Abstract
We present very simple kleptographic attacks on SSL/TLS and SSH protocols. They enable a party, which has slightly manipulated the code of a cryptographic library, to steal secrets of the user. According to the scenario of the kleptographic attacks the secrets can be stolen only by a party having a secret key not included in the manipulated code. The attacker needs only to record transmissions. The messages transmitted are indistinguishable from the not manipulated ones (even for somebody that knows the kleptocode inserted). Therefore, detection of infected nodes based on communication analysis is much harder than in the case of classical subliminal channels.
The problems are caused by certain design features of SSL/TLS and SSH protocols that make them vulnerable for a kleptographic attack. We propose changes of these protocols that make them immune against this threat while all previous security features remain preserved.
Partially supported by Polish Committee for Scientific Research grant 3 T11C 011 26.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Allen, C., Dierks, T.: The TLS Protocol. Version 1.0. Informational RFC 2246, IETF, Network Working Group (1999)
Chaum, D.: Secret-ballot receipts: True voter-verifiable elections. IEEE Security and Privacy Magazine 2(1), 38–47 (2004)
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol. Version 1.1. Informational RFC 4346, IETF, Network Working Group (2006)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976), http://www.cs.purdue.edu/homes/ninghui/courses/Fall04/lectures/diffie-hellman.pdf
Gogolewski, M., Klonowski, M., Kubiak, P., Kutyłowski, M., Lauks, A., Zagórski, F.: Kleptographic attacks on e-voting schemes. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 494–508. Springer, Heidelberg (2006)
Gogolewski, M., Klonowski, M., Kubiak, P., Kutyłowski, M., Lauks, A., Zagórski, F.: Kleptographic attacks on e-voting schemes. In: Proc. of the Workshop on Electronic Voting and e-Government in the UK, February 27-28, pp. 49–57. e-Science Institute, Edinburgh (2006)
Goh, E.-J., Boneh, D., Pinkas, B., Golle, P.: The design and implementation of protocol-based hidden key recovery. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 165–179. Springer, Heidelberg (2003)
Kucner, D., Kutyłowski, M.: Stochastic kleptography detection. In: Proceedings of the International Conference. Stefan Banach International Mathematical Center, 2000, pp. 137–149. Walter de Gruyter & Co., Berlin (2001)
Kucner, D., Kutyłowski, M.: How to use un-trusty cryptographic devices. Tatra Mountains Mathematical Publications 29, 57–67 (2004)
Ylonen, T.: The Secure Shell (SSH) Transport Layer Protocol. Informational RFC 4253, IETF, Network Working Group (2006)
Young, A., Yung, M.: The dark side of ”black-box” cryptography, or: Should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996)
Young, A., Yung, M.: Kleptography: Using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997)
Young, A., Yung, M.: Bandwidth-optimal kleptographic attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 235–250. Springer, Heidelberg (2001)
Young, A., Yung, M.: Malicious cryptography: Kleptographic aspects. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 7–18. Springer, Heidelberg (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gołȩbiewski, Z., Kutyłowski, M., Zagórski, F. (2006). Stealing Secrets with SSL/TLS and SSH – Kleptographic Attacks. In: Pointcheval, D., Mu, Y., Chen, K. (eds) Cryptology and Network Security. CANS 2006. Lecture Notes in Computer Science, vol 4301. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11935070_13
Download citation
DOI: https://doi.org/10.1007/11935070_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-49462-1
Online ISBN: 978-3-540-49463-8
eBook Packages: Computer ScienceComputer Science (R0)