SlideShare a Scribd company logo

Kleptography

Download as PPT, PDF
E
Erfan Mallick

The document discusses kleptography, which is the study of secretly stealing cryptographic information in a way that cannot be detected. It proposes a technique called a Secretly Embedded Trapdoor with Universal Protection (SETUP) that allows an attacker to steal private keys or other secret information from cryptosystems in a way that is undetectable, even if the cryptosystem is reverse engineered. Specifically, it describes how a SETUP could be used to steal private RSA keys during key generation or compromise the Diffie-Hellman key exchange. The goal of kleptography and a SETUP is to allow an attacker to obtain secret information like private keys in a way that cannot be detected by users, reverse engineers, or other attackers

Technology
1 of 38
MOTI YUNG Columbia U./ RSA Labs. Joint work with Adam Young Kleptography: The outsider inside your crypto devices (and its trust implications)
Approach to Trustworthy Computing Have O.S. / HW Control sensitive actions (even at browser level) Employ strong Crypto Hopefully Tamper-proof Crypto (hardware) Have worthwhile Certification of public-keys (not everyone with access to the browser is a CA – a common commercial practice that ruins the name of PKI) Now, we have strong assurance in credentials (server side as well as client side and proxy side) This is (maybe costly however it is) wise… but….…
What is Kleptography? Kleptography is the study of stealing information securely and subliminally (out of your most trusted system component: Tamper proof crypto-device or un-scrutinized crypto-software). Types of information that we want to steal: — Private decryption keys/ signing keys — Symmetric decryption keys — Confidential data (industrial secrets, military secrets, national secrets) Kleptography is dedicated to (re)searching ways of obtaining such data in an undetectable fashion with high security guarantees. It is a formal cryptographic study of backdoor designs (beyond the naïve common attacks that are detectable– e.g. weak random generation).
What is the goal of kleptography? To develop a robust backdoor within a cryptosystem that: 1) Provides the attacker with the desired secret information (e.g., private key of the unwary user) 2) Cannot be detected in black-box implementations (I/O access only to a hardware box/ software) except by the attacker 3) If a reverse-engineer (i.e., not the attacker) breaches the black- box, then the previously stolen information remains confidential (secure against reverse-engineering). Ideally, confidentiality holds going forward as well. The successful reverse-engineer will learn that the attack is carried out, BUT will be unable to use the backdoor. It is the design of cryptographic Trojan horses that are robust against reverse-engineering.
Asymmetric Klepto Talk Road Map Kleptographic attack on RSA key generation — Motivates the notion of a SETUP Definition of a Secretly Embedded Trapdoor with Universal Protection (SETUP) Kleptographic attack on the Diffie-Hellman key exchange Kleptographic attack on the Digital Signature Algorithm (DSA)
Kleptographic Theft of RSA Private Key Problem: To devise a backdoor (i.e., a way to covertly obtain the RSA private keys of users) that can be deployed in an RSA [RSA78] key generation program such that: — The backdoor can only be utilized by the attacker, even if the code is obtained and scrutinized (confidentiality). — The resulting RSA key pair must “look like” a normal RSA key pair (indistinguishability). — The same copy of the key generation program is obtained by everyone (it may be code signed for instance). Observation: Note that a pseudorandom bit generator that uses a fixed secret seed does not accomplish this. The seed or seeds will be revealed to the reverse-engineer and the resulting pseudorandom bit sequences will be revealed (also: statistical test will reveal this attack). This provides that attacker with an exclusive advantage that is maintained even after reverse-engineering.
Algorithms that can be attacked By compromising RSA key generation using a SETUP, we can compromise: — RSA [RSA78] — Rabin [Ra79] — Properly padded RSA: RSA-Optimal Asymmetric Encryption Padding (OAEP) [BR95,FIPS01,Sh01]. — And others… Certification/ Validation: Simple Zero-Knowledge protocols will not: — reveal that a SETUP attack has taken place — inhibit the operation of the SETUP attack in any way.
Normal RSA Key Generation Let e be the public RSA exponent that is shared by all the users (e.g., e is often taken to be 216 +1) 1) choose a large number p randomly (e.g., p is 512 bits long) 2) if p is composite or gcd(e,p - 1) ≠ 1 then goto step 1 3) choose a large number q randomly 4) if q is composite or gcd(e,q - 1) ≠ 1 then goto step 3 5) output the public key (n=pq,e) and the private key p Note that the private exponent d is found by solving for (d,k) in ed + kφ(n) = 1 (using the extended Euclidean alg.)
RSA Encryption/Decryption Let d be the private exponent where ed = 1 mod (p-1)(q-1) Let ZZn* denote the set of numbers in {1,2,3,…,n-1} that are relatively prime to n To encrypt m ∈ ZZn* compute: c = me mod n To decrypt the ciphertext c compute: m = cd mod n
Kleptographic RSA Key Generation The key generation algorithm is modified to contain a cryptotrojan. The cryptotrojan contains the attacker’s public key Y. This is an earlier version of the attack [YY96,YY97], more mature versions exist [YY04,YY05]. 1) choose a large value s randomly (e.g., 512-bits) 2) compute p = H(s) where H is a cryptographic one-way function 3) if p is composite or p-1 not relatively prime to e then goto step 1 4) choose a large value RND randomly 5) compute c to be the asymmetric encryption of s under Y (the attacker’s p.k.) 6) solve for (q,r) in (c || RND) = pq + r 7) if q is composite or q-1 not ….. then goto step 1 8) output the public key (n=pq,e) and the private key p Note that n is about 1024 bits in length
Recovering the RSA Private Key The private key is recovered as follows: — The attacker obtains the public key (n,e) of the user — Let u be the 512 uppermost bits of n — The attacker sets c1 = u and c2 = u+1 (c2 accounts for a potential borrow bit having been taken from the computation n = pq = (c || RND) – r — The attacker decrypts c1 and c2 to get s1 and s2, respectively — Either p1 = H(s1) or p2 = H(s2) will divide n Only the attacker can perform this operation since only the attacker knows the needed private decryption key corresponding to Y.
Definition of a SETUP A SETUP attack is an algorithmic modification C’ of a cryptosystem C with the following properties: 1) Halting Correctness: C and C' are efficient algorithms. 2) Output Indistinguishability: The outputs of C and C' are computationally indistinguishable to all efficient algorithms except for the attacker A. 3) Confidentiality of C: The outputs of C do not compromise the security of the cryptosystem that C implements. 4) Confidentiality of C': The outputs of C' only compromise the security of the cryptosystem that C’ implements with respect to the attacker A (and not against the traditional adversary). 5) Ability to compromise C': With overwhelming probability the attacker A (a new shadow party) can decrypt, forge, or otherwise cryptanalyze efficiently at least one private output of C' given a sufficient number of public outputs of C'.
Formal Aspects In the CT-RSA-05 proceedings there is a formal “security model and definitions. There are two types of attackers (traditional and insider) The design employs tools of modern cryptography: indistinguishability, random oracle assumption regarding strong one-way hash functions, etc. There is a proof of security of the design (in the model). It is “fun” to use formal methodology and proof techniques to prove the “security of klepto” which gives us a new notion in modern cryptography that of “provable insecurity”  
Diffie-Hellman Key Exchange Parameters Concrete parameters: Let p be a large prime such that: — p is 768 bits long or larger — p-1 is divisible by a large prime q (e.g. p=2q+1) — q is a 160 bit prime Let g < p be an element in ZZp* with order q (p,q) must provide a suitable setting for the discrete-logarithm problem. The parameters (p,q) are public
The Key Exchange Problem Alice and Bob want to establish a shared secret key over an insecure network. The network in insecure in the sense that it is vulnerable to a passive eavesdropper. Once the shared secret key is derived, they can use it to send symmetrically encrypted plaintext to each other over the network. Diffie-Hellman solves this problem.
The Diffie-Hellman Key Exchange 1) Alice chooses a < q randomly 2) Alice sends A = ga mod p to Bob 3) Bob chooses b < q randomly 4) Bob sends B = gb mod p to Alice 5) Alice computes k = Ba mod p 6) Bob computes k = Ab mod p Observe that k = Ba = Ab mod p since gba = gab mod p
The Diffie-Hellman Assumption The classic Diffie-Hellman key exchange relies on the presumed intractability of solving the computational Diffie- Hellman problem. (security is assured by the decisional version) A simplified version of the Diffie-Hellman problem can be stated as follows: Given (p,g,A,B) compute k = Ab mod p where b = logg B mod p The RSA key generation has a subliminal channel (half of the bits can be fixed and we get a composite N). The DH problem does not have one (under the decisional assumption all bits are equally random and useful as “key material”)…
So.. Is subliminal channel needed? The computer Science Answer: If there ain’t one create one! There are many ways to establish “secure communication channels while crypto is involved”….
Assumptions for the DH SETUP attack The assumptions are as follows: 1) The attacker can deploy the SETUP attack in a tamper- resistant black-box that Alice will use (Bob can use a black- box as well). 2) The black-box can store state information across invocations of the Diffie-Hellman algorithm (non-volatile memory). 3) The malicious designer can act as a passive eavesdropper on all of Alice and Bob’s key exchanges.
Goal of the SETUP attack against DH The goals of the simplified SETUP attack are: 1) To permit the malicious manufacturer to learn every other (or all but one) Diffie-Hellman shared secret k that Alice and Bob compute. 2) To prevent Alice and Bob (and everyone else) from knowing that the attack is taking place. 3) Robustness against reverse-engineering: - If only the code for the SETUP attack is disclosed then all shared secrets past and future will remain confidential. - A single DH shared secret may be compromised if the non- volatile state information is disclosed.
Parameters for the DH SETUP attack Parameters for the attack: xm: private key generated by the malicious attacker for the attack. xm is randomly chosen such that xm < q. xm is kept secret by the attacker (e.g., in the attacker’s smart card). ym: public key corresponding to xm. Hence, ym = gxm mod p. ym is not certified, but is placed inside the black-box that Alice uses. ID: A random and secret bit string in Alice’s device (Identifier). It should be at least 160 bits in length. H: public cryptographic one-way hash function such that: H: {0,1}*  ZZq
Intuition behind the DH SETUP attack The idea is to have the attacker: 1) Generate a private key xm and public key ym = gxm mod p 2) Place the public key ym in the black-box 3) Design the black-box to compute a shared secret k between Alice and the attacker during the first DH key exchange between Alice and Bob. k = ym a mod p • Use pseudorandomness derived from k instead of a random exponent a in Alice’s next key exchange. This allows the attacker to learn the second Diffie-Hellman shared secret. In two DH exchanges there will be three (one extra shadow one)!!!!
The Diffie-Hellman SETUP Attack First exchange: • Alice’s device sends A1 = ga1 mod p to Bob where a1 ∈R ZZq • Alice’s device stores a1 in non-volatile memory • Bob’s device sends B1 = gb1 mod p to Alice where b1 ∈R ZZq • Alice and Bob’s devices compute k1 = ga1b1 mod p Second exchange: • Alice’s device computes a2 = H(ID || (ym a1 mod p)) • Alice’s device sends A2 = ga2 mod p to Bob • Bob’s device sends B2 = gb2 mod p to Alice where b2 ∈R ZZq • Alice and Bob’s devices compute k2 = ga2b2 mod p
Recovering the 2nd DH Shared Secret The attacker: 1) Obtains A1 and B2 via passive eavesdropping. 2) Computes a2 = H(ID || (A1 xm mod p)) 3) Computes k2 = B2 a2 mod p Note that: A1 xm mod p = ga1xm = ym a1 = gxma1 mod p
Security of the DH SETUP attack Device Indistinguishability: — Since ID is a large randomly chosen string and is secret within Alice’s device, a2 appears random to Alice even if the device gives (a1,a2) to her (H acts like a random oracle). Confidentiality w.r.t. the reverse-engineer: — The reverse-engineer learns ID and ym (we may assume that a1 is learned and so at most a2 is compromised). — The reverse-engineer still must solve instances of the Diffie- Hellman problem to learn past DH shared secrets k2.
Chaining the DH SETUP attack The attack generalizes to reveal t out of t+1 Diffie-Hellman shared secrets. This is accomplished by chaining the use of the DH pseudorandom exponent. For example, Alice’s device stores a2 in non-volatile memory and computes: a3 = H(ID || (ym a2 mod p)) instead of choosing a3 uniformly at random… This is called a (t,t+1)-SETUP attack.
Parameters for the DSA - The primes p and q are as before (but q much smaller 160 bits). - g is the same as before (gq = 1 mod p). - The DSA signing private key is x where x is chosen randomly modulo q. - The DSA signature verification public key is y where: y = gx mod p - SHA1 denotes the “somewhat-secure hash algorithm” [NIST180] SHA1: {0,1}*  {0,1}160
DSA Signing Algorithm Algorithm [NIST186] to sign m given (m,x,g,p,q): • Choose k < q randomly • Compute r = (gk mod p) mod q • Compute s = k-1 (SHA1(m) + xr) mod q • Output (r,s) as the digital signature on m. • The DSA sends only 320 bits per signature, can they be exploited fast?
DSA Signature Verification Algorithm Algorithm to verify the signature (r,s) given (m,r,s,y,g,p,q): 1) Make sure all values are contained in the correct sets 2) Compute t = s-1 mod q 3) Signature is valid if and only if: r = ((gt )SHA1(m) ytr mod p) mod q Note that: r = (gk mod p) mod q and k = s-1 SHA1(m) + xs-1 r mod q Also, (gt )SHA1(m) ytr mod p = gk mod p [Very Important!]
Goal of DSA SETUP Attack The goal of the SETUP attack is to leak Alice’s private key x securely and subliminally to the malicious manufacturer of the DSA black-box. The malicious manufacturer uses the key pair (ym,xm) as before. The attack seeks to leak one exponent k in every two successive digital signatures that are output. This securely transmits x to the manufacturer since (known fact): x = r-1 (sk – SHA1(m)) mod q
Discrete Log Kleptogram The value computed as an intermediate one: (gt )SHA1(m) ytr mod p = gk mod p Enables a SETUP attack against DSA We call this a discrete-log kleptogram since once we can have something that looks like a DH communicated value we can exploit (reduction to the attack on DH).
SETUP Attack Against DSA First DSA signature computation: 1) Alice’s device computes (r1,s1) on message m1 where r1 = (gk1 mod p) mod q and s1 = k1 -1 (SHA1(m1) + xr1) mod q 2) Alice’s device stores exponent k1 in non-volatile memory. Second DSA signature computation: 1) Alice’s device computes k2 = H(ID || (ym k1 mod p)) 2) Alice’s device computes (r2,s2) on message m2 where r2 = (gk2 mod p) mod q and s2 = k2 -1 (SHA1(m2) + xr2) mod q
Recovering the 2nd signature exponent The attacker: 1) Obtains (m1,r1,s1) and (m2,r2,s2) via passive eavesdropping. 2) Computes t = s1 -1 mod q 3) Computes T = (gt )SHA1(m1) ytr1 mod p Note that T = gk1 mod p 4) Computes k2 = H(ID || (Txm mod p)) Note that Txm mod p = gk1xm = ym k1 mod p 5) Computes x2 = r2 -1 (s2k2 – SHA1(m2)) mod q
Security of the DH SETUP attack Device Indistinguishability: — Note that Alice can always recover k1 and k2 using her private key x. — Since ID is a large randomly chosen string and is secret within Alice’s device, k2 appears random to Alice. Confidentiality w.r.t. the reverse-engineer: — The reverse-engineer learns ID and ym — The reverse-engineer still must solve instances of the Diffie- Hellman problem to learn past DH shared secrets k2.
Conclusion The notion of a cryptographic backdoor that is robust against reverse-engineering was introduced (SETUP). A SETUP attack against RSA key generation was presented. A SETUP attack against Diffie-Hellman was presented. A SETUP attack against DSA was presented. These SETUP attacks naturally extend to other cryptosystems as well: e.g., Cramer-Shoup, etc. (ongoing research…
Conclusions In all these schemes: we have proof of security of the system (against all but the attacker) and a second security (exclusivity) proof for the attacker [Two systems in one!] and proofs are according to modern standards…. Cryptography is about security (we know..), it is about solving seemingly paradoxical schemes (we know….), and is also about looking for things that no one will ever look at (thus it is also about non-trivial scrutiny, namely: hacking with a purpose)….
Conclusions Trust relationships: manufacturer has to be trusted and implementations scrutinized as much as possible. Some black box tests will not work (under cryptographic assumptions) Trust within and about cryptographic system is “tricky” (also true in dealing with other systems, but not everyone thinks about it seriously! So cryptographers ought to look at these other things…) Since cryptographic thinking is important in analyzing security issues  cryptographic training is important! [to catch a thief you have to think like one]
THANK YOU!

Recommended

Презентація Тижня знань ПДР 2017/2018
Презентація Тижня знань ПДР 2017/2018Презентація Тижня знань ПДР 2017/2018
Презентація Тижня знань ПДР 2017/2018
Alla Kolosai
 
Розв’язування прикладних задач (із застосуванням визначеного інтеграла)
Розв’язування прикладних задач (із застосуванням визначеного інтеграла)Розв’язування прикладних задач (із застосуванням визначеного інтеграла)
Розв’язування прикладних задач (із застосуванням визначеного інтеграла)
Надвірнянський інформаційно - методичний центр
 
Видатні вчені-природознавці України і світу
Видатні вчені-природознавці України і світуВидатні вчені-природознавці України і світу
Видатні вчені-природознавці України і світуМикола Корчак
 
Презентація до нового підручника "Математика. 4 клас"
Презентація до нового підручника "Математика. 4 клас"Презентація до нового підручника "Математика. 4 клас"
Презентація до нового підручника "Математика. 4 клас"
Електронні книги Ранок
 
презент.сухомл.5
презент.сухомл.5презент.сухомл.5
презент.сухомл.5Sergeevna1985
 
алгоритм складання портфоліо вчителя, який атестується
алгоритм складання портфоліо вчителя, який атестуєтьсяалгоритм складання портфоліо вчителя, який атестується
алгоритм складання портфоліо вчителя, який атестуєтьсяelrosol
 
Відокремлені означення
Відокремлені означенняВідокремлені означення
Відокремлені означення
Svitlana ZHyvolup
 
Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..
Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..
Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..
Eugene Krapyvin
 

Recommended

Презентація Тижня знань ПДР 2017/2018
Презентація Тижня знань ПДР 2017/2018Презентація Тижня знань ПДР 2017/2018
Презентація Тижня знань ПДР 2017/2018
Alla Kolosai
 
Розв’язування прикладних задач (із застосуванням визначеного інтеграла)
Розв’язування прикладних задач (із застосуванням визначеного інтеграла)Розв’язування прикладних задач (із застосуванням визначеного інтеграла)
Розв’язування прикладних задач (із застосуванням визначеного інтеграла)
Надвірнянський інформаційно - методичний центр
 
Видатні вчені-природознавці України і світу
Видатні вчені-природознавці України і світуВидатні вчені-природознавці України і світу
Видатні вчені-природознавці України і світуМикола Корчак
 
Презентація до нового підручника "Математика. 4 клас"
Презентація до нового підручника "Математика. 4 клас"Презентація до нового підручника "Математика. 4 клас"
Презентація до нового підручника "Математика. 4 клас"
Електронні книги Ранок
 
презент.сухомл.5
презент.сухомл.5презент.сухомл.5
презент.сухомл.5Sergeevna1985
 
алгоритм складання портфоліо вчителя, який атестується
алгоритм складання портфоліо вчителя, який атестуєтьсяалгоритм складання портфоліо вчителя, який атестується
алгоритм складання портфоліо вчителя, який атестуєтьсяelrosol
 
Відокремлені означення
Відокремлені означенняВідокремлені означення
Відокремлені означення
Svitlana ZHyvolup
 
Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..
Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..
Вказівка МВС №63 від 24.01.2011 "Про незадовільний стан службової дисципліни..
Eugene Krapyvin
 
Міфологія Єгипту
Міфологія ЄгиптуМіфологія Єгипту
Міфологія Єгипту
DorokhGala
 
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Ігор Арсентьєв
 
план заходів 1
план заходів 1план заходів 1
план заходів 1
Юлія Асанова
 
презентація якоб і вільгельм грімм2
презентація якоб і вільгельм грімм2презентація якоб і вільгельм грімм2
презентація якоб і вільгельм грімм2
Myagkova Tanya
 
Історія виникнення косметики
Історія виникнення косметикиІсторія виникнення косметики
Історія виникнення косметики
Галина Пидручная
 
Розквіт та занепад Єгипту в ІІ тис. до н. е.
Розквіт та занепад Єгипту в ІІ тис. до н. е.Розквіт та занепад Єгипту в ІІ тис. до н. е.
Розквіт та занепад Єгипту в ІІ тис. до н. е.
Anna Shkandyuba
 
Формули скороченого множення
Формули скороченого множенняФормули скороченого множення
Формули скороченого множення
Наталія Третякова
 
дидактичні погляди Сковороди
дидактичні погляди Сковородидидактичні погляди Сковороди
дидактичні погляди Сковороди
Oksana Matsopa
 
Ukrajinska mova-8klas-avramenko-2016
Ukrajinska mova-8klas-avramenko-2016Ukrajinska mova-8klas-avramenko-2016
Ukrajinska mova-8klas-avramenko-2016
kreidaros1
 
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Iryna Sukhorabska
 
Т.Шевченко "Садок вишневий коло хати"
Т.Шевченко "Садок вишневий коло хати"Т.Шевченко "Садок вишневий коло хати"
Т.Шевченко "Садок вишневий коло хати"
Tatyana Dudka
 
NZ Інструкція для класного керівника 22.07.22.pdf
NZ Інструкція для класного керівника 22.07.22.pdfNZ Інструкція для класного керівника 22.07.22.pdf
NZ Інструкція для класного керівника 22.07.22.pdf
ssuser59c0a2
 
Астрід ліндгрен. Пеппі довга панчоха
Астрід ліндгрен. Пеппі довга панчохаАстрід ліндгрен. Пеппі довга панчоха
Астрід ліндгрен. Пеппі довга панчохаolyasmetyukh
 
сзш № 12 атестація 2013 ....
сзш № 12 атестація 2013 ....сзш № 12 атестація 2013 ....
сзш № 12 атестація 2013 ....alla123456
 
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Інститут післядипломної педагогічної освіти КУБГ
 
Неймовірний світ Катерини Штанко
Неймовірний світ Катерини ШтанкоНеймовірний світ Катерини Штанко
Неймовірний світ Катерини Штанко
estet13
 
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Інститут післядипломної педагогічної освіти КУБГ
 
6 біблійні афоризми
6 біблійні афоризми6 біблійні афоризми
6 біблійні афоризми
SnezhanaP10
 
Дисидентський рух
Дисидентський рухДисидентський рух
Дисидентський рух
Yura Yatsko
 
автоматизація звука р в словах
автоматизація звука р в словахавтоматизація звука р в словах
автоматизація звука р в словахЛюбов Чулак
 
Introduction to cryptography
Introduction to cryptographyIntroduction to cryptography
Introduction to cryptographySuresh Thammishetty
 
Rsa
RsaRsa
Rsaismaelhaider
 

More Related Content

What's hot

Міфологія Єгипту
Міфологія ЄгиптуМіфологія Єгипту
Міфологія Єгипту
DorokhGala
 
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Ігор Арсентьєв
 
план заходів 1
план заходів 1план заходів 1
план заходів 1
Юлія Асанова
 
презентація якоб і вільгельм грімм2
презентація якоб і вільгельм грімм2презентація якоб і вільгельм грімм2
презентація якоб і вільгельм грімм2
Myagkova Tanya
 
Історія виникнення косметики
Історія виникнення косметикиІсторія виникнення косметики
Історія виникнення косметики
Галина Пидручная
 
Розквіт та занепад Єгипту в ІІ тис. до н. е.
Розквіт та занепад Єгипту в ІІ тис. до н. е.Розквіт та занепад Єгипту в ІІ тис. до н. е.
Розквіт та занепад Єгипту в ІІ тис. до н. е.
Anna Shkandyuba
 
Формули скороченого множення
Формули скороченого множенняФормули скороченого множення
Формули скороченого множення
Наталія Третякова
 
дидактичні погляди Сковороди
дидактичні погляди Сковородидидактичні погляди Сковороди
дидактичні погляди Сковороди
Oksana Matsopa
 
Ukrajinska mova-8klas-avramenko-2016
Ukrajinska mova-8klas-avramenko-2016Ukrajinska mova-8klas-avramenko-2016
Ukrajinska mova-8klas-avramenko-2016
kreidaros1
 
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Iryna Sukhorabska
 
Т.Шевченко "Садок вишневий коло хати"
Т.Шевченко "Садок вишневий коло хати"Т.Шевченко "Садок вишневий коло хати"
Т.Шевченко "Садок вишневий коло хати"
Tatyana Dudka
 
NZ Інструкція для класного керівника 22.07.22.pdf
NZ Інструкція для класного керівника 22.07.22.pdfNZ Інструкція для класного керівника 22.07.22.pdf
NZ Інструкція для класного керівника 22.07.22.pdf
ssuser59c0a2
 
Астрід ліндгрен. Пеппі довга панчоха
Астрід ліндгрен. Пеппі довга панчохаАстрід ліндгрен. Пеппі довга панчоха
Астрід ліндгрен. Пеппі довга панчохаolyasmetyukh
 
сзш № 12 атестація 2013 ....
сзш № 12 атестація 2013 ....сзш № 12 атестація 2013 ....
сзш № 12 атестація 2013 ....alla123456
 
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Інститут післядипломної педагогічної освіти КУБГ
 
Неймовірний світ Катерини Штанко
Неймовірний світ Катерини ШтанкоНеймовірний світ Катерини Штанко
Неймовірний світ Катерини Штанко
estet13
 
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Інститут післядипломної педагогічної освіти КУБГ
 
6 біблійні афоризми
6 біблійні афоризми6 біблійні афоризми
6 біблійні афоризми
SnezhanaP10
 
Дисидентський рух
Дисидентський рухДисидентський рух
Дисидентський рух
Yura Yatsko
 
автоматизація звука р в словах
автоматизація звука р в словахавтоматизація звука р в словах
автоматизація звука р в словахЛюбов Чулак
 

What's hot (20)

Міфологія Єгипту
Міфологія ЄгиптуМіфологія Єгипту
Міфологія Єгипту
 
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
Педагогічна рада на тему: "Національно - патріотичне виховання в школі та сім'ї"
 
план заходів 1
план заходів 1план заходів 1
план заходів 1
 
презентація якоб і вільгельм грімм2
презентація якоб і вільгельм грімм2презентація якоб і вільгельм грімм2
презентація якоб і вільгельм грімм2
 
Історія виникнення косметики
Історія виникнення косметикиІсторія виникнення косметики
Історія виникнення косметики
 
Розквіт та занепад Єгипту в ІІ тис. до н. е.
Розквіт та занепад Єгипту в ІІ тис. до н. е.Розквіт та занепад Єгипту в ІІ тис. до н. е.
Розквіт та занепад Єгипту в ІІ тис. до н. е.
 
Формули скороченого множення
Формули скороченого множенняФормули скороченого множення
Формули скороченого множення
 
дидактичні погляди Сковороди
дидактичні погляди Сковородидидактичні погляди Сковороди
дидактичні погляди Сковороди
 
Ukrajinska mova-8klas-avramenko-2016
Ukrajinska mova-8klas-avramenko-2016Ukrajinska mova-8klas-avramenko-2016
Ukrajinska mova-8klas-avramenko-2016
 
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
Група київських неокласиків, їхнє творче кредо, орієнтири на класичну форму п...
 
Т.Шевченко "Садок вишневий коло хати"
Т.Шевченко "Садок вишневий коло хати"Т.Шевченко "Садок вишневий коло хати"
Т.Шевченко "Садок вишневий коло хати"
 
NZ Інструкція для класного керівника 22.07.22.pdf
NZ Інструкція для класного керівника 22.07.22.pdfNZ Інструкція для класного керівника 22.07.22.pdf
NZ Інструкція для класного керівника 22.07.22.pdf
 
Астрід ліндгрен. Пеппі довга панчоха
Астрід ліндгрен. Пеппі довга панчохаАстрід ліндгрен. Пеппі довга панчоха
Астрід ліндгрен. Пеппі довга панчоха
 
сзш № 12 атестація 2013 ....
сзш № 12 атестація 2013 ....сзш № 12 атестація 2013 ....
сзш № 12 атестація 2013 ....
 
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
Ільєнко Т.А., вчитель-логопед СНВК «Мрія». Мінімальні прояви дизартрій у діте...
 
Неймовірний світ Катерини Штанко
Неймовірний світ Катерини ШтанкоНеймовірний світ Катерини Штанко
Неймовірний світ Катерини Штанко
 
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
Н.І.Боринець. Інноваційна освітня діяльність учителя трудового навчання: види...
 
6 біблійні афоризми
6 біблійні афоризми6 біблійні афоризми
6 біблійні афоризми
 
Дисидентський рух
Дисидентський рухДисидентський рух
Дисидентський рух
 
автоматизація звука р в словах
автоматизація звука р в словахавтоматизація звука р в словах
автоматизація звука р в словах
 

Similar to Kleptography

15.Security
15.Security15.Security
15.Security
Senthil Kanth
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
Nagendra Um
 
Public key algorithm
Public key algorithmPublic key algorithm
Public key algorithm
Prateek Pandey
 
Chapter 15 - Security
Chapter 15 - SecurityChapter 15 - Security
Chapter 15 - Security
Wayne Jones Jnr
 
Survey on asymmetric key cryptography algorithms
Survey on asymmetric key cryptography algorithmsSurvey on asymmetric key cryptography algorithms
Survey on asymmetric key cryptography algorithmsEditor Jacotech
 
OpenPGP/GnuPG Encryption
OpenPGP/GnuPG EncryptionOpenPGP/GnuPG Encryption
OpenPGP/GnuPG Encryption
Tanner Lovelace
 
IS Unit 3_Public Key Cryptography
IS Unit 3_Public Key CryptographyIS Unit 3_Public Key Cryptography
IS Unit 3_Public Key CryptographySarthak Patel
 
Network security
Network securityNetwork security
Network security
Ramasubbu .P
 
Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)
Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)
Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)
Swati Nagpal
 
Moein
MoeinMoein
Moein
itrraincity
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYTuhin_Das
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
Kai Koenig
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-ittrameshvvv
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
Srilal Buddika
 
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
PROIDEA
 
D017433134
D017433134D017433134
D017433134
IOSR Journals
 

Similar to Kleptography (20)

Introduction to cryptography
Introduction to cryptographyIntroduction to cryptography
Introduction to cryptography
 
Rsa
RsaRsa
Rsa
 
15.Security
15.Security15.Security
15.Security
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Public key algorithm
Public key algorithmPublic key algorithm
Public key algorithm
 
Chapter 15 - Security
Chapter 15 - SecurityChapter 15 - Security
Chapter 15 - Security
 
Survey on asymmetric key cryptography algorithms
Survey on asymmetric key cryptography algorithmsSurvey on asymmetric key cryptography algorithms
Survey on asymmetric key cryptography algorithms
 
OpenPGP/GnuPG Encryption
OpenPGP/GnuPG EncryptionOpenPGP/GnuPG Encryption
OpenPGP/GnuPG Encryption
 
IS Unit 3_Public Key Cryptography
IS Unit 3_Public Key CryptographyIS Unit 3_Public Key Cryptography
IS Unit 3_Public Key Cryptography
 
Network security
Network securityNetwork security
Network security
 
Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)
Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)
Encryption/Decryption Algorithm for Devanagri Script(Affine Cipher)
 
Moein
MoeinMoein
Moein
 
DOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITYDOCS ON NETWORK SECURITY
DOCS ON NETWORK SECURITY
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-itt
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Ch09
Ch09Ch09
Ch09
 
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
[CONFidence 2016] Marco Ortisi - Recover a RSA private key from a TLS session...
 
D017433134
D017433134D017433134
D017433134
 

Recently uploaded

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 

Kleptography

  • 1. MOTI YUNG Columbia U./ RSA Labs. Joint work with Adam Young Kleptography: The outsider inside your crypto devices (and its trust implications)
  • 2. Approach to Trustworthy Computing Have O.S. / HW Control sensitive actions (even at browser level) Employ strong Crypto Hopefully Tamper-proof Crypto (hardware) Have worthwhile Certification of public-keys (not everyone with access to the browser is a CA – a common commercial practice that ruins the name of PKI) Now, we have strong assurance in credentials (server side as well as client side and proxy side) This is (maybe costly however it is) wise… but….…
  • 3. What is Kleptography? Kleptography is the study of stealing information securely and subliminally (out of your most trusted system component: Tamper proof crypto-device or un-scrutinized crypto-software). Types of information that we want to steal: — Private decryption keys/ signing keys — Symmetric decryption keys — Confidential data (industrial secrets, military secrets, national secrets) Kleptography is dedicated to (re)searching ways of obtaining such data in an undetectable fashion with high security guarantees. It is a formal cryptographic study of backdoor designs (beyond the naïve common attacks that are detectable– e.g. weak random generation).
  • 4. What is the goal of kleptography? To develop a robust backdoor within a cryptosystem that: 1) Provides the attacker with the desired secret information (e.g., private key of the unwary user) 2) Cannot be detected in black-box implementations (I/O access only to a hardware box/ software) except by the attacker 3) If a reverse-engineer (i.e., not the attacker) breaches the black- box, then the previously stolen information remains confidential (secure against reverse-engineering). Ideally, confidentiality holds going forward as well. The successful reverse-engineer will learn that the attack is carried out, BUT will be unable to use the backdoor. It is the design of cryptographic Trojan horses that are robust against reverse-engineering.
  • 5. Asymmetric Klepto Talk Road Map Kleptographic attack on RSA key generation — Motivates the notion of a SETUP Definition of a Secretly Embedded Trapdoor with Universal Protection (SETUP) Kleptographic attack on the Diffie-Hellman key exchange Kleptographic attack on the Digital Signature Algorithm (DSA)
  • 6. Kleptographic Theft of RSA Private Key Problem: To devise a backdoor (i.e., a way to covertly obtain the RSA private keys of users) that can be deployed in an RSA [RSA78] key generation program such that: — The backdoor can only be utilized by the attacker, even if the code is obtained and scrutinized (confidentiality). — The resulting RSA key pair must “look like” a normal RSA key pair (indistinguishability). — The same copy of the key generation program is obtained by everyone (it may be code signed for instance). Observation: Note that a pseudorandom bit generator that uses a fixed secret seed does not accomplish this. The seed or seeds will be revealed to the reverse-engineer and the resulting pseudorandom bit sequences will be revealed (also: statistical test will reveal this attack). This provides that attacker with an exclusive advantage that is maintained even after reverse-engineering.
  • 7. Algorithms that can be attacked By compromising RSA key generation using a SETUP, we can compromise: — RSA [RSA78] — Rabin [Ra79] — Properly padded RSA: RSA-Optimal Asymmetric Encryption Padding (OAEP) [BR95,FIPS01,Sh01]. — And others… Certification/ Validation: Simple Zero-Knowledge protocols will not: — reveal that a SETUP attack has taken place — inhibit the operation of the SETUP attack in any way.
  • 8. Normal RSA Key Generation Let e be the public RSA exponent that is shared by all the users (e.g., e is often taken to be 216 +1) 1) choose a large number p randomly (e.g., p is 512 bits long) 2) if p is composite or gcd(e,p - 1) ≠ 1 then goto step 1 3) choose a large number q randomly 4) if q is composite or gcd(e,q - 1) ≠ 1 then goto step 3 5) output the public key (n=pq,e) and the private key p Note that the private exponent d is found by solving for (d,k) in ed + kφ(n) = 1 (using the extended Euclidean alg.)
  • 9. RSA Encryption/Decryption Let d be the private exponent where ed = 1 mod (p-1)(q-1) Let ZZn* denote the set of numbers in {1,2,3,…,n-1} that are relatively prime to n To encrypt m ∈ ZZn* compute: c = me mod n To decrypt the ciphertext c compute: m = cd mod n
  • 10. Kleptographic RSA Key Generation The key generation algorithm is modified to contain a cryptotrojan. The cryptotrojan contains the attacker’s public key Y. This is an earlier version of the attack [YY96,YY97], more mature versions exist [YY04,YY05]. 1) choose a large value s randomly (e.g., 512-bits) 2) compute p = H(s) where H is a cryptographic one-way function 3) if p is composite or p-1 not relatively prime to e then goto step 1 4) choose a large value RND randomly 5) compute c to be the asymmetric encryption of s under Y (the attacker’s p.k.) 6) solve for (q,r) in (c || RND) = pq + r 7) if q is composite or q-1 not ….. then goto step 1 8) output the public key (n=pq,e) and the private key p Note that n is about 1024 bits in length
  • 11. Recovering the RSA Private Key The private key is recovered as follows: — The attacker obtains the public key (n,e) of the user — Let u be the 512 uppermost bits of n — The attacker sets c1 = u and c2 = u+1 (c2 accounts for a potential borrow bit having been taken from the computation n = pq = (c || RND) – r — The attacker decrypts c1 and c2 to get s1 and s2, respectively — Either p1 = H(s1) or p2 = H(s2) will divide n Only the attacker can perform this operation since only the attacker knows the needed private decryption key corresponding to Y.
  • 12. Definition of a SETUP A SETUP attack is an algorithmic modification C’ of a cryptosystem C with the following properties: 1) Halting Correctness: C and C' are efficient algorithms. 2) Output Indistinguishability: The outputs of C and C' are computationally indistinguishable to all efficient algorithms except for the attacker A. 3) Confidentiality of C: The outputs of C do not compromise the security of the cryptosystem that C implements. 4) Confidentiality of C': The outputs of C' only compromise the security of the cryptosystem that C’ implements with respect to the attacker A (and not against the traditional adversary). 5) Ability to compromise C': With overwhelming probability the attacker A (a new shadow party) can decrypt, forge, or otherwise cryptanalyze efficiently at least one private output of C' given a sufficient number of public outputs of C'.
  • 13. Formal Aspects In the CT-RSA-05 proceedings there is a formal “security model and definitions. There are two types of attackers (traditional and insider) The design employs tools of modern cryptography: indistinguishability, random oracle assumption regarding strong one-way hash functions, etc. There is a proof of security of the design (in the model). It is “fun” to use formal methodology and proof techniques to prove the “security of klepto” which gives us a new notion in modern cryptography that of “provable insecurity”  
  • 14. Diffie-Hellman Key Exchange Parameters Concrete parameters: Let p be a large prime such that: — p is 768 bits long or larger — p-1 is divisible by a large prime q (e.g. p=2q+1) — q is a 160 bit prime Let g < p be an element in ZZp* with order q (p,q) must provide a suitable setting for the discrete-logarithm problem. The parameters (p,q) are public
  • 15. The Key Exchange Problem Alice and Bob want to establish a shared secret key over an insecure network. The network in insecure in the sense that it is vulnerable to a passive eavesdropper. Once the shared secret key is derived, they can use it to send symmetrically encrypted plaintext to each other over the network. Diffie-Hellman solves this problem.
  • 16. The Diffie-Hellman Key Exchange 1) Alice chooses a < q randomly 2) Alice sends A = ga mod p to Bob 3) Bob chooses b < q randomly 4) Bob sends B = gb mod p to Alice 5) Alice computes k = Ba mod p 6) Bob computes k = Ab mod p Observe that k = Ba = Ab mod p since gba = gab mod p
  • 17. The Diffie-Hellman Assumption The classic Diffie-Hellman key exchange relies on the presumed intractability of solving the computational Diffie- Hellman problem. (security is assured by the decisional version) A simplified version of the Diffie-Hellman problem can be stated as follows: Given (p,g,A,B) compute k = Ab mod p where b = logg B mod p The RSA key generation has a subliminal channel (half of the bits can be fixed and we get a composite N). The DH problem does not have one (under the decisional assumption all bits are equally random and useful as “key material”)…
  • 18. So.. Is subliminal channel needed? The computer Science Answer: If there ain’t one create one! There are many ways to establish “secure communication channels while crypto is involved”….
  • 19. Assumptions for the DH SETUP attack The assumptions are as follows: 1) The attacker can deploy the SETUP attack in a tamper- resistant black-box that Alice will use (Bob can use a black- box as well). 2) The black-box can store state information across invocations of the Diffie-Hellman algorithm (non-volatile memory). 3) The malicious designer can act as a passive eavesdropper on all of Alice and Bob’s key exchanges.
  • 20. Goal of the SETUP attack against DH The goals of the simplified SETUP attack are: 1) To permit the malicious manufacturer to learn every other (or all but one) Diffie-Hellman shared secret k that Alice and Bob compute. 2) To prevent Alice and Bob (and everyone else) from knowing that the attack is taking place. 3) Robustness against reverse-engineering: - If only the code for the SETUP attack is disclosed then all shared secrets past and future will remain confidential. - A single DH shared secret may be compromised if the non- volatile state information is disclosed.
  • 21. Parameters for the DH SETUP attack Parameters for the attack: xm: private key generated by the malicious attacker for the attack. xm is randomly chosen such that xm < q. xm is kept secret by the attacker (e.g., in the attacker’s smart card). ym: public key corresponding to xm. Hence, ym = gxm mod p. ym is not certified, but is placed inside the black-box that Alice uses. ID: A random and secret bit string in Alice’s device (Identifier). It should be at least 160 bits in length. H: public cryptographic one-way hash function such that: H: {0,1}*  ZZq
  • 22. Intuition behind the DH SETUP attack The idea is to have the attacker: 1) Generate a private key xm and public key ym = gxm mod p 2) Place the public key ym in the black-box 3) Design the black-box to compute a shared secret k between Alice and the attacker during the first DH key exchange between Alice and Bob. k = ym a mod p • Use pseudorandomness derived from k instead of a random exponent a in Alice’s next key exchange. This allows the attacker to learn the second Diffie-Hellman shared secret. In two DH exchanges there will be three (one extra shadow one)!!!!
  • 23. The Diffie-Hellman SETUP Attack First exchange: • Alice’s device sends A1 = ga1 mod p to Bob where a1 ∈R ZZq • Alice’s device stores a1 in non-volatile memory • Bob’s device sends B1 = gb1 mod p to Alice where b1 ∈R ZZq • Alice and Bob’s devices compute k1 = ga1b1 mod p Second exchange: • Alice’s device computes a2 = H(ID || (ym a1 mod p)) • Alice’s device sends A2 = ga2 mod p to Bob • Bob’s device sends B2 = gb2 mod p to Alice where b2 ∈R ZZq • Alice and Bob’s devices compute k2 = ga2b2 mod p
  • 24. Recovering the 2nd DH Shared Secret The attacker: 1) Obtains A1 and B2 via passive eavesdropping. 2) Computes a2 = H(ID || (A1 xm mod p)) 3) Computes k2 = B2 a2 mod p Note that: A1 xm mod p = ga1xm = ym a1 = gxma1 mod p
  • 25. Security of the DH SETUP attack Device Indistinguishability: — Since ID is a large randomly chosen string and is secret within Alice’s device, a2 appears random to Alice even if the device gives (a1,a2) to her (H acts like a random oracle). Confidentiality w.r.t. the reverse-engineer: — The reverse-engineer learns ID and ym (we may assume that a1 is learned and so at most a2 is compromised). — The reverse-engineer still must solve instances of the Diffie- Hellman problem to learn past DH shared secrets k2.
  • 26. Chaining the DH SETUP attack The attack generalizes to reveal t out of t+1 Diffie-Hellman shared secrets. This is accomplished by chaining the use of the DH pseudorandom exponent. For example, Alice’s device stores a2 in non-volatile memory and computes: a3 = H(ID || (ym a2 mod p)) instead of choosing a3 uniformly at random… This is called a (t,t+1)-SETUP attack.
  • 27. Parameters for the DSA - The primes p and q are as before (but q much smaller 160 bits). - g is the same as before (gq = 1 mod p). - The DSA signing private key is x where x is chosen randomly modulo q. - The DSA signature verification public key is y where: y = gx mod p - SHA1 denotes the “somewhat-secure hash algorithm” [NIST180] SHA1: {0,1}*  {0,1}160
  • 28. DSA Signing Algorithm Algorithm [NIST186] to sign m given (m,x,g,p,q): • Choose k < q randomly • Compute r = (gk mod p) mod q • Compute s = k-1 (SHA1(m) + xr) mod q • Output (r,s) as the digital signature on m. • The DSA sends only 320 bits per signature, can they be exploited fast?
  • 29. DSA Signature Verification Algorithm Algorithm to verify the signature (r,s) given (m,r,s,y,g,p,q): 1) Make sure all values are contained in the correct sets 2) Compute t = s-1 mod q 3) Signature is valid if and only if: r = ((gt )SHA1(m) ytr mod p) mod q Note that: r = (gk mod p) mod q and k = s-1 SHA1(m) + xs-1 r mod q Also, (gt )SHA1(m) ytr mod p = gk mod p [Very Important!]
  • 30. Goal of DSA SETUP Attack The goal of the SETUP attack is to leak Alice’s private key x securely and subliminally to the malicious manufacturer of the DSA black-box. The malicious manufacturer uses the key pair (ym,xm) as before. The attack seeks to leak one exponent k in every two successive digital signatures that are output. This securely transmits x to the manufacturer since (known fact): x = r-1 (sk – SHA1(m)) mod q
  • 31. Discrete Log Kleptogram The value computed as an intermediate one: (gt )SHA1(m) ytr mod p = gk mod p Enables a SETUP attack against DSA We call this a discrete-log kleptogram since once we can have something that looks like a DH communicated value we can exploit (reduction to the attack on DH).
  • 32. SETUP Attack Against DSA First DSA signature computation: 1) Alice’s device computes (r1,s1) on message m1 where r1 = (gk1 mod p) mod q and s1 = k1 -1 (SHA1(m1) + xr1) mod q 2) Alice’s device stores exponent k1 in non-volatile memory. Second DSA signature computation: 1) Alice’s device computes k2 = H(ID || (ym k1 mod p)) 2) Alice’s device computes (r2,s2) on message m2 where r2 = (gk2 mod p) mod q and s2 = k2 -1 (SHA1(m2) + xr2) mod q
  • 33. Recovering the 2nd signature exponent The attacker: 1) Obtains (m1,r1,s1) and (m2,r2,s2) via passive eavesdropping. 2) Computes t = s1 -1 mod q 3) Computes T = (gt )SHA1(m1) ytr1 mod p Note that T = gk1 mod p 4) Computes k2 = H(ID || (Txm mod p)) Note that Txm mod p = gk1xm = ym k1 mod p 5) Computes x2 = r2 -1 (s2k2 – SHA1(m2)) mod q
  • 34. Security of the DH SETUP attack Device Indistinguishability: — Note that Alice can always recover k1 and k2 using her private key x. — Since ID is a large randomly chosen string and is secret within Alice’s device, k2 appears random to Alice. Confidentiality w.r.t. the reverse-engineer: — The reverse-engineer learns ID and ym — The reverse-engineer still must solve instances of the Diffie- Hellman problem to learn past DH shared secrets k2.
  • 35. Conclusion The notion of a cryptographic backdoor that is robust against reverse-engineering was introduced (SETUP). A SETUP attack against RSA key generation was presented. A SETUP attack against Diffie-Hellman was presented. A SETUP attack against DSA was presented. These SETUP attacks naturally extend to other cryptosystems as well: e.g., Cramer-Shoup, etc. (ongoing research…
  • 36. Conclusions In all these schemes: we have proof of security of the system (against all but the attacker) and a second security (exclusivity) proof for the attacker [Two systems in one!] and proofs are according to modern standards…. Cryptography is about security (we know..), it is about solving seemingly paradoxical schemes (we know….), and is also about looking for things that no one will ever look at (thus it is also about non-trivial scrutiny, namely: hacking with a purpose)….
  • 37. Conclusions Trust relationships: manufacturer has to be trusted and implementations scrutinized as much as possible. Some black box tests will not work (under cryptographic assumptions) Trust within and about cryptographic system is “tricky” (also true in dealing with other systems, but not everyone thinks about it seriously! So cryptographers ought to look at these other things…) Since cryptographic thinking is important in analyzing security issues  cryptographic training is important! [to catch a thief you have to think like one]