Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSA's BSAFE product, a modified Dual-EC in Juniper's operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions that do not use nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor into an already secure, safe and easy-to-audit implementation has so far rarely been researched in public. We present two ways of building a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor: a composite modulus with a hidden subgroup (CMHS) and a composite modulus with a smooth order (CMSO). We then explain how we were able to subtly implement and exploit it in a local copy of an open-source library using the TLS protocol.
9. TLS
pre-2007: absence of TLS
2007: TLS only for login forms (Graham sniffs Gmail cookies live at Blackhat)
2009: Moxie releases SSLstrip at Blackhat
2010: HSTS introduced in Firefox / Firesheep
2013: Facebook is full-HTTPS / Snowden leaks
2010/2014: preloaded HSTS introduced in Chrome
18. Logjam
• hardcoded DHE parameters in Apache
• NSA believed to be able to compute discrete logarithms modulo 1024-bit integers
• too much work
21. U.S. export rules
• weak “Export” Cipher Suites
• 512-bit primes for Diffie-Hellman
• 40-bit keys for DES
25. LOTUS NOTES
• 64-bit crypto allowed…
• …if 24 bits of the key are encrypted to the NSA
• NSA’s RSA public key O=MiniTruth CN=Big Brother
28. Kleptography
• A kleptographic attack is an attack which uses asymmetric cryptography to implement a cryptographic backdoor.
• A secure kleptographic attack is undetectable as long as the cryptosystem is a black box.
• What about white-box? Reverse engineering?
91. Detect and Protect
• Check for prime modulus
• Better: check for safe prime modulus
• Google Chrome deprecating DHE (-> ECDHE)
• migrating to ECDHE
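As an added example (not code from the talk or its authors), a Python checker that applies the two tests this slide recommends to a Diffie-Hellman modulus p: a Miller-Rabin primality test on p, then on q = (p - 1)/2 for the safe-prime test. The sample moduli are assumptions: the RFC 2409 group 2 prime as a known-good value, the Mersenne prime 2^127 - 1 as a prime that is not safe, and a constructed composite standing in for a backdoored modulus.

```python
import random

# Constructed sample inputs (assumed, not from the talk): the RFC 2409 "group 2"
# 1024-bit MODP safe prime, the prime 2^127 - 1 (not safe), and a composite.
RFC2409_GROUP2_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
MERSENNE_127 = 2**127 - 1
COMPOSITE_MODULUS = (2**127 - 1) * (2**61 - 1)
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test: trial division by small primes, then `rounds`
    random bases; a composite survives with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**s with d odd
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # no square reached n - 1: n is composite
    return True


def classify_dh_modulus(p: int) -> str:
    """Apply the two checks from the slide: reject a composite modulus, and
    prefer a safe prime, i.e. one where q = (p - 1) // 2 is prime too."""
    if not is_probable_prime(p):
        return "composite"
    if not is_probable_prime((p - 1) // 2):
        return "prime-not-safe"
    return "safe-prime"
```

The composite moduli described in the abstract fail the first test; the second test matters because a prime p whose p - 1 is smooth still leaves discrete logarithms easy. Neither test says anything about size, so a 1024-bit modulus that passes both is still in the range the Logjam slide calls weak.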