Understanding and Implementing Encryption Backdoors By Derek Kern CSC7002 March 31, 2012
Contents ● The Setup ○ History: The Zimmerman Telegram ○ The Conceit ○ Where to conceal the backdoor ○ Asymmetric vs. Symmetric ● RSA ○ Simple Symmetric Backdoor ○ Extended Symmetric Backdoor ● ElGamal ○ Aside: Generating Groups and Primitives ○ Simple Symmetric Backdoor ● Electronic Book Cipher ○ Simple Symmetric Backdoor
Introduction ● Encryption algorithms like RSA, ElGamal, etc appear to be secure in the abstract ● Unfortunately, we do not use them in the abstract ● We trust that implementations of these algorithms are sound and honest ○ Sound - No cryptographically significant bugs ○ Honest - No backdoors ● Could e-commerce exist without this trust? ● My overall goal was to discover how easy it is to plant backdoors in order to determine whether this trust is warranted
Introduction ● Questions to be examined ○ How easy is it to embed backdoors into encryption implementations? ■ RSA ■ ElGamal ■ Electronic Book Cipher ○ What is it about encryption algorithms that make them susceptible to backdoors? ○ How can backdoors be revealed?
The Zimmerman Telegram The Ciphertext ● Sent by A. Zimmerman, German Foreign Secretary, to the German Ambassador of Mexico ● The Germans, anticipating an American response to planned unrestricted submarine warfare, were attempting to convince Mexico to attack the US ● They promised Texas, New Mexico and Arizona ● The telegram was to the government of intercepted and Mexico decoded by the British
The Zimmerman Telegram The plaintext We intend to begin on the first of February unrestricted submarine warfare. We shall endeavor in spite of this to keep the United States of America neutral. In the event of this not succeeding, we make Mexico a proposal of alliance on the following basis: make war together, make peace together, generous financial support and an understanding on our part that Mexico is to reconquer the lost territory in Texas, New Mexico, and Arizona. The settlement in detail is left to you. You will inform the President of the above most secretly as soon as the outbreak of war with the United States of America is certain and add the suggestion that he should, on his own initiative, invite Japan to immediate adherence and at the same time mediate between Japan and ourselves. Please call the President's attention to the fact that the ruthless employment of our submarines now offers the prospect of compelling England in a few months to make peace. Signed, ZIMMERMANN
The Conceit ● You are given a black box ● This box could be hardware or software ● Depending upon the algorithm, it may generate keys or encrypt the plaintext ● How would you know that this box is honest? ○ Are the keys being generated honest? ○ Is the ciphertext honest? ● When we discussed DES, we focused upon whether a backdoor was embedded into the algorithm
The Conceit ● This may have been the case, but the easiest place to embed a backdoor is in the implementation of an algorithm ● We will focus upon the implementation ● The actors in this cryptography story are: ○ Alice - Encryption user ○ Bart - Encryption user ○ EveCorp - Encryption implementer
What is a backdoor? ● A.k.a trapdoor ○ I avoided this synonym because of the use of 'trapdoor' when discussing trapdoor functions ● It is a selective weakening of a cryptographic implementation (or algorithm) such that a third party, EveCorp, can decrypt communications between Alice and Bob ● Usually backdoors are hidden, but not always (remember the, now defunct, Clipper chip) ● We will be focusing upon hidden backdoors
What is a backdoor? ● Food for thought: Is intention the only aspect that truly differentiates backdoors from implementation errors?
Where to conceal a backdoor ● Random number generators ○ In this case, EveCorp would have a good idea what random numbers will be generated ● In subtle code ○ In 2003, a hacker tried to slip a backdoor into Linux kernel. The difference between the honest and dishonest implementations was a single equal sign ● In public keys ○ We will see two such backdoors ● In ciphertext ○ We will see one such backdoor
Symmetric vs Asymmetric ● So, you are EveCorp ○ You have inserted a backdoor into an implementation ○ If, upon finding the backdoor, someone could use it to decrypt Alice and Bob's communications, then the backdoor is symmetric ○ If, upon finding the backdoor, someone could not use it to decrypt Alice and Bob's communications, then the backdoor is asymmetric [YY96] ● We will see only symmetric backdoors ● Asymmetric backdoors typically involve encrypting the backdoor itself
What should EveCorp's backdoor look like? ● The backdoor should: ○ ...allow polynomial time access to the contents of the message ● The backdoor should not: ○ ...cause the black box output to be distinguishable, in polynomial time, from honest black box output. Thus, it should be sufficiently hidden ○ ...weaken the encryption implementation such that it is open to non-backdoor attacks
RSA ● Quick Review ○ Start by generating two large primes, p and q; their product becomes the public key modulus, n ○ phi(n) = ( p - 1 )( q - 1 ) ○ Find the public key exponent, e, such that gcd( e, phi(n) ) = 1 ○ Find the private key exponent, d, such that d is the multiplicative inverse of e modulo phi(n) ○ Let m be the plaintext and c be the ciphertext ○ Encrypt: c = m e (mod n) ○ Decrypt: m = c d (mod n)
RSA ● Dirichlet's Prime Number Theorem ○ For any two positive coprime integers, a and d , there are infinitely many prime numbers of the form nd + a where n >= 0. [Dud08] Call these primes 'Dirichlet Primes' ○ Upshot: Given an arithmetic series nd + a, where a and d are coprime, there are an infinite number of prime numbers as n goes to infinity ○ Example ■ Let a = 5 and d = 7 ● n = 1: 1(7) + 5 = 12 --- Nope ● n = 2: 2(7) + 5 = 19 --- Bingo
RSA ● Dirichlet's Prime Number Theorem ○ So, how is Dirichlet's Theorem (DT) relevant? ■ Well, what happens if we do the following? ● n(d) + a (mod d) ● Example 2(7) + 5 = 19 ○ 19 ≡ 5 (mod 7) ○ ■ So, by looking at 19 mod 7, we are able to 'release' 5 from the sum ■ Thus, we are able to release the value of a from the Dirichlet Prime modulo d
RSA ● Simple Symmetric Backdoor [And93] ○ Choose p and q using Dirichlet's (td + a) ■ Note: I've renamed n to t in order to avoid confusion ○ Fix d to be a large prime; this is the backdoor key. It will be hidden in the black box ○ (1) Choose a random prime a such that a has roughly a quarter the bits of d ; we know that a and d are coprime ○ (2) Set t to be some initial value that is about a quarter of the bits of d; this initial value should be some function, f(x), of a and d ○ (3) Increase t until (td + a) is a prime ○ Do (1), (2) and (3) for p and q
RSA ● Simple Symmetric Backdoor ○ Now, consider n: ■ n = pq = (t 1 d + a 1 )(t 2 d + a 2 ) [Kal94] ● pq = t 1 dt 2 d + a 1 t 2 d + a 2 t 1 d + a 1 a 2 ● And this modulo d is: a 1 a 2 ● a 1 and a 2 are much smaller than p and q and can be easily factored ○ Assume that we factor a 1 a 2 to obtain a 1 and a 2 ■ How do we obtain p and q? ○ We know d and have a 1 and a 2 ; we also know f(x) ○ Use f(d + a 1 ) and f(d + a 2 ) to get the initial values of t , t 1 and t 2 , for p and q
RSA ● Simple Symmetric Backdoor ○ For each t , t 1 and t 2 , increase t until a prime is reached ○ For t 1 , this prime will p; for t 2 , this prime will be q ○ With p and q, the ciphertext can be decrypted
RSA - Simple Symmetric Backdoor Honestly generated keys e = 93854897993268419291268282158132054459478903016461905919978319015693947069231026005974211 7337930805914627366311257693964672312365587416140319953949 m = 62016643699815891866681776782968332929444025522604782939725140786641517313787243227776152 04975376524559040066052482523719642724550770881042443457837 d = 76142261560107732310949314937054504027136222912946759700839906428395196232482475719392595 9696795501194641200735629994701463260345872178329048258349 Dishonestly generated keys e = 38679033777561333679744814330283741777516711549088393212436928676715685026888635251008547 554814821766015253704097564971842900261750864932507866030963 m = 94837333025621043745241580207768261280757907156643485047688214354183296858393461170480771 1854450795093240193241133277726482805691469236923612526751981 d = 16866847269610423710279206935327981980647459578169704285835920028040686215635642293732050 210554408831060031156790302211642479203284798196797865229243
RSA ● Simple Symmetric Backdoor ○ Is this backdoor secure from outside attacks? ○ Kaliski [Kal94] proposes a method of freeing "trapped moduli" ■ He says that this is "easy" to do ■ However, requires many different public key moduli that use the same backdoor key ● It may be hard to obtain enough of them ● Each device could be given a unique backdoor key ○ So, it appears to be secure
Recommend
More recommend
