Stealing Secrets with SSL/TLS and SSH – Kleptographic Attacks

  • Zbigniew Gołȩbiewski
  • Mirosław Kutyłowski
  • Filip Zagórski
Conference paper

DOI: 10.1007/11935070_13

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4301)
Cite this paper as:
Gołȩbiewski Z., Kutyłowski M., Zagórski F. (2006) Stealing Secrets with SSL/TLS and SSH – Kleptographic Attacks. In: Pointcheval D., Mu Y., Chen K. (eds) Cryptology and Network Security. CANS 2006. Lecture Notes in Computer Science, vol 4301. Springer, Berlin, Heidelberg

Abstract

We present very simple kleptographic attacks on SSL/TLS and SSH protocols. They enable a party, which has slightly manipulated the code of a cryptographic library, to steal secrets of the user. According to the scenario of the kleptographic attacks the secrets can be stolen only by a party having a secret key not included in the manipulated code. The attacker needs only to record transmissions. The messages transmitted are indistinguishable from the not manipulated ones (even for somebody that knows the kleptocode inserted). Therefore, detection of infected nodes based on communication analysis is much harder than in the case of classical subliminal channels.

The problems are caused by certain design features of SSL/TLS and SSH protocols that make them vulnerable for a kleptographic attack. We propose changes of these protocols that make them immune against this threat while all previous security features remain preserved.

Keywords

kleptography SSL TLS SSH 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Zbigniew Gołȩbiewski
    • 1
  • Mirosław Kutyłowski
    • 1
  • Filip Zagórski
    • 1
  1. 1.Institute of Mathematics and Computer ScienceWrocław University of Technology 

Personalised recommendations