- DUAL_EC_DRBG was a random number generator standardized by NIST that was designed and promoted by the NSA and contained a backdoor. It used elliptic curve points to generate random numbers but the NSA knew the private key, allowing them to determine the internal state. - While difficult to demonstrate on real-world implementations, the attack works by observing the random output, brute forcing short bits, and using scalar multiplication with the private key to recover the internal state. - A weaker demonstration version was created to help explain the concepts using a smaller finite field and elliptic curve parameters that could be cracked with modest computing power to find the private key and demonstrate the attack.

1. Hidden in Plain Sight
DUAL_EC_DRBG ‘n stuff

2. What’s this nerd doing
onstage?
● CS & Math BS
● Software Engineer
● Cryptoparty Ann Arbor
○ cryptoparty.in/ann_arbor - @CryptopartyAA
● Chiptunes are cool
● NOT a cryptographer

4. The Setup

5. History
tl;dr:
● ANSI, NIST, ISO standardized Deterministic
Random Bit Generator
● Designed/promoted/backdoored by NSA
● Secure crypto REQUIRES random numbers
● Cool story I won’t repeat

6. DUAL_EC_DRBG
NIST SP 800-90A:
● some elliptic curve over a finite field
● some points P, Q on the curve
● some process of getting output and
permuting secret state

7. MATH BASICS
Wait… what do those words in the standard
mean?
What the hell does this look like?

8. Elliptic Curves

9. Elliptic Curves Group

10. Groups
● set of elements G, with an operation +
● “order”: how many elements it has
Think Whole Numbers (Integers) with only +

11. Groups (Example)
Integers mod 12: a = b % 12

12. Scalar Multiplication on EC
n*P = P + P + … + P
● (n times)
● n is an integer, P is a point
● Important for the standard

13. Discrete Logarithm
● No efficient algorithm known
b^k = g
b*b*b* … *b = g (k times)
k = log_b (g)
( P = d*Q )

14. Math Concepts/Tools
Essential to understanding, won’t be covered in
more depth
● Subgroups, Cyclic groups
● Cauchy’s, Lagrange’s, Sylow’s theorems
● Finite Fields

15. Two Versions...
● Dual EC 2006
● Dual EC 2007
I’ll focus on Dual EC 2006

16. Getting Technical

17. DUAL_EC_DRBG
● Defined elliptic curve, points P, Q
○ COULD use your own, but MUST use NIST provided
constants for FIPS 140 certification
● P, Q are in the same group

18. DUAL_EC_DRBG
The order of the group P, Q are in is also
defined as n
● for curve P-256, n =
11579208921035624876269744694940757
35299969552241357603424222590610685
12044369
○ huh...

19. DUAL_EC_DRBG

20. Tools
● Lagrange’s Theorem: Order of a subgroup
divides the order its group
● Group generated by X:
<X> = {X, X+X, X+X+X, … }

21. So...
● Q is in a group of prime order
● Lagrange’s Theorem! Order of <Q> is either
1 or n (turns out it’s n).
● Q must generate that entire group!
● <Q> = {Q, Q+Q, Q+Q+Q, … }

22. DUAL_EC_DRBG
There exists some integer d such that:
P = d * Q
(P = Q + Q + … + Q)
Spoiler alert: that’s the backdoor

23. DUAL_EC_DRBG
Secret state s, points P, Q, functions f, g:
● f(s) = x(s*P)
○ updates secret state: s1 := f(s0)
● g(s) = x(s*Q)
○ gives you random bits: r1 := g(s1)

24. DUAL_EC_DRBG
ϕ: “put this into bits”, like an integer
extract_bits: remove 16 most significant bits

25. DUAL_EC_DRBG
Simplified algorithm (no additional input)
(courtesy: Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen)

26. DUAL_EC_DRBG
(Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen)

27. DUAL_EC_DRBG
Shumow-Ferguson attack:
● observe random output r
● 2^16 ACTUAL r1 candidates. brute-force.
● curve equation to recover R=(r1, y)
○ use tonelli-shanks to get y, easy!
● x-coord of d*R gets us secret state s2 :)
○ backdoor!

28. 2006 & simple
Observe a full round’s-worth of output

29. 2006 & simple
brute-force to compensate for 16 truncated bits

30. 2006 & simple
scalar multiply with backdoor. ONE of these will
give secret state s2! we win!

31. 2006 + additional input!

32. 2006 + additional input!

33. 2006 + additional input!

34. (Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen)

35. DUAL_EC_DRBG
(These are all group operations)
● R = s1*Q = g(s1)
● d*R = d*(s1*Q) = s1*(d*Q) = s1*P
● d*R = s1*P = f(s1)
● x(d*R) = x(s1*P) = s2
● internal state s2 isn’t secret anymore

36. DUAL_EC_DRBG
So, if you know d, you can backtrack and
recover state!
P = d*Q

37. Demo…?

38. DUAL_EC_DRBG Demo?
OK, so that’s cool, but can we demo this?
Actually cracking it is difficult, since we don’t
know d and can’t easily find it...
Two things you can do

39. Be Awesome

40. Be Awesome
● BSAFE - :,(
○ Java - Includes fingerprints in connections
○ C - gives longer string of random bits. Faster attack!
● SChannel - :/
○ Bug that made it slightly faster to attack.
● OpenSSL - :|
○ Only FIPS version
○ Easily fixed but totally breaking bug
○ Uses additional input :)

41. Be Awesome
Each TLS library needs a tailored attack
1. Recover state from session ID/server
random fields in handshake
2. Compute DHE/ECDHE shared secret => get
“master secret”
3. (optionally) recover long-lived DSA/ECDSA
signing key

42. Be Awesome
Exploiting a real-world instance is certainly
tricky, but possible!

43. Weak DUAL_EC_DRBG
Or… re-make everything, but smaller.
More contrived, but hopefully a bit easier to
grasp.
Requires algebra know-how

45. Weak DUAL_EC_DRBG
● Get some large-ish finite field (integers mod
some prime)
○ 331337 is prime. cool!
● Find a curve (I have no idea what I’m doing
here)
● Find some point Q on the curve that
generates a large-ish subgroup of prime
order

46. Weak DUAL_EC_DRBG
● Need a point Q in a subgroup of prime order.
But, a large enough prime that cracking isn’t
too easy (not 2, 5, 7, …)
○ Choice of finite field should put an upper bound on
subgroup’s size: Don’t worry about making it too
hard.

47. Weak DUAL_EC_DRBG
If Q itself doesn’t generate a prime-order
subgroup, some scalar multiple of Q will.
● If order of <Q> is not prime, factor it
○ hope it has a large prime factor
■ if not… try another Q! ¯_(ツ)_/¯
○ If it does: Cauchy’s theorem => subgroup of that
order exists! Generate with scalar multiple of Q
■ ‘intuition’ from quotient groups

48. Weak DUAL_EC_DRBG
● Once we’ve chosen Q, finding P is easy
○ pick your backdoor integer d
○ P = d*Q
○ publish P, Q. keep d secret.
● But, our subgroup is small enough we can
use brute-force to find d

49. Weak DUAL_EC_DRBG
https://github.com/zandi/dual_ec_demo
● Working weak DUAL_EC_DRBG code!
○ jeopardy ctf-style, server challenges client
○ 3 lead-in levels building up to Dual EC wannabe
level
○ test attack code for each level.
○ scary but harmless cruft
Go learn!

50. Practical Takeaway
What did we learn from this whole ordeal? Is
there anything we need to do *right now* to
secure ourselves? What can we do going
forward to prevent this from happening again?

51. Practical Takeaway
● NSA, NIST, ANSI, etc.?
○ MAYBE trust, DEFINITELY verify, peer-review.
● Using same PRNG instance for secret &
non-secret random numbers. Bad idea?
○ Shouldn’t HAVE to program defensively against your
crypto library/rng, but is it a good idea? ehhh…
maybe not.

52. ● NIST SP 800-90A
● “The NSA Back Door to NIST” - Thomas C. Hales,
Notices of the AMS Vol. 61 No. 2
● http://projectbullrun.org/dual-ec/index.html
● “Dual EC: A Standardized Back Door” - Daniel J.
Bernstein, Tanja Lange, and Ruben Niederhagen
● “Practical Kleptography” - Matthew Green, Woot ‘14
● https://www.usenix.
org/conference/usenixsecurity14/technical-
sessions/presentation/checkoway
● Jeremy Kun - elliptic curves over finite fields library -
https://github.com/j2kun/elliptic-curves-finite-fields

53. Keep in touch!
@the_zandi
the.zandi@gmail.com
Thanks
David Adrian, “his excellency”
dafluck, jimtern, Misec, Arbsec,
A2Y.asm, Obama, and Satan