in search of curveswap measuring elliptic curve
play

In search of CurveSwap: Measuring elliptic curve implementations in - PowerPoint PPT Presentation

Aug 24, 2023 •724 likes •1.28k views

In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta , Nick Sullivan , Antonio Sanso , Nadia Heninger University of Pennsylvania, Cloudflare, Adobe April 26th, 2018 1 / 19

  1. In search of CurveSwap: Measuring elliptic curve implementations in the wild Luke Valenta ∗ , Nick Sullivan † , Antonio Sanso ‡ , Nadia Heninger ∗ ∗ University of Pennsylvania, † Cloudflare, ‡ Adobe April 26th, 2018 1 / 19

  2. Elliptic Curve Diffie-Hellman (ECDH) client “Alice”, server “Bob”, eavesdropper “Eve” .

  3. Elliptic Curve Diffie-Hellman (ECDH) client “Alice”, server “Bob”, eavesdropper “Eve” b bP .

  4. Elliptic Curve Diffie-Hellman (ECDH) client “Alice”, server “Bob”, eavesdropper “Eve” a b bP aP .

  5. Elliptic Curve Diffie-Hellman (ECDH) client “Alice”, server “Bob”, eavesdropper “Eve” a b bP aP . abP = k s baP = k s CDH assumption: Given aP , bP , and , Eve should not learn k s

  6. Elliptic Curve Diffie-Hellman (ECDH) client “Alice”, server “Bob”, eavesdropper “Eve” a b bP aP . abP = k s baP = k s CDH assumption: Given aP , bP , and , Eve should not learn k s . . . but this is vulnerable to MitM attack 2 / 19

  7. Elliptic Curve Diffie-Hellman (ECDH) client “Alice”, server “Bob”, man in the middle “Mallory” a b bP bP aP aP abP = k s baP = k s 3 / 19

  8. Elliptic Curve Diffie-Hellman (ECDH) client “Alice”, server “Bob”, man in the middle “Mallory” a b b ′ P bP aP a ′ P ab ′ P = k a ba ′ P = k b 3 / 19

  9. Elliptic Curve Diffie-Hellman (ECDH) w/ authentication client “Alice”, server “Bob”, man in the middle “Mallory” a b Sign B ( bP ) Sign B ( bP ) Sign A ( aP ) Sign A ( aP ) abP = k s baP = k s

  10. Elliptic Curve Diffie-Hellman (ECDH) w/ authentication client “Alice”, server “Bob”, man in the middle “Mallory” a b Sign B ( bP ) Sign B ( bP ) Sign A ( aP ) Sign A ( aP ) MAC k s ( msgs ) MAC k s ( msgs ) abP = k s baP = k s Signatures/MAC prevent na¨ ıve MitM

  11. Elliptic Curve Diffie-Hellman (ECDH) w/ authentication client “Alice”, server “Bob”, man in the middle “Mallory” a b Sign B ( bP ) Sign B ( bP ) Sign A ( aP ) Sign A ( aP ) MAC k s ( msgs ) MAC k s ( msgs ) abP = k s baP = k s Signatures/MAC prevent na¨ ıve MitM . . . but how do Alice and Bob decide on the curve? 4 / 19

  12. Elliptic Curve Diffie-Hellman (ECDH) w/ curve negotiation client “Alice”, server “Bob”, man in the middle “Mallory” a , , , , b Sign B ( bP ), Sign B ( bP ), Sign A ( aP ) Sign A ( aP ) MAC k s ( msgs ) MAC k s ( msgs ) abP = k s baP = k s

  13. Elliptic Curve Diffie-Hellman (ECDH) w/ curve negotiation client “Alice”, server “Bob”, man in the middle “Mallory” a , , , , b Sign B ( bP ), Sign B ( bP ), Sign A ( aP ) Sign A ( aP ) MAC k s ( msgs ) MAC k s ( msgs ) abP = k s baP = k s Curve negotiation is not authenticated in TLS 1.2 5 / 19

  14. CurveSwap Nick Sullivan at 32C3 (2015): “TLS supports a ton of crazy elliptic curves” “what if you did a downgrade attack on that?” “take the supported curves, and swap it with the smallest weakest curves supported by both parties” 6 / 19

  15. CurveSwap attack client “Alice”, server “Bob”, man in the middle “Mallory”

  16. CurveSwap attack client “Alice”, server “Bob”, man in the middle “Mallory” , ,

  17. CurveSwap attack client “Alice”, server “Bob”, man in the middle “Mallory” , ,

  18. CurveSwap attack client “Alice”, server “Bob”, man in the middle “Mallory” , , b Sign B ( bP ), Sign B ( bP ),

  19. CurveSwap attack client “Alice”, server “Bob”, man in the middle “Mallory” a , , b Sign B ( bP ), Sign B ( bP ), Sign A ( aP ) Sign A ( aP )

  20. CurveSwap attack client “Alice”, server “Bob”, man in the middle “Mallory” a , , b Sign B ( bP ), Sign B ( bP ), Sign A ( aP ) Sign A ( aP ) abP = k s baP = k s k s = dlog ( aP , bP , )

  21. CurveSwap attack client “Alice”, server “Bob”, man in the middle “Mallory” a , , b Sign B ( bP ), Sign B ( bP ), Sign A ( aP ) Sign A ( aP ) MAC k s ( msgs ) MAC k s ( msgs ) abP = k s baP = k s k s = dlog ( aP , bP , ) MAC only depends on k s 7 / 19

  22. This work Evaluate feasibility of CurveSwap downgrade attack ◮ Requires breaking ECDH online for some supported curve 8 / 19

  23. This work Evaluate feasibility of CurveSwap downgrade attack ◮ Requires breaking ECDH online for some supported curve Look at ECDH in TLS, SSH, IPsec (IKE), JWE Measure elliptic curve usage in hosts and implementations 8 / 19

  24. This work Evaluate feasibility of CurveSwap downgrade attack ◮ Requires breaking ECDH online for some supported curve Look at ECDH in TLS, SSH, IPsec (IKE), JWE Measure elliptic curve usage in hosts and implementations Punch line: we find many weaknesses in elliptic curve implementations, but nobody vulnerable to CurveSwap 8 / 19

  25. Scan measurements Fast internet scanning lets us study behavior of publicly accessible hosts. 9 / 19

  26. Scan measurements Fast internet scanning lets us study behavior of publicly accessible hosts. Curve support across protocols varies widely Total ECDHE secp224r1 secp256r1 x25519 HTTPS 41.0M 28.8M 2.8% 86.9% 2.6% SSH 14.5M 7.9M 0.0% 97.8% 77.2% IKEv1 1.1M 215.4K 66.8% 98.3% 0.0% IKEv2 1.2M 101.1K 4.1% 97.1% 0.0% 9 / 19

  27. Scan measurements Fast internet scanning lets us study behavior of publicly accessible hosts. Curve support across protocols varies widely Total ECDHE secp224r1 secp256r1 x25519 HTTPS 41.0M 28.8M 2.8% 86.9% 2.6% SSH 14.5M 7.9M 0.0% 97.8% 77.2% IKEv1 1.1M 215.4K 66.8% 98.3% 0.0% IKEv2 1.2M 101.1K 4.1% 97.1% 0.0% 8.5M HTTPS servers chose secp256r1 , secp384r1 , or secp521r1 , even when not offered by the client. 9 / 19

  28. Breaking Elliptic Curve Diffie-Hellman CurveSwap requires breaking ECDH for some supported curve k s = dlog ( aP , bP , ) 10 / 19

  29. Breaking Elliptic Curve Diffie-Hellman CurveSwap requires breaking ECDH for some supported curve k s = dlog ( aP , bP , ) Known attack vectors ◮ Solve the discrete logarithm on weak curves ◮ Invalid point attacks 10 / 19

  30. Breaking Elliptic Curve Diffie-Hellman CurveSwap requires breaking ECDH for some supported curve k s = dlog ( aP , bP , ) Known attack vectors ◮ Solve the discrete logarithm on weak curves ◮ Invalid point attacks Need server to reuse key for multiple connections ◮ Common optimization to reduce server load 10 / 19

  31. Do servers reuse keys? Scanned each host on public IPv4 Internet twice in rapid succession with secp256r1 , a popular curve. 11 / 19

  32. Do servers reuse keys? Scanned each host on public IPv4 Internet twice in rapid succession with secp256r1 , a popular curve. Of the TLS hosts supporting secp256r1 : ◮ 5.5M (22%) reused keys at least once ◮ 640K (2.6%) used the same key as another host 11 / 19

  33. Solve the discrete logarithm on weak curves ECDLP: Given and bP , compute b Best known attack runs in O ( √ n ) for curve with n points 12 / 19

  34. Solve the discrete logarithm on weak curves ECDLP: Given and bP , compute b Best known attack runs in O ( √ n ) for curve with n points TLS supports a ton of weak elliptic curves ◮ secp160r1 has 80-bit security ◮ Bitcoin network computes 2 80 hashes every 11 hours 12 / 19

  35. Solve the discrete logarithm on weak curves ECDLP: Given and bP , compute b Best known attack runs in O ( √ n ) for curve with n points TLS supports a ton of weak elliptic curves ◮ secp160r1 has 80-bit security ◮ Bitcoin network computes 2 80 hashes every 11 hours Out of 4M client hellos: ◮ sampled from Cloudflare ◮ 682.6K (16.3%) support secp160r1 12 / 19

  36. Solve the discrete logarithm on weak curves ECDLP: Given and bP , compute b Best known attack runs in O ( √ n ) for curve with n points TLS supports a ton of weak elliptic curves ◮ secp160r1 has 80-bit security ◮ Bitcoin network computes 2 80 hashes every 11 hours Out of 4M client hellos: Out of 41M servers from scans: ◮ sampled from Cloudflare ◮ 276.2K (0.67%) support secp160r1 ◮ 682.6K (16.3%) support ◮ 8.1K (2.9%) also reused keys secp160r1 ◮ only 2 reused after 25 hours 12 / 19

  37. Invalid point attacks Some implementations are “curve blind” Lack the validation checks to differentiate between and 13 / 19

  38. Invalid point attacks Some implementations are “curve blind” Lack the validation checks to differentiate between and

  39. Invalid point attacks Some implementations are “curve blind” Lack the validation checks to differentiate between and

  40. Invalid point attacks Some implementations are “curve blind” Lack the validation checks to differentiate between and b bP ,

  41. Invalid point attacks Some implementations are “curve blind” Lack the validation checks to differentiate between and b bP , P on

  42. Invalid point attacks Some implementations are “curve blind” Lack the validation checks to differentiate between and b bP , P on bP = k s

  43. Invalid point attacks Some implementations are “curve blind” Lack the validation checks to differentiate between and b bP , P on MAC k s ( data ) bP = k s break (MAC k s ( data )) = ⇒ learn some bits of b

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views • 18 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views • 25 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e

Efficient Finite Field and Elliptic Curve Arithmetic Laurent Imbert CNRS, LIRMM, Universit e Montpellier 2 Summer School ECC 2011 Nancy, September 12-16, 2011 Part 2 Elliptic curve arithmetic 1/41 The two facets of an elliptic curve

606 views • 42 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views • 13 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho

DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho

DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho Petar Veselin Martin He Ivanov Tsankov Raychev Vechev Binaries with debug symbols Descriptive names for functions and variables Assembly

304 views • 29 slides
Carbon Center/Chicora/ North Oakland Grouping S T . J OSEPH M ATER D OLOROSA S T . W ENDELIN 2

Carbon Center/Chicora/ North Oakland Grouping S T . J OSEPH M ATER D OLOROSA S T . W ENDELIN 2

Carbon Center/Chicora/ North Oakland Grouping S T . J OSEPH M ATER D OLOROSA S T . W ENDELIN 2 Framing the 3 Framing the Vision We are blessed, and each of you is a part of that blessing. As we move forward, it is my hope that each member

854 views • 38 slides
Rev eview iew of of Probabilit obability Theor heory and and Random andom Proces ocesses

Rev eview iew of of Probabilit obability Theor heory and and Random andom Proces ocesses

CMPE 252A: Computer Networks Rev eview iew of of Probabilit obability Theor heory and and Random andom Proces ocesses es 1 Probability Theory A mathematical model used to quantify the likelihood of events taking place in an

197 views • 16 slides
EE 6882 Statistical Methods for Video Indexing and Analysis Fall 2004 Prof. Shih-Fu Chang

EE 6882 Statistical Methods for Video Indexing and Analysis Fall 2004 Prof. Shih-Fu Chang

EE 6882 Statistical Methods for Video Indexing and Analysis Fall 2004 Prof. Shih-Fu Chang http://www.ee.columbia.edu/~sfchang Lecture 2 Part B (9/15/04) 1 Overview: Probability A, B are events E.g., sequence of coin tossing outcome

366 views • 12 slides
Position Paper Akbar Siami Namin Mohan Sridharan Department of Computer Science Department of

Position Paper Akbar Siami Namin Mohan Sridharan Department of Computer Science Department of

Bayesian Reasoning for Software Testing Position Paper Akbar Siami Namin Mohan Sridharan Department of Computer Science Department of Computer Science Texas Tech University, USA Texas Tech University, USA akbar.namin@ttu.edu

840 views • 14 slides
Projections onto spaces of polynomials Tommaso Russo (Joint work in progress with P. Hjek)

Projections onto spaces of polynomials Tommaso Russo (Joint work in progress with P. Hjek)

Faculty of Electrical Engineering Czech Technical University in Prague Projections onto spaces of polynomials Tommaso Russo (Joint work in progress with P. Hjek) Workshop on Banach spaces and Banach lattices Madrid, Spain September 913,

718 views • 40 slides
h V oice C onversion C onversion C hallenge C h ll hallenge 2016 2016 2016 2016 The h ll

h V oice C onversion C onversion C hallenge C h ll hallenge 2016 2016 2016 2016 The h ll

The V oice h V oice C onversion C onversion C hallenge C h ll hallenge 2016 2016 2016 2016 The h ll Tomoki Toda (Nagoya U, Japan) Ling Hui Chen (USTC, China) Li H i Ch Daisuke Saito (Tokyo U, Japan) Fernando Villavicencio (NII, Japan)

354 views • 18 slides
Budget Allocation for Sequential Customer Engagement Craig Boutilier, Google Research, Mountain

Budget Allocation for Sequential Customer Engagement Craig Boutilier, Google Research, Mountain

Budget Allocation for Sequential Customer Engagement Craig Boutilier, Google Research, Mountain View (joint work with Tyler Lu) Were hiring: https://sites.google.com/site/icmlconf2016/careers 1 Sequential Models of Customer Engagement

702 views • 47 slides

More recommend