
Kleptography: The dark side of cryptography

Posted by Grantby, 02-03-2014 12:30 PM (edited 09-30-2015 07:01 AM)



By Ed Reynolds, HP Fellow, HP Enterprise Security Services


Have you ever heard of kleptography? I hadn’t until recently, and here’s why you need to know. Kleptography, a term coined by the cryptographers Adam Young and Moti Yung, is the study of stealing information securely and subliminally. Using it, a state-sponsored group or a criminal gang could build a mathematical back door into a cryptographic black box (a smart card, a hardware security module, a closed-source crypto library) so that the keys the box generates leak to the attacker through the keys themselves. With the victim’s private key in hand, the attacker could read encrypted files or forge signatures while leaving no trace—the perfect cyber crime.


To pull this off, the back door would be embedded during manufacture of the cryptosystem, typically inside its key-generation routine. If successful, the attacker could recover the private key from nothing more than the public key, because the generator has hidden an enciphered copy of the private key’s secret (for RSA, one of the two prime factors) inside the public key, enciphered so that only the attacker can read it. The generated public keys would not appear conspicuous, nor would any unexpected communication or errors arise while using the cryptographic functionality. Everything would appear to be working normally.
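To make the mechanism concrete, here is an added Python model of the classic kleptographic trick for RSA, in the spirit of Young and Yung’s SETUP attack. It is illustration written for this page, not code from the original post, from HP, or from Esslinger and Vacek. The key generator hides an enciphered copy of one prime factor p in the upper bits of the public modulus n, and the attacker recovers p, and hence the whole private key, from n alone. The 256-bit prime size, the shared secret, and the hash-derived XOR pad used as the “encryption” are assumptions chosen to keep the example short; a real SETUP enciphers the leak under the attacker’s public key, so that even someone who extracts the box’s firmware cannot use the back door.

```python
import hashlib
import math
import secrets

# Toy RSA parameters: 256-bit primes (a 512-bit n) keep the demo fast.
# Real keys use 1024-bit primes or larger; the trick is identical.
K = 256
E = 65537


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit set)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def next_prime(n):
    """Smallest prime >= n, for n > 2."""
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n


def leak_pad(attacker_secret, bits=K):
    """Keystream derived from the attacker's secret (assumed shared secret).
    XOR-ing p with it is our stand-in for encrypting the leak; the real
    SETUP uses the attacker's public key here instead."""
    stream, ctr = b"", 0
    while len(stream) * 8 < bits:
        stream += hashlib.sha256(attacker_secret + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(stream, "big") >> (len(stream) * 8 - bits)


def honest_keygen():
    """Ordinary RSA key generation: two independent random primes."""
    while True:
        p, q = random_prime(K), random_prime(K)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p, q, p * q


def backdoored_keygen(attacker_secret):
    """Same interface and same-looking output as honest_keygen, but the top
    K bits of n equal (p XOR pad) plus a small non-negative offset."""
    pad = leak_pad(attacker_secret)
    while True:
        p = random_prime(K)
        hidden = p ^ pad
        if hidden >> (K - 1) == 0:
            continue  # keep n a full 2K bits, exactly as an honest key is
        # Aim n at (hidden || 111...1), then step q up to the next prime.
        # p*q0 lies within p of the target, so n >> K is hidden plus an
        # offset no larger than the prime gap we stepped over.
        target = (hidden << K) | ((1 << K) - 1)
        q = next_prime(target // p)
        n = p * q
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return p, q, n


def attacker_recover(n, attacker_secret, max_offset=1 << 16):
    """From the public modulus and the secret alone, recover (p, q) or None."""
    pad = leak_pad(attacker_secret)
    top = n >> K
    for offset in range(max_offset):
        cand = (top - offset) ^ pad
        if cand > 1 and n % cand == 0:
            return cand, n // cand
    return None


def private_exponent(p, q):
    """RSA private exponent d for public exponent E."""
    return pow(E, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    secret = b"attacker's embedded secret"  # constructed for the demo
    p, q, n = backdoored_keygen(secret)
    print("backdoored n:", n.bit_length(), "bits; honest n:",
          honest_keygen()[2].bit_length(), "bits")
    p2, q2 = attacker_recover(n, secret)
    d = private_exponent(p2, q2)
    m = 0xC0FFEE
    assert pow(pow(m, E, n), d, n) == m
    print("attacker rebuilt a working private key from n alone")
```

Nothing about the backdoored modulus betrays it: both keys are full-size products of two primes, the private key works normally, and a test suite exercising the box would pass, which is why output testing cannot catch this class of back door. Only the holder of the secret, scanning a small window of n’s top bits, gets p back; without the secret the same scan returns nothing.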


The high-tech bandits would need cryptographic expertise and access to the black box manufacturer, as the implantation of the back doors must be done before the equipment leaves the factory. How could this be done? Think of the thousands of mathematical whizzes graduating every year from universities around the world. A state sponsor or criminal gang offering enough money to a newly minted grad could get him to function as a cryptographic mole. (They might even try to entice a seasoned pro.) Working for the manufacturer, the mole could embed a back door undetected.


Given the degree of difficulty of such a caper, the odds of this impacting any given business may seem low. But as more data moves to the cloud requiring encryption, cyber spies and thieves may well move with it—trying out new schemes to break into “secure” systems. With the consequences of a kleptographic breach so high, IT executives should have the concept on their radar screens. Enterprises with the most to lose—governments, defense contractors, financial services, and any company depending on IP for their livelihood—should certainly take this threat seriously.


Taking action

There are sensible steps that black box users can take to reduce risk, starting with independent evaluation. For example, the European Union requires that security-related industrial hardware be independently evaluated in two different EU states to achieve high transparency in production. Black boxes that have been independently verified, with the evaluator examining how the device generates its keys and random numbers rather than merely testing its outputs, would provide a "Good Housekeeping"-type of assurance that the systems are free of kleptographic back doors. Output testing alone is not enough: a kleptographic back door is designed so that its keys are indistinguishable from an honest device’s.


Researchers are also looking for ways to make cryptographic back doors harder to implement in black box products. According to security experts Bernhard Esslinger and Patrick Vacek, "another logical idea is to eliminate all possible subliminal channels … [by having] random numbers built into a sort of authentication protocol."


“Another technique was introduced in 2002 in which a third party can verify the RSA key generation process,” Esslinger and Vacek report. “This process is a type of distributed key generation, in which the private key is only known to the black box, thus safeguarding that the key generation was not manipulated and the key cannot be revealed through a kleptographic attack.”


Esslinger and Vacek conclude that, “in situations that demand the highest security, the expense of implementing countermeasures against kleptography [is] probably already worth the cost.”


I’d say that’s sound advice.


For more on enterprise security, watch my webcast, Security 2020: What’s next? And join me to continue the conversation in the HP Innovation Insight LinkedIn group.


Note: The quotes from Esslinger and Vacek are from an article posted in infosecurity magazine. You can read the article in full here.


About the author

Ed Reynolds is an HP Fellow and a chief technologist for HP Enterprise Security Services. Ed’s focus is on security strategy and innovation. He leads initiatives addressing enterprise cloud security and information-centric security.
