Backdoors matemáticos em algoritmos de criptografia

Costumávamos confiar em algoritmos de criptografia modernos. No entanto, eles estão realmente protegendo nossos dados com segurança? Vamos dar uma olhada no conceito de backdoor matemático, o que é e como funciona.

---

Introdução

. , - .

, , , , , .

1. Apple

   
   
   
   
   

2. Telegram

   
   
   
   
   

, . , , .

, .

Inspiration

Black Hat 2017 . .

?

, . , . , , , . , , . .

.

, :

1. 
   
   
   
   

2. 
   
   
   
   

. . ,  - .     . ,   . , - . . .

. :   ( ) . .

, , , , , () . SSH. « », . «», « » .

.

, , .

, :

• 
  
  
  
  

• 
  
  
  
  

• « »

  
  
  
  
  

, : , , , . , - , 64‒256 .

, , , . , , .

   (    ).   .

, . , , . , . , , .

.

, . , AES, . - , Backdoored Encryption Algorithm 1, BEA-1 . , .

, . , «implementation backdoors», . , , , «» .

Recent years have shown that more than ever governments and intelligence agencies try to control and bypass the cryptographic means used for the protection of data. Backdooring encryption algorithms is considered as the best way to enforce cryptographic control. Until now, only implementation backdoors (at the protocol, implementation or management level) are generally considered.

, . , .

In this paper we propose to address the most critical issue of backdoors: mathematical backdoors or by-design backdoors, which are put directly at the mathematical design of the encryption algorithm. While the algorithm may be totally public, proving that there is a backdoor, identifying it and exploiting it, may be an intractable problem.

, :

• 
  
  
  
  

• 
  
  
  
  

•  — , , , ,

  
  
  
  
  

•  — , , ,

  
  
  
  
  

•  — , , ,

  
  
  
  
  

•  — - , .

  
  
  
  
  

. BEA-1, , , .

Considering a particular family (among all the possible ones), we present BEA-1, a block cipher algorithm which is similar to the AES and which contains a mathematical backdoor enabling an operational and effective cryptanalysis. The BEA-1 algorithm (80-bit block size, 120-bit key, 11 rounds) is designed to resist to linear and differential cryptanalyses.

, — , , .

. / , K. K. .

, , . .

, , , ( ), . .

. , DUAL_EC_DRBG - , TLS - («implementation backdoos»).

DUAL_EC_DRBG

DUAL_EC_DRBG -         NIST  2006 . 2007 , . .

DUAL_EC_DRBG .

A concrete example is the pseudorandom number generator Dual_EC_DBRG  designed by NSA, whose backdoor was revealed by Edward Snowden in 2013 and also in some research works.

TLS Apple

 TLS   Apple. , , - .

static DSStatus SSLVerifySignedServerKeyExchnge(....)
{
     DSStatus err;
     ....
     if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
          goto fail;
          goto fail;
     if ((SSHashSHA1.final(&hashCtx, &hashOut)) != 0)
          goto fail;
     ....
     fail:
          ....
          return err;
}
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

,  if   goto fail, ,  if. . , , .  "Man-in-the-middle", . , , , . , , - .

, , .

BEA-1?

, , , . - . . , , Substitution-Permutation Networks, .

SP - , S-, P- XOR . S-, P-. , P- . , , , . , S P .

SP- , (. substitution stage) (. permutation stage). , S P . ( ). , P .

S-, . S-, P-. S- . , . S- , . S- , . S- .

P- — : S-, S- . P- S- S- . , P- - , , .

, . ,

, , . . , - . " ".

, S P ( ) . , . .

, : , :

• S-

  
  
  
  
  

• P-

  
  
  
  
  

• XOR

  
  
  
  
  

P-, .

, . , . , . , S- .

, S-, . . , .

BEA-1

, BEA-1, SP .

:

• 80

  
  
  
  
  

• 120 , , ExpandKey,

  
  
  
  
  

• 11 , 10 , . , 12 80-

  
  
  
  
  

The encryption consists in applying eleven times a simple keyed operation called /round function/to the data block. A different 80-bit round key is used for each iteration of the round function. Since the last round is slightly different and uses two round keys, the encryption requires twelve 80-bit round keys. These round keys are derived from the 120-bit master key using an algorithm called key schedule

!

Fig. 2. P- M

BEA-1, « » . , , 80 , ( ) 2^80.

Consequently, a differential cryptanalysis of the 10-round version of our cipher would require at least 2^117 chosen plaintext/ciphertext pairs and a linear cryptanalysis would require 2^100 known plaintext/ciphertext pairs.

, .

S-

BEA-1 «Secret S-boxes», S-. S- , .

, S- S-, . . , S- , S- . , .

, BEA-1 S0, S1, S2 S- 944 ( 1024, 10 ) S3 925 ( 1024)

, S- S-, .

( , ). BEA-1 30.000 , (2 × 300 Kb) , 10 intel Core i7, 4 cores, 2.50GHz.

, , . S P . . , , . , DES «» IBM.

AES, Apple . . Backdoored Encryption Algorithm 1 Rijndael, AES. , S- AES, Rijandel.

AES DES, . , 1970 S- . .

1990 — . S-. S- DES , . , 1970- . . , 1990 .

The best historic example is that of the differential cryptanalysis. Following Biham and Shamir’s seminal work in 1991, NSA acknowledged that it was aware of that cryptanalysis years ago Most of experts estimate that it was nearly 20 years ahead. However a number of non public, commercial block ciphers in the early 90s might have been be weak with respect to differential cryptanalysis.

. , 34.12-2018. , S- , . S- : , .

. @pelbyl . , " S-", . , , . " S-", , , . , . , - S- AES. , .

, , , (1.3M USD). .

iPhone 5C iOS 9, A6. 10 . Secure Enclave. . .  — 80 . , .

. iOS   2014 . . , . , , . «, », front door. . .    .

-. iPhone 5C . Apple . 16    , .

2020 Pangu Secure Enclave. Jailbreak-.

Apple ( ).

, Apple . iPhone 5c c -. , , , .

?

: , , , , . , , , - . , S-.

, « ». , , , . , , .

, - . , , . , , , , .

Não posso deixá-los sozinhos com a crescente paranóia e ansiedade, pois, mesmo supondo que todos os algoritmos de criptografia disponíveis estejam comprometidos, ainda existe a possibilidade de estabelecer uma troca segura de informações, todo um artigo científico é mesmo dedicado a isso . Se você quiser sentir a atmosfera de busca de vulnerabilidades em algoritmos de criptografia existentes, aconselho a ler este artigo inspirador .