practical invalid curve
play

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg - PowerPoint PPT Presentation

Sep 17, 2022 •1.07k likes •1.45k views

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jrg Schwenk, Juraj Somorovsky Horst Grtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks

  1. Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky Horst Görtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 1

  2. About Me and Our Institute • Security Researcher at: – Chair for Network and Data Security • Prof. Dr. Jörg Schwenk • Web Services, Single Sign-On, (Applied) Crypto, SSL, crypto currencies • Provable security, attacks and defenses – Horst Görtz Institute for IT-Security • Further topics: embedded security, malware, crypto … – Ruhr University Bochum • Penetration tests, security analyses, workshops … Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 2 2

  3. Recent years revealed many attacks on TLS… • ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack • Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS • Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols based on the RSA Encryption Standard PKCS #1 Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 3 3

  4. Another “forgotten” attack • Invalid curve attack • Crypto 2000 , Biehl et al.: Differential fault attacks on elliptic curve cryptosystems • Targets elliptic curves – Allows one to extract private keys • Are current libraries vulnerable? Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 4 4

  5. Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 5 5

  6. Elliptic Curve (EC) Crypto • Key exchange, signatures, PRNGs • Many sites switching to EC • Fast, secure Algorithm Signatures 256 bit ECDSA 9516 per sec RSA 2048 bits 1000 per sec – https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/ Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 6 6

  7. Elliptic Curve • Set of points over a finite field 𝐹: 𝑧 2 = 𝑦 3 + 𝑏𝑦 + 𝑐 𝑛𝑝𝑒 𝑞 • Operations: ADD and DOUBLE • Example: DOUBLE 𝑏 = 9 𝑐 = 17 ADD 𝑞 = 23 Base Point P Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 7 7

  8. Elliptic Curve Diffie Hellman (ECDH) Client Server Secret q Secret s qP q(sP) sP sP Shared secret: s(qP) = q(sP) qP Base Point P Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 8 8

  9. Elliptic Curves in Crypto • Have to be chosen very carefully: high order – P -> ADD -> ADD - > … -> ADD -> P order DOUBLE ADD • Predefined curves > 256 bits Base Point P Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 9 9

  10. Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 10 10

  11. Invalid Curve Attack • What if we compute with a point P ’ outside of curve E? • P’ belongs to curve E’ • E ’ can have a small order • Example: – E’ with 256 bits – P’ generates 5 points Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 11 11

  12. Invalid Curve Attack • What can we learn? • Shared secret: sP ’ – Only 5 possible values! • We can compute: 𝑡 1 = 𝑡 𝑛𝑝𝑒 5 𝑡 2 = 𝑡 𝑛𝑝𝑒 7 𝑡 3 = 𝑡 𝑛𝑝𝑒 11 𝑡 4 = 𝑡 𝑛𝑝𝑒 13 • Compute s with CRT Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 12 12

  13. Invalid Curve Attack • Possible if – No point verification – Test for shared secret possible – Simple DOUBLE and ADD method • No sliding window etc. • Curve b parameter not in the computation Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 13 13

  14. Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 14 14

  15. Transport Layer Security (TLS) • EC since 2006 • Static and ephemeral • TLS server initialized with an EC certificate – Server has EC key Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 15 15

  16. TLS ECDH TLS TLS Client Server ClientHello ServerHello Certificate: sP ServerHelloDone ClientKeyExchange: Premaster secret qP Used to compute keys 𝒒𝒏𝒕 = 𝒕 𝒓𝑸 = 𝒓(𝒕𝑸) ChangeCipherSpec How to use the server as an oracle? (Client-) Finished: ChangeCipherSpec (Server-) Finished Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 16 16

  17. TLS as an Oracle • Idea: – Set 𝑞𝑛𝑡 1 = 1𝑄′ , 𝑞𝑛𝑡 2 = 2𝑄′ , 𝑞𝑛𝑡 3 = 3𝑄′ , … – Execute TLS handshakes – If pms correct , ClientFinished accepted • First described by Brumley et al. Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 17 17

  18. TLS as an Oracle TLS Server ClientHello ServerHello Certificate ServerHelloDone P’ ClientKeyExchange 𝒒𝒏𝒕 = 𝟐𝑸′ ChangeCipherSpec (Client-) Finished: Alert Attacker … ClientHello ServerHello Certificate ServerHelloDone P’ ClientKeyExchange 𝒒𝒏𝒕 = 𝟒𝑸′ ChangeCipherSpec (Client-) Finished: ChangeCipherSpec (Server-) Finished Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 18

  19. Invalid Curve Attack on TLS 1. Generate invalid points with order 𝑞 𝑗 = 5, 7, 11, 13 … 2. Use oracle to get equations s = 𝑡 𝑗 𝑛𝑝𝑒 𝑞 𝑗 3. Compute CRT to get secret key s Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 19 19

  20. Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 20 20

  21. Evaluation • 8 libraries – Bouncy Castle v1.50 , Bouncy Castle v1.52, MatrixSSL, mbedTLS, OpenSSL, Java NSS Provider, Oracle JSSE , WolfSSL • 2 vulnerable • Practical test with NIST secp256r1 – Most commonly used [Bos et al., 2013] Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 21 21

  22. Evaluation: Bouncy Castle v1.50 • Vulnerable – 74 equations (oracle queries) – 3300 real server queries Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 22 22

  23. Evaluation: JSSE • Java Secure Socket Extension (JSSE) server accepted invalid points • However, the direct attack failed Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 23 23

  24. Evaluation: JSSE • Problem: invalid computation with some EC points Valid Computations [%] EC point order • Not considered by Biehl et al. • Attack possible: – 52 oracle queries, 17000 server requests Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 24 24

  25. Impact • Attacks extract server private keys • Huge problem for Java servers using EC certificates – For example Apache Tomcat – Static ECDH enabled per default • Key revocation • Not only applicable to TLS – Also to other Java applications using EC Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 25 25

  26. Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 26 26

  27. What ’s next? Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky 32 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann Department of Computer Science Technion Israel Institute of Technology Cryptoday 2018 Eli Biham, Lior Neumann (Technion) Breaking the

784 views • 75 slides
Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation

Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation

Overview Using Curve Implementation Lessons Curve Curve Ninjas December 19, 2012 Curve Ninjas Curve Overview Using Curve Implementation Lessons Ninjas Shinobi Kun An John Chan David Mauskop Wisdom Omuya Zitong Wang Curve Ninjas

360 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Ahead Ahead of the of the Curve Curve A N N U A L S H A R E H O L D E R S M E E T I N G 2 0 1

Ahead Ahead of the of the Curve Curve A N N U A L S H A R E H O L D E R S M E E T I N G 2 0 1

Ahead Ahead of the of the Curve Curve A N N U A L S H A R E H O L D E R S M E E T I N G 2 0 1 7 Forward Looking Statements And Non GAAP Financial Measures To the extent that statements in this PowerPoint presentation relate to future

775 views • 28 slides
3 t ,t >. The graph of EXAMPLE 3: Consider the curve r t = <5sin the curve is shown

3 t ,t >. The graph of EXAMPLE 3: Consider the curve r t = <5sin the curve is shown

SMOOTH AND UNSMOOTH CURVES Def. A curve C is smooth if it is traced out by a vector-valued function r ( t ), where r '( t ) is continuous and r '( t ) 0 for all values of t . t 2 > 3 EXAMPLE 1 : r t = < t , r ' t =

209 views • 3 slides
(Exam Success and well- being) Exam Success Context Change curve Key dates

(Exam Success and well- being) Exam Success Context Change curve Key dates

Post 16 Study Skills (Exam Success and well- being) Exam Success Context Change curve Key dates Uncontrollables Sixth Form learning environment Staff said (practical tips) Students said Emotional Well-being

938 views • 57 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
The curve they fit to the data What ordinary people expected to see The curve they fit to the

The curve they fit to the data What ordinary people expected to see The curve they fit to the

The curve they fit to the data What ordinary people expected to see The curve they fit to the data The range of the data The curve they fit to the data . . . . . . the data! Changing everything at once: Student-centered learning, computerized

560 views • 35 slides
Curve Sketching Michael Freeze MAT 151 UNC Wilmington Summer 2013 1 / 10 Section 5.4 :: Curve

Curve Sketching Michael Freeze MAT 151 UNC Wilmington Summer 2013 1 / 10 Section 5.4 :: Curve

Curve Sketching Michael Freeze MAT 151 UNC Wilmington Summer 2013 1 / 10 Section 5.4 :: Curve Sketching 2 / 10 Curve Sketching Make an accurate sketch of the graph the function. Identify any important features such as intercepts,

287 views • 10 slides
Curve of intersection of the surfaces z = x 3 and y =sin x + z 2 The curve can be parametrized as

Curve of intersection of the surfaces z = x 3 and y =sin x + z 2 The curve can be parametrized as

Curve of intersection of the surfaces z = x 3 and y =sin x + z 2 The curve can be parametrized as r(t) = < t, sin t + t 6 , t 3 > Curve of intersection of the surfaces z = 3 x 2 + y 2 (elliptic paraboloid) and y = x 2 (parabolic cylinder)

459 views • 6 slides
Practical Evaluation of Protected RNS Scalar Multiplication CHES 2019 By Louiza

Practical Evaluation of Protected RNS Scalar Multiplication CHES 2019 By Louiza

Practical Evaluation of Protected RNS Scalar Multiplication CHES 2019 By Louiza Papachristodoulou Joint work with A. Fournaris, K. Papagiannopoulos, L. Batina Out utli line Residue Number System in Elliptic Curve Cryptography

468 views • 17 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
A Mechanized Proof of the Curve Length of a Rectifiable Curve Jagadish Bapanapally and Ruben

A Mechanized Proof of the Curve Length of a Rectifiable Curve Jagadish Bapanapally and Ruben

A Mechanized Proof of the Curve Length of a Rectifiable Curve Jagadish Bapanapally and Ruben Gamboa ACL2 Workshop 2017 May 23, 2017 Theory L n i =1 | P i P i 1 | Deriving length of a continuously differentiable curve n L =

568 views • 24 slides
Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a

Cover and Decomposition Index Calculus on Elliptic Curves made practical Application to a previously unreachable curve over F p 6 Vanessa VITSE Antoine JOUX Universit e de Versailles Saint-Quentin, Laboratoire PRISM Eurocrypt 2012

595 views • 44 slides
Maths Summary Intro: Zero coupon yield curve (Ex 13) TV concept Yield curve

Maths Summary Intro: Zero coupon yield curve (Ex 13) TV concept Yield curve

Maths Summary Intro: Zero coupon yield curve (Ex 13) TV concept Yield curve construction calcs (Ex 13) Yield curve prods calcs Stats calcs Intro yield curve AER (%) 10% Risk free 8% Zero coupon 7% Maturities

401 views • 10 slides
A Perfect Memory: Key Compromise in an Efficiency-centric World Britta Hale NTNU, Norwegian

A Perfect Memory: Key Compromise in an Efficiency-centric World Britta Hale NTNU, Norwegian

A Perfect Memory: Key Compromise in an Efficiency-centric World Britta Hale NTNU, Norwegian University of Science and Technology A Perfect Memory.... Britta Hale | Crypto vs. Mass Surveillance Workshop Facebook Google Lule, Sweden Britta

1.04k views • 18 slides
r t rts r

r t rts r

r t rts r t str rtr tt P

1.21k views • 76 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation

Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation

26. DECUS Symposium Bonn Open SSL in OpenVMS und STunnel Helmut Ammer OpenVMS Support CSSC Mnchen 2F06 Presentation Overview Product information What is the secure sockets layer (SSL)? Overview of SSL/OpenSSL/SSL on OpenVMS

657 views • 26 slides
Distributed Systems Rik Sarkar James Cheney Security Protocols & Case Studies March 17,

Distributed Systems Rik Sarkar James Cheney Security Protocols & Case Studies March 17,

Distributed Systems Rik Sarkar James Cheney Security Protocols & Case Studies March 17, 2014 Recap & outline Security is hard Cryptography is not security No "security through obscurity" Today:

924 views • 39 slides
MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One

MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One Year Later http://www.cs.stanford.edu/~iliano CS Department, UMBC

679 views • 29 slides
Communication Networks II www.kom.tu-darmstadt.de www.httc.de Security Prof. Dr.-Ing. Ralf

Communication Networks II www.kom.tu-darmstadt.de www.httc.de Security Prof. Dr.-Ing. Ralf

Communication Networks II www.kom.tu-darmstadt.de www.httc.de Security Prof. Dr.-Ing. Ralf Steinmetz TU Darmstadt - Darmstadt University of Technology, Dept. of Electrical Engineering and Information Technology, Dept. of Computer Science KOM -

2.54k views • 46 slides
A Comparative Review of HTTP/1.1, HTTP/2 & HTTP/3 December 3, 2018 Nancy Mogire WHAT

A Comparative Review of HTTP/1.1, HTTP/2 & HTTP/3 December 3, 2018 Nancy Mogire WHAT

A Comparative Review of HTTP/1.1, HTTP/2 & HTTP/3 December 3, 2018 Nancy Mogire WHAT The Hypertext Transfer Protocol (HTTP) WHAT a stateless application-level protocol for distributed, collaborative, hypertext

749 views • 23 slides

More recommend