practical invalid curve attacks on tls-ecdh · 2020. 1. 17. · practical invalid elliptic curve...
TRANSCRIPT
-
1Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Practical Invalid Curve Attacks on TLS-ECDH
Tibor Jager, Jörg Schwenk, Juraj Somorovsky Horst Görtz Institute for IT Security
Ruhr University Bochum
@jurajsomorovsky
1
-
2Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Recent years revealed many attacks on TLS…
• ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack
• Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding—Applications to SSL, IPSEC, WTLS
• Crypto 1998, Bleichenbacher: Chosen CiphertextAttacks Against Protocols based on the RSA Encryption Standard PKCS #1
2
-
3Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Another “forgotten” attack
• Invalid curve attack
• Crypto 2000, Biehl et al.: Differential fault attacks on elliptic curve cryptosystems
• Targets elliptic curves
– Allows one to extract private keys
• Are current libraries vulnerable?
3
-
4Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
1. Elliptic Curves
2. Invalid Curve Attacks
3. Application to TLS ECDH
4. Evaluation
5. Bonus Content
Overview
4
-
5Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Elliptic Curve (EC) Crypto
• Key exchange, signatures, PRNGs
• Many sites switching to EC
• Fast, secure
– openssl speed rsa2048 ecdhp256
– ECDH about 10 times faster
5
-
6Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Elliptic Curve
• Set of points over a finite field𝐸: 𝑦2 = 𝑥3 + 𝑎𝑥 + 𝑏 𝑚𝑜𝑑 𝑝
• Operations: ADD and DOUBLE
• Example:𝑎 = 9𝑏 = 17𝑝 = 23
6
DOUBLE
ADD
Base Point P
-
7Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Elliptic Curve Diffie Hellman (ECDH)
7
sP
qP
Base Point P
q(sP)
Client
Secret q
Server
Secret s
qP
sP
Shared secret: s(qP) = q(sP)
Small 5 bit curve
-
8Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Elliptic Curves in Crypto
• Have to be chosen very carefully: high order
– P -> ADD -> ADD -> … -> ADD -> P
• Predefined curves
> 256 bits
NIST, brainpool, …
88
DOUBLE
ADD
Base Point P
order
-
9Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
1. Elliptic Curves
2. Invalid Curve Attacks
3. Application to TLS ECDH
4. Evaluation
5. Bonus Content
Overview
9
-
10Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Invalid Curve Attack
• What if we compute with a point P’ outside ofcurve E?
• P’ can have a small order
• Example:
– E’ with 256 bits
– P’ generates 5 points
10
-
11Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Invalid Curve Attack
• What is the problem?
• Shared secret has only 5 possible values!
• Example
• Server attempts to
multiply sP
3 = 𝑠 𝑚𝑜𝑑 5
11
Server Secret s = 13
1P
2P
3P
4P
5P = infinity 6P
7P
8P
9P
10P = infinity
13P
-
12Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Invalid Curve Attack
• What is the problem?
• Shared secret has only 5 possible values!
• We can compute:𝑠1 = 𝑠 𝑚𝑜𝑑 5
𝑠2 = 𝑠 𝑚𝑜𝑑 7𝑠3 = 𝑠 𝑚𝑜𝑑 11𝑠4 = 𝑠 𝑚𝑜𝑑 13
• Compute s with CRT12
-
13Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
1. Elliptic Curves
2. Invalid Curve Attacks
3. Application to TLS ECDH
4. Evaluation
5. Bonus Content
Overview
13
-
14Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Transport Layer Security (TLS)
• EC since 2006
• Static and ephemeral
• TLS server initialized with an EC certificate
– Server has EC key
14
-
15Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
TLS ECDH
15
TLS
ClientTLS
Server
ClientHello
ServerHello
Certificate:
sP
ServerHelloDone
ClientKeyExchange:
qP
ChangeCipherSpec
(Client-) Finished:ChangeCipherSpec
(Server-) Finished
𝒑𝒎𝒔 = 𝒔 𝒒𝑷 = 𝒒(𝒔𝑷)
Premaster secretUsed to compute keys
-
16Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Invalid Curve Attack on TLS
1. Generate invalid points with order
𝑝𝑖 = 5, 7, 11, 13…
2. Use TLS server to get equationss = 𝑠𝑖 𝑚𝑜𝑑 𝑝𝑖
3. Compute CRT to get secret key s
16
-
17Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
1. Elliptic Curves
2. Invalid Curve Attacks
3. Application to TLS ECDH
4. Evaluation
5. Bonus Content
Overview
17
-
18Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Evaluation
• 8 libraries
– Bouncy Castle v1.50, Bouncy Castle v1.52, MatrixSSL, mbedTLS, OpenSSL, Java NSS Provider, Oracle JSSE, WolfSSL
• 2 vulnerable
• Practical test with NIST secp256r1
– Most commonly used [Bos et al., 2013]
18
-
19Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Evaluation: Bouncy Castle v1.50
• Vulnerable
– 74 equations
– 3300 real server queries
19
-
20Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Evaluation: JSSE
• Java Secure Socket Extension (JSSE) server accepted invalid points
• However, the direct attack failed
20
-
21Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Evaluation: JSSE
• Problem: invalid computation with some EC points
• Attack possible:– 52 equations, 17000 server requests
21
EC point order
ValidComputations [%]
-
22Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Impact
• Attacks extract server private keys
• Huge problem for Java servers using EC certificates
– For example Apache Tomcat
– Static ECDH enabled per default
• Key revocation
• Not only applicable to TLS
– Also to other Java applications using EC
22
-
23Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
1. Elliptic Curves
2. Invalid Curve Attacks
3. Application to TLS ECDH
4. Evaluation
5. Bonus Content
Overview
23
-
24Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
What’s next?
• Hardware Security Modules
• Devices for storage of crypto material
24
-
25Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Attacker Model in HSM Scenarios
• Key never leaves HSMs
25
dec (C)
m
Keys (RSA, EC, AES …)
-
26Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Attacker Model in HSM Scenarios
• Key never leaves HSMs
26
getKeyKeys (RSA, EC, AES …)
-
27Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
How about Invalid Curve Attacks?
• CVE-2015-6924 (with Dennis Felsch)
• Utimaco HSMs vulnerable
• < 100 queries to extract a key
• Only possible thanks to our cooperation
– Provided sample code, fast fix
• Utimaco HSM is FIPS certified
• Other devices?27
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
-
28Practical Invalid Elliptic Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky
Conclusion
• Old attacks still applicable, we can learn a lot from them
• Bouncy Castle, JSSE and Utimaco broken
• More tools / analyses of crypto applications needed
• https://github.com/RUB-NDS/EccPlayground
• http://web-in-security.blogspot.de/
• http://safecurves.cr.yp.to/28
https://github.com/RUB-NDS/EccPlaygroundhttp://web-in-security.blogspot.de/http://safecurves.cr.yp.to/