SlideShare a Scribd company logo

Zero to Dual_EC_DRBG in 30 minutes

Entrust Datacard
Entrust Datacard

A look into the suspect Dual-EC DRBG cryptographic mechanism.

Technology
1 of 12
Download to read offline
Zero to Dual_EC_DRBG in 30 minutes A look into the suspect Dual-EC DRBG cryptographic mechanism © Entrust Inc. All Rights Reserved. Entrust Inc. All Rights Reserved. 1 1
Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust Limited in Canada. All other company and product names are trademarks or registered trademarks of their respective owners. The material provided in this document is for information purposes only. It is not intended to be advice. You should not act or abstain from acting based upon such information without first consulting a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS O F THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED "AS IS" WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE. © 2014 Entrust. All rights reserved. © Entrust Inc. All Rights Reserved. 2 2
Table of Contents Introduction .......................................................... 4 Building Block...................................................... 5 NIST’s Dual_EC_DRBG ....................................... 6 Points form a Group ............................................ 7 The Attack ............................................................ 9 Conclusion ......................................................... 11 Entrust & You ..................................................... 12 © Entrust Inc. All Rights Reserved. 3 3
Introduction The National Institute of Standards and Technology (NIST) is one of the oldest physical science laboratories in the United States. NIST helps promote domestic innovation by advancing, monitoring and evaluating technical standards and measurement sciences. Core to its mission, NIST produces special publications to disseminate policies, standards and findings to related security and technology communities. However, special publication 800-90, first published in 2006, came under heavy criticism from the media, who claimed that security vendor RSA and the NSA created a deal to make the dual-EC (elliptic curve) variant the default deterministic random-bit generator algorithm, or DRBG, in its commercial toolkit product. RSA denied the allegation. The claims introduce serious questions about the security of the algorithm. Random-bit generation is a critical foundation of every security protocol. The presence of a backdoor would have serious implications for security everywhere the algorithm is used. Fortunately, the NIST specification describes three alternative algorithms, all of which were based on well-established cryptographic principles. By “well-established” we mean that the academic community had examined their security properties over many years and was satisfied that they were cryptographically sound. Because of the critical role they play in every security protocol, Entrust pays close attention to the design of random-bit generators, and it does not use NIST’s Dual-EC DRBG in any of its products or services. This white paper provides an introduction to the elliptic-curve DRBG mechanism and why the design approach is suspect. © Entrust Inc. All Rights Reserved. 4 4
Building Block The basic building block of all elliptic-curve cryptographic mechanisms is integer-point multiplication. In subsequent diagrams we use the symbol shown in Figure 1 to denote this operation. “ Random-bit generation is a critical foundation of every security protocol. ” Figure 1: ECC Building Block Bold upper-case characters and thick lines denote curve points, and normal font and thin lines denote integers. Integer-point multiplication is one-way, because, while, given a and M, it is easy to calculate N, given M and N, it is computationally infeasible to calculate a. Calculating a is known as the elliptic-curve discrete logarithm problem. © Entrust Inc. All Rights Reserved. 5 5
NIST’s Dual_EC_DRBG The NIST Dual_EC_DRBG is described in NIST Special Publication 80090A. One round of the procedure is shown in Figure 2. Figure 2: One Round Note that all three integer-point multiplication operations shown here use the same elliptic curve with a base-point of either P or Q. The ‘int’ operation denotes taking the input point’s x coordinate as an integer value. And the ‘truncate’ operation denotes taking the input point’s x coordinate and removing the least significant 16 bits. ti is the output random bit sequence. The output, Si+1, becomes the input for the next round, so that longer random sequences can be generated from one seed. Bear in mind that, while it is easy to calculate si+1 and ti, it is computationally infeasible, given ti, to calculate the corresponding ri. The initial round is seeded from a non-deterministic random-bit generator. © Entrust Inc. All Rights Reserved. 6 6
Points form a Group Consider the example curve shown in Figure 3. This curve satisfies the equation: Y2 = x3 + 5x + 1 mod 23 Obviously, this example is for illustrative purposes only; it has no cryptographic utility. The curve has group order 31; i.e., there are 31 points on the curve, including the additive identity, or point at infinity (0). 31 is a prime number. So, every point on the curve is an integer multiple mod 31 of every other point except 0. And 31P = 0, regardless of which point is chosen for P. Figure 3: Example Curve © Entrust Inc. All Rights Reserved. 7 7
Suppose Q were the point (9,4), as shown in Figure 4. And suppose that P were the point (12,8). Figure 4: P = (12,8) Then, the figure shows multiples of Q up to 4Q, and we see that P = 4Q. More generally, P = eQ. © Entrust Inc. All Rights Reserved. 8 8
The Attack Multiplying interim state, ri, of the Dual_EC_DRBG by Q and then multiplying the resulting point by e produces the same result as multiplying the interim state by the point P. See Figure 5. Figure 5: The Attack In other words, the internal state can be calculated from the output by anyone who knows e. Clearly, the designers of the algorithm COULD know e, although it cannot be proved whether they do or not. There is one final complication. Only a truncated version of the output curve point is known, ti, rather than Ti. © Entrust Inc. All Rights Reserved. 9 9
In order to multiply the curve point Ti by e, the attacker has to reconstruct the curve point that produced ti. See Figure 7. Figure 7: The Effect of Truncation ti is calculated by taking the x coordinate of Ti and truncating it by 16 bits. So, the attacker has to try all 65,536 corresponding x coordinates and find all those that have a solution on the curve. In our example, if ti = 4 and we truncate by two bits, then the following points are candidate values for Ti: (17,10), (17,13), (18,9), (18,14), (19,3) and (19,20). Once the candidates have been identified, then subsequent output for each of them can easily be calculated. If subsequent output is used to generate keys, for instance, then the attacker has a small number of key values to search through in order to find the correct one. This attack depends upon the RBG being used to produce a public random number (such as a nonce, a challenge or an initialization vector) and then subsequently using it to generate a secret value, such as a key. © Entrust Inc. All Rights Reserved. 10 10
Conclusion Either the designers failed to appreciate that their design approach was vulnerable to this criticism, or they knew perfectly well, but didn’t expect others to discover the vulnerability. Both explanations seem equally improbable. But, one of them has to be true. Either way, the mechanism is now thoroughly discredited. © Entrust Inc. All Rights Reserved. 11 11
Entrust & You More than ever, Entrust understands your organization’s security pain points. Whether it’s the protection of information, securing online customers, regulatory compliance or large-scale government projects, Entrust provides identity-based security solutions that are not only proven in real-world environments, but cost-effective in today’s uncertain economic climate. A trusted provider of identity-based security solutions, Entrust empowers governments, enterprises and financial institutions in more than 5,000 organizations spanning 85 countries. Entrust’s award-winning software authentication platforms manage today’s most secure identity credentials, addressing customer pain points for cloud and mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. Company Facts Website: www.entrust.com Employees: 359 Customers: 5,000 Offices: 10 Globally Headquarters Three Lincoln Centre 5430 LBJ Freeway, Suite 1250 Dallas, Texas 75240 Sales North America: 1-888-690-2424 EMEA: +44 (0) 118 953 3000 Email: entrust@entrust.com For more information about Entrust products and services, call 888-690-2424, email entrust@entrust.com or visit entrust.com. © Entrust Inc. All Rights Reserved. 30061-2-0114 12 12

Recommended

Zksnarks in english
Zksnarks in englishZksnarks in english
Zksnarks in english
Ronak Kogta
 
zkSNARKs in Ethereum, and Baby ZoE
zkSNARKs in Ethereum, and Baby ZoEzkSNARKs in Ethereum, and Baby ZoE
zkSNARKs in Ethereum, and Baby ZoE
Feng-Ren Tsai
 
BREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVER
BREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVERBREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVER
BREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVER
ijcsit
 
Presentacion diapositiva 40
Presentacion diapositiva 40Presentacion diapositiva 40
Presentacion diapositiva 40
FUCS - Fundación Universitaria de Ciencias de la Salud
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
Entrust Datacard
 
Entrust Solutions Portfolio
Entrust Solutions PortfolioEntrust Solutions Portfolio
Entrust Solutions Portfolio
Entrust Datacard
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard Mobile
Entrust Datacard
 
INFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL CertificatesINFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL Certificates
Entrust Datacard
 

Recommended

Zksnarks in english
Zksnarks in englishZksnarks in english
Zksnarks in english
Ronak Kogta
 
zkSNARKs in Ethereum, and Baby ZoE
zkSNARKs in Ethereum, and Baby ZoEzkSNARKs in Ethereum, and Baby ZoE
zkSNARKs in Ethereum, and Baby ZoE
Feng-Ren Tsai
 
BREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVER
BREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVERBREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVER
BREAKING MIGNOTTE’S SEQUENCE BASED SECRET SHARING SCHEME USING SMT SOLVER
ijcsit
 
Presentacion diapositiva 40
Presentacion diapositiva 40Presentacion diapositiva 40
Presentacion diapositiva 40
FUCS - Fundación Universitaria de Ciencias de la Salud
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
Entrust Datacard
 
Entrust Solutions Portfolio
Entrust Solutions PortfolioEntrust Solutions Portfolio
Entrust Solutions Portfolio
Entrust Datacard
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard Mobile
Entrust Datacard
 
INFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL CertificatesINFOGRAPHIC: Switch to SHA-2 SSL Certificates
INFOGRAPHIC: Switch to SHA-2 SSL Certificates
Entrust Datacard
 
SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATIONSPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
IJNSA Journal
 
Symmetric Key Encryption Decryption Technique Using Image Based Key Generation
Symmetric Key Encryption Decryption Technique Using Image Based Key GenerationSymmetric Key Encryption Decryption Technique Using Image Based Key Generation
Symmetric Key Encryption Decryption Technique Using Image Based Key Generation
IRJET Journal
 
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECCAN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
ijcisjournal
 
Survey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
Survey: Elliptic Curve Cryptography using Scalar Multiplication AlgorithmsSurvey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
Survey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
AM Publications
 
Essay On Cryptography
Essay On CryptographyEssay On Cryptography
Essay On Cryptography
Haley Johnson
 
IRJET- Enhanced Security using Genetic Algorithm in Cryptography
IRJET- Enhanced Security using Genetic Algorithm in CryptographyIRJET- Enhanced Security using Genetic Algorithm in Cryptography
IRJET- Enhanced Security using Genetic Algorithm in Cryptography
IRJET Journal
 
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGEDATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
IJTRET-International Journal of Trendy Research in Engineering and Technology
 
Analysis of symmetric key cryptographic algorithms
Analysis of symmetric key cryptographic algorithmsAnalysis of symmetric key cryptographic algorithms
Analysis of symmetric key cryptographic algorithms
IRJET Journal
 
Collusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sumCollusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sum
nexgentech15
 
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
Nexgen Technology
 
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
nexgentechnology
 
Collusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sumCollusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sum
Nexgen Technology
 
Protocols and Practices in Using Encryption Chapter 4
Protocols and Practices in Using Encryption Chapter 4Protocols and Practices in Using Encryption Chapter 4
Protocols and Practices in Using Encryption Chapter 4
AfiqEfendy Zaen
 
Data Democratization at Nubank
Data Democratization at Nubank Data Democratization at Nubank
Data Democratization at Nubank
Databricks
 
Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...
Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...
Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...
brucelb
 
Deep Learning for Cybersecurity Innovation Insights from Patents
Deep Learning for Cybersecurity Innovation Insights from PatentsDeep Learning for Cybersecurity Innovation Insights from Patents
Deep Learning for Cybersecurity Innovation Insights from Patents
Alex G. Lee, Ph.D. Esq. CLP
 
IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...
IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...
IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...
IRJET Journal
 
IRJET-Triple Layered Security on Android Based SMS Transaction
IRJET-Triple Layered Security on Android Based SMS TransactionIRJET-Triple Layered Security on Android Based SMS Transaction
IRJET-Triple Layered Security on Android Based SMS Transaction
IRJET Journal
 
Modification the Security of Flip Protocol by Changing the Base Point Selection
Modification the Security of Flip Protocol by Changing the Base Point SelectionModification the Security of Flip Protocol by Changing the Base Point Selection
Modification the Security of Flip Protocol by Changing the Base Point Selection
AIRCC Publishing Corporation
 
A Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
A Process Quality Improvement Mechanism for Reducing the Risk of CI EnvironmentA Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
A Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
AIRCC Publishing Corporation
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Entrust Datacard
 
INFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of ThingsINFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of Things
Entrust Datacard
 

More Related Content

Similar to Zero to Dual_EC_DRBG in 30 minutes

SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATIONSPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
IJNSA Journal
 
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECCAN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
ijcisjournal
 
Survey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
Survey: Elliptic Curve Cryptography using Scalar Multiplication AlgorithmsSurvey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
Survey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
AM Publications
 
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGEDATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
IJTRET-International Journal of Trendy Research in Engineering and Technology
 
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
Nexgen Technology
 
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
nexgentechnology
 
Collusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sumCollusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sum
Nexgen Technology
 
Protocols and Practices in Using Encryption Chapter 4
Protocols and Practices in Using Encryption Chapter 4Protocols and Practices in Using Encryption Chapter 4
Protocols and Practices in Using Encryption Chapter 4
AfiqEfendy Zaen
 
Data Democratization at Nubank
Data Democratization at Nubank Data Democratization at Nubank
Data Democratization at Nubank
Databricks
 
Deep Learning for Cybersecurity Innovation Insights from Patents
Deep Learning for Cybersecurity Innovation Insights from PatentsDeep Learning for Cybersecurity Innovation Insights from Patents
Deep Learning for Cybersecurity Innovation Insights from Patents
Alex G. Lee, Ph.D. Esq. CLP
 
Modification the Security of Flip Protocol by Changing the Base Point Selection
Modification the Security of Flip Protocol by Changing the Base Point SelectionModification the Security of Flip Protocol by Changing the Base Point Selection
Modification the Security of Flip Protocol by Changing the Base Point Selection
AIRCC Publishing Corporation
 
A Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
A Process Quality Improvement Mechanism for Reducing the Risk of CI EnvironmentA Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
A Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
AIRCC Publishing Corporation
 

Similar to Zero to Dual_EC_DRBG in 30 minutes (20)

SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATIONSPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
SPDZ-BASED OPTIMISTIC FAIR MULTI-PARTY COMPUTATION
 
Symmetric Key Encryption Decryption Technique Using Image Based Key Generation
Symmetric Key Encryption Decryption Technique Using Image Based Key GenerationSymmetric Key Encryption Decryption Technique Using Image Based Key Generation
Symmetric Key Encryption Decryption Technique Using Image Based Key Generation
 
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECCAN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
AN EFFICIENT AND SECURE DIGITAL MULTI-SIGNATURE PROTOCOL BASED ON ECC
 
Survey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
Survey: Elliptic Curve Cryptography using Scalar Multiplication AlgorithmsSurvey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
Survey: Elliptic Curve Cryptography using Scalar Multiplication Algorithms
 
Essay On Cryptography
Essay On CryptographyEssay On Cryptography
Essay On Cryptography
 
IRJET- Enhanced Security using Genetic Algorithm in Cryptography
IRJET- Enhanced Security using Genetic Algorithm in CryptographyIRJET- Enhanced Security using Genetic Algorithm in Cryptography
IRJET- Enhanced Security using Genetic Algorithm in Cryptography
 
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGEDATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
DATA INTEGRITY AUDITING WITHOUT PRIVATE KEY STORAGE FOR SECURE CLOUD STORAGE
 
Analysis of symmetric key cryptographic algorithms
Analysis of symmetric key cryptographic algorithmsAnalysis of symmetric key cryptographic algorithms
Analysis of symmetric key cryptographic algorithms
 
Collusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sumCollusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sum
 
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
 
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
COLLUSION-TOLERABLE PRIVACY-PRESERVING SUM AND PRODUCT CALCULATION WITHOUT SE...
 
Collusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sumCollusion tolerable privacy-preserving sum
Collusion tolerable privacy-preserving sum
 
Protocols and Practices in Using Encryption Chapter 4
Protocols and Practices in Using Encryption Chapter 4Protocols and Practices in Using Encryption Chapter 4
Protocols and Practices in Using Encryption Chapter 4
 
Data Democratization at Nubank
Data Democratization at Nubank Data Democratization at Nubank
Data Democratization at Nubank
 
Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...
Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...
Strategic IP Litigation: How to Make Better, Justifiable Decisions - A Case S...
 
Deep Learning for Cybersecurity Innovation Insights from Patents
Deep Learning for Cybersecurity Innovation Insights from PatentsDeep Learning for Cybersecurity Innovation Insights from Patents
Deep Learning for Cybersecurity Innovation Insights from Patents
 
IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...
IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...
IRJET- Implementation of DNA Cryptography in Cloud Computing and using Socket...
 
IRJET-Triple Layered Security on Android Based SMS Transaction
IRJET-Triple Layered Security on Android Based SMS TransactionIRJET-Triple Layered Security on Android Based SMS Transaction
IRJET-Triple Layered Security on Android Based SMS Transaction
 
Modification the Security of Flip Protocol by Changing the Base Point Selection
Modification the Security of Flip Protocol by Changing the Base Point SelectionModification the Security of Flip Protocol by Changing the Base Point Selection
Modification the Security of Flip Protocol by Changing the Base Point Selection
 
A Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
A Process Quality Improvement Mechanism for Reducing the Risk of CI EnvironmentA Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
A Process Quality Improvement Mechanism for Reducing the Risk of CI Environment
 

More from Entrust Datacard

Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Entrust Datacard
 

More from Entrust Datacard (10)

Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration GuideSwitch to SHA-2 SSL - A Step-by-Step Migration Guide
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
 
INFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of ThingsINFOGRAPHIC: Securing the Internet of Things
INFOGRAPHIC: Securing the Internet of Things
 
Defeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser MalwareDefeating Man-in-the-Browser Malware
Defeating Man-in-the-Browser Malware
 
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
 
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust? INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
 
Advanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionAdvanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure Protection
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate Management
 
Entrust Physical & Logical Access Solutions
Entrust Physical & Logical Access SolutionsEntrust Physical & Logical Access Solutions
Entrust Physical & Logical Access Solutions
 
Entrust Mobile Security Solutions
Entrust Mobile Security SolutionsEntrust Mobile Security Solutions
Entrust Mobile Security Solutions
 
Entrust Enterprise Authentication
Entrust Enterprise AuthenticationEntrust Enterprise Authentication
Entrust Enterprise Authentication
 

Recently uploaded

Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Recently uploaded (20)

Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Zero to Dual_EC_DRBG in 30 minutes

  • 1. Zero to Dual_EC_DRBG in 30 minutes A look into the suspect Dual-EC DRBG cryptographic mechanism © Entrust Inc. All Rights Reserved. Entrust Inc. All Rights Reserved. 1 1
  • 2. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust Limited in Canada. All other company and product names are trademarks or registered trademarks of their respective owners. The material provided in this document is for information purposes only. It is not intended to be advice. You should not act or abstain from acting based upon such information without first consulting a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS O F THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED "AS IS" WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE. © 2014 Entrust. All rights reserved. © Entrust Inc. All Rights Reserved. 2 2
  • 3. Table of Contents Introduction .......................................................... 4 Building Block...................................................... 5 NIST’s Dual_EC_DRBG ....................................... 6 Points form a Group ............................................ 7 The Attack ............................................................ 9 Conclusion ......................................................... 11 Entrust & You ..................................................... 12 © Entrust Inc. All Rights Reserved. 3 3
  • 4. Introduction The National Institute of Standards and Technology (NIST) is one of the oldest physical science laboratories in the United States. NIST helps promote domestic innovation by advancing, monitoring and evaluating technical standards and measurement sciences. Core to its mission, NIST produces special publications to disseminate policies, standards and findings to related security and technology communities. However, special publication 800-90, first published in 2006, came under heavy criticism from the media, who claimed that security vendor RSA and the NSA created a deal to make the dual-EC (elliptic curve) variant the default deterministic random-bit generator algorithm, or DRBG, in its commercial toolkit product. RSA denied the allegation. The claims introduce serious questions about the security of the algorithm. Random-bit generation is a critical foundation of every security protocol. The presence of a backdoor would have serious implications for security everywhere the algorithm is used. Fortunately, the NIST specification describes three alternative algorithms, all of which were based on well-established cryptographic principles. By “well-established” we mean that the academic community had examined their security properties over many years and was satisfied that they were cryptographically sound. Because of the critical role they play in every security protocol, Entrust pays close attention to the design of random-bit generators, and it does not use NIST’s Dual-EC DRBG in any of its products or services. This white paper provides an introduction to the elliptic-curve DRBG mechanism and why the design approach is suspect. © Entrust Inc. All Rights Reserved. 4 4
  • 5. Building Block The basic building block of all elliptic-curve cryptographic mechanisms is integer-point multiplication. In subsequent diagrams we use the symbol shown in Figure 1 to denote this operation. “ Random-bit generation is a critical foundation of every security protocol. ” Figure 1: ECC Building Block Bold upper-case characters and thick lines denote curve points, and normal font and thin lines denote integers. Integer-point multiplication is one-way, because, while, given a and M, it is easy to calculate N, given M and N, it is computationally infeasible to calculate a. Calculating a is known as the elliptic-curve discrete logarithm problem. © Entrust Inc. All Rights Reserved. 5 5
  • 6. NIST’s Dual_EC_DRBG The NIST Dual_EC_DRBG is described in NIST Special Publication 80090A. One round of the procedure is shown in Figure 2. Figure 2: One Round Note that all three integer-point multiplication operations shown here use the same elliptic curve with a base-point of either P or Q. The ‘int’ operation denotes taking the input point’s x coordinate as an integer value. And the ‘truncate’ operation denotes taking the input point’s x coordinate and removing the least significant 16 bits. ti is the output random bit sequence. The output, Si+1, becomes the input for the next round, so that longer random sequences can be generated from one seed. Bear in mind that, while it is easy to calculate si+1 and ti, it is computationally infeasible, given ti, to calculate the corresponding ri. The initial round is seeded from a non-deterministic random-bit generator. © Entrust Inc. All Rights Reserved. 6 6
  • 7. Points form a Group Consider the example curve shown in Figure 3. This curve satisfies the equation: Y2 = x3 + 5x + 1 mod 23 Obviously, this example is for illustrative purposes only; it has no cryptographic utility. The curve has group order 31; i.e., there are 31 points on the curve, including the additive identity, or point at infinity (0). 31 is a prime number. So, every point on the curve is an integer multiple mod 31 of every other point except 0. And 31P = 0, regardless of which point is chosen for P. Figure 3: Example Curve © Entrust Inc. All Rights Reserved. 7 7
  • 8. Suppose Q were the point (9,4), as shown in Figure 4. And suppose that P were the point (12,8). Figure 4: P = (12,8) Then, the figure shows multiples of Q up to 4Q, and we see that P = 4Q. More generally, P = eQ. © Entrust Inc. All Rights Reserved. 8 8
  • 9. The Attack Multiplying interim state, ri, of the Dual_EC_DRBG by Q and then multiplying the resulting point by e produces the same result as multiplying the interim state by the point P. See Figure 5. Figure 5: The Attack In other words, the internal state can be calculated from the output by anyone who knows e. Clearly, the designers of the algorithm COULD know e, although it cannot be proved whether they do or not. There is one final complication. Only a truncated version of the output curve point is known, ti, rather than Ti. © Entrust Inc. All Rights Reserved. 9 9
  • 10. In order to multiply the curve point Ti by e, the attacker has to reconstruct the curve point that produced ti. See Figure 7. Figure 7: The Effect of Truncation ti is calculated by taking the x coordinate of Ti and truncating it by 16 bits. So, the attacker has to try all 65,536 corresponding x coordinates and find all those that have a solution on the curve. In our example, if ti = 4 and we truncate by two bits, then the following points are candidate values for Ti: (17,10), (17,13), (18,9), (18,14), (19,3) and (19,20). Once the candidates have been identified, then subsequent output for each of them can easily be calculated. If subsequent output is used to generate keys, for instance, then the attacker has a small number of key values to search through in order to find the correct one. This attack depends upon the RBG being used to produce a public random number (such as a nonce, a challenge or an initialization vector) and then subsequently using it to generate a secret value, such as a key. © Entrust Inc. All Rights Reserved. 10 10
  • 11. Conclusion Either the designers failed to appreciate that their design approach was vulnerable to this criticism, or they knew perfectly well, but didn’t expect others to discover the vulnerability. Both explanations seem equally improbable. But, one of them has to be true. Either way, the mechanism is now thoroughly discredited. © Entrust Inc. All Rights Reserved. 11 11
  • 12. Entrust & You More than ever, Entrust understands your organization’s security pain points. Whether it’s the protection of information, securing online customers, regulatory compliance or large-scale government projects, Entrust provides identity-based security solutions that are not only proven in real-world environments, but cost-effective in today’s uncertain economic climate. A trusted provider of identity-based security solutions, Entrust empowers governments, enterprises and financial institutions in more than 5,000 organizations spanning 85 countries. Entrust’s award-winning software authentication platforms manage today’s most secure identity credentials, addressing customer pain points for cloud and mobile security, physical and logical access, citizen eID initiatives, certificate management and SSL. Company Facts Website: www.entrust.com Employees: 359 Customers: 5,000 Offices: 10 Globally Headquarters Three Lincoln Centre 5430 LBJ Freeway, Suite 1250 Dallas, Texas 75240 Sales North America: 1-888-690-2424 EMEA: +44 (0) 118 953 3000 Email: entrust@entrust.com For more information about Entrust products and services, call 888-690-2424, email entrust@entrust.com or visit entrust.com. © Entrust Inc. All Rights Reserved. 30061-2-0114 12 12