![Page 1: Dual EC DRBG - Hackerspace.gr · For Diffie-Hellman key exchanges, a 2048-bit MODP group MUST be used. Explicitly, Diffie-Hellman Group 14 MUST be used. ... Regardless of the backdoor](https://reader035.vdocuments.pub/reader035/viewer/2022062607/60488d88c5b5093a317d62d9/html5/thumbnails/1.jpg)
Dual_EC_DRBG or, the story of a not so random backdoor
Martijn Grooten, Virus Bulletin, UK
Martijn Grooten (Μαρτάιν Γρόουτεν)
Mathematics
IT Security
Civil liberties
Disclaimer: I am not a cryptographer
A backdoor in software
...
if ( PORT == 1337 && password == "roodkcab" ) {
/* support access */
access_level = "admin";
}
...
A weakness in a standard
For Authenticated Encryption in the data plane, AES with 128 bit keys in GCM mode with 128 bit ICV MUST be used. For Integrity checks (when Authenticated Encryption is not in use), HMAC-SHA-256-128 MUST be used. For hashing algorithms, SHA-256 MUST be used. For certificate based signatures, RSA-2048 and SHA-256 MUST be used. For Diffie-Hellman key exchanges, a 2048-bit MODP group MUST be used. Explicitly, Diffie-Hellman Group 14 MUST be used. For pseudo-random generation function, PRF-HMAC-SHA-256 MUST be used.
A weakness in a standard
For Authenticated Encryption in the data plane, AES with 32 bit keys in GCM mode with 32 bit ICV MUST be used. For Integrity checks (when Authenticated Encryption is not in use), HMAC-SHA-128-64 MUST be used. For hashing algorithms, SHA-64 MUST be used. For certificate based signatures, RSA-512 and SHA-64 MUST be used. For Diffie-Hellman key exchanges, a 512-bit MODP group MUST be used. Explicitly, Diffie-Hellman Group 14 MUST be used. For pseudo-random generation function, PRF-HMAC-SHA-64 MUST be used.
A backdoor in a standard?
Introducing: Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG)
A bit of history
Public key cryptography (RSA, DH; 1970s)
Crypto Wars (1990s)
public vs. private:
n = p·q
a = x^n mod p (discrete logarithm problem)
The crypto wars were won…
…but the battle went on underground
Encryption
Encryption is “the process of encoding messages or information in such a way that only authorized parties can read it.” (Wikipedia).
“An encryption scheme usually needs a key-generation algorithm to randomly produce keys” (Wikipedia)
Encryption
Encryption generates data that is indistinguishable from random.
Encryption needs random data as input.
Randomness
Getting good randomness with enough entropy (‘surprise’) is hard.
It is not impossible though.
But getting enough good randomness is hard without some extra help.
Deterministic random bit generator
[Diagram: random seed → internal state → output, with the internal state feeding back as the next seed]
Did I say randomness is hard?
Random number generators are a major weakness in many cryptography implementations.
Blindly trusting someone else’s RNG is a bad idea (as we will see).
But writing your own is worse.
Elliptic curves
Solutions to a third-degree equation without singularities, in the projective plane over a field:
y² = x³ + a·x + b for some given a and b
Elliptic curves
Point addition on elliptic curves
[Figure: points A and B on the curve and their sum A+B]
Point addition on elliptic curves
[Figure: a point A on the curve with its multiples 2·A and 3·A]
Discrete logarithm problem on elliptic curves
Given a point A and a (large) number n, there is – under certain circumstances – a unique point B such that A = n·B.
Finding B is fiendishly difficult.
This is very useful for cryptography
… or to backdoor a standard.
Turning points into numbers
[Figure: a point A on the curve and its x-coordinate x(A)]
Dual_EC_DRBG
Curve and points P, Q given.
From the current seed s:
r = x( s · P )
s' = x( r · P )
t = x( r · Q )
output: bits of t
new seed: s := s'
Finding good P and Q isn’t trivial
Using wrong P and Q could break the algorithm. Thankfully, the NIST standard provides them for us:
“The security of Dual_EC_DRBG requires that the points P and Q be properly generated. To avoid using potentially weak points, the points specified in Appendix A.1 should be used.”
So how ‘random’ are P and Q?
Fact: given P and Q, there exists a number e such that P = e·Q.
Remember: e is fiendishly hard to find. (Discrete logarithm problem.)
But if you can choose P and Q, you can choose them so that you know the number e.
Does it matter if you know e?
Ferguson, Shumow (2007): it bloody well does.
Knowledge of e makes the output of the random number generator trivial to predict.
This means Dual_EC_DRBG is very unsafe against anyone who knows e.
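As an added worked example (not part of the original slides), the generator from the Dual_EC_DRBG slide and the Ferguson/Shumow observation on one toy curve: y² = x³ + 2x + 2 over F_17, with Q as the generator and P = e·Q for a chosen e = 11, all constructed for this example. From a single output t and the number e, the next state x(r·P) = x(e·(r·Q)) falls out, and every later output can be reproduced; the output here is the whole x-coordinate, whereas the standard emits t with its top bits removed.

```python
# Toy Dual_EC_DRBG on the textbook curve y^2 = x^3 + 2x + 2 over F_17
# (19 points, generator G = (5, 1)). Constructed example; the real
# Dual_EC_DRBG uses NIST P-256 and truncates the top bits of t.
P_MOD, A, B = 17, 2, 2
G = (5, 1)

def ec_add(p1, p2):
    """Point addition on the curve; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def x_of(pt):
    if pt is None: raise ValueError("hit the point at infinity; pick another seed")
    return pt[0]

def dual_ec_outputs(seed, P, Q, n):
    """n outputs of the slide's generator: r = x(sP), s' = x(rP), t = x(rQ)."""
    s, out = seed, []
    for _ in range(n):
        r = x_of(ec_mul(s, P))
        s = x_of(ec_mul(r, P))
        out.append(x_of(ec_mul(r, Q)))
    return out

def predict_from_trapdoor(t, e, P, Q, n):
    """Given one output t and the trapdoor e (P = e*Q): lift t back to the point
    r*Q (or -r*Q), multiply by e to get +-r*P, whose x is the next state s'."""
    rhs = (t**3 + A * t + B) % P_MOD
    ys = [y for y in range(P_MOD) if y * y % P_MOD == rhs]   # both square roots
    s_next = x_of(ec_mul(e, (t, ys[0])))                      # sign of y is irrelevant
    return dual_ec_outputs(s_next, P, Q, n)

E = 11                    # trapdoor known only to whoever chose the points
Q = G
P = ec_mul(E, Q)          # P = e*Q: the points look innocent, the stream is predictable

if __name__ == "__main__":
    outs = dual_ec_outputs(1, P, Q, 6)
    print("generator output :", outs)
    print("predicted from t0:", predict_from_trapdoor(outs[0], E, P, Q, 5))
```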
Facts about Dual_EC_DRBG
Regardless of the backdoor Dual_EC_DRBG is a rather bad idea (H/T Matthew Green).
Dual_EC_DRBG is (assumed) safe against any adversary who doesn’t know the number e.
We don’t know for sure if anyone knows this number!
(But I think the NSA does.)
Why there might not be a backdoor
It is too simple, too clumsy.
$10m allegedly paid to RSA to implement Dual_EC_DRBG in BSAFE is not a lot of money.
Why there might be a backdoor
$10m allegedly paid to RSA is a lot of money.
P and Q are not explained.
It is widely used despite being a bad idea.
Snowden etc.
Conclusion
Cryptography is very hard. This is its biggest weakness.
Keep checking existing standards and implementations. Reject if unsure about certain things.
Thanks
Questions or comments?
Contact:
@martijn_grooten
www.virusbtn.com
www.lapsedordinary.net