Slide 1

JP Aumasson: Cryptographic Backdooring

Slide 2

/me: @veorq, http://aumasson.jp
BLAKE(2), SipHash, NORX
https://password-hashing.net
https://cryptocoding.net
https://malicioussha1.github.io
DahuCon

Slide 3

Agenda
Why this talk?
Backdooring 101
Sabotage tactics
A perfect backdoor
Conclusion

Slide 4

Why this talk?

Slide 5

You may not be interested in backdoors, but backdoors are interested in you

Slide 6

NSA’s BULLRUN program

Slide 7

Public research mostly nonexistent

Slide 8

2004

Slide 9

http://eprint.iacr.org/2015/097.pdf

Slide 10

Bad reputation: surveillance, deception

Slide 11

“a back door for the government can easily —and quietly—become a back door for criminals and foreign intelligence services.”
http://justsecurity.org/16503/security-front-doors-vs-back-doors-distinction-difference/

Slide 12

And terrorists, etc. (like the internet and encryption)

Slide 13

“It increases the ‘attack surface’ of the system, providing new points of leverage that a nefarious attacker can exploit.”
http://justsecurity.org/16503/security-front-doors-vs-back-doors-distinction-difference/

Slide 14

No content

Slide 15

Not well understood by the public

Slide 16

Especially crypto backdoors

Slide 17

Why do research on backdoors?

Slide 18

Detect backdoors

Slide 19

If you have to implement a backdoor, whatever the reason, better do it well

Slide 20

Backdooring 101

Slide 21

What’s a backdoor?

Slide 22

Not a trapdoor (covert rather than overt)

Slide 23

“A feature or defect that allows surreptitious access to data”

Slide 24

Weakened algorithms (A5/2, GMR, etc.)

Slide 25

Covert channels (exfiltration of keys, etc.)

Slide 26

Key escrow
Clipper chip phone: AT&T TSD3600

Slide 27

“An undocumented way to get access to a computer system or the data it contains”

Slide 28

No content

Slide 29

Bugdoors: backdoors that look like bugs

Slide 30

What’s a good backdoor?

Slide 31

Undetectable
Observables look legit
Requires non-trivial RE

Slide 32

Deniable
Looks unintentional
Isn’t incriminating

Slide 33

NOBUS (no one but us)
Exploitation requires a secret: keys, algorithm, protocol, etc.
Can also be a specific privilege, skill, etc.

Slide 34

Reusable
Multiple times, against multiple targets
Usable without being revealed (unlike Flame’s MD5 collision)

Slide 35

Unmalleable
Not easily tweaked to be exploited by another party
Difficult to replicate without all details

Slide 36

Forward-secure
If the backdoor is detected, previous exploits aren’t compromised

Slide 37

Simple
Minimize code, logic, memory, etc.

Slide 38

Sabotage tactics

Slide 39

Constants

Slide 40

Choose constants that allow you to compromise the security

Slide 41

40 bits modified
Colliding binaries, images, archives
Full control over the content, NOBUS
(BSidesLV/DEFCON/SAC 2014)
https://malicioussha1.github.io

Slide 42

2 distinct files, 3 valid file formats

Slide 43

NIST curves’ coefficients
Hashes of unexplained 16-byte seeds, e.g. c49d3608 86e70493 6a6678e1 139d26b7 819f7e90
(Speculation, not evidence of a backdoor)

Slide 44

Notion of rigidity, or suspiciousness of the constants: “a feature of a curve-generation process, limiting the number of curves that can be generated”
http://safecurves.cr.yp.to/rigid.html

Slide 45

No content

Slide 46

“The BADA55-VPR curves illustrate the fact that ‘verifiably pseudorandom’ curves with ‘systematic’ seeds generated from ‘nothing-up-my-sleeve numbers’ also do not stop the attacker from generating a curve with a one-in-a-million weakness.”
http://safecurves.cr.yp.to/bada55.html

Slide 47

This program can generate millions of plausible values for “somewhat rigid” constants
https://github.com/veorq/NUMSgen
Is it possible to find many “fully rigid” designs?

Slide 48

Dual_EC_DRBG (NSA design, NIST standard)
http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html
If n such that nQ = P is known, the RNG is broken (NOBUS)
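Worked example of the nQ = P property, added here and not part of the slides: a toy Dual_EC_DRBG over the real secp256k1 curve, without the standard's output truncation, in which the holder of the secret scalar n predicts every later output from one observed output. The curve parameters are secp256k1's; BACKDOOR_N, the seed and all function names are assumptions made for the example.

```python
# Added example, not from the slides: a toy Dual_EC_DRBG over the real secp256k1
# curve, without the standard's output truncation, showing that whoever knows n
# with n*Q = P can predict every later output from a single observed one.
P_MOD = 2**256 - 2**32 - 977                       # secp256k1 field prime
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine group law on y^2 = x^3 + 7 mod P_MOD; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                 # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def lift_x(x):
    """A point with x-coordinate x (P_MOD = 3 mod 4, so sqrt is one exponentiation)."""
    return (x, pow((x**3 + 7) % P_MOD, (P_MOD + 1) // 4, P_MOD))

BACKDOOR_N = 0x1F2E3D4C5B6A79880123456789ABCDEF   # assumed: the designer's secret n
P = ec_mul(BACKDOOR_N, G)                          # published point P = n*Q, with Q = G

def dual_ec_outputs(seed, count):
    """Simplified Dual EC: s <- x(s*P), r <- x(s*Q); the real DRBG also truncates r."""
    s, outs = seed, []
    for _ in range(count):
        s = ec_mul(s, P)[0]
        outs.append(ec_mul(s, G)[0])
    return outs

def predict_next(observed_r):
    """With n: lift r to R = +-s*Q, then n*R = +-s*P, whose x is the next state."""
    next_state = ec_mul(BACKDOOR_N, lift_x(observed_r))[0]
    return ec_mul(next_state, G)[0]
```

With the standard's 16-bit truncation the same recovery costs a brute force over the dropped bits; without knowledge of n, recovering s from x(sQ) is the elliptic-curve discrete log problem.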

Slide 49

Constants are anything that is... constant: arithmetic operations, S-boxes, etc.

Slide 50

A backdoor in AES? (Research article by the honorable Dr. Gavekort: https://mjos.fi/doc/gavekort_kale.pdf)

Slide 51

Sabotaged AES S-box?? The AES S-box is just the inverse x → x^-1 in GF(2^8)!

Slide 52

A better S-box for AES! Can you find the real backdoor?

Slide 53

Key generation

Slide 54

Make session keys predictable

Slide 55

3G/4G AKA
Session keys = hash( master key, rand )
Delegate tactical intercepts with low-entropy rand values
Precompute and share session keys
(Just a possibility, not making allegations)

Slide 56

Hide weak parameters

Slide 57

RSA
Hide a small public exponent with some tricks to avoid detection, and recover it using the Boneh-Durfee-Frankel result (CT-RSA 2003)

Slide 58

Key generation as a covert channel for itself

Slide 59

RSA
Hide bits of the prime factors in n
Recover using Coppersmith’s method
Similar to “Pretty-Awful-Privacy” (Young-Yung) (CT-RSA 2003)

Slide 60

Lesson: don’t outsource keygen

Slide 61

Implementations

Slide 62

Slightly deviate from the specs: omit some verifications, etc.

Slide 63

Small subgroup attacks
Omit (EC)DH pubkey validation
(CRYPTO 1997) (PKC 2003)
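The omitted validation from the slide above, as an added example that is not part of the deck: the check a DH implementation must perform on a peer's public value, beside what an implementation that skips it leaks. The group (p = 23 = 2·11 + 1, g = 2 of order 11) and all names are constructed for illustration; the same checks apply to a real-size group, and an ECDH implementation needs the analogous on-curve and subgroup-membership test.

```python
# Added example, not from the slides: DH public-value validation, and the
# small-subgroup leak when it is omitted. Toy parameters, constructed for
# illustration: safe prime p = 23 = 2*11 + 1, g = 2 generates the order-11
# subgroup; a real deployment uses a 2048-bit or larger group, same checks.
P, Q, G = 23, 11, 2

def shared_secret_unvalidated(peer_pub, my_priv):
    """Sabotaged variant: raises whatever the peer sent, no questions asked."""
    return pow(peer_pub, my_priv, P)

def validate_pub(peer_pub):
    """Reject values outside (1, p-1) and values not in the prime-order subgroup."""
    if not 1 < peer_pub < P - 1:
        return False
    return pow(peer_pub, Q, P) == 1       # y^q == 1 iff the order of y divides q

def shared_secret_validated(peer_pub, my_priv):
    """Hardened variant: the peer's value is checked before it touches my_priv."""
    if not validate_pub(peer_pub):
        raise ValueError("invalid DH public value")
    return pow(peer_pub, my_priv, P)

def small_subgroup_leak(my_priv):
    """p-1 has order 2: the unvalidated secret is 1 or p-1 and reveals the low bit of my_priv."""
    s = shared_secret_unvalidated(P - 1, my_priv)
    return s, (s == P - 1) == (my_priv % 2 == 1)
```

Without the check, a peer who chooses an element of a small subgroup confines the shared secret to a few candidates and learns the private exponent modulo that subgroup's order; with it, such values are rejected before any key derivation.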

Slide 64

TLS MitM
Incomplete cert verification

Slide 65

“Misuse”
Repeated stream cipher nonces

Slide 66

NOBUS unlikely...

Slide 67

Software

Slide 68

Bugdoors in the crypto
Deniability may be plausible

Slide 69

    goto fail;
    goto fail;
    goto cleanup;

Slide 70

Probably unintentional
Not NOBUS anyway

Slide 71

RC4 bugdoor (Wagner/Biondi)

    #define TOBYTE(x) (x) & 255
    #define SWAP(x,y) do { x^=y; y^=x; x^=y; } while (0)

    static unsigned char A[256];
    static int i=0, j=0;

    unsigned char encrypt_one_byte(unsigned char c) {
        int k;
        i = TOBYTE( i+1 );
        j = TOBYTE( j + A[i] );
        SWAP( A[i], A[j] );
        k = TOBYTE( A[i] + A[j] );
        return c ^ A[k];
    }

Slide 72

RC4 bugdoor (Wagner/Biondi)

    #define TOBYTE(x) (x) & 255
    #define SWAP(x,y) do { x^=y; y^=x; x^=y; } while (0)

    static unsigned char A[256];
    static int i=0, j=0;

    unsigned char encrypt_one_byte(unsigned char c) {
        int k;
        i = TOBYTE( i+1 );
        j = TOBYTE( j + A[i] );
        SWAP( A[i], A[j] );   /* what if ( i == j ) ? */
        k = TOBYTE( A[i] + A[j] );
        return c ^ A[k];
    }
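The effect of the i == j case in the RC4 bugdoor above, as an added example that is not part of the slides: the keystream loop ported to Python twice, once with a proper swap and once with the slide's XOR-based SWAP, plus a standard key schedule so both can be run from the same key. Function names and the sample key are assumptions made for the example.

```python
# Added example, not from the slides: the RC4 bugdoor ported to Python beside a
# correct PRGA, to show what the XOR-based SWAP does when i == j. XOR-swapping a
# cell with itself zeroes it, zeros can never leave the state again, and a state
# that has collapsed to all zeros produces an all-zero keystream.
def rc4_ksa(key):
    """Standard RC4 key scheduling; returns a permutation of 0..255."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 255
        S[i], S[j] = S[j], S[i]
    return S

def prga_correct(S, i, j, n):
    """Reference PRGA with a proper swap; mutates S, returns (keystream, i, j)."""
    out = []
    for _ in range(n):
        i = (i + 1) & 255
        j = (j + S[i]) & 255
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 255])
    return bytes(out), i, j

def prga_bugdoor(S, i, j, n):
    """Same loop with the slide's SWAP macro (x^=y; y^=x; x^=y) on S[i], S[j]."""
    out = []
    for _ in range(n):
        i = (i + 1) & 255
        j = (j + S[i]) & 255
        S[i] ^= S[j]            # if i == j this is S[i] ^= S[i], i.e. S[i] = 0 ...
        S[j] ^= S[i]            # ... and the next two XORs keep it at 0
        S[i] ^= S[j]
        out.append(S[(S[i] + S[j]) & 255])
    return bytes(out), i, j

def first_collision_step():
    """Identity state, i = j = 0: step 1 gives i = j = 1, so the two PRGAs diverge."""
    good, bad = list(range(256)), list(range(256))
    ks_good = prga_correct(good, 0, 0, 1)[0]
    ks_bad = prga_bugdoor(bad, 0, 0, 1)[0]
    return good[1], bad[1], ks_good, ks_bad    # (1, 0, b'\x02', b'\x00')

def compare(key, n):
    """Run both PRGAs for n bytes from the same key schedule; also count zero cells."""
    good, bad = rc4_ksa(key), rc4_ksa(key)
    ks_good = prga_correct(good, 0, 0, n)[0]
    ks_bad = prga_bugdoor(bad, 0, 0, n)[0]
    return ks_good, ks_bad, good.count(0), bad.count(0)
```

A correct state always contains exactly one zero (it is a permutation); every i == j event in the bugdoored loop adds one more, which is why the slide's one-line change looks like an ordinary macro but slowly turns the cipher into a near-identity map.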

Slide 73

Hardware

Slide 74

IC trojans

Slide 75

Malicious modification of a chip
At design (HDL), fab (netlist), distribution (IC)
Detection difficult

Slide 76

“Undetectable by optical RE!” (CHES 2013)

Slide 77

“Maybe, but not with electronic imaging (SEM)” (CHES 2014)

Slide 78

CPU multiplier
X × Y = Z correct except for one “magic” pair (X, Y)
Exploitable to break RSA, ECC, etc.
2^128 pairs for 64-bit MUL, detection unlikely

Slide 79

A perfect backdoor
http://phili89.wordpress.com/2010/05/24/the-perfect-crime-project-38/

Slide 80

Covert channel with a malicious RNG
NOBUS thanks to public-key encryption
Undetectable thanks to proven indistinguishability

Slide 81

Compute X = Enc( pubkey, secret data to exfiltrate )
X values should look random
Use X as IVs for AES-CBC

Slide 82

Public-key encryption scheme with ciphertexts indistinguishable from random strings?

Slide 83

No content

Slide 84

Elligator curves
http://safecurves.cr.yp.to/ind.html

Slide 85

The RNG circuit must be hidden, for example in an FPGA/PLD, which is difficult to RE

Slide 86

Communications and computations indistinguishable from those of a clean system

Slide 87

In case of full RE: backdoor detected but unexploitable; previous covert comms remain safe (FS)

Slide 88

What can be exfiltrated?
RNG state
Can give past and future session keys, depending on the RNG construction

Slide 89

Many other techniques…

Slide 90

Conclusion

Slide 91

All this is quite basic (Credit: @krypt3ia)

Slide 92

And that’s only for crypto

Slide 93

Should we really worry about backdoors? Or first fix bugs and usability issues?

Slide 94

“Competition to write or modify crypto code that appears to be secure, but actually does something evil”
https://underhandedcrypto.com/
16 submissions received
Winner: John Meacham, sabotaged AES, confusion in standard type redefinition
Runner-up: Gaëtan Leurent, ZK identification protocol, buggy Hamming weight

Slide 95

Thank you!