NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring

1. Cryptographic Backdooring
JP Aumasson

2. /me
@veorq http://aumasson.jp

3. Agenda
Why this talk?
Backdooring 101
Sabotage tactics
A perfect backdoor
Conclusion

4. Why this talk?

5. You may not be interested in backdoors,
but backdoors are interested in you

6. NSA’s BULLRUN program

7. Public/academic research mostly inexistant

9. Bad reputation

10. Surveillance, deception, etc.

11. “a back door for the government can easily —and
quietly—become a back door for criminals and
foreign intelligence services.”
http://justsecurity.org/16503/security-front-doors-vs-back-doors-distinction-difference/

12. And terrorists etc.
(Like internet and encryption)
Not a great argument IMHO

13. “It increases the ‘attack surface’ of the system,
providing new points of leverage that a nefarious
attacker can exploit.”
http://justsecurity.org/16503/security-front-doors-vs-back-doors-distinction-difference/

15. Not well understood, by the public

16. Especially crypto backdoors

17. Why public research?

18. Detect backdoors

19. If you have to implement a backdoor
—for good or not-so-good reasons—
better know how (not) to do it

20. Backdooring 101

21. What is a backdoor?

22. Not a trapdoor
(Covert rather than overt)

23. “A feature or defect that allows
surreptitious access to data”

24. Weakened algorithms
(A5/2, GMR, etc.)

25. Covert channels
(Exfiltration of keys, etc.)

26. Key escrow
Clipper chip phone AT&T TSD3600

27. May be known to exist
(Is lawful interception a backdoor?)

28. “An undocumented way to get access to a
computer system or the data it contains”

30. Bugs? RCE?

31. Only if intentional, a.k.a. bugdoors
(© The Grugq)

32. Deniability...

33. What is a “good” backdoor?

34. Undetectable

35. NOBUS
(No one but us, NSA term)

36. Reusable

37. Unmodifiable

38. Forward-secure

39. Simple

40. To be continued...

41. Sabotage tactics

42. Constants

43. Choose constants that allow you
to compromise the security

44. SHA-1 round constants

45. 40 bits modified
Colliding binaries, images, archives
Full control on the content, NOBUS
(BSidesLV/DEFCON/SAC 2014)

46. https://malicioussha1.github.io/

47. 2 distinct files, 3 valid file formats

48. Elliptic curve coefficients

49. NIST curves’ coefficients:
hashes of unexplained 16-byte seeds, e.g.
c49d3608 86e70493 6a6678e1 139d26b7 819f7e90
(Speculation, no public evidence of backdoor)

50. Notion of rigidity
“a feature of a curve-generation process,
limiting the number of curves that can be
generated by the process”
http://safecurves.cr.yp.to/rigid.html

52. Limitation: there may be an exponential
number of fully-rigid generation methods

53. Math structure elements

54. Dual_EC_DRBG
(NSA design, NIST standard)
http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html
If n s.t. nQ = P is known, the RNG is broken

55. Key generation

56. Make session keys predictable

57. 3G/4G AKA
Session keys = hash( master key, rand )
Delegate tactical intercepts with
low-entropy rand values
Precompute and share session keys
(A possibility, not allegations)

58. Hide weak parameters

59. RSA
Hide small public exponent
with some tricks to avoid detection
and recover using Boneh-Durfee-Frankel result
(CT-RSA 2003)

60. Key gen as a covert channel for itself

61. RSA
Hide bits of prime factors in n
Recover using Coppersmith’s method
Similar to “Pretty-Awful-Privacy” (Young-Yung)
(CT-RSA 2003)

62. Lesson: don’t outsource keygen

63. Implementations

64. Slightly deviate from the specs
Omit some verifications
etc.

65. Small subgroup attacks
Omit (EC)DH pubkey validation
(CRYPTO 1997)

66. Small subgroup attacks
Omit (EC)DH pubkey validation
(PKC 2003)

67. “domain parameter shifting attacks”
Omit ECC domain parameters validation
(ACISP 2004)

68. TLS MitM
Incomplete cert verification

69. “Misuse”
Repeated stream cipher nonces

70. NOBUS unlikely...

71. Software

72. Bugdoors in the crypto
Deniability may be plausible

74. goto fail;
goto fail;

75. Those 2 are probably unintentional

76. RC4 bugdoor (Wagner/Biondi)
#define TOBYTE(x) (x) & 255
#define SWAP(x,y) do { x^=y; y^=x; x^=y; } while (0)
static unsigned char A[256];
static int i=0, j=0;
unsigned char encrypt_one_byte(unsigned char c) {
int k;
i = TOBYTE( i+1 );
j = TOBYTE( j + A[i] );
SWAP( A[i], A[j] );
k = TOBYTE( A[i] + A[j] );
return c ^ A[k];
}

77. Hardware

78. IC trojans

79. Malicious modification of a chip
At design (HDL) or fab (netlist)
Detection difficult

80. (CHES 2013)

81. (CHES 2014)

82. CPU multiplier X × Y = Z correct
except for one “magic” pair (X, Y)
Exploitable to break RSA, ECC, etc.
2128
pairs for 64-bit MUL, detection unlikely

83. A perfect backdoor
http://phili89.wordpress.com/2010/05/24/the-perfect-crime-project-38/

84. Covert channel with a malicious RNG
Public-key encryption (NOBUS)
Indistinguishability from random strings
(for undetectability)

85. Compute X = Enc( pk, data to exfiltrate )
X should look like a random string
Use X as (say) IVs for AES-CTR

86. Pubkey encryption scheme with ciphertexts
indistinguishable from random strings?

88. Elligator curves
http://safecurves.cr.yp.to/ind.html

89. RNG circuit must be hidden
(For example in FPGA/PLD, difficult to RE)

90. Communications and computations
appear identical to those of a clean system

91. Full reverse-engineering:
Backdoor detected but unexploitable,
and previous covert coms remain safe

92. What can be exfiltrated? RNG state
Can give past and future session keys,
depending on the RNG construction

93. Many other techniques…

94. Conclusion

95. All this is quite basic

96. And that’s only for crypto

97. Should we worry about backdoors?
or
First fix bugs and usability issues?

98. Draw your own conclusions

99. “a competition to write or modify crypto code
that appears to be secure, but actually does
something evil.”
Send you submission(s) before Dec 2, 2014
https://underhandedcrypto.com/

100. Merci!
“Secrets… are the very root of cool.”
William Gibson, Spook Country