SlideShare a Scribd company logo

The Color of Money

Download as PPTX, PDF
Tal Be'ery
Tal Be'ery

This document summarizes an Elliptic Curve Cryptography (ECC) presentation about a Bluetooth pairing attack. It begins with an introduction of ECC using an analogy of billiards on an elliptic curve table. It then explains how ECC is used for key exchange in Elliptic Curve Diffie-Hellman (ECDH). The document describes a Bluetooth pairing vulnerability that allows an attacker to perform a man-in-the-middle attack on the ECDH key exchange by manipulating the Y-coordinate. This places the ball in a position where it can predict the shared secret if the private keys are both even numbers.

Related slideshows

The Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral MovementThe Industrial Revolution of Lateral Movement
The Industrial Revolution of Lateral Movement
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local UsersThe Enemy Within: Stopping Advanced Attacks Against Local Users
The Enemy Within: Stopping Advanced Attacks Against Local Users
 
Target Breach Analysis
Target Breach AnalysisTarget Breach Analysis
Target Breach Analysis
 
1 of 31
Tal Be’ery, Co-Founder @ KZen Networks 16.10.18 ZK TLV Meet-up The Color of Money Elliptic Curve Cryptography (ECC) primer + one attack on a flawed ECC implementation
Who Am I? ‣ Tal Be’ery ‣ Co-Founder @ KZen Networks ‣ email: Tal at kzencorp dot com ‣ Twitter: @TalBeerySec ‣ Security Researcher, speaker @ BlackHat, RSA ‣ Alumni of: Imperva, Aorato, Microsoft, Innov8 VC
KZen Networks
KZen Networks is Hiring! ‣ Peace of Mind for Your Digital Currency ‣ VC backed ‣ We are hiring! ‣ https://www.kzencorp.com/#careers
Agenda ‣ Elliptic Curve Cryptography (ECC) ‣ Motivation (TLS, Crypto Currency) ‣ Learning Elliptic Curve with Billiards ‣ Double Billiards: Elliptic Curve Diffie-Hellman (ECDH) ‣ The BlueTooth Pairing Attack CVE-2018-5383 ‣ BlueTooth’s Pairing Process ‣ Cheating in Double Billiards: ECDH Man-in-the-Middle (MITM)
Full Disclosure ‣ Billiards metaphor: Nick Sullivan 2013 ‣ https://blog.cloudflare.com/a-relatively-easy-to-understand-primer- on-elliptic-curve-cryptography/ ‣ CVE-2018-5383: Eli Biham & Lior Neumann 2018 ‣ http://www.cs.technion.ac.il/~biham/BT/bt-fixed-coordinate-invalid- curve-attack.pdf ‣ All I did is to combine them together: Tal Be’ery 2018 ‣ https://hackernoon.com/bluetooth-hacking-cheating-in-elliptic- curve-billiards-c092fdf70aae ‣ And I am a poor Billiards player
Some Found it Interesting…
Elliptic Curve Cryptography
Motivation: Why ECC? ‣ Public-key Cryptography /Asymmetric cryptography ‣ Based on “Hard Problems” that are easy to “do” but hard to “undo” ‣ But we already have RSA? ECC offers some trade offs ‣ Including smaller key size for the same security ‣ Some usage examples ‣ TLS ‣ Cryptocurrency (e.g. Bitcoin, Ethereum)
Billiards Table: Elliptic Curve ‣ The Elliptic Curve (y² = x³+ ax + b) is our Billiards table
Billiards Shot: Adding Points ‣ A+B=C ‣ Place ball at point A ‣ Shoot towards point B ‣ When the ball hits the curve, it bounces to the other side of the curve ‣ This is the result C
Billiards Trick Shot: Doubling Point ‣ “double” a point, add a Point to itself (P + P = 2P) ‣ How can you shoot a ball from P towards P itself? ‣ To do so, let’s choose point P’ very close to P and shot towards it. As we bring P’ closer and closer to P, the connecting line between them gets closer to the Tangent of P ‣ Like before, when the ball hits the curve, it bounces to the other side of the curve ‣ This is the result 2*P
The Point in Infinity ∞ ‣ A+B=C. What happens if B = -A ? ‣ Place ball at point A ‣ Shoot towards point B (-A) ‣ When the ball hits the curve, it bounces to the other side of the curve ‣ But the ball never touches the curve… ‣ The ball needs to be “artificially” stopped on a point named “point-at- infinity” or ∞, which is “0” ‣ This is the result P + (-P) = 0
Let’s Play Bizzaro Billiards! ‣ Two players: Shooter and Guesser ‣ The Shooter enters the game room alone ‣ The ball is placed on a known point P ‣ Shooter choose how many times to successively shoot towards the same Point P. ‣ When the Shooter is done, the Guesser enters the room and tries to guess how many time the ball was struck.
Hardness of Bizzaro Billiards ‣ For Guesser: ‣ Must replay the game until the table reaches its state and then they know the number. ‣ Complexity O(n) or O(2^L), where n=2^L ‣ For Player: ‣ they know n in advance, so they can use the doubling trick ‣ Example: 100P = 2(2[P + 2(2[2(P + 2P)])]) , Only 6 doubling and 2 additions ‣ Complexity is O(log(n)) or O(L), where N=2^L ‣ We found the “Hard Problem” we were after! ‣ "Elliptic Curve Discrete Logarithm Problem" (ECDLP)
Elliptic-Curve Diffie-Hellman ‣ Diffie-Hellman algorithm allows secure key exchange in the presence of eavesdropper ‣ Elliptic-Curve Diffie-Hellman (ECDH) is DH based on ECC
Doubles Bizzaro Billiards: ECDH ‣ Alice plays our Bizzaro Billiards game ‣ Ball placed in a known point P ‣ She shoots S₁ times (S₁*P) of her choosing. ‣ Sends a photo of the table to Bob. ‣ Bob places the ball on the same place on his table (S₁*P) according to the picture and then shoots S₂ times (S₂*(S₁*P)). ‣ At the same time, Bob starts a new game on another table and strikes S₂ times (S₂*P), sending a picture to Alice so she can strike S₁ times. (S₁*(S₂*P)) ‣ By doing so, Alice and Bob individually arrived to the same final table position (S₁*S₂*P =S₂*S₁*P) ‣ They can now use the X coordinate of this final point as their shared secret.
More Formal Notation ‣ Private keys: S₁,S₂ ‣ public keys ‣ Pb₁ = S₁*P ‣ Pb₂ = S₂*P
I don’t understand
Security Analysis for Eve ‣ In this process neither Alice nor Bob learned about the other party’s individual secret. (S₁, S₂) ‣ More importantly, Eve didn’t learn about S₁, S₂ or the final table position and the resulting shared secret, although she had access to the table pictures exchanged in the middle of the game. ‣ Revealing S₁ or S₂ is impossible, as we recall that “undoing” the number of times the ball was struck is hard.
I got it!
Security Analysis for Mallory ‣ However, if the attacker is an active MITM, Mallory, she can play DH with Alice and Bob individually and have them talking to her, instead of each other ‣ Therefore, shared secret (X coordinate) must be validated later on within the protocol
The BlueTooth Pairing Attack
BlueTooth ‣ Bluetooth is a wireless technology standard for exchanging data over short distances ‣ Bluetooth can expose private data or let a connecting party control the Bluetooth device. ‣ Pairing process is used to identify specific devices, and thus enable control over which devices can connect to a given Bluetooth device.
Bluetooth Pairing Process ‣ ECDH to generate Kdh ‣ Kdh is later verified using the Bluetooth PIN code ‣ Great! Or not so? 😈 ‣ Kdh is only the X coordinate ‣ The spec doesn’t mandate Y coordinate verification
CVE-2018-5383 ‣ Y coordinate is not verified ‣ Mallory abuses this fact and zeroes the Y coordinate of the pictures (public keys) exchanged by Alice and Bob. ‣ Zeroing the Y coordinate places the ball in a very special place on (another) table
Dull Billiards on ∞ ‣ Bob places the ball on the X Axis (according to the fiddled pic) ‣ Bob is snookered! He can only shot on a right angle: ‣ He shoots the ball towards itself ( P + P = 2P). The tangent is a straight line. The result is “0” (“point-at-infinity” ∞). ‣ Bob is Snookered forever! since the ball doesn’t hit the curve with an angle, it can only bounce from the table edge on a right angle again ‣ On the next shot, the ball is shot towards the original point and ends there. ( 0 + P = P) ‣ Next shots merely repeat that process: On every even addition the ball reaches ∞, on every odd addition the ball lands back on the X axis.
I got it! If S₂ is evenIf S₁ is even
Mallory Wins! ‣ Boring and predictable is exactly what Mallory wants! ‣ She replaces the original pictures (Pb₁, Pb₂) of the table with pictures of “fixed-up” tables (Pb₁', Pb₂’) ‣ If both S₁,S₂ happen to be even then the result will be S₂*Pb₁' = ∞ =S₁*Pb₂'. The pairing will be successful and will create a shared key that Eve knows! ‣ In any other case, i.e. if either s1 or s2 is odd the pairing will fail as Pb₁’≠ Pb₂’≠∞. ‣ Therefore, Eve has 25% success rate in finding the shared secret that allows her to eavesdrop and manipulate Bluetooth traffic. ‣ 25% may sound low, but since victim users are very likely to retry to pair if pairing has failed, then eventually Eve will be successful.
Questions? @TalBeerySec Tal at KZencorp dot com
KZen Networks is Hiring!

More Related Content

The Color of Money

  • 1. Tal Be’ery, Co-Founder @ KZen Networks 16.10.18 ZK TLV Meet-up The Color of Money Elliptic Curve Cryptography (ECC) primer + one attack on a flawed ECC implementation
  • 2. Who Am I? ‣ Tal Be’ery ‣ Co-Founder @ KZen Networks ‣ email: Tal at kzencorp dot com ‣ Twitter: @TalBeerySec ‣ Security Researcher, speaker @ BlackHat, RSA ‣ Alumni of: Imperva, Aorato, Microsoft, Innov8 VC
  • 4. KZen Networks is Hiring! ‣ Peace of Mind for Your Digital Currency ‣ VC backed ‣ We are hiring! ‣ https://www.kzencorp.com/#careers
  • 5. Agenda ‣ Elliptic Curve Cryptography (ECC) ‣ Motivation (TLS, Crypto Currency) ‣ Learning Elliptic Curve with Billiards ‣ Double Billiards: Elliptic Curve Diffie-Hellman (ECDH) ‣ The BlueTooth Pairing Attack CVE-2018-5383 ‣ BlueTooth’s Pairing Process ‣ Cheating in Double Billiards: ECDH Man-in-the-Middle (MITM)
  • 6. Full Disclosure ‣ Billiards metaphor: Nick Sullivan 2013 ‣ https://blog.cloudflare.com/a-relatively-easy-to-understand-primer- on-elliptic-curve-cryptography/ ‣ CVE-2018-5383: Eli Biham & Lior Neumann 2018 ‣ http://www.cs.technion.ac.il/~biham/BT/bt-fixed-coordinate-invalid- curve-attack.pdf ‣ All I did is to combine them together: Tal Be’ery 2018 ‣ https://hackernoon.com/bluetooth-hacking-cheating-in-elliptic- curve-billiards-c092fdf70aae ‣ And I am a poor Billiards player
  • 7. Some Found it Interesting…
  • 9. Motivation: Why ECC? ‣ Public-key Cryptography /Asymmetric cryptography ‣ Based on “Hard Problems” that are easy to “do” but hard to “undo” ‣ But we already have RSA? ECC offers some trade offs ‣ Including smaller key size for the same security ‣ Some usage examples ‣ TLS ‣ Cryptocurrency (e.g. Bitcoin, Ethereum)
  • 10. Billiards Table: Elliptic Curve ‣ The Elliptic Curve (y² = x³+ ax + b) is our Billiards table
  • 11. Billiards Shot: Adding Points ‣ A+B=C ‣ Place ball at point A ‣ Shoot towards point B ‣ When the ball hits the curve, it bounces to the other side of the curve ‣ This is the result C
  • 12. Billiards Trick Shot: Doubling Point ‣ “double” a point, add a Point to itself (P + P = 2P) ‣ How can you shoot a ball from P towards P itself? ‣ To do so, let’s choose point P’ very close to P and shot towards it. As we bring P’ closer and closer to P, the connecting line between them gets closer to the Tangent of P ‣ Like before, when the ball hits the curve, it bounces to the other side of the curve ‣ This is the result 2*P
  • 13. The Point in Infinity ∞ ‣ A+B=C. What happens if B = -A ? ‣ Place ball at point A ‣ Shoot towards point B (-A) ‣ When the ball hits the curve, it bounces to the other side of the curve ‣ But the ball never touches the curve… ‣ The ball needs to be “artificially” stopped on a point named “point-at- infinity” or ∞, which is “0” ‣ This is the result P + (-P) = 0
  • 14. Let’s Play Bizzaro Billiards! ‣ Two players: Shooter and Guesser ‣ The Shooter enters the game room alone ‣ The ball is placed on a known point P ‣ Shooter choose how many times to successively shoot towards the same Point P. ‣ When the Shooter is done, the Guesser enters the room and tries to guess how many time the ball was struck.
  • 15. Hardness of Bizzaro Billiards ‣ For Guesser: ‣ Must replay the game until the table reaches its state and then they know the number. ‣ Complexity O(n) or O(2^L), where n=2^L ‣ For Player: ‣ they know n in advance, so they can use the doubling trick ‣ Example: 100P = 2(2[P + 2(2[2(P + 2P)])]) , Only 6 doubling and 2 additions ‣ Complexity is O(log(n)) or O(L), where N=2^L ‣ We found the “Hard Problem” we were after! ‣ "Elliptic Curve Discrete Logarithm Problem" (ECDLP)
  • 16. Elliptic-Curve Diffie-Hellman ‣ Diffie-Hellman algorithm allows secure key exchange in the presence of eavesdropper ‣ Elliptic-Curve Diffie-Hellman (ECDH) is DH based on ECC
  • 17. Doubles Bizzaro Billiards: ECDH ‣ Alice plays our Bizzaro Billiards game ‣ Ball placed in a known point P ‣ She shoots S₁ times (S₁*P) of her choosing. ‣ Sends a photo of the table to Bob. ‣ Bob places the ball on the same place on his table (S₁*P) according to the picture and then shoots S₂ times (S₂*(S₁*P)). ‣ At the same time, Bob starts a new game on another table and strikes S₂ times (S₂*P), sending a picture to Alice so she can strike S₁ times. (S₁*(S₂*P)) ‣ By doing so, Alice and Bob individually arrived to the same final table position (S₁*S₂*P =S₂*S₁*P) ‣ They can now use the X coordinate of this final point as their shared secret.
  • 18. More Formal Notation ‣ Private keys: S₁,S₂ ‣ public keys ‣ Pb₁ = S₁*P ‣ Pb₂ = S₂*P
  • 20. Security Analysis for Eve ‣ In this process neither Alice nor Bob learned about the other party’s individual secret. (S₁, S₂) ‣ More importantly, Eve didn’t learn about S₁, S₂ or the final table position and the resulting shared secret, although she had access to the table pictures exchanged in the middle of the game. ‣ Revealing S₁ or S₂ is impossible, as we recall that “undoing” the number of times the ball was struck is hard.
  • 22. Security Analysis for Mallory ‣ However, if the attacker is an active MITM, Mallory, she can play DH with Alice and Bob individually and have them talking to her, instead of each other ‣ Therefore, shared secret (X coordinate) must be validated later on within the protocol
  • 24. BlueTooth ‣ Bluetooth is a wireless technology standard for exchanging data over short distances ‣ Bluetooth can expose private data or let a connecting party control the Bluetooth device. ‣ Pairing process is used to identify specific devices, and thus enable control over which devices can connect to a given Bluetooth device.
  • 25. Bluetooth Pairing Process ‣ ECDH to generate Kdh ‣ Kdh is later verified using the Bluetooth PIN code ‣ Great! Or not so? 😈 ‣ Kdh is only the X coordinate ‣ The spec doesn’t mandate Y coordinate verification
  • 26. CVE-2018-5383 ‣ Y coordinate is not verified ‣ Mallory abuses this fact and zeroes the Y coordinate of the pictures (public keys) exchanged by Alice and Bob. ‣ Zeroing the Y coordinate places the ball in a very special place on (another) table
  • 27. Dull Billiards on ∞ ‣ Bob places the ball on the X Axis (according to the fiddled pic) ‣ Bob is snookered! He can only shot on a right angle: ‣ He shoots the ball towards itself ( P + P = 2P). The tangent is a straight line. The result is “0” (“point-at-infinity” ∞). ‣ Bob is Snookered forever! since the ball doesn’t hit the curve with an angle, it can only bounce from the table edge on a right angle again ‣ On the next shot, the ball is shot towards the original point and ends there. ( 0 + P = P) ‣ Next shots merely repeat that process: On every even addition the ball reaches ∞, on every odd addition the ball lands back on the X axis.
  • 28. I got it! If S₂ is evenIf S₁ is even
  • 29. Mallory Wins! ‣ Boring and predictable is exactly what Mallory wants! ‣ She replaces the original pictures (Pb₁, Pb₂) of the table with pictures of “fixed-up” tables (Pb₁', Pb₂’) ‣ If both S₁,S₂ happen to be even then the result will be S₂*Pb₁' = ∞ =S₁*Pb₂'. The pairing will be successful and will create a shared key that Eve knows! ‣ In any other case, i.e. if either s1 or s2 is odd the pairing will fail as Pb₁’≠ Pb₂’≠∞. ‣ Therefore, Eve has 25% success rate in finding the shared secret that allows her to eavesdrop and manipulate Bluetooth traffic. ‣ 25% may sound low, but since victim users are very likely to retry to pair if pairing has failed, then eventually Eve will be successful.
  • 31. KZen Networks is Hiring!

Editor's Notes

  1. https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication