How to Backdoor Diffie-Hellman David Wong NCC Group, June 2016 Abstract have pointed an attack on our first contribu- tion, as well as an improvement for the ex- Lately, several backdoors in cryptographic ploitation of our second contribution. This constructions, protocols and implementations work has been updated to reflect these ad- have been surfacing in the wild: Dual-EC in vances. RSA’s B-Safe product, a modified Dual-EC in Juniper’s operating system ScreenOS and a non-prime modulus in the open-source tool 1 Introduction socat. Many papers have already discussed the fragility of cryptographic constructions Around Christmas 2015 Juniper, a networking not using nothing-up-my-sleeve numbers, as hardware company, released an out-of-cycle se- 2 well as how such numbers can be safely picked. curity bulletin . Two vulnerabilities were dis- However, the question of how to introduce a closed without much details to help us grasp backdoor in an already secure, safe and easy the seriousness of the situation. Fortunately, to audit implementation has so far rarely been at this period of the year many researchers researched (in the public). were home with nothing else to do but to solve We present a new way of building a Nobody- this puzzle. By quickly comparing both the But-Us (NOBUS) Diffie-Hellman backdoor by patched and vulnerable binaries, the two is- using a composite modulus with a smooth sues were pinpointed. While one of the vulner- order. We then explain how we were able to abilities was a simple “master”-password im- implement a proof of concept with Socat and plemented at a crucial step of the product’s OpenSSL in order to exploit our backdoor on authentication, the other discovery was a bit the TLS protocol. more subtle: a unique value was modified. More accurately, a number in the source code Keywords: Diffie-Hellman, Ephemeral, was replaced. The introduction of the vulner- DHE, NOBUS, Backdoor, Discrete Logarithm, ability was so simple, and due to the fact that Small Subgroup Attack, Pohlig-Hellman, Pol- the number was stored as a string of hexadec- lard Rho, Factorization, Pollard’s p-1, ECM, imal digits, the trivial use of the UNIX com- Dual-EC, Juniper, socat mand line tool strings was enough to discover it. The special value ended up being a constant Update (December 2016): Dorey et al.1 Archive, Report 2016/999. http : / / eprint . iacr . 1Kristen Dorey, Nicholas Chang-Fong, and Alek- org/2016/999. 2016 sander Essex. Indiscreet Logs: Persistent Diffie- 2https://kb.juniper.net/InfoCenter/index? Hellman Backdoors in TLS. Cryptology ePrint page=content&id=JSA10713 1 Shumow and Ferguson4 at Crypto 2007, which might have been the reason why Juniper gen- erated their own point Q in their implementa- tion of Dual EC. Shortly after that revision, a mysterious update would change that Q point one more time, magically allowing another or- ganization, or person, to access that backdoor in place of the NSA or Juniper. Although the quest to find Juniper’s backdoor Figure 1: The strings of the patched binary and the numerous open questions that arose from that work is a fascinating read by itself5, it is only the introduction of the work you are currently reading. Here we aim to show how secure and strong cryptographic constructions are a single and subtle change away from being your own secretive peep show. On February 1st, 2016, only a few months after Juniper’s debacle, socat published a security advisory of its own6: Figure 2: The strings of the vulnerable binary In the OpenSSL address implemen- tation the hard coded 1024-bit DH p used in the system’s pseudo-random number parameter was not prime. The effec- generator (PRNG) Dual EC, an odd algo- tive cryptographic strength of a key rithm believed to have been backdoored by the exchange using these parameters was NSA3. The PRNG’s core has the ability to pro- weaker than the one one could get vide a Nobody-But-Us (NOBUS) trapdoor: a by using a prime p. Moreover, since secret passage that can only be accessed by the there is no indication of how these pa- people holding the secret key. In our case: the rameters were chosen, the existence elliptic curve discrete logarithm k in the Dual of a trapdoor that makes possible for EC equation Q = [k]P (where P and Q are an eavesdropper to recover the shared the two elliptic curve points used in the foun- secret from a key exchange that uses dation of Dual EC). them cannot be ruled out. Solely the NSA is thought to be in possession In the same vein as Juniper’s problem, a single of that k value, making them the only ones 4 able to climb back to the PRNG’s internal Shumow and Ferguson. On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng. state from random outputs, and then able to Crypto 2007. http : / / rump2007 . cr . yp . to / 15 - predict the PRNG’s future states and outputs. shumow.pdf. 2007 The backdoor in Dual EC was pointed out by 5Stephen Checkoway et al. A Systematic Analysis of the Juniper Dual EC Incident. Cryptology ePrint 3Daniel J. Bernstein, Tanja Lange, and Ruben Archive, Report 2016/376. http : / / eprint . iacr . Niederhagen. Dual EC: A Standardized Back Door. org/2016/376. 2016 Cryptology ePrint Archive, Report 2015/767. http: 6http://www.openwall.com/lists/ //eprint.iacr.org/2015/767. 2015 oss-security/2016/02/01/4 2 number was at issue. This time it was the parameters into open-source or closed-source public modulus, an integer used to generate libraries. This work is about generating such the ephemeral Diffie-Hellman keys of both backdoors and implementing them in TLS, parties during socat’s TLS handshakes. This showing how easy and subtle the process is. algorithm had been, contrary to Dual-EC, The working code along with explanations on considered secure from the start. But as it how to reproduce our setup is available on turned out, badly understood as well: as the Github10. Logjam7 paper had demonstrated earlier in the previous year, most servers would use In section 2, we will first briefly talk about Diffie-Hellman key exchanges to perform the several attacks possible on Diffie-Hellman, ephemeral handshakes, and the same servers from small subgroup attacks to Pohlig Hell- would generate their ephemeral keys from man’s algorithm. In section 3 we will introduce hardcoded defaults (often the same ones) our first attempt at a DH backdoor. We will provided by various TLS libraries. The present another DH backdoor in section 4 by paper raised a wave of discussion around how using the ideas of the previous section with a developers should use Diffie-Hellman, at the composite modulus. In section 5 we will see an- same time scaring people away from 1024 bit other method using a composite modulus that DH: “We estimate that even in the 1024-bit allows us to choose a specific generator, allow- case, the computations are plausible given ing us to only modify the modulus value when nation-state resources”. implementing our backdoor. In section 6 we will explain how we implemented the backdoor Securely integrating DH in a protocol is in TLS and how we exploited it. We will then unfortunately not well understood. Defensive see in section 7 how to detect such backdoors approaches are discussed in several RFCs89, and how to prevent them. Eventually we will but few papers so far have taken the point of wrap it all up in section 8. view of the attacker. The combination of the current trend of increasing the bitsize of DH 2 Attacks on Diffie-Hellman parameters with the now old trend of using open source libraries’ defaults to generate and the Discrete Logarithm ephemeral Diffie-Hellman keys would give To attack a Diffie-Hellman key exchange, one opportunist attackers a valid excuse to submit could extract the secret key a from one of the their bigger (more secure) and backdoored a peer’s public key ya = g (mod p). One could then compute the shared key gab (mod p) 7 David Adrian et al. “Imperfect Forward Secrecy: using the other peer’s public key y = gb How Diffie-Hellman Fails in Practice”. In: 22nd ACM b Conference on Computer and Communications Secu- (mod p). rity. https : / / weakdh . org / imperfect - forward - secrecy-ccs15.pdf. Oct. 2015 The naive way to go about this is to compute 8 Eric Rescorla. RFC 2631: Diffie-Hellman Key each power of g (while tracking the exponent) Agreement Method. RFC 2631. https://rfc-editor. org/rfc/rfc2631.txt. 2013. doi: 10.17487/rfc2631 until the public key is found. This is called 9Robert Zuccherato. RFC 2785: Methods for trial multiplication and would need on av- Avoiding the Small-Subgroup Attacks on the Diffie- q erage 2 operations to find a solution (with Hellman Key Agreement Method for S/MIME. RFC 2785. https://rfc-editor.org/rfc/rfc2785.txt. 10https://github.com/mimoo/Diffie-Hellman_ 2013. doi: 10.17487/rfc2785 Backdoor 3 q the order of the base). More efficiently, 2.2 Pohlig-Hellman algorithms that compute discrete logarithm p In 1978, Pohlig and Hellman discovered a in expected q steps like Shank’s baby-step 11 giant-step (deterministic), Pollard rho or shortcut to the discrete logarithm problem : Pollard Kangaroo (both probabilistic) can be if you know the complete factorization of the used. Because of the memory required for order of the group, and all of the factors are rel- baby-step giant-step, Pollard’s algorithms are atively small, then the discrete logarithm can often preferred.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages18 Page
-
File Size-