Practical Invalid Curve Attacks on TLS-ECDH

Tibor Jager, Jörg Schwenk, Juraj Somorovsky

ESORICS 2015


Abstract

Elliptic Curve Cryptography (ECC) is based on cyclic groups, where group elements are represented as points in a finite plane. All ECC cryptosystems implicitly assume that only valid group elements will be processed by the different cryptographic algorithms. It is well-known that a check for group membership of given points in the plane should be performed before processing.

However, in several widely used cryptographic libraries we analyzed, this check was missing, in particular in the popular ECC implementations of Oracle and Bouncy Castle. We analyze the effect of this missing check on Oracle's default Java TLS implementation (JSSE with a SunEC provider) and on TLS servers using the Bouncy Castle library. It turns out that the effect on the security of TLS-ECDH is devastating. We describe an attack that allows an attacker to extract the long-term private key from a TLS server that uses such a vulnerable library. This allows the attacker to impersonate the legitimate server to any communication partner, after performing the attack only once.
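The membership check the abstract says is missing, as an added example in Python that is not code from the paper or from the libraries it examines. It assumes the NIST P-256 parameters as published in FIPS 186-4 / SEC 2; the function names and the tampered sample point are this example's own.

```python
# Added example: public-point validation for an ECDH peer key on P-256.
# Curve constants are taken from the published P-256 specification.
P  = 2**256 - 2**224 + 2**192 + 2**96 - 1          # field prime
A  = P - 3                                          # curve: y^2 = x^3 + A*x + B
B  = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_curve(x: int, y: int, b: int = B) -> bool:
    """True iff (x, y) satisfies y^2 = x^3 + A*x + b over GF(P)."""
    return (y * y - (x * x * x + A * x + b)) % P == 0


def implied_b(x: int, y: int) -> int:
    """The parameter b of the curve y^2 = x^3 + A*x + b that (x, y) lies on.

    Any pair of coordinates sits on *some* curve with the same a; a library
    that skips validation silently does its arithmetic in that other group
    instead of the intended one.  Used here only to illustrate the risk.
    """
    return (y * y - x * x * x - A * x) % P


def decode_uncompressed(point: bytes):
    """Parse a TLS ECPoint in uncompressed form.  Returns (x, y) or None.

    The point at infinity (a single 0x00 byte), compressed encodings and
    wrong lengths are all rejected rather than handled leniently.
    """
    if len(point) != 65 or point[0] != 0x04:
        return None
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def validate_public_point(x: int, y: int) -> bool:
    """Reject out-of-range coordinates and any point not on the curve.

    P-256 has cofactor 1, so every affine point on the curve has order n
    and no additional subgroup check is needed once this passes.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return is_on_curve(x, y)


if __name__ == "__main__":
    tampered = (GX, GY + 1)   # constructed sample: one coordinate altered
    print("generator accepted:", validate_public_point(GX, GY))
    print("tampered point accepted:", validate_public_point(*tampered))
    print("tampered point lies on curve with b =", hex(implied_b(*tampered)))
```

Run this check on every peer point before it reaches the scalar multiplication; the script prints that the generator is accepted, the altered point is refused, and which other curve the altered point belongs to.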

The distributed document has been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

[pdf]

Tags: ecc, Invalid Curve Attack, TLS