How to use untrusty cryptographic devices Daniel Kucner Mirosław Kutyłowski Institute of Computer Science Institute of Mathematics University of Wrocław Wrocław University of Technology and CC Signet Tatracrypt ’03 – p.1/20 Black-Box device the following data is available for a black-box device: specification of a protocol implemented, some quality certificates (according to Common Criteria, FIPS, ...) Tatracrypt ’03 – p.2/20 Black-Box device the following data is available for a black-box device: specification of a protocol implemented, some quality certificates (according to Common Criteria, FIPS, ...) Advantages: unchangeable (no viruses, no malicious changes) safer and faster then software Tatracrypt ’03 – p.2/20 Black-Box device the following data is available for a black-box device: specification of a protocol implemented, some quality certificates (according to Common Criteria, FIPS, ...) Advantages: unchangeable (no viruses, no malicious changes) safer and faster then software Disadvantages: a real black-box – impossible to verify Tatracrypt ’03 – p.2/20 How do we know that a device is honest? verification is extremely complex certification authorities need to be trusted produced by a foreign manufacturer (under control of a foreign secret service?) Tatracrypt ’03 – p.3/20 How do we know that a device is honest? verification is extremely complex certification authorities need to be trusted produced by a foreign manufacturer (under control of a foreign secret service?) the danger is real – kleptography techniques Tatracrypt ’03 – p.3/20 Bob generate random generate random to Alice send to Bob send Alice Diffie-Hellman key exchange Tatracrypt ’03 – p.4/20 – adversary’s keys. ! &%#$" () 3 21/ 0 -.' 4. return () , ' 3. ' 2. return 1. generate random Device +* Kleptography - device (DH) Tatracrypt ’03 – p.5/20 – adversary’s keys. '- ' 3 ' 12/ 0 * then return 4 , ' , '- 2. 3. if 3 12/ 0 1. Adversary eavesdrops + () -.' 4. return () , ' +* 3. ' 2. return 1. generate random &%# " Attack ! Device +* Kleptography - device (DH) Tatracrypt ’03 – p.5/20 Kleptography - detection Different number of exponentiation changes stochastic characteristic of computation time G 2IH G IH DF W E F : ) QE :P C JV TU C S5 K , SB N ML O C D )E : KJ G I2H DF ) E C 6B R ; @ A generate random 7 >?= < generate random 7 : 98 6 DH contaminated device 65 DH clear device Tatracrypt ’03 – p.6/20 Idea of solution combine two or more devices of different manufacturers even if each of them is contaminated, the result should be secure Tatracrypt ’03 – p.7/20 using X using \ Z YX - [ Z 2. Y\ 1. [ Secure DH with contaminated devices Tatracrypt ’03 – p.8/20 Z \ X from Bob 4. get X \ Z - [ YX 3. send using using 2. Y\ 1. [ Secure DH with contaminated devices to Bob Tatracrypt ’03 – p.8/20 Z X X \ \ X using to Bob using \] X] [ 7. \] - [ X] 6. ] 5. from Bob 4. get \ Z - [ YX 3. send using using 2. Y\ 1. [ Secure DH with contaminated devices Tatracrypt ’03 – p.8/20 Proof of SDH security - outline cd ` e ghf e g f cd j ^_ i_ given find ba` if one device is secure then whole is secure otherwise adversary has to solve problem: Tatracrypt ’03 – p.9/20 l l k @_ using @ 6o l n m 2. compute a generator @ @ 1. set in k Another secure DH ? Tatracrypt ’03 – p.10/20 l l k @_ @ m @ l pl n So @ pm using to the partner and obtain r 5. send pm 4. compute using p k q a generator n 3. set in p k q 2. compute pl _ 6o a generator m @ 1. set in k Another secure DH ? Tatracrypt ’03 – p.10/20 l k @_ m @ So pr n 6o r n pr and compute the key r k r So pl n pm into and compute @ pr using to the partner and obtain p k s into 7. put l @ p k q pm 6. put r 5. send @ a generator 4. compute using p k q 6o m 3. set in n 2. compute pl _ k a generator @ 1. set in l Another secure DH ? Tatracrypt ’03 – p.10/20 l k @_ m @ So pr n r So 6o rN p r 6o _ 6o r n pr and compute the key _r k r So pl n pm into and compute @ pr using to the partner and obtain p k s into 7. put l @ p k q pm 6. put r 5. send @ a generator 4. compute using p k q 6o m 3. set in n 2. compute pl _ k a generator @ 1. set in l Another secure DH ? Tatracrypt ’03 – p.10/20 t p V V @ w vV { 6 S t z @ IH G {U S :V z F 6 C } where ~ pt p @ w t y x S} ~ pt @ vV vV w x t p ~ 6} y pt p @ S V V 6. put 7. put into into W and compute S { SD W S using and compute 5. send @ w V V S 6 y{ t p x S oS y t p z z S 6 C{ SD a generator z 4. compute @ w t @V @V 6 D { S o6 y x ) 6 using S S S y{ vV @ x V pt 2. compute S { t x S o| z y vV w pt p 3. set in z 6 C D 6D a generator ) then 1. set in S S w t x vV pt vV V @V pu t p pu t – observable 6 @ @ w pt Attack on (in)secure DH . . to the partner and obtain iterate: Tatracrypt ’03 – p.11/20 [ [ Z 1. pick a random 2. compute 3. compute ElGamal Encryption Tatracrypt ’03 – p.12/20 \ X \ (on PC) of message \ X X 5. return ciphertext using device (on PC) (on PC) 4. 3. 2. compute ciphertext \ 1. compute ciphertext X Secure ElGamal Encryption (SEGE 1) Tatracrypt ’03 – p.13/20 \ X \ \ \ 6. return ciphertext (on PC) (on PC) - \ X X 5. 4. 3. \ X X 2. X \ so that 1. find X Secure ElGamal Encryption (SEGE 2) Tatracrypt ’03 – p.14/20 ¡ \ ¢ - [ [ - [ ¢ - [ [ (on PC) [ Z \ (on PC) ¡ \ 6. return ciphertext ¡ \ X X \ \ - \ X X X \ X \ X so that X ¡ ¡ 5. X 1. find X 4. \ 3. 2. Secure ElGamal Encryption (SEGE 2) Tatracrypt ’03 – p.14/20 e ghf d ¦p£ @a @ 6 £ « © ®¯¬ n £ £ § ¦p£ £ ¥¤@ « ª @ ¤@ i © 1. find 2. ¨ Secure ElGamal Encryption (SEGE 3) Tatracrypt ’03 – p.15/20 e ghf d @a £ pª « v ¦p£ © pi | ®¯¬ ª v ¤v i n « © v l k ° pª to ¤ , a ciphertext of k « @ 6 © pi « © ®¯¬ p k ¦p£ £ £ § ¦p£ ª @ ¤@ i n « © ¥¤@ £ 1. find 2. 3. computes 4. set of to 5. set public key of 6. ¨ Secure ElGamal Encryption (SEGE 3) Tatracrypt ’03 – p.15/20 d @a pª « « © ¤ i return ciphertext ª i ª ¦p£ © e hgf @a v pi | e hgf vd vd @a n ª ®¯¬ ª v i i n ¤v i n « © v l k ° « pª to ¤ pi , a ciphertext of k © @ 6 £ « © ®¯¬ computes set of to set public key of p k ¦p£ £ £ § ¦p£ ª @ ¤@ i n « © ¥¤@ £ ¨ find ª 1. 2. 3. 4. 5. 6. 7. 8. 9. e ghf Secure ElGamal Encryption (SEGE 3) Tatracrypt ’03 – p.15/20 r a£ |o 6o NS ± o |o 6o NS ± o « © e hgf i e hgf vd @a n ®¯¬ ª ¦p£ | v ¤v « © « ¤ pi pª ° pª k k v pi v l to o _| So l ª ¤ i ª vd @a i n p k , a ciphertext of rN p£ a a 6o r £ @a 6o return ciphertext p i o _ | l i i ª n © computes set of to set public key of p ª o _ | p£ a a v_ r a 6o @a £ i_ i « © @ 6 @ ¤@ n £ ®¯¬ ª i « © « © £ d £ £ ¨ e ghf ¦p£ @a § ¦p£ ¥¤@ find @a ª_ i 1. 2. 3. 4. 5. 6. 7. 8. 9. ª Secure ElGamal Encryption (SEGE 3) Tatracrypt ’03 – p.15/20 g both devices have the same r p e hgf So d p l pm _ - no general algorithm, exist such that for random we could So @ - as above lN 6o ¤ @g p ¤ g e hgf , then m_ l @ 6o d @_ m g g devices have different perhaps special and ? compute ¤ g if both devices have the same parameters DH could be broken ¤ l How to get product of exponents? Tatracrypt ’03 – p.16/20 ElGamal Signature Protocol : 3. ¡ 4. output the signature ³ ² X Z 2. [ 1. compute a random Sign a message Tatracrypt ’03 – p.17/20 ` i k ` ¤ l ¤ ´ @ i (on PC) £ ¤ m ¤ l for parameters g ° @d e ghf « pª for message ¸ ¤ and (random « ¤ pi ¶ pª pi ¤@ ª to · © generates ª _ « 6. ¤ i © p k © 4. Alice sets generator of ¤@ @ from p k @ µ¤@ ¶ 3. Alice computes 5. @ for parameters g ª i k generates private key) @ 2. to « © 1. Alice sends arbitrary hash ´ Secure ElGamal Signature Tatracrypt ’03 – p.18/20 Conclusions We have shown how to use devices for Diffie-Hellman ElGamal Encryption ElGamal Signature to keep safe even if devices are contaminated. Tatracrypt ’03 – p.19/20 Problems \ ¹ into X ¹ RSA – well known: split ¹ what about systems without random numbers? for splitting the secret! could we construct such a protocol for Rabin encryption, signature? Tatracrypt ’03 – p.20/20
© Copyright 2024