![Page 1: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/1.jpg)
Nobody But Us Impersonate, Tamper, and Exploit

Alfonso De Gregorio
Founder, BeeWise
DeepSEC 2015, Vienna, November 17th-20th, 2015
Web PKI is Fragile
Discuss
/me @secYOUre
#illusoryTLS #DeepSEC
First times are...
If only we could notice them
PKI Dramas
- China Internet Network Information Center (CNNIC), 2015
- Lenovo, 2015
- National Informatics Centre of India, 2014
- ANSSI, 2013
- Trustwave, 2012
- Türktrust, 2011-2013
- DigiNotar, 2011
- Comodo, 2011
- Verisign, 2010
Unsuspecting Users
Remaining oblivious
Silent Failure
/me
At the intersection of software security and security software, exploring, and trying to contain, the space of unanticipated state.
Secure Backdoor
Almost safe
Agenda
1. Web PKI is Fragile: the sorry state of the infrastructure we daily entrust our business upon
2. illusoryTLS: Nobody But Us Impersonate, Tamper, and Exploit
3. The Impact: or, why one rotten apple spoils the whole barrel
4. A Backdoor Embedding Algorithm: Elligator turned to evil
5. Conclusions: the misery of our times
Perspective
- Timely topic, often debated as a matter for a government to legislate on
- A space that some entities might have practically explored regardless of the policy framework
- Would we be able to notice if our communications were being exploited?
..
Poll
.Web PKI is Fragile
.19/103
...
Poll
![Page 23: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/23.jpg)
..
Poll
.Web PKI is Fragile
.20/103
Howmany of you think thatbackdoors can be asymmetric?
Poll
How many of you think that backdoors can be planted in data?
Common View
- Backdoors are symmetric
- Malicious logic in the target system code base
- Everyone with knowledge about the internals of the backdoor can exploit it
- Given enough skills and effort, code review can spot their presence
Yet
- Backdoors can be asymmetric: their complete code does not enable anyone, except those with access to the key-recovery system, to exploit the backdoor
- Backdoors can be planted in data
Backdoor is data, data is backdoor
“The illusion that your program is manipulating its data is powerful. But it is an illusion: The data is controlling your program.”
Taylor Hornby
Scenario
- The entire X.509 Web PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties
Have we sufficient assurance that this did not happen already?
illusoryTLS
Underhanded Crypto Contest
“The Underhanded Crypto Contest is a competition to write or modify crypto code that appears to be secure, but actually does something evil”
illusoryTLS
- An instance of the Young and Yung elliptic-curve asymmetric backdoor in RSA key generation
Security Outcome
The backdoor completely perverts the security guarantees provided by the TLS protocol, allowing the attacker to:
- Impersonate the endpoints (i.e., authentication failure)
- Tamper with their messages (i.e., integrity erosion)
- Actively eavesdrop on their communications (i.e., confidentiality loss)
Threat Model
The backdoor designer can:
- “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets.”
- “Influence policies, standards and specifications for commercial public key technologies.”
- Interfere with the supply chain
- Disregard everything about policy
- Or, she is simply in the position to build the security module used by the Certification Authority for generating the key material
Three Modules

network-simple-tls

Echo service over TLS
Where is the backdoor?
If the client and server code is contributed by an open-source project and it is used as-is, where is the backdoor?
A Covert Channel
- The upper-order bits of the RSA modulus encode the asymmetric encryption of a seed generated at random
- The same seed was used to generate one of the RSA primes of the CA public-key modulus
- The RSA modulus is at the same time an RSA public key and a ciphertext that gives the backdoor designer the ability to factor the modulus with ease
Where the backdoor is not
No backdoor was slipped into the cryptographic credentials issued to the communicating endpoints
SETUP Attacks
- Notion introduced by Adam Young and Moti Yung at Crypto ’96
- Young and Yung elliptic-curve asymmetric backdoor in RSA key generation
- Expands on ‘A Space Efficient Backdoor in RSA and its Applications’, Selected Areas in Cryptography ’05
- A working implementation at http://cryptovirology.com
NOBUS
- The exploitation requires access to resources not embedded in the backdoor itself
  - e.g., the elliptic-curve private key
- The vulnerability can be exploited by the backdoor designer and by whoever gains access to the associated key-recovery system
How many of you believe that it is possible to forbid an enemy intelligence organization from gaining access to a private key?
Indistinguishability
- Assuming ECDDH holds
- The backdoor key pairs appear to all probabilistic polynomial-time algorithms like genuine RSA key pairs
- Black-box access to the key generator does not allow detection
Forward Secrecy
- If a reverse-engineer breaches the key generator, then the previously stolen information remains confidential
Reusability
- The backdoor can be used multiple times and against multiple targets
Impact
A Subtle Attack
- Break TLS security guarantees at will
  - Impersonation (e.g., authentication failure)
  - Message tampering (e.g., integrity erosion)
  - Active eavesdropping of encrypted communications (e.g., confidentiality loss)
- No need to have access to any private key used by system actors
- No need to tamper with the communicating endpoints
- Need to retain control over the key generation of the target RSA modulus
Is the malicious implementer a threat mitigated by IT product security certifications?
Fictional Security
A single CA certificate with a secretly embedded backdoor renders the entire TLS security fictional
One rotten apple...
... spoils the whole barrel
Ethylene

Universal implicit cross-certification is the ethylene of trust

C2H4
Cross Certification
- Cross certification enables entities in one public key infrastructure to trust entities in another PKI
- This mutual trust relationship should typically be supported by a cross-certification agreement between the CAs in each PKI
- The agreement establishes the responsibilities and liability of each party
Explicit Cross Certification
- Each CA is required to issue a certificate to the other to establish a relationship in both directions
- The path of trust is not hierarchical, although the separate PKIs may be certificate hierarchies
- After two CAs have established and specified the terms of trust and issued the certificates to each other, entities within the separate PKIs can interact subject to the policies specified in the certificates
![Page 80: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/80.jpg)
...
But this is just in theory...
![Page 81: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/81.jpg)
...
In practice:
![Page 82: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/82.jpg)
..
Implicit Cross Certification
.Impact
.59/103
..
. Most current PKI software employs a form of implicit cross certification in which all root CAs are equally trusted
. Equivalent to unbounded cross certification among all CAs
. Any certificate can be trivially replaced by a masquerader's certificate from another CA
. The security of any certificate is reduced to that of the least trustworthy CA, who can issue a bogus certificate to usurp the legitimate one, at the same level of trust
![Page 86: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/86.jpg)
..
CA Certificate in a MitM Proxy
.Impact
.60/103
..
![Page 87: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/87.jpg)
..
Superfish Adware
.Impact
.61/103
..
![Page 88: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/88.jpg)
..
PKI is Not Dead, Just Resting
.Impact
.62/103
..
![Page 89: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/89.jpg)
...
Universal implicit cross-certification
![Page 90: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/90.jpg)
...
Security
![Page 91: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/91.jpg)
...
Ethylene
![Page 92: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/92.jpg)
...
Rotting fruit
![Page 93: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/93.jpg)
...
As weak as the weakest link
![Page 94: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/94.jpg)
...
Multiple attackers attracted
![Page 95: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/95.jpg)
..
![Page 96: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/96.jpg)
..
![Page 97: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/97.jpg)
..
![Page 98: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/98.jpg)
...
Negating any meaningful security whatsoever
![Page 99: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/99.jpg)
...Impact
.73/103
It is essential to have assurance about the security of each implementation of vulnerable key-generation algorithms employed by trusted credential issuers
![Page 100: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/100.jpg)
..
Hundreds of CAs
.Impact
.74/103
...
188 Trusted CA certificates installed
![Page 101: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/101.jpg)
...Impact
.75/103
Do we have sufficient assurance about the hundreds of CA certificates we entrust our business to every day?
![Page 102: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/102.jpg)
..
Requirements
.Impact
.76/103
..
. Publicly trusted certificates to be issued in compliance with European Standard EN 319 411-3
. CA key generation to be carried out within a device that meets the requirements identified by some approved PP (Protection Profile)
. CEN Workshop Agreement 14167, Parts 2, 3 and 4 are three of those PPs
. EAL4 Augmented
. Augmentation from adherence to ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
![Page 107: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/107.jpg)
..
ADV_IMP.2, AVA_CCA.1, and AVA_VLA.4
.Impact
.77/103
..
. Focused on assessing the vulnerabilities in the TOE (Target of Evaluation)
. Guaranteeing that the implementation representation is an accurate and complete instantiation of the TSF (TOE Security Functionality) requirements
. Special emphasis on identifying covert channels and estimating their capacity
. SETUP attacks use the key generation itself as a covert channel
![Page 111: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/111.jpg)
..
Yet
.Impact
.78/103
..
. The developer is in charge of the vulnerability assessment and its documentation
. This conflicts with our threat model
. The evaluator is left with the documentation and the implementation representation to be assessed
. Can the presence of a backdoor be ruled out at the required assurance level?
. Formal methods are required only at the two highest levels (EAL6 and EAL7)
. The implementation representation may render backdoor detection unlikely (e.g., HDL at design time, netlist at fabrication time)
![Page 117: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/117.jpg)
..
Key Takeaway
.Impact
.79/103
As long as the implementations of RSA — or, more generally, algorithms vulnerable to this class of attacks — used by trusted entities (e.g., CAs) cannot be audited by relying parties (e.g., X.509 end-entities), any trust anchor for the same trusted entities (e.g., a root certificate) is to be regarded as a potential backdoor
![Page 118: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/118.jpg)
..
Key Takeaway - Ctd
.Impact
.80/103
As long as the implementation of algorithms adopted by CAs and vulnerable to this class of backdoors cannot be audited by relying parties, the assurance provided by illusoryTLS (i.e., none whatsoever) is not any different from the assurance provided by systems relying upon TLS and RSA certificates for origin authentication, confidentiality, and message integrity guarantees
![Page 119: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/119.jpg)
..
Mitigations
.Impact
.81/103
. Key Pinning, RFC 7469, Public Key Pinning Extension for HTTP (HPKP), April 2015
. Certificate Transparency, RFC 6962, June 2013
. DANE, DNS-based Authentication of Named Entities, RFC 6698, August 2012
. TACK, Trust Assertions for Certificate Keys, draft-perrin-tls-tack-02.txt, expired
. Proper explicit cross-certification
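The first mitigation listed above is the one that directly counters the "least trustworthy CA" problem of implicit cross certification: a pin ties a host to specific public keys, so a certificate for the same name issued by any other trusted root fails even though ordinary chain validation accepts it. The following is an added example, not code from the talk or from RFC 7469 itself. It computes RFC 7469 fingerprints (base64 of the SHA-256 of the DER SubjectPublicKeyInfo) and applies the rule that a chain passes only if at least one certificate's SPKI is pinned. The RSA moduli, the host and CA labels, and the DER builder are constructed stand-ins for this example; the keys are not real RSA keys.

```python
"""Public-key pinning check in the spirit of RFC 7469 (HPKP).

Added example, not code from the talk. A pin is base64(SHA-256(SubjectPublicKeyInfo DER)).
Pinning ties a host name to specific keys, so a certificate for the same name that some
other trusted CA issued is rejected even though ordinary chain validation would accept it.
All keys below are constructed stand-ins, not real RSA keys.
"""
import base64
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key, laid out as in RFC 3279."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    algorithm_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # OID + NULL parameters
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)     # BIT STRING, 0 unused bits
    return der_tlv(0x30, algorithm_id + subject_public_key)


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 fingerprint: base64 of the SHA-256 digest of the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pinned_fingerprints) -> bool:
    """Pin validation: accept the chain only if at least one certificate's SPKI is pinned.

    This runs in addition to, not instead of, normal path validation to a trusted root.
    """
    return any(pin_sha256(spki) in pinned_fingerprints for spki in chain_spkis)


def constructed_modulus(label: bytes, bits: int = 2048) -> int:
    """Deterministic stand-in for an RSA modulus (constructed; not a product of two primes).
    Only its byte layout matters for computing a pin."""
    out = b""
    while len(out) * 8 < bits:
        out += hashlib.sha256(label + len(out).to_bytes(2, "big")).digest()
    n = int.from_bytes(out[: bits // 8], "big")
    return n | (1 << (bits - 1)) | 1


def demo():
    """The legitimate key is pinned (plus a backup pin, as RFC 7469 requires); a rogue
    CA's certificate for the same host fails pin validation even if its chain validates."""
    e = 65537
    legit_leaf = rsa_spki_der(constructed_modulus(b"example-host-key"), e)
    backup_key = rsa_spki_der(constructed_modulus(b"example-backup-key"), e)
    intermediate = rsa_spki_der(constructed_modulus(b"legit-intermediate-ca"), e)
    rogue_leaf = rsa_spki_der(constructed_modulus(b"rogue-issued-key"), e)
    rogue_intermediate = rsa_spki_der(constructed_modulus(b"least-trustworthy-ca"), e)

    pins = {pin_sha256(legit_leaf), pin_sha256(backup_key)}
    return {
        "legit_chain_ok": chain_matches_pins([legit_leaf, intermediate], pins),
        "rogue_chain_ok": chain_matches_pins([rogue_leaf, rogue_intermediate], pins),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning the SPKI rather than the whole certificate lets the operator renew certificates under the same key without changing the pin, which is why RFC 7469 hashes the SubjectPublicKeyInfo. Browsers have since withdrawn HPKP, but the same SPKI pin check is what mobile apps and internal clients still apply; in every case the backup pin matters, because a lost pinned key with no backup locks out every pinned client.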
![Page 120: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/120.jpg)
...A Backdoor Embedding Algorithm
.82/103
..
A Backdoor Embedding Algorithm
![Page 121: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/121.jpg)
..
Subtleness
.A Backdoor Embedding Algorithm
.83/103
The subtleness of a backdoor planted in a cryptographic credential resides in the absence of malicious logic in the system whose security it erodes.
![Page 122: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/122.jpg)
..
An attack variant
.A Backdoor Embedding Algorithm
.84/103
...
RyanC: https://gist.github.com/ryancdotorg/18235723e926be0afbdd
![Page 123: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/123.jpg)
..
Idea
.A Backdoor Embedding Algorithm
.85/103
1. Embed a Curve25519 public key into the key generator
2. Generate an ephemeral Curve25519 key at random
3. Compute a shared secret using Elliptic Curve Diffie-Hellman
4. Use the shared secret to seed a cryptographically secure pseudo-random number generator (CSPRNG) based on AES run in CTR mode
5. Generate a normal RSA key using the seeded CSPRNG
6. Replace 32 bytes of the generated modulus with the ephemeral Curve25519 public key
7. Use the original prime factors to compute two new primes leading to a new modulus embedding the ephemeral public key
8. Output the RSA key with the secretly embedded backdoor
![Page 131: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/131.jpg)
..
Key Recovery
.A Backdoor Embedding Algorithm
.86/103
1. Extract the ephemeral Curve25519 public key from the target modulus
2. Compute the shared secret via ECDH, using the private key associated with the public key embedded in the key generator
3. Use the shared secret to seed the CSPRNG based on AES run in CTR mode
4. Generate a normal RSA key using the seeded CSPRNG
5. Replace 32 bytes of the generated modulus with the ephemeral Curve25519 public key
6. Use the original prime factors to compute two new primes leading to the target modulus embedding the ephemeral public key
7. Output the recovered RSA private key
![Page 138: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/138.jpg)
..
Broken
.A Backdoor Embedding Algorithm
.87/103
..
. Although the idea is nice
. The key pairs generated using this algorithm fall short in terms of indistinguishability
. It is easy to tell backdoored certificates apart from genuine RSA certificates using only black-box access
![Page 139: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/139.jpg)
A Backdoor Embedding Algorithm
88/103
Does anybody see why this is the case?
![Page 140: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/140.jpg)
Distinguishing Attack
A Backdoor Embedding Algorithm
89/103
- A public-key embedded into an RSA modulus
- Elliptic curve public-keys are points on the curve
- And elliptic curve points are easily distinguished from uniform random strings
- A security evaluator could check if the coordinates encoded using the candidate 32-byte substrings of the modulus satisfy the elliptic curve equation
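The evaluator's check described on this slide, written out as an added example (it is not code from the talk or from the illusoryTLS repository). It assumes the naive embedding sits at byte offset 80, the `pos=80` the deck's own code uses later; it stands in constructed SHA-256-derived bytes for real RSA moduli; and it manufactures genuine curve points with an X25519 Montgomery ladder (RFC 7748, without clamping) so the test data contains real public keys rather than the base point alone. It goes one step beyond the slide: a single 32-byte window of an honest modulus decodes to a curve point about one time in four, so the example also measures the pass rate at a fixed offset across a batch of certificates, which is what turns a coincidence into a black-box distinguisher. Elligator representatives, introduced on the following slides, pass this check no more often than uniform bytes, which is exactly why the check stops working once the embedding is repaired.

```python
import hashlib

# Curve25519 in Montgomery form, y^2 = x^3 + A*x^2 + x over GF(p)
P = 2**255 - 19
A = 486662
A24 = (A - 2) // 4  # 121665, the ladder constant from RFC 7748
POS = 80            # byte offset of the embedded value, as in the deck's own code (pos=80)


def is_square(n):
    """Euler's criterion: n is a quadratic residue mod p iff n^((p-1)/2) == 1 (0 counts)."""
    n %= P
    return n == 0 or pow(n, (P - 1) // 2, P) == 1


def is_on_curve25519(x):
    """x is the x-coordinate of a point on the curve iff x^3 + A*x^2 + x is a square;
    otherwise it is an x-coordinate on the quadratic twist."""
    return is_square((x * x * x + A * x * x + x) % P)


def window_is_curve_point(window):
    """A Curve25519 public key is the 32-byte little-endian encoding of a reduced x-coordinate."""
    if len(window) != 32:
        return False
    x = int.from_bytes(window, "little")
    return x < P and is_on_curve25519(x)


def scan_modulus(modulus, width=32):
    """Offsets at which a 32-byte window decodes to a curve point. For uniform bytes a window
    passes with probability about 1/4 (x < p about half the time, and about half of all field
    elements are curve x-coordinates), so isolated hits are expected noise."""
    return [i for i in range(len(modulus) - width + 1)
            if window_is_curve_point(modulus[i:i + width])]


def batch_pass_rate(moduli, offset=POS):
    """Fraction of moduli whose window at one fixed offset is a curve point: around 1/4 for an
    honest generator, exactly 1.0 for the naive embedding, which is the black-box tell."""
    return sum(window_is_curve_point(m[offset:offset + 32]) for m in moduli) / len(moduli)


def x25519_basemult(k):
    """x-coordinate of k*G (G has x = 9), RFC 7748 Montgomery ladder without clamping.
    Used only to manufacture genuine curve points for the constructed test data."""
    x1 = 9
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def constructed_modulus(label, embed=None, pos=POS, size=256):
    """Constructed stand-in for a 2048-bit modulus (not a real RSA key): SHA-256 chained
    pseudo-random bytes, optionally with 32 bytes overwritten at pos like the naive embedding."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(label.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    buf = bytearray(out[:size])
    buf[0] |= 0x80  # a full-length modulus has its top bit set
    if embed is not None:
        buf[pos:pos + len(embed)] = embed
    return bytes(buf)


def demo(batch=16):
    """Pass rates at POS for an honest-looking batch and for a batch with curve points embedded."""
    honest = [constructed_modulus("honest-%d" % i) for i in range(batch)]
    naive = [constructed_modulus("naive-%d" % i,
                                 embed=x25519_basemult(1000 + i).to_bytes(32, "little"))
             for i in range(batch)]
    return batch_pass_rate(honest), batch_pass_rate(naive)


if __name__ == "__main__":
    print("honest %.2f, naive embedding %.2f" % demo())
```

A single certificate only gives a one-in-four false positive rate, so `scan_modulus` on one key is a hint, not a verdict; the batch rate at a fixed offset, or the same offset lighting up across many keys from one generator, is what an evaluator should act on.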
![Page 144: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/144.jpg)
Repairing the Backdoor
A Backdoor Embedding Algorithm
90/103
If we could make the elliptic curve points indistinguishable from random strings, then the backdoor indistinguishability would be retained
![Page 145: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/145.jpg)
Elligator
A Backdoor Embedding Algorithm
91/103
- Censorship sucks!
- Daniel J. Bernstein, Anna Krasnova, Mike Hamburg, Tanja Lange
- An encoding for points on a single curve as strings indistinguishable from uniform random strings
- http://elligator.cr.yp.to
![Page 146: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/146.jpg)
Inherently Dual Use
A Backdoor Embedding Algorithm
92/103
All cyber security technology is inherently dual use
![Page 147: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/147.jpg)
Undetectability for Good or Ill
A Backdoor Embedding Algorithm
93/103
- Just like any and all cyber security tools
- Undetectability of curve points can be used for good or ill
- For censorship-circumvention or surveillance
![Page 148: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/148.jpg)
Between Offense and Defense
A Backdoor Embedding Algorithm
94/103
I believe we can positively contribute to the discussion and practice of information security by walking the fine line between offense and defense
![Page 149: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/149.jpg)
Code
A Backdoor Embedding Algorithm
95/103
- Website — http://illusorytls.com
- illusoryTLS — https://github.com/secYOUre/illusoryTLS
- pyelligator — https://github.com/secYOUre/pyelligator
- rsaelligatorbd — https://github.com/secYOUre/rsaelligatorbd
![Page 150: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/150.jpg)
Elligator backdoor embedding
A Backdoor Embedding Algorithm
96/103
- Embed a Curve25519 public-key into the key-generator

```python
MASTER_PUB_HEX = '525e422e42c9c662362a7326c3c5c785ac7ef52e86782c4ac3c06887583e7a6f'
master_pub = unhexlify(MASTER_PUB_HEX)
```
![Page 151: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/151.jpg)
Elligator backdoor embedding
A Backdoor Embedding Algorithm
96/103
- Generate an ephemeral Curve25519 key at random and the associated uniform representative string

```python
while True:
    private = urandom(32)
    (v, pub, rep) = elligator.scalarbasemult(private)
    if v:
        break
```
![Page 152: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/152.jpg)
Elligator backdoor embedding
A Backdoor Embedding Algorithm
96/103
- Compute a shared secret using ECDH
- Use the shared secret to seed a CSPRNG based on AES run in CTR mode

```python
# combine the ECDH keys to generate the seed
seed = nacl.crypto_box_beforenm(master_pub, private)
prng = AESPRNG(seed)
```
![Page 153: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/153.jpg)
Elligator backdoor embedding
A Backdoor Embedding Algorithm
96/103
- Generate a normal RSA key using the seeded CSPRNG

```python
# deterministic key generation from seed
rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes)
...
def build_key(bits=2048, e=65537, embed='', pos=1, randfunc=None):
    # generate base key
    rsa = RSA.generate(bits, randfunc)
```
![Page 154: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/154.jpg)
Elligator backdoor embedding
A Backdoor Embedding Algorithm
96/103
- Replace 32 bytes of the generated modulus with the representative string associated to the ephemeral Curve25519 public-key

```python
# extract modulus as a string
n_str = unhexlify(str(hex(rsa.n))[2:-1])
# embed data into the modulus
n_hex = hexlify(replace_at(n_str, embed, pos))
...
# overwrite some bytes in orig at a specified offset
def replace_at(orig, replace, offset):
    return orig[0:offset] + replace + orig[offset+len(replace):]
```
![Page 155: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/155.jpg)
Elligator backdoor embedding
A Backdoor Embedding Algorithm
96/103
- Use the original prime factors to compute two new primes leading to a new modulus embedding the uniform representative string

```python
n = gmpy.mpz(n_hex, 16)
p = rsa.p
# compute a starting point to look for a new q value
pre_q = n / p
# use the next prime as the new q value
q = pre_q.next_prime()
n = p * q
phi = (p-1) * (q-1)
# compute new private exponent
d = gmpy.invert(e, phi)
# make sure that p is smaller than q
if p > q:
    (p, q) = (q, p)
```
![Page 156: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/156.jpg)
Elligator backdoor embedding
A Backdoor Embedding Algorithm
96/103
- Output the backdoored RSA key

```python
return RSA.construct((long(n), long(e), long(d), long(p), long(q)))
```
![Page 157: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/157.jpg)
Key Recovery
A Backdoor Embedding Algorithm
97/103
- Extracts the representative string from the target modulus

```python
# Load an x.509 certificate from a file
x509 = X509.load_cert(sys.argv[2])
# Pull the modulus out of the certificate
orig_modulus = unhexlify(x509.get_pubkey().get_modulus())
(seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80)
...
def recover_seed(key='', modulus=None, pos=1):
    ...
    rep = modulus[pos:pos+32]
```
![Page 158: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/158.jpg)
Key Recovery
A Backdoor Embedding Algorithm
97/103
- Maps the representative string to the candidate ephemeral Curve25519 public-key

```python
pub = elligator.representativetopublic(rep)
```
![Page 159: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/159.jpg)
Key Recovery
A Backdoor Embedding Algorithm
97/103
- Computes the shared secret via ECDH, using the private-key associated to the public-key embedded in the key-generator
- Uses the shared secret to seed the CSPRNG based on AES run in CTR mode

```python
def recover_seed(key='', modulus=None, pos=1):
    # recreate the master private key from the passphrase
    master = sha256(key).digest()
    ...
    # compute seed with master private and ephemeral public key
    return (nacl.crypto_box_beforenm(pub, master), rep)
...
(seed, rep) = recover_seed(key=sys.argv[1], modulus=orig_modulus, pos=80)
prng = AESPRNG(seed)
```
![Page 160: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/160.jpg)
Key Recovery
A Backdoor Embedding Algorithm
97/103
- Generates a normal RSA key using the seeded CSPRNG

```python
# deterministic key generation from seed
rsa = build_key(embed=rep, pos=80, randfunc=prng.randbytes)
...
def build_key(bits=2048, e=65537, embed='', pos=1, randfunc=None):
    # generate base key
    rsa = RSA.generate(bits, randfunc)
```
![Page 161: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/161.jpg)
Key Recovery
A Backdoor Embedding Algorithm
97/103
- Replaces 32 bytes of the generated modulus with the representative string found in the target modulus

```python
# extract modulus as a string
n_str = unhexlify(str(hex(rsa.n))[2:-1])
# embed data into the modulus
n_hex = hexlify(replace_at(n_str, embed, pos))
```
![Page 162: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/162.jpg)
Key Recovery
A Backdoor Embedding Algorithm
97/103
- Uses the original prime factors to compute two new primes leading to the target modulus embedding the uniform representative string

```python
n = gmpy.mpz(n_hex, 16)
p = rsa.p
# compute a starting point to look for a new q value
pre_q = n / p
# use the next prime as the new q value
q = pre_q.next_prime()
n = p * q
phi = (p-1) * (q-1)
# compute new private exponent
d = gmpy.invert(e, phi)
# make sure that p is smaller than q
if p > q:
    (p, q) = (q, p)
```
![Page 163: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/163.jpg)
Key Recovery
A Backdoor Embedding Algorithm
97/103
- Output the recovered RSA key

```python
return RSA.construct((long(n), long(e), long(d), long(p), long(q)))
...
print rsa.exportKey()
```
![Page 164: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/164.jpg)
Conclusions
98/103
![Page 165: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/165.jpg)
![Page 166: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/166.jpg)
“Though I am often in the depths of misery, there is still calmness, pure harmony and music inside me.”
Vincent van Gogh
![Page 167: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/167.jpg)
“Though we are often in the depths of insecurity, there is still calmness, pure harmony and music inside us.”
![Page 168: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/168.jpg)
THANK YOU
![Page 169: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/169.jpg)
Q ?
![Page 170: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/170.jpg)
Backup
104/103
![Page 171: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/171.jpg)
Normal RSA Key Generation — Young and Yung
Backup
105/103
1. Let $e$ be the public RSA exponent (e.g., $2^{16} + 1$)
2. Choose a large number $p$ randomly (e.g., 1024 bits long)
3. If $p$ is composite or $\gcd(e, p-1) \neq 1$ then go to step 1
4. Choose a large number $q$ randomly (e.g., 1024 bits long)
5. If $q$ is composite or $\gcd(e, p-1) \neq 1$ then go to step 3
6. Output the public-key $(N = pq, e)$ and the private-key $p$
7. The private exponent $d$ is found by solving for $(d, k)$ in $ed + k\phi(N) = 1$ using the extended Euclidean algorithm
![Page 172: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/172.jpg)
RSA Encryption/Decryption — Young and Yung
Backup
106/103
- $N = p \cdot q$, where $p$ and $q$ are large primes known to the key owner
- Everyone knows $N$ and $e$
- Let $d$ be the private key exponent, where $ed \equiv 1 \pmod{(p-1)(q-1)}$
- To encrypt $m \in \mathbb{Z}_N^*$ (after padding) compute $c = m^e \bmod N$
- To decrypt the ciphertext $c$ compute $m = c^d \bmod N$
- As far as we know, given $N$ and $e$ one can find $d$ only with knowledge of the factorization
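The honest generation procedure on the previous slide and the encrypt/decrypt equations on this one, carried through as an added example (not Young and Yung's code, nor the talk's). It assumes Miller-Rabin as the "is composite" test, and it adds the consistency checks an auditor can run on a private key that lands on their desk: the factors are distinct primes, $N = pq$, $\gcd(e, \phi) = 1$ and $d$ really inverts $e$. The `seed` parameter exists only so the example and its test are reproducible; real keys must come from the OS CSPRNG, which is the `seed=None` path.

```python
import random
import secrets
from math import gcd


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test; 'composite' in steps 3 and 5 means this test fails."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b) (step 7)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def random_prime_coprime(bits, e, rng):
    """Steps 2-3 (and 4-5): draw candidates until one is prime and gcd(e, p-1) == 1."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full bit length, odd
        if is_probable_prime(p, rng) and gcd(e, p - 1) == 1:
            return p


def generate_rsa(bits=2048, e=65537, seed=None):
    """Honest RSA key generation following the slide. `seed` makes a run reproducible for
    demos and tests only; real keys must use the OS CSPRNG (seed=None)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    p = random_prime_coprime(bits // 2, e, rng)
    q = random_prime_coprime(bits // 2, e, rng)
    while q == p:
        q = random_prime_coprime(bits // 2, e, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    g, d, k = egcd(e, phi)  # e*d + k*phi == 1
    assert g == 1
    return {"n": n, "e": e, "d": d % phi, "p": p, "q": q}


def encrypt(m, key):
    return pow(m, key["e"], key["n"])


def decrypt(c, key):
    return pow(c, key["d"], key["n"])


def check_private_key(key):
    """Consistency checks an auditor can run on a private key: distinct prime factors,
    n == p*q, gcd(e, phi) == 1, and d really inverts e modulo phi."""
    rng = secrets.SystemRandom()
    p, q, n, e, d = key["p"], key["q"], key["n"], key["e"], key["d"]
    phi = (p - 1) * (q - 1)
    return (p != q and n == p * q
            and is_probable_prime(p, rng) and is_probable_prime(q, rng)
            and gcd(e, phi) == 1 and (e * d) % phi == 1)


if __name__ == "__main__":
    key = generate_rsa(bits=1024)
    print(check_private_key(key), decrypt(encrypt(42, key), key))
```

These checks confirm that a key is internally consistent with the honest procedure; they say nothing about where the randomness came from, which is the whole point of the embedding algorithm in the body of the talk: a key built from a CSPRNG seeded by an ECDH secret passes every one of them.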
![Page 173: illusoryTLS: Nobody But Us Impersonate, Tamper, Exploit (DeepSEC 2015)](https://reader031.vdocuments.net/reader031/viewer/2022030311/58ee637b1a28ab99208b45df/html5/thumbnails/173.jpg)
Elliptic Curve Decision Diffie-Hellman Problem
Backup
107/103
- Let $C$ be an elliptic curve over the finite field $\mathbb{F}_q$ with prime order $n$
- Let $G$ be the base point of the curve
- Given three points $xG$, $yG$ and $zG$
- Decide whether $zG = xyG$ or not
- Where $x, y, z$ are chosen randomly and $1 < x, y, z < n$