A Formal Treatment of Backdoored Pseudorandom Generators
Abstract
We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST’s backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor. We show that backdoored PRGs are equivalent to public-key encryption schemes with pseudorandom ciphertexts. We use this equivalence to build backdoored PRGs that avoid a well-known drawback of the Dual EC PRG, namely biases in outputs that an attacker can exploit without the trapdoor. Our results also yield a number of new constructions and an explanatory framework for why there are no reported observations in the wild of backdoored PRGs using only symmetric primitives. We also investigate folklore suggestions for countermeasures to backdoored PRGs, which we call immunizers. We show that simply hashing PRG outputs is not an effective immunizer against an attacker that knows the hash function in use. Salting the hash, however, does yield a secure immunizer, a fact we prove using a surprisingly subtle proof in the random oracle model. We also give a proof in the standard model under the assumption that the hash function is a universal computational extractor (a recent notion introduced by Bellare, Tung, and Keelveedhi).
Cited by 4 (0 self)
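The abstract above says a backdoored PRG is, in effect, a public-key encryption scheme whose ciphertexts look random, and points at Dual EC as the deployed instance. The following is an added illustration, not the paper's construction and not code from the paper's authors: a Dual-EC-style generator with the elliptic-curve points replaced by a multiplicative group modulo a small prime, so the trapdoor attack runs in plain integer arithmetic. The prime, the base P, the trapdoor d and the truncation width are all chosen for this demo; the only thing carried over from Dual EC is the shape of the step (r = P^s, next state = P^r, output = Q^r with the top bits dropped) and the fact that Q = P^d gives the saboteur a way to open each output into the next state.

```python
"""Toy Dual-EC-style backdoored PRG with its trapdoor attack.

Added illustration for the abstract above; it is not the paper's construction.
Dual EC runs on an elliptic curve with public points P and Q = d*P; here the
multiplicative group Z_p^* with public bases P and Q = P^d stands in for it so
the whole thing is integer arithmetic. The saboteur who chose Q knows d. Each
output Q^r is, in effect, an encryption of the next state P^r under the
saboteur's public key Q: anyone can produce it, only the trapdoor holder can
open it. That is the PRG / public-key-encryption correspondence the abstract
describes. Truncating outputs (as Dual EC does) costs the attacker only a small
brute force over the dropped bits.
"""
from typing import List, Optional, Tuple

P_MOD = 2**31 - 1                          # Mersenne prime; Z_p^* has order 2**31 - 2
BASE_P = 7                                 # assumed public base (picked for this demo)
TRAPDOOR_D = 19088743                      # saboteur's secret, coprime to p - 1
BASE_Q = pow(BASE_P, TRAPDOOR_D, P_MOD)    # published with P, like Dual EC's Q
DROP_BITS = 8                              # top bits removed from each 31-bit value
OUT_BITS = 31 - DROP_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def prg_step(state: int) -> Tuple[int, int]:
    """One generator step: r = P^state, next state = P^r, output = Q^r truncated."""
    r = pow(BASE_P, state, P_MOD)
    next_state = pow(BASE_P, r, P_MOD)
    raw_out = pow(BASE_Q, r, P_MOD)
    return next_state, raw_out & OUT_MASK


def prg_outputs(seed: int, n: int) -> List[int]:
    """Run the generator n steps from a seed and return its published outputs."""
    outs, state = [], seed
    for _ in range(n):
        state, out = prg_step(state)
        outs.append(out)
    return outs


def trapdoor_predict(out1: int, out2: int) -> Optional[int]:
    """Trapdoor holder's attack: from two consecutive outputs predict the third.

    Q^r = P^(d*r), so (Q^r)^(d^-1 mod p-1) = P^r, which is the state after out1.
    The dropped top bits are recovered by trying every completion and keeping
    the one whose predicted next output equals out2.  Without d this step is a
    discrete-logarithm problem, which is what protects honest users of the PRG.
    """
    d_inv = pow(TRAPDOOR_D, -1, P_MOD - 1)          # ValueError if d not invertible
    for high in range(1 << DROP_BITS):
        raw_candidate = (high << OUT_BITS) | out1
        if raw_candidate >= P_MOD:
            break
        state_candidate = pow(raw_candidate, d_inv, P_MOD)   # "decrypt" the output
        state_after, predicted_out2 = prg_step(state_candidate)
        if predicted_out2 == out2:
            _, predicted_out3 = prg_step(state_after)
            return predicted_out3
    return None


def demo(seed: int = 0xC0FFEE) -> bool:
    """True when the trapdoor holder correctly predicts output 3 from outputs 1 and 2."""
    o1, o2, o3 = prg_outputs(seed, 3)
    return trapdoor_predict(o1, o2) == o3


if __name__ == "__main__":
    print("trapdoor prediction succeeded:", demo())
```

The practitioner's takeaway is in `trapdoor_predict`: the published parameters P and Q are all an honest user sees, and nothing in the output stream reveals whether Q was generated with a known d. The abstract's point about immunizers applies here too: the remedy is not to post-process this generator's output but to avoid parameters whose provenance cannot be verified.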
Auditable Privacy: On Tamper-Evident Mix Networks
In Financial Cryptography ’02, 2006
Abstract
We introduce the notion of tamper-evidence for mix networks in order to defend against attacks aimed at covertly leaking secret information held by corrupted mix servers. This is achieved by letting observers (which need not be trusted) verify the absence of covert channels by means of techniques we introduce herein. Our tamper-evident mix network is a type of re-encryption mixnet in which a server proves that the permutation and re-encryption factors that it uses are correctly derived from a random seed to which the server is committed.
Cited by 3 (2 self)
Covert Channels in Privacy-Preserving Identification Systems
Abstract
We examine covert channels in privacy-enhanced mobile identification devices where the devices uniquely identify themselves to an authorized verifier. Such devices (e.g. RFID tags) are increasingly commonplace in hospitals and many other environments. For privacy, the device outputs used for identification should “appear random” to any entity other than the verifier, and should not allow physical tracking of device bearers. Worryingly, there already exist privacy breaches for some devices [28] that allow adversaries to physically track users. Ideally, such devices should allow anyone to publicly determine that the device outputs are covert-channel free (CCF); we say that such devices are CCF-checkable. Our main result shows that there is a fundamental tension between identifier privacy and CCF-checkability; we show that the two properties cannot coexist in a single system. We also develop a weaker privacy model where a continuous observer can correlate appearances of a given tag, but a sporadic observer cannot. We also construct a privacy-preserving tag identification scheme that is CCF-checkable and prove it secure under the weaker privacy model using a new complexity assumption. The main challenge addressed in our construction is the enforcement of public verifiability, which allows a user to verify covert-channel-freeness in her device without managing secret keys external to the device.
Cited by 3 (0 self)
Single-bit re-encryption with applications to distributed proof systems
In Proceedings of the ACM Workshop on Privacy in the Electronic Society (WPES), 2007
Abstract
We examine the implementation of the distributed proof system designed by Minami and Kotz [17]. We find that, although a high-level analysis shows that it preserves confidentiality, the implementation of the cryptographic primitives contains a covert channel that can leak information. Moreover, this channel is present with any traditional choice of public-key encryption functions. To remedy this problem, we use the Goldwasser-Micali cryptosystem to implement single-bit re-encryption and show how to make it free of covert channels. We then extend the primitive to support commutative encryption as well. Using this primitive, we design a variant of the Minami-Kotz algorithm that not only is free of covert channels, but also has additional proving power over the original design.
Cited by 2 (0 self)
Tamper-Evident Digital Signatures:
In Proceedings of the Symposium on Dependable Autonomic and Secure Computing 2006, 2005
Abstract
We introduce the notion of tamper-evidence for digital signature generation in order to defend against attacks aimed at covertly leaking secret information held by corrupted signing nodes. This is achieved by letting observers (which need not be trusted) verify the absence of covert channels by means of techniques we introduce herein. We call our signature schemes tamper-evident since any deviation from the protocol is immediately detectable. We demonstrate our technique for the RSA-PSS (known as RSA's Probabilistic Signature Scheme) and DSA signature schemes and show how the same technique can be applied to the Schnorr and Feige-Fiat-Shamir (FFS) signature schemes. Our technique does not modify the distribution of the generated signature transcripts, and has only a minimal overhead in terms of computation, communication, and storage.
Ensuring High-Quality Randomness in Cryptographic Key Generation
Abstract
The security of any cryptosystem relies on the secrecy of the system’s secret keys. Yet, recent experimental work demonstrates that tens of thousands of devices on the Internet use RSA and DSA secrets drawn from a small pool of candidate values. As a result, an adversary can derive the device’s secret keys without breaking the underlying cryptosystem. We introduce a new threat model, under which there is a systemic solution to such randomness flaws. In our model, when a device generates a cryptographic key, it incorporates some random values from an entropy authority into its cryptographic secrets and then proves to the authority, using zero-knowledge proof techniques, that it performed this operation correctly. By presenting an entropy-authority-signed public-key certificate to a third party (like a certificate authority or SSH client), the device can demonstrate that its public key incorporates randomness from the authority and is therefore drawn from a large pool of candidate values. Where possible, our protocol protects against eavesdroppers, entropy authority misbehavior, and devices attempting to discredit the entropy authority. To demonstrate the practicality of our protocol, we have implemented and evaluated its performance on a commodity wireless home router. When running on a home router, our protocol incurs a 1.7× slowdown over conventional RSA key generation and it incurs a 3.6× slowdown over conventional ECDSA key generation.
Cliptography: Clipping the Power of Kleptographic Attacks
2015
Abstract
Kleptography, introduced 20 years ago by Young and Yung [Crypto ’96], studies how to steal information securely and subliminally from cryptosystems. The basic framework considers the (in)security of malicious implementations of a standard cryptographic primitive by embedding a “backdoor” into the system. Remarkably, crippling subliminal attacks are possible even if the subverted cryptosystem produces output indistinguishable from a truly secure “reference implementation.” Bellare, Paterson, and Rogaway [Crypto ’14] recently initiated a formal study of attacks on symmetric key encryption algorithms, demonstrating a kleptographic attack that can be mounted in broad generality against randomized components of cryptographic systems. We enlarge the scope of current work on the problem by permitting adversarial subversion of (randomized) key generation; in particular, we initiate the study of cryptography in the full subversion model, where all relevant cryptographic primitives are subject to kleptographic attacks. We formally study one-way permutations and trapdoor one-way permutations in this “complete subversion” model, describing a general, rigorous immunization strategy to clip the power of kleptographic subversions. We augment this strategy with a “split program” model
Energy Analysis of Public-Key Cryptography for Wireless Sensor Networks
Abstract
In this paper, we quantify the energy cost of authentication and key exchange based on public-key cryptography on an 8-bit microcontroller platform. We present a comparison of two public-key algorithms, RSA and Elliptic Curve Cryptography (ECC), and consider mutual authentication and key exchange between two untrusted parties such as two nodes in a wireless sensor network. Our measurements on an Atmel ATmega128L low-power microcontroller indicate that public-key cryptography is very viable on 8-bit energy-constrained platforms even if implemented in software. We found ECC to have a significant advantage over RSA as it reduces computation time and also the amount of data transmitted and stored.