Published by Samantha Barnett. Modified over 9 years ago.
1
Thursday, October 15, 2015 Securing the Wireless World
2
Validation of Elliptic Curve Public Keys
Presented by Dan Brown
Adrian Antipa*, Dan Brown*, Alfred Menezes+, Rene Struik* and Scott Vanstone+*
PKC 2003, Miami, Florida, Jan 7, 2003
(* Certicom Research; + U. Waterloo)
3
Outline
- ECC and Public Key Validation
- Attacking ECIES, 1-Pass ECDH, & ECMQV
- Inadequacy of Proof-of-Possession for ECPKV
- Improving Attack: Power Order Curves
- Modifying Attack for Compressed Points
- Countermeasures and Conclusions
4
Elliptic Curve Cryptography in Standards (incl. Drafts & Proposals)
- ANSI X9: 62, 63, 92, …
- IEEE: 1363-2000, P1363a, P1363.2, P802.15.3/4, …
- ISO: 14888-3, 9496, 15496, 18033-2, …
- FIPS: 186-2, 2XX, …
- NESSIE, IPA Cryptrec, …
- SECG: SEC1, SEC2, …
- IETF: PKIX, IPSec, SMIME, TLS, …
- SET, MediaPlayer, 5C, WAP, …
5
Elliptic Curves in Cryptography
- Usual elliptic curves (ANSI, SECG, FIPS):
  - $E_{a,b}(GF(p))$: $y^2 = x^3 + ax + b$,
  - $E_{a,b}(GF(2^m))$: $y^2 + xy = x^3 + ax^2 + b$.
- Group consists of:
  - Pairs (x,y) satisfying curve equation,
  - Point at infinity, “0”.
- CRUCIAL FACT: b determinable from x,y,a.
6
Coefficient b as Function of x,y,a
7
Elliptic Curve Group Law
- Usual formulae for EC group law:
  - Do not use coefficient b, and
  - Are the most efficient known.
- Example: Over GF(p), compute 2(x,y) = (x',y'):
  - Set $t = (3x^2 + a)/(2y)$.
  - Set $x' = t^2 - 2x$.
  - Set $y' = t(x - x') - y$.
8
Elliptic Curve Domain Parameters
- Field size q.
- Coefficients a, b of $E = E_{a,b}(GF(q))$.
- Field representation (if $q = 2^m$).
- Seed s (optional).
- Base point G on curve E.
- Order n of G: should be prime.
- Cofactor h such that #E = hn. Usually h belongs to {1,2,4}.
9
Elliptic Curve Public Key Validation (ECPKV)
- Input: Domain (E,n) and alleged point P.
- Output: Valid or invalid.
- Actions: Parse P and then output:
  - Invalid if P = 0,
  - Invalid if x or y invalid for GF(q),
  - Invalid if equation for E fails for (x,y),
  - Invalid if nP is not 0, (*)
  - Valid otherwise.
- (*) Note: Naïve nP too slow (but tricks known).
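The ECPKV checks above, together with the earlier points that the group law never uses b and that b is determinable from x, y, a, as an added example that is not part of the original slides. The toy domain (y^2 = x^3 + 2x + 2 over GF(17), G = (5,1), n = 19) and all function names are assumptions chosen for illustration.

```python
# Toy domain (constructed for illustration, not from the slides):
# E: y^2 = x^3 + 2x + 2 over GF(17), base point G of prime order n = 19, h = 1.
P_FIELD, A, B, N = 17, 2, 2, 19
G = (5, 1)
INF = None  # point at infinity, written "0" on the slides

def add(P, Q):
    """Usual affine group law over GF(p). Coefficient B is never used."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF
    if P == Q:
        t = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        t = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (t * t - x1 - x2) % P_FIELD
    return (x3, (t * (x1 - x3) - y1) % P_FIELD)

def mul(k, P):
    """Double-and-add scalar multiplication kP."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def implied_b(P):
    """The b for which (x, y) satisfies y^2 = x^3 + ax + b."""
    x, y = P
    return (y * y - x ** 3 - A * x) % P_FIELD

def ecpkv(P):
    """The validation steps from the slide, in order."""
    if P is INF:
        return "invalid: P = 0"
    x, y = P
    if not (0 <= x < P_FIELD and 0 <= y < P_FIELD):
        return "invalid: coordinate not in GF(q)"
    if implied_b(P) != B:
        return "invalid: equation for E fails"
    if mul(N, P) is not INF:
        return "invalid: nP is not 0"
    return "valid"
```

The point (1,1) satisfies the equation only for b' = 15, so the curve-equation check rejects it; doubling it with the unmodified group law gives (0,10), which also lies on the b' = 15 curve rather than on E.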
10
ECPKV: Why and When?
- Why ECPKV: If not, then private key stolen via following attacks.
- When ECPKV: On any EC point to which an EC private key is applied:
  - Static public key (ECDH, ECMQV),
  - Ephemeral public key (ECDH, ECIES),
  - Public keys for certification (ECDSA).
- Scope: A variety of protocols are at risk.
11
Elliptic Curve Integrated Encryption Scheme (ECIES) - Encryption
- Input: Public key (static) Q in E, message M.
- Output: Ciphertext (R,S,A).
- Actions:
  - Set R = rG for random r in [1,n-1].
  - Set (s,a) = KDF(x(rQ)).
  - Set S = SYM(s,M) and A = MAC(a,S).
- Note: (R,r) is an ephemeral public-private key pair.
12
ECIES - Decryption
- Input: Private key q, ciphertext (R,S,A).
- Output: Invalid; or valid and message M.
- Actions:
  - Set (s,a) = KDF(x(qR)).
  - Valid if A = MAC(a,S), else invalid.
  - If valid, set $M = SYM^{-1}(s,S)$.
13
Invalid Curve Attack on ECIES, Phase 1
- Choose small integer n'.
- Find curve $E' = E_{a,b'}$ with $n' \mid \#E'$.
- Find point R' of order n' on E'.
- Notation: Z' indicates the adversary's version of a variable Z.
- Note: R' generates “small subgroup” (cf. Lim and Lee, Crypto 97) of another group.
14
Invalid Curve Attack, Phase 2
- Choose any message M'.
- Pick random q' in [1, n'-1].
- Compute (s',a') = KDF(x(q'R')).
- Compute S' = SYM(s',M') and A' = MAC(a',S').
- Send victim (R',S',A').
15
Victim Response to Phase 2
- Victim receives (R',S',A').
- Victim decrypts with (s,a) = KDF(x(qR')).
- If q = ±q' mod n' then:
  - x(qR') = x(q'R'),
  - (s,a) = (s',a'),
  - A' = MAC(a',S') = MAC(a,S'),
  - $M = SYM^{-1}(s,S') = SYM^{-1}(s',S') = M'$,
  - “Valid” ciphertext decryption.
16
Invalid Curve Attack, Phase 3
- Observe reaction of victim.
- Determine validity or invalidity of (R',S',A').
- Repeat Phase 2 until (R',S',A') valid:
  - If (R',S',A') invalid, try another q'.
- Conclude q = ±q' mod n'.
- This is partial information about victim's private key q.
17
Invalid Curve Attack, Phase 4
- Note: $q^2 = (\pm q')^2 = (q')^2 \bmod n'$.
- Repeat Phase 1 to 3 with various n'.
  - Example: for small primes n'.
- Learn $q^2 \bmod n'$ for various n'.
- Chinese Remainder Theorem:
  - Combines info about q,
  - Deduces $q^2$ exactly as integer.
- Find q by ordinary square root of $q^2$.
18
Cost of Attack on ECIES
- Number of ciphertexts: $(n_1 + \dots + n_k)/4$, where $n_i$ is the $i$th prime and $n_1 \cdots n_k > n^2$.

| Bits in q | Ciphertexts |
|-----------|-------------|
| 192       | 1996        |
| 224       | 2548        |
| 256       | 3275        |
| 384       | 6735        |
| 521       | 11548       |
19
Attack on Ephemeral-Static ECDH
- If responder (victim) uses shared key before initiator (adversary):
- But, in practice, initiator (adversary) uses key first.
- NOTE: Biehl, Meyer, Müller (Crypto 2000).

| Bits in q | Ciphertexts |
|-----------|-------------|
| 192       | 61 (1)      |
| 224       | 68 (1)      |
| 256       | 76 (1)      |
| 384       | 105 (1)     |
| 521       | 134 (1)     |
20
1-Pass Menezes-Qu-Vanstone (MQV)
[Diagram labels: Static Key, Ephemeral Key; Alice (Attacker), Bob (Victim)]
21
Attack on 1-Pass ECMQV
- Same idea as ECIES but …
- Attacker needs invalid static key (certified).
- Attacker needs CA to certify invalid key.
- Attacker needs CA to skip ECPKV.
- Standards for PKI do not require (EC)PKV.
- Standards for PKI require POP.
- Does “proof-of-possession” stop attack?
22
Proof of Possession via Certificate Requests
- Certificate request is a self-signed public key and identity information.
- Signature “proves” possession of private key, which helps avoid certain other attacks.
- ECDSA natural choice for EC public key.
23
Elliptic Curve Digital Signature Algorithm (ECDSA) - Verification
- A pair (r,s) is a valid signature
  - On message M,
  - For public key Q,
  - For EC domain (E,G,n) and
  - For hash function H,
- If:
  - r and s are integers in [1,n-1], and
  - r = x((H(M)/s mod n)G + (r/s mod n)Q) mod n.
24
Valid ECDSA Signature with Invalid Public Key
- Input: Message M, valid EC domain (E,G,n), invalid public key info Q' and n'.
- Output: Valid signature (r,s) on M in domain (E,G,n) under invalid public key Q'.
- Actions:
  - Choose s in [1,n-1] and a in [1,n'-1].
  - Set r = x((H(M)/s mod n)G + aQ') mod n.
  - If not a = (r/s mod n) mod n', try again.
25
Invalid Curve Attack on ECMQV
- Choose invalid static public keys of orders $n_1, n_2, \dots, n_k$.
- Generate ECDSA certificate requests.
- Get invalid static keys certified by lazy CA.
- Send invalid static and ephemeral keys to victim.
- Learn victim's (static) private key.
26
Special Curves for Accelerating Attack
- Pohlig-Hellman approach works if #E' is divisible by powers of small primes.
- Example: NIST field $GF(2^{521} - 1)$.
  - Let $E' = E_{-3,0}$: $y^2 = x^3 - 3x$ (supersingular).
  - Then $\#E' = 2^{521}$.
  - Attack uses 521 ciphertexts (< 11548).
- Problem 1: Find $\#E'(GF(2^m)) = 2^m$.
- Problem 2: Find $\#E'(GF(p)) = 2^m$ (or $2^m d$).
27
Elliptic Curve Point Compression
- Compressed point (x,z) where z=0 or z=1.
- Decompression solves quadratic for y.
- Bit z determines which y, if any, to use for the decompressed point (x,y).
28
Invalid Compressed Points
- Fixing x leaves 0, 1, or 2 solutions for y.
- Half of x have 0 solutions for y.
- Element x invalid if y has 0 solutions.
- Compressed point (x',z) invalid if x' invalid.
- Reject invalid compressed points.
- Can an invalid compressed point be “used”?
29
Invalid Decompression in GF(p)
- Fact: If $p = 3 \bmod 4$, then $y^2 = w$ can be solved as $y = f(w) = w^{(p+1)/4} \bmod p$.
- Proof: $y^2 = w^{(p+1)/2} = w^{p-(p-1)/2} = w(w/p) \bmod p$, where (w/p) is the Legendre symbol, which is 1 (or 0) if w has a square root and –1 if not.
- Note: If x invalid, an invalid compressed point (x,z) can be decompressed to (x,y) where $y = (x^3 + ax + b)^{(p+1)/4}$.
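Decompression with the square-root shortcut above, plus the one extra check (y^2 = w) that rejects an invalid x, as an added example that is not part of the original slides. Function names are assumptions; z is taken as the parity of y with an 02/03 prefix octet (SEC1-style encoding), and the P-192 constants are the standard secp192r1 domain values.

```python
# secp192r1 (P-192) domain values: p = 2^192 - 2^64 - 1, a = -3, b as below.
P192_P = 2**192 - 2**64 - 1
P192_A = -3
P192_B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
# Octet string quoted on the "Order 11 Invalid Compressed Point" slide.
SLIDE_OCTETS = bytes.fromhex(
    "02 2f 8c 8c 8a 7c b1 1c 06 aa a3 4b 23"
    " 4f 7d 88 cd b9 9f d7 66 4a 00 a4 d7")

def parse_compressed(octets):
    """Split 02/03 || X into (x, z), where z is the parity bit of y."""
    if len(octets) < 2 or octets[0] not in (2, 3):
        raise ValueError("not a compressed point encoding")
    return int.from_bytes(octets[1:], "big"), octets[0] & 1

def decompress(x, z, p, a, b, validate=True):
    """Decompress (x, z) on y^2 = x^3 + ax + b over GF(p), p = 3 mod 4."""
    if p % 4 != 3:
        raise ValueError("square-root shortcut needs p = 3 mod 4")
    if not 0 <= x < p or z not in (0, 1):
        raise ValueError("x or z out of range")
    w = (x**3 + a * x + b) % p
    y = pow(w, (p + 1) // 4, p)        # f(w) from the slide
    # If w has no square root, f(w)^2 = -w, so this comparison fails.
    if validate and (y * y) % p != w:
        raise ValueError("invalid compressed point: no y for this x")
    if y % 2 != z:
        y = (p - y) % p
    return (x, y)

if __name__ == "__main__":
    x, z = parse_compressed(SLIDE_OCTETS)
    try:
        print("accepted:", decompress(x, z, P192_P, P192_A, P192_B))
    except ValueError as err:
        print("rejected:", err)
```

On the constructed toy curve y^2 = x^3 + x + 1 over GF(23), x = 2 gives w = 11, which has no square root: validated decompression raises, while the unvalidated path returns y = 9 with 9^2 = 12 = -11 mod 23.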
30
1-Time Setup: Finding Low Order Invalid Compressed Points
- Fact: If x invalid then $y^2 = -(x^3 + ax + b) \bmod p$, since if w has no square root then $f(w)^2 = -w$.
- Output: Invalid x with (x,y) of low order m.
- Actions:
  - Find division polynomial in x and b'.
  - Substitute $b' = -2(x^3 + ax + b)$.
  - Find invalid root x of subbed poly.
- Problem 3: Setup cost as Schoof for #E?
31
Order 11 Invalid Compressed Point
- Consider the octet string: 02 2f 8c 8c 8a 7c b1 1c 06 aa a3 4b 23 4f 7d 88 cd b9 9f d7 66 4a 00 a4 d7.
- Parses under FIPS 186-2 EC domain P-192 (secp192r1) to invalid compressed point.
- Non-validated decompression gives order 11.
- Found with Maple, by solving degree 60 poly.
32
Countermeasures
- Best: Validate EC public keys:
  - Ephemeral and static,
  - When verifying and decrypting,
  - In key agreement.
- Special EC arithmetic:
  - E.g.: Koblitz curves (used for efficiency).
  - “Frobenius” map is $f: (x,y) \to (x^2, y^2)$.
  - Invalid curves: f moves off curve.
  - Invalid curve attack seems to fail.
33
ECPKV in Standards

| Standard          | Scheme    | Primitive | Format         | Informative Security Annex |
|-------------------|-----------|-----------|----------------|----------------------------|
| IEEE 1363.2000    | Optional  | Assumed   | Absent (noted) | Optional, LL97 noted       |
| ANSI X9.63 (2000) | Mandatory | Absent    | Mandatory      | Optional, LL97 noted       |
| SEC1 (2000)       | Optional  | Absent    | Mandatory      | Optional, LL97 noted       |
| FIPS 2XX          | Not published yet |  |                |                            |
34
Conclusions
- Elliptic curve private keys risk being compromised if applied to invalid EC points.
- Standards have not provided adequate warning about this attack.
35
References
- I. Biehl, B. Meyer, and V. Müller, “Differential fault analysis on elliptic curve cryptosystems”, Advances in Cryptology – CRYPTO 2000, Lecture Notes in Computer Science 1880, pp. 131-146.
- C. Lim and P. Lee, “A key recovery attack on discrete log-based schemes using a prime order subgroup”, Advances in Cryptology – CRYPTO 97, Lecture Notes in Computer Science 1294, pp. 249-263.