Paper 2018/298

In search of CurveSwap: Measuring elliptic curve implementations in the wild

Luke Valenta, Nick Sullivan, Antonio Sanso, and Nadia Heninger

Abstract

We survey elliptic curve implementations from several vantage points. We perform internet-wide scans for TLS on a large number of ports, as well as SSH and IPsec, to measure elliptic curve support and implementation behaviors, and collect passive measurements of client curve support for TLS. We also perform active measurements to estimate server vulnerability to known attacks against elliptic curve implementations, including support for weak curves, invalid curve attacks, and curve twist attacks. We estimate that 0.77% of HTTPS hosts, 0.04% of SSH hosts, and 4.04% of IKEv2 hosts that support elliptic curves do not perform curve validity checks as specified in elliptic curve standards. We describe how such vulnerabilities could be used to construct an elliptic curve parameter downgrade attack called CurveSwap for TLS, and observe that there do not appear to be combinations of weak behaviors we examined enabling a feasible CurveSwap attack in the wild. We also analyze source code for elliptic curve implementations, and find that a number of libraries fail to perform point validation for JSON Web Encryption, and find a flaw in the Java and NSS multiplication algorithms.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. EuroS&P 2018
Keywords
elliptic curve cryptography, invalid curve attack, curveswap
Contact author(s)
lukev @ seas upenn edu
History
2018-03-29: received
Short URL
https://ia.cr/2018/298
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/298,
      author = {Luke Valenta and Nick Sullivan and Antonio Sanso and Nadia Heninger},
      title = {In search of {CurveSwap}: Measuring elliptic curve implementations in the wild},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/298},
      year = {2018},
      url = {https://eprint.iacr.org/2018/298}
}