Subliminal Channels in DSA
8/2/2019 Subliminal Channels in DSA
Subliminal Channels in DSA protocol
Liviu Itoaf
Military Technical Academy
Introduction
Kleptography
Usage of subliminal channels
Trojans; viruses; backdoored cryptographic algorithms
Spying; tracking documents; tracking digital money
Historical necessities and motivation
Gus Simmons - The History of subliminal channels, 1998
Is it a bad thing?
A subliminal channel is not a covert channel
Time-line analysis: quality or defect of DSA?
Cryptographic context
Prisoners' dilemma (1984)
translated to an Alice-Bob problem
Correctness:
channel can be made public
Subliminal channel usage can't even be detected
Application overview
Exploit broad- and narrowband channel
OpenSSL 0.9.8r
Applications:
Watermarking, leaking keys, spy networks, marking and tracking digital documents
Integration with Unix shell or Windows batch mode
redirect/format input/output
(signatures) verifications
statistics
other scenarios
Brief DSA description
Proposed by NIST in 1991 as DSS,
Described in FIPS 186-3 (1999)
The signature of the message m is the pair (r,s), so that:
r=(g^k mod p) mod q, k random, 0
Broadband channel
The simplest one: hide a 160-bit message in the random k
Both communicators must know both private keys
Generate keys
$ ./crypto.exe --gen-keys
Sign
$ ./crypto.exe --sign-with-msg file prv_key.pem
Verify signature
$ openssl dgst -dss1 -verify pub_key.pem -signature file.sig
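The broadband channel on this slide, as an added Python example (not the crypto.exe source or any code from the original slides): the signer uses the hidden message as k, the signature still verifies normally, and a receiver who shares the private key x solves the signing equation for k. The toy group, the SHA-1-mod-q digest and all function names are assumptions made for the example; `key_from_k` solves the same equation for x, which is why anyone who learns k learns the private key.

```python
import hashlib

def is_prime(n):
    """Miller-Rabin, deterministic below 3.3e24 with these 12 bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2: return False
    for b in bases:
        if n % b == 0: return n == b
    d, s = n - 1, 0
    while d % 2 == 0: d //= 2; s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

# Constructed toy group, far too small for real use: q = 2^61 - 1, p = j*q + 1.
Q = 2**61 - 1
J = next(j for j in range(2, 10**6, 2) if is_prime(j * Q + 1))
P = J * Q + 1
G = next(g for g in (pow(h, J, P) for h in range(2, 100)) if g != 1)

def H(m): return int.from_bytes(hashlib.sha1(m).digest(), "big") % Q

def sign(m, x, k):
    """DSA signing with a caller-chosen k; the broadband channel sets k = message."""
    if not 0 < k < Q: raise ValueError("hidden message must satisfy 0 < k < q")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (H(m) + x * r) % Q
    if r == 0 or s == 0: raise ValueError("unusable k for this message")
    return r, s

def verify(m, r, s, y):
    if not (0 < r < Q and 0 < s < Q): return False
    w = pow(s, -1, Q)  # ordinary DSA verification, no knowledge of k or x
    return pow(G, H(m) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def recover_k(m, r, s, x):
    """Receiver who shares x solves s = k^-1 (H(m) + x*r) mod q for k."""
    return pow(s, -1, Q) * (H(m) + x * r) % Q

def key_from_k(m, r, s, k):
    """The same equation solved for x: a known k reveals the private key."""
    return (s * k - H(m)) * pow(r, -1, Q) % Q
```

With a real 160-bit q the hidden message can be up to 160 bits; this toy group carries fewer than 61.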
Narrowband channel
Eliminates impersonation issue
Idea:
prime number p sharing
Set k so that r is a quadratic residue modulo p
Efficient hardware implementation; short undiscoverable leaks
Signing:
$ ./crypto.exe --sign-with-leak file prv_key.pem
Optimized quadratic residue algorithms
Application description
2 parts: Broadband channel and 14-bit narrowband
OpenSSL: pem, bn, and evp APIs
Build: on Linux and Windows (Cygwin)
With static libcrypto.a or ssleay32.dll
SSL rebuilt for debugging symbols
C Code
Source: open on Google Code
Features and limitations
Features:
Shell based integration with applications and scripts
Automation, crafting input, post-checks
Limitations:
Risks for k not random or in narrow interval
Extract private key x
OpenSSL bug on Debian
OTP solution
Secure (C) coding practices
Use cases [1]
Get input from another file
$ ./crypto.exe --sign-with-msg usage.pdf my_prv_key.pem 1234