Enterprise Services
Showing results for 
Search instead for 
Do you mean 

Kleptography: The dark side of cryptography

Grantby ‎02-03-2014 12:30 PM - edited ‎09-30-2015 07:01 AM



By Ed Reynolds, HP Fellow, HP Enterprise Security Services


Have you ever heard of kleptography? I hadn’t until recently, and here’s why you need to know. Kleptography is the study of stealing information securely and subliminally. Using this technique, state-sponsored groups or cyber criminals could embed back doors using mathematical tricks into cryptographic black boxes. This would enable them to steal encrypted files leaving no trace—the perfect cyber crime.


Email-2-642x301.jpgTo pull this off, a cryptographic back door would be embedded during manufacturing of the cryptosystem. If successful, an attacker would gain access to the private key without drawing attention. The generated public keys would not appear conspicuous, nor would any unexpected communication or errors arise while using the cryptographic functionality. Everything would appear to be working normally.


The high-tech bandits would need cryptographic expertise and access to the black box manufacturer, as the implantation of the back doors must be done before the equipment leaves the factory. How could this be done? Think of the thousands of mathematical whizzes graduating every year from universities around the world. A state sponsor or criminal gang offering enough money to a newly minted grad could get him to function as a cryptographic mole. (They might even try to entice a seasoned pro.) Working for the manufacturer, the mole could embed a back door undetected.


Given the degree of difficulty of such a caper, the odds of this impacting any given business may seem low. But as more data moves to the cloud requiring encryption, cyber spies and thieves may well move with it—trying out new schemes to break into “secure” systems. With the consequences of a kleptographic breach so high, IT executives should have the concept on their radar screens. Enterprises with the most to lose—governments, defense contractors, financial services, and any company depending on IP for their livelihood—should certainly take this threat seriously.


Taking action

There are sensible steps that black box users can take to reduce risk. For example, the European Union requires that security-related industrial hardware must be independently evaluated in two different EU states to achieve high transparency in production. Black boxes that are independently verified would provide a "Good Housekeeping"-type of assurance that the systems are free of kleptographic back doors.


Researchers are also looking for ways to reduce the possibility of the implementation of cryptographic back doors in black box products. According to security experts Bernhard Esslinger and Patrick Vacek, "another logical idea is to eliminate all possible subliminal channels … [by having] random numbers built into a sort of authentication protocol."


“Another technique was introduced in 2002 in which a third party can verify the RSA key generation process,” Esslinger and Vacek report. “This process is a type of distributed key generation, in which the private key is only known to the black box, thus safeguarding that the key generation was not manipulated and the key cannot be revealed through a kleptographic attack.”


Esslinger and Vacek conclude that, “in situations that demand the highest security, the expense of implementing countermeasures against kleptography are probably already worth the cost.”


I’d say that’s sound advice.


For more on enterprise security, watch my webcast, Security 2020: What’s next?  And join me to continue the conversation in the HP Innovation Insight LinkedIn group.


Note: The quotes from Esslinger and Vacek are from an article posted in infosecurity magazine. You can read the article in full here.


Reynolds.pngAbout the author

Ed Reynolds is an HP Fellow and a chief technologist for HP Enterprise Security Services. Ed’s focus is on security strategy and innovation. He leads initiatives addressing enterprise cloud security and information-centric security.

0 Kudos
About the Author


I've devoted more than a decade to writing about technology products, solutions and services.

Nov 29 - Dec 1
Discover 2016 London
Learn how to thrive in a world of digital transformation at our biggest event of the year, Discover 2016 London, November 29 - December 1.
Read more
Each Month in 2016
Software Expert Days - 2016
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all