decryption — Young and Yung
.
Backup
.
107/104
. N = p ∗ q, where p and q are large primes known to the key owner
. Everyone knows N and e
. Let d be a privete key exponent where ed = 1mod(p − 1)(q − 1)
. To encrypt m ∈ Z∗
n (a er padding) compute: c = me
modN
. To decrypt the ciphertext c compute: m = cd
modN
. As far as we know: Only with known factorization given N and e, one can
find d
174. ..
Elliptic Curve Decision Diffie-Hellman Problem
.
Backup
.
108/104
. Let C an elliptic-curve equation over the finite field Fq with prime order n
. Let G be the base point of the curve
. Given three point elements (xG), (yG) and (zG)
. Decide whether (zG = xyG), or not
. Where (x, y, z) are chosen randomly and 1 < x, y, z < n