Merken
Squeezing a key through a carry bit
Automatisierte Medienanalyse
Diese automatischen Videoanalysen setzt das TIBAVPortal ein:
Szenenerkennung — Shot Boundary Detection segmentiert das Video anhand von Bildmerkmalen. Ein daraus erzeugtes visuelles Inhaltsverzeichnis gibt einen schnellen Überblick über den Inhalt des Videos und bietet einen zielgenauen Zugriff.
Texterkennung – Intelligent Character Recognition erfasst, indexiert und macht geschriebene Sprache (zum Beispiel Text auf Folien) durchsuchbar.
Spracherkennung – Speech to Text notiert die gesprochene Sprache im Video in Form eines Transkripts, das durchsuchbar ist.
Bilderkennung – Visual Concept Detection indexiert das Bewegtbild mit fachspezifischen und fächerübergreifenden visuellen Konzepten (zum Beispiel Landschaft, Fassadendetail, technische Zeichnung, Computeranimation oder Vorlesung).
Verschlagwortung – Named Entity Recognition beschreibt die einzelnen Videosegmente mit semantisch verknüpften Sachbegriffen. Synonyme oder Unterbegriffe von eingegebenen Suchbegriffen können dadurch automatisch mitgesucht werden, was die Treffermenge erweitert.
Erkannte Entitäten
Sprachtranskript
00:01
to do that and
00:06
and I a a I think now I would speak of was he's thinking year and these specialized in go he some kind of go with it so to say and he's the CloudFlare II actually shows today in the talk how he made an attack to exploit the box in the implementation of the elliptic curve peak 256 in goal that's why he's a go with that and the reason is actually due to a misplaced but it's on the assembly level just to to curves implementation and the result is that you can in certain cases you can retrieve the private key in indeed elliptic curve to the hell it encryption scheme so please welcome feeble all the to his talk giving me a round of applause Thank you thank you furious and over the term crypto gopher or tonic in upward and I just I want business starts with that on it anyway OK I'm and sleeper as you heard I worked on intent infrastructure after I work Congo I work on cryptography but this is a collaboration which on Beverly as you might know him our as 1 of the outer off the creep the pulse or order and with the challenges so the a few months ago and met earlier this year and I do it at a conference
01:38
in year was scanning the the logs city logs are um big logs of peerless certificates ends it was checking the ECDC signatures on the certificates and what the signatures was not very fine the which is weird because CT logs the uh the certificates before adding them to the log it turned out that the bad woes in the code that cover was using to verify the certificates and more specifically it was in the ghost and the library uh it was in the implementation of the NIST P 256 cure of which is our popular and hard to implement elliptic curve that is used for example for EC DSA TLS certificates of this curve has AP assembly implementation in the ghost and the Library of do you of course on who is to squeeze every bit of performance out of it and specifically optimized for x 86 64 architecture so that's what about was the was our carry propagation that the it was reported upstream and everyone agreed that this was not obviously exploitable but Unimind we'll also said that it would be equal pay and well I mean how do you pass on that so I meet in Paris uh and spend a weekend and then some eating Thai food and staring at the use of assembly code to try to understand what is it doing 1 month later we have a
03:20
CV and to go security releases we found a way to go from this single carry bit about up to a full q recall very against protocols that use elliptic curve DiffieHellman a week in ephemeral static uh wait if this meals nothing to you it's OK I will try to go over 1 of these particles for example is JWT jealousy or however you want to call it it has 15 different acronyms ends it it's often planted so this was exportable against real word uh services so let's start by looking at the code with about let's take it from the beginning this is
04:10
the short absolutely function that does subtraction but when you do elliptic curve nasty you usually work on the field you work on mass modulo some prime p so if you go subtraction you do a minus b model p and is what this is uh assemblers but that's it that it sets a 2 8 minus B Of course out these are numbers way too big to fit into a single register so how do you do the math when you can fit it into a single register you do multiprecision that end the thing is you all know how to do more to precision that you learned in elementary school when you would write numbers in columns and you do math with register size of 10 because every digit you would subtract the digits and carried a minus 1 if it went negative and then subtract with the carrier and then carried a minus 1 that's exactly what this is doing but it's doing it instead with digits with 64 bit registers because this is a 64 bit architecture so we look at the 1st line is the 1st lines is nothing else than subtract subtract subtract which carry and then the carrier is finally stored in that multiple mild 0 accumulated but then what do we do if it goes negative we said that this is model p so we can't just let it run around module to to the 256 because that's how wide you know for registers are but since we're doing our genetic modular number we can just add to that number and the result is the same right adding chemotherapy is and know what the results so this would this code does it does aid uh uh equal in minus B it takes a copy of the result it adds p and then in constant time it uses that final Kerry to check if it went negative or not to decide in constant time which 1 to use the 1 with the so 8 minus B plus the or a minus B. and that subtraction so forward enough now the problem with this code is that if you look closely you can see something that might be weird if you're not familiar with absolutely still trichinae to user condition like these time conditionals there which have to be constant time because you don't want to eke timings based on the size of number you have to 1st operate on 0 so that you said the flags that 0 flat so normally what you do is you added 0 or end of 1 to the to your mold 0 to check it if to set the facts but that's not that's not a bad that's the ad would carry the In meals that it's adding 0 to mold 0 element the carry bit from this edition here which has nothing to do with it it's not supposed to be there like this is adding p but it doesn't matter if it overflows because if it does it wasn't going to be picked here anyway so it's adding and another bit into the operation that wasn't supposed to be there so it's flipping the result but then also the conditions here are flipped so essentially evens itself out except except when that carry bit happens not to be set because the number of 8 minus B is small enough that if have P you don't wrap around that happens once every 2 to the 32 times which is why it's so rare that nobody had noticed so far so the code went in and nobody noticed from long time until coffers such scanning CT logs and had this we or 1 signature that wasn't verified in there were lucky enough to actually have it in lots because you know if it happens transiently you might just think uh I don't know the connection broke right so this is what we call that carry propagation
08:29
by carry propagation is that activity of making sure that you can read the 1 and here it's a bit we're we don't forget to carry it but we carried a carry love how we care sorry so we carried out a bit that we weren't supposed to carry into our results most of the times that goes well sometimes that breaks when that makes wrong results wrong result wrong point computation ends conditions so what right how does for getting to carry the 1 leads to of fooled he recall very this is not 1 of those nights where like a buffer overflow you know what you're trying to do even if you might have to jump through so many hoops because there might be is all the use protections you know all with your capabilities you can override some memory here is said it's not clear what your capabilities so today I'm going to trying to explain that how we turn this fair we're rare field computation into a complete cure recovery attack but 1st I apologize that I have
09:40
to give us elliptic curve cryptography crash course here at CCC of so we've seen the field field mules nothing else then all operations model p then there are 2 points the points are X and Y the coordinates they fit an equation which we don't care about the the that equation the integers so we can work with them and we can use them to build a group a group is 1 of the core structures in modern cryptography to do the the growth we need a 0 point a generator point and an addition over 2 groups of the dead points so we define an addition a game we don't care about how addition works it's just you take 2 points you add them together you get a result it has all the properties that you remember from elementary school edition it's commutative it's associative and then you have multiplication you don't actually define how to multiply a point but if I tell you that you have an addition operation and I won't 5 times this point would be the you take the point and you are the point and you of the point and you have the point so this gold scatter multiplication uh it's doing multiplication by adding repeatedly a certain point so now we have a group which is given by the about multiplying the appointed generator point at a certain number of times and we have a multiplication operation so how do we build cryptography out of it like this is all all fully abstracts of our so we build elliptic curve DiffieHellman if you're familiar with normal DiffieHellman you will see something snapped at some point on the private key is a giant number is important the private key in the H is just a random giants 256 bit number and then we have a public key a public key is that giant number multiplied by the scalar multiplication we just talk about by a generator point the if you know normal DiffieHellman this is like doing g today if you don't just say it's OK is just multiplying private key by pointing and then when I have my own private key and my public key you send your public key we need to agree on a shared secret how we do that is that I take your public key which is a point we I think this and I multiplied by my private key here so again it's my giants number private key multiplied by your point that comes together the 2 results are the same because if we do like my private key times your private key times G is the same as your private key times my private key times g that's commutative and we act of land on a shared secret and that's all we need to know to you about this about elliptic curve cryptography to explore this however there's 1 thing
13:08
that I over the it's easy to multiply by 5 you add 5 times but if I'm asking you to uh multiplied by 256 bit numb you can't odds 2 to the 256 times a point right the so what do we do remember that here we're trying to do is the multiplication of the private key times the public key the point
13:36
we do something called double and that we take our private was string it out like bits and we start from the most significant bit this is little endian because I had gone the slide wrong the 1st time in that you know you just claim that you meant it to be adopted and in its anyway that's the most significant at the 1 that is more of to 256 now to 255 if you flip it that you are adding or removing 2 2 2 2 5 so you start with the above that z 0 nothing and you check the 1st met the most important is that self yes or no yes so you add the point he was the point we're trying to multiply by descending so we had the point In down 1 made up by doubling can imagine how we double something within and we only had edition we added to itself of course so we use additional to double the point and you might see where we're going with this we double every time we slide down 1 bit by the time we arrive at the end how many times to be double that 1st point that we have been because the 1st bit was 1 255 times that the it was worth to to the 255 so at the end that will have the value it was supposed to have and we keep going we check if this bit is 1 is that 1 no so we do nothing we double the gain to move down 1 when we check if this bit is 1 this bit is 1 so we add to the point so we did at the point babble babble at that point double moving was down 1 and we keep going like this we keep going like this until well we have slides but also until we reach the least significant bit at the least significant bit if it's 1 we have the point if it's not we don't have the point and again we have the correct result and the result comes from this sequence of operations which at most r twice 255 operations which is something that we can do concretely now why did I explained is very specific I going to you because you have to understand the part you have to recognize that each key so each string of bits here converts into a very specific sequence of operations OK if you change 1 that there will be 1 more addition or no on 1 exhibition end each key has a very specific sequence in this case it's can't double double add double adds doubledouble and it keeps going so they talk about if if you
16:43
spaced out because we spent took a lot of correct I so I your own eye so you know her her her feet but um the 2 things you should take away r the there's a giant number if the private key we want to multiply the giant number by a point and we do that by doing additions and doubles in an order that is specified by the dates of the giant number that's what you need to have clear the only thing the so let's go back to see how we use that to turn our very small carry bags into a complete satirical very attacked the 1st thing we do
17:24
is we double up that function that breaks is called P. 256 some internal that's I showed you earlier the the Visix of some internal is used by the 256 . add which is what we talk about adding to uh 2 points the only important operation and adding 2 points we've seen we use when we're multiplying when we're doing that scholar multiplication which is the times q d times the points and how is the color most used here we finally surfaced to uh level that each worked with LAI cryptographic protocols you might start recognizing the pieces of Stella multiplication is the operation that that the appeared as in elliptic curve if you have there's a scatter which is the secret which is the private key there's a point which is the public key of the older persons which might be the attacker so this here speaking in InfoSec terms has an attacker supplied point in the secret scatter in the result this the shared secret is the session key for example TNS when you open a connection with TLS and you're using elliptic curve DiffieHellman then you will do this there's to agree on a session key if the session key is correct the connection will open and you will be able to add a low get sent HEP quest if the bag is and the result is wrong so the result bubbles up into a wrong such cigarette the session he's wrong and this shared social cues from q notice how you notice the connection breaks so this is what in of human colon oracle you have an oracle that you can call and send a point because that's your private key Europe know that's your public key your detector and you send that point and it gets multiplied by the private key and it gives you 1 bit of information did the bad trigger did it not most of the times it want because remember is an extremely rare back so you have an oracle that tells you but happened but didn't happen based on the point you say a let's assume that the key state stays the same will talk about that imagine how we use that to start learning things about the key well let's say
20:09
that we can't magically consumer a point that in that sequence of operation and that's why I told you the sequence of operation was important it the bad happens there we specifically a definition and we find another point word about happens very specifically a that's double if we know already these bits of the key and we are sure about this 1 what can we do with this 2 points we send them
20:43
both 1 of them will break the TLS connection the other 1 will succeed the news that the 1 that broke triggered the bag the 1 that didn't break didn't trigger back and we
20:59
know which 1 corresponds to which key because we major magical made special points and only break very precisely at that point of the computation OK so we learned a bit of the key In cryptography as soon as you learn 1 bit of 2 key there's probably a way all the way down so read er build what's
21:25
called unadapted to attack let's say we have these this we have these bits that we want to learn this to we compute 2 points 1 that breaks when the vision happens exactly at that point in the double and add procedure in 1 that triggers only when the ad doesn't happen at this specific point In the double in and sequence we send them both only 1 of them breaks the TLS connection well then we know a bit we go back and we go we go back to aware of magic point generator ends we generate 2 new points this time we don't look for things that break here we look for thanks break here we make 2 points we send them both 1 of them breaks the connection to the doesn't make the connection we don't 1 more bit of the key we go back really make 2 points we send them both 1 breaks the collection 1 doesn't we keep going like that was rich that every time we go back and we adapt to what we've learned so far that's why it's called an adaptive attack we can precompute all these points we have to come up with them while we learn the key and the beautiful thing about the adaptive attacks is that they look exactly like Hollywood it's beautiful because you see them flake thing and like going to values getting it right and moving to the next 1 which you all told it was stated was not who have have good but everything else is fake hello hello numbers from that good anyway but OK so this is a tax we
23:14
can a came up with we told we have some the extremely novel we went to the literature and everyone that heads take an academic carrier in the audience knows exactly what happened the we found a paper that was doing exactly this the um however it you know it was a bit a little different it was still P 256 and it was still the CDH and but and say OK it's really similar but we have it's an attack that depends a lot on the implementation details on how you pull it off you can't say we just the code but they just so far and adaptive attack where you sent 2 points and you check which 1 breaks is the same as a BBB paper of from a few years ago when it worked against open instead of instead all off of the years this bag in but the ghost and library so instead from now on is relevant
24:16
to talk about how exactly we implemented is against go because this changes a lot based on the implementation details of the library you're working with so this was the general idea of how the attack works all that fine points that break at the right time you send them both and that way you learn a bit of the key except lie to you the I lied to you because I let you on a lot of things the 1st 1 of is that go doesn't do double and add 1 bit at a time and does it 5 bits at a time it's cold booth multiplication it took us for ever to figure it out it's it's a major stay the of is then also on and is that all of adding 1 . or 0 points and then doubling it takes it adds between 1 between minus 16 + 16 points and then doubles 5 times moving down the just doesn't in blocks of 5 OK so it splits up the key and then you accept each block of uh bits takes a value from a precomputed table which
25:31
is just you know all the values from 1 times the point to 16 times the point and in the group
25:39
it doubles 5 times because he moved 5 bits down and then he chooses which points between 1 and said 0 16 to use from the table and it adds that today rolling resolved instead of adding 1 or 0 there also a bit of constant time our cosmetic there because the other thing I lied to you on is that there's no such thing as a 0 point it's not imaginary point that we added to make the math work but when you try to to tell the code to actually added that's your point it's like asking me to divide by 0 it just won't do it but you know how you add 0 right you do nothing so there's some constant time code here that looks at it and if it's 0 it does nothing if it's not 0 it adds to the um the the value so
26:38
this 1st thing we had to do to adapt to this format is that we worked in the limbs when you hear me say it just neurons that we would look at each 5 bit block uh on its own as it's 0 to 16 end sign value that's much easier because it's actually kind of weird how the end of 5 bits are extracted and I don't want to bore you with that so let's just consider that we look at each group of 5 converted into a value from 0 16 and 1 and sign or a plus plus minus 16 so when you hear me talk about things you just know that it means that 5 bits value from the key this is still the giant the key that where that's the multiplier so how does the pack change not that much but instead of attacking 1 bit at a time you know 2 points 1 that breaks on 0 1 the base 1 with that 1 thing at a time 1 that breaks for 1 1 the base for 2 1 the basic 3 16 minus 1 minus 2 minus 16 so to move 5 this to recover 5 bits of the key will need on average house displaced 17 points which is a a little less efficient than the bit by bit One because that would be 5 points um before 5 bits so however how the uh
28:16
triggers is the same we're looking for out for about that happens in the 5 doubles at the very right time or that happens at the addition at the right time no
28:33
let's still higher the high level of how we're going to do it but in practice I didn't tell you how we're going to magically generate this magic points that break just at the right time and didn't tell you because it's parsing um there is no there is no specific way to generate them a algebraically so instead we just hooked today actually code with something that we just set a Boolean no true false well if the conditions for the bad are met and then we run into a lot of points and if for each point
29:13
we run it through the limbs we already know remedies and adaptive attack so we want to learn that the next to the we we learned after limbs we want to look at the next 1 we run the ones we know and then we try all the possible values for the for the 1 that we don't know if 1 of them and only 1 of them breaks that's a useful point because if we send that point and it breaks we know exactly what the value of the next limit it's OK so this
29:48
is going even uh moral level if you're interested in optimizations have we had to run through a lot of candidate points and for each point we needed to know the devalue because we can find a magic point that if we don't know the private key we don't know if the your entire protocol works and our oracle doesn't work anymore so too will work with that instead of multiplying a new random private key every time we just added 1 to the private key the end of that G. today of that the point to the public key is just an optimization the we called into devise possibly off the um the assembly of the standard library don't do it is but it's beautiful you can go call exported functions in the standard library I I will never approve it on could review but I know that but and then there's some
30:46
postprocessing to make sure that you know that the that the bag is actually there because sometimes the false positives so we just run it through the broken cold the fixed code is the all the same Welt falsepositive is a different no get
31:03
OK so we have a beginning we side we have a way to move through that act the only thing we don't have yet is how few of the 1st and then the 1st 1 the most important the most significant 1 when we still don't know anything about the key the brother with this 1 is is like this so let's pick predefined example case let's pretend that the lean is 3 so we do our usual thing we do our fuzzing and we find something that breaks at the 50 doubling and if we send it and it breaks the news that the 1st industry right wrong had suddenly it may mean that the leaders also 6 or 12 because how 6 is selected for example is that pre is taken if doubled and saved in the procompetition table as 6 that is taken out of the table doubled 5 times but what happens after you double 6 4 times was the value the exact same as doubling 3 5 times and the sequence is the exact same thing so we don't know which 1 it is because we only know that that's the sequence but that doesn't tell us anything and the same happens for 12 12 is nothing else than tree double double so if we double is 5 times and the TIR double it breaks and we only know which breaks or not so the we can't of so is that what we do is that we find 3 points 1 that breaks after doubling 3 5 times 1 that breaks after break a doubling its 6 times and 1 that breaks after doubling at 7 times we send them all and we look at which was great only this 1 it's a trait the 1st and 2nd but not the 3rd point it affects all 3 it's a 12 this took me for to wrap my head around this is like a pure from uh inside the OK now I can feel that you're the getting a bit tired of this this intensive is a lot of math so let's go for a change of pace and let's talk about kangaroos
33:28
instead the book I'm gonna tell you something that I learned from a cryptographic paper I swear the and it's about how kangaroos shot apparently kangaroos Joe jumped depending on how the terrane on which they're starting on which are jumping from it's depending on the terror if you put 2 kangaroos on the exact same spot there will jump at the same distance and approximately the same direction I don't know if this is true but Pollard said so in a paper and I am not arguing with polar so it no why is this useful well this
34:11
makes for an extremely cool way to catch kangaroos I mean the dispatch some now for pretty well at the that nowhere catching kangaroos here so you take a kangaroo that you have on hand because you'll have a kangaroo on and and you put up a GPS tracker and you never lose this kangaroo gems OK and it Rome's it enjoys a brief stint of freedom and In rows and at some point you will pick it up and because you know where there's and you place subtract them exactly where you find it what happens to the kangaroo that is just passing by if it steps at any
34:59
point on 1 of the points where did all their kangaroo John from their own it will follow the same path because each jump depends on the ground so this way if it let the while kangaroo lands on any of the prince of the previous kangaroo you're catching it because eventually it will end up in the trap what is this had nothing to do with a talk I just want to share this no OK
35:35
so here's how this converts to to correct them we can make an elliptic curve points jump like kangaroos we just have to make the jump of deterministic based on the input based on the starting point for example we can take a hash any hash you design a hash apparently that's popular in cryptocurrencies to design your own passion that it uh in this proof of this OK so and you hash point to another point and when you want to do a job you take the point and you added to its own hash so Q N plus one depends only do I. Q. when and this is just like the kangaroo down how to use this for what we're doing we want to recover D. right we want to recall their day at multiplication the multiplier the discrete order in it's often called off the of the public key but how we do no work at this is that we take we obtain the kangaroo a point that we know the DIY off and we make a jump a lot keeps dumping and we remember what would the value is again we take that value again and we said no need to keep all the points in between so we don't need some giant memory construction end and then we take the points that we don't know the DIY off and we make a jump a lot what happens is that it has much higher probability to intersect 1 1 of the values prints of the previous point when it does it will eventually end up in our truck it will end up having the same value as the 1 we isolated area when that happens we we know how far the wild . traveled because we were the ones making it John so we can just walk backwards to the starting point it turns out that this is extremely efficient to find the D value when you know the interval of the D value the intuition there is that if the kangaroos starts in small area you know all when it it's been too much time it's probably traveled past your problem so you have to rewind time which encryptor you can uh and stop trying to gain because it went pasta so more danger all the more precise you can be the more efficient attacked this is called the colored kangaroo attack and it's described in the original paper from the eighties it was described on DiffieHellman 1st but it works on any groups so it works on elliptic curves and the elliptic curve version is then improved by a few papers later and in there's sparse chapter in the the elliptic and hyperelliptic Handbook of that describes it so we have all we have how to start we have how to run through the attack and we have a how to end so
38:58
now let's get concrete but let's pick a target but as I said this attack works against GWT jw T made a lot of questionable choices 1 of them is to include as 1 of the public key uh algorithms elliptical orbit Helmand but not the version of DiffieHellman you and I are familiar with the 1 where we generate if we both generate a new private key every time which makes this a pattern possible remember that is an adaptive attack we need to hear it Oracle for the same private key all over and over and over again instead there's about body and cold but if federal static this element where 1 of the 2 sides is always the same this is sometimes done as an optimization don't do that openness a cell was doing that and is stopped doing that after a bunch of attacks came from that of so in TLS that usually doesn't happen and the goatee actively never did that so it that that doesn't work against a less but GWT is encoded stride into the standard because if your public key is fixed so is your private key always the same so if you have a service that accepts things in credited that with a public but we don't use the DH yes algorithm we can use this attack for example against the popular implementation go jossey it's not good jobs fault but end goal 1 . 8 . 1 . 1 the latest vulnerable version and we can just check if the service can the correct what we're sending it can be because it throws HDP error when he can't because of different timings this changes in any case but what you need is oracle that tells you did it work did not work did the bad the trigger so are you write about your prediction of limbs or are you not then of course you
41:12
need to do a lot of work but if you don't have the resources all of the big corporations of of were to spin up things you can just use easy to spot instances of how we are to that and that is that there will be as small of a piece of code that would do nothing intensive on your laptop or anything don't would accept http requests from the workers the beautiful thing about this infrastructure is that you can score is always scale the workers spin up as many as you want on our it new uh and uh no it urges um that because the only thing that they need to be able to do they don't need to have Ports open ended you don't have to worry about now that you can even runs on your bot that because the only thing they have to do is connect back and ask for work and then after 30 seconds or when they find a point connect back and say I found something again find anything give me some more work and send the result this is uh this was also useful because if you get the worker called wrong or if you want to change the employment you can just redeployed workers without losing state on the dispatcher because the dispatcher just keeps running and then it would just wait for the workers to come and ask specifically we built this is just with the small script that you can start by EC Commission with because we don't even need to make a custom image so I have a few few years a few numbers
42:59
out each key has 52 limbs it will take a bit less than that because we have kangaroos but let's say approximately 52 it should them is 16 . marriage um it would be 17 but 2 of the points are faster to 5 so that's a succinct each point takes approximately 2 to the 2 systems to implement to do 26 candidate points so we have to try to to the 26 points before we find 1 that triggers the bad at the right the point of and since we need 16 candidate points and each takes 2 to the 26 a kind of points so that takes approximately 85 CPU hours that's like the it you running for an hour 1 claw the you can get 85 secu hours from its spot instances for ABC proud to a dollar and a quarter but which makes the total cost of something like 60 bucks which was a relief because I had done the math wrong 1st and the became out as that at 1 thousand and I run the Duma tonight and I can check the bill again anyway if but of no I am not brave enough to run the attack alive because yes it's a nice infrastructure but no I don't trust it that much up
44:33
but also because it takes a while like if you don't want to spin up infinite number of DCT materials you have to accept that it will take and to take about how I think how attack run in 12 hours so we're going to
44:51
look at a spedup version of a one hour video in the next 45 minutes you have time right it's a couple minutes so this is on the rise it's you shouldn't be too
45:05
confusing and that if anyone work said uh Hollywood and wants to like Nigel said we can talk but how saying is that the Reds uh values are the ones that we found the . 4
45:19
from the workers and resubmitted and when we submitted that uh it resulted not to be the right limb and the green ones are the ones that instead broke so there there right Lin remember that here the target is i jw T receiving application and then you can see the key slowly move
45:41
flipping from the from the bottom end it's exactly like all the food I of that most of of so yeah you can see that the limbs filling out as we find them and that approximately the sturdy bits so 2 to the 30 rounds 230 candidates were for each uh but uh round for each each that we find it obviously depends on luck so in yes I do the thing will probably keep running from the 1 that uh this is already at link 9 it has to get 250 and you don't have that patients so this was that the half attack the code will be
46:31
open source soon the earth live the lives you lost they belong to us now have
46:37
and any questions was other thank you very much for leisurely talk and the kangaroo so we have a questions from this signal angel go ahead please actually the Internet wants to know where did you compare this book to implementation of the libraries so that I guess that neurons if I looked for a similar bias in all the implementations but we did not also because each implementations of the different uh handle works on a lot of fuzzing of uh begins implementations in the brain she asks me like on we're just today if I tried fuzzing the go implementation for example and sadly this is constant time code that is specific to Peter 56 so the answer is there's a lot of them and the bike can be as small and anywhere it's all like you will be looking for another by in uh the 256 6 subtraction it can be anywhere in the underlying mass and we can turn that into the same attack so no look for this specific 1 but I think that 4 CDs in 2 thousand 17 on openness cell have descriptions that are very similar but they're about um find field famine like normal DH if you look for from 2 for something this is about it's very doable because all the computation can be done offline that that's this kind of attacks on opponents itself next part the questions from the single angel so please sign up at the microphone the microphone in 1 case um so why can't you determine the points have to break the so using this this snow ahead so but it's entirely absolutely and there's a lot of points where the values then thrown out or like it might get a corrected by the how weights essentially we do not see a clear path to this and it's 65 dollars on EC 2 so it doesn't really change the feasibility to just pass them up so we just went Florida of fastest path to the to the entrance are there any other questions on 1 is asking about kangaroos people I mean yes also about Canada has lovely because and even just earlier I haven't you have to yeah definitely I think there aren't any other questions so if people older the ground and also you thinking few was which was
49:44
and and it did it in the and took the think it could
00:00
PublicKeyKryptosystem
Resultante
Quader
Implementierung
Nummerung
Unrundheit
Term
Übergang
Kollaboration <Informatik>
Chiffrierung
Puls <Technik>
Kryptologie
Kurvenanpassung
Ordnung <Mathematik>
Elliptische Kurve
01:35
Bit
Ausbreitungsfunktion
Implementierung
Login
Softwaretest
Zufallszahlen
Iteration
Adressraum
Abgeschlossene Menge
Computersicherheit
Programmbibliothek
Kurvenanpassung
Elliptische Kurve
Implementierung
Streuungsdiagramm
Digitales Zertifikat
Assembler
Protokoll <Datenverarbeitungssystem>
Computersicherheit
National Institute of Standards and Technology
Elektronische Unterschrift
Dienst <Informatik>
Codierung
Wort <Informatik>
Computerarchitektur
Partikelsystem
04:08
Resultante
Bit
Subtraktion
Punkt
Mathematisierung
Ausbreitungsfunktion
Zahlenbereich
Schreiben <Datenverarbeitung>
Computerunterstütztes Verfahren
Element <Mathematik>
Login
Informationsmodellierung
Fahne <Mathematik>
Restklasse
Kontrollstruktur
Disjunktion <Logik>
Elliptische Kurve
Gerade
Einfach zusammenhängender Raum
Nichtlinearer Operator
Lineares Funktional
Vervollständigung <Mathematik>
Freier Ladungsträger
Assembler
Spieltheorie
Ruhmasse
Elektronische Unterschrift
Datenfeld
AnalogDigitalUmsetzer
Pufferüberlauf
Festspeicher
Konditionszahl
Digitalisierer
Elektronischer Fingerabdruck
Codierung
Wiederherstellung <Informatik>
Computerarchitektur
09:40
Resultante
PublicKeyKryptosystem
Bit
Multiplikation
Punkt
Datenfeld
Gruppenkeim
Kurvenanpassung
Zahlenbereich
Systemzusammenbruch
Gleichungssystem
Systemzusammenbruch
Kartesische Abgeschlossenheit
Multiplikation
Informationsmodellierung
Ganze Zahl
Kryptologie
Spieltheorie
Punkt
Addition
Datenstruktur
Gleichungssystem
Elliptische Kurve
Assoziativgesetz
Nichtlinearer Operator
Addition
Kategorie <Mathematik>
Abstraktionsebene
Streuung
Kryptologie
Ausgleichsrechnung
Grundrechenart
Kommutator <Quantentheorie>
Ellipse
Datenfeld
Gruppenkeim
Ganze Zahl
Zahlenbereich
Speicherabzug
Normalvektor
Brennen <Datenverarbeitung>
13:36
PublicKeyKryptosystem
Resultante
Umwandlungsenthalpie
Addition
Nichtlinearer Operator
Folge <Mathematik>
Bit
Punkt
Zahlenbereich
Rechenschieber
Mereologie
Ordnung <Mathematik>
Schlüsselverwaltung
Zeichenkette
17:23
Resultante
Einfach zusammenhängender Raum
PublicKeyKryptosystem
Nichtlinearer Operator
Lineares Funktional
Folge <Mathematik>
Bit
Punkt
Protokoll <Datenverarbeitungssystem>
Computersicherheit
Streuung
Term
Übergang
Multiplikation
Kryptologie
Kontrollstruktur
Wort <Informatik>
Skalarfeld
Information
Kantenfärbung
Schlüsselverwaltung
Elliptische Kurve
Aggregatzustand
Orakel <Informatik>
20:42
Einfach zusammenhängender Raum
Bit
Multifunktion
Punkt
Kryptologie
Kontrollstruktur
Computerunterstütztes Verfahren
Schlüsselverwaltung
21:21
Einfach zusammenhängender Raum
Folge <Mathematik>
Bit
Punkt
Zahlenbereich
Kontrollstruktur
Schlüsselverwaltung
Maschinelles Sehen
Algorithmische Programmiersprache
23:13
Bit
Multiplikation
Punkt
Freier Ladungsträger
Elektronischer Programmführer
Implementierung
Gebäude <Mathematik>
Computer
pBlock
Information
Homepage
Software
Multiplikation
Eliminationsverfahren
Programmbibliothek
Codierung
Kontrollstruktur
Schlüsselverwaltung
LieGruppe
Implementierung
Tabelle <Informatik>
25:29
Konstante
Bit
Multiplikation
Punkt
Loop
Mathematisierung
Codierung
Gruppenkeim
Indexberechnung
Punkt
Skalarfeld
Tabelle <Informatik>
26:36
Mittelwert
Addition
Bit
Punkt
Multiplikation
Mathematisierung
Gruppenkeim
Indexberechnung
pBlock
Multiplikation
Loop
Vorzeichen <Mathematik>
Selbstrepräsentation
Dateiformat
Punkt
Skalarfeld
Schlüsselverwaltung
Implementierung
28:29
Punkt
FuzzyLogik
RaumZeit
Vorzeichen <Mathematik>
Übergang
Eins
Spannweite <Stochastik>
Hook <Programmierung>
AnalogDigitalUmsetzer
Konditionszahl
Anpassung <Mathematik>
Codierung
Inverser Limes
Kontrollstruktur
Boolesche Algebra
Operations Research
Disjunktion <Logik>
29:45
PublicKeyKryptosystem
Lineares Funktional
Punkt
Protokoll <Datenverarbeitungssystem>
Ortsoperator
Minimierung
Kryptologie
Ellipse
Übergang
Spannweite <Stochastik>
Programmbibliothek
Codierung
Ganze Funktion
Standardabweichung
Orakel <Informatik>
31:01
Folge <Mathematik>
Punkt
Mathematisierung
Familie <Mathematik>
Delisches Problem
Richtung
Netzwerktopologie
FuzzyLogik
Rechter Winkel
Kontrollstruktur
Abstand
Schlüsselverwaltung
SchreibLeseKopf
Tabelle <Informatik>
34:11
Wechselsprung
Datensatz
Punkt
PRINCE2
35:35
Objekt <Kategorie>
PublicKeyKryptosystem
HashAlgorithmus
Punkt
Minimierung
Hochdruck
Mathematisierung
Gruppenkeim
Versionsverwaltung
Kurvenanpassung
Zellularer Automat
Implementierung
Diskrete Gruppe
Element <Mathematik>
Eins
Wurm <Informatik>
Chiffrierung
Multiplikation
Wechselsprung
Prognoseverfahren
Algorithmus
Prozess <Informatik>
Mustersprache
HashAlgorithmus
Elliptische Kurve
Auswahlaxiom
Algorithmus
Konstruktor <Informatik>
Güte der Anpassung
Orbit <Mathematik>
EinAusgabe
Dienst <Informatik>
Flächeninhalt
Offene Menge
Rechter Winkel
Beweistheorie
Festspeicher
Ellipse
Ordnung <Mathematik>
Fehlermeldung
Orakel <Informatik>
41:11
Resultante
Bit
Total <Mathematik>
Punkt
Betragsfläche
Mathematisierung
Zwei
Zahlenbereich
Physikalisches System
Instantiierung
Zentraleinheit
Teilmenge
Rechter Winkel
NotebookComputer
Codierung
Skript <Programm>
Punkt
Schlüsselverwaltung
Zentraleinheit
Bildgebendes Verfahren
Aggregatzustand
Instantiierung
44:33
Retrievalsprache
Materialisation <Physik>
Rechter Winkel
Versionsverwaltung
Zahlenbereich
Skalarfeld
Demo <Programm>
Eins
Videokonferenz
Unendlichkeit
45:18
Retrievalsprache
Bit
Minimum
Codierung
Unrundheit
Kartesische Koordinaten
Skalarfeld
Binder <Informatik>
Eins
46:29
Subtraktion
Gewicht <Mathematik>
Punkt
Open Source
FeasibilityStudie
Ruhmasse
Implementierung
Zellularer Automat
Computerunterstütztes Verfahren
Internetworking
Konstante
Deskriptive Statistik
Datenfeld
FuzzyLogik
Offene Menge
Mereologie
Codierung
Normalvektor
49:43
Hypermedia
Medianwert
Systemprogrammierung
Metadaten
Formale Metadaten
Titel  Squeezing a key through a carry bit 
Untertitel  No bug is small enough 
Serientitel  34th Chaos Communication Congress 
Autor 
Valsorda, Filippo

Lizenz 
CCNamensnennung 4.0 International: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. 
DOI  10.5446/34838 
Herausgeber  Chaos Computer Club e.V. 
Erscheinungsjahr  2017 
Sprache  Englisch 
Inhaltliche Metadaten
Fachgebiet  Informatik 
Abstract  The Go implementation of the P256 elliptic curve had a small bug due to a misplaced carry bit affecting less than 0.00000003% of field subtraction operations. We show how to build a full practical key recovery attack on top of it, capable of targeting JSON Web Encryption. 
Schlagwörter  Security 