Backdoors in PRGs and PRNGs - CryptoExperts · 2017-06-08
Backdoors in PRGs and PRNGs
Kenny Paterson
Information Security Group
@kennyog; www.isg.rhul.ac.uk/~kp

Overview of this lecture
• Motivation for considering backdoors
• Backdoors in PRGs
• Backdoors in PRNGs (PRGs with entropy inputs)
Motivation
The Snowden revelations
• In 2013, Snowden revealed the extent of the NSA mass surveillance programs
• New threat model:
  • Backdoors, subversion, …
• Led to increased suspicion of the Dual_EC pseudorandom generator
  • Standardized by several standardization bodies: NIST, ISO, ANSI, …
  • Simple generator based on two (specific and fixed) elliptic curve points, P and Q.
  • Biased and slow, so no real incentive to use it.
  • But knowledge of the discrete log of P w.r.t. Q allows state recovery from generator outputs (Shumow-Ferguson 2007), so a good target for backdooring.
Basis for an attack against TLS?
TLS ECDHE handshake (simplified):

Client                                                   Server
   ------ client random ------------------------------->
   <----- server random, session ID, cert(pk), aP, sig --
   ------ bP, Finished --------------------------------->
   <----- Finished --------------------------------------

MS = PRF(x(abP), "master secret", client random, server random)

Checkoway et al., "On the Practical Exploitability of Dual EC in TLS Implementations", USENIX '14
The Juniper incident
Juniper Networks is a major vendor of network security devices.
ScreenOS is the Operating System in Juniper's Netscreen VPN product family.
2008: Juniper adopt Dual_EC in ScreenOS.
10/2013: Juniper publish a knowledge base article explaining that ScreenOS uses Dual EC, but "in a way that should not be vulnerable to the possible issue that has been brought to light".
• Custom Q instead of NIST-standardised (and NSA-generated) Q.
• Dual_EC output post-processed by ANSI X9.31 generator.
12/2015: Juniper makes vulnerability announcement:
"VPN Decryption (CVE-2015-7756) may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic. […] This issue affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue. There is no way to detect that this vulnerability was exploited".
The Juniper incident
2015/2016: Reverse engineering effort by Checkoway et al. discovers:
• Subtle scoping bug in code means that Dual_EC output is directly exposed as ScreenOS PRNG output (instead of being post-processed).
• Increased nonce size of 32 bytes in Juniper IKE implementation is ideal for recovering Dual_EC state.
• Even though nonce follows DH value in IKE protocol, nonce value is generated before DH value and stored in a queue.
• Hence, someone who knows dlog_P(Q) can recover (EC)DH private value using Dual_EC backdoor, and thence all encryption keys, from observing a single IKE run.
• CVE-2015-7756 actually refers to a change in the Q value: it appears that Juniper's custom Q value was replaced in 2012, along with test vectors, by persons unknown.
• So Juniper (and possibly others) could passively break customers' IPsec traffic, but then lost the capability to persons unknown.
Details in: Checkoway et al., A Systematic Analysis of the Juniper Dual EC Incident, ACM CCS 2016.
Backdoors in PRGs
Main research question: To what extent can provably secure pseudorandom generators be backdoored?
Two recent research papers addressing this:
• Dodis-Ganesh-Golovnev-Juels-Ristenpart (Eurocrypt 2015)
• Degabriele-Paterson-Schuldt-Woodage (Crypto 2016)
Pseudorandom Generators (PRGs)
A pseudorandom generator PRG = (setup, init, next):
  setup(1^λ) → (pp, bk)
  init(pp) → st
  next(st) → (r, st')
Given a short random seed as input, a PRG outputs an arbitrarily long string of pseudorandom bits.
Forward Security for PRGs
Game FWD(A, q):
  (pp, bk) ← setup(1^λ)
  st_0 ← init(pp)
  (st_q, r_1^0, …, r_q^0) ← [next]^q(st_0)        // next iterated q times from st_0
  (r_1^1, …, r_q^1) ←$ uniformly random strings
  b ←$ {0,1}
  b' ← A(pp, r_1^b, …, r_q^b, st_q)
  return (b = b')
Advantage: Adv^FWD(A, q) = 2·|Pr[FWD(A, q) ⇒ 1] − 1/2|
(q, ε)-FWD security: for all A, Adv^FWD(A, q) ≤ ε
Backdoored PRGs
Backdooring game
Let type-BPRG(B) be a game capturing a specific backdooring goal, and let Adv^type(B) denote the corresponding advantage. Here B is the backdoor adversary ("Big Brother"), who holds bk.
(q, δ, [type, ε])-FWD-secure BPRG:
A tuple of algorithms PRG' = (setup, init, next, B) is a (q, δ, [type, ε])-FWD-secure BPRG if:
• PRG = (setup, init, next) is a (q, δ)-FWD-secure PRG
• Adv^type(B) ≥ ε
Dodis-Ganesh-Golovnev-Juels-Ristenpart (2015)
• Consideration of various different backdooring goals:
  • Distinguishing output from random: type = DIST
  • Prediction of past/future outputs given current output (random seek): type = RSEEK
  • Prediction of current state: type = NEXT
  • (In practice, BB would like to recover initial state, not addressed by Dodis et al.)
• Equivalence of DIST-backdoored PRGs and single-bit public key encryption with pseudorandom ciphertexts.
  • So backdoored PRGs are really public key primitives.
  • cf. use of ECDLP to build Dual_EC.
  • Means that constructions will "look suspicious".
DIST-BPRG game
Game DIST-BPRG(B, q):
  (pp, bk) ← setup(1^λ)
  st_0 ← init(pp)
  (st_q, r_1^0, …, r_q^0) ← [next]^q(st_0)
  (r_1^1, …, r_q^1) ←$ uniformly random strings
  b ←$ {0,1}
  b' ← B(bk, r_1^b, …, r_q^b)
  return (b = b')
Advantage: Adv^DIST(B, q) = 2·|Pr[DIST-BPRG(B, q) ⇒ 1] − 1/2|
(q, δ, [DIST, ε])-FWD-secure BPRG:
• PRG = (setup, init, next) is (q, δ)-FWD-secure.
• Adv^DIST(B, q) ≥ ε
Construction of bit encryption using a backdoored PRG, from [DGGJR15]
Given a (q, δ, [DIST, ε])-secure BPRG (setup, init, next, B), with setup(1^λ) → (pp, bk), init(pp) → st and next(st) → (r, st'), build a PKE scheme:
KGen(1^λ):
  (pp, bk) ← setup(1^λ)
  return (PK = pp, SK = bk)
Enc(PK, b):
  if b = 0: st_0 ← init(PK); (st_q, r_1^0, …, r_q^0) ← [next]^q(st_0)
  if b = 1: (r_1^1, …, r_q^1) ←$ uniformly random strings
  return c = (r_1^b, …, r_q^b)
Dec(SK, c):
  b' ← B(SK, c)
  return b'
Theorem: The construction produces a single-bit PKE scheme that is ε-correct and (q, δ)-IND$-CPA secure.
Further results in [DGGJR15]
• Various constructions for backdoored PRGs for the different goals, DIST, RSEEK, NEXT.
• Careful study of "immunisation" of backdoored PRGs to remove backdoors.
  • Highly relevant in light of the Juniper incident!
Open problems:
• Can a BPRG be simultaneously forward secure and allow recovery of past outputs via backdooring?
• Can we achieve stronger backdooring notions for PRGs, like recovery of initial state?
FIRST-BPRG game from [DPSW16]
Game FIRST-BPRG(B, q, i):
  (pp, bk) ← setup(1^λ)
  st_0 ← init(pp)
  (st_q, r_1, …, r_q) ← [next]^q(st_0)
  st' ← B(bk, r_i)
  return (st_0 = st')
Advantage: Adv^FIRST(B, q, i) = Pr[FIRST-BPRG(B, q, i) ⇒ 1]
(q, δ, [FIRST, ε])-FWD-secure BPRG:
• PRG = (setup, init, next) is (q, δ)-FWD-secure.
• Adv^FIRST(B, q, i) ≥ ε for every i.
FIRST is a powerful backdooring notion: recovery of initial state st_0 from any output r_i allows reconstruction of all past and future outputs!
Building a FIRST-BPRG [DPSW16]
Ingredients:
• A forward secure PRG' = (setup', init', next')
• An IND$-CPA secure reverse-rerandomizable encryption scheme PKE = (keygen, enc, rerand, rev-rerand, dec)
IND$-CPA: ciphertexts are indistinguishable from random strings.
Rerandomizable: for all pk, m, r': {enc(pk, m; r) | r ← R} ≈ {rerand(enc(pk, m; r'), r) | r ← R}
Reverse-rerandomizable: for all pk, m, r, r': enc(pk, m; r) = rev-rerand(rerand(enc(pk, m; r), r'), r')
A FIRST-BPRG construction [DPSW16]
setup(1^λ):
  (pk, sk) ← keygen
  (pp', ⊥) ← setup'
  pp ← (pp', pk); bk ← sk
  return (pp, bk)
init(pp):
  st_0 ← init'(pp')
  c_0 ← enc(pk, st_0)
  state: (st_0, c_0)
next(state = (st, c)):
  (r, st') ← next'(st)
  c' ← rerand(c, r)
  output c'; new state (st', c')
Using bk, the backdoor adversary can:
• Decrypt c to obtain st_0;
• Run PRG' to generate the r values;
• Reverse the rerandomizations of c to obtain c_0.
• (Run the PRG forward to compute all outputs.)
PRG = (setup, init, next) is a (q, δ, (FIRST, 1))-FWD-secure BPRG. This follows from:
• Forward security of PRG' = (setup', init', next')
• IND$-CPA security and rerandomization security of PKE = (keygen, enc, rerand, rev-rerand, dec)
• Ability to recover r values and reverse the rerandomizations
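The FIRST-BPRG construction above and Big Brother's recovery procedure, as an added toy Python example (not code from the slides or from [DPSW16]). It assumes a hash-ratchet PRG' as the forward-secure generator and uses ElGamal in a small prime-order subgroup as the reverse-rerandomizable PKE; plain ElGamal ciphertexts are group elements rather than random-looking strings, so IND$-CPA is not modelled, and the group parameters are constructed for illustration only.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (not a secure size): safe prime P = 2Q+1,
# G = 4 generates the order-Q subgroup of quadratic residues mod P.
P, Q, G = 1019, 509, 4

def H(*parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

# PRG' = (init', next'): a hash ratchet, assumed forward secure for this example.
def next_inner(st):
    return H(st, "out") % Q, H(st, "state")        # (r, st') with r in Z_Q

# PKE = (keygen, enc, rerand, rev-rerand, dec): ElGamal in the subgroup.
def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk                        # (pk, sk)
def enc(pk, m, r):
    return pow(G, r, P), m * pow(pk, r, P) % P
def rerand(pk, c, r):                               # multiply in a fresh encryption of 1
    return c[0] * pow(G, r, P) % P, c[1] * pow(pk, r, P) % P
def rev_rerand(pk, c, r):                           # G has order Q, so G^(Q-r) = G^(-r)
    return rerand(pk, c, Q - r)
def dec(sk, c):
    return c[1] * pow(c[0], P - 1 - sk, P) % P

# BPRG = (setup, init, next): pp = pk, bk = sk, state = (st, c) where c encrypts st_0.
def setup():
    return keygen()                                 # (pp, bk)
def init(pp):
    st0 = pow(G, secrets.randbelow(Q - 1) + 1, P)  # inner seed, chosen as a group element
    return st0, enc(pp, st0, secrets.randbelow(Q))
def prg_next(pp, state):
    st, c = state
    r, st_new = next_inner(st)
    c_new = rerand(pp, c, r)                        # the output is the rerandomised ciphertext
    return c_new, (st_new, c_new)

def big_brother(pp, bk, c_i, i):
    """FIRST goal: recover the initial state (st_0, c_0) from the i-th output alone."""
    st0 = dec(bk, c_i)                              # every output is still an encryption of st_0
    st, rs = st0, []
    for _ in range(i):                              # replay PRG' from st_0 to get r_1..r_i
        r, st = next_inner(st)
        rs.append(r)
    c = c_i
    for r in reversed(rs):                          # undo the rerandomisations back to c_0
        c = rev_rerand(pp, c, r)
    return st0, c
```

Running big_brother on any single output c_i together with its index i returns exactly the (st_0, c_0) that init produced, from which every past and future output can be regenerated with prg_next.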
Backdoors in PRNGs
PRNGs (sometimes: PRNGs with input)
A PRNG = (setup, init, refresh, next):
  setup(1^λ) → (pp, bk)
  init(pp) → st
  next(st) → (r, st')
  refresh(pp, st, I) → st'      // I: input from entropy source
A PRNG is a PRG that allows state updates with inputs from an entropy source.
Modeling entropy inputs: the distribution sampler [DPRVW13]
A distribution sampler D keeps a state σ and on each call outputs D(σ) → (σ', I, γ, z):
  σ' : updated state
  I  : input to PRNG
  γ  : entropy estimate for input
  z  : side information regarding input
Entropy requirement: H∞(I_i | I_1, …, I_{i-1}, I_{i+1}, …, I_q, z_1, …, z_q, γ_1, …, γ_q) ≥ γ_i
Robustness for PRNGs
Game ROB(A, D, γ*):
  (pp, bk) ← setup(1^λ)
  st ← init(pp)
  σ ← ∅; c ← ∞
  b ←$ {0,1}
  b' ← A^{GET, SET, REF, ROR}(pp)
  return (b = b')
Oracles:
  GET():    c ← 0; return st
  SET(st'): st ← st'; c ← 0
  REF():    (σ, I, γ, z) ← D(σ); st ← refresh(pp, st, I); c ← c + γ; return (γ, z)
  ROR():    (r_0, st) ← next(pp, st); r_1 ←$ uniformly random
            if c < γ* then c ← 0; return r_0
            else return r_b
Advantage: Adv^ROB(A, D, γ*) := 2·|Pr[ROB(A, D, γ*) ⇒ 1] − 1/2|
Backdooring models for PRNGs [DPSW16]
We consider a PRNG which we evolve according to a refresh pattern rp, defining a sequence of next and refresh calls (evolve runs that sequence, taking the refresh inputs from the distribution sampler D).
Game ST-BPRNG(B, D, i, j, rp):
  (pp, bk) ← setup(1^λ)
  st_0 ← init(pp)
  (r_1, st_1, …, r_q, st_q) ← evolve(pp, st_0, rp)
  st_j' ← B(bk, r_i, i, j, rp)
  return (st_j = st_j')
Game OUT-BPRNG(B, D, i, j, rp):
  (pp, bk) ← setup(1^λ)
  st_0 ← init(pp)
  (r_1, st_1, …, r_q, st_q) ← evolve(pp, st_0, rp)
  r_j' ← B(bk, r_i, i, j, rp)
  return (r_j = r_j')
A simple backdoored PRNG [DPSW16]
• Dodis et al. (2013) present a construction of a provably robust PRNG.
• Crucially, the output is produced by using a forward secure PRG in between refreshes.
• Simply replace this with a BPRG (and tweak the entropy accumulation process).
• Backdoor attacker can then compromise the PRNG in the period between refreshes.
• But the PRNG is still robust against a normal attacker.
• Challenge: Can we design a backdoored PRNG in which the backdoor attacker can move past refreshes?
Building blocks:
• A robust PRNG' = (setup', init', refresh', next')
• An IND$-CPA secure rerandomizable encryption scheme PKE = (keygen, enc, rerand, dec)
Construction of a backdoored PRNG [DPSW16]
setup(1^λ):
  (pk, sk) ← keygen
  (pp', ⊥) ← setup'
  pp ← (pp', pk); bk ← sk
  return (pp, bk)
init(pp):
  st_0 ← init'(pp')
  c_0 ← enc(pk, st_0)
  state: (st_0, c_0)
refresh(state = (st, c_1, c_2, c_3, c_4), I):
  st' ← refresh'(st, I)
  c_1' ← enc(pk, st')
  new state: (st', c_1', c_1, c_2, c_3)     // snapshots shift along; the oldest, c_4, is deleted
next(state = (st, c_1, c_2, c_3, c_4)):
  one of two output types:
    output 1: r = c_1 || … || c_4
    output 2: use next' to generate r based on st
  new state: (st', c_1', c_2', c_3', c_4'), i.e. rerandomize each c_i and update st
  The new state is recomputable by the backdoor adversary if the state is recovered from an output of type 1.
Full construction [DPSW16]
Robustness of PRNG = (setup, init, refresh, next) follows from:
• Robustness of PRNG' = (setup', init', refresh', next')
• IND$-CPA security and rerandomizability of PKE = (keygen, enc, rerand, dec)
Advantage of Big Brother in the OUT-BPRNG game is approx. ¼ for i, j values in 'range' and 0 otherwise.
Impossibility result [DPSW16]
Our backdoored PRNG construction crucially relies on storing snapshots of the state, and the degree of backdooring is limited by the size of the state space.
We show that this is inherent, for a class of distribution samplers:
For any ε-robust PRNG, any well-behaved distribution sampler, any sequence of queries, any legitimate subsequence f, and any j and k:
  H∞(S_{f(j)} | R_{f(j)+k}, pp) ≥ ((j+1)/2)·log(1/ε) − min(l, n)
where n is the size of the state and l is the output size.
Concluding remarks
The bad news:
• Provably forward-secure PRGs can be backdoored in the strongest sense possible: initial state recovery from any single output.
• Provably robust PRNGs can be backdoored to allow Big Brother to recover previous output values, even if the PRNG is refreshed.
The slightly better news:
• BPRGs must look like public key primitives.
• Robust PRNGs provide some resistance against backdooring.
Future work:
• Stronger impossibility results, immunizers for BPRNGs, additional constructions of BPRGs and BPRNGs with more compact state or stronger backdooring, …