The Color of Money
- 1. Tal Be’ery, Co-Founder @ KZen Networks
16.10.18 ZK TLV Meet-up
The Color of Money
Elliptic Curve Cryptography (ECC) primer + one attack on a flawed ECC implementation
- 2. Who Am I?
‣ Tal Be’ery
‣ Co-Founder @ KZen
Networks
‣ email: Tal at kzencorp dot
com
‣ Twitter: @TalBeerySec
‣ Security Researcher, speaker
@ BlackHat, RSA
‣ Alumni of: Imperva, Aorato,
Microsoft, Innov8 VC
- 4. KZen Networks is Hiring!
‣ Peace of Mind for Your Digital Currency
‣ VC backed
‣ We are hiring!
‣ https://www.kzencorp.com/#careers
- 5. Agenda
‣ Elliptic Curve Cryptography (ECC)
‣ Motivation (TLS, Crypto Currency)
‣ Learning Elliptic Curve with Billiards
‣ Double Billiards: Elliptic Curve Diffie-Hellman (ECDH)
‣ The BlueTooth Pairing Attack CVE-2018-5383
‣ BlueTooth’s Pairing Process
‣ Cheating in Double Billiards: ECDH Man-in-the-Middle
(MITM)
- 6. Full Disclosure
‣ Billiards metaphor: Nick Sullivan 2013
‣ https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-
on-elliptic-curve-cryptography/
‣ CVE-2018-5383: Eli Biham & Lior Neumann 2018
‣ http://www.cs.technion.ac.il/~biham/BT/bt-fixed-coordinate-invalid-
curve-attack.pdf
‣ All I did is to combine them together: Tal Be’ery 2018
‣ https://hackernoon.com/bluetooth-hacking-cheating-in-elliptic-
curve-billiards-c092fdf70aae
‣ And I am a poor Billiards player
- 9. Motivation: Why ECC?
‣ Public-key Cryptography /Asymmetric cryptography
‣ Based on “Hard Problems” that are easy to “do” but hard to “undo”
‣ But we already have RSA? ECC offers some trade offs
‣ Including smaller key size for the same security
‣ Some usage examples
‣ TLS
‣ Cryptocurrency (e.g. Bitcoin, Ethereum)
- 11. Billiards Shot: Adding Points
‣ A+B=C
‣ Place ball at point A
‣ Shoot towards point B
‣ When the ball hits the
curve, it bounces to the
other side of the curve
‣ This is the result C
- 12. Billiards Trick Shot: Doubling
Point
‣ “double” a point, add a Point to itself (P
+ P = 2P)
‣ How can you shoot a ball from P towards
P itself?
‣ To do so, let’s choose point P’ very close
to P and shot towards it. As we bring P’
closer and closer to P, the connecting
line between them gets closer to the
Tangent of P
‣ Like before, when the ball hits the curve,
it bounces to the other side of the curve
‣ This is the result 2*P
- 13. The Point in Infinity ∞
‣ A+B=C. What happens if B = -A ?
‣ Place ball at point A
‣ Shoot towards point B (-A)
‣ When the ball hits the curve, it
bounces to the other side of the curve
‣ But the ball never touches the curve…
‣ The ball needs to be “artificially”
stopped on a point named “point-at-
infinity” or ∞, which is “0”
‣ This is the result P + (-P) = 0
- 14. Let’s Play Bizzaro Billiards!
‣ Two players: Shooter and Guesser
‣ The Shooter enters the game room alone
‣ The ball is placed on a known point P
‣ Shooter choose how many times to successively
shoot towards the same Point P.
‣ When the Shooter is done, the Guesser enters the
room and tries to guess how many time the ball was
struck.
- 15. Hardness of Bizzaro Billiards
‣ For Guesser:
‣ Must replay the game until the table reaches its state and then they know the
number.
‣ Complexity O(n) or O(2^L), where n=2^L
‣ For Player:
‣ they know n in advance, so they can use the doubling trick
‣ Example: 100P = 2(2[P + 2(2[2(P + 2P)])]) , Only 6 doubling and 2 additions
‣ Complexity is O(log(n)) or O(L), where N=2^L
‣ We found the “Hard Problem” we were after!
‣ "Elliptic Curve Discrete Logarithm Problem" (ECDLP)
- 17. Doubles Bizzaro Billiards:
ECDH
‣ Alice plays our Bizzaro Billiards game
‣ Ball placed in a known point P
‣ She shoots S₁ times (S₁*P) of her choosing.
‣ Sends a photo of the table to Bob.
‣ Bob places the ball on the same place on his table (S₁*P) according to the
picture and then shoots S₂ times (S₂*(S₁*P)).
‣ At the same time, Bob starts a new game on another table and strikes S₂ times
(S₂*P), sending a picture to Alice so she can strike S₁ times. (S₁*(S₂*P))
‣ By doing so, Alice and Bob individually arrived to the same final table position
(S₁*S₂*P =S₂*S₁*P)
‣ They can now use the X coordinate of this final point as their shared secret.
- 20. Security Analysis for Eve
‣ In this process neither Alice nor Bob learned
about the other party’s individual secret. (S₁,
S₂)
‣ More importantly, Eve didn’t learn about S₁, S₂
or the final table position and the resulting
shared secret, although she had access to the
table pictures exchanged in the middle of the
game.
‣ Revealing S₁ or S₂ is impossible, as we recall
that “undoing” the number of times the ball was
struck is hard.
- 22. Security Analysis for Mallory
‣ However, if the attacker is an active MITM,
Mallory, she can play DH with Alice and Bob
individually and have them talking to her,
instead of each other
‣ Therefore, shared secret (X coordinate) must
be validated later on within the protocol
- 24. BlueTooth
‣ Bluetooth is a wireless technology
standard for exchanging data over
short distances
‣ Bluetooth can expose private data
or let a connecting party control the
Bluetooth device.
‣ Pairing process is used to identify
specific devices, and thus enable
control over which devices can
connect to a given Bluetooth device.
- 25. Bluetooth Pairing Process
‣ ECDH to generate Kdh
‣ Kdh is later verified using
the Bluetooth PIN code
‣ Great! Or not so? 😈
‣ Kdh is only the X
coordinate
‣ The spec doesn’t
mandate Y coordinate
verification
- 26. CVE-2018-5383
‣ Y coordinate is not verified
‣ Mallory abuses this fact and
zeroes the Y coordinate of
the pictures (public keys)
exchanged by Alice and Bob.
‣ Zeroing the Y coordinate
places the ball in a very
special place on (another)
table
- 27. Dull Billiards on ∞
‣ Bob places the ball on the X Axis (according to
the fiddled pic)
‣ Bob is snookered! He can only shot on a right
angle:
‣ He shoots the ball towards itself ( P + P = 2P).
The tangent is a straight line. The result is “0”
(“point-at-infinity” ∞).
‣ Bob is Snookered forever! since the ball doesn’t
hit the curve with an angle, it can only bounce
from the table edge on a right angle again
‣ On the next shot, the ball is shot towards the
original point and ends there. ( 0 + P = P)
‣ Next shots merely repeat that process: On every
even addition the ball reaches ∞, on every odd
addition the ball lands back on the X axis.
- 29. Mallory Wins!
‣ Boring and predictable is exactly what Mallory wants!
‣ She replaces the original pictures (Pb₁, Pb₂) of the table with pictures of
“fixed-up” tables (Pb₁', Pb₂’)
‣ If both S₁,S₂ happen to be even then the result will be S₂*Pb₁' = ∞
=S₁*Pb₂'. The pairing will be successful and will create a shared key that
Eve knows!
‣ In any other case, i.e. if either s1 or s2 is odd the pairing will fail as Pb₁’≠
Pb₂’≠∞.
‣ Therefore, Eve has 25% success rate in finding the shared secret that
allows her to eavesdrop and manipulate Bluetooth traffic.
‣ 25% may sound low, but since victim users are very likely to retry to pair if
pairing has failed, then eventually Eve will be successful.
Editor's Notes
- https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication