Squeezing a key through a carry bit @ 34c3

Transcript

1. Squeezing a key
   through a carry bit
   Sean Devlin, Filippo Valsorda
   

   View Slide

2. View Slide

3. View Slide

4. One month later
   

   View Slide

5. The code
   a = a - b
   mod p
   a = a - b
   x = a
   a = a + p
   

   View Slide

6. The code
   a = a - b
   mod p
   a = a - b
   x = a
   a = a + p
   a = a - b
   t = a
   t += p
   a ?= t
   

   View Slide

7. The code
   a = a - b
   mod p
   a = a - b
   x = a
   a = a + p
   a < b
   a = a - b
   t = a
   t += p
   a ?= t
   

   View Slide

8. a = a - b
   x = a
   a = a + p
   The bug
   a = a - b
   t = a
   t += p
   a ?= t
   

   View Slide

9. The bug
   

   View Slide

10. The bug
    Wrong result with
    probability 2-32
    

    View Slide

11. A carry propagation bug
    

    View Slide

12. ECCCCCCC
    Elliptic Curve Cryptography Crash Course for CCC
    • Field: numbers modulo p
    • Points: like (3, 7); fitting an equation
    • Group: a generator point and addition
    • Multiplication: repeated addition
    

    View Slide

13. ECCCCCCCC
    Elliptic Curve Cryptography Crash Course for CCC (cont.)
    • Multiplication: 5Q = Q + Q + Q + Q + Q
    • ECDH private key: a big integer d
    • ECDH public key: Q = dG (think y = ga)
    • ECDH shared secret: Q2 = dQ1
    

    View Slide

14. Double and add
    Q2 = dQ1
    d is BIG. Like, 256 bit.
    Can't add Q to itself 2256 times.
    

    View Slide

15. Double and add
    Q2 = dQ1
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    +Q1
    Z +Q
    

    View Slide

16. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    x2
    Z +Q x2
    Q2 = dQ1
    

    View Slide

17. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    x2
    Z +Q x2 x2
    Q2 = dQ1
    

    View Slide

18. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    +Q1
    Z +Q x2 x2 +Q
    Q2 = dQ1
    

    View Slide

19. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2
    x2
    Q2 = dQ1
    

    View Slide

20. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2 +Q
    +Q1
    Q2 = dQ1
    

    View Slide

21. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2 +Q x2
    x2
    Q2 = dQ1
    

    View Slide

22. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2 +Q x2 x2 ...
    x2
    Q2 = dQ1
    

    View Slide

23. Back to the carry bug
    

    View Slide

24. secret = ScalarMult(point, scalar) ← Q2 = dQ
    └─ p256PointAddAffineAsm
    └─ p256SubInternal
    attacker supplied secret key
    session key
    

    View Slide

25. Q1
    → ScalarMult(Q1, )
    Q2
    → ScalarMult(Q2, )
    1 1 1 0 1
    Z +Q1 x2 x2 +Q1 x2 +Q1 x2 +Q1
    
    0 1 1 0 1
    Z +Q2 x2 x2 +Q2 x2 +Q2 x2 x2
    

    View Slide

26. Q1
    → ScalarMult(Q1, ) →
    Q2
    → ScalarMult(Q2, ) → ✅
    ? 1 1 0 1
    ? 1 1 0 1
    1 1 1 0 1
    

    View Slide

27. Q1
    →
    Q2
    →
    0 1 1 0 1
    1 1 1 0 1
    Q1
    →
    Q2
    →
    0 0 1 1 0 1
    1 0 1 1 0 1
    Q1
    →
    Q2
    →
    0 1 0 1 1 0 1
    1 1 0 1 1 0 1
    
    
    

    View Slide

28. View Slide

29. Go implementation of ScalarMult
    Booth's multiplication in 5-bit windows.
    Precomputed table of 1Q to 16Q. Add, double 5 times.
    01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...
    

    View Slide

30. Precomp
    table
    

    View Slide

31. Multiplication
    loop
    

    View Slide

32. Go implementation of ScalarMult
    Booth's multiplication in 5-bit windows.
    Precomputed table of 1Q to 16Q. Add, double 5 times.
    Limbs representation: less overlap and aliasing problems.
    01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...
    {1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ...
    

    View Slide

33. Go implementation of ScalarMult
    Booth's multiplication in 5-bit windows.
    Precomputed table of 1Q to 16Q. Add, double 5 times.
    Attack one limb at a time, instead of one bit.
    34 limb values → 17 points / 5 key bits on average.
    01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...
    

    View Slide

34. Multiplication
    loop
    
    
    

    View Slide

35. Assembly
    hook
    
    

    View Slide

36. View Slide

37. View Slide

38. View Slide

39. The first limb
    3 3 x2 x2 x2 x2 x2 → 3 x25
    Precomp Doubling
    Limb
    
    

    View Slide

40. The first limb
    3 3 x2 x2 x2 x2 x2 → 3 x25
    3 x2 6 x2 x2 x2 x2 x2 → 3 x26
    3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27
    Precomp Doubling
    Limb
    
    
    
    

    View Slide

41. The first limb
    3 3 x2 x2 x2 x2 x2 → 3 x25
    3 x2 6 x2 x2 x2 x2 x2 → 3 x26
    3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27
    Precomp Doubling
    Limb
    
    
    
    
    
    

    View Slide

42. The
    last bits
    

    View Slide

43. 
    
    
    Kangaroo jumps depend from the terrain at the start point.
    Let a tracked kangaroo loose. Place a trap at the end.
    

    View Slide

44. 
    
    
    
    
    
    Kangaroo jumps depend from the terrain at the start point.
    If the wild kangaroo intersects the path at any point,

    it ends up in the trap.
    

    View Slide

45. Back to elliptic curves.
    A jump is QN+1 = QN + H(QN) where H is a hash.
    Same starting point, same jump.
    You run from a known starting point, then from dG.

    If you collide, you traceback to d!
    
    
    

    View Slide

46. A target
    • JSON Object Signing and Encryption, JOSE (JWT)
    • ECDH-ES public key algorithm
    • go-jose and Go 1.8.1
    • Check if the service successfully decrypts payload
    

    View Slide

47. Spot instance infrastructure
    
    Sage
    dispatcher /work
    /result
    

    View Slide

48. Figures!
    • Each key: ~52 limbs, modulo the kangaroo
    • Each limb: ~16 points on average
    • Each point: ~226 candidate points
    • (226 * 16) candidate points: ~85 CPU hours
    • 85 CPU hours: $1.26 EC2 spot instances
    • Total: 4,400 CPU hours / $65 on EC2
    

    View Slide

49. Demo
    

    View Slide

50. Demo
    

    View Slide

51. Demo
    

    View Slide

52. Filippo Valsorda
    @FiloSottile
    Sean Devlin
    @spdevlin
    Thank you!
    No bug is small enough.
    

    View Slide