On the practical exploitability of dual EC in TLS implementations

S. Checkoway, M. Fredrikson, R.F. Niederhagen, A. Everspaugh, M. Green, T. Lange, T. Ristenpart, D.J. Bernstein, J. Maskiewicz, H. Shacham

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

56 Citations (Scopus)

Abstract

This paper analyzes the actual cost of attacking TLS implementations that use NIST’s Dual EC pseudorandom number generator, assuming that the attacker generated the constants used in Dual EC. It has been known for several years that an attacker generating these constants and seeing a long enough stretch of Dual EC output bits can predict all future outputs; but TLS does not naturally provide a long enough stretch of output bits, and the cost of an attack turns out to depend heavily on choices made in implementing the RNG and on choices made in implementing other parts of TLS. Specifically, this paper investigates OpenSSL-FIPS, Windows’ SChannel, and the C/C++ and Java versions of the RSA BSAFE library. This paper shows that Dual EC exploitability is fragile, and in particular is stopped by an outright bug in the certified Dual EC implementation in OpenSSL. On the other hand, this paper also shows that Dual EC exploitability benefits from a modification made to the Dual EC standard in 2007; from several attack optimizations introduced here; and from various proposed TLS extensions, one of which is implemented in BSAFE, though disabled in the version we obtained and studied. The paper’s attacks are implemented; benchmarked; tested against libraries modified to use new Dual EC constants; and verified to successfully recover TLS plaintext.
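The mechanism the abstract refers to, as an added example (not code from the paper or from any of the libraries it studies): Dual EC on the real NIST P-256 parameters, with the attacker choosing the scalar d and publishing Q = d^-1 * P so that P = d*Q. The generator's core step is s_i = x(s_{i-1} P), r_i = x(s_i Q), and the output is r_i with its high bits discarded. Whoever knows d can lift an output block back to the point s_i Q (up to the unknown high bits), multiply by d to obtain s_i P, and read off the next state s_{i+1}. The standard discards 16 bits per P-256 block, so the attacker must try up to 2^16 candidates and needs a second block to confirm the right one; that is why the "long enough stretch of output bits" matters. The demo below reduces the truncation to 6 bits so the pure-Python brute force finishes in seconds; the secret scalar and the victim seed are constructed values, and the standard's additional-input and reseed handling are omitted.

```python
"""Dual EC back door on NIST P-256 (added example, not the paper's code).
Pure-Python affine arithmetic; needs Python 3.8+ for pow(x, -1, m)."""

# NIST P-256 domain parameters
P_MOD = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P_MOD - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

STD_TRUNC_BITS = 16   # the standard drops the 16 high bits of each P-256 x-coordinate
DEMO_TRUNC_BITS = 6   # reduced here so the brute force below finishes quickly


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return x3, y3


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def make_backdoor(d, P=G):
    """Attacker-generated constant: Q = d^-1 * P, so that d * Q = P."""
    return mul(pow(d, -1, N), P)


def dual_ec_blocks(seed, P, Q, count, trunc_bits=STD_TRUNC_BITS):
    """Core Dual EC loop: s_i = x(s_{i-1} P), r_i = x(s_i Q), emit r_i without its
    top trunc_bits bits.  Returns (blocks, state_after_last_block)."""
    mask = (1 << (256 - trunc_bits)) - 1
    s, blocks = seed, []
    for _ in range(count):
        s = mul(s, P)[0]
        blocks.append(mul(s, Q)[0] & mask)
    return blocks, s


def recover_state(block1, block2, d, P, Q, trunc_bits=STD_TRUNC_BITS):
    """Given two consecutive output blocks and the back-door scalar d (P = d*Q),
    recover the state that produced block2.  Each completion of block1's missing
    high bits that is a valid x-coordinate is lifted to R = s_i Q; then
    d*R = s_i*P, whose x-coordinate is s_{i+1}, and the candidate is confirmed
    by regenerating block2 from it."""
    low_bits = 256 - trunc_bits
    mask = (1 << low_bits) - 1
    for hi in range(1 << trunc_bits):
        x = (hi << low_bits) | block1
        if x >= P_MOD:
            break
        rhs = (x * x * x + A * x + B) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # p = 3 mod 4: a sqrt if one exists
        if y * y % P_MOD != rhs:
            continue                             # roughly half the x values are off-curve
        s_next = mul(d, (x, y))[0]               # sign of y is irrelevant: x(-dR) = x(dR)
        if (mul(s_next, Q)[0] & mask) == block2:
            return s_next
    return None


def demo():
    """Victim emits three blocks; attacker recovers state from the first two and
    predicts the third.  Returns True when both recovery and prediction succeed."""
    d = 0x2A3B4C5D6E7F80912A3B4C5D6E7F80912A3B4C5D6E7F80912A3B4C5D6E7F8091  # constructed
    seed = 0x5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED5EED  # constructed
    Q = make_backdoor(d)
    first_two, s2 = dual_ec_blocks(seed, G, Q, 2, DEMO_TRUNC_BITS)
    third, _ = dual_ec_blocks(s2, G, Q, 1, DEMO_TRUNC_BITS)
    recovered = recover_state(first_two[0], first_two[1], d, G, Q, DEMO_TRUNC_BITS)
    if recovered is None:
        return False
    predicted, _ = dual_ec_blocks(recovered, G, Q, 1, DEMO_TRUNC_BITS)
    return recovered == s2 and predicted == third


if __name__ == "__main__":
    print("state recovered and next block predicted:", demo())
```

With the standard's 16-bit truncation the same loop runs over 65536 candidates, each costing a square root and two scalar multiplications, which is the per-block work the paper's cost analysis starts from; the TLS-specific questions (how many contiguous output bytes a handshake exposes, and what each library does with the state between calls) are what the abstract says decide whether that work is ever enough.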
Original language: English
Title of host publication: Proceedings of the 23rd USENIX Security Symposium, 20-22 August 2014, San Diego, CA, USA
Publisher: USENIX Association
Pages: 319-335
ISBN (Print): 978-1-931971-15-7
Publication status: Published - 2014
Event: 23rd USENIX Security Symposium (USENIX Security 2014), San Diego, United States
Duration: 20 Aug 2014 - 22 Aug 2014
Conference number: 23
https://www.usenix.org/conference/usenixsecurity14

Conference

Conference: 23rd USENIX Security Symposium (USENIX Security 2014)
Abbreviated title: USENIX Security 14
Country: United States
City: San Diego
Period: 20/08/14 - 22/08/14
Internet address: https://www.usenix.org/conference/usenixsecurity14


Cite this

Checkoway, S., Fredrikson, M., Niederhagen, R. F., Everspaugh, A., Green, M., Lange, T., Ristenpart, T., Bernstein, D. J., Maskiewicz, J., & Shacham, H. (2014). On the practical exploitability of Dual EC in TLS implementations. In Proceedings of the 23rd USENIX Security Symposium, 20-22 August 2014, San Diego, CA, USA (pp. 319-335). USENIX Association.