In Search of CurveSwap: Measuring Elliptic Curve Implementations in the Wild

Conference: BlackHat EU 2018

2018-12-06

Summary

The talk discusses vulnerabilities in elliptic curve cryptography implementations and the importance of performing proper validation checks and supporting only secure curves in protocols to prevent attacks.
  • Making validation checks and test vectors part of the standards helps prevent developers from omitting them in protocol implementations.
  • Supporting only secure curves and designing protocols with proper downgrade protection prevents downgrade attacks and CurveSwap attacks.
  • Newly designed curves like Curve25519 and Curve448 are gaining widespread support and are included in the TLS 1.3 standard.
  • Internet scanning found that many hosts accepted invalid points and were vulnerable to attacks, highlighting the importance of proper validation checks.
  • Consulting a cryptographer and using open source tools like ZMap can help developers use cryptographic primitives correctly and black-box test their implementations.
The talk highlights a study in which internet scanning was used to test whether hosts validate the curve points they receive. The scanning found that almost 200,000 hosts accepted invalid points and were vulnerable to invalid curve attacks. While no hosts were found vulnerable to CurveSwap attacks, the study emphasizes the importance of implementing proper validation checks and secure curves in protocols to prevent attacks.

Abstract

We survey elliptic curve implementations from several vantage points. We perform internet-wide scans for TLS on a large number of ports, as well as SSH and IPsec to measure elliptic curve support and implementation behaviors, as well as collect passive measurements of client curve support for TLS. We also perform active measurements to estimate server vulnerability to known attacks against elliptic curve implementations, including support for weak curves, invalid curve attacks, and curve twist attacks. We estimate that 0.77% of HTTPS hosts, 0.04% of SSH hosts, and 4.04% of IKEv2 hosts that support elliptic curves do not perform curve validity checks as specified in elliptic curve standards. We describe how such vulnerabilities could be used to construct an elliptic curve parameter downgrade attack called CurveSwap for TLS, and observe that there do not appear to be combinations of weak behaviors we examined enabling a feasible CurveSwap attack in the wild. We also analyze source code for elliptic curve implementations, and find that a number of libraries fail to perform point validation for JSON Web Encryption, and find a flaw in the Java and NSS multiplication algorithms.
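As an added illustration (not code from the talk or its authors), the public-key validation steps that the elliptic curve standards require, implemented in Python over a small constructed curve (y^2 = x^3 + 2x + 2 over GF(17), 19 points); a deployment would substitute a standard curve's parameters. The point addition is included to show that the group-law formulas never use the curve's b coefficient, which is why an unchecked off-curve point moves the whole computation onto an attacker-chosen curve.

```python
from collections import namedtuple

# Short Weierstrass curve y^2 = x^3 + a*x + b over GF(p); n = base-point order, h = cofactor.
Curve = namedtuple("Curve", "p a b n h")
INF = None  # point at infinity (group identity)

def add(c, P, Q):
    """Affine point addition. Neither formula references c.b, which is why an
    off-curve point silently moves the computation onto a different curve."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return INF  # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def mul(c, k, P):
    """Double-and-add scalar multiplication k*P."""
    R = INF
    while k:
        if k & 1:
            R = add(c, R, P)
        P, k = add(c, P, P), k >> 1
    return R

def validate_public_key(c, Q):
    """Full public-key validation (SEC 1 3.2.2.1 / SP 800-56A 5.6.2.3.3): reject the
    identity, out-of-range coordinates, off-curve points and small-subgroup points."""
    if Q is INF:
        return False
    x, y = Q
    if not (0 <= x < c.p and 0 <= y < c.p):
        return False
    if (y * y - (x * x * x + c.a * x + c.b)) % c.p != 0:
        return False  # off-curve point: exactly what an invalid-curve attack sends
    if c.h != 1 and mul(c, c.n, Q) is not INF:
        return False  # wrong subgroup; implied by the on-curve check when h == 1
    return True

# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17): 19 points, so every point
# other than INF has prime order 19 and the cofactor is 1. (5, 2) is off-curve.
TOY = Curve(p=17, a=2, b=2, n=19, h=1)
TOY_G = (5, 1)
```

The same checks apply unchanged to a standard curve once its p, a, b, n and h are filled in; the toy curve only keeps the arithmetic small enough to follow by hand.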
