# ECDH

[TOC]

## ECDH description:
See https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman

## Bugs
Some libraries do not check if the elliptic curve points received from another
party are points on the curve. Encodings of public keys typically contain the
curve for the public key point. If such an encoding is used in the key exchange
then it is important to check that the public and secret key used to compute
the shared ECDH secret are using the same curve.
Some libraries fail to do this check.

**Potential exploits:**
The damage done depends on the protocol that uses ECDH. E.g. if ECDH is used
with ephemeral keys then the damage is typically limited. If the EC keys are
static, i.e. used for multiple key exchanges then a failure to verify a public
point can disclose the private key used in the same protocol.
(To do: add papers describing the attack).

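The two checks this section describes (both keys on the same curve, peer point on that curve), done by the caller before a JCE `KeyAgreement`. This is an added example, not code from the original page or from any library named on it. The names `CheckedEcdh`, `reject` and `agree` are hypothetical, the inputs in `main` are constructed, and only prime-field curves are handled.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
import javax.crypto.KeyAgreement;

public class CheckedEcdh {
    // Returns null if the peer point is acceptable for this private key, else the reason it is not.
    static String reject(ECPrivateKey priv, ECParameterSpec pub, ECPoint w) {
        ECParameterSpec mine = priv.getParams();
        EllipticCurve c = mine.getCurve();
        if (!c.equals(pub.getCurve()) || !mine.getGenerator().equals(pub.getGenerator())
                || !mine.getOrder().equals(pub.getOrder())
                || mine.getCofactor() != pub.getCofactor())
            return "public and private key use different curves";
        if (w.equals(ECPoint.POINT_INFINITY) || !(c.getField() instanceof ECFieldFp))
            return "point at infinity or non-prime field";
        BigInteger p = ((ECFieldFp) c.getField()).getP();
        BigInteger x = w.getAffineX(), y = w.getAffineY();
        if (x.signum() < 0 || x.compareTo(p) >= 0 || y.signum() < 0 || y.compareTo(p) >= 0)
            return "coordinate outside [0, p-1]";
        // Curve equation: y^2 = x^3 + a*x + b (mod p)
        BigInteger rhs = x.multiply(x).add(c.getA()).multiply(x).add(c.getB()).mod(p);
        return y.multiply(y).mod(p).equals(rhs) ? null : "point is not on the curve";
    }

    static byte[] agree(ECPrivateKey priv, ECPublicKey peer) throws GeneralSecurityException {
        String why = reject(priv, peer.getParams(), peer.getW());
        if (why != null) throw new InvalidKeyException(why); // before any point multiplication
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(priv);
        ka.doPhase(peer, true);
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec("secp256r1"));
        ECPrivateKey priv = (ECPrivateKey) g.generateKeyPair().getPrivate();
        ECPublicKey good = (ECPublicKey) g.generateKeyPair().getPublic();
        g.initialize(new ECGenParameterSpec("secp384r1"));
        ECPublicKey other = (ECPublicKey) g.generateKeyPair().getPublic();
        System.out.println("valid key: " + agree(priv, good).length + " byte secret");
        // Constructed bad inputs: a key on another curve, and (x, y+1), which is off the curve.
        ECPoint w = good.getW();
        ECPoint off = new ECPoint(w.getAffineX(), w.getAffineY().add(BigInteger.ONE));
        System.out.println("other curve: " + reject(priv, other.getParams(), other.getW()));
        System.out.println("off curve: " + reject(priv, good.getParams(), off));
    }
}
```

The validation runs on the decoded key object, so it applies regardless of which encoding (compressed or uncompressed) the peer sent.
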
## Libraries
**Sun JCE provider:**
ECDH does not check if the points are on the curve.
The implementer must do this.

**Bouncycastle:**
The ECDH implementation does not check if the point is on the curve.
Furthermore, Bouncycastle does not even check if the public and private key are
on the same curve. It performs a point multiplication \\(x \cdot Y\\) over the
curve specified by the public key.

**OpenSSL:**
Point verification is done in OpenSSL if the right functions are used.
Since OpenSSL is not well documented it is a bit tricky to find the right
functions.
(To do: maybe add an example).

## Countermeasures
TODO:
* use point compression. Formats such as X509EncodedKeySpec
in Java include bits that indicate whether the point is compressed or not.
Hence an attacker can always choose to use uncompressed points as long as this
option is incorrectly implemented.
* check that public and private key use the same curve
* restrict the protocol to named curves
* reconstruct the public key explicitly using the parameters of the private
  key.

**Further recommendations:**
If possible I also check if the points are on the curve after point
multiplications on an elliptic curve in the hope of catching implementation
and hardware faults.

## Some notable bugs:
* ECDHC in Bouncycastle could be broken by modifying the order of the public key.