cryptographic back doors with chuck easttom chuck@chuckeasttom.com

Post on 16-Jan-2016


CRYPTOGRAPHIC BACK DOORS

WITH CHUCK EASTTOM

CHUCK@CHUCKEASTTOM.COM

WWW.CHUCKEASTTOM.COM

ABOUT THE SPEAKER Chuck Easttom chuck@chuckeasttom.com www.ChuckEasttom.com

Education: B.A. and M.Ed. from Southeastern Oklahoma State University., MBA with emphasis in applied computer science from Northcentral University. 29 computer certifications

18 Computer Science books including 4 computer security textbooks and 3 computer forensics books.

Worked as a subject matter expert for CompTIA in the creation of the Security+, Server+, and Linux+ exams as well as revising the CTT+. Worked on the Job Task Analysis Team for CEH v8. Created the ECES cryptography certification course for the EC Council

Experience: many years in IT, 15+ years of teaching/training.

Frequent Expert Witness in computer related cases (patent infringement, computer crimes, etc.)

5 patents including a patent for steganography technique

Taught cryptography and related topics around the world including to the US Secret Service, DoD related personnel, and allied foreign military units.

WHAT IS KLEPTOGRAPHY?

Kleptography is a colloquial term for creating cryptographic algorithms that resemble the original/actual algorithms, but provide the creator an advantage in cracking encrypted messages.

It is the formal cryptographic study of backdoor designs.

WHAT ARE THE GOALS OF CRYPTOGRAPHIC BACKDOORS?

Any cryptographic backdoor can only work if it fulfills the following four criteria.

1) Output Indistinguishability: The outputs of C and C' are computationally indistinguishable to all efficient algorithms except for the attacker A.

2) Confidentiality of C: The outputs of C do not compromise the security of the cryptosystem that C implements.

3) Confidentiality of C': The outputs of C' only compromise the security of the cryptosystem that C' implements with respect to the attacker A (and not against the traditional adversary).

4) Ability to compromise C': With overwhelming probability the attacker A (a new shadow party) can decrypt, forge, or otherwise cryptanalyze efficiently at least one private output of C' given a sufficient number of public outputs of C'.

DUAL_EC_DRBG

• Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator is a pseudorandom number generator that was promoted as a cryptographically secure pseudorandom number generator (CSPRNG) by the National Institute of Standards and Technology.

• It is based on the elliptic curve discrete logarithm problem (ECDLP) and is one of the four CSPRNGs standardized in the NIST SP 800-90A.

• In 2006 cryptography researchers suggested the algorithm might have a back door.

• In 2013, The New York Times reported that internal NSA memos leaked by Edward Snowden suggest an RNG created by the NSA and used in the Dual_EC_DRBG standard does indeed contain a backdoor for the NSA.

AN EXAMPLE

• Let us examine RSA and a possible backdoor that could be put into RSA.

• We will begin by examining the RSA algorithm itself.

• Some of you are undoubtedly familiar with it, but many of you may not be.

CONCEPTS FOR RSA

Except for basic operations like multiplication, you really only need four concepts from number theory/discrete math to understand RSA. Those concepts are:

• Prime

• Co-Prime

• Euler's Totient

• Modulus operation

PRIME NUMBERS

A prime number is any number whose only factors are 1 and itself. So 2, 3, 5, 7, 11, 13, 17, 23, etc. are prime numbers. Prime numbers are used in some public key cryptography algorithms such as RSA.

Prime Number Theorem: If a random number N is selected, the chance of it being prime is approximately 1 / ln(N), where ln(N) denotes the natural logarithm of N.

CO-PRIME

Just as important as prime numbers are in cryptography, co-prime numbers are also important. A co-prime is a number that has no factors in common with another number. For example 3 and 8 are co-prime. This is another term for ‘relatively prime’.

EULER'S TOTIENT

This is actually a part of the RSA Algorithm, which we will study in lesson 4. The number of positive integers less than or equal to n that are coprime to n is called Euler's Totient of n.

So for the number 6, 4 and 5 are coprime with 6. Therefore Euler's Totient = 2.

For a prime number p, Euler's totient is always p − 1.

EULER'S TOTIENT

Coprime numbers have interesting relationships that are part of algorithms like RSA. For example, if m and n are prime then the totient of m times the totient of n is equal to the totient of (m·n). Put more mathematically:

If m and n are prime then

φ(m) · φ(n) = φ(mn)

MODULAR ARITHMETIC

Let a be an integer and m be a positive integer. We denote by a mod m the remainder when a is divided by m.

Examples:

9 mod 4 = 1

8 mod 3 = 2

13 mod 5 = 3
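The four concepts above (prime, co-prime, Euler's totient, the mod operation) in working code. This is an added example, not code from the talk; it computes the totient straight from the definition, checks the multiplicativity rule φ(m)·φ(n) = φ(mn) (which holds for any co-prime m and n, of which two distinct primes are the special case the slides state), and compares the fraction of primes near a number N with the Prime Number Theorem estimate 1/ln(N). All sample values are constructed for illustration.

```python
import math


def is_prime(n):
    """Trial division: a prime has no divisor between 2 and sqrt(n).
    Fine for the small numbers used in these slides."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def coprime(a, b):
    """Two integers are co-prime (relatively prime) when gcd(a, b) == 1."""
    return math.gcd(a, b) == 1


def coprimes_of(n):
    """All k in 1..n that are co-prime to n. For n = 6 this is [1, 5]."""
    return [k for k in range(1, n + 1) if coprime(k, n)]


def totient(n):
    """Euler's totient, straight from the definition on the slide:
    the count of 1 <= k <= n with gcd(k, n) == 1."""
    return len(coprimes_of(n))


def totient_is_multiplicative(m, n):
    """Checks phi(m) * phi(n) == phi(m * n). The identity holds whenever
    gcd(m, n) == 1; two distinct primes (the slides' case) are a special case."""
    return coprime(m, n) and totient(m) * totient(n) == totient(m * n)


def prime_fraction_near(N, window=1000):
    """Returns (observed, estimate): the fraction of primes in [N, N + window)
    next to the Prime Number Theorem estimate 1 / ln(N)."""
    observed = sum(1 for k in range(N, N + window) if is_prime(k)) / window
    return observed, 1 / math.log(N)


if __name__ == "__main__":
    print(coprimes_of(6), totient(6))          # [1, 5] 2
    print(totient(7), totient(61))             # 6 60  (p - 1 for a prime p)
    print(totient_is_multiplicative(61, 53))   # True
    print(9 % 4, 8 % 3, 13 % 5)                # 1 2 3, the slide's mod examples
    print(prime_fraction_near(100_000))        # roughly (0.087, 0.0869)
```

Note that for n = 6 the co-prime list is [1, 5]: 4 shares the factor 2 with 6, but the totient is still 2, as the slide states.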

NORMAL RSA KEY GENERATION

Key generation:

Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length (such as 2048 bits, 4096 bits, etc.)

Let n = pq

Let m = (p-1)(q-1)

Choose a small number e, co-prime to m (note: two numbers are co-prime if they have no common factors). e is often 2^16 + 1.

Find d such that d·e % m = 1

Publish e and n as the public key. Keep d and n as the secret key.

RSA CONTINUED

Encrypt:

C = M^e % n

Put another way: compute the ciphertext c = m^e mod n.

Decrypt:

P = C^d % n

Put another way: the recipient uses his private key (d, n) to compute m = c^d mod n.

More details

http://www.di-mgt.com.au/rsa_alg.html

RSA (CONTINUED)

Normally RSA would be done with very large integers. To make the math easy to follow we will use small integers in this example (note: this example is from Wikipedia):

Choose two distinct prime numbers, such as p = 61 and q = 53.

Compute n = pq giving n = 61 · 53 = 3233.

Compute the totient of the product as φ(n) = (p − 1)(q − 1) giving φ(3233) = (61 − 1)(53 − 1) = 3120.

Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120. Let e = 17.

Compute d, the modular multiplicative inverse of e modulo φ(n), yielding d = 2753.

The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is m^17 (mod 3233).

The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is c^2753 (mod 3233).

WEAKNESSES

• It has been demonstrated that small private exponents may be efficiently recovered if d < n^0.25, and this result was later improved by Boneh and Durfee, who showed a similar result for d < n^0.292. Moreover, it is a well-known fact that given a multiple of φ(n), such as de − 1 satisfying de ≡ 1 (mod φ(n)), it is easy to factor n.
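The key generation, encryption and decryption slides above, run on the Wikipedia numbers (p = 61, q = 53, e = 17, d = 2753), together with the two weaknesses just listed. This is an added example, not code from the talk or from Wikipedia: `small_d_warning` flags a private exponent below the n^0.292 bound, and `factor_from_multiple_of_phi` carries out the "given a multiple of φ(n) it is easy to factor n" fact using the standard square-root-of-one argument (write k = 2^t·r; for random a the sequence a^r, a^2r, ... reaches 1 because k is a multiple of φ(n), and a non-trivial square root of 1 on the way yields a factor through gcd). The message value 65 is taken from the same Wikipedia walk-through.

```python
import math
import random


def rsa_keygen(p, q, e=65537):
    """Textbook key generation from the slides: n = pq, m = (p-1)(q-1),
    d = e^-1 mod m. Returns (public_key, private_key) as (n, e), (n, d)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    m = (p - 1) * (q - 1)               # the slides' m, written phi(n) in the worked example
    if math.gcd(e, m) != 1:
        raise ValueError("e must be co-prime to (p-1)(q-1)")
    d = pow(e, -1, m)                   # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message):
    n, e = public_key
    return pow(message, e, n)           # c = m^e mod n


def decrypt(private_key, ciphertext):
    n, d = private_key
    return pow(ciphertext, d, n)        # m = c^d mod n


def small_d_warning(n, d):
    """True when d lies in the range the WEAKNESSES slide calls recoverable
    (Boneh-Durfee bound d < n^0.292)."""
    return d < n ** 0.292


def factor_from_multiple_of_phi(n, k, rng=random.Random(1)):
    """Given k, any multiple of phi(n) (for example d*e - 1), return (p, q)."""
    t, r = 0, k
    while r % 2 == 0:                   # k = 2^t * r with r odd
        t += 1
        r //= 2
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if 1 < g < n:                   # lucky: a itself shares a factor with n
            return min(g, n // g), max(g, n // g)
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue                    # this a only yields trivial square roots
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                  # x is a non-trivial square root of 1
                g = math.gcd(x - 1, n)
                return min(g, n // g), max(g, n // g)
            if y == n - 1:
                break                   # next square is 1 trivially; try another a
            x = y


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, e=17)
    print(public, private)                               # (3233, 17) (3233, 2753)
    c = encrypt(public, 65)
    print(c, decrypt(private, c))                        # 2790 65
    print(small_d_warning(3233, 2753))                   # False
    print(factor_from_multiple_of_phi(3233, 17 * 2753 - 1))  # (53, 61)
```

The factoring routine is the reason leaking d is equivalent to leaking the factorization of n: anyone holding (e, d) can recover p and q, which is exactly what the kleptographic key generator on the following slides hands to its designer by a different route.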

KLEPTOGRAPHIC RSA KEY GENERATION

The key generation algorithm is modified to contain a cryptographic back door or cryptotrojan. The cryptographic backdoor contains the attacker’s public key Y.

Remember basic asymmetric cryptography allows something encrypted with a persons public key to be decrypted with their private key.

EXAMPLE

• This example is based on an example by Young & Yung (RSA Labs)

• It is relatively simple, though not very efficient

THE STEPS

1) Choose a large value x randomly (e.g., 2048 bits)

2) Compute p = H(x), where H is a cryptographic hash function

3) If p is composite or p − 1 is not relatively prime to e, then go to step 1; repeat until p is prime, then proceed to step 4

4) Choose a large random value R

5) Compute c to be the asymmetric encryption of x with the attacker's private key (K) (basically c is the digital signature of x)

6) Solve for (q, r) in (c || R) = pq + r

7) If q is composite or q − 1 is not co-prime to e, then go to step 1

8) Output the public key (n = pq, e) and the private key p

Note that n is about 2048 bits in length

RECOVERING THE RSA PRIVATE KEY

The private key is recovered as follows:

1) The attacker obtains the public key (n, e) of the user

2) Let u be the 512 uppermost bits of n

3) The attacker sets c1 = u and c2 = u + 1 (c2 accounts for a potential borrow bit having been taken from the computation n = pq = (c || R) − r)

4) The attacker decrypts c1 and c2 to get s1 and s2, respectively

5) Either p1 = H(s1) or p2 = H(s2) will divide n

Only the attacker can perform this operation since only the attacker knows the needed private decryption key corresponding to Y.
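The eight generation steps and the five recovery steps above, scaled down to 64-bit moduli so they run in a second. This is an added, constructed example, not code from the talk or from Young and Yung's paper; it exists to make the "(c || R) = pq + r" and "u or u + 1" arithmetic concrete. Assumptions: the 512-bit upper half of n becomes a 32-bit half (`HALF`), H is SHA-256 truncated to 32 bits with the top and low bits forced so that p is a full-size odd candidate, and x is encrypted under the attacker's public key Y = (N, E) so that only the holder of the matching private exponent D can reverse step 5 (the recovery slide's "private decryption key corresponding to Y"). The attacker's key pair and the RNG seed are constructed for the demonstration.

```python
import hashlib
import math
import random

rng = random.Random(2024)   # fixed seed so the toy run is reproducible (constructed)
HALF = 32                   # toy stand-in for the slides' 512-bit upper half of n
E_USER = 65537              # the user's public exponent e

# Miller-Rabin bases; with these the test is deterministic for every n < 2**64.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def H(x):
    """Step 2's hash H (assumed): SHA-256 of x, truncated to HALF bits,
    top bit and low bit forced so p is a full-size odd candidate."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:HALF // 8], "big") | (1 << (HALF - 1)) | 1


def attacker_keypair():
    """The attacker's own toy RSA pair. Y = (N, E) is what gets embedded in the
    generator; D never leaves the attacker. N has HALF bits so c = x^E mod N
    fits exactly in the upper half of the user's modulus."""
    pa, qa = random_prime(HALF // 2), random_prime(HALF // 2)
    while qa == pa:
        qa = random_prime(HALF // 2)
    N = pa * qa
    D = pow(65537, -1, (pa - 1) * (qa - 1))
    return (N, 65537), D


def backdoored_keygen(Y, e=E_USER):
    """Steps 1-8 of the slides. Returns ((n, e), (p, q))."""
    N, E = Y
    while True:
        x = rng.randrange(2, N)                     # 1) random x (kept below N so it encrypts)
        p = H(x)                                    # 2) p = H(x)
        if not is_prime(p) or math.gcd(p - 1, e) != 1:
            continue                                # 3) retry until p is usable
        R = rng.getrandbits(HALF)                   # 4) random R
        c = pow(x, E, N)                            # 5) c = Enc_Y(x)
        q, r = divmod((c << HALF) | R, p)           # 6) (c || R) = p*q + r
        if q == p or not is_prime(q) or math.gcd(q - 1, e) != 1:
            continue                                # 7) retry
        return (p * q, e), (p, q)                   # 8) n = pq, private p (and q)


def recover_factor(n, Y, D):
    """The RECOVERING slide: n = (c || R) - r, so the top HALF bits of n are
    c or c - 1 (one borrow). Decrypt both u and u + 1 and hash; one divides n."""
    N, _ = Y
    u = n >> HALF
    for cand in (u, u + 1):
        s = pow(cand, D, N)                         # only the holder of D can do this
        p = H(s)
        if n % p == 0:
            return p
    return None


if __name__ == "__main__":
    Y, D = attacker_keypair()
    (n, e), (p, q) = backdoored_keygen(Y)
    print(hex(n), e)                                # looks like any other RSA modulus
    print(recover_factor(n, Y, D) == p)             # True: p recovered from (n, e) alone
```

Run as written, the modulus comes out as a product of two primes with a valid e, and nothing about (n, e) reveals that p was derived from a hash; only `recover_factor`, which needs D, gets p back. That is the indistinguishability property from the goals slide, and the reason the talk concludes that a key generator whose source you cannot inspect should not be trusted.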

OTHER METHODS

• Crepeau and Slakmon in their paper "Simple Backdoors for RSA Key Generation" show several methods of creating an RSA backdoor.

• Cho in his paper "Ten Years of RSA Cheating Cryptosystems" provides a good overview of the concepts.

THIS CAN BE DONE WITH OTHER ALGORITHMS

• Researchers have published backdoors for Diffie-Hellman and DSA.

WHERE IS THIS PROBLEM?

• Young and Yung pointed out that while one thinks of backdoors in relation to black box systems, it is not uncommon for open source systems to not be examined thoroughly.

• As an example (though not a crypto backdoor), the Heartbleed bug was in open source code, introduced in December 2011 and not widely reported until well into 2014.

WHAT DOES THIS ALL MEAN?

• “This suggests that nobody should rely on RSA key generation schemes provided by a third party. This is most striking in the smartcard model, unless some guarantees are provided that all such attacks to key generation cannot have been embedded.”

• -Simple Backdoors for RSA Key Generation by Claude Crepeau and Alain Slakmon

WHAT TO DO NEXT?

• Random number generators and prime number generators are necessary for cryptography.

• It is very important to understand how they work and not rely on ‘black box’ implementations.

• Where possible you should develop your own if you have the resources to do so.

SOME REFERENCES

• Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator, Berry Schoenmakers and Andrey Sidorenko

• Malicious Cryptography: Kleptographic Aspects, Young and Yung, Columbia University

• Ten Years of RSA Cheating Cryptosystems, Jihoon Cho

• Simple Backdoors for RSA Key Generation, Claude Crepeau and Alain Slakmon

• Simple Backdoors on RSA Modulus by Using RSA Vulnerability, Sun, Wu, and Yang

QUESTIONS

Don’t forget to check out

www.ChuckEasttom.com

And

www.CryptoCorner.com

APPENDIX

• The following slides are simply more detail on DUAL_EC_DRBG for those with the mathematical background and desire to delve deeper.

MORE ON DUAL_EC_DRBG

The algorithm specification specifies an elliptic curve, which is basically just a finite cyclic (and thus Abelian) group G. The algorithm also specifies two group elements P, Q. It doesn't say how they were chosen; all we know is that they were chosen by an employee of the NSA. In the simplified algorithm, the state of the PRNG at time t is some integer s. To run the PRNG forward one step, we do the following:

We compute sP (recall we use additive group notation; this is the same as P^s, if you prefer multiplicative notation), convert this to an integer, and call it r.

We compute rP, convert it to an integer, and call it s′ (this will become the new state in the next step).

We compute rQ and output it as this step's output from the PRNG. (OK, technically, we convert it to a bitstring in a particular way, but you can ignore that.)

MORE ON DUAL_EC_DRBG

Now here's the observation: we're pretty much guaranteed that P = eQ for some integer e. We don't know what e is, and it's hard for us to find it (that requires solving the discrete log problem on an elliptic curve, so this is presumably hard). However, since the NSA chose the values P, Q, it could have chosen them by picking Q randomly, picking e randomly, and setting P = eQ. In particular, the NSA could have chosen them so that they know e.

And here the number e is a backdoor that lets you break the PRNG. Suppose the NSA can observe one output from the PRNG, namely, rQ. They can multiply this by e, to get erQ. Now notice that erQ = r(eQ) = rP = s′. So, they can infer what the next state of the PRNG will be. This means they learn the state of your PRNG! That's really bad -- after observing just one output from the PRNG, they can predict all future outputs from the PRNG with almost no work. This is just about as bad a break of the PRNG as could possibly happen.
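The three-step generator and the erQ = r(eQ) = rP = s′ observation above, as an added toy model that is not code from the talk. It uses the multiplicative notation the slide mentions: the elliptic-curve group is replaced by the cyclic group of integers modulo the prime 2^31 − 1, so the "scalar multiplication" sP becomes the modular exponentiation P^s mod p and "converting to an integer" is free. Q, the trapdoor e, and the seed are constructed values; P is set to Q^e exactly as the slide describes, and users of `step` see only P and Q.

```python
# Toy model of the Dual_EC_DRBG back door in the group (Z/pZ)^* instead of an
# elliptic-curve group. Additive notation on the slides -> exponentiation here:
#   sP  ->  P**s mod p,   rQ  ->  Q**r mod p,   P = eQ  ->  P = Q**e mod p.
P_MOD = 2_147_483_647       # the prime 2**31 - 1; the group is the integers mod it
Q = 16807                   # public "point" Q (constructed value)
TRAPDOOR_E = 123_456_789    # the designer's secret e (constructed value)
P = pow(Q, TRAPDOOR_E, P_MOD)   # public "point" P = eQ; only P and Q are published


def step(state):
    """One step of the simplified generator from the slides.
    Returns (new_state, output)."""
    r = pow(P, state, P_MOD)            # r  = sP
    new_state = pow(P, r, P_MOD)        # s' = rP
    output = pow(Q, r, P_MOD)           # output = rQ
    return new_state, output


def next_state_from_output(observed_output, e):
    """The back door: e * (rQ) = r(eQ) = rP = s'. Anyone holding e turns one
    published output into the generator's next internal state."""
    return pow(observed_output, e, P_MOD)


def backdoor_predicts_stream(seed, outputs=5):
    """Run the honest generator, then show that e plus the first output is enough
    to reproduce every later output. Returns True when the prediction matches."""
    state, first = step(seed)
    honest = []
    for _ in range(outputs):
        state, out = step(state)
        honest.append(out)

    # Attacker's view: the first output and e, nothing about the seed.
    guessed_state = next_state_from_output(first, TRAPDOOR_E)
    predicted = []
    for _ in range(outputs):
        guessed_state, out = step(guessed_state)
        predicted.append(out)
    return predicted == honest


if __name__ == "__main__":
    print(backdoor_predicts_stream(seed=42))    # True
```

Without e, turning rQ back into s′ is the discrete-log problem in the group, which is what makes the generator look sound to everyone except the party that chose P from Q. The corresponding defence is to insist that both constants come with a public, reproducible derivation (or to generate your own), so that no single party can have picked one as a multiple of the other.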


For more see http://rump2007.cr.yp.to/15-shumow.pdf
