Cryptographic Reverse Firewalls · • Kleptography and cryptovirology - Young and Yung 1996 •...

Yevgeniy Dodis, Ilya Mironov, Noah Stephens-Davidowitz Cryptographic Reverse Firewalls

Cryptographic Reverse Firewalls

Yevgeniy Dodis (NYU) Ilya Mironov (Google)

Noah Stephens-Davidowitz (NYU)

Act I: Cryptography

in Crisis

Classical Crypto

Alice’s Trusty Computer!

Should Alice Trust Her Computer?

(xkcd.com)

Widespread Deliberate Corruption of Hardware and Software

“The%SIGINT%Enabling%Project%[$250M/year%program]%

acBvely%engages%the%US%and%foreign%IT%industries%to%

covertly%influence%and/or%overtly%leverage%their%

commercial%products’%designs.%These%design%changes%

make%the%systems%in%quesBon%exploitable%…%with%

foreknowledge%of%the%modificaBon.%To%the%consumer%

and%other%adversaries,%however,%the%systems’%security%

remain%intact.”%

%%Excerpt%from%the%N.S.A.’s%2013%budget%request%

%%The%New%York%Times,%September%5,%2013%

Widespread Deliberate Corruption of Hardware and Software

Cryptographers have agreed not to accept this

The membership of the IACR repudiates mass surveillance and the undermining of cryptographic solutions and standards. Population-wide surveillance threatens democracy and human dignity. We call for expediting research and deployment of effective techniques to protect personal privacy against governmental and corporate overreach.

IACR Copenhagen ResolutionEurocrypt 2014, Copenhagen

Widespread, (Apparently) Accidental Bugs in Cryptographic Software

Crypto in the Real World?

iHEARTdogs&CAT$

4117-8289-1856

iHEARTdogs&CAT$

4117-8289-1856

Can we possibly do crypto on a compromised machine?

Prior Work

Prior Work• Subliminal channels

- Simmons 1984, …

- Simmons 1984, …• Divertible protocols

- Blaze, Bleumer, Strauss 1998

- Blaze, Bleumer, Strauss 1998• Limited security against limited forms of corruption

- Blaze, Bleumer, Strauss 1998• Limited security against limited forms of corruption• Only synchronous protocols

• Kleptography and cryptovirology

• Kleptography and cryptovirology- Young and Yung 1996

• Algorithm Substitution Attacks

• Algorithm Substitution Attacks- Bellare, Paterson, Rogaway 2014

• Symmetric-key encryption

• Symmetric-key encryption• Limited forms of corruption

- Bellare and Hoang 2015

- Bellare and Hoang 2015• Deterministic PKE

- Bellare and Hoang 2015• Deterministic PKE• Limited forms of corruption

• Backdoored PRGs

• Backdoored PRGs- Dodis, Ganesh, Golovnev, Juels, and Ristenpart 2015

Impossibility results in strongest models

We generalize these models and show a way around the impossibility results.

Act II….

Reverse Firewalls!

Reverse Firewalls!• Firewall sits between Alice’s computer and the outside world

Reverse Firewalls!• Firewall sits between Alice’s computer and the outside world• Modifies the messages that Alice sends and receives.

Reverse Firewalls!• Firewall sits between Alice’s computer and the outside world• Modifies the messages that Alice sends and receives.• Transparent to legitimate traffic.

- Certainly doesn’t break functionality.

- Certainly doesn’t break functionality.• Shares no secrets with Alice.

- We don’t trust the firewall.

- We don’t trust the firewall.• “Improves security!”

Reverse Firewall Functionality

Underlying classical protocol has some functionality.

Protocol with firewall has same functionality.

Reverse Firewall Security

Reverse Firewall SecurityUnderlying protocol satisfies some security notion.

Protocol with firewall satisfies the same security notion for any efficient corrupt implementation of Alice.

Underlying protocol satisfies some security notion.

Note: We require that the protocol is functional and secure without the reverse firewall when Alice’s

implementation is not corrupted.

Functionality Maintaining Corruption

A corrupted implementation of Alice is functionality maintaining if the protocol is still functional when Alice is replaced by .

(This is much more general than honest-but-curious adversaries, undetectable corruption, steganographic attacks, etc.)

Simple Example: Semantically Secure PKE

Let (Enc, Dec, Rerand) be a rerandomizable PKE scheme such that Dec(Rerand(Enc(m))) = m and Rerand(C) Enc(0)

for any C.

Underlying protocol:

for any C.

Firewall:

for any C.

Firewall:

for any C.

Firewall:

Functionality:

for any C.

Firewall:

Functionality:• Is the protocol functional without the firewall?

for any C.

Firewall:

Functionality:• Is the protocol functional without the firewall?

for any C.

Firewall:

Functionality:• Is the protocol functional without the firewall?• Is the protocol functional with the firewall?

for any C.

Firewall:

for any C.

Firewall:

Security:

for any C.

Firewall:

Security:• Is the protocol semantically secure without firewall?

for any C.

Firewall:

Security:• Is the protocol semantically secure without firewall?

for any C.

Firewall:

Security:• Is the protocol semantically secure without firewall?• Is the protocol with the firewall semantically secure

regardless of how behaves?

for any C.

Firewall:

Security:• Is the protocol semantically secure without firewall?• Is the protocol with the firewall semantically secure

regardless of how behaves?

What if the firewall is corrupt?

What if the firewall is corrupt?1) Honest Alice. Corrupt firewall.

(Security of the underlying protocol.)

2) Corrupt Alice. Honest firewall.

(Security of firewall.)

3) Corrupt Alice. Corrupt firewall.

(The whole world is corrupt….)

What can we instantiate in this crazy model?

Primitives with Reverse Firewalls

• [Mironov, S ‘15]

• [Mironov, S ‘15]- Oblivious transfer

• [Mironov, S ‘15]- Oblivious transfer- Secure function evaluation

• [Mironov, S ‘15]- Oblivious transfer- Secure function evaluation- “Exfiltration resistance” for arbitrary protocols

• [Dodis, Mironov, S ‘15]

• [Dodis, Mironov, S ‘15]- Message transmission in many different contexts

• [Dodis, Mironov, S ‘15]- Message transmission in many different contexts- Efficient CCA-secure scheme

• [Ateniese, Magri, Venturi ‘15]

• [Ateniese, Magri, Venturi ‘15]- Signatures

Act III: Message-Transmission

Protocols

Message-Transmission Protocols

CPA Security: An eavesdropper “cannot learn anything about the plaintext m.”

CPA Security: An eavesdropper “cannot learn anything about the plaintext m.”CCA Security: An active adversary with access to a decryption oracle “cannot learn anything about the plaintext m.”

CPA Security: An eavesdropper “cannot learn anything about the plaintext m.”CCA Security: An active adversary with access to a decryption oracle “cannot learn anything about the plaintext m.”Forward Secrecy: Security holds even if “the adversary gets access to Alice and Bob’s secret keys later.”

Classical Message-Transmission Protocols

Key Infrastructure Efficient? CCA

Secure?Forward Secret?

Symmetric-key encryption

Shared Secret Key Yes Yes No

Public-key encryption

Public-key Infrastructure No Yes No

Bob sends .Alice encrypts

under . .None No No Yes

KA + SKE None Yes No Yes

AKA + SKE Public-key Infrastructure Yes Yes Yes

All of these results hold with reverse firewalls as well!

Composition Theorem (Informal)

KA w/ Firewall +

SKE w/ Firewall =

MTP w/ Firewall

Act IV: Key Agreement

Key Agreement

Authenticated Key Agreement

First Attempt

We’ve agreed to a key without Bob!

Smarter Solution

Note: Efficiency compares well with real-world protocols, such as TLS!

Additional Issues

Additional Issues• Can a corrupt implementation use the signature

to communicate with the adversary ?

to communicate with the adversary ?- (Use unique or rerandomizable signatures as in

[AMV15].)

[AMV15].)• Can Bob have a firewall too?

- Yes!

- Yes!- (All results in [MS15] and [DMS15] have firewalls

for both parties.)

for both parties.)• Can Alice or Bob leak secrets through the protocols.

• No!

• No!• (We formalize this in the papers.)

Summary

Summary• Lots of recent news suggests that we can no longer

trust our computers when security is paramount.

trust our computers when security is paramount.• Reverse firewalls provide a framework to guarantee

security of arbitrary cryptographic primitives even on a compromised machine.

• Very strong cryptographic primitives can be instantiated in this model.

• The (arguably) most important cryptographic primitive, MTP, can be instantiated efficiently in this model.

A Lot of Work to Be Done!

A Lot of Work to Be Done!The space of all known cryptographic primitives

Studied in this context

Studied in this contextNot studied

OT, SFE [MS15]

Message transmission [DMS15]

OT, SFE [MS15]

Signatures [AMV15]

OT, SFE [MS15]

Signatures [AMV15]

OT, SFE [MS15]

Signatures [AMV15]

OT, SFE [MS15]

Signatures [AMV15]

Differential privacy

OT, SFE [MS15]

MPCYour favorite primitive!

Signatures [AMV15]

Differential privacy

Thanks!

Cryptographic Reverse Firewalls · • Kleptography and cryptovirology - Young and Yung 1996 •...

Documents

Transcript of Cryptographic Reverse Firewalls · • Kleptography and cryptovirology - Young and Yung 1996 •...

Entity Resolution: Tutorialgetoor/Tutorials/ER_ASONAM2012.pdf · Active Learning with Provable Guarantees [Bellare et al KDD 12] 1. Precision Constrained Weighted 0-1 Loss Problem

Mapping the Landscape of Operational Research in Tuberculosis Christian Lienhardt, Nita Bellare, Marcos Espinal TB Research Movement Stop TB Partnership.

CURRENT RANSOMWARE THREATS · Ransomware is formally categorized as part of the cryptovirology field, which focuses on ways in which cryptography can be used as a component of malware.

Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD

Beyond Provable Security: Verifiable IND-CCA Security of OAEPcerticrypt.gforge.inria.fr/2011.RSA.slides.pdf · Application: RSA-OAEP 1994 Bellare and Rogaway 2001 Shoup Fujisaki,

Jayesh Bellare

Copyright ©2004 Carlos Guestrin guestrin VLDB 2004 Efficient Data Acquisition in Sensor Networks Presented By Kedar Bellare (Slides adapted.

Bellare 2013 Chapter 1 Introduction

Watch your Constants: Malicious Streebog · 2017-05-02 · topic of malicious cryptography through their cryptovirology project [34]. Later Rijmen and Preneel proposed malicious versions

Comparative analysis of various ransomware virii€¦ · Cryptovirology : Extortion-based security threats and countermeasures “In this paper we present the idea of Cryptovirology,

New Proofs for NMAC and HMAC Security without …cseweb.ucsd.edu/~mihir/papers/hmac-new.pdfNew Proofs for NMAC and HMAC: Security without Collision-Resistance Mihir Bellare ⁄ June

Security Proofs for Identity-Based Identification and ...cseweb.ucsd.edu/~mihir/papers/ibi.pdf · Security Proofs for Identity-Based Identiﬂcation and Signature Schemes Mihir Bellare

A Security Framework for Privacy-preserving Data ... · (with symmetric-key encryption [Bellare et al. 1994] for privacy protection and message authentication codes [Bellare et al.

Charter of Trust - Siemens...AOHell Cryptovirology Level Seven Crew hack Denial-of-service attacks Cloudbleed sl1nk SCADA hacks Meltdown/Spectre AT&T Hack Morris Worm Melissa Worm

RANSOMWARE: WHAT YOU NEED TO KNOW NOW! · attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it. •

Research, Projects and Philosophy of Lifecseweb.ucsd.edu/~mihir/cse191/projects.pdf · Research, Projects and Philosophy of Life. 2 Mihir Bellare, UCSD Discussions with instructor

Identi cation Protocols Secure Against Reset Attackscseweb.ucsd.edu/~mihir/papers/id-reset.pdfMihir Bellare Marc Fischliny Shafi Goldwasserz Silvio Micalix April 28, 2000 Abstract

OCB: A Block-Cipher Mode of Operation for Efficient ... A Block-Cipher Mode of Operation for Eﬃcient Authenticated Encryption Phillip Rogaway ∗ Mihir Bellare † John ‡Black.

Malicious crypto - (Ab)use cryptology - oKLabs · 2013-07-24 · Cryptovirology A matter of precision A matter of time A matter of stealth Last words Malicious crypto (Ab)use cryptology

POCKET-SIZED - Black Hat | Home...Cryptovirology CryptoWall theorized CryptoDefense CBTLocker TorrentLocker CoinVault DirtyDecrypt Filecoder Cryptvault DMALock Tox 2004 GPCode 2000