Practical Invalid Curve Attacks on TLS-ECDH. Tibor Jager, Jörg Schwenk, Juraj Somorovsky (PowerPoint presentation)



SLIDE 1

Practical Invalid Curve Attacks on TLS-ECDH

Tibor Jager, Jörg Schwenk, Juraj Somorovsky

Horst Görtz Institute for IT Security, Ruhr University Bochum, @jurajsomorovsky

SLIDE 2

About Me and Our Institute

  • Security Researcher at:
    – Chair for Network and Data Security
      • Prof. Dr. Jörg Schwenk
      • Web Services, Single Sign-On, (Applied) Crypto, SSL, cryptocurrencies
      • Provable security, attacks and defenses
    – Horst Görtz Institute for IT-Security
      • Further topics: embedded security, malware, crypto…
    – Ruhr University Bochum
      • Penetration tests, security analyses, workshops…

SLIDE 3

Recent years revealed many attacks on TLS…

  • ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack
  • Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding—Applications to SSL, IPSEC, WTLS
  • Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols based on the RSA Encryption Standard PKCS #1

SLIDE 4

Another “forgotten” attack

  • Invalid curve attack
  • Crypto 2000, Biehl et al.: Differential fault attacks on elliptic curve cryptosystems
  • Targets elliptic curves
    – Allows one to extract private keys

  • Are current libraries vulnerable?

SLIDE 5

Overview

  • 1. Elliptic Curves
  • 2. Invalid Curve Attacks
  • 3. Application to TLS ECDH
  • 4. Evaluation
  • 5. Bonus Content

SLIDE 6

Elliptic Curve (EC) Crypto

  • Key exchange, signatures, PRNGs
  • Many sites switching to EC
  • Fast, secure
    – https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/

  Algorithm        Signatures
  256 bit ECDSA    9516 per sec
  RSA 2048 bits    1000 per sec

SLIDE 7

Elliptic Curve

  • Set of points over a finite field

    $E: y^2 = x^3 + ax + b \pmod p$

  • Operations: ADD and DOUBLE
  • Example: $a = 9$, $b = 17$, $p = 23$

[Figure: the example curve with base point P, illustrating DOUBLE and ADD]

SLIDE 8

Elliptic Curve Diffie Hellman (ECDH)

[Figure: ECDH key exchange over base point P]

  Client (secret q) sends qP to the server.
  Server (secret s) sends sP to the client.
  Shared secret: s(qP) = q(sP)

SLIDE 9

Elliptic Curves in Crypto

  • Have to be chosen very carefully: high order
    – P -> ADD -> ADD -> … -> ADD -> P
  • Predefined curves
    – > 256 bits

[Figure: DOUBLE and ADD on the curve, starting from base point P]
SLIDE 10

Overview

  • 1. Elliptic Curves
  • 2. Invalid Curve Attacks
  • 3. Application to TLS ECDH
  • 4. Evaluation
  • 5. Bonus Content

SLIDE 11

Invalid Curve Attack

  • What if we compute with a point P’ outside of curve E?
  • P’ belongs to curve E’
  • E’ can have a small order
  • Example:
    – E’ with 256 bits
    – P’ generates 5 points

SLIDE 12

Invalid Curve Attack

  • What can we learn?
  • Shared secret: sP’
    – Only 5 possible values!
  • We can compute:

    $s_1 = s \bmod 5$, $s_2 = s \bmod 7$, $s_3 = s \bmod 11$, $s_4 = s \bmod 13$

  • Compute s with CRT

SLIDE 13

Invalid Curve Attack

  • Possible if
    – No point verification
    – Test for shared secret possible
    – Simple DOUBLE and ADD method
      • No sliding window etc.
      • Curve b parameter not in the computation
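A toy illustration of the last two conditions, added here and not code from the talk or the paper: affine double-and-add over the slide's example curve y² = x³ + 9x + 17 mod 23, with the function names (`is_on_curve`, `ec_add`, `server_ecdh`, …) my own. The ADD/DOUBLE formulas never touch b, so an off-curve point such as (16, 6) (a constructed test point; it lies on E' with b' = 5) is processed without any error, and `is_on_curve` is the point verification that a server needs to stop that.

```python
# Added toy illustration (not code from the talk or the paper) over the slide's
# curve y^2 = x^3 + 9x + 17 mod 23. ADD/DOUBLE use only a and p, never b, so an
# off-curve point is silently processed on another curve E' (same a, other b').
A, B, P, INF = 9, 17, 23, None   # slide parameters a, b, p; INF = point at infinity

def is_on_curve(pt, a=A, b=B, p=P):
    """Point validation a server must run before using a client's point."""
    if pt is INF:
        return False                 # the identity is never a valid public key
    x, y = pt
    return 0 <= x < p and 0 <= y < p and (y * y - x ** 3 - a * x - b) % p == 0

def ec_add(p1, p2, a=A, p=P):
    """Affine ADD, or DOUBLE when p1 == p2. Note that b appears nowhere here."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(k, pt, a=A, p=P):
    """Plain left-to-right double-and-add, the method the talk names as affected."""
    r = INF
    for bit in bin(k)[2:]:
        r = ec_add(r, r, a, p)
        if bit == "1":
            r = ec_add(r, pt, a, p)
    return r

def point_order(pt, a=A, p=P):
    """Smallest k > 0 with k*pt == INF, by repeated addition (fine for p = 23)."""
    k, r = 1, pt
    while r is not INF:
        r, k = ec_add(r, pt, a, p), k + 1
    return k

def implied_b(pt, a=A, p=P):
    """The b' of the curve E' that really contains pt: b' = y^2 - x^3 - a*x mod p."""
    x, y = pt
    return (y * y - x ** 3 - a * x) % p

def server_ecdh(s, client_pt):
    """Hardened server step: refuse points off E, then derive the shared secret."""
    if not is_on_curve(client_pt):
        raise ValueError("client point is not on the negotiated curve")
    return scalar_mult(s, client_pt)
```

On this curve the base point (16, 5) has order 32 and 9·(16, 5) = (4, 5), while `server_ecdh(9, (16, 6))` raises before any computation on the foreign curve E' happens.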

13

slide-14
SLIDE 14

14

Pract actical ical Inva valid d Ellip iptic Curve ve Attack acks s on TLS-EC ECDH DH Tibor Jager, Jörg Schwenk, Juraj Somorovsky

Overview

  • 1. Elliptic Curves
  • 2. Invalid Curve Attacks
  • 3. Application to TLS ECDH
  • 4. Evaluation
  • 5. Bonus Content

SLIDE 15

Transport Layer Security (TLS)

  • EC since 2006
  • Static and ephemeral
  • TLS server initialized with an EC certificate
    – Server has EC key

SLIDE 16

TLS ECDH

[Figure: TLS ECDH handshake between TLS Client and TLS Server]

  Client -> Server: ClientHello
  Server -> Client: ServerHello, Certificate (contains sP), ServerHelloDone
  Client -> Server: ClientKeyExchange (qP), ChangeCipherSpec, (Client-)Finished
  Server -> Client: ChangeCipherSpec, (Server-)Finished

  Premaster secret: $pms = s \cdot qP = q(sP)$, used to compute the keys

How to use the server as an oracle?

SLIDE 17

TLS as an Oracle

  • Idea:
    – Set $pms_1 = 1P'$, $pms_2 = 2P'$, $pms_3 = 3P'$, …
    – Execute TLS handshakes
    – If pms correct, ClientFinished accepted
  • First described by Brumley et al.

SLIDE 18

TLS as an Oracle

[Figure: two handshakes between Attacker and TLS Server, each with a different guess for the premaster secret]

  Handshake 1: ClientHello; ServerHello, Certificate, ServerHelloDone; ClientKeyExchange (P’), ChangeCipherSpec, (Client-)Finished computed with pms = 2P’. The server answers with an Alert.
  Handshake 2: the same messages, (Client-)Finished computed with pms = 4P’. The server answers with ChangeCipherSpec, (Server-)Finished.

SLIDE 19

Invalid Curve Attack on TLS

  • 1. Generate invalid points with order $p_i = 5, 7, 11, 13, \ldots$
  • 2. Use oracle to get equations $s \equiv s_i \pmod{p_i}$
  • 3. Compute CRT to get secret key s

SLIDE 20

Overview

  • 1. Elliptic Curves
  • 2. Invalid Curve Attacks
  • 3. Application to TLS ECDH
  • 4. Evaluation
  • 5. Bonus Content

SLIDE 21

Evaluation

  • 8 libraries
    – Bouncy Castle v1.50, Bouncy Castle v1.52, MatrixSSL, mbedTLS, OpenSSL, Java NSS Provider, Oracle JSSE, WolfSSL
  • 2 vulnerable
  • Practical test with NIST secp256r1
    – Most commonly used [Bos et al., 2013]

SLIDE 22

Evaluation: Bouncy Castle v1.50

  • Vulnerable
    – 74 equations (oracle queries)
    – 3300 real server queries

SLIDE 23

Evaluation: JSSE

  • Java Secure Socket Extension (JSSE) server accepted invalid points
  • However, the direct attack failed

SLIDE 24

Evaluation: JSSE

  • Problem: invalid computation with some EC points
  • Not considered by Biehl et al.
  • Attack possible:
    – 52 oracle queries, 17000 server requests

[Chart: Valid Computations [%] by EC point order]

SLIDE 25

Impact

  • Attacks extract server private keys
  • Huge problem for Java servers using EC certificates
    – For example Apache Tomcat
    – Static ECDH enabled per default
  • Key revocation
  • Not only applicable to TLS
    – Also to other Java applications using EC

SLIDE 26

Overview

  • 1. Elliptic Curves
  • 2. Invalid Curve Attacks
  • 3. Application to TLS ECDH
  • 4. Evaluation
  • 5. Bonus Content

SLIDE 32

What’s next?

SLIDE 33

What’s next?

  • Hardware Security Modules
  • Devices for storage of crypto material

SLIDE 34

Attacker Model in HSM Scenarios

  • Key never leaves HSMs

[Figure: an application sends dec(C) to the HSM and receives m; the keys (RSA, EC, AES …) stay inside the HSM]

SLIDE 35

Attacker Model in HSM Scenarios

  • Key never leaves HSMs

[Figure: a getKey request to the HSM holding the keys (RSA, EC, AES …)]

SLIDE 36

How about Invalid Curve Attacks?

  • CVE-2015-6924
  • Utimaco HSMs vulnerable
    – Analyzed together with Dennis Felsch
  • < 100 queries to extract a 256 bit EC key

"Catastrophic is the right word. On the scale of 1 to 10, this is an 11." [Heartbleed]

SLIDE 37

Conclusion

  • Old attacks still applicable, we can learn a lot from them
  • Bouncy Castle, JSSE and Utimaco broken
  • More tools / analyses of crypto applications needed
  • https://github.com/RUB-NDS/EccPlayground
  • http://web-in-security.blogspot.de/