Practical Invalid Curve Attacks on TLS-ECDH

Similar documents
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Low-Level TLS Hacking

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Security Protocols/Standards

On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption

Information Security

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Communication Systems SSL

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Transport Layer Security (TLS)

Web Security Considerations

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Cryptography and Network Security Sicurezza delle reti e dei sistemi informatici SSL/TSL

Secure Sockets Layer

Strengths and Weaknesses of Cybersecurity Standards

CSC Network Security

CSC 474 Information Systems Security

DROWN: Breaking TLS using SSLv2

2014 IBM Corporation

Overview. SSL Cryptography Overview CHAPTER 1

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Protocol Rollback and Network Security

Security Protocols and Infrastructures. h_da, Winter Term 2011/2012

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Programming with cryptography

Authenticity of Public Keys

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

SSL Secure Socket Layer

SSL: Secure Socket Layer

ISA 562 Information System Security

TLS/SSL in distributed systems. Eugen Babinciuc

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Secure Socket Layer. Security Threat Classifications

CRYPTOGRAPHY AS A SERVICE

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Lecture 7: Transport Level Security SSL/TLS. Course Admin

SSL Secure Socket Layer

Software Engineering 4C03 Research Project. An Overview of Secure Transmission on the World Wide Web. Sean MacDonald

Communication Security for Applications

MatrixSSL Developer's Guide Version 3.7

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

SECURE SOCKETS LAYER (SSL)

Secure Network Communications FIPS Non Proprietary Security Policy

National Security Agency Perspective on Key Management

Certificates and network security

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Overview of Public-Key Cryptography

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track ISSN: A. Langley Google June 2015

Secure Socket Layer (TLS) Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Chapter 10. Network Security

MatrixSSL Developer s Guide

Secure Socket Layer/ Transport Layer Security (SSL/TLS)

Chapter 7 Transport-Level Security

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

Lecture 9: Application of Cryptography

Secure network protocols: how SSL/TLS, SSH, SFTP and FTPS work

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Evaluation of Digital Signature Process

Implementation and Evaluation of Datagram Transport Layer Security (DTLS) for the Android Operating System DANIELE TRABALZA

Some solutions commonly used in order to guarantee a certain level of safety and security are:

Savitribai Phule Pune University

Secure, insecure, secure, insecure: The ongoing saga of the SSL/TLS protocol. Dr Douglas Stebila

Learning Network Security with SSL The OpenSSL Way

Chapter 11 Security Protocols. Network Security Threats Security and Cryptography Network Security Protocols Cryptographic Algorithms

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Network Security Part II: Standards

Today s Topics SSL/TLS. Certification Authorities VPN. Server Certificates Client Certificates. Trust Registration Authorities

SSL BEST PRACTICES OVERVIEW

Enabling SSL and Client Certificates on the SAP J2EE Engine

Is Your SSL Website and Mobile App Really Secure?

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Transport Level Security

Network Fundamentals Carnegie Mellon University

Crypto at Scale. Brian Sniffen

Cryptography and Network Security: Summary

Security Policy Revision Date: 23 April 2009

Lab 7. Answer. Figure 1

The New Key Management:

Einführung in SSL mit Wireshark

Bit Chat: A Peer-to-Peer Instant Messenger

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Transport Layer Security Protocols

Implementation Vulnerabilities in SSL/TLS

Chapter 17. Transport-Level Security

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Using BroadSAFE TM Technology 07/18/05

Transcription:

Practical Invalid Curve Attacks on TLS-ECDH Tibor Jager, Jörg Schwenk, Juraj Somorovsky Horst Görtz Institute for IT Security Ruhr University Bochum @jurajsomorovsky 1 1

About Me and Our Institute Security Researcher at: Chair for Network and Data Security Prof. Dr. Jörg Schwenk Web Services, Single Sign-On, (Applied) Crypto, SSL, crypto currencies Provable security, attacks and defenses Horst Görtz Institute for IT-Security Further topics: embedded security, malware, crypto Ruhr University Bochum Penetration tests, security analyses, workshops 2 2

Recent years revealed many attacks on TLS ESORICS 2004, Bard: The Vulnerability of SSL to Chosen Plaintext Attack Eurocrypt 2002, Vaudenay: Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS Crypto 1998, Bleichenbacher: Chosen Ciphertext Attacks Against Protocols based on the RSA Encryption Standard PKCS #1 3 3

Another forgotten attack Invalid curve attack Crypto 2000, Biehl et al.: Differential fault attacks on elliptic curve cryptosystems Targets elliptic curves Allows one to extract private keys Are current libraries vulnerable? 4 4

Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content 5 5

Elliptic Curve (EC) Crypto Key exchange, signatures, PRNGs Many sites switching to EC Fast, secure Algorithm Signatures 256 bit ECDSA 9516 per sec RSA 2048 bits 1000 per sec https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/ 6 6

Elliptic Curve Set of points over a finite field E: y 2 = x 3 + ax + b mod p Operations: ADD and DOUBLE Example: a = 9 b = 17 p = 23 ADD DOUBLE Base Point P 7 7

Elliptic Curve Diffie Hellman (ECDH) Client Secret q Server Secret s qp sp q(sp) Shared secret: s(qp) = q(sp) sp qp Base Point P 8 8

Elliptic Curves in Crypto Have to be chosen very carefully: high order P -> ADD -> ADD -> -> ADD -> P order DOUBLE Predefined curves > 256 bits ADD Base Point P 9 9

Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content 10

Invalid Curve Attack What if we compute with a point P outside of curve E? P belongs to curve E E can have a small order Example: E with 256 bits P generates 5 points 11 11

Invalid Curve Attack What can we learn? Shared secret: sp Only 5 possible values! We can compute: s 1 = s mod 5 s 2 = s mod 7 s 3 = s mod 11 s 4 = s mod 13 Compute s with CRT 12 12

Invalid Curve Attack Possible if No point verification Test for shared secret possible Simple DOUBLE and ADD method No sliding window etc. Curve b parameter not in the computation 13 13

Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content 14

Transport Layer Security (TLS) EC since 2006 Static and ephemeral TLS server initialized with an EC certificate Server has EC key 15 15

TLS ECDH TLS Client ClientHello TLS Server ServerHello Certificate: sp ServerHelloDone ClientKeyExchange: qp pms = s qp = q(sp) Premaster secret Used to compute keys ChangeCipherSpec (Client-) Finished: How to use the server ChangeCipherSpec as an oracle? (Server-) Finished 16 16

TLS as an Oracle Idea: Set pms 1 = 1P, pms 2 = 2P, pms 3 = 3P, Execute TLS handshakes If pms correct, ClientFinished accepted First described by Brumley et al. 17 17

TLS as an Oracle ClientHello P ClientKeyExchange TLS Server ServerHello Certificate ServerHelloDone Attacker ChangeCipherSpec (Client-) Finished: pms = 1P Alert P ClientHello ClientKeyExchange ChangeCipherSpec (Client-) Finished: pms = 3P ServerHello Certificate ServerHelloDone ChangeCipherSpec (Server-) Finished 18

Invalid Curve Attack on TLS 1. Generate invalid points with order p i = 5, 7, 11, 13 2. Use oracle to get equations s = s i mod p i 3. Compute CRT to get secret key s 19 19

Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content 20

Evaluation 8 libraries Bouncy Castle v1.50, Bouncy Castle v1.52, MatrixSSL, mbedtls, OpenSSL, Java NSS Provider, Oracle JSSE, WolfSSL 2 vulnerable Practical test with NIST secp256r1 Most commonly used [Bos et al., 2013] 21 21

Evaluation: Bouncy Castle v1.50 Vulnerable 74 equations (oracle queries) 3300 real server queries 22 22

Evaluation: JSSE Java Secure Socket Extension (JSSE) server accepted invalid points However, the direct attack failed 23 23

Evaluation: JSSE Problem: invalid computation with some EC points Valid Computations [%] EC point order Not considered by Biehl et al. Attack possible: 52 oracle queries, 17000 server requests 24 24

Impact Attacks extract server private keys Huge problem for Java servers using EC certificates For example Apache Tomcat Static ECDH enabled per default Key revocation Not only applicable to TLS Also to other Java applications using EC 25 25

Overview 1. Elliptic Curves 2. Invalid Curve Attacks 3. Application to TLS ECDH 4. Evaluation 5. Bonus Content 26

What s next? 32 32

What s next? Hardware Security Modules Devices for storage of crypto material 33 33

Attacker Model in HSM Scenarios Key never leaves HSMs dec (C) m Keys (RSA, EC, AES ) 34 34

Attacker Model in HSM Scenarios Key never leaves HSMs getkey Keys (RSA, EC, AES ) 35 35

How about Invalid Curve Attacks? CVE-2015-6924 Utimaco HSMs vulnerable Analyzed together with Dennis Felsch < 100 queries to extract a 256 bit EC key "Catastrophic is the right word. On the scale of 1 to 10, this is an 11. [Heartbleed] 36 36

Conclusion Old attacks still applicable, we can learn a lot from them Bouncy Castle, JSSE and Utimaco broken More tools / analyses of crypto applications needed https://github.com/rub-nds/eccplayground http://web-in-security.blogspot.de/ 37 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information