
Dual EC: a standardized back door

Ruben Niederhagen. Joint work with Stephen Checkoway, Matthew Fredrikson, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, and Hovav Shacham.


  1. Authors of Dual EC. Kelsey, in December 2013 slides:
     - Standardization effort by “NIST and NSA, with some participation from CSE”.
     - “Most of work on standards done by US federal employees (NIST and NSA, with some help from CSE)”
     - The standard Dual EC parameters P and Q come “ultimately from designers of Dual EC DRBG at NSA”.
     Ruben Niederhagen: Dual EC — a standardized back door

  2. Attack Target — TLS. Transport Layer Security (TLS)
     - Used in the Internet for encryption of communication. Examples: e-mail transport, online banking, online shopping, ...
     - Standard covers a vast amount of protocols and optional features.
     - Client and server agree on what parameters to use.
     - Client and server agree on a random secret key.

  3. TLS Handshake. [Diagram: the client generates a client random and sends it to the server; the server generates session ID, server random, a and a signature nonce, and sends server random, session ID, cert(pk), aP and sig; the client generates b and sends bP and Finished; the server sends Finished.]

  4-5. Attack Target — TLS. Common TLS implementations:
     - RSA’s BSAFE
       - RSA BSAFE Share for Java (BSAFE Java)
       - RSA BSAFE Share for C and C++ (BSAFE C)
     - Microsoft’s SChannel
     - OpenSSL
     All of these offer Dual EC. Remember: NSA paid RSA Security $10 million to use Dual EC as the default RNG!

  6-8. Elliptic Curve Discrete Logarithm Problem. Arithmetic on Elliptic Curves: operate on points $P = (x_P, y_P)$ on an elliptic curve:
     - addition: $A + B = C$,
     - scalar mul.: $k \cdot A = \underbrace{A + A + \cdots + A}_{k\text{ times}}$.
     Useful in Cryptography: It is easy to compute $k \cdot A$, e.g.: $B = 243 \cdot A = A + 2A + 16A + 32A + 64A + 128A$. Cost: 5 additions and 7 doublings. For given $A$ and $B$, it is hard to find $k$ such that $B = k \cdot A$!

  9. Dual EC. Parameters. Here: elliptic curve over finite field with NIST prime P-256. (NIST SP800-90A also defines curves for P-384 and P-521.) The elliptic curve is defined over $\mathbb{F}_p$ with $p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$. The curve is given in short Weierstrass form $E: y^2 = x^3 - 3x + b$, where
     b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b.
     Dual EC defines two points, a base point P and a second point Q:
     P_x = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     P_y = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5;
     Q_x = 0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192,
     Q_y = 0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046.

  10-21. Dual EC — Basic Procedure. Points Q and P on an elliptic curve. [Diagram, built up over twelve frames: a chain of 32-byte states $s_0, s_1, s_2, s_3$ with $s_1 = x(s_0 P)$, $s_2 = x(s_1 P)$, $s_3 = x(s_2 P)$, $s_4 = x(s_3 P)$; values $r_1 = x(s_1 Q)$, $r_2 = x(s_2 Q)$, $r_3 = x(s_3 Q)$, each output as 30 bytes. The last two frames add a “?” and the label “ECDLP!”.]

  22-29. Shumow and Ferguson – the Basic Attack. Points Q and $P = dQ$ on an elliptic curve. [Diagram: the same chain of 32-byte states and 30-byte outputs as in the basic procedure. The frames add, in turn: $x(d \cdot s_1 Q)$; the identity $s_2 = x(s_1 P) = x(s_1 \cdot dQ)$; $r_c$; the point $R_c = (r_c, y(r_c))$; and $s_c$ together with $x(dR_c)$.]

  30-35. Dual EC — NIST SP800-90 in June 2006. [Diagram: states $s_0, s_1, s_2, s_3$ and intermediate values $t_1, t_2$, linked by the operations $\bullet \oplus H(\mathrm{adin}_1)$, $\bullet \oplus H(\mathrm{adin}_2)$, $\bullet \oplus H(\mathrm{adin}_4)$ and $x(\bullet P)$; outputs $r_1, r_2, r_3$ obtained via $x(\bullet Q)$. Later frames add $r_c$, $x(dR_c)$ and a “?”.]

  36-41. Dual EC — NIST SP800-90 in March 2007. [Diagram: states $s_0$ to $s_5$ and intermediate values $t_1, t_2, t_3$, linked by the operations $\bullet \oplus H(\mathrm{adin}_1)$, $\bullet \oplus H(\mathrm{adin}_3)$, $\bullet \oplus H(\mathrm{adin}_6)$ and $x(\bullet P)$; outputs $r_1$ to $r_4$ obtained via $x(\bullet Q)$. Later frames add $r_c$, $s_c$ and $x(dR_c)$.]

  42-43. Attack. Attack targets in our analysis: In the real world, the attack is more complicated. We attacked:
     - RSA’s BSAFE
       - RSA BSAFE Share for Java (BSAFE Java)
       - RSA BSAFE Share for C and C++ (BSAFE C)
     - Microsoft’s SChannel
     - OpenSSL (“OpenSSL-fixed” on the second frame)
     We replaced the points P and Q with known $P = dQ$; this required some reverse engineering of BSAFE and SChannel.

  44-68. Attack — Example: BSAFE-Java. [Diagram, built up over 25 frames: states $s_0$ to $s_5$ linked by $x(\bullet P)$; outputs $r_1, r_3, r_4$ obtained via $x(\bullet Q)$, with the labels server random, ECDHE priv. key and ECDSA nonce; $\bullet P$ leads to the ECDHE public key and the ECDSA signature. Later frames add $r_c$, $s_c$, $x(dR)$ and a “?”.] Average cost: $2^{31}(C_v + 5C_f)$. Exposes longterm secret key! Impersonation attack possible!

  69-73. Attack — BSAFE-C. [Diagram, built up over five frames: state $s_0$, $x(\bullet P)$, state $s_1$, $x(\bullet Q)$, output $r_1$, with the labels session ID, server random and DHE key.]
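The basic procedure (slides 10-21) and the Shumow and Ferguson attack (slides 22-29) above, as an added Python example that is not part of the original slides: it runs the generator on P-256 with the curve constants from slide 9, uses the slides' base point as Q with a constructed d and P = dQ, and recovers the internal state from two outputs. Assumptions: all function names, the seed and d are constructed for illustration, and only 8 bits are dropped per output instead of the 2 bytes shown on the slides, to keep the run short.

```python
# Added example: Dual EC on P-256 with a trapdoor P = d*Q known to the observer.
p = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime from slide 9
a = -3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point from slide 9; used here as Q, with P derived as d*Q (assumption).
Q = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
DROP = 8                       # assumption: 8 bits dropped, not the real 16
KEEP = 256 - DROP
MASK = (1 << KEEP) - 1

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):
    """Scalar multiplication k*A by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def dual_ec_step(s, P):
    """One round of the basic procedure: (new state, truncated output)."""
    s = mul(s, P)[0]                    # s_i = x(s_{i-1} P)
    return s, mul(s, Q)[0] & MASK       # r_i = x(s_i Q), top bits dropped

def lift(x):
    """Point R_c = (x, y(x)) on the curve, or None if x is no x-coordinate."""
    v = (x * x * x + a * x + b) % p
    y = pow(v, (p + 1) // 4, p)         # square root, valid as p = 3 mod 4
    return (x, y) if y * y % p == v else None

def recover_state(out1, out2, d):
    """Find s_2 from two outputs: x(d R_c) = x(d s_1 Q) = x(s_1 P) = s_2."""
    for hi in range(1 << DROP):         # guess the dropped bits of r_1
        R = lift((hi << KEEP) | out1)
        if R is None:
            continue
        s = mul(d, R)[0]
        if mul(s, Q)[0] & MASK == out2:  # confirm against the next output
            return s
    return None

def demo():
    d = 0x1234567890abcdef1234567890abcdef        # constructed trapdoor scalar
    P = mul(d, Q)
    s1, out1 = dual_ec_step(0xC0FFEE, P)          # constructed seed s_0
    s2, out2 = dual_ec_step(s1, P)
    s3, out3 = dual_ec_step(s2, P)
    guess = recover_state(out1, out2, d)          # sees outputs and d only
    return guess == s2, dual_ec_step(guess, P)[1] == out3
```

Without d, the same search would need the discrete logarithm relating P and Q; with it, two consecutive outputs are enough to predict every later one.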
