Subliminal Channels in DSA protocol

Liviu Itoaf

Military Technical Academy

Introduction
Kleptography
Usage of subliminal channels
Trojans; viruses; backdoored cryptographic algorithms
Spying; tracking documents; tracking digital money
Historical necessities and motivation
Gus Simmons - The History of subliminal channels, 1998
Is it a bad thing?
Subliminal channel is not a covert channel
Time-line analysis: quality or defect of DSA?

Cryptographic context
Prisoners' dilemma (1984)
translated to an Alice-Bob problem

Correctness:
channel can be made public
Subliminal channel usage can't even be detected

Application overview
Exploit broad- and narrowband channel
OpenSSL 0.9.8r
Applications:
Watermarking, leaking keys, spy networks, marking and tracking digital documents

Integration with Unix shell or Windows batch mode
redirect/format input/output (signatures)
verifications
statistics
other scenarios

Brief DSA description

Proposed by NIST in 1991 as DSS, described in FIPS 186-3 (1999)

The signature of the message m is the pair (r, s), where:

r = (g^k mod p) mod q, k random, 0 < k < q
s = k^(-1) (H(m) + x*r) mod q
p: 1024-bit prime number, q: 160-bit prime number
g = h^((p-1)/q) mod p, h random, 1 < h < p-1

Private key: x, p, q (x random, 0 < x < q)
Public key: y = g^x mod p

Broadband channel
The simplest one: hide 160 bit message in random k
Both communicators must know both private keys
Generate keys
$ ./crypto.exe --gen-keys
Sign
$ ./crypto.exe --sign-with-msg file prv_key.pem
Verify signature
$ openssl dgst -dss1 -verify pub_key.pem -signature file.sig < file
Extract message
$ ./crypto.exe --get-msg file file.sig prv_key.pem

Narrowband channel
Eliminates impersonation issue
Idea:
prime number p sharing
Set k so that r is quadratic residue modulo p

Efficient hardware implementation
short undiscoverable leaks

Signing:
$ ./crypto.exe --sign-with-leak file prv_key.pem

Optimized quadratic residue algorithms

Application description
2 parts: Broadband channel and 14-bit narrowband
OpenSSL: pem, bn, and evp APIs
Build: on Linux and Windows (Cygwin)
With static libcrypto.a or ssleay32.dll
SSL rebuilt for debugging symbols

C source code: open on Google Code

Features and limitations

Features:
Shell based integration with applications and scripts
Automation, crafting input, post-checks

Limitations:
Risks for k not random or in narrow interval
Extract private key x
OpenSSL bug on Debian
OTP solution

Secure (C) coding practices
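
Added example, not part of the original slides or the author's C tool: a Python sketch of the broadband channel described earlier and of the k-related risk listed under Limitations. The toy parameters (p = 7879, q = 101), the SHA-1-mod-q digest and all function names are assumptions made for illustration; the hidden value is simply a number below q.

```python
import hashlib

# Toy DSA domain parameters, constructed for illustration (far too small for real use).
Q = 101                # prime q
P = 7879               # prime p with p - 1 = 78 * q

def make_generator(p, q):
    """g = h^((p-1)/q) mod p for the first h that gives g != 1 (so g has order q)."""
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g
    raise ValueError("no generator found")

G = make_generator(P, Q)

def digest(msg):
    """H(m): SHA-1 reduced mod q (toy-sized q)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q

def sign(msg, x, k):
    """Ordinary DSA signing, except that the caller chooses k (the hidden value)."""
    if not 0 < k < Q:
        raise ValueError("k must satisfy 0 < k < q")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (digest(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature for this k")
    return r, s

def verify(msg, sig, y):
    """Standard DSA verification; it cannot tell whether k carried a message."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, digest(msg) * w % Q, P) * pow(y, r * w % Q, P) % P
    return v % Q == r

def recover_k(msg, sig, x):
    """Receiver who knows x solves s = k^-1 (H(m) + x*r) mod q for k."""
    r, s = sig
    return pow(s, -1, Q) * (digest(msg) + x * r) % Q

def recover_x(msg, sig, k):
    """Anyone who learns or guesses k gets the key: x = (s*k - H(m)) * r^-1 mod q."""
    r, s = sig
    return (s * k - digest(msg)) * pow(r, -1, Q) % Q
```

The signature passes the normal verify() check whatever k was chosen, so a verifier sees nothing unusual, while recover_x() shows that k is as sensitive as the private key itself and must stay unpredictable and undisclosed.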

Use cases [1]

Get input from another file
$ ./crypto.exe --sign-with-msg usage.pdf my_prv_key.pem 1234 < usage.lyx

Pipe text from application
$ echo "hidden msg" | ./crypto.exe --sign-with-msg usage.pdf my_prv_key.pem 1234

Hide whole binary (text) files
Annexed bash script
Use a cover directory with plausible content

Use cases [2]

OTP
Script to code subliminal message with OTP, before embedding, in appendix
Generated in bash with /dev/urandom
environmental noise; entropy pool

In Windows, same functionality achieved with ksecdd.sys module
FipsGenRandom (FIPS 186-2)

Imperceptible digital watermarking
Embed public key signature

Future work
Subliminal channels in visual cryptography
Automatic checks for OpenSSL upgrades/vulnerabilities
Minimize detection with a low rate of secret message
Use improved quadratic residue algorithm
Store generated keys in software containers (PKCS #12)
Source code verifications:
Leaks; keys in memory; core files
Randomness for k parameter (achieved through scripts)

Conclusions
Application can be used as a good starting point
If used correctly, the subliminal channels in DSA are completely stealthy
Schemes exist for preventing subliminal channels
Ideas by Yvo Desmedt and Gus Simmons
Raise awareness (information theft)
"In some ways, cryptography is like pharmaceuticals. Its integrity may be absolutely crucial. Bad penicillin looks the same as good penicillin" - Philip Zimmermann

References
Xianfeng Zhao, Ning Li - Reversible Watermarking with Subliminal Channel
Tzung-Her Chen - A Novel Subliminal Channel Found in Visual Cryptography and Its Application to Image Hiding
Gustavus J. Simmons - The history of subliminal channels, IEEE Journal (1998)
Yvo Desmedt - Abuses in Cryptography and How to Fight Them
http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almostwas/
Bruce Schneier - Applied Cryptography, 2nd edition, Wiley 1996

Happy signing!
