The Design and Implementation of Protocol-Based Hidden Key Recovery

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2851)


We show how to add key recovery to existing security protocols such as SSL/TLS and SSH without changing the protocol. Our key recovery designs possess the following novel features: (1) The Key recovery channels are “unfilterable” — the key recovery channels cannot be removed without also breaking correct operation of the protocol. (2) Protocol implementations containing our key recovery designs can inter-operate with standard (uncompromised) protocol implementations — the network traffic produced is indistinguishable from that produced by legitimate protocol implementations. (3) Keys are recovered in real time, hence most or all application data is recovered. (4) The key recovery channels exploit protocol features, rather than covert channels in encryption or signature algorithms.

Using these designs, we present practical key recovery attacks on the SSL/TLS and SSH 2 protocols. We implemented the attack on SSL/TLS using the OpenSSL library, a web browser, and a network sniffer. These tools allow us to eavesdrop on SSL/TLS connections from the browser to any server.


Block Cipher Security Protocol Covert Channel Transport Layer Security Handshake Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)Google Scholar
  2. 2.
    Blaze, M.: Protocol failure in the escrowed encryption standard. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security, Nov. 1994, pp. 59–67. ACM Press, New York (1994)CrossRefGoogle Scholar
  3. 3.
    Canetti, R., Ostrovsky, R.: Secure computation with honest-looking parties: What if nobody is truly honest? In: Proceedings of the 31st Symposium on Theory of Computing, May 1999, pp. 255–264. ACM Press, New York (1999)Google Scholar
  4. 4.
    Denning, D.: Descriptions of key escrow systems. Technical report, Georgetown University (February 1997),
  5. 5.
    Denning, D., Smid, M.: Key escrowing today. IEEE Communications 32(9), 58–68 (1994)CrossRefGoogle Scholar
  6. 6.
    Desmedt, Y.: Abuses in cryptography and how to fight them. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 375–389. Springer, Heidelberg (1988)Google Scholar
  7. 7.
    Desmedt, Y., Goutier, C., Bengio, S.: Special uses and abuses of the Fiat- Shamir passport protocol. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 21–39. Springer, Heidelberg (1987)Google Scholar
  8. 8.
    Dierks, T., Allen, C.: The TLS protocol. RFC 2246 (January 1999)Google Scholar
  9. 9.
    FBI. Carnivore diagnostic tool.
  10. 10.
    Freier, A., Karlton, P., Kocher, P.: The SSL protocol version 3.0 (November 1996),
  11. 11.
    Ito, A.: w3m: text based browser,
  12. 12.
    Kilian, J., Leighton, T.: Fair cryptosystems, revisited: A rigorous approach to key-escrow. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 208–221. Springer, Heidelberg (1995)Google Scholar
  13. 13.
    Kim, G.H., Spafford, E.H.: The design and implementation of Tripwire: A file system integrity checker. In: Proceedings of the 2nd ACM Conference on Computer and Communications Security, pp. 18–29. ACM Press, New York (1994)CrossRefGoogle Scholar
  14. 14.
    Lampson, B.: A note on the confinement problem. Communications of the ACM 16(10), 613–615 (1973)CrossRefGoogle Scholar
  15. 15.
    Menezes, A.J., Vanstone, S.A.: Elliptic curve cryptosystems and their implementations. Journal of Cryptology 6(4), 209–224 (1993)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    National Institute of Standards and Technology. Security requirements for cryptographic modules. FIPS 140-2, NIST (June 2001),
  17. 17.
    OpenSSL Project,
  18. 18.
    Rescorla, E.: ssldump version 0.9b2,
  19. 19.
    Scott, M.: MIRACL - Multiprecision Integer and Rational Arithmetic C/C++ Library v. 4.6,
  20. 20.
  21. 21.
    Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Chaum, D. (ed.) Proceedings of Crypto 1983, August 1983, pp. 51–67. Plenum Press, New York (1983)Google Scholar
  22. 22.
    Simmons, G.J.: The subliminal channel and digital signatures. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 364–378. Springer, Heidelberg (1984)CrossRefGoogle Scholar
  23. 23.
    Young, A., Yung, M.: The dark side of “black-box” cryptography, or: Should we trust Capstone. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996)Google Scholar
  24. 24.
    Young, A., Yung, M.: Kleptography: Using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. 1.Stanford UniversityUSA
  2. 2.HP LabsUSA

Personalised recommendations