Backdoors Always Backfire

Backdoors always backfire

Tanja Lange

Technische Universiteit Eindhoven https://projectbullrun.org/dual-ec/

21 February 2019 I 8 March 2005 Vodafone deactivates rogue software.

I 9 March 2005 Costas Tsalikidis, telecommunications engineer in charge of network planning at Vodafone Greece, found hanged in his apartment, an apparent suicide.

Vodafone Greece

I Vodafone Greece used Ericsson switches to manage phone network.

I Purchased without legal interception capabilities (=wiretaps). I Upgrade in early 2003 included remote-control equipment subsystem (RES).

I Some time after this and before 24 January 2005, “somebody” used the RES capabilities and put wiretaps on > 100 phones, including Greek prime minister and his wife, ministers of national defense, foreign affairs, and justice, . . .

Tanja Lange Backdoors always backfire 2 I 8 March 2005 Vodafone deactivates rogue software.

Vodafone Greece

I Vodafone Greece used Ericsson switches to manage phone network.

I Purchased without legal interception capabilities (=wiretaps). I Upgrade in early 2003 included remote-control equipment subsystem (RES).

I Some time after this and before 24 January 2005, “somebody” used the RES capabilities and put wiretaps on > 100 phones, including Greek prime minister and his wife, ministers of national defense, foreign affairs, and justice, . . .

I 9 March 2005 Costas Tsalikidis, telecommunications engineer in charge of network planning at Vodafone Greece, found hanged in his apartment, an apparent suicide.

Tanja Lange Backdoors always backfire 2 Vodafone Greece

I Vodafone Greece used Ericsson switches to manage phone network.

I Purchased without legal interception capabilities (=wiretaps). I Upgrade in early 2003 included remote-control equipment subsystem (RES).

I Some time after this and before 24 January 2005, “somebody” used the RES capabilities and put wiretaps on > 100 phones, including Greek prime minister and his wife, ministers of national defense, foreign affairs, and justice, . . .

I 8 March 2005 Vodafone deactivates rogue software.

I 9 March 2005 Costas Tsalikidis, telecommunications engineer in charge of network planning at Vodafone Greece, found hanged in his apartment, an apparent suicide.

I 10 March Vodafone CEO informs prime minister.

Tanja Lange Backdoors always backfire 2 Vodafone Greece I Vodafone Greece used Ericsson switches to manage phone network. I Purchased without legal interception capabilities (=wiretaps). I Upgrade in early 2003 included remote-control equipment subsystem (RES). I Some time after this and before 24 January 2005, “somebody” used the RES capabilities and put wiretaps on > 100 phones, including Greek prime minister and his wife, ministers of national defense, foreign affairs, and justice, . . . I 8 March 2005 Vodafone deactivates rogue software. I 9 March 2005 Costas Tsalikidis, telecommunications engineer in charge of network planning at Vodafone Greece, found hanged in his apartment, an apparent suicide. I 10 March Vodafone CEO informs prime minister. https://spectrum.ieee.org/telecom/security/ the-athens-affair https://theintercept.com/2015/09/28/ death-athens-rogue-nsa-operation/ Tanja Lange Backdoors always backfire 2 Snowden at SXSW: [..] we know that these encryption algorithms we are using today work typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves.

Random numbers are important

I Cryptography needs random numbers to generate long-term secret keys for encryption and signatures. I Many schemes expect random (or pseudorandom) numbers, e.g.

I ephemeral keys for DH key exchange, I nonces for digital signatures, I nonces in authenticated encryption.

I Nonce reuse can reveal long-term secret keys (e.g. PlayStation disaster)

I DSA/ECDSA are so touchy that biased nonces are enough to break them.

Tanja Lange Backdoors always backfire 3 Random numbers are important to the NSA

I Cryptography needs random numbers to generate long-term secret keys for encryption and signatures. I Many schemes expect random (or pseudorandom) numbers, e.g.

I ephemeral keys for DH key exchange, I nonces for digital signatures, I nonces in authenticated encryption.

I Nonce reuse can reveal long-term secret keys (e.g. PlayStation disaster)

I DSA/ECDSA are so touchy that biased nonces are enough to break them. Snowden at SXSW: [..] we know that these encryption algorithms we are using today work typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves.

Tanja Lange Backdoors always backfire 3 Pseudo-random-number generators

Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s1: f (s0) f (s1) f (s2) f (s3) f (s4) s0 s1 s2 s3 s4 ···

g(s0) g(s1) g(s2) g(s3) g(s4)

r0 r1 r2 r3 r4

XXX’s mission: Predict the “random” output bits. 1. Create protocols that directly output rn for some reason.

Tanja Lange Backdoors always backfire 4 3. Standardize this design of f , g. 4. Convince users to switch to this design: e.g., publish “security proof”.

Pseudo-random-number generators Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s1: f (s0) f (s1) f (s2) f (s3) f (s4) s0 s1 s2 s3 s4 ···

g(s0) g(s1) g(s2) g(s3) g(s4)

r0 r1 r2 r3 r4

XXX’s mission: Predict the “random” output bits. 1. Create protocols that directly output rn for some reason. 2. Design f , g with back door from rn to sn+1: i.e., get f (s) from g(s).

Tanja Lange Backdoors always backfire 4 4. Convince users to switch to this design: e.g., publish “security proof”.

Pseudo-random-number generators Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s1: f (s0) f (s1) f (s2) f (s3) f (s4) s0 s1 s2 s3 s4 ···

g(s0) g(s1) g(s2) g(s3) g(s4)

r0 r1 r2 r3 r4

XXX’s mission: Predict the “random” output bits. 1. Create protocols that directly output rn for some reason. 2. Design f , g with back door from rn to sn+1: i.e., get f (s) from g(s). 3. Standardize this design of f , g.

Tanja Lange Backdoors always backfire 4 Pseudo-random-number generators Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s1: f (s0) f (s1) f (s2) f (s3) f (s4) s0 s1 s2 s3 s4 ···

g(s0) g(s1) g(s2) g(s3) g(s4)

r0 r1 r2 r3 r4

XXX’s mission: Predict the “random” output bits. 1. Create protocols that directly output rn for some reason. 2. Design f , g with back door from rn to sn+1: i.e., get f (s) from g(s). 3. Standardize this design of f , g. 4. Convince users to switch to this design: e.g., publish “security proof”. Tanja Lange Backdoors always backfire 4 Full TODO list

I Design: Construct a PRNG that secretly contains a back door.

I Evaluation: Publish statements that the PRNG is secure.

I Standardization: Edit standards to include the PRNG.

I Standardization maintenance: Monitor changes to the PRNG standard, and counteract changes that make the PRNG more difficult to exploit.

I Auxiliary standardization: If necessary modify other standards to make the PRNG easier to exploit.

I Selection, implementation, and deployment: Provide incentives to cryptographic libraries to implement this PRNG.

I Attack optimization: Reduce the cost of computation required to exploit the back door, through algorithmic improvements and through influencing the way the PRNG is used in practice.

Tanja Lange Backdoors always backfire 5 DUAL EC RNG: history part I

Earliest public source (?) June 2004, draft of ANSI X9.82:

Extract gives all but the top 16 bits ⇒ about 215 points sQ match given string. Claim:

Tanja Lange Backdoors always backfire 6 I Sidorenko & Schoenmakers (May 2006): output sequence is even more biased. Answer: Too late to change, already implemented.

I Included in standards ISO 18031 (2005), NIST SP 800-90 (2006), ANSI X9.82 (2007).

I Shumow & Ferguson (August 2007): Backdoor if d is known.

I NIST SP800-90 gets appendix about choosing points verifiably at random, but requires use of standardized P, Q for FIPS-140 validation.

DUAL EC RNG: common public history part II Various public warning signals:

I Gjøsteen (March 2006): output sequence is biased.

I Brown (March 2006): security “proof” “This proof makes essential use of Q being random.” If d with dQ = P is known then dRi = Si+1. Brown concludes that there might be distinguisher.

Tanja Lange Backdoors always backfire 7 DUAL EC RNG: common public history part II Various public warning signals:

I Gjøsteen (March 2006): output sequence is biased.

I Brown (March 2006): security “proof” “This proof makes essential use of Q being random.” If d with dQ = P is known then dRi = Si+1. Brown concludes that there might be distinguisher.

I Sidorenko & Schoenmakers (May 2006): output sequence is even more biased. Answer: Too late to change, already implemented.

I Included in standards ISO 18031 (2005), NIST SP 800-90 (2006), ANSI X9.82 (2007).

I Shumow & Ferguson (August 2007): Backdoor if d is known.

I NIST SP800-90 gets appendix about choosing points verifiably at random, but requires use of standardized P, Q for FIPS-140 validation.

Tanja Lange Backdoors always backfire 7 NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

NIST’s DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA’s BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program

Tanja Lange Backdoors always backfire 8 . . . but surely nobody uses that!?!

NIST’s DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA’s BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

Tanja Lange Backdoors always backfire 8 NIST’s DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA’s BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

Tanja Lange Backdoors always backfire 8 NIST re-opens discussions on SP800.90; recommends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

NIST’s DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA’s BSAFE has Dual EC DRBG enabled as default,.

Tanja Lange Backdoors always backfire 8 September 2013: NSA Bullrun program

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

NIST’s DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA’s BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

Tanja Lange Backdoors always backfire 8 Client Server Generate client random Generate client random (≥ 28 bytes) session ID, server random, a, , sig aP signature nonce server random, session ID, cert(pk), Generate b (≤ 32 + 28 + 32 (46 bytes) bP, Finished + 32 bytes) Finished

MS = PRF(x(abP), ”master secret”, client random —— server random)

SSL/TLS/HTTPS – internet security protocols

How are RNGs actually used? Do implementations actually leak enough of rn?

Tanja Lange Backdoors always backfire 9 SSL/TLS/HTTPS – internet security protocols

How are RNGs actually used? Do implementations actually leak enough of rn? Client Server Generate client random Generate client random (≥ 28 bytes) session ID, server random, a, , sig aP signature nonce server random, session ID, cert(pk), Generate b (≤ 32 + 28 + 32 (46 bytes) bP, Finished + 32 bytes) Finished

MS = PRF(x(abP), ”master secret”, client random —— server random)

Tanja Lange Backdoors always backfire 9 32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 sc2 s3 x(dRc ) r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc1 r2 r3 30 bytes

Dual EC in TLS

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s1 sc2 s3 x(dRc ) r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc1 r2 r3 30 bytes

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes

s0

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

sc2 s3 x(dRc ) r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc1 r2 r3 30 bytes

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P)

s0 s1

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

sc2 s3 x(dRc ) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc1 r2 r3 30 bytes

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P)

s0 s1

r1 = x(s1Q)

r1

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

sc2 s3 x(dRc ) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc r2 r3

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P)

s0 s1

r1 = x(s1Q)

r1 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

sc2 s3 x(dRc ) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc r2 r3

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P)

s0 s1

r1 = x(s1Q)

r1 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s3 = x(s2P) s4 = x(s3P)

sc2 s3 x(dRc ) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc r2 r3

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P)

s0 s1 s2

r1 = x(s1Q)

r1 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s3 = x(s2P) s4 = x(s3P)

sc2 s3 x(dRc ) r3 = x(s3Q)

Rc = (rc , y(rc )) rc r2 r3

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P)

s0 s1 s2

r1 = x(s1Q) r2 = x(s2Q)

r1 r2 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s4 = x(s3P)

sc2 x(dRc ) r3 = x(s3Q)

Rc = (rc , y(rc )) rc r2 r3

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q)

r1 r2 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s4 = x(s3P)

sc2 x(dRc )

Rc = (rc , y(rc )) rc r2 r3

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s4 = x(s3P)

sc2 x(dRc )

Rc = (rc , y(rc )) rc

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 s4 = x(s3P)

sc2 x(dRc )

Rc = (rc , y(rc )) rc

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

Rc = (rc , y(rc )) rc

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

Rc = (rc , y(rc )) rc

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) ? r2 = x(s2Q) r3 = x(s3Q)

r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

Rc = (rc , y(rc )) rc

Dual EC in TLS

Points Q and P on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) ? r2 = x(s2Q) ECDLP!r3 = x(s3Q)

r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

x(ds1Q) Rc = (rc , y(rc )) rc

Basic attack

Points Q and P = dQ on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

Rc = (rc , y(rc )) rc

Basic attack

Points Q and P = dQ on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q) x(ds1Q) r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

Rc = (rc , y(rc )) rc

Basic attack

Points Q and P = dQ on an elliptic curve.

s2 = x(s1P) = x(s1dQ)

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q) x(ds1Q) r1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

Rc = (rc , y(rc ))

Basic attack

Points Q and P = dQ on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

rc1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 sc2 x(dRc )

Basic attack

Points Q and P = dQ on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 s2 s3

r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 Basic attack

Points Q and P = dQ on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 sc2 s3 x(dRc ) r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 Basic attack

Points Q and P = dQ on an elliptic curve.

32 bytes s1 = x(s0P) s2 = x(s1P) s3 = x(s2P) s4 = x(s3P)

s0 s1 sc2 s3 x(dRc ) r1 = x(s1Q) r2 = x(s2Q) r3 = x(s3Q)

Rc = (rc , y(rc )) rc1 r2 r3 30 bytes

28 bytes 40 bytes Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 10 t1 t2

• ⊕ H(adin1) x(•P) • ⊕ H(adin2) x(•P) • ⊕ H(adin4)

Dual EC in TLS

x(•P) x(•P) x(•P) x(•P)

s0 s1 s2 s3 x(•Q) x(•Q) x(•Q)

r1 r2 r3

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 11 NIST SP800-90 in June 2006

t1 t2

• ⊕ H(adin1) x(•P) • ⊕ H(adin2) x(•P) x(•P) • ⊕ H(adin4)

s0 s1 s2 s3 x(•Q) x(•Q) x(•Q)

r1 r2 r3

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 11 NIST SP800-90 in June 2006

t1 t2

• ⊕ H(adin1) x(•P) • ⊕ H(adin2) x(•P) x(•P) • ⊕ H(adin4)

s0 s1 s2 s3 x(•Q) x(•Q) x(•Q)

r1 r2 r3

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 11 NIST SP800-90 in June 2006

t1 t2

• ⊕ H(adin1) x(•P) • ⊕ H(adin2) x(•P) x(•P) • ⊕ H(adin4)

s0 s1 s2 s3 x(•Q) x(•Q) x(•Q)

rc1 r2 r3

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 11 NIST SP800-90 in June 2006

t1 t2

• ⊕ H(adin1) x(•P) • ⊕ H(adin2) x(•P) x(•P) • ⊕ H(adin4)

s0 s1 s?2 s3 x(dRc ) x(•Q) x(•Q) x(•Q)

rc1 r2 r3

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 11 s0 sc2 s5

• ⊕ H(adin1) • ⊕ H(adin3) • ⊕ H(adin6) x(•P) x(•P) t3 x(dRc )

s3 s4

rc r3 r4

Dual EC in TLS

t1 t2

• ⊕ H(adin1) x(•P) • ⊕ H(adin2) x(•P) • ⊕ H(adin4)

s0 s1 s2 s3 x(•Q) x(•Q) x(•Q)

r1 r2 r3

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 12 sc

x(dRc )

rc

NIST SP800-90 in March 2007

s0 s2 s5

• ⊕ H(adin1) • ⊕ H(adin3) • ⊕ H(adin6) x(•P) x(•P) t1 t23 x(•P) x(•P)

s0 s1 s23 s34 x(•Q) x(•Q) x(•Q)

r1 r23 r34

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 12 sc

x(dRc )

rc

NIST SP800-90 in March 2007

s0 s2 s5

• ⊕ H(adin1) • ⊕ H(adin3) • ⊕ H(adin6) x(•P) x(•P) t1 t23 x(•P) x(•P)

s0 s1 s23 s34 x(•Q) x(•Q) x(•Q)

r1 r23 r34

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 12 sc

x(dRc )

NIST SP800-90 in March 2007

s0 s2 s5

• ⊕ H(adin1) • ⊕ H(adin3) • ⊕ H(adin6) x(•P) x(•P) t1 t23 x(•P) x(•P)

s0 s1 s23 s34 x(•Q) x(•Q) x(•Q)

rc1 r23 r34

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 12 NIST SP800-90 in March 2007

s0 sc2 s5

• ⊕ H(adin1) • ⊕ H(adin3) • ⊕ H(adin6) x(•P) x(•P) t1 t23 x(dRc ) x(•P) x(•P)

s0 s1 s23 s34 x(•Q) x(•Q) x(•Q)

rc1 r23 r34

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 12 NIST SP800-90 in March 2007

s0 sc2 s5

• ⊕ H(adin1) • ⊕ H(adin3) • ⊕ H(adin6) x(•P) x(•P) t1 t23 x(dRc ) x(•P) x(•P)

s0 s1 s23 s34 x(•Q) x(•Q) x(•Q)

rc1 r23 r34

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 12 Changelog to NIST SP800-90

Tanja Lange Backdoors always backfire 13 s0 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 Graphics: Ruben Niederhagen. average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

server random ECDHE priv. key ECDSA nonce

Tanja Lange Backdoors always backfire 14 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc2 s5 x(•P) x(•P) x(•P) x(dR) x(•P) s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 x(•P)

s1

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc2 s5 x(•P) x(•P) x(•P) x(dR) x(•P) s3 s4 x(•Q) x(•Q)

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 x(•P)

s1 x(•Q)

r1

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc2 s5 x(•P) x(•P) x(•P) x(dR) x(•P) s3 s4 x(•Q) x(•Q)

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 x(•P)

s1 x(•Q)

r1

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(•P) x(dR) x(•P) s3 s4 x(•Q) x(•Q)

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P)

s1 x(•Q)

r1

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(•P) x(dR) x(•P) s3 s4 x(•Q) x(•Q)

rc r3 r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P)

s1 x(•Q)

r1

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(dR) x(•P) s4 x(•Q) x(•Q)

rc r3 r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P) x(•P)

s1 s3 x(•Q)

r1

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(dR) x(•P) s4 x(•Q)

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P) x(•P)

s1 s3 x(•Q) x(•Q)

r1 r3

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(dR) x(•P) s4 x(•Q)

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P) x(•P)

s1 s3 x(•Q) x(•Q)

r1 r3

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(dR)

x(•Q)

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q)

r1 r3

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(dR)

rc

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc s5 x(•P) x(dR)

rc

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc x(dR)

rc

Exposes longterm secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 s5 x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc x(dR)

rc

Exposes longterm secret key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 s5 x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc x(dR)

rc

Exposes longterm secret key! ECDSA nonce •P Impersonation attack possible! ECDSA signature

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 s5 x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

r1 r3 r4

server random ECDHE priv. key ECDSA nonce •P ECDHE public key

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc x(dR)

rc

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 s5 x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

r1 r3 r4

server random ECDHE priv. key ECDSA nonce •P •P ECDHE public key ECDSA signature

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc x(dR)

rc

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 s5 x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

r1 r3 r4

server random ECDHE priv. key ECDSA nonce •P •P ECDHE public key ECDSA signature

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 sc x(dR)

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 s2 s5 x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce •P •P ECDHE public key ECDSA signature

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce •P •P ECDHE public key ECDSA signature

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce •P ? •P ECDHE public key ECDSA signature

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 (Cv + 5Cf )

Attack – Example: BSAFE-Java

s0 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce •P •P ECDHE public key ECDSA signature

Graphics: Ruben Niederhagen.

Tanja Lange Backdoors always backfire 14 Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

Attack – Example: BSAFE-Java

s0 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce •P •P ECDHE public key ECDSA signature

31 Graphics: Ruben Niederhagen. average cost: 2 (Cv + 5Cf )

Tanja Lange Backdoors always backfire 14 ECDSA nonce

Attack – Example: BSAFE-Java

s0 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 Graphics: Ruben Niederhagen. average cost: 2 (Cv + 5Cf )

Tanja Lange Backdoors always backfire 14 Attack – Example: BSAFE-Java

s0 sc2 s5 x(•P) x(•P) x(•P) x(•P) x(dR) x(•P) s1 s3 s4 x(•Q) x(•Q) x(•Q)

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce •P •P Impersonation attackECDHE possible! public key ECDSA signature

31 Graphics: Ruben Niederhagen. average cost: 2 (Cv + 5Cf )

Tanja Lange Backdoors always backfire 14 explicit watermark in handshake ⇒ easy recognition. Alas, BSAFE does not give fresh randomness in session ID, so attack costs roughly 232.

Network Working Group E. Rescorla Internet-Draft RTFM, Inc. Intended status: Informational M. Salter Expires: September 3, 2009 National Security Agency March 02, 2009

Extended Random Values for TLS draft-rescorla-tls-extended-random-02.txt [..] The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient.

Some more fun with RSA’s BSAFE-Java No additional input,

Tanja Lange Backdoors always backfire 15 Alas, BSAFE does not give fresh randomness in session ID, so attack costs roughly 232.

Network Working Group E. Rescorla Internet-Draft RTFM, Inc. Intended status: Informational M. Salter Expires: September 3, 2009 National Security Agency March 02, 2009

Extended Random Values for TLS draft-rescorla-tls-extended-random-02.txt [..] The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient.

Some more fun with RSA’s BSAFE-Java No additional input, explicit watermark in handshake ⇒ easy recognition.

Tanja Lange Backdoors always backfire 15 Some more fun with RSA’s BSAFE-Java No additional input, explicit watermark in handshake ⇒ easy recognition. Alas, BSAFE does not give fresh randomness in session ID, so attack costs roughly 232.

Network Working Group E. Rescorla Internet-Draft RTFM, Inc. Intended status: Informational M. Salter Expires: September 3, 2009 National Security Agency March 02, 2009

Extended Random Values for TLS draft-rescorla-tls-extended-random-02.txt [..] The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of Tanja Langerandomness provided by Backdoors the always current backfire TLS random values 15 insufficient. s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s3 s5

x(•P) x(•P) x(•P) x(•P)

sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0 x(•P)

s1

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s3 s5

x(•P) x(•P) x(•P) x(•P)

sc2 s4 x(dR) x(•Q) x(•Q)

rc r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0 x(•P)

s1 x(•Q)

r1

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s3 s5

x(•P) x(•P) x(•P) x(•P)

sc2 s4 x(dR) x(•Q) x(•Q)

rc r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0 x(•P)

s1 x(•Q)

r1

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s3 s5 x(•P) x(•P) x(•P)

sc s4 x(dR) x(•Q) x(•Q)

rc r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0

x(•P) x(•P)

s1 s2 x(•Q)

r1

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s3 s5 x(•P) x(•P) x(•P)

sc s4 x(dR) x(•Q) x(•Q)

rc r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0

x(•P) x(•P)

s1 s2 x(•Q) x(•Q)

r1 r2

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s3 s5 x(•P) x(•P) x(•P)

sc s4 x(dR) x(•Q) x(•Q)

rc r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0

x(•P) x(•P)

s1 s2 x(•Q) x(•Q)

r1 r2

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s5 x(•P) x(•P)

sc s4 x(dR) x(•Q) x(•Q)

rc r2 r4

session ID server random EDH key

Attack – Example: BSAFE-C

s0 s3

x(•P) x(•P) x(•P)

s1 s2 x(•Q) x(•Q)

r1 r2

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s5 x(•P) x(•P)

sc s4 x(dR) x(•Q) x(•Q)

rc r2 r4

server random EDH key

Attack – Example: BSAFE-C

s0 s3

x(•P) x(•P) x(•P)

s1 s2 x(•Q) x(•Q)

r1 r2

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s5 x(•P) x(•P)

sc s4 x(dR) x(•Q) x(•Q)

rc r2 r4

EDH key

Attack – Example: BSAFE-C

s0 s3

x(•P) x(•P) x(•P)

s1 s2 x(•Q) x(•Q)

r1 r2

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s5 x(•P)

sc x(dR) x(•Q) x(•Q)

rc r2 r4

EDH key

Attack – Example: BSAFE-C

s0 s3

x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q)

r1 r2

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s5 x(•P)

sc x(dR) x(•Q)

rc r2

EDH key

Attack – Example: BSAFE-C

s0 s3

x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q) x(•Q)

r1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 s5 x(•P)

sc x(dR) x(•Q)

rc r2

EDH key

Attack – Example: BSAFE-C

s0 s3

x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q) x(•Q)

r1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 sc x(dR) x(•Q)

rc r2

EDH key

Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q) x(•Q)

r1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 sc x(dR) x(•Q)

rc r2

Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q) x(•Q)

r1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 sc x(dR) x(•Q)

rc r2

Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q) x(•Q)

r1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 sc x(dR) x(•Q)

rc r2

Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q) x(•Q)

r1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 sc x(dR) x(•Q)

r2

Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 s2 s4 x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 x(•Q)

r2

Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 ?

Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4 ?

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 Attack – Example: BSAFE-C

s0 s3 s5

x(•P) x(•P) x(•P) x(•P) x(•P)

s1 sc2 s4 x(dR) x(•Q) x(•Q) x(•Q)

rc1 r2 r4

session ID server random EDH key

Graphic thanks to Ruben Niederhagen.

Tanja Lange Backdoors always backfire 16 Timings

Attack Bytes per Additional Time (min) session entropy (bits) BSAFE-C v1.1 31–60 0.04∗ BSAFE-Java v1.1 28 63.96∗ SChannel I 28 62.97∗ SChannel II 30 182.64∗

OpenSSL-fixed I 32 20 0.02∗ OpenSSL-fixed II 32 35 83.32∗ OpenSSL-fixed III 32 35+ k 2k · 83.32 ∗measured on 16 core cluster

Tanja Lange Backdoors always backfire 17

How did we get here . . .

Tanja Lange Backdoors always backfire 20 Full TODO list

I Design: Construct a PRNG that secretly contains a back door.

I Evaluation: Publish statements that the PRNG is secure.

I Standardization: Edit standards to include the PRNG.

I Standardization maintenance: Monitor changes to the PRNG standard, and counteract changes that make the PRNG more difficult to exploit.

I Auxiliary standardization: If necessary modify other standards to make the PRNG easier to exploit.

I Selection, implementation, and deployment: Provide incentives to cryptographic libraries to implement this PRNG.

I Attack optimization: Reduce the cost of computation required to exploit the back door, through algorithmic improvements and through influencing the way the PRNG is used in practice.

Tanja Lange Backdoors always backfire 21 How did we get here . . .

Official editors of SP800-90 are Elaine Barker and John Kelsey.

No editors stated for ANSI X9.82 nor for ISO 18031.

Miles Smid’s 2004 slides say “ANSI X9.82 Concepts submitted as input to ISO/IEC CD 18031. (See Debby Wallner)”.

Interesting Dec 2013 slide deck by John Kelsey 800 – 90 and Dual EC DRBG.

I Standardization effort by NIST and NSA, with some participation from CSE.

I Most of work on standards done by US federal employees (NIST and NSA, with some help from CSE).

I The standard Dual EC parameters P and Q come ultimately from designers of Dual EC DRBG at NSA.

Tanja Lange Backdoors always backfire 22 Kelsey 20 Dec 2013

Tanja Lange Backdoors always backfire 23 NIST FOIA Two FOIA requests by Andrew Crocker and Nate Cardozo of EFF and Matthew Stoller and Rep. Alan Grayson. Files hosted by Matt Green at https://github.com/matthewdgreen/nistfoia. Interesting documents, e.g.

This is most likely a reaction to the research on biases. Tanja Lange Backdoors always backfire 24 From 011 – 9.12 Choosing a DRBG Algorithm.pdf

Tanja Lange Backdoors always backfire 25 Why does nobody use a different Q?

Tanja Lange Backdoors always backfire 26 Fake Math!

Tanja Lange Backdoors always backfire 27 ISO standard

I NIST history is relatively well documented, partially because of FOIA and partially because of NIST efforts to clean up.

I But ISO standard 18031 came first (2005). NYT article says

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.” “Eventually, N.S.A. became the sole editor,” the memo says.

Tanja Lange Backdoors always backfire 28 ATTACHMENT 10 TO SC27 N3685

US National Body comments on ISO/IEC 2nd CD 18031 Date: 20030822 Document: N3578

12 (3)4 5 (6)

NB1 Clause No./ Paragraph/ Type Comment (justification for change) by the NB Proposed change by the NB Subclause No./ Figure/Table/ of Annex Note com- (e.g. 3.1) (e.g. Table 1) ment2

US Whole te The U.S. National Body has reviewed ISO/IEC 2nd CD document 18031, N3578. We feel that this document is lacking sufficient depth in many areas and simply is not developed enough to be an ISO standard which encompasses both Non-deterministic and Deterministic Random Bit Generation. We do feel that ANSI X9.82 Random Bit Generation standardization work is much further developed and should be used as the basis for this ISO standard. To make ISO/IEC 18031 consistent with X9.82 would require extensive commenting and revisions. To better progress this standard, the U.S. has instead developed a contribution for ISO that is consistent with ANSI X9.82, but written in ISO format. Furthermore, we believe this contribution will also be complementary to ISO/IEC 19790. We provide this contribution as an attachment, and propose that ISO further develop this contribution as their standard. Additionally, the U.S. recognizes that ANSI X9.82 is not an approved standard and still requires further work. As ANSI X9.82 develops, the U.S. will contribute these changes to ISO.

1 MB = Member body (enter the ISO 3166 two-letter country code, e.g. CN for China; comments from the ISO/CS editing unit are identified by **) 2 Type of comment: ge = general te = technical ed = editorial NOTE Columns 1, 2, 4, 5 are compulsory. page 1 of 1 ISO electronic balloting commenting template/version 2001-10 Hat tip @nymble.

Tanja Lange Backdoors always backfire 30 Snippets from the patent application

Tanja Lange Backdoors always backfire 31 Certicom patents

The Canadian company Certicom (now part of Blackberry) has patents in multiple countries on

I Dual EC exploitation: the use of Dual EC for key escrow (i.e., for a deliberate back door)

I Dual EC escrow avoidance: modifying Dual EC to avoid key escrow. The patent filing history also shows that

I Certicom knew the Dual EC back door by 2005;

I NSA was informed of the Dual EC back door by 2005, even if they did not know it earlier;

I the patent application, including examples of Dual EC exploitation, was publicly available in July 2006, just a month after SP800-90 was standardized. https://projectbullrun.org/dual-ec/patent.html

Tanja Lange Backdoors always backfire 32 17 Dec 2015: Important Juniper Security Announcement Soon identified to include changes to their Dual EC parameters. Ralf Philipp Weinmann: Some Analysis of the Backdoored Backdoor Full postmortem shows

I Juniper used Dual EC as RNG for Screen OS.

I Juniper used their own points.

I ScreenOS had a bug (?) that exposed raw Dual EC output.

I Around 2012 somebody changed these points to yet other points.

Can one keep a back door closed?

Tanja Lange Backdoors always backfire 33 their Dual EC parameters. Ralf Philipp Weinmann: Some Analysis of the Backdoored Backdoor Full postmortem shows

I Juniper used Dual EC as RNG for Screen OS.

I Juniper used their own points.

I ScreenOS had a bug (?) that exposed raw Dual EC output.

I Around 2012 somebody changed these points to yet other points.

Can one keep a back door closed?

17 Dec 2015: Important Juniper Security Announcement Soon identified to include changes to

Tanja Lange Backdoors always backfire 33 Ralf Philipp Weinmann: Some Analysis of the Backdoored Backdoor Full postmortem shows

I Juniper used Dual EC as RNG for Screen OS.

I Juniper used their own points.

I ScreenOS had a bug (?) that exposed raw Dual EC output.

I Around 2012 somebody changed these points to yet other points.

Can one keep a back door closed?

17 Dec 2015: Important Juniper Security Announcement Soon identified to include changes to their Dual EC parameters.

Tanja Lange Backdoors always backfire 33 I Around 2012 somebody changed these points to yet other points.

Can one keep a back door closed?

17 Dec 2015: Important Juniper Security Announcement Soon identified to include changes to their Dual EC parameters. Ralf Philipp Weinmann: Some Analysis of the Backdoored Backdoor Full postmortem shows

I Juniper used Dual EC as RNG for Screen OS.

I Juniper used their own points.

I ScreenOS had a bug (?) that exposed raw Dual EC output.

Tanja Lange Backdoors always backfire 33 Can one keep a back door closed?

17 Dec 2015: Important Juniper Security Announcement Soon identified to include changes to their Dual EC parameters. Ralf Philipp Weinmann: Some Analysis of the Backdoored Backdoor Full postmortem shows

I Juniper used Dual EC as RNG for Screen OS.

I Juniper used their own points.

I ScreenOS had a bug (?) that exposed raw Dual EC output.

I Around 2012 somebody changed these points to yet other points.

Tanja Lange Backdoors always backfire 33 I Lots of bad ideas got rejected in the making of TLS 1.3.

I IETF / CFRG is open & welcoming, remote participation is possible. Consensus: RFC 7258 – Pervasive Monitoring Is An Attack.

More on the standardization ecosystem

I Apr 2018 Simon and Speck do not get included in ISO lightweight standard, breaking with ISO tradition of being very permissive. This was a large effort, but enough cryptographers got involved and many countries were reasonable. But: ISO is pay to play and hard to get in for some countries.

I Nov 2018 OCB2 (standardized in ISO/IEC 19772:2009) broken in3 different ways.

I OCB1 and OCB3 (RFC 7253) are not affected.

I 28 Aug 2018 IETF publishes TLS 1.3 in RFC 8446.

Tanja Lange Backdoors always backfire 34 More on the standardization ecosystem

I Apr 2018 Simon and Speck do not get included in ISO lightweight standard, breaking with ISO tradition of being very permissive. This was a large effort, but enough cryptographers got involved and many countries were reasonable. But: ISO is pay to play and hard to get in for some countries.

I Nov 2018 OCB2 (standardized in ISO/IEC 19772:2009) broken in3 different ways.

I OCB1 and OCB3 (RFC 7253) are not affected.

I 28 Aug 2018 IETF publishes TLS 1.3 in RFC 8446.

I Lots of bad ideas got rejected in the making of TLS 1.3.

I IETF / CFRG is open & welcoming, remote participation is possible. Consensus: RFC 7258 – Pervasive Monitoring Is An Attack.

Tanja Lange Backdoors always backfire 34 URL URL I Nov 2018 ETSI publishes surveillance-friendly variant. I ETSI is fully pay to play. Interest groups make their own “standards”, no oversight, no outside review.

More on the standardization ecosystem

I Apr 2018 Simon and Speck do not get included in ISO lightweight standard, breaking with ISO tradition of being very permissive. This was a large effort, but enough cryptographers got involved and many countries were reasonable. But: ISO is pay to play and hard to get in for some countries. I Nov 2018 OCB2 (standardized in ISO/IEC 19772:2009) broken in3 different ways. I OCB1 and OCB3 (RFC 7253) are not affected. I Aug 2018 IETF publishes TLS 1.3 in RFC 8446. I Lots of bad ideas got rejected in the making of TLS 1.3. I IETF / CFRG is open & welcoming, remote participation is possible. Consensus: RFC 7258 – Pervasive Monitoring Is An Attack.

Tanja Lange Backdoors always backfire 37 More on the standardization ecosystem

I Apr 2018 Simon and Speck do not get included in ISO lightweight standard, breaking with ISO tradition of being very permissive. This was a large effort, but enough cryptographers got involved and many countries were reasonable. But: ISO is pay to play and hard to get in for some countries. I Nov 2018 OCB2 (standardized in ISO/IEC 19772:2009) broken in3 different ways. I OCB1 and OCB3 (RFC 7253) are not affected. I Aug 2018 IETF publishes TLS 1.3 in RFC 8446. I Lots of bad ideas got rejected in the making of TLS 1.3. I IETF / CFRG is open & welcoming, remote participation is possible. Consensus: RFC 7258 – Pervasive Monitoring Is An Attack. I Nov 2018 ETSI publishes surveillance-friendly variant. I ETSI is fully pay to play. Interest groups make their own “standards”, no oversight, no outside review. Tanja Lange Backdoors always backfire 37

References

Many more results and much more background is provided at http://projectbullrun.org/dual-ec/.

On the Practical Exploitability of Dual EC DRBG in TLS Implementations with Stephen Checkoway, Matthew Fredrikson, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J. Bernstein, Jake Maskiewicz, Hovav Shacham. USENIX Security 2014. Dual EC: A Standardized Back Door with Daniel J. Bernstein and Ruben Niederhagen. The New Codebreakers, LNCS 9100. Where Did I Leave My Keys?: Lessons from the Juniper Dual EC Incident by Stephen Checkoway, Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, Hovav Shacham. Communications of the ACM.

Tanja Lange Backdoors always backfire 41