In search of CurveSwap: Measuring elliptic curve implementations in the wild - PowerPoint PPT Presentation

SLIDE 1

In search of CurveSwap: Measuring elliptic curve implementations in the wild

Luke Valenta∗, Nick Sullivan†, Antonio Sanso‡, Nadia Heninger∗

∗University of Pennsylvania, †Cloudflare, ‡Adobe

April 26th, 2018

1 / 19

SLIDE 6

Elliptic Curve Diffie-Hellman (ECDH)

client “Alice”, server “Bob”, eavesdropper “Eve”

Diagram: Bob picks b and sends bP; Alice picks a and sends aP. Alice computes abP = ks and Bob computes baP = ks.

CDH assumption: Given aP, bP, and [curve], Eve should not learn ks

. . . but this is vulnerable to MitM attack

2 / 19

SLIDE 8

Elliptic Curve Diffie-Hellman (ECDH)

client “Alice”, server “Bob”, man in the middle “Mallory”

Diagram: Bob sends bP, but Mallory replaces it with b′P; Alice sends aP, but Mallory replaces it with a′P. Alice computes ab′P = ka and Bob computes ba′P = kb, so each side now shares a key with Mallory rather than the common ks.

3 / 19

SLIDE 11

Elliptic Curve Diffie-Hellman (ECDH) w/ authentication

client “Alice”, server “Bob”, man in the middle “Mallory”

Diagram: Bob sends SignB(bP) and Alice sends SignA(aP); Mallory can only relay them. Both compute abP = baP = ks and exchange MACks(msgs).

Signatures/MAC prevent naïve MitM

. . . but how do Alice and Bob decide on the curve?

4 / 19

SLIDE 13

Elliptic Curve Diffie-Hellman (ECDH) w/ curve negotiation

client “Alice”, server “Bob”, man in the middle “Mallory”

Diagram: Alice sends her list of supported curves [curve, curve, . . .]; Bob replies with SignB(bP) and his chosen [curve]; Alice sends SignA(aP). Both compute abP = baP = ks and exchange MACks(msgs).

Curve negotiation is not authenticated in TLS 1.2

5 / 19

SLIDE 14

CurveSwap

Nick Sullivan at 32C3 (2015):

“TLS supports a ton of crazy elliptic curves”

“what if you did a downgrade attack on that?”

“take the supported curves, and swap it with the smallest weakest curves supported by both parties”

6 / 19

SLIDE 21

CurveSwap attack

client “Alice”, server “Bob”, man in the middle “Mallory”

Diagram: Alice sends her list of supported curves; Mallory replaces it with a list holding only the weakest curve both parties support. Bob replies with SignB(bP) and the chosen [weak curve], Alice sends SignA(aP), and both compute abP = baP = ks on that curve. Mallory computes ks = dlog(aP, bP, [weak curve]) while Alice and Bob exchange MACks(msgs).

MAC only depends on ks, so once Mallory has ks she can produce a valid MAC for each side even though their views of the negotiation differ.

7 / 19

SLIDE 24

This work

Evaluate feasibility of CurveSwap downgrade attack

◮ Requires breaking ECDH online for some supported curve

Look at ECDH in TLS, SSH, IPsec (IKE), JWE

Measure elliptic curve usage in hosts and implementations

Punch line: we find many weaknesses in elliptic curve implementations, but nobody vulnerable to CurveSwap

8 / 19

SLIDE 27

Scan measurements

Fast internet scanning lets us study behavior of publicly accessible hosts.

Curve support across protocols varies widely

Protocol   Total    ECDHE    secp224r1   secp256r1   x25519
HTTPS      41.0M    28.8M    2.8%        86.9%       2.6%
SSH        14.5M    7.9M     0.0%        97.8%       77.2%
IKEv1      1.1M     215.4K   66.8%       98.3%       0.0%
IKEv2      1.2M     101.1K   4.1%        97.1%       0.0%

8.5M HTTPS servers chose secp256r1, secp384r1, or secp521r1, even when not offered by the client.

9 / 19
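A client-side check for the TLS 1.2 negotiation the earlier slides describe (the curve choice is unauthenticated, and millions of servers pick curves the client never offered). This is an added example, not code from the paper or its scanners; the curve ids are the RFC 4492/8422 NamedCurve values and the ServerKeyExchange bytes are constructed for the demo. It rejects an unoffered curve and, by keeping the offered list strong, leaves CurveSwap no weak curve to swap to; it cannot detect a swap onto a curve the client did offer, which only transcript authentication (TLS 1.3) fixes.

```python
# Added example: parse the ECDHE parameters at the head of a TLS 1.2
# ServerKeyExchange (RFC 4492 ECParameters followed by ECPoint; the signature
# that follows is not parsed here) and accept only a curve this client offered.
import struct

NAMED_CURVE = {16: "secp160r1", 21: "secp224r1", 23: "secp256r1",
               24: "secp384r1", 25: "secp521r1", 29: "x25519"}
# What this client offers: nothing below ~128-bit security, so a downgrade
# to something like secp160r1 has no curve to land on.
STRONG_OFFER = (29, 23, 24, 25)

def parse_ske_ecdh_params(data):
    """Return (named_curve id, ECPoint bytes) from the start of a ServerKeyExchange."""
    if len(data) < 4 or data[0] != 3:      # curve_type 3 = named_curve
        raise ValueError("only named_curve ECParameters are accepted")
    (curve_id,) = struct.unpack("!H", data[1:3])
    plen = data[3]
    point = data[4:4 + plen]
    if len(point) != plen:
        raise ValueError("truncated ECPoint")
    return curve_id, point

def check_negotiated_curve(ske, offered=STRONG_OFFER):
    """Accept the server's curve only if this client offered it. Returns (ok, detail)."""
    curve_id, point = parse_ske_ecdh_params(ske)
    name = NAMED_CURVE.get(curve_id, "unknown(%d)" % curve_id)
    if curve_id not in offered:
        return False, "server chose %s, which we did not offer" % name
    if curve_id == 29:
        if len(point) != 32:                # X25519 public key is 32 raw bytes
            return False, "bad x25519 point length"
    elif not point or point[0] != 4:        # 0x04 = uncompressed SEC 1 point
        return False, "expected uncompressed point for %s" % name
    return True, name

def build_ske(curve_id, point):
    """Constructed test vector, not a captured handshake."""
    return bytes([3]) + struct.pack("!H", curve_id) + bytes([len(point)]) + point

OK_SKE = build_ske(23, b"\x04" + b"\x11" * 64)    # secp256r1, dummy point
SWAP_SKE = build_ske(16, b"\x04" + b"\x22" * 40)  # secp160r1, never offered
```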

SLIDE 30

Breaking Elliptic Curve Diffie-Hellman

CurveSwap requires breaking ECDH for some supported curve: ks = dlog(aP, bP, [curve])

Known attack vectors

◮ Solve the discrete logarithm on weak curves
◮ Invalid point attacks

Need server to reuse key for multiple connections

◮ Common optimization to reduce server load

10 / 19

SLIDE 32

Do servers reuse keys?

Scanned each host on the public IPv4 Internet twice in rapid succession with secp256r1, a popular curve.

Of the TLS hosts supporting secp256r1:

◮ 5.5M (22%) reused keys at least once
◮ 640K (2.6%) used the same key as another host

11 / 19

SLIDE 36

Solve the discrete logarithm on weak curves

ECDLP: Given [curve] and bP, compute b

Best known attack runs in O(√n) for curve with n points

TLS supports a ton of weak elliptic curves

◮ secp160r1 has 80-bit security
◮ Bitcoin network computes 2^80 hashes every 11 hours

Out of 4M client hellos:

◮ sampled from Cloudflare
◮ 682.6K (16.3%) support secp160r1

Out of 41M servers from scans:

◮ 276.2K (0.67%) support secp160r1
◮ 8.1K (2.9%) also reused keys
◮ only 2 reused after 25 hours

12 / 19

SLIDE 44

Invalid point attacks

Some implementations are “curve blind”: they lack the validation checks to differentiate between [curve] and [invalid curve].

Diagram: Bob holds b. Mallory sends a point P on [invalid curve] in place of a valid public key; Bob computes bP = ks and sends MACks(data).

break(MACks(data)) ⇒ learn some bits of b

Repeat many times ⇒ find b using Chinese Remainder Theorem

13 / 19

SLIDE 45

Countermeasures

The countermeasures against these attacks are well known, and built into almost all ECDH standards:

RFC 4492 (TLS): “The server retrieves the client’s ephemeral ECDH public key from the ClientKeyExchange message and checks that it is on the same elliptic curve as the server’s ECDH key.”

RFC 5656 (SSH): “All elliptic curve public keys MUST be validated after they are received”

RFC 6989 (IKEv2): “A receiving peer MUST check that its peer’s public key value is valid”

RFC 7516, 7518 (JWE): . . . no warning?

14 / 19
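The validation the RFCs above require, written out as an added example (not the paper's code): full public-key validation of a secp256r1 peer point, using the standard domain parameters, plus a constructed invalid-curve point to show that the addition law itself never notices the wrong curve, which is exactly why the explicit check is needed.

```python
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity

def add(p1, p2):
    """Affine short-Weierstrass addition; note that B is never used here."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                    # p2 == -p1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; not constant time (demo only)
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def on_curve(pt, b=B):
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P == 0

def validate_public_key(pt):
    """SEC 1 full validation. Returns (ok, reason); a curve-blind peer skips all of it."""
    if pt is INF:
        return False, "point at infinity"
    if not (0 <= pt[0] < P and 0 <= pt[1] < P):
        return False, "coordinate out of range"
    if not on_curve(pt):
        return False, "not on secp256r1"   # rejects invalid-curve points
    if mul(N, pt) is not INF:
        return False, "wrong order"        # cofactor is 1; kept for generality
    return True, "ok"

# Constructed invalid point: G with y+1 lies on y^2 = x^3 + Ax + B2 (B2 != B); add()/mul() still run on it.
BAD = (G[0], G[1] + 1)
B2 = (BAD[1] ** 2 - BAD[0] ** 3 - A * BAD[0]) % P
```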

SLIDE 47

Do libraries validate public keys?

Many TLS libraries don’t validate for ECDH: [JSS ESORICS ’15]

Similar for FFDH in TLS, SSH, IPsec: [VASCFHHH NDSS ’16]

Many JWE libraries don’t validate:

Library          Vulnerable
jose4j           Yes
Nimbus JOSE+JWT  Yes
Apache CXF       No
go-jose          Yes
jose2go          Yes
node-jose        Yes

15 / 19

SLIDE 49

Do hosts validate public keys?

Scanning methodology: test for two types of curve blindness

◮ send order-5 point on invalid curve related to secp256r1
◮ send order-5 point on twist of secp256r1

Protocol   Accept          Accept + Reuse Keys
HTTPS      188.7K (0.7%)   0 (0.0%)
SSH*       4.1K (0.1%)     0 (0.0%)
IKEv1*     530 (0.2%)      0 (0.0%)
IKEv2*     4.1K (4.0%)     0 (0.0%)

* Overestimates due to scanning limitations

Scans from November 2016

16 / 19

SLIDE 50

Modern advancements in ECC

“New” DJB curves: Curve25519, Curve41417, Curve448

◮ Montgomery/twisted Edwards curves
◮ By design, no twist or invalid curve attacks
◮ Curve25519 supported by 77.2% of SSH, 2.6% of HTTPS
◮ TLS 1.3 includes Curve25519 and Curve448

17 / 19

SLIDE 54

Takeaways

Standards writers:

◮ Easy for developers to skip validation checks
◮ Minimize complexity of curve support
◮ Downgrade protection is essential in protocol design

Software developers:

◮ Cryptography is hard, but it is easy to prevent known attacks
◮ Cryptographic validation should be part of your test suite (https://github.com/google/wycheproof)

Academic researchers:

◮ Internet scanning is an effective “black box” measurement tool
◮ “Negative” results can and should be published

Questions?

18 / 19

SLIDE 55

References

  • In search of CurveSwap: measuring elliptic curve implementations in the wild. Luke Valenta, Nick Sullivan, Antonio Sanso, Nadia Heninger. EuroS&P 2018. https://eprint.iacr.org/2018/298

  • Practical invalid curve attacks on TLS-ECDH. Tibor Jager, Jörg Schwenk, Juraj Somorovsky. ESORICS 2015.

  • Measuring small subgroup attacks against Diffie-Hellman. Luke Valenta, David Adrian, Antonio Sanso, Shaanan Cohney, Joshua Fried, Marcella Hastings, J. Alex Halderman, Nadia Heninger. NDSS 2016.

Alice, Bob, and Eve images from Randall Munroe (XKCD)

19 / 19