You are looking at a specific version 20080316:141200 of this paper.
See the latest version.
Paper 2008/113
Open Source Is Not Enough. Attacking the EC-package of Bouncycastle version 1.x_132
Daniel Mall and Qing Zhong
Abstract
BouncyCastle is an open source Crypto provider written in Java which supplies classes for Elliptic Curve Cryptography (ECC). We have found a flaw in the class ECPoint resulting from an unhappy interaction of elementary algorithms. We show how to exploit this flaw to a real world attack, e.g., on the encryption scheme ECIES. BouncyCastle has since fixed this flaw (version 1.x_133 and higher) but all older versions remain highly vulnerable to an active attacker and the attack shows a certain vulnerability of the involved validation algorithms.
Metadata
- Available format(s)
- Category
- Implementation
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- elliptic curve cryptography
- Contact author(s)
- daniel mall @ fhnw ch
- History
- 2008-03-16: received
- Short URL
- https://ia.cr/2008/113
- License
-
CC BY