In Search of CurveSwap: Measuring Elliptic Curve Implementations in the Wild

Luke Valenta, Nick Sullivan, Antonio Sanso

In IEEE European Symposium on Security and Privacy (EuroS&P), 2018


Abstract

We survey elliptic curve implementations from several vantage points. We perform internet-wide scans for TLS on a large number of ports, as well as SSH and IPsec, to measure elliptic curve support and implementation behaviors, and collect passive measurements of client curve support for TLS. We also perform active measurements to estimate server vulnerability to known attacks against elliptic curve implementations, including support for weak curves, invalid curve attacks, and curve twist attacks. We estimate that 1.53% of HTTPS hosts, 0.04% of SSH hosts, and 4.04% of IKEv2 hosts that support elliptic curves do not perform curve validity checks as specified in elliptic curve standards. We describe how such vulnerabilities could be used to construct an elliptic curve parameter downgrade attack called CurveSwap for TLS, and observe that there do not appear to be combinations of weak behaviors we examined enabling a feasible CurveSwap attack in the wild. We also analyze source code for elliptic curve implementations, and find that a number of libraries fail to perform point validation for JSON Web Encryption, and find a flaw in the Java and NSS multiplication algorithms.
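The "curve validity checks" the abstract measures are the public-key validation steps from SEC 1 and NIST SP 800-56A: reject the point at infinity, reject out-of-range coordinates, reject points not on the curve, and (for full validation) confirm the point has order n. The following is an added illustration, not code from the paper or its authors. It uses the published P-256 (secp256r1) parameters and pure Python; the function names (`validate_public_key`, `invalid_curve_point`, `ecdh_accepts`) and the constructed attacker point are this example's own. `invalid_curve_point` builds a point on a neighbouring curve y^2 = x^3 + ax + b' with b' != b, the shape of input an invalid-curve probe sends; `ecdh_accepts` mirrors what an active scan observes, namely whether a server completes the key exchange with such a point.

```python
# Added example (not from the paper): SEC 1 / SP 800-56A public-key validation
# for a received EC point, and an ECDH step showing what skipping it looks like.
# Public P-256 (secp256r1) parameters; pure Python 3.8+, no dependencies.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def point_add(p1, p2, a=A, p=P):
    """Affine add/double on y^2 = x^3 + ax + b. The formulas never use b, so a
    point from a different curve is silently processed on that other curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % p == 0:   # P + (-P), or doubling a point with y = 0
            return INF
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(k, pt, a=A, p=P):
    """Textbook double-and-add (not side-channel safe; illustration only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend, a, p)
        addend = point_add(addend, addend, a, p)
        k >>= 1
    return result

def on_curve(pt, a=A, b=B, p=P):
    """Curve-equation check only."""
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0

def validate_public_key(pt, a=A, b=B, p=P, n=N):
    """Full validation (SEC 1 3.2.2.1 / SP 800-56A 5.6.2.3.3): not infinity,
    coordinates in [0, p-1], on the curve, and n*Q = O."""
    if pt is INF:
        return False
    x, y = pt
    if not (0 <= x < p and 0 <= y < p):
        return False
    if not on_curve(pt, a, b, p):
        return False
    return scalar_mult(n, pt, a, p) is INF

def invalid_curve_point(x=G[0], a=A, b=B, p=P):
    """Constructed attacker input: passes the range check but lies on
    y^2 = x^3 + ax + b' with b' != b. P-256 has p = 3 (mod 4), so a square r
    has sqrt r^((p+1)/4); try b' = b+1, b+2, ... until the RHS is a non-zero
    square. A real attack chooses b' so the point has small order; that search
    is omitted here. Returns ((x, y), b')."""
    bp = b
    while True:
        bp += 1
        rhs = (x * x * x + a * x + bp) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y and y * y % p == rhs:
            return (x, y), bp

def ecdh_shared_x(d, peer, validate=True):
    """Server side of ECDH. validate=False models the hosts the paper flags:
    the computation completes on whatever curve the peer's point is on."""
    if validate and not validate_public_key(peer):
        raise ValueError("peer public key failed validation")
    shared = scalar_mult(d, peer)
    if shared is INF:
        raise ValueError("shared point is the point at infinity")
    return shared[0]

def ecdh_accepts(d, peer, validate=True):
    """What an active scan observes: does the handshake complete with this point?"""
    try:
        ecdh_shared_x(d, peer, validate)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    d_srv, d_cli = 0x1b2c3d4e5f60718293a4b5c6d7e8f9, 0x9f8e7d6c5b4a392817  # demo scalars
    assert ecdh_shared_x(d_srv, scalar_mult(d_cli, G)) == ecdh_shared_x(d_cli, scalar_mult(d_srv, G))
    bad, b_prime = invalid_curve_point()
    print("attacker point on P-256:", on_curve(bad), "| on curve b':", on_curve(bad, b=b_prime))
    print("validating server accepts it:", ecdh_accepts(d_srv, bad))
    print("non-validating server accepts it:", ecdh_accepts(d_srv, bad, validate=False))
```

The order check (n*Q = O) is what makes this "full" rather than "partial" validation; for P-256 the cofactor is 1, so a point that satisfies the curve equation already has order n and many implementations omit that step, but the range and curve-equation checks are what separate the hosts the paper counts as vulnerable from the rest. The example deliberately keeps b' to the first value that yields a point; choosing b' so that the resulting curve has a small subgroup is the extra step that turns acceptance of such points into a key-recovery attack.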

[IEEE Website]
