Dual EC — a standardized back door

Ruben Niederhagen

Joint work with Stephen Checkoway (1), Matthew Fredrikson (2), Matthew Green (1), Tanja Lange (3), Thomas Ristenpart (2), Daniel J. Bernstein (3, 5), Jake Maskiewicz (4), and Hovav Shacham (4). Related work: network scan by Adam Everspaugh (2).

ECC 2014, Oct. 8 2014

(1) Johns Hopkins University, (2) University of Wisconsin, (3) Technische Universiteit Eindhoven, (4) UC San Diego, (5) University of Illinois at Chicago

Random Numbers in Cryptography

Random numbers are crucial for cryptography:

  • generation of private keys for authentication,
  • generation of secret keys for encryption,
  • generation of secret nonces for digital signatures,
  • generation of ephemeral keys for perfect-forward secrecy,
  • ...

Must be impossible for an attacker to predict!

Random Numbers in Cryptography

Challenges of random number generation:

  • computers are built to be deterministic,
  • "real" randomness is rare.

Common approach:

  • use pseudo random numbers,
  • start with a random seed,
  • compute subsequent values deterministically,
    → update a secret internal state.

Random Numbers in Cryptography

A pseudo random number generator keeps a secret internal state si, advances it with a state-update function f and derives each output with an output function g:

  states:  s0 → s1 = f(s0) → s2 = f(s1) → s3 = f(s2) → s4 = f(s3) → ...
  outputs: r0 = g(s0), r1 = g(s1), r2 = g(s2), r3 = g(s3), r4 = g(s4), ...

Broken if attacker learns internal state!

Dual EC – a Standardized Back Door

Topic of this talk:

The “potential” back door in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC) standardized by ANSI, ISO, and NIST.

History of Dual EC

  • June 2004: Dual EC appears in an ANSI draft.
  • 2004: RSA makes Dual EC the default RNG in BSAFE.
  • 2005: An ISO standard is published including Dual EC.
  • Dec. 2005: A draft is released by NIST including Dual EC.
  • early 2006: Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC.
  • June 2006: NIST SP 800-90 (today SP 800-90A) is published including Dual EC, ignoring the warnings. This brings Dual EC into FIPS 140-2, the typical certification for RNGs.
  • Aug. 2007: Shumow and Ferguson demonstrate the basic back door.

Recent History of Dual EC

  • 5 Sept. 2013: NSA's "Project Bullrun" is revealed by documents from Edward Snowden, with the purpose "to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world." The New York Times writes that "the NSA had inserted a back door into a 2006 standard adopted by NIST [...] called the Dual EC DRBG standard."
  • 19 Sept. 2013: RSA advises not to use Dual EC.
  • 20 Dec. 2013: Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG.
  • 21 Apr. 2014: NIST removes Dual EC from the standard.

Authors of Dual EC

Kelsey, in December 2013 slides:

  • Standardization effort by "NIST and NSA, with some participation from CSE".
  • "Most of work on standards done by US federal employees (NIST and NSA, with some help from CSE)"
  • The standard Dual EC parameters P and Q come "ultimately from designers of Dual EC DRBG at NSA".

Attack Target — TLS

Transport Layer Security (TLS)

  • Used in the Internet for encryption of communication. Examples: e-mail transport, online banking, online shopping, ...
  • The standard covers a vast number of protocols and optional features.
  • Client and server agree on what parameters to use.
  • Client and server agree on a random secret key.

TLS Handshake

  Client                                        Server
  generate client random
      client random                 -------->
                                                generate session ID, server random, a, signature nonce
      <--------  server random, session ID, cert(pk), aP, sig
  generate b
      bP, Finished                  -------->
      <--------  Finished

Attack Target — TLS

Common TLS implementations:

  • RSA's BSAFE
      • RSA BSAFE Share for Java (BSAFE Java)
      • RSA BSAFE Share for C and C++ (BSAFE C)
    Remember: NSA paid RSA Security $10 million to use Dual EC as the default RNG!
  • Microsoft's SChannel
  • OpenSSL

All of these offer Dual EC.

Elliptic Curve Discrete Logarithm Problem

Arithmetic on Elliptic Curves

Operate on points P = (xP, yP) on an elliptic curve:

  • addition: A + B = C,
  • scalar multiplication: k·A = A + A + ··· + A (k times).

Useful in Cryptography:

It is easy to compute k·A, e.g.: B = 243·A = A + 2A + 16A + 32A + 64A + 128A. Cost: 5 additions and 7 doublings.

For given A and B, it is hard to find k such that B = k·A!

Dual EC

Parameters

Here: the elliptic curve over the finite field of the NIST prime for P-256. (NIST SP 800-90A also defines Dual EC for the curves P-384 and P-521.)

The elliptic curve is defined over F_p with p = 2^256 - 2^224 + 2^192 + 2^96 - 1. The curve is given in short Weierstrass form E : y^2 = x^3 - 3x + b, where

  b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b.

Dual EC defines two points, a base point P and a second point Q:

  Px = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
  Py = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5;
  Qx = 0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192,
  Qy = 0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046.

Dual EC — Basic Procedure

Points Q and P on an elliptic curve; the internal state starts from a 32-byte seed s0.

  s1 = x(s0·P),  r1 = x(s1·Q)  → output the low 30 bytes of r1
  s2 = x(s1·P),  r2 = x(s2·Q)  → output the low 30 bytes of r2
  s3 = x(s2·P),  r3 = x(s3·Q)  → output the low 30 bytes of r3
  s4 = x(s3·P),  ...

Each output ri is the x-coordinate of si·Q with its two top bytes dropped. Getting from an output r1 back to the state s1 means finding s1 with x(s1·Q) = r1: that is the ECDLP!

Shumow and Ferguson – the Basic Attack

Points Q and P = d·Q on an elliptic curve, with d known to the attacker.

The generator computes s1 = x(s0·P), r1 = x(s1·Q), s2 = x(s1·P), ... exactly as before, but now

  s2 = x(s1·P) = x(s1·d·Q) = x(d·s1·Q).

So from an observed output rc (30 bytes of x(sc·Q), two top bytes missing):

  • guess the two missing bytes and lift rc to a curve point Rc = (rc, y(rc)),
  • compute x(d·Rc): for the right guess Rc = ±s1·Q, so x(d·Rc) = x(s1·P) = s2, the next internal state (sc on the slide),
  • from s2 every later state and output follows.

No discrete logarithm has to be solved; knowing d is enough.

Dual EC — NIST SP800-90 in June 2006

Additional input adin is XORed into the state before a step, ti = si-1 ⊕ H(adini):

  t1 = s0 ⊕ H(adin1),  s1 = x(t1·P),  r1 = x(s1·Q)
  t2 = s1 ⊕ H(adin2),  s2 = x(t2·P),  r2 = x(s2·Q)
                       s3 = x(s2·P),  r3 = x(s3·Q)
  ...                  (the slide shows ⊕ H(adin1), ⊕ H(adin2), ⊕ H(adin4))

From an observed rc the attacker still computes x(d·Rc) = x(sc·P), but with a question mark: this is the next state only if no additional input is mixed into the next step.

Dual EC — NIST SP800-90 in March 2007

The diagram adds an extra state update at the end of every generate call: after the last output of a call the state advances once more, s ← x(s·P), and the next call starts from that value XORed with the hash of its additional input, t = s ⊕ H(adin). The slide shows the states s0 ... s5, the intermediate values t1, t2, t3, the outputs r1 ... r4, and ⊕ H(adin1), ⊕ H(adin3), ⊕ H(adin6).

From an observed rc the attacker computes sc = x(d·Rc), the state at the end of that call; the slide then marks ⊕ H(adin3): to continue, the attacker also needs the additional input of the next call.

Attack

Attack targets in our analysis:

In the real world, the attack is more complicated. We attacked:

  • RSA's BSAFE
      • RSA BSAFE Share for Java (BSAFE Java)
      • RSA BSAFE Share for C and C++ (BSAFE C)
  • Microsoft's SChannel
  • OpenSSL-fixed (the Dual EC code in OpenSSL did not work as shipped; the authors repaired it for the attack)

We replaced the points P and Q with known P = d·Q; this required some reverse engineering of BSAFE and SChannel.

Attack — Example: BSAFE-Java

The server draws, in this order, the server random, the ECDHE private key and the ECDSA signature nonce from a single Dual EC instance:

  s0 → s1 = x(s0·P) → r1 = x(s1·Q)   → server random
       s2 = x(s1·P)
       s3 = x(s2·P) → r3 = x(s3·Q)   → ECDHE private key; the ECDHE public key (priv·P) is sent to the client
       s4 = x(s3·P) → r4 = x(s4·Q)   → (ECDHE private key, continued)
       s5 = x(s4·P) → ...            → ECDSA nonce; the ECDSA signature (nonce·P) is sent to the client

Attack: take the observed rc from the server random, lift it to Rc and compute sc = x(d·Rc); re-running the generator from sc yields the ECDHE private key (checked against the public key on the wire) and the ECDSA nonce.

Average cost: 2^31·(Cv + 5·Cf).

The ECDSA nonce exposes the long-term secret key! Impersonation attack possible!
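The basic procedure, the P = d·Q trapdoor and the BSAFE-Java sequence (server random, then ECDHE private key) carried through in Python. This is an added example, not code from the talk or the paper. It uses the P-256 parameters from the "Parameters" slide, replaces Q by a self-chosen Q = e·P so that d = e^-1 mod n is known (the authors likewise replaced the points for their attack), and models the server as drawing a 32-byte server random followed by a 32-byte ECDHE private key from one generator; the exact BSAFE-Java byte layout and the cost figure above are the paper's and are not reproduced. The names (DualEC, recover_state, demo), the seed, the trapdoor e and the trunc_bytes parameter are the example's own.

```python
# Added example (not the authors' code): P-256 arithmetic, the basic Dual EC
# procedure of the slides, and Shumow-Ferguson state recovery with a known d.
# Assumption: Q is replaced by Q = e*P for a chosen e, so P = d*Q with d = e^-1 mod n;
# the "server" drawing server random then ECDHE key is a model of the BSAFE-Java slide.

p = 2**256 - 2**224 + 2**192 + 2**96 - 1
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of P
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
NIST_Q = (0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192,
          0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046)

def on_curve(A):
    return A is None or (A[1] ** 2 - (A[0] ** 3 - 3 * A[0] + b)) % p == 0

def add(A, B):
    """Affine addition on y^2 = x^3 - 3x + b; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if x1 == x2:                                    # doubling, a = -3
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add: 243*A = A + 2A + 16A + 32A + 64A + 128A, one doubling per bit."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def sqrt_mod_p(a):
    """p = 3 mod 4, so a^((p+1)/4) is a square root whenever a is a square."""
    y = pow(a % p, (p + 1) // 4, p)
    return y if y * y % p == a % p else None

class DualEC:
    """Basic procedure: s_i = x(s_{i-1} P), r_i = x(s_i Q), output r_i without its top
    trunc_bytes (2 in the standard: 30 of 32 bytes); leftover bytes of a call are discarded."""

    def __init__(self, state, Q, trunc_bytes=2):
        self.s, self.Q, self.trunc = state, Q, trunc_bytes

    def block(self):
        self.s = mul(self.s, P)[0]
        return mul(self.s, self.Q)[0].to_bytes(32, "big")[self.trunc:]

    def generate(self, nbytes):
        out = b""
        while len(out) < nbytes:
            out += self.block()
        return out[:nbytes]

def ecdhe_private_key(rng):
    """Model: the ephemeral key is the next 32 bytes of the generator, reduced mod n."""
    return int.from_bytes(rng.generate(32), "big") % n

def recover_state(server_random, ecdhe_pub, Q, d, trunc_bytes=2):
    """Shumow-Ferguson: server_random = r1 || start of r2. Guess the dropped top bytes of
    x(s1 Q), lift to R = +-s1 Q, then s2 = x(d R) = x(s1 d Q) = x(s1 P). No ECDLP solved."""
    blen = 32 - trunc_bytes
    r1, r2_prefix = int.from_bytes(server_random[:blen], "big"), server_random[blen:]
    for high in range(256 ** trunc_bytes):
        x = (high << (8 * blen)) | r1
        if x >= p:
            break
        y = sqrt_mod_p(x ** 3 - 3 * x + b)
        if y is None:
            continue                                # not the x-coordinate of a curve point
        s2 = mul(d, (x, y))[0]                      # sign of y is irrelevant: only x is used
        r2 = mul(s2, Q)[0].to_bytes(32, "big")[trunc_bytes:]
        if not r2.startswith(r2_prefix):
            continue                                # the next block must match what was seen
        if mul(ecdhe_private_key(DualEC(s2, Q, trunc_bytes)), P) == ecdhe_pub:
            return s2                               # confirmed by the public key on the wire
    return None

def demo(trunc_bytes=2):
    """Returns (server's ECDHE private key, attacker's prediction); they are equal."""
    e = int.from_bytes(b"constructed trapdoor, not a real secret", "big") % n
    d, Q = pow(e, -1, n), mul(e, P)                 # P = d*Q, d known to the attacker
    server = DualEC(int.from_bytes(b"constructed seed", "big"), Q, trunc_bytes)
    server_random = server.generate(32)             # goes into ServerHello
    priv = ecdhe_private_key(server)                # never leaves the server
    pub = mul(priv, P)                              # goes into ServerKeyExchange
    s2 = recover_state(server_random, pub, Q, d, trunc_bytes)
    return priv, ecdhe_private_key(DualEC(s2, Q, trunc_bytes))

if __name__ == "__main__":
    priv, guess = demo()                            # full 2^16 search: minutes in pure Python
    print("ECDHE private key recovered:", priv == guess)
```

Running the file performs the standard's 2^16-candidate search over the two dropped bytes, which takes a few minutes in pure Python; demo(trunc_bytes=1) drops one byte instead and finishes in about a second with the same logic. The attacker never solves a discrete logarithm: d turns the public output back into the next internal state with one scalar multiplication per candidate, and the ECDHE public key on the wire tells it which candidate is right.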

slide-96
SLIDE 96

19/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — BSAFE-C

session ID server random DHE key

slide-97
SLIDE 97

19/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — BSAFE-C

session ID server random DHE key s0

slide-98
SLIDE 98

19/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — BSAFE-C

session ID server random DHE key s0 s1 xp‚Pq

slide-99
SLIDE 99

19/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — BSAFE-C

session ID server random DHE key s0 s1 xp‚Pq r1 xp‚Qq

slide-100
SLIDE 100

19/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — BSAFE-C

session ID server random DHE key s0 s1 xp‚Pq r1 xp‚Qq

slide-101
SLIDE 101

19/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — BSAFE-C

[Diagram, built up over slides 101–122: the Dual EC state chain in BSAFE-C. States s0 → s1 → s2 → s3 → s4 → s5 are linked by x(·P); each state s_i yields an output r_i = x(·Q) (r1, r2, r4 are shown). The outputs feed the session ID, the server random and, later in the chain, the DHE (EDH) key. Attack: a candidate r_c for the truncated output is lifted to a point R, the back-door owner computes s_c = x(dR), and the candidate is confirmed ("?") against the next observed output r2 = x(·Q).]

average cost: 30 · 2^{15} (C_v + C_f)

slide-123
SLIDE 123

20/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — SChannel

[Diagram, built up over slides 123–128: the Dual EC state chain in SChannel. States s0, s1, s2, s3, s4, s5, s6 are linked by x(·P); outputs r1, r2, r4, r5 are x(·Q). The outputs feed the session ID (annotated in the slide as "%20,000"), the ECDHE private key (and via ·P the ECDHE public key), the server random, and the ECDSA nonce (and via ·P the ECDSA signature). Attack: a candidate r_c is lifted to R, s_c = x(dR) is computed and confirmed ("?") against the following outputs.]

average cost: 2^{33} (C_v + C_f) + 2^{17} (5 C_f)

slide-129
SLIDE 129

21/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — SChannel (cont.)

  • prev. connection
  • curr. connection

[Diagram, built up over slides 129–133: the SChannel chain across two connections. The previous connection uses states s_{-4}, s_{-3}, s_{-2}, s_{-1} and outputs r_{-3}, r_{-1} (server random, ECDSA nonce and, via ·P, the ECDSA signature); the current connection uses states s0, s1, s2, s3 and outputs r0, r1, r2 (session ID, ECDHE private key and, via ·P, the ECDHE public key). All state transitions are x(·P), all outputs x(·Q). Attack: a candidate r_c is lifted to R, s_c = x(dR) is computed and confirmed ("?") against the outputs of the current connection.]

average cost: 2^{31} (C_v + 4 C_f)

slide-134
SLIDE 134

22/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — OpenSSL-fixed

[Diagram, built up over slides 134–139: the Dual EC chain in OpenSSL-fixed, where additional input is mixed in. s0 → t1 = · ⊕ H(adin_1) → s1 = x(·P) → r1 = x(·Q); s1 → s2 = x(·P) → r2 = x(·Q); s3 → t4 = · ⊕ H(adin_4) → s4 → r4; s5 → t6 = · ⊕ H(adin_6) → s6 → r6; then s7, r7 and s8. The outputs feed the session ID, the server random, the ECDHE key and, via ·P, the ECDHE public key. Attack: a candidate r_c is lifted to R and x(dR) is computed and confirmed ("?"); the unknown additional inputs adin_4 and adin_6 must also be searched (the k and l terms below).]

average cost: 2^{15} (C_v + C_f) + 2^{20+k+l} (2 C_f) + 2^{13} (5 C_f)
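As an added illustration (not code from the talk or the paper) of the x(dR) step in the BSAFE-C, SChannel and OpenSSL-fixed diagrams: a toy Dual EC over a constructed curve over F_97 with a designer-chosen Q = e·P, where dropping one bit of x stands in for the 16 bits Dual EC truncates, so the back-door owner must lift a few candidate points and verify each, which is where the C_v and C_f terms in the cost formulas come from. All curve parameters, the seed 42 and the secret e are constructed values; nothing here is P-256.

```python
from math import gcd
# Toy curve y^2 = x^3 + A*x + B over F_p (constructed values; real Dual EC uses P-256).
P_MOD, A, B = 97, 2, 3
TRUNC = 1 << 6   # drop the top bit of x: toy analogue of Dual EC dropping 16 bits

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k > 0:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def point_order(pt):  # order of pt by repeated addition (fine for a toy curve)
    n, acc = 1, pt
    while acc is not None:
        acc, n = ec_add(acc, pt), n + 1
    return n

def x_of(k, pt):  # x-coordinate of k*pt; the point at infinity is mapped to 0 (toy convention)
    return (ec_mul(k, pt) or (0, 0))[0]

# Generator P of maximal order; a designer-chosen Q = e*P whose trapdoor is d = e^-1 mod N.
CURVE_PTS = [(x, y) for x in range(P_MOD) for y in range(P_MOD)
             if (y * y - x**3 - A * x - B) % P_MOD == 0]
P = max(CURVE_PTS, key=point_order)
N = point_order(P)
E = next(e for e in range(2, N) if gcd(e, N) == 1)   # designer's secret e (constructed)
Q = ec_mul(E, P)
D = pow(E, -1, N)                                    # the back door: d*Q = P

def dualec_step(s):  # next state x(s*P) and output x(s*Q) with its top bit dropped
    return x_of(s, P), x_of(s, Q) % TRUNC

def lift_candidates(r):  # curve points whose truncated x-coordinate is r (guessed top bits)
    return [pt for pt in CURVE_PTS if pt[0] % TRUNC == r]

def recover_next_state(r, following):
    """Back-door owner: s' = x(d*R) for each lift R of r, kept only if it regenerates
    the following outputs (the verification work behind C_v and C_f)."""
    for R in lift_candidates(r):
        s_guess = s = x_of(D, R)
        regenerated = []
        for _ in following:
            s, out = dualec_step(s)
            regenerated.append(out)
        if regenerated == list(following):
            return s_guess
    return None
```

With a Q whose discrete logarithm with respect to P nobody knows, no `D` exists and lifting r to R gives no shortcut to the next state; that absence, not the truncation, is what the attack depends on.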

slide-140
SLIDE 140

23/31 Ruben Niederhagen: Dual EC — a standardized back door

Attack — Attack Timings

Attack               Intel Xeon CPU                      16 × AMD CPU
                     Avg. Time (min)   # for 1 s         Tot. Time (min)
BSAFE-C v1.1         0.26              16                0.04
BSAFE-Java v1.1      641               38,500            63.96
SChannel I           619               37,100            62.97
SChannel II          1,760             106,000           182.64
OpenSSL-fixed I      0.04              3                 0.02
OpenSSL-fixed II     707               44,200            83.32
OpenSSL-fixed III    2^k · 707         2^k · 44,200      2^k · 83.32

("# for 1 s" is the number of Intel Xeon CPUs needed to finish the attack in one second.)

slide-142
SLIDE 142

24/31 Ruben Niederhagen: Dual EC — a standardized back door

NIST FOIA

Two FOIA requests by Andrew Crocker and Nate Cardozo of EFF and Matthew Stoller and Rep. Alan Grayson. Files hosted by Matt Green at https://github.com/matthewdgreen/nistfoia.

slide-143
SLIDE 143

25/31 Ruben Niederhagen: Dual EC — a standardized back door

NIST FOIA

slide-144
SLIDE 144

26/31 Ruben Niederhagen: Dual EC — a standardized back door

Draft Proposal – Extended Random

Draft for a proposed TLS extension named “Extended Random”:

§ allows the client to request up to 2^16 random bytes,
§ has a weak motivation:

The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient.

§ was co-authored by an employee of NSA.

Makes Dual EC even more vulnerable!

slide-146
SLIDE 146

27/31 Ruben Niederhagen: Dual EC — a standardized back door

Snippets from the patent application

slide-147
SLIDE 147

28/31 Ruben Niederhagen: Dual EC — a standardized back door

Snippets from the patent application

slide-148
SLIDE 148

29/31 Ruben Niederhagen: Dual EC — a standardized back door

Additional Attack Cost – Patents

Dual EC patents:

Certicom (now part of Blackberry) has patents in multiple countries on:

§ Dual EC exploitation: the use of Dual EC for key escrow, and
§ Dual EC escrow avoidance: modification to avoid key escrow.

The patent filing history also shows that:

§ Certicom knew the Dual EC back door by 2005,
§ NSA was informed of the Dual EC back door by 2005, and
§ the patent application, including examples of Dual EC exploitation, was publicly available in July 2006.

slide-150
SLIDE 150

30/31 Ruben Niederhagen: Dual EC — a standardized back door

Summary

Dual EC — a standardized back door:

§ (co-)authored by NSA,
§ may contain a back door (can neither be proven nor disproven),
§ allows the back-door owner to compute all future random outputs,
§ makes the flaw in DSS a back door that allows impersonation,
§ proven to be practical in various TLS libraries,
§ was the default RNG in RSA’s BSAFE library,
§ back door becomes even stronger with the proposed Extended Random,
§ it is not only standardized but even patented.

How to fix it?

Don’t use Dual EC!

slide-160
SLIDE 160

31/31 Ruben Niederhagen: Dual EC — a standardized back door

Summary

Additional information:

https://projectbullrun.org/dual-ec/

Questions?