- DUAL_EC_DRBG was a random number generator standardized by NIST (SP 800-90A) that was designed and promoted by the NSA and contained a backdoor. It generates output from elliptic curve points P and Q; whoever chose those constants can know a scalar d with P = d*Q, and knowing d lets them recover the generator's internal state from its output.
- While difficult to carry out against real-world implementations, the attack works by observing one output, brute-forcing the 16 bits the standard strips from it, lifting the result to a curve point, and using scalar multiplication by d to recover the next internal state (which is confirmed against the following output).
- A weaker demonstration version was created to help explain the concepts, using a smaller finite field and elliptic curve parameters so that even the secret d can be found by brute force with modest computing power.
2. What’s this nerd doing onstage?
● CS & Math BS
● Software Engineer
● Cryptoparty Ann Arbor
○ cryptoparty.in/ann_arbor - @CryptopartyAA
● Chiptunes are cool
● NOT a cryptographer
5. History
tl;dr:
● ANSI, NIST, ISO standardized Deterministic Random Bit Generator
● Designed/promoted/backdoored by NSA
● Secure crypto REQUIRES random numbers
● Cool story I won’t repeat
6. DUAL_EC_DRBG
NIST SP 800-90A:
● some elliptic curve over a finite field
● some points P, Q on the curve
● some process of getting output and permuting secret state
7. MATH BASICS
Wait… what do those words in the standard mean? What the hell does this look like?
12. Scalar Multiplication on EC
n*P = P + P + … + P
● (n times)
● n is an integer, P is a point
● Important for the standard
13. Discrete Logarithm
● No efficient algorithm known (for well-chosen groups)
b^k = g
b*b*b* … *b = g (k times)
k = log_b (g)
( the elliptic curve version: given P = d*Q, find d )
14. Math Concepts/Tools
Essential to understanding, won’t be covered in more depth
● Subgroups, Cyclic groups
● Cauchy’s, Lagrange’s, Sylow’s theorems
● Finite Fields
17. DUAL_EC_DRBG
● Defined elliptic curve, points P, Q
○ COULD use your own, but MUST use NIST provided constants for FIPS 140 certification
● P, Q are in the same group
18. DUAL_EC_DRBG
The order of the group P, Q are in is also defined as n
● for curve P-256, n = 115792089210356248762697446949407573529996955224135760342422259061068512044369
○ huh...
20. Tools
● Lagrange’s Theorem: the order of a subgroup divides the order of its group
● Group generated by X:
<X> = {X, X+X, X+X+X, … }
21. So...
● Q is in a group of prime order n
● Lagrange’s Theorem! Order of <Q> divides n, so it is either 1 or n (Q is not the identity, so it’s n).
● Q must generate that entire group!
● <Q> = {Q, Q+Q, Q+Q+Q, … }
27. DUAL_EC_DRBG
Shumow-Ferguson attack (the attacker knows d with P = d*Q):
● observe one output r: the x-coordinate of s*Q with its top 16 bits stripped
● only 2^16 candidates for the ACTUAL x-coordinate r1. brute-force them.
● plug each candidate into the curve equation to recover R = (r1, y)
○ use tonelli-shanks to get y, easy! (about half the candidates aren’t on the curve and drop out; either square root works, since the next step only uses an x-coordinate)
● x-coord of d*R = d*s*Q = s*P gets us the next secret state s2 :)
○ confirm the candidate against the following output, then predict every output after it
○ backdoor!
38. DUAL_EC_DRBG Demo?
OK, so that’s cool, but can we demo this?
Actually cracking it is difficult, since we don’t know d and can’t easily find it...
Two things you can do
40. Be Awesome
● BSAFE - :,(
○ Java - Includes fingerprints in connections
○ C - gives longer string of random bits. Faster attack!
● SChannel - :/
○ Bug that made it slightly faster to attack.
● OpenSSL - :|
○ Only FIPS version
○ Easily fixed but totally breaking bug
○ Uses additional input :)
41. Be Awesome
Each TLS library needs a tailored attack
1. Recover state from the session ID / server random fields in the handshake
2. Predict the server’s ephemeral DHE/ECDHE key, compute the shared secret => get the “master secret”
3. (optionally) recover the long-lived DSA/ECDSA signing key from a nonce the same generator produced
43. Weak DUAL_EC_DRBG
Or… re-make everything, but smaller.
More contrived, but hopefully a bit easier to grasp.
Requires algebra know-how
45. Weak DUAL_EC_DRBG
● Get some large-ish finite field (integers mod some prime)
○ 331337 is prime. cool!
● Find a curve (I have no idea what I’m doing here)
● Find some point Q on the curve that generates a large-ish subgroup of prime order
46. Weak DUAL_EC_DRBG
● Need a point Q in a subgroup of prime order. But, a large enough prime that cracking isn’t too easy (not 2, 5, 7, …)
○ Choice of finite field already puts an upper bound on the subgroup’s size (Hasse: a curve over GF(p) has p + 1 ± 2√p points, and a subgroup can’t be bigger than the curve): Don’t worry about making it too hard.
47. Weak DUAL_EC_DRBG
If Q itself doesn’t generate a prime-order subgroup, some scalar multiple of Q will.
● If the order of <Q> is not prime, factor it
○ hope it has a large prime factor q
■ if not… try another Q (or another curve)! ¯\_(ツ)_/¯
○ If it does: Cauchy’s theorem => a subgroup of order q exists! Generate it with the scalar multiple (|<Q>| / q) * Q, which has order exactly q
■ ‘intuition’ from quotient groups
48. Weak DUAL_EC_DRBG
● Once we’ve chosen Q, finding P is easy
○ pick your backdoor integer d
○ P = d*Q
○ publish P, Q. keep d secret.
● But, our subgroup is small enough we can use brute-force to find d
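The whole weak construction from slides 45 to 48, together with the scalar multiplication of slide 12 and the Shumow-Ferguson recovery of slide 27, as one runnable added example. This is not the talk’s code and not the zandi/dual_ec_demo repository: the field prime 100003, the curve family y^2 = x^3 + x + b, the 4 dropped bits, the backdoor scalar and the seeds are all constructed here for illustration. It searches curves until it finds a point whose order has a big enough prime factor, multiplies by the cofactor to get a prime-order Q, plants P = d*Q, runs the generator, and then recovers the internal state from two consecutive outputs using d; because the subgroup is tiny it also recovers d itself by walking <Q>.

```python
"""Toy Dual EC DRBG with a planted backdoor and the Shumow-Ferguson state recovery.
Added example: not the talk's code and not the zandi/dual_ec_demo repository.
The field prime, curve family, bit counts, backdoor scalar and seeds are constructed."""

P_MOD = 100003               # prime; P_MOD % 4 == 3 makes square roots one exponentiation
A = 1                        # curves y^2 = x^3 + A*x + b over GF(P_MOD); b is searched below
INF = None                   # point at infinity (the group identity)
X_BITS = P_MOD.bit_length()  # 17-bit x-coordinates
DROP_BITS = 4                # Dual EC on P-256 drops 16 of 256 bits; here 4 of 17
OUT_MASK = (1 << (X_BITS - DROP_BITS)) - 1


def sqrt_mod(v):
    """Square root of v mod P_MOD, or None if v is a non-residue. For p = 3 (mod 4) this is
    the one-exponentiation special case of Tonelli-Shanks (P-256's prime qualifies too)."""
    r = pow(v, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == v % P_MOD else None


class Curve:
    """Affine arithmetic on y^2 = x^3 + A*x + b over GF(P_MOD); INF is the identity."""
    def __init__(self, b):
        self.b = b

    def lift_x(self, x):
        """A point (x, y) on the curve with this x-coordinate, or None if there is none."""
        y = sqrt_mod((x * x * x + A * x + self.b) % P_MOD)
        return None if y is None else (x, y)

    def add(self, p1, p2):
        if p1 is INF: return p2
        if p2 is INF: return p1
        (x1, y1), (x2, y2) = p1, p2
        if x1 == x2 and (y1 + y2) % P_MOD == 0:
            return INF                                                  # p1 == -p2
        if p1 == p2:
            lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD    # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD          # chord slope
        x3 = (lam * lam - x1 - x2) % P_MOD
        return (x3, (lam * (x1 - x3) - y1) % P_MOD)

    def mul(self, n, pt):
        """n*pt = pt + pt + ... + pt (n times), by double-and-add (slide 12)."""
        acc = INF
        while n:
            if n & 1: acc = self.add(acc, pt)
            pt, n = self.add(pt, pt), n >> 1
        return acc

    def order(self, pt):
        """|<pt>|: walk pt, 2pt, 3pt, ... until the identity (slide 20's <X>)."""
        k, cur = 1, pt
        while cur is not INF:
            cur, k = self.add(cur, pt), k + 1
        return k


def largest_prime_factor(n):
    f, best = 2, 1
    while f * f <= n:
        while n % f == 0: best, n = f, n // f
        f += 1
    return max(best, n)


def find_prime_order_point(min_prime=5000):
    """Slides 45-47: for successive curves take the first point Q0 and compute |<Q0>| = c*q,
    q its largest prime factor. If q is big enough, Q = c*Q0 has prime order q
    (Lagrange/Cauchy); otherwise try the next curve. Returns (curve, Q, q)."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0: continue            # singular curve
        curve = Curve(b)
        q0 = next(pt for x in range(1, P_MOD) if (pt := curve.lift_x(x)) is not None)
        n = curve.order(q0)
        q = largest_prime_factor(n)
        if q >= min_prime:
            return curve, curve.mul(n // q, q0), q
    raise ValueError("no curve with a large enough prime-order subgroup")


def dual_ec(curve, P, Q, seed, count):
    """Toy Dual EC: states[i] = x(states[i-1] * P) (states[-1] = seed), outs[i] = x(states[i] * Q)
    with the top DROP_BITS dropped. Returns (outs, states). The s = 0 mod q collapse
    (probability about 1/q per step) is not handled and raises."""
    s, outs, states = seed, [], []
    for _ in range(count):
        s = curve.mul(s, P)[0]
        states.append(s)
        outs.append(curve.mul(s, Q)[0] & OUT_MASK)
    return outs, states


def shumow_ferguson(curve, P, Q, d, outs):
    """Recover states[1], the state behind outs[1], from outs[0] using the backdoor P = d*Q:
    with R = states[0]*Q we get d*R = states[0]*P, whose x-coordinate is states[1] (slide 27).
    Wrong guesses for the dropped bits are rejected with the later outputs."""
    for hi in range(1 << DROP_BITS):                   # brute-force the dropped high bits
        x = (hi << (X_BITS - DROP_BITS)) | outs[0]
        if x >= P_MOD: break
        R = curve.lift_x(x)                            # either root works: x(d*R) == x(d*(-R))
        if R is None: continue                         # not the x-coordinate of a curve point
        S = curve.mul(d, R)
        if S is INF: continue
        s1 = S[0]                                      # candidate next state
        T = curve.mul(s1, Q)
        if T is INF or T[0] & OUT_MASK != outs[1]: continue
        if dual_ec(curve, P, Q, s1, len(outs) - 2)[0] == outs[2:]:
            return s1
    return None


def brute_force_d(curve, P, Q, q):
    """Slide 48: in a toy-sized subgroup the backdoor scalar d is found by walking <Q>."""
    cur = Q
    for d in range(1, q):
        if cur == P: return d
        cur = curve.add(cur, Q)
    return None


CURVE, Q, ORDER_Q = find_prime_order_point()
D = 2 + 31337 % (ORDER_Q - 2)      # the designer's secret backdoor scalar, 2 <= D < ORDER_Q
P = CURVE.mul(D, Q)                # published next to Q; nothing reveals that P = D*Q


def demo(seed=4242, count=5):
    """Generate outputs, then recover states[1] from the outputs alone plus D."""
    outs, states = dual_ec(CURVE, P, Q, seed, count)
    return outs, states[1], shumow_ferguson(CURVE, P, Q, D, outs)


if __name__ == "__main__":
    outs, true_s1, recovered = demo()
    print("outputs:", outs)
    print("true state:", true_s1, "recovered:", recovered)
    print("d by brute force:", brute_force_d(CURVE, P, Q, ORDER_Q), "(planted:", D, ")")
```

The only thing the attacker needs beyond the public outputs is d; at P-256 size the brute-force walk in brute_force_d is the discrete logarithm of slide 13 and is out of reach, which is exactly why publishing P and Q without a verifiable derivation is the problem.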
49. Weak DUAL_EC_DRBG
https://github.com/zandi/dual_ec_demo
● Working weak DUAL_EC_DRBG code!
○ jeopardy ctf-style, server challenges client
○ 3 lead-in levels building up to Dual EC wannabe level
○ test attack code for each level.
○ scary but harmless cruft
Go learn!
50. Practical Takeaway
What did we learn from this whole ordeal? Is there anything we need to do *right now* to secure ourselves? What can we do going forward to prevent this from happening again?
51. Practical Takeaway
● NSA, NIST, ANSI, etc.?
○ MAYBE trust, DEFINITELY verify, peer-review.
● Using the same PRNG instance for secret & non-secret random numbers (e.g. ECDHE keys and the TLS server random). Bad idea?
○ Shouldn’t HAVE to program defensively against your crypto library/rng, but is it a good idea? ehhh… maybe not.
52. References
● NIST SP 800-90A
● “The NSA Back Door to NIST” - Thomas C. Hales, Notices of the AMS Vol. 61 No. 2
● http://projectbullrun.org/dual-ec/index.html
● “Dual EC: A Standardized Back Door” - Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen
● “Practical Kleptography” - Matthew Green, WOOT ‘14
● “On the Practical Exploitability of Dual EC in TLS Implementations” - Checkoway et al., USENIX Security ‘14 - https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/checkoway
● Jeremy Kun - elliptic curves over finite fields library - https://github.com/j2kun/elliptic-curves-finite-fields