Practical Invalid Elliptic Curve Attacks on TLS-ECDH, Tibor Jager, Jörg Schwenk, Juraj Somorovsky

Practical Invalid Curve Attacks on TLS-ECDH
Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Horst Görtz Institute for IT Security, Ruhr University Bochum
@jurajsomorovsky
Recent years revealed many attacks on TLS…
• ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack
• Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding—Applications to SSL, IPSEC, WTLS
• Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
Another “forgotten” attack
• Invalid curve attack
• Crypto 2000, Biehl et al.: Differential fault attacks on elliptic curve cryptosystems
• Targets elliptic curves
– Allows one to extract private keys
• Are current libraries vulnerable?
Overview
1. Elliptic Curves
2. Invalid Curve Attacks
3. Application to TLS ECDH
4. Evaluation
5. Bonus Content
Elliptic Curve (EC) Crypto
• Key exchange, signatures, PRNGs
• Many sites switching to EC
• Fast, secure
– openssl speed rsa2048 ecdhp256
– ECDH (P-256) about 10 times faster than RSA-2048 in that benchmark
Elliptic Curve
• Set of points over a finite field: $E: y^2 = x^3 + ax + b \pmod p$
• Operations: ADD and DOUBLE
• Example: $a = 9$, $b = 17$, $p = 23$
[Figure: the points of this curve, with ADD and DOUBLE steps drawn from the base point P]
Elliptic Curve Diffie Hellman (ECDH)
• Client: secret q, sends qP to the server
• Server: secret s, sends sP to the client
• Shared secret: s(qP) = q(sP)
[Figure: the exchange drawn on a small 5 bit curve with base point P; the client computes q(sP), the server s(qP)]
Elliptic Curves in Crypto
• Have to be chosen very carefully: the base point must have a high order
– order: the number of steps P -> ADD -> ADD -> … -> ADD -> P until the chain of additions returns to P
• Predefined curves
– > 256 bits
– NIST, Brainpool, …
[Figure: ADD and DOUBLE steps from the base point P, illustrating the order of P]
Overview: 2. Invalid Curve Attacks
Invalid Curve Attack
• What if we compute with a point P' outside of the curve E?
• P’ can have a small order
• Example:
– E’ with 256 bits
– P’ generates 5 points
Invalid Curve Attack
• What is the problem?
• Shared secret has only 5 possible values!
• Example: server secret s = 13; the server attempts to multiply the order-5 point P' by s
– 1P', 2P', 3P', 4P', 5P' = infinity, 6P' = 1P', 7P', 8P', 9P', 10P' = infinity, …, 13P' = 3P'
– the result reveals $3 = s \bmod 5$
Invalid Curve Attack
• What is the problem?
• Shared secret has only 5 possible values!
• We can compute: $s_1 = s \bmod 5$, $s_2 = s \bmod 7$, $s_3 = s \bmod 11$, $s_4 = s \bmod 13$, …
• Compute s with the Chinese Remainder Theorem (CRT)
Overview: 3. Application to TLS ECDH
Transport Layer Security (TLS)
• EC since 2006
• Static (ECDH) and ephemeral (ECDHE) key exchange
• TLS server initialized with an EC certificate
– Server has a static EC key
TLS ECDH
• Handshake between the TLS client and the TLS server:
– Client -> Server: ClientHello
– Server -> Client: ServerHello, Certificate (contains the static public key sP), ServerHelloDone
– Client -> Server: ClientKeyExchange (qP), ChangeCipherSpec, (Client-)Finished
– Server -> Client: ChangeCipherSpec, (Server-)Finished
• Premaster secret: $pms = s(qP) = q(sP)$
– Used to compute the keys
Invalid Curve Attack on TLS
1. Generate invalid points with order $p_i = 5, 7, 11, 13, \ldots$
2. Use the TLS server to get equations $s_i = s \bmod p_i$
3. Compute CRT to get the secret key s
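The whole attack end to end, as an added worked example in Python; this is not code from the paper or from the authors' EccPlayground tool, and every name in it is the example's own. It ties together the curve arithmetic from the "Elliptic Curve" slide (with its parameters a = 9, b = 17, p = 23), the ECDH exchange, the small-order points and CRT of the "Invalid Curve Attack" slides, and the three steps above. The server is a model: StaticEcdhServer.handshake stands in for a full TLS handshake and only answers whether the client's guess of the premaster secret would make the Finished messages verify, which is the one bit a real attacker learns per handshake. Two details go beyond the slides and are this example's own choices: it uses points of prime-power order (the slides use the primes 5, 7, 11, 13), and, because TLS derives the keys from the x-coordinate of sQ alone, each handshake pins down s only up to sign modulo the point's order, so both signs are pushed through the CRT and the candidate that reproduces the public key sP is kept.

```python
from math import prod

def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + ax + b over GF(p); None is infinity. b is never used."""
    if P is None or Q is None:
        return P or Q                                            # O + Q = Q, P + O = P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                              # P + (-P) = O
    if P == Q:                                                   # DOUBLE
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                                        # ADD
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def curve_points(a, b, p):
    """All affine points of the curve (p is tiny, so brute force is fine)."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in roots.get((x**3 + a * x + b) % p, [])]

def base_point(a, b, p):
    """A point of largest order on the valid curve, together with that order n."""
    def order(R):
        T, o = R, 1
        while T is not None:
            T, o = ec_add(T, R, a, p), o + 1
        return o
    P = max(curve_points(a, b, p), key=order)
    return P, order(P)

class StaticEcdhServer:
    """TLS server with a static EC key that never checks the client's point (the bug)."""
    def __init__(self, a, p, P, s):
        self.a, self.p, self.s = a, p, s
        self.pub, self.queries = ec_mul(s, P, a, p), 0           # sP sits in the certificate

    def handshake(self, Q, client_pms):
        """True iff the client's Finished verifies, i.e. it knew the premaster secret x(sQ)."""
        self.queries += 1
        T = ec_mul(self.s, Q, self.a, self.p)                    # Q is used without any on-curve check
        return (None if T is None else T[0]) == client_pms

def find_small_order_points(a, b, p, n):
    """Small prime-power-order points on curves sharing a and p but with b' != b, until the orders' product exceeds n."""
    best = {}                                                    # prime -> (order, point)
    for bp in range(p):
        if bp == b or (4 * a**3 + 27 * bp**2) % p == 0:         # the real curve, or singular
            continue
        pts = curve_points(a, bp, p)
        N = len(pts) + 1                                         # group order of E'
        for q in range(2, N + 1):
            if N % q or any(q % d == 0 for d in range(2, q)):    # q must be a prime factor of N
                continue
            qe = q
            while N % (qe * q) == 0:
                qe *= q                                          # q^e divides N exactly
            for R in pts:
                T = S = ec_mul(N // qe, R, a, p)                  # S has order q^j with j <= e
                o = 1
                while T is not None:
                    T, o = ec_mul(q, T, a, p), o * q
                if o > best.get(q, (1,))[0]:
                    best[q] = (o, S)
                if o == qe:
                    break
        if prod(o for o, _ in best.values()) > n:
            break
    return list(best.values())

def crt(x, M, r, m):
    return x + M * ((r - x) * pow(M, -1, m) % m)                 # z = x (mod M), z = r (mod m)

def invalid_curve_attack(server, a, b, p, P, n):
    """Recover the server's static secret s (None if no candidate matches its public key)."""
    eqs = []
    for m, Pp in find_small_order_points(a, b, p, n):
        # Only x(sP') enters the keys, so k and m-k are indistinguishable; k = 0 is the failed handshake for sP' = O.
        for k in range(m // 2 + 1):
            G = ec_mul(k, Pp, a, p)
            if server.handshake(Pp, None if G is None else G[0]):
                eqs.append((k, m))                               # s = +-k (mod m)
                break
    # Both signs of each equation go through the CRT (2^#eqs candidates, fine for a toy); keep the one matching sP.
    cands = {(0, 1)}
    for r, m in eqs:
        cands = {(crt(x, M, sg, m), M * m) for x, M in cands for sg in (r, -r % m)}
    return next((x for x, M in cands if 0 < x < n and ec_mul(x, P, a, p) == server.pub), None)
```

With P, n = base_point(9, 17, 23) the slide's curve turns out to have a base point of order 32 (a 5 bit curve, as the ECDH slide says), and invalid_curve_attack(StaticEcdhServer(9, 23, P, s=13), 9, 17, 23, P, n) returns 13; server.queries counts the handshakes spent, the toy analogue of the 3300 and 17000 queries reported on the evaluation slides. The exhaustive sign search is fine for a handful of equations but does not scale to the 74 equations of the Bouncy Castle case, so a real attack needs a cheaper way to fix the signs.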
Overview: 4. Evaluation
Evaluation
• 8 libraries
– Bouncy Castle v1.50, Bouncy Castle v1.52, MatrixSSL, mbedTLS, OpenSSL, Java NSS Provider, Oracle JSSE, WolfSSL
• 2 vulnerable
• Practical test with NIST secp256r1
– Most commonly used [Bos et al., 2013]
Evaluation: Bouncy Castle v1.50
• Vulnerable
– 74 equations
– 3300 real server queries
Evaluation: JSSE
• Java Secure Socket Extension (JSSE) server accepted invalid points
• However, the direct attack failed
Evaluation: JSSE
• Problem: invalid computation with some EC points
• Attack possible:
– 52 equations, 17000 server requests
[Chart: valid computations [%] (y-axis) against EC point order (x-axis)]
Impact
• Attacks extract server private keys
• Huge problem for Java servers using EC certificates
– For example Apache Tomcat
– Static ECDH enabled per default
• Key revocation
• Not only applicable to TLS
– Also to other Java applications using EC
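What the fix looks like at the protocol boundary: an added example in Python (not code from the paper, from EccPlayground, or from any of the libraries evaluated above) that parses the ECDH ClientKeyExchange body defined in RFC 4492 and performs the point validation whose absence the slides exploit, on secp256r1, the curve the evaluation used. The curve constants are the published P-256 parameters; the function names and the tampered probe point are this example's own.

```python
# P-256 (secp256r1) domain parameters as published in SEC 2 / FIPS 186-4.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def encode_client_key_exchange(x, y):
    """ECDH ClientKeyExchange body (RFC 4492): one length byte, then the X9.62
    uncompressed point 0x04 || X || Y with 32-byte big-endian coordinates."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return bytes([len(point)]) + point

def parse_and_validate_point(body, p=P256_P, a=P256_A, b=P256_B):
    """Return (x, y) if body carries a valid P-256 point, else None.
    Each rejection below closes one door the invalid curve attack walks through."""
    if not body or len(body) != 1 + body[0]:
        return None                      # malformed length prefix
    point = body[1:]
    if len(point) != 65 or point[0] != 0x04:
        return None                      # only uncompressed points; 0x00 (infinity) is refused too
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:], "big")
    if x >= p or y >= p:
        return None                      # coordinates must be reduced field elements
    if (y * y - (x * x * x + a * x + b)) % p != 0:
        return None                      # not on E: this is the attacker's small-order point
    # secp256r1 has cofactor 1, so every on-curve point other than infinity already
    # lies in the prime-order group; no extra subgroup check is needed here.
    return (x, y)

def invalid_curve_probe(x, y):
    """Constructed attacker input: same x as the generator, y bumped by one, so the
    point satisfies y^2 = x^3 + ax + b' for some other b' but not for P-256's b."""
    return encode_client_key_exchange(x, (y + 1) % P256_P)
```

Bouncy Castle 1.50 and JSSE, as evaluated above, went straight from the par
sed coordinates to the scalar multiplication; the on-curve test is a single modular equation and is the whole difference between an accepted handshake and an aborted one for the attacker's probe.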
Overview: 5. Bonus Content
What’s next?
• Hardware Security Modules
• Devices for storage of crypto material
Attacker Model in HSM Scenarios
• Key never leaves the HSM
[Figure: the HSM holds the keys (RSA, EC, AES …); the caller submits dec(C) and receives only the plaintext m]
Attacker Model in HSM Scenarios
• Key never leaves the HSM
[Figure: a getKey request for the stored keys (RSA, EC, AES …) is not served; the key material itself never leaves the HSM]
How about Invalid Curve Attacks?
• CVE-2015-6924 (with Dennis Felsch)
• Utimaco HSMs vulnerable
• < 100 queries to extract a key
• Only possible thanks to our cooperation with Utimaco
– Provided sample code, fast fix
• Utimaco HSM is FIPS certified
• Other devices?
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Conclusion
• Old attacks still applicable, we can learn a lot from them
• Bouncy Castle, JSSE and Utimaco broken
• More tools / analyses of crypto applications needed
• https://github.com/RUB-NDS/EccPlayground
• http://web-in-security.blogspot.de/
• http://safecurves.cr.yp.to/