Hidden in Plain Sight: DUAL_EC_DRBG 'n stuff
- 1. Hidden in Plain Sight DUAL_EC_DRBG ‘n stuff
- 2. What’s this nerd doing onstage? ● CS & Math BS ● Software Engineer ● Cryptoparty Ann Arbor ○ cryptoparty.in/ann_arbor - @CryptopartyAA ● Chiptunes are cool ● NOT a cryptographer
- 4. The Setup
- 5. History tl;dr: ● ANSI, NIST, ISO standardized Deterministic Random Bit Generator ● Designed/promoted/backdoored by NSA ● Secure crypto REQUIRES random numbers ● Cool story I won’t repeat
- 6. DUAL_EC_DRBG NIST SP 800-90A: ● some elliptic curve over a finite field ● some points P, Q on the curve ● some process of getting output and permuting secret state
- 7. MATH BASICS Wait… what do those words in the standard mean? What the hell does this look like?
- 10. Groups ● set of elements G, with an operation + ● “order”: how many elements it has Think Whole Numbers (Integers) with only +
- 11. Groups (Example) Integers mod 12: a = b % 12
- 12. Scalar Multiplication on EC n*P = P + P + … + P ● (n times) ● n is an integer, P is a point ● Important for the standard
- 13. Discrete Logarithm ● No efficient algorithm known b^k = g b*b*b* … *b = g (k times) k = log_b (g) ( P = d*Q )
- 14. Math Concepts/Tools Essential to understanding, won’t be covered in more depth ● Subgroups, Cyclic groups ● Cauchy’s, Lagrange’s, Sylow’s theorems ● Finite Fields
- 15. Two Versions... ● Dual EC 2006 ● Dual EC 2007 I’ll focus on Dual EC 2006
- 17. DUAL_EC_DRBG ● Defined elliptic curve, points P, Q ○ COULD use your own, but MUST use NIST provided constants for FIPS 140 certification ● P, Q are in the same group
- 18. DUAL_EC_DRBG The order of the group P, Q are in is also defined as n ● for curve P-256, n = 11579208921035624876269744694940757 35299969552241357603424222590610685 12044369 ○ huh...
- 19. DUAL_EC_DRBG
- 20. Tools ● Lagrange’s Theorem: Order of a subgroup divides the order its group ● Group generated by X: <X> = {X, X+X, X+X+X, … }
- 21. So... ● Q is in a group of prime order ● Lagrange’s Theorem! Order of <Q> is either 1 or n (turns out it’s n). ● Q must generate that entire group! ● <Q> = {Q, Q+Q, Q+Q+Q, … }
- 22. DUAL_EC_DRBG There exists some integer d such that: P = d * Q (P = Q + Q + … + Q) Spoiler alert: that’s the backdoor
- 23. DUAL_EC_DRBG Secret state s, points P, Q, functions f, g: ● f(s) = x(s*P) ○ updates secret state: s1 := f(s0) ● g(s) = x(s*Q) ○ gives you random bits: r1 := g(s1)
- 24. DUAL_EC_DRBG ϕ: “put this into bits”, like an integer extract_bits: remove 16 most significant bits
- 25. DUAL_EC_DRBG Simplified algorithm (no additional input) (courtesy: Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen)
- 26. DUAL_EC_DRBG (Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen)
- 27. DUAL_EC_DRBG Shumow-Ferguson attack: ● observe random output r ● 2^16 ACTUAL r1 candidates. brute-force. ● curve equation to recover R=(r1, y) ○ use tonelli-shanks to get y, easy! ● x-coord of d*R gets us secret state s2 :) ○ backdoor!
- 28. 2006 & simple Observe a full round’s-worth of output
- 29. 2006 & simple brute-force to compensate for 16 truncated bits
- 30. 2006 & simple scalar multiply with backdoor. ONE of these will give secret state s2! we win!
- 31. 2006 + additional input!
- 32. 2006 + additional input!
- 33. 2006 + additional input!
- 34. (Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen)
- 35. DUAL_EC_DRBG (These are all group operations) ● R = s1*Q = g(s1) ● d*R = d*(s1*Q) = s1*(d*Q) = s1*P ● d*R = s1*P = f(s1) ● x(d*R) = x(s1*P) = s2 ● internal state s2 isn’t secret anymore
- 36. DUAL_EC_DRBG So, if you know d, you can backtrack and recover state! P = d*Q
- 37. Demo…?
- 38. DUAL_EC_DRBG Demo? OK, so that’s cool, but can we demo this? Actually cracking it is difficult, since we don’t know d and can’t easily find it... Two things you can do
- 39. Be Awesome
- 40. Be Awesome ● BSAFE - :,( ○ Java - Includes fingerprints in connections ○ C - gives longer string of random bits. Faster attack! ● SChannel - :/ ○ Bug that made it slightly faster to attack. ● OpenSSL - :| ○ Only FIPS version ○ Easily fixed but totally breaking bug ○ Uses additional input :)
- 41. Be Awesome Each TLS library needs a tailored attack 1. Recover state from session ID/server random fields in handshake 2. Compute DHE/ECDHE shared secret => get “master secret” 3. (optionally) recover long-lived DSA/ECDSA signing key
- 42. Be Awesome Exploiting a real-world instance is certainly tricky, but possible!
- 43. Weak DUAL_EC_DRBG Or… re-make everything, but smaller. More contrived, but hopefully a bit easier to grasp. Requires algebra know-how
- 45. Weak DUAL_EC_DRBG ● Get some large-ish finite field (integers mod some prime) ○ 331337 is prime. cool! ● Find a curve (I have no idea what I’m doing here) ● Find some point Q on the curve that generates a large-ish subgroup of prime order
- 46. Weak DUAL_EC_DRBG ● Need a point Q in a subgroup of prime order. But, a large enough prime that cracking isn’t too easy (not 2, 5, 7, …) ○ Choice of finite field should put an upper bound on subgroup’s size: Don’t worry about making it too hard.
- 47. Weak DUAL_EC_DRBG If Q itself doesn’t generate a prime-order subgroup, some scalar multiple of Q will. ● If order of <Q> is not prime, factor it ○ hope it has a large prime factor ■ if not… try another Q! ¯_(ツ)_/¯ ○ If it does: Cauchy’s theorem => subgroup of that order exists! Generate with scalar multiple of Q ■ ‘intuition’ from quotient groups
- 48. Weak DUAL_EC_DRBG ● Once we’ve chosen Q, finding P is easy ○ pick your backdoor integer d ○ P = d*Q ○ publish P, Q. keep d secret. ● But, our subgroup is small enough we can use brute-force to find d
- 49. Weak DUAL_EC_DRBG https://github.com/zandi/dual_ec_demo ● Working weak DUAL_EC_DRBG code! ○ jeopardy ctf-style, server challenges client ○ 3 lead-in levels building up to Dual EC wannabe level ○ test attack code for each level. ○ scary but harmless cruft Go learn!
- 50. Practical Takeaway What did we learn from this whole ordeal? Is there anything we need to do *right now* to secure ourselves? What can we do going forward to prevent this from happening again?
- 51. Practical Takeaway ● NSA, NIST, ANSI, etc.? ○ MAYBE trust, DEFINITELY verify, peer-review. ● Using same PRNG instance for secret & non-secret random numbers. Bad idea? ○ Shouldn’t HAVE to program defensively against your crypto library/rng, but is it a good idea? ehhh… maybe not.
- 52. ● NIST SP 800-90A ● “The NSA Back Door to NIST” - Thomas C. Hales, Notices of the AMS Vol. 61 No. 2 ● http://projectbullrun.org/dual-ec/index.html ● “Dual EC: A Standardized Back Door” - Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen ● “Practical Kleptography” - Matthew Green, Woot ‘14 ● https://www.usenix. org/conference/usenixsecurity14/technical- sessions/presentation/checkoway ● Jeremy Kun - elliptic curves over finite fields library - https://github.com/j2kun/elliptic-curves-finite-fields
- 53. Keep in touch! @the_zandi the.zandi@gmail.com Thanks David Adrian, “his excellency” dafluck, jimtern, Misec, Arbsec, A2Y.asm, Obama, and Satan