Dual EC a standardized back door
Ruben Niederhagen
Joint work with Stephen Checkoway,1 Matthew Fredrikson,2 Matthew Green,1 Tanja Lange,3 Thomas Ristenpart,2 Daniel J. Bernstein,3,5 Jake Maskiewicz,4 and Hovav Shacham.4 Related work: network scan by Adam Everspaugh.2
1Johns Hopkins University, 2University of Wisconsin, 3Technische Universiteit Eindhoven, 4UC San Diego, 5University of Illinois at Chicago
Summer school on real-world crypto and privacy. June 5th, 2015 Ruben Niederhagen: Dual EC — a standardized back door Must be impossible for an attacker to predict!
Random Numbers in Cryptography 2/31
Random numbers are crucial for cryptography: § generation of private keys for authentication, § generation of secret keys for encryption, § generation of secret nonces for digital signatures, § generation of ephemeral keys for perfect-forward secrecy, § ...
Ruben Niederhagen: Dual EC — a standardized back door Random Numbers in Cryptography 2/31
Random numbers are crucial for cryptography: § generation of private keys for authentication, § generation of secret keys for encryption, § generation of secret nonces for digital signatures, § generation of ephemeral keys for perfect-forward secrecy, § ...
Must be impossible for an attacker to predict!
Ruben Niederhagen: Dual EC — a standardized back door Common approach: § use pseudo random numbers, § start with a random seed, § compute subsequent values deterministically, ñ update a secret internal state.
Random Numbers in Cryptography 3/31
Challenges of random number generation: § computers are built to be deterministic, § “real” randomness is rare.
Ruben Niederhagen: Dual EC — a standardized back door Random Numbers in Cryptography 3/31
Challenges of random number generation: § computers are built to be deterministic, § “real” randomness is rare.
Common approach: § use pseudo random numbers, § start with a random seed, § compute subsequent values deterministically, ñ update a secret internal state.
Ruben Niederhagen: Dual EC — a standardized back door f ps0q f ps1q f ps2q f ps3q f ps4q s1 s2 s3 s4 ¨ ¨ ¨
gps0q gps1q gps2q gps3q gps4q
r0 r1 r2 r3 r4
Broken if attacker learns internal state!
Random Numbers in Cryptography 4/31
s0
Ruben Niederhagen: Dual EC — a standardized back door f ps0q f ps1q f ps2q f ps3q f ps4q s1 s2 s3 s4 ¨ ¨ ¨
gps1q gps2q gps3q gps4q
r1 r2 r3 r4
Broken if attacker learns internal state!
Random Numbers in Cryptography 4/31
s0
gps0q
r0
Ruben Niederhagen: Dual EC — a standardized back door f ps1q f ps2q f ps3q f ps4q s2 s3 s4 ¨ ¨ ¨
gps1q gps2q gps3q gps4q
r1 r2 r3 r4
Broken if attacker learns internal state!
Random Numbers in Cryptography 4/31
f ps0q s0 s1
gps0q
r0
Ruben Niederhagen: Dual EC — a standardized back door f ps1q f ps2q f ps3q f ps4q s2 s3 s4 ¨ ¨ ¨
gps1q gps2q gps3q gps4q
r2 r3 r4
Broken if attacker learns internal state!
Random Numbers in Cryptography 4/31
f ps0q s0 s1
gps0q gps1q
r0 r1
Ruben Niederhagen: Dual EC — a standardized back door f ps2q f ps3q f ps4q s3 s4 ¨ ¨ ¨
gps1q gps2q gps3q gps4q
r2 r3 r4
Broken if attacker learns internal state!
Random Numbers in Cryptography 4/31
f ps0q f ps1q s0 s1 s2
gps0q gps1q
r0 r1
Ruben Niederhagen: Dual EC — a standardized back door Broken if attacker learns internal state!
Random Numbers in Cryptography 4/31
f ps0q f ps1q f ps2q f ps3q f ps4q s0 s1 s2 s3 s4 ¨ ¨ ¨
gps0q gps1q gps2q gps3q gps4q
r0 r1 r2 r3 r4
Ruben Niederhagen: Dual EC — a standardized back door Random Numbers in Cryptography 4/31
f ps0q f ps1q f ps2q f ps3q f ps4q s0 s1 s2 s3 s4 ¨ ¨ ¨
gps0q gps1q gps2q gps3q gps4q
r0 r1 r2 r3 r4
Broken if attacker learns internal state!
Ruben Niederhagen: Dual EC — a standardized back door Random Numbers in Cryptography 4/31
f ps0q f ps1q f ps2q f ps3q f ps4q s0 s1 s2 s3 s4 ¨ ¨ ¨
gps0q gps1q gps2q gps3q gps4q
r0 r1 r2 r3 r4
Broken if attacker learns internal state!
Ruben Niederhagen: Dual EC — a standardized back door Dual EC – a Standardized Back Door 5/31
Topic of this talk: The “potential” back door in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC) standardized by ANSI, ISO, and NIST.
Ruben Niederhagen: Dual EC — a standardized back door in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certification for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft.
Ruben Niederhagen: Dual EC — a standardized back door in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certification for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE.
Ruben Niederhagen: Dual EC — a standardized back door Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certification for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC.
Ruben Niederhagen: Dual EC — a standardized back door early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certification for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC.
Ruben Niederhagen: Dual EC — a standardized back door June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certification for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC.
Ruben Niederhagen: Dual EC — a standardized back door This includes Dual EC in FIPS 140-2, the typical certification for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings.
Ruben Niederhagen: Dual EC — a standardized back door Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certification for RNGs.
Ruben Niederhagen: Dual EC — a standardized back door History of Dual EC 6/31
June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certification for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.
Ruben Niederhagen: Dual EC — a standardized back door The New York Times writes that “the NSA had inserted a back door into a 2006 standard adopted by NIST r... s called the Dual EC DRBG standard.” 19 Sept. 2013 RSA advises not to use Dual EC. 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG. 21 Apr. 2014 NIST removes Dual EC from the standard.
Recent History of Dual EC 7/31
5 Sept. 2013 NSA’s “Project Bullrun” is revealed by documents from Edward Snowden with the purpose “to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.”
Ruben Niederhagen: Dual EC — a standardized back door 19 Sept. 2013 RSA advises not to use Dual EC. 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG. 21 Apr. 2014 NIST removes Dual EC from the standard.
Recent History of Dual EC 7/31
5 Sept. 2013 NSA’s “Project Bullrun” is revealed by documents from Edward Snowden with the purpose “to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.” The New York Times writes that “the NSA had inserted a back door into a 2006 standard adopted by NIST r... s called the Dual EC DRBG standard.”
Ruben Niederhagen: Dual EC — a standardized back door 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG. 21 Apr. 2014 NIST removes Dual EC from the standard.
Recent History of Dual EC 7/31
5 Sept. 2013 NSA’s “Project Bullrun” is revealed by documents from Edward Snowden with the purpose “to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.” The New York Times writes that “the NSA had inserted a back door into a 2006 standard adopted by NIST r... s called the Dual EC DRBG standard.” 19 Sept. 2013 RSA advises not to use Dual EC.
Ruben Niederhagen: Dual EC — a standardized back door 21 Apr. 2014 NIST removes Dual EC from the standard.
Recent History of Dual EC 7/31
5 Sept. 2013 NSA’s “Project Bullrun” is revealed by documents from Edward Snowden with the purpose “to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.” The New York Times writes that “the NSA had inserted a back door into a 2006 standard adopted by NIST r... s called the Dual EC DRBG standard.” 19 Sept. 2013 RSA advises not to use Dual EC. 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG.
Ruben Niederhagen: Dual EC — a standardized back door Recent History of Dual EC 7/31
5 Sept. 2013 NSA’s “Project Bullrun” is revealed by documents from Edward Snowden with the purpose “to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.” The New York Times writes that “the NSA had inserted a back door into a 2006 standard adopted by NIST r... s called the Dual EC DRBG standard.” 19 Sept. 2013 RSA advises not to use Dual EC. 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG. 21 Apr. 2014 NIST removes Dual EC from the standard.
Ruben Niederhagen: Dual EC — a standardized back door Authors of Dual EC 8/31
Kelsey, in December 2013 slides: § Standardization effort by “NIST and NSA, with some participation from CSE”. § “Most of work on standards done by US federal employees (NIST and NSA, with some help from CSE)” § The standard Dual EC parameters P and Q come “ultimately from designers of Dual EC DRBG at NSA”.
Ruben Niederhagen: Dual EC — a standardized back door Attack Target — TLS 9/31
Transport Layer Security (TLS) § Used in the Internet for encryption of communication. Examples:
§ eMail transport, § online banking, § online shopping, § ...
§ Standard covers a fast amount of protocols and optional features. § Client and server agree on what parameters to use. § Client and server agree on a random secret key.
Ruben Niederhagen: Dual EC — a standardized back door TLS Handshake 10/31
Client Server generate client random client random generate session ID, , sig aP server random, a, server random, session ID, cert(pk), signature nonce generate b bP, Finished
Finished
KDFpabP,... ) KDFpabP,... )
Ruben Niederhagen: Dual EC — a standardized back door Attack Target — TLS 11/31
Common TLS implementations: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel § OpenSSL All of these offer Dual EC.
Ruben Niederhagen: Dual EC — a standardized back door Attack Target — TLS 11/31
Common TLS implementations: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel Remember: NSA paid RSA Security $10 million § OpenSSL to use Dual EC as the default RNG! All of these offer Dual EC.
Ruben Niederhagen: Dual EC — a standardized back door Useful in Cryptography: It is easy to compute k ¨ A, e.g.:
B “ 243 ¨ A “ 11110011b ¨ A “ A ` 2A ` 16A ` 32A ` 64A ` 128A. Cost: 5 additions and 7 doublings.
For given A and B, it is hard to find k such that B “ k ¨ A!
Elliptic Curve Discrete Logarithm Problem 12/31
Arithmetic on Elliptic Curves
Operate on points P “ pxP , yP q on an elliptic curve: § addition: A ` B “ C, § scalar mul.: k ¨ A “ A ` A ` ¨ ¨ ¨ ` A. k´times loooooooomoooooooon
Ruben Niederhagen: Dual EC — a standardized back door For given A and B, it is hard to find k such that B “ k ¨ A!
Elliptic Curve Discrete Logarithm Problem 12/31
Arithmetic on Elliptic Curves
Operate on points P “ pxP , yP q on an elliptic curve: § addition: A ` B “ C, § scalar mul.: k ¨ A “ A ` A ` ¨ ¨ ¨ ` A. k´times loooooooomoooooooon Useful in Cryptography: It is easy to compute k ¨ A, e.g.:
B “ 243 ¨ A “ 11110011b ¨ A “ A ` 2A ` 16A ` 32A ` 64A ` 128A. Cost: 5 additions and 7 doublings.
Ruben Niederhagen: Dual EC — a standardized back door Elliptic Curve Discrete Logarithm Problem 12/31
Arithmetic on Elliptic Curves
Operate on points P “ pxP , yP q on an elliptic curve: § addition: A ` B “ C, § scalar mul.: k ¨ A “ A ` A ` ¨ ¨ ¨ ` A. k´times loooooooomoooooooon Useful in Cryptography: It is easy to compute k ¨ A, e.g.:
B “ 243 ¨ A “ 11110011b ¨ A “ A ` 2A ` 16A ` 32A ` 64A ` 128A. Cost: 5 additions and 7 doublings.
For given A and B, it is hard to find k such that B “ k ¨ A!
Ruben Niederhagen: Dual EC — a standardized back door Dual EC 13/31
Parameters Here: elliptic curve over finite filed with NIST prime P-256. (NIST SP800-90A also defines curves for P-384 and P-521.) 256 224 192 96 The elliptic curve is defined over Fp with p “ 2 ´ 2 ` 2 ` 2 ´ 1. The curve is given in short Weierstrass form
E : y 2 “ x3 ´ 3x ` b, where
b “ 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b.
Dual EC defines two points, a base point P and a second point Q:
Px “ 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, Py “ 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5;
Qx “ 0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192, Qy “ 0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046.
Ruben Niederhagen: Dual EC — a standardized back door s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes
s0
Ruben Niederhagen: Dual EC — a standardized back door s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq
s0 s1
Ruben Niederhagen: Dual EC — a standardized back door s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s2 s3
r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq
s0 s1
r1 “ xps1Qq
r1
Ruben Niederhagen: Dual EC — a standardized back door s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s2 s3
r2 “ xps2Qq r3 “ xps3Qq
r2 r3
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq
s0 s1
r1 “ xps1Qq
r1 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door s3 “ xps2Pq s4 “ xps3Pq
s3
r2 “ xps2Qq r3 “ xps3Qq
r2 r3
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq
s0 s1 s2
r1 “ xps1Qq
r1 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door s3 “ xps2Pq s4 “ xps3Pq
s3
r3 “ xps3Qq
r2 r3
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq
s0 s1 s2
r1 “ xps1Qq r2 “ xps2Qq
r1 r2 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door s4 “ xps3Pq
r3 “ xps3Qq
r2 r3
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq
r1 r2 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door s4 “ xps3Pq
r2 r3
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door s4 “ xps3Pq
Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq ? r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — Basic Procedure 14/31
Points Q and P on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq ? r2 “ xps2Qq ECDLP!r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door s2 “ xps1dQq
xpd ¨ s1Qq
Shumow and Ferguson – the Basic Attack 14/31
Points Q and P “ dQ on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door xpd ¨ s1Qq
Shumow and Ferguson – the Basic Attack 14/31
Points Q and P “ dQ on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1dQq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Shumow and Ferguson – the Basic Attack 14/31
Points Q and P “ dQ on an elliptic curve.
32 bytes s1 “ xps0Pq s2 “ xps1dQq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq xpd ¨ s1Qq r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Shumow and Ferguson – the Basic Attack 14/31
Points Q and P “ dQ on an elliptic curve.
32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
rc1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Shumow and Ferguson – the Basic Attack 14/31
Points Q and P “ dQ on an elliptic curve.
32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
Rc “ prc , yprc qq rc1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Shumow and Ferguson – the Basic Attack 14/31
Points Q and P “ dQ on an elliptic curve.
32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 sc2 s3 xpdRc q r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
Rc “ prc , yprc qq rc1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Shumow and Ferguson – the Basic Attack 14/31
Points Q and P “ dQ on an elliptic curve.
32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 sc2 s3 xpdRc q r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
Rc “ prc , yprc qq rc1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Shumow and Ferguson – the Basic Attack 14/31
32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq
s0 s1 s2 s3
r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq
r1 r2 r3 30 bytes
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in June 2006 15/31
t1 t2
‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q
s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r3
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in June 2006 15/31
t1 t2
‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q
s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r3
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in June 2006 15/31
t1 t2
‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q
s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r3
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in June 2006 15/31
t1 t2
‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q
s0 s1 s?2 s3 xpdRc q xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r3
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in June 2006 15/31
t1 t2
‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q
s0 s1 s?2 s3 xpdRc q xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r3
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in June 2006 15/31
t1 t2
‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q
s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r3
Ruben Niederhagen: Dual EC — a standardized back door sc
‚‘ Hpadin3q
xpdRc q
rc
Dual EC — NIST SP800-90 in March 2007 16/31
s0 s2 s5
‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23
xp‚Pq xp‚Pq xp‚Pq
s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq
r1 r32 r34
Ruben Niederhagen: Dual EC — a standardized back door sc
‚‘ Hpadin3q
xpdRc q
rc
Dual EC — NIST SP800-90 in March 2007 16/31
s0 s2 s5
‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23
xp‚Pq xp‚Pq xp‚Pq
s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq
r1 r32 r34
Ruben Niederhagen: Dual EC — a standardized back door sc
‚‘ Hpadin3q
xpdRc q
Dual EC — NIST SP800-90 in March 2007 16/31
s0 s2 s5
‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23
xp‚Pq xp‚Pq xp‚Pq
s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq
rc1 r32 r34
Ruben Niederhagen: Dual EC — a standardized back door ‚‘ Hpadin3q
Dual EC — NIST SP800-90 in March 2007 16/31
s0 sc2 s5
‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23 xpdRc q xp‚Pq xp‚Pq xp‚Pq
s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq
rc1 r32 r34
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in March 2007 16/31
s0 sc2 s5
‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23 xpdRc q xp‚Pq xp‚Pq xp‚Pq
s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq
rc1 r32 r34
Ruben Niederhagen: Dual EC — a standardized back door Dual EC — NIST SP800-90 in March 2007 16/31
s0 sc2 s5
‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23 xpdRc q xp‚Pq xp‚Pq xp‚Pq
s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq
rc1 r32 r34
Ruben Niederhagen: Dual EC — a standardized back door -fixed
Attack 17/31
Attack targets in our analysis: In the real world, the attack is more complicated. We attacked: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel § OpenSSL We replaced the points P and Q with known P “ dQ; this required some reverse engineering of BSAFE and SChannel.
Ruben Niederhagen: Dual EC — a standardized back door Attack 17/31
Attack targets in our analysis: In the real world, the attack is more complicated. We attacked: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel § OpenSSL-fixed We replaced the points P and Q with known P “ dQ; this required some reverse engineering of BSAFE and SChannel.
Ruben Niederhagen: Dual EC — a standardized back door s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc2 s5 xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 xp‚Pq
s1
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc2 s5 xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq
rc r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 xp‚Pq
s1 xp‚Qq
r1
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc2 s5 xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq
rc r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 xp‚Pq
s1 xp‚Qq
r1
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq
rc r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 xp‚Pq xp‚Pq
s1 xp‚Qq
r1
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq
rc r3 r4
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 xp‚Pq xp‚Pq
s1 xp‚Qq
r1
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xpdRq xp‚Pq s4 xp‚Qq xp‚Qq
rc r3 r4
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 xp‚Pq xp‚Pq xp‚Pq
s1 s3 xp‚Qq
r1
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xpdRq xp‚Pq s4 xp‚Qq
rc r4
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 xp‚Pq xp‚Pq xp‚Pq
s1 s3 xp‚Qq xp‚Qq
r1 r3
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xpdRq xp‚Pq s4 xp‚Qq
rc r4
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 xp‚Pq xp‚Pq xp‚Pq
s1 s3 xp‚Qq xp‚Qq
r1 r3
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xpdRq
xp‚Qq
rc r4
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2
xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq
r1 r3
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xpdRq
rc
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2
xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r3 r4
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc s5 xp‚Pq xpdRq
rc
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2
xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r3 r4
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc xpdRq
rc
Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 s5
xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r3 r4
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc xpdRq
rc
Exposes longterm secret key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 s5
xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r3 r4
server random ECDHE priv. key ECDSA nonce
Ruben Niederhagen: Dual EC — a standardized back door sc xpdRq
rc
Exposes longterm secret key! ECDSA nonce ‚P Impersonation attack possible! ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 s5
xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door sc xpdRq
rc
Exposes longterm secret key! ECDSA nonce Impersonation attack possible!
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 s5
xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door sc xpdRq
rc
Exposes longterm secret key! ECDSA nonce Impersonation attack possible!
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 s5
xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door sc xpdRq
Exposes longterm secret key! ECDSA nonce Impersonation attack possible!
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 s2 s5
xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq
s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door Exposes longterm secret key! ECDSA nonce Impersonation attack possible!
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door Exposes longterm secret key! ECDSA nonce Impersonation attack possible!
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ? ‚P ECDHE public key ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door Exposes longterm secret key! ECDSA nonce Impersonation attack possible!
31 average cost: 2 pCv ` 5Cf q
Attack — Example: BSAFE-Java 18/31
s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door Exposes longterm secret key! ECDSA nonce Impersonation attack possible!
Attack — Example: BSAFE-Java 18/31
s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Ruben Niederhagen: Dual EC — a standardized back door ECDSA nonce
Attack — Example: BSAFE-Java 18/31
s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Ruben Niederhagen: Dual EC — a standardized back door Attack — Example: BSAFE-Java 18/31
s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r3 r4
Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature
31 average cost: 2 pCv ` 5Cf q
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0 xp‚Pq
s1
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0 xp‚Pq
s1 xp‚Qq
r1
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0 xp‚Pq
s1 xp‚Qq
r1
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s3 s5 xp‚Pq xp‚Pq xp‚Pq
sc s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq
r1
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s3 s5 xp‚Pq xp‚Pq xp‚Pq
sc s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq xp‚Qq
r1 r2
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s3 s5 xp‚Pq xp‚Pq xp‚Pq
sc s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq xp‚Qq
r1 r2
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s5 xp‚Pq xp‚Pq
sc s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
session ID server random EDH key
Attack — BSAFE-C 19/31
s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq
r1 r2
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s5 xp‚Pq xp‚Pq
sc s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
server random EDH key
Attack — BSAFE-C 19/31
s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq
r1 r2
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s5 xp‚Pq xp‚Pq
sc s4 xpdRq xp‚Qq xp‚Qq
rc r2 r4
EDH key
Attack — BSAFE-C 19/31
s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq
r1 r2
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s5 xp‚Pq
sc xpdRq xp‚Qq xp‚Qq
rc r2 r4
EDH key
Attack — BSAFE-C 19/31
s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq
r1 r2
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s5 xp‚Pq
sc xpdRq xp‚Qq
rc r2
EDH key
Attack — BSAFE-C 19/31
s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
s5 xp‚Pq
sc xpdRq xp‚Qq
rc r2
EDH key
Attack — BSAFE-C 19/31
s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
sc xpdRq xp‚Qq
rc r2
EDH key
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4
session ID server random DHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
sc xpdRq xp‚Qq
rc r2
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
sc xpdRq xp‚Qq
rc r2
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
sc xpdRq xp‚Qq
rc r2
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
sc xpdRq xp‚Qq
r2
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
xp‚Qq
r2
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
?
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 ?
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
15 average cost: 2 pCv ` Cf q
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
Ruben Niederhagen: Dual EC — a standardized back door 30 ¨
Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
15 average cost: 2 pCv ` Cf q
Ruben Niederhagen: Dual EC — a standardized back door Attack — BSAFE-C 19/31
s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4
session ID server random EDHDHE key
15 average cost: 30 ¨ 2 pCv ` Cf q
Ruben Niederhagen: Dual EC — a standardized back door 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q
sc xpdRq
rc
Attack — SChannel 20/31
s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 s2 s4 s5 xp‚Qq xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4 r5
session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q
sc xpdRq
rc
Attack — SChannel 20/31
s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 s2 s4 s5 xp‚Qq xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4 r5
session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q
Attack — SChannel 20/31
s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r5 ?
session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q
Attack — SChannel 20/31
s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r5
session ID ECDHE priv. key server random ‚P ? ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q
Attack — SChannel 20/31
s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r5
session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature
Ruben Niederhagen: Dual EC — a standardized back door Attack — SChannel 20/31
s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r5
session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature
33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q
Ruben Niederhagen: Dual EC — a standardized back door 31 average cost: 2 pCv ` 4Cf q
sc xpdRq
rc
Attack — SChannel (cont.) 21/31
prev. connection curr. connection
1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q
s´3 s´1 s0 s1 s2 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
r´3 r´1 r0 r1 r2
server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door 31 average cost: 2 pCv ` 4Cf q
sc xpdRq
rc
Attack — SChannel (cont.) 21/31
prev. connection curr. connection
1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q
s´3 s´1 s0 s1 s2 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
r´3 r´1 r0 r1 r2
server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door 31 average cost: 2 pCv ` 4Cf q
Attack — SChannel (cont.) 21/31
prev. connection curr. connection
1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q
s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rr´c3 r´1 r0 r1 r2
server random ECDSA nonce session ID ‚P ? ECDSA signature ECDHE priv. key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door 31 average cost: 2 pCv ` 4Cf q
Attack — SChannel (cont.) 21/31
prev. connection curr. connection
1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q
s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rr´c3 r´1 r0 r1 r2
server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door Attack — SChannel (cont.) 21/31
prev. connection curr. connection
1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q
s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rr´c3 r´1 r0 r1 r2
server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key
31 average cost: 2 pCv ` 4Cf q
Ruben Niederhagen: Dual EC — a standardized back door 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q
xpdRq
rc
Attack — OpenSSL-fixed 22/31
s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q
t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s1 s2 s4 s6 s7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4 r6 r7
session ID server random ECDHE key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q
xpdRq
rc
Attack — OpenSSL-fixed 22/31
s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q
t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s1 s2 s4 s6 s7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
r1 r2 r4 r6 r7
session ID server random ECDHE key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q
Attack — OpenSSL-fixed 22/31
s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q
t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r6 r7 ?
session ID server random ECDHE key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q
Attack — OpenSSL-fixed 22/31
s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q
t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r6 r7
session ID server random ECDHE key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q
Attack — OpenSSL-fixed 22/31
s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q
t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r6 r7
session ID server random ECDHE key ‚P ECDHE public key
Ruben Niederhagen: Dual EC — a standardized back door Attack — OpenSSL-fixed 22/31
s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q
t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq
rc1 r2 r4 r6 r7
session ID server random ECDHE key ‚P ECDHE public key
15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q
Ruben Niederhagen: Dual EC — a standardized back door Attack — Attack Timings 23/31
Intel Xeon CPU 16 ˆ AMD CPU Attack Avg. Time (min) # for 1s Tot. Time (min) BSAFE-C v1.1 0.26 16 0.04 BSAFE-Java v1.1 641 38,500 63.96 SChannel I 619 37,100 62.97 SChannel II 1,760 106,000 182.64 OpenSSL-fixed I 0.04 3 0.02 OpenSSL-fixed II 707 44,200 83.32 OpenSSL-fixed III 2k ¨ 707 2k ¨ 44,200 2k ¨ 83.32
Ruben Niederhagen: Dual EC — a standardized back door Attack — Attack Timings 23/31
Intel Xeon CPU 16 ˆ AMD CPU Attack Avg. Time (min) # for 1s Tot. Time (min) BSAFE-C v1.1 0.26 16 0.04 BSAFE-Java v1.1 641 38,500 63.96 SChannel I 619 37,100 62.97 SChannel II 1,760 106,000 182.64 OpenSSL-fixed I 0.04 3 0.02 OpenSSL-fixed II 707 44,200 83.32 OpenSSL-fixed III 2k ¨ 707 2k ¨ 44,200 2k ¨ 83.32
Ruben Niederhagen: Dual EC — a standardized back door xpdRq
144 bits!
Dual EC with P-384 and P-521 24/31
32 bytes
s0 s2 xp‚Pq xp‚Pq xp‚Pq
s1 ... xp‚Qq
r1
server random
Ruben Niederhagen: Dual EC — a standardized back door xpdRq
144 bits!
Dual EC with P-384 and P-521 24/31
48 bytes
s0 s2 xp‚Pq xp‚Pq xp‚Pq
s1 ... xp‚Qq
r1
server random
Ruben Niederhagen: Dual EC — a standardized back door Dual EC with P-384 and P-521 24/31
48 bytes
s0 s2 xp‚Pq xp‚Pq xp‚Pq xpdRq s1 ... xp‚Qq
r1 144 bits!
server random
Ruben Niederhagen: Dual EC — a standardized back door Draft Proposal – Extended Random 25/31
Draft for a proposed TLS extension named “Extended Random”: § allows client to request up to 216 random bytes, § has a weak motivation: The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient. § was co-authored by an employee of NSA.
Ruben Niederhagen: Dual EC — a standardized back door xpdRq
Draft Proposal – Extended Random 26/31
s0 s2 xp‚Pq xp‚Pq xp‚Pq
s1 ... xp‚Qq
r1
extended random
Ruben Niederhagen: Dual EC — a standardized back door Draft Proposal – Extended Random 26/31
s0 s2 xp‚Pq xp‚Pq xp‚Pq xpdRq s1 ... xp‚Qq
r1
extended random
Ruben Niederhagen: Dual EC — a standardized back door Snippets from the patent application 27/31
Ruben Niederhagen: Dual EC — a standardized back door Snippets from the patent application 28/31
Ruben Niederhagen: Dual EC — a standardized back door The patent filing history also shows that:
§ Certicom knew how to back door Dual EC in 2005, § NSA was informed of the back door technique in 2005, and § the patent application, including examples of Dual EC exploitation, was publicly available in July 2006.
Additional Attack Cost – Patents 29/31
Dual EC patents: Certicom (now part of Blackberry) has patents in multiple countries on:
§ Dual EC exploitation: the use of Dual EC for key escrow and § Dual EC escrow avoidance: modification to avoid key escrow.
Ruben Niederhagen: Dual EC — a standardized back door Additional Attack Cost – Patents 29/31
Dual EC patents: Certicom (now part of Blackberry) has patents in multiple countries on:
§ Dual EC exploitation: the use of Dual EC for key escrow and § Dual EC escrow avoidance: modification to avoid key escrow.
The patent filing history also shows that:
§ Certicom knew how to back door Dual EC in 2005, § NSA was informed of the back door technique in 2005, and § the patent application, including examples of Dual EC exploitation, was publicly available in July 2006.
Ruben Niederhagen: Dual EC — a standardized back door § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA,
Ruben Niederhagen: Dual EC — a standardized back door § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven),
Ruben Niederhagen: Dual EC — a standardized back door § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs,
Ruben Niederhagen: Dual EC — a standardized back door § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation,
Ruben Niederhagen: Dual EC — a standardized back door § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries,
Ruben Niederhagen: Dual EC — a standardized back door § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library,
Ruben Niederhagen: Dual EC — a standardized back door § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random,
Ruben Niederhagen: Dual EC — a standardized back door Don’t useHow to fix Dual it? EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Ruben Niederhagen: Dual EC — a standardized back door Don’t use Dual EC!
Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
How to fix it?
Ruben Niederhagen: Dual EC — a standardized back door Summary 30/31
Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes flaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.
Don’t useHow to fix Dual it? EC!
Ruben Niederhagen: Dual EC — a standardized back door Questions?
Summary 31/31
Additional information:
https://projectbullrun.org/dual-ec/
Ruben Niederhagen: Dual EC — a standardized back door Summary 31/31
Additional information:
https://projectbullrun.org/dual-ec/
Questions?
Ruben Niederhagen: Dual EC — a standardized back door