The Design and Implementation of Protocol-based Hidden Key Recovery
Authors: E. Goh, D. Boneh, P. Golle, and B. Pinkas
Abstract:
We show how to add key recovery to existing security protocols such as
SSL/TLS and SSH without changing the protocol. Our key recovery
designs possess the following novel features: (1) The key recovery
channels are "unfilterable": the key recovery channels cannot be
removed without also breaking correct operation of the protocol. (2)
Protocol implementations containing our key recovery designs can
inter-operate with standard (uncompromised) protocol implementations:
the network traffic produced is indistinguishable from that
produced by legitimate protocol implementations. (3) Keys are
recovered in real time, hence most or all application data is
recovered. (4) The key recovery channels exploit protocol features,
rather than covert channels in encryption or signature algorithms.
Using these designs, we present practical key recovery attacks on the
SSL/TLS and SSH 2 protocols. We implemented the attack on SSL/TLS
using the OpenSSL library, a web browser, and a network sniffer. These
tools allow us to eavesdrop on SSL/TLS connections from the browser to
any server.
Reference:
In Proceedings of the 6th Information Security Conference 2003,
LNCS 2851, pp. 165-179, 2003.
Full paper: pdf