On the Practical Exploitability of Dual EC in TLS Implementations

This paper analyzes the actual cost of attacking TLS implementations that use NIST's Dual EC pseudorandom number generator, assuming that the attacker generated the constants used in Dual EC. It has been known for several years that an attacker generating these constants and seeing a long enough stretch of Dual EC output bits can predict all future outputs; but TLS does not naturally provide a long enough stretch of output bits, and the cost of an attack turns out to depend heavily on choices made in implementing the RNG and on choices made in implementing other parts of TLS. Specifically, this paper investigates OpenSSL-FIPS, Windows' SChannel, and the C/C++ and Java versions of the RSA BSAFE library. This paper shows that Dual EC exploitability is fragile, and in particular is stopped by an outright bug in the certified Dual EC implementation in OpenSSL. On the other hand, this paper also shows that Dual EC exploitability benefits from a modification made to the Dual EC standard in 2007; from several attack optimizations introduced here; and from various proposed TLS extensions, one of which is implemented in BSAFE, though disabled in the version we obtained and studied. The paper's attacks are implemented; benchmarked; tested against libraries modified to use new Dual EC constants; and verified to successfully recover TLS plaintext.
