BackdoorsinPRGsandPRNGs

KennyPaterson

InformationSecurityGroup

@kennyog;www.isg.rhul.ac.uk/~kp

Overviewofthislecture

• Motivationforconsideringbackdoors

•  BackdoorsinPRGs•  BackdoorsinPRNGs(PRGswithentropyinputs)

2

Motivation

TheSnowdenrevelations

•  In2013,SnowdenrevealedtheextentoftheNSAmasssurveillanceprograms

•  Newthreatmodel:

•  Backdoors,subversion,…

•  LedtoincreasedsuspicionoftheDual_ECpseudorandomgenerator

•  Standardizedbyseveralstandardizationbodies:NIST,ISO,ANSI,…

•  Simplegeneratorbasedontwo(specificandfixed)ellipticcurvepoints,PandQ.

•  Biasedandslow,sonorealincentivetouseit.

•  ButknowledgeofthediscretelogofPwrt.Qallowsstaterecoveryfromgeneratoroutputs(Shumov-Ferguson2007),sogoodtargetforbackdooring.

4

BasisforanattackagainstTLS?

TLSECDHEhandshake(simplified):

Client Server

clientrandom

serverrandom,sessionID,cert(pk),aP,sig

bP,Finished

Finished

MS=PRF(x(abP),“mastersecret”,clientrandom,serverrandom)

Checkowayetal.“OnthePracticalExploitabilityofDualECinTLSImplementations”,USENIX’14

5

TheJuniperincident

JuniperNetworksisamajorvendorofnetworksecuritydevices.

ScreenOSistheOperatingSysteminJuniper’sNetscreenVPNproductfamily.

2008:JuniperadoptDual_ECinScreenOS.

10/2013:JuniperpublishaknowledgebasearticleexplainingthatScreenOSusesDualEC,but“inawaythatshouldnotbevulnerabletothepossibleissuethathasbeenbroughttolight”.

•  CustomQinsteadofNIST-standardised(andNSA-generated)Q.

•  Dual_ECoutputpost-processedbyANSIX9.31generator.

12/2015:Junipermakesvulnerabilityannouncement:

“VPNDecryption(CVE-2015-7756)mayallowaknowledgeableattackerwhocanmonitorVPNtraffictodecryptthattraffic.[…]ThisissueaffectsScreenOS6.2.0r15through6.2.0r18and6.3.0r12through6.3.0r20.NootherJuniperproductsorversionsofScreenOSareaffectedbythisissue.Thereisnowaytodetectthatthisvulnerabilitywasexploited”.

6

TheJuniperincident

2015/2016:ReverseengineeringeffortbyCheckowayetal.discovers:

•  SubtlescopingbugincodemeansthatDual_ECoutputisdirectlyexposedasScreenOSPRNGoutput(insteadofbeingpost-processed).

•  Increasednoncesizeof32bytesinJuniperIKEimplementationisidealforrecoveringDual_ECstate.

•  EventhoughnoncefollowsDHvalueinIKEprotocol,noncevalueisgeneratedbeforeDHvalueandstoredinaqueue.

•  Hence,someonewhoknowsdlogP(Q)canrecover(EC)DHprivatevalueusingDual_ECbackdoor,andthenceallencryptionkeys,fromobservingasingleIKErun.

•  CVE-2015-7756actuallyreferstoachangeintheQvalue:itappearsthatJuniper’scustomQvaluewasreplacedin2012,alongwithtestvectors,bypersonsunknown.

•  SoJuniper(andpossiblyothers)couldpassivelybreakcustomers’IPsectraffic,butthenlostthecapabilitytopersonsunknown.

Detailsin:Checkowayetal.,ASystematicAnalysisoftheJuniperDualECIncident,ACM-CCS2016.7

BackdoorsinPRGs

BackdoorsinPRGs

Mainresearchquestion:

Tworecentresearchpapersaddressingthis:

•  Dodis-Ganesh-Golovnev-Juels-Ristenpart(Eurocrypt2015)

•  Degabriele-Paterson-Schuldt-Woodage(Crypto2016)

Towhatextentcanprovablysecurepseudorandomgeneratorsbebackdoored?

9

PseudorandomGenerators(PRGs)

Pseudorandomgenerator

(pp,bk)setup1λ stinitpp

r,st'nextst

Givenashortrandomseedasinput,aPRGoutputsanarbitrarylongstringofpseudorandombits

10

ForwardSecurityforPRGs

[]

GameFWD(,q)

nextst0 (stq,r10,…,rq0)q

setup

init

1λ (pp,bk)

pp st0

(pp,r1b,…,rqb,stq)

(r11,…,rq1)

b’

{0,1} b

return(b=b’)

Adv(,q)=2|Pr[FWD⇒1]-1/2|Advantage

Forall:Adv(,q)≤𝜀

(q,𝜀)-FWDSecurity

11

BackdooredPRGs

12

Lettype-BPRG()begamecapturingaspecificbackdooringgoal,andletAdv()denotethecorrespondingadvantage.

BackdooringGame

AtupleofalgorithmsPRG’=(setup,init,next,)isa(q,δ,[type,𝜀])-FWD-secureBPRGif:• PRG=(setup,init,next)isa(q,δ)-FWD-securePRG• Adv()≥𝜀

(q,δ,[type,𝜀])-FWD-secureBPRG

BigBrother:

Dodis-Ganesh-Golovnev-Juels-Ristenpart(2015)

•  Considerationofvariousdifferentbackdooringgoals.•  Distinguishingoutputfromrandom:type=DIST

•  Predictionofpast/futureoutputsgivencurrentoutput(randomseek):type=RSEEK

•  Predictionofcurrentstate:type=NEXT

•  (Inpractice,BBwouldliketorecoverinitialstate,notaddressedbyDodisetal.)

•  EquivalenceofDIST-backdooredPRGsandsingle-bitpublickeyencryptionwithpseudorandomciphertexts.•  SobackdooredPRGsarereallypublickeyprimitives.

•  cf.useofECDLPtobuildDual_EC.

•  Meansthatconstructionswill“looksuspicious”.

13

DIST-BPRGgame

[]

GameDIST-BPRG(,q)

nextst0 (stq,r10,…,rq0)q

setup

init

1λ (pp,bk)

pp st0

(bk,r1b,…,rqb)

(r11,…,rq1)

b’

{0,1} b

return(b=b’)

Adv(,q)=2|Pr[FWD⇒1]-1/2|

Advantage

•  PRG=(setup,init,next)is(q,δ)-FWD-secure.

•  Adv(,q)≥𝜀

(q,δ,[DIST,𝜀])-FWD-secureBPRG:

14

ConstructionofbitencryptionusingabackdooredPRGfrom[DGGJR15]

15

(pp,bk)setup1λ

stinitpp

r,st'nextst

(q,δ,[DIST,𝜀])-secureBPRG

(stq,r10,…,rq0)

setup (pp,bk)

return(PK=pp,SK=bk)

KGen(1λ):

1λ

Enc(PK,b):

initPK st0

return(r1b,…,rqb)

[]nextst0q

(r11,…,rq1)

Dec(SK,c):

(SK,c) b’return(b’)

PKE

Theorem:Theconstructionproducesasingle-bitPKEschemethatis𝜀-correctand(q,δ)-IND-$CPAsecure.

Furtherresultsin[DGGJR15]

•  VariousconstructionsforbackdooredPRGsforthedifferentgoals,DIST,RSEEK,NEXT.

•  Carefulstudyof“immunisation”ofbackdooredPRGstoremovebackdoors.

•  HighlyrelevantinlightoftheJuniperincident!

16

•  CanaBPRGbesimultaneouslyforwardsecureandallowrecoveryofpastoutputsviabackdooring?

•  CanweachievestrongerbackdooringnotionsforPRGs,likerecoveryofinitialstate?

OpenProblems:

FIRST-BPRGgamefrom[DPSW16]

[]

GameFIRST-BPRG(,q,i)

nextst0 (stq,r1,…,rq)q

setup

init

1λ (pp,bk)

pp st0

(bk,ri) st’

return(st0=st’)

Adv(,q,i)=Pr[FIRST-BPRG⇒1]

Advantage

•  PRG=(setup,init,next)is(q,δ)-FWD-secure.

•  Adv(,q,i)≥𝜀foreveryi.

(q,δ,[FIRST,𝜀])-FWD-secureBPRG:

FIRSTisapowerfulbackdooringnotion:recoveryofinitialstatest0fromanyoutputriallowsreconstructionofallpastandfutureoutputs!

17

BuildingaFIRST-BPRG[DPSW16]

•  AforwardsecurePRG=(setup’,init’,next’)

•  AnIND$-CPAsecurereverse-rerandomizableencryptionschemePKE=(keygen,enc,rerand,rev-rerand,dec)

18

IND$-CPA

Ciphertextsareindistinguishablefromrandomstrings

Rerandomizable

Forallpk,m,r’:{enc(pk,m;r)|r←R}≈{rerand(enc(pk,m;r’),r)|r←R}

Reverse-rerandomizable

Forallpk,m,r,r’:enc(pk,m;r)=rev-rerand(rand(enc(pk,m;r),r’),r’)

AFIRST-BPRGconstruction[DPSW16]

19

setup

(pk,sk)←keygen(pp’,⊥)←setup’pp←(pp’,pk)bk←skreturn(pp,bk)

init

state: st0 c0

st0←init’(pp’)

c0←enc(pk,st0)

next

st c

(r,st’)←next’(st)

c

outputc’←rerand(c,r)

st' c’

Usingbk,backdooradvcan:•  Decryptctoobtainst0;•  RunPRGtogeneratethe

rvalues;•  Reversethe

rerandomizationsofctoobtainc0.

•  (RunthePRGforwardtocomputealloutputs.)

PRG=(setup,init,next)isa(q,δ,(FIRST,1))-FWD-secureBPRG.Thisfollowsfrom:• ForwardsecurityofPRG’=(setup’,init’,next’)• IND$-CPAsecurityandrerandomizationsecurityofPKE=(keygen,enc,rerand,rev-rerand,dec)

• Abilitytorecoverrvaluesandreversethererandomizations

BackdoorsinPRNGs

PRNGs(sometimes:PRNGswithinput)

21

(pp,bk)

PRNG

setup1λ stinitpp

r,st'nextst

APRGthatallowsstateupdateswithinputsfromanentropysource

refresh(pp,st,I) st'

Inputfromentropysource

Modelingentropyinputs:Thedistributionsampler[DPRVW13]

22

State:σ

(σ’,I,ɣ,z)σ

Updatedstate

InputtoPRNG

Entropyestimateforinput

Sideinformationregardinginput

Entropyrequirement: H∞(Ii|I1,…,Ii-1,Ii+1,…Iq,z1,…,zq,ɣ1,…,ɣq)≥ɣi

Distributionsampler

RobustnessforPRNGs

23

GameROB(,,ɣ*)

setup

init

1λ (pp,bk)

pp st

pp b’

{0,1} b

return(b=b’)

∅ σ∞ cGET,SET,REF,ROR

Adv(,,ɣ*):=2|Pr[ROB(,,ɣ*)⇒1]-1/2|

Advantage

GET()

return(st)0 c

SET(st')

st’ st0 c

REF()

σ

refresh

(σ,l,ɣ,z)

(pp,st,l) st

c+ɣ c

return(ɣ,z)

ROR()

(pp,st)

0 cifc<ɣ*then

next

return(r0)elsereturn(rb)

r0,st

r1

BackdooringmodelsforPRNGs[DPSW16]

WeconsideraPRNGwhichweaccordingtoarefreshpatternrp,definingasequenceofnextandrefreshcalls.

24

evolve

GameST-BPRNG(,,i,j,rp)

setup

init

1λ (pp,bk)

pp st0

sj’

return(sj=sj’)

evolve(pp,st0,rp)

(r1,st1,…,rq,stq)

(bk,ri,i,j,rp)

GameOUT-BPRNG(,,i,j,rp)

setup

init

1λ (pp,bk)

pp st0

rj’

return(rj=rj’)

evolve(pp,st0,rp)

(r1,st1,…,rq,stq)

(bk,ri,i,j,rp)

AsimplebackdooredPRNG[DPSW16]

•  Dodisetal.(2013)presentaconstructionofaprovablyrobustPRNG

•  Crucially,theoutputisproducedbyusingaforwardsecurePRGin-betweenrefreshes.

•  SimplyreplacethiswithaBPRG(andtweaktheentropyaccumulationprocess).

•  BackdoorattackercanthencompromisethePRNGintheperiodbetweenrefreshes.

•  ButthePRNGisstillrobustagainstanormalattacker.

•  Challenge:CanwedesignabackdooredPRNGinwhichthebackdoorattackercanmovepastrefreshes?

25

Buildingblocks•  ArobustPRNG’=(setup’,init’,refresh’,next’)

•  AnIND$-CPAsecurererandomizableencryptionschemePKE=(keygen,enc,rerand,dec)

ConstructionofabackdooredPRNG[DPSW16]

26

setup

(pk,sk)←keygen(pp’,⊥)←setup’pp←(pp’,pk)bk←skreturn(pp,bk)

init

state: st0 c0

st0←init’(pp’)

c0←enc(pk,st0)

ConstructionofabackdooredPRNG[DPSW16]

27

refresh

st c1 c2 c3 c4c1 c2 c3c1’ c4

deleted

enc(pk,st’)→c1’

st’←refresh’(st,I)

st’

next

st c1 c2 c3 c4

output1:r=c1||…||c4

output2: usenext’togeneraterbasedonst

st' c1’ c2’ c3’ c4’

rerandomizeciandupdatest

Recomputablebybackdooradversaryifstateisrecovered

fromoutput1

Fullconstruction[DPSW16]

28

RobustnessofPRNG=(setup,init,refresh,next)followsfrom:•  RobustnessofPRG’=(setup’,init’,refresh’,next’)•  IND$-CPAsecurityandrerandomizabilityofPKE=(keygen,

enc,rerand,dec)AdvantageofBigBrotherintheOUT-BPRNGgameisapprox.¼fori,jvaluesin‘range’and0otherwise.

Impossibilityresult[DPSW16]

OurbackdooredPRNGconstructioncruciallyreliesonstoringsnapshotsofthestate,andthedegreeofbackdooringislimitedbythesizeofthestatespace.

Weshowthatthisisinherenttoaclassofdistributionsamplers:

29

Forany𝜀-robustPRNG,anywell-behaveddistributionsampler,anysequenceofqueries,anylegitimatesubsequencef,anyjandk:

H∞(Sf(j)|Rf(j)+k,pp)≥(j+1)/2⋅log(1/𝜀)-min(l,n)wherenisthesizeofthestate,andlistheoutputsize.

Concludingremarks

Concludingremarks

Thebadnews:

•  Provablyforward-securePRGscanbebackdooredinthestrongestsensepossible:initialstaterecoveryfromanysingleoutput.

•  ProvablyrobustPRNGscanbebackdooredtoallowBigBrothertorecoverpreviousoutputvalues,evenifthePRNGisrefreshed.

Theslightlybetternews:

•  BPRGsmustlooklikepublickeyprimitives.

•  RobustPRNGsprovidesomeresistanceagainstbackdooring.

Futurework:

•  Strongerimpossibilityresults,immunizersforBPRNGs,additionalconstructionsofBPRGsandBPRNGswithmorecompactstateorstrongerbackdooring,…

31