Kleptography: Using Cryptography Against Cryptography

Young, Adam; Yung, Moti

doi:10.1007/3-540-69053-0_6

Cited by 165 publications

(96 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Following Young and Yung [52], Goh, Boneh, Pinkas and Golle [21] consider the problem of adding a hidden key recovery to protocols. They suggest that when the server needs a random nonce, it can use in its place an encryption of the session key computed under the escrow key.…”

Section: Iv-replacement Attacksmentioning

confidence: 99%

“…One option is that it use many different keys K so that any particular compromise has limited consequences. Another possibility, following Young and Yung's descriptions of kleptography [53], is that the subverted encryption use asymmetric rather than symmetric encryption so that compromise of the system reveals only a public encryption key, B alone holding the corresponding decryption key. Here we sketch the model and definitions, replacing the master key K with a pair of master keys ( K, L).…”

Section: B Asymmetric Subversionmentioning

confidence: 99%

“…Young and Yung have developed an extensive body of work on what they call kleptography, beginning with [51,52]. This concerns the deliberate subversion of cryptosystems to provide backdoor capabilities; our work is a special case.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Security of Symmetric Encryption against Mass Surveillance

Bellare

Paterson

Rogaway

2014

Lecture Notes in Computer Science

147

208

View full text Add to dashboard Cite

Abstract. Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of "big brother" is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.

show abstract

Section: Iv-replacement Attacksmentioning

confidence: 99%

Section: B Asymmetric Subversionmentioning

confidence: 99%

See 1 more Smart Citation

Security of Symmetric Encryption against Mass Surveillance

Bellare

Paterson

Rogaway

2014

Lecture Notes in Computer Science

147

208

View full text Add to dashboard Cite

show abstract

“…Unlike previous key recovery or escrow schemes that work at the level of encryption and signature algorithms [23,24], our designs use features of the protocol. We also consider practical issues such as ease of deployment and usage.…”

Section: Introductionmentioning

confidence: 99%

The Design and Implementation of Protocol-Based Hidden Key Recovery

Goh

Boneh

Pinkas

et al. 2003

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We show how to add key recovery to existing security protocols such as SSL/TLS and SSH without changing the protocol. Our key recovery designs possess the following novel features: (1) The Key recovery channels are "unfilterable" -the key recovery channels cannot be removed without also breaking correct operation of the protocol.(2) Protocol implementations containing our key recovery designs can inter-operate with standard (uncompromised) protocol implementations -the network traffic produced is indistinguishable from that produced by legitimate protocol implementations. (3) Keys are recovered in real time, hence most or all application data is recovered. (4) The key recovery channels exploit protocol features, rather than covert channels in encryption or signature algorithms. Using these designs, we present practical key recovery attacks on the SSL/TLS and SSH 2 protocols. We implemented the attack on SSL/TLS using the OpenSSL library, a web browser, and a network sniffer. These tools allow us to eavesdrop on SSL/TLS connections from the browser to any server.

show abstract

“…Pairs of public/private keys are generated using a setup (secretly embedded trapdoor with universal protection) mechanism [35,36] by trusted third parties or tamper-resistant devices. The notion of setup is related to that of subliminal channel due to Simmons [30] (see also [10]).…”

Section: Related Workmentioning

confidence: 99%

RSA Moduli with a Predetermined Portion: Techniques and Applications

Joye

Information Security Practice and Experience

View full text Add to dashboard Cite

Abstract. This paper discusses methods for generating RSA moduli with a predetermined portion. Predetermining a portion enables to represent RSA moduli in a compressed way, which gives rise to reduced transmission-and storage requirements. The first method described in this paper achieves the compression rate of known methods but is fully compatible with the fastest prime generation algorithms available on constrained devices. This is useful for devising a key escrow mechanism when RSA keys are generated on-board by tamper-resistant devices like smart cards. The second method in this paper is a compression technique yielding a compression rate of about 2/3 instead of 1/2. This results in higher savings in both transmission and storage of RSA moduli. In a typical application, a 2048-bit RSA modulus can fit on only 86 bytes (instead of 256 bytes for the regular representation). Of independent interest, the methods for prescribing bits in RSA moduli can be used to reduce the computational burden in a variety of cryptosystems.

show abstract

Kleptography: Using Cryptography Against Cryptography

Cited by 165 publications

References 9 publications

Security of Symmetric Encryption against Mass Surveillance

Security of Symmetric Encryption against Mass Surveillance

The Design and Implementation of Protocol-Based Hidden Key Recovery

RSA Moduli with a Predetermined Portion: Techniques and Applications

Contact Info

Product

Resources

About